I am ingesting a JSON file like the one below into Elasticsearch using Logstash's JSON filter.
{
  "imageScanFindings": {
    "findings": [
      {
        "name": "CVE-2019-3462",
        "description": "Incorrect sanitation of the 302 redirect field in HTTP transport method of apt versions 1.4.8 and earlier can lead to content injection by a MITM attacker, potentially leading to remote code execution on the target machine.",
        "uri": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-3462",
        "severity": "HIGH",
        "attributes": [
          {
            "key": "package_version",
            "value": "1.6.3ubuntu0.1"
          },
          {
            "key": "package_name",
            "value": "apt"
          }
        ]
      },
      {
        "name": "CVE-2018-16864",
        "description": "An allocation of memory without limits, that could result in the stack clashing with another memory region, was discovered in systemd-journald when a program with long command line arguments calls syslog. A local attacker may use this flaw to crash systemd-journald or escalate his privileges. Versions through v240 are vulnerable.",
        "uri": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-16864",
        "severity": "HIGH",
        "attributes": [
          {
            "key": "package_version",
            "value": "237-3ubuntu10.3"
          },
          {
            "key": "package_name",
            "value": "systemd"
          }
        ]
      },
      {
        "name": "CVE-2018-16865",
        "description": "An allocation of memory without limits, that could result in the stack clashing with another memory region, was discovered in systemd-journald when many entries are sent to the journal socket. A local attacker, or a remote one if systemd-journal-remote is used, may use this flaw to crash systemd-journald or execute code with journald privileges. Versions through v240 are vulnerable.",
        "uri": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-16865",
        "severity": "HIGH",
        "attributes": [
          {
            "key": "package_version",
            "value": "237-3ubuntu10.3"
          },
          {
            "key": "package_name",
            "value": "systemd"
          }
        ]
      },
      {
        "name": "CVE-2016-1585",
        "description": "In all versions of AppArmor mount rules are accidentally widened when compiled.",
        "uri": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-1585",
        "severity": "MEDIUM",
        "attributes": [
          {
            "key": "package_version",
            "value": "2.12-4ubuntu5"
          },
          {
            "key": "package_name",
            "value": "apparmor"
          }
        ]
      }
    ],
    "imageScanCompletedAt": 1572344124.0,
    "vulnerabilitySourceUpdatedAt": 1572309959.0,
    "findingSeverityCounts": {
      "HIGH": 3,
      "INFORMATIONAL": 15,
      "LOW": 75,
      "MEDIUM": 100
    }
  },
  "registryId": "629895769338",
  "repositoryName": "ecr-scan-sample",
  "imageId": {
    "imageDigest": "sha256:0e50bbb560068a88500da4fcd56264d3e0e386317efe2f3256f33baaba0ddf54",
    "imageTag": "latest"
  },
  "imageScanStatus": {
    "status": "COMPLETE",
    "description": "The scan was completed successfully."
  }
}
My understanding is that in this case the whole thing above is ingested into Elasticsearch as a single document. Is it possible to split the contents of findings as shown below, so that each one is stored as a separate document?
findings [
  output 1 { ... },
  output 2 { ... }, ...
]
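The following is an added example pipeline, not something from the original post. The json filter only parses the line into fields; the per-element cloning is done by Logstash's split filter, which creates one event per entry of the array named in `field` and copies all the other fields (registryId, repositoryName, imageId, ...) onto every clone, so each finding document still identifies the image it came from. The file path, the Elasticsearch host, the index name and the assumption that each scan result has been compacted onto one line (for example with `jq -c`) are all placeholders chosen for this example.

```logstash
# Added example: one ECR scan result per line in -> one document per finding out.
input {
  file {
    path => "/var/log/ecr-scan/*.json"   # assumed path; one compact JSON object per line
    start_position => "beginning"
    sincedb_path => "/dev/null"          # re-read the file on every run (demo only)
  }
}

filter {
  # Parse the raw line into fields; drop the raw copy afterwards.
  json {
    source => "message"
    remove_field => ["message"]
  }

  # Clone the event once per element of the findings array.
  # The element lands in [finding]; every other field is copied to each clone.
  split {
    field  => "[imageScanFindings][findings]"
    target => "finding"
  }

  # attributes is a list of {key, value} pairs; flatten it so that
  # package_name / package_version become ordinary fields on the finding.
  ruby {
    code => '
      attrs = event.get("[finding][attributes]") || []
      attrs.each do |a|
        next unless a.is_a?(Hash) && a["key"]
        event.set("[finding][" + a["key"].to_s + "]", a["value"])
      end
      event.remove("[finding][attributes]")
    '
  }

  # Each clone still carries the full original array; remove it so that the
  # per-finding document does not repeat the whole scan result.
  mutate {
    remove_field => ["[imageScanFindings][findings]"]
  }

  # Use the scan completion time (epoch seconds, float) as the event timestamp.
  date {
    match => ["[imageScanFindings][imageScanCompletedAt]", "UNIX"]
  }
}

output {
  elasticsearch {
    hosts => ["http://localhost:9200"]                  # assumed host
    index => "ecr-scan-findings-%{+YYYY.MM.dd}"         # assumed index name
    # Deterministic id: re-ingesting the same scan overwrites instead of duplicating.
    document_id => "%{[imageId][imageDigest]}-%{[finding][name]}-%{[finding][package_name]}"
  }
}
```

With the JSON from the question, this produces four documents, each with `finding.name`, `finding.severity`, `finding.package_name` and `finding.package_version` as top-level queryable fields, while `findingSeverityCounts`, `imageId` and `imageScanStatus` are repeated on each one. If an event arrives without a findings array, the split filter leaves the event unsplit and adds the tag `_split_type_failure`, which is worth a saved search so silently empty scans do not go unnoticed.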