fix(codeartifact): only retrieve the latest version from a package

2026-04-01 05:37:14 +00:00 · 2026-03-04 07:50:52 +01:00
2 changed files with 104 additions and 0 deletions
--- a/prowler/providers/aws/services/codeartifact/codeartifact_service.py
+++ b/prowler/providers/aws/services/codeartifact/codeartifact_service.py
@@ -96,6 +96,7 @@ class CodeArtifact(AWSService):
                                        namespace=package_namespace,
                                        package=package_name,
                                        sortBy="PUBLISHED_TIME",
+                                        maxResults=1,
                                    )
                                )
                            else:
@@ -111,6 +112,7 @@ class CodeArtifact(AWSService):
                                        format=package_format,
                                        package=package_name,
                                        sortBy="PUBLISHED_TIME",
+                                        maxResults=1,
                                    )
                                )
                            latest_version = ""
--- a/tests/providers/aws/services/codeartifact/codeartifact_service_test.py
+++ b/tests/providers/aws/services/codeartifact/codeartifact_service_test.py
@@ -54,6 +54,9 @@ def mock_make_api_call(self, operation_name, kwarg):
        }

    if operation_name == "ListPackageVersions":
+        assert (
+            kwarg.get("maxResults") == 1
+        ), "list_package_versions must pass maxResults=1 to avoid fetching all versions"
        return {
            "defaultDisplayVersion": "latest",
            "format": "pypi",
@@ -204,3 +207,102 @@ class Test_CodeArtifact_Service:
            .latest_version.origin.origin_type
            == OriginInformationValues.INTERNAL
        )
+
+
+def mock_make_api_call_no_namespace(self, operation_name, kwarg):
+    """Mock for packages without a namespace to exercise the else branch"""
+    if operation_name == "ListRepositories":
+        return {
+            "repositories": [
+                {
+                    "name": "test-repository",
+                    "administratorAccount": AWS_ACCOUNT_NUMBER,
+                    "domainName": "test-domain",
+                    "domainOwner": AWS_ACCOUNT_NUMBER,
+                    "arn": TEST_REPOSITORY_ARN,
+                    "description": "test description",
+                },
+            ]
+        }
+    if operation_name == "ListPackages":
+        return {
+            "packages": [
+                {
+                    "format": "pypi",
+                    "package": "test-package-no-ns",
+                    "originConfiguration": {
+                        "restrictions": {
+                            "publish": "ALLOW",
+                            "upstream": "BLOCK",
+                        }
+                    },
+                },
+            ],
+        }
+
+    if operation_name == "ListPackageVersions":
+        assert (
+            kwarg.get("maxResults") == 1
+        ), "list_package_versions must pass maxResults=1 to avoid fetching all versions"
+        assert (
+            "namespace" not in kwarg
+        ), "namespace should not be passed when package has no namespace"
+        return {
+            "defaultDisplayVersion": "1.0.0",
+            "format": "pypi",
+            "package": "test-package-no-ns",
+            "versions": [
+                {
+                    "version": "1.0.0",
+                    "revision": "abc123",
+                    "status": "Published",
+                    "origin": {
+                        "domainEntryPoint": {
+                            "repositoryName": "test-repository",
+                            "externalConnectionName": "",
+                        },
+                        "originType": "EXTERNAL",
+                    },
+                },
+            ],
+        }
+
+    if operation_name == "ListTagsForResource":
+        return {"tags": []}
+
+    return make_api_call(self, operation_name, kwarg)
+
+
+@patch(
+    "botocore.client.BaseClient._make_api_call",
+    new=mock_make_api_call_no_namespace,
+)
+@patch(
+    "prowler.providers.aws.aws_provider.AwsProvider.generate_regional_clients",
+    new=mock_generate_regional_clients,
+)
+class Test_CodeArtifact_Service_No_Namespace:
+    def test_list_packages_no_namespace(self):
+        codeartifact = CodeArtifact(
+            set_mocked_aws_provider([AWS_REGION_EU_WEST_1, AWS_REGION_US_EAST_1])
+        )
+
+        assert len(codeartifact.repositories[TEST_REPOSITORY_ARN].packages) == 1
+
+        package = codeartifact.repositories[TEST_REPOSITORY_ARN].packages[0]
+        assert package.name == "test-package-no-ns"
+        assert package.namespace is None
+        assert package.format == "pypi"
+        assert (
+            package.origin_configuration.restrictions.publish == RestrictionValues.ALLOW
+        )
+        assert (
+            package.origin_configuration.restrictions.upstream
+            == RestrictionValues.BLOCK
+        )
+        assert package.latest_version.version == "1.0.0"
+        assert package.latest_version.status == LatestPackageVersionStatus.Published
+        assert (
+            package.latest_version.origin.origin_type
+            == OriginInformationValues.EXTERNAL
+        )