fix: Matching logic for product_name and title

[fernandogoncalves-me]

This PR updates the matching logic for rules based only on product_name and title so that both attributes need to match at the same time.

The goal is to prevent the following scenario:

• rule matches on product_name
• rule doesn't match on title (line 370)
• rule doesn't contain any tags or resource_id_regexps
• is_matching_rule wrongly returns True based on the condition in line 374

This would lead to a match based only on product_name, resulting on wrong suppressions.

Testing suppressions

In my opinion, the current organization of that test cases makes it challenging to understand the flows been tested.

To try and (hopefully) make things easier to understand, I've refactored the existing tests.

• All test suppression rules can be found in fixtures/suppression.yaml.
• Findings that should be matched against the suppression rules are consolidated in fixtures/matching_findings.json.
• Findings that should NOT be matched with any suppression rule are consolidated in fixtures/non_matching_findings.json.
• The expected match result between findings and rules can be found in fixtures/expected_matched_findings.json.
• The expected suppression requests sent to Security Hub can be found in fixtures/expected_batch_update_findings.json.

This has reduced the amount of fixture files and made the tests more readable.

I've added this same information about the tests to this readme file.

[marwinbaumannsbp]

Why is non-matching-findings loaded twice?

[fernandogoncalves-me]

The idea is that findings_fixture has both matching and non-matching findings.

So when we apply the suppression rules, we are sure that the non-matching findings are ignored.

The other part where we load only non-matching findings was to test that, if there are no matching findings, an empty list is returned.