cfn-nag 0.3.36 → 0.3.37

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 3bbfbd7db2b9426d31da6b33f1c57ef3206fd577
-  data.tar.gz: 7467677da594cc69cb29499937341f174e1a96f9
+  metadata.gz: 679f328149572244f9d7716508fb21ec61d51b82
+  data.tar.gz: 5fe1047c08e2b48a6e7370ffb65ac7aa877a0503
 SHA512:
-  metadata.gz: 3f78c54ce0cd89a94668916325489a8e1f5438323cccba1d914163cc821550c3dca33f2fb15c73b74181f68d3710bba329c20d7f8aee192e58da7087fde25b6a
-  data.tar.gz: f9e9162205017eaedd6699781fd50d135082b42f03af1ea3682100c29378a9e27e90115a6efbcc67091f7a181e5dfec1697378caacb1425602fcf71d09c0326d
+  metadata.gz: 5cf850041ccbb24904d252e21153c84a843bdfd05eec85fd87f2752ac1707b731b06ba81ffa1b5b81fea4bf77c71c209d4898f1ef6fb4d4b192dc92cd29a0ae6
+  data.tar.gz: 2d2ed30c52bdd934748b423982daba740ed52b427ee186d9c95ab7cda8996be33ff2d1410e81f8e2bc8cdf786dc630bff9bb43c572d7e49e2a089cf8147f0a59

data/lib/cfn-nag/cfn_nag.rb

@@ -14,10 +14,11 @@ class CfnNag
                  print_suppression: false,
                  isolate_custom_rule_exceptions: false)
     @rule_directory = rule_directory
-    @custom_rule_loader = CustomRuleLoader.new(rule_directory: rule_directory,
-                                               allow_suppression: allow_suppression,
-                                               print_suppression: print_suppression,
-                                               isolate_custom_rule_exceptions: isolate_custom_rule_exceptions)
+    @custom_rule_loader = CustomRuleLoader.new(
+      rule_directory: rule_directory, allow_suppression: allow_suppression,
+      print_suppression: print_suppression,
+      isolate_custom_rule_exceptions: isolate_custom_rule_exceptions
+    )
     @profile_definition = profile_definition
   end
 
@@ -26,10 +27,12 @@ class CfnNag
   #
   # Return an aggregate failure count (for exit code usage)
   #
-  def audit_aggregate_across_files_and_render_results(input_path:,
-                                                      output_format: 'txt',
-                                                      parameter_values_path: nil)
-    aggregate_results = audit_aggregate_across_files input_path: input_path, parameter_values_path: parameter_values_path
+  def audit_aggregate_across_files_and_render_results(
+    input_path:, output_format: 'txt', parameter_values_path: nil
+  )
+    aggregate_results = \
+      audit_aggregate_across_files input_path: input_path,
+                                   parameter_values_path: parameter_values_path
 
     render_results(aggregate_results: aggregate_results,
                    output_format: output_format)
@@ -43,7 +46,8 @@ class CfnNag
   # Given a file or directory path, return aggregate results
   #
   def audit_aggregate_across_files(input_path:, parameter_values_path: nil)
-    parameter_values_string = parameter_values_path.nil? ? nil : IO.read(parameter_values_path)
+    parameter_values_string = \
+      parameter_values_path.nil? ? nil : IO.read(parameter_values_path)
     templates = TemplateDiscovery.new.discover_templates(input_path)
     aggregate_results = []
     templates.each do |template|
@@ -59,7 +63,8 @@ class CfnNag
   ##
   # Given cloudformation json/yml, run all the rules against it
   #
-  # Optionally include JSON with Parameters key to substitute into cfn_model.parameters
+  # Optionally include JSON with Parameters key to substitute into
+  # cfn_model.parameters
   #
   # Return a hash with failure count
   #
@@ -68,7 +73,8 @@ class CfnNag
     violations = []
 
     begin
-      cfn_model = CfnParser.new.parse cloudformation_string, parameter_values_string
+      cfn_model = CfnParser.new.parse cloudformation_string,
+                                      parameter_values_string
     rescue Psych::SyntaxError, ParserError => parser_error
       violations << Violation.new(id: 'FATAL',
                                   type: Violation::FAILING_VIOLATION,
@@ -76,9 +82,10 @@ class CfnNag
       stop_processing = true
     end
 
-    violations += @custom_rule_loader.execute_custom_rules(cfn_model) unless stop_processing == true
-
-    violations = filter_violations_by_profile violations unless stop_processing == true
+    unless stop_processing == true
+      violations += @custom_rule_loader.execute_custom_rules(cfn_model)
+      violations = filter_violations_by_profile violations
+    end
 
     {
       failure_count: Violation.count_failures(violations),
@@ -102,7 +109,8 @@ class CfnNag
   def filter_violations_by_profile(violations)
     profile = nil
     unless @profile_definition.nil?
-      profile = ProfileLoader.new(@custom_rule_loader.rule_definitions).load(profile_definition: @profile_definition)
+      profile = ProfileLoader.new(@custom_rule_loader.rule_definitions)
+                             .load(profile_definition: @profile_definition)
     end
 
     violations.reject do |violation|

data/lib/cfn-nag/custom_rule_loader.rb

@@ -49,9 +49,9 @@ class CustomRuleLoader
 
     discover_rule_classes(@rule_directory).each do |rule_class|
       begin
-        filtered_cfn_model = cfn_model_with_suppressed_resources_removed cfn_model: cfn_model,
-                                                                         rule_id: rule_class.new.rule_id,
-                                                                         allow_suppression: @allow_suppression
+        filtered_cfn_model = cfn_model_with_suppressed_resources_removed \
+          cfn_model: cfn_model, rule_id: rule_class.new.rule_id,
+          allow_suppression: @allow_suppression
         audit_result = rule_class.new.audit(filtered_cfn_model)
         violations << audit_result unless audit_result.nil?
       rescue Exception => exception
@@ -76,7 +76,10 @@ class CustomRuleLoader
   private
 
   def rules_to_suppress(resource)
-    if resource.metadata && resource.metadata['cfn_nag'] && resource.metadata['cfn_nag']['rules_to_suppress']
+    if resource.metadata &&
+       resource.metadata['cfn_nag'] &&
+       resource.metadata['cfn_nag']['rules_to_suppress']
+
       resource.metadata['cfn_nag']['rules_to_suppress']
     else
       nil
@@ -102,7 +105,8 @@ class CustomRuleLoader
       logical_resource_id = mangled_metadata.first
       mangled_rules = mangled_metadata[1]
 
-      STDERR.puts "#{logical_resource_id} has missing cfn_nag suppression rule id: #{mangled_rules}"
+      STDERR.puts "#{logical_resource_id} has missing cfn_nag " \
+                  "suppression rule id: #{mangled_rules}"
     end
   end
 
@@ -112,7 +116,8 @@ class CustomRuleLoader
       rule_to_suppress['id'] == rule_id
     end
     if found_suppression_rule && @print_suppression
-      STDERR.puts "Suppressing #{rule_id} on #{logical_resource_id} for reason: #{found_suppression_rule['reason']}"
+      STDERR.puts "Suppressing #{rule_id} on #{logical_resource_id} " \
+                  "for reason: #{found_suppression_rule['reason']}"
     end
     !found_suppression_rule.nil?
   end
@@ -136,9 +141,8 @@ class CustomRuleLoader
   end
 
   def validate_extra_rule_directory(rule_directory)
-    unless rule_directory.nil?
-      raise "Not a real directory #{rule_directory}" unless File.directory? rule_directory
-    end
+    return true if rule_directory.nil? || File.directory?(rule_directory)
+    raise "Not a real directory #{rule_directory}"
   end
 
   def discover_rule_filenames(rule_directory)
@@ -172,7 +176,9 @@ class CustomRuleLoader
     unless rule_directory.nil?
       rule_filenames += Dir[File.join(rule_directory, '*jmespath.rb')].sort
     end
-    rule_filenames += Dir[File.join(__dir__, 'custom_rules', '*jmespath.rb')].sort
+    rule_filenames += Dir[File.join(__dir__,
+                                    'custom_rules',
+                                    '*jmespath.rb')].sort
     Logging.logger['log'].debug "jmespath_filenames: #{rule_filenames}"
     rule_filenames
   end

data/lib/cfn-nag/custom_rules/CloudFormationAuthenticationRule.rb

@@ -3,7 +3,8 @@ require_relative 'base'
 
 class CloudFormationAuthenticationRule < BaseRule
   def rule_text
-    'Specifying credentials in the template itself is probably not the safest thing'
+    'Specifying credentials in the template itself ' \
+    'is probably not the safest thing'
   end
 
   def rule_type

data/lib/cfn-nag/custom_rules/CloudFrontDistributionAccessLoggingRule.rb

@@ -15,9 +15,11 @@ class CloudFrontDistributionAccessLoggingRule < BaseRule
   end
 
   def audit_impl(cfn_model)
-    violating_distributions = cfn_model.resources_by_type('AWS::CloudFront::Distribution').select do |distribution|
-      distribution.distributionConfig['Logging'].nil?
-    end
+    violating_distributions = \
+      cfn_model.resources_by_type('AWS::CloudFront::Distribution')
+               .select do |distribution|
+        distribution.distributionConfig['Logging'].nil?
+      end
 
     violating_distributions.map(&:logical_resource_id)
   end

data/lib/cfn-nag/custom_rules/EbsVolumeHasSseRule.rb

@@ -15,9 +15,10 @@ class EbsVolumeHasSseRule < BaseRule
   end
 
   def audit_impl(cfn_model)
-    violating_volumes = cfn_model.resources_by_type('AWS::EC2::Volume').select do |volume|
-      volume.encrypted.nil? || volume.encrypted.to_s.downcase == 'false'
-    end
+    violating_volumes = \
+      cfn_model.resources_by_type('AWS::EC2::Volume').select do |volume|
+        volume.encrypted.nil? || volume.encrypted.to_s.downcase == 'false'
+      end
 
     violating_volumes.map(&:logical_resource_id)
   end

data/lib/cfn-nag/custom_rules/ElasticLoadBalancerAccessLoggingRule.rb

@@ -15,9 +15,12 @@ class ElasticLoadBalancerAccessLoggingRule < BaseRule
   end
 
   def audit_impl(cfn_model)
-    violating_elbs = cfn_model.resources_by_type('AWS::ElasticLoadBalancing::LoadBalancer').select do |elb|
-      elb.accessLoggingPolicy.nil? || elb.accessLoggingPolicy['Enabled'] != true
-    end
+    violating_elbs = \
+      cfn_model.resources_by_type('AWS::ElasticLoadBalancing::LoadBalancer')
+               .select do |elb|
+        elb.accessLoggingPolicy.nil? ||
+          elb.accessLoggingPolicy['Enabled'] != true
+      end
 
     violating_elbs.map(&:logical_resource_id)
   end

data/lib/cfn-nag/custom_rules/IamManagedPolicyNotActionRule.rb

@@ -15,9 +15,11 @@ class IamManagedPolicyNotActionRule < BaseRule
   end
 
   def audit_impl(cfn_model)
-    violating_policies = cfn_model.resources_by_type('AWS::IAM::ManagedPolicy').select do |policy|
-      !policy.policy_document.allows_not_action.empty?
-    end
+    violating_policies = \
+      cfn_model.resources_by_type('AWS::IAM::ManagedPolicy')
+               .select do |policy|
+        !policy.policy_document.allows_not_action.empty?
+      end
 
     violating_policies.map(&:logical_resource_id)
   end

data/lib/cfn-nag/custom_rules/IamManagedPolicyNotResourceRule.rb

@@ -15,9 +15,11 @@ class IamManagedPolicyNotResourceRule < BaseRule
   end
 
   def audit_impl(cfn_model)
-    violating_policies = cfn_model.resources_by_type('AWS::IAM::ManagedPolicy').select do |policy|
-      !policy.policy_document.allows_not_resource.empty?
-    end
+    violating_policies = \
+      cfn_model.resources_by_type('AWS::IAM::ManagedPolicy')
+               .select do |policy|
+        !policy.policy_document.allows_not_resource.empty?
+      end
 
     violating_policies.map(&:logical_resource_id)
   end

data/lib/cfn-nag/custom_rules/IamManagedPolicyWildcardActionRule.rb

@@ -15,9 +15,11 @@ class IamManagedPolicyWildcardActionRule < BaseRule
   end
 
   def audit_impl(cfn_model)
-    violating_policies = cfn_model.resources_by_type('AWS::IAM::ManagedPolicy').select do |policy|
-      !policy.policy_document.wildcard_allowed_actions.empty?
-    end
+    violating_policies = \
+      cfn_model.resources_by_type('AWS::IAM::ManagedPolicy')
+               .select do |policy|
+        !policy.policy_document.wildcard_allowed_actions.empty?
+      end
 
     violating_policies.map(&:logical_resource_id)
   end

data/lib/cfn-nag/custom_rules/IamManagedPolicyWildcardResourceRule.rb

@@ -15,9 +15,11 @@ class IamManagedPolicyWildcardResourceRule < BaseRule
   end
 
   def audit_impl(cfn_model)
-    violating_policies = cfn_model.resources_by_type('AWS::IAM::ManagedPolicy').select do |policy|
-      !policy.policy_document.wildcard_allowed_resources.empty?
-    end
+    violating_policies = \
+      cfn_model.resources_by_type('AWS::IAM::ManagedPolicy')
+               .select do |policy|
+        !policy.policy_document.wildcard_allowed_resources.empty?
+      end
 
     violating_policies.map(&:logical_resource_id)
   end

data/lib/cfn-nag/custom_rules/IamPolicyNotActionRule.rb

@@ -15,9 +15,11 @@ class IamPolicyNotActionRule < BaseRule
   end
 
   def audit_impl(cfn_model)
-    violating_policies = cfn_model.resources_by_type('AWS::IAM::Policy').select do |policy|
-      !policy.policy_document.allows_not_action.empty?
-    end
+    violating_policies = \
+      cfn_model.resources_by_type('AWS::IAM::Policy')
+               .select do |policy|
+        !policy.policy_document.allows_not_action.empty?
+      end
 
     violating_policies.map(&:logical_resource_id)
   end

data/lib/cfn-nag/custom_rules/IamPolicyNotResourceRule.rb

@@ -15,9 +15,11 @@ class IamPolicyNotResourceRule < BaseRule
   end
 
   def audit_impl(cfn_model)
-    violating_policies = cfn_model.resources_by_type('AWS::IAM::Policy').select do |policy|
-      !policy.policy_document.allows_not_resource.empty?
-    end
+    violating_policies = \
+      cfn_model.resources_by_type('AWS::IAM::Policy')
+               .select do |policy|
+        !policy.policy_document.allows_not_resource.empty?
+      end
 
     violating_policies.map(&:logical_resource_id)
   end

data/lib/cfn-nag/custom_rules/SecurityGroupIngressOpenToWorldRule.rb

@@ -6,7 +6,8 @@ class SecurityGroupIngressOpenToWorldRule < BaseRule
   include IpAddr
 
   def rule_text
-    'Security Groups found with cidr open to world on ingress.  This should never be true on instance.  Permissible on ELB'
+    'Security Groups found with cidr open to world on ingress.  ' \
+    'This should never be true on instance.  Permissible on ELB'
   end
 
   def rule_type
@@ -18,7 +19,8 @@ class SecurityGroupIngressOpenToWorldRule < BaseRule
   end
 
   ##
-  # This will behave slightly different than the legacy jq based rule which was targeted against inline ingress only
+  # This will behave slightly different than the legacy jq based rule
+  # which was targeted against inline ingress only
   def audit_impl(cfn_model)
     logical_resource_ids = []
     cfn_model.security_groups.each do |security_group|

data/lib/cfn-nag/custom_rules/ebs_volumes_jmespath.rb

@@ -1,4 +1,7 @@
 
 # failure(id: 'F8888',
-#         jmespath: "Resources.*|[?Type == 'AWS::EC2::Volume' && (Properties.Encrypted == `false` || Properties.Encrypted == `null`)].id",
+#         jmespath:
+#         "Resources.*|[?Type == 'AWS::EC2::Volume' && " \
+#         "(Properties.Encrypted == `false` || " \
+#         "Properties.Encrypted == `null`)].id",
 #         message: 'Found a naughty EBS volume')

data/lib/cfn-nag/ip_addr.rb

@@ -2,7 +2,8 @@ require 'netaddr'
 
 module IpAddr
   def ip4_open?(ingress)
-    # only care about literals.  if a Hash/Ref not going to chase it down given likely a Parameter with external val
+    # only care about literals.  if a Hash/Ref not going to chase it down
+    # given likely a Parameter with external val
     ingress.cidrIp.is_a?(String) && ingress.cidrIp == '0.0.0.0/0'
   end
 
@@ -10,8 +11,10 @@ module IpAddr
     normalized_cidr_ip6 = normalize_cidr_ip6(ingress)
     return false if normalized_cidr_ip6.nil?
 
-    # only care about literals.  if a Hash/Ref not going to chase it down given likely a Parameter with external val
-    (NetAddr::CIDRv6.create(normalized_cidr_ip6) == NetAddr::CIDRv6.create('::/0'))
+    # only care about literals.  if a Hash/Ref not going to chase it down
+    # given likely a Parameter with external val
+    (NetAddr::CIDRv6.create(normalized_cidr_ip6) ==
+     NetAddr::CIDRv6.create('::/0'))
   end
 
   def ip4_cidr_range?(ingress)
@@ -22,14 +25,17 @@ module IpAddr
     normalized_cidr_ip6 = normalize_cidr_ip6(ingress)
     return false if normalized_cidr_ip6.nil?
 
-    # only care about literals.  if a Hash/Ref not going to chase it down given likely a Parameter with external val
+    # only care about literals.  if a Hash/Ref not going to chase it down
+    # given likely a Parameter with external val
     !NetAddr::CIDRv6.create(normalized_cidr_ip6).to_s.end_with?('/128')
   end
 
   ##
   # If it's a string, just pass through
-  # If it's a symbol - probably because the YAML.load call treats an unquoted ::/0 as a the symbol :':/0'
-  # Otherwise it's probably a Ref or whatever and we aren't going to do anything with it
+  # If it's a symbol - probably because the YAML.load call treats an unquoted
+  # ::/0 as a the symbol :':/0'
+  # Otherwise it's probably a Ref or whatever and we aren't going to do
+  # anything with it
   #
   def normalize_cidr_ip6(ingress)
     if ingress.cidrIpv6.is_a?(Symbol)

data/lib/cfn-nag/profile_loader.rb

@@ -18,7 +18,8 @@ class ProfileLoader
       if !rule_line_match.nil?
         rule_id = rule_line_match.captures.first
         if @rules_registry.by_id(rule_id) == nil
-          raise "#{rule_id} is not a legal rule identifier from: #{@rules_registry.rules.map { |rule| rule.id }}"
+          raise "#{rule_id} is not a legal rule identifier from: " \
+                "#{@rules_registry.rules.map { |rule| rule.id }}"
         else
           new_profile.add_rule rule_id
         end

data/lib/cfn-nag/result_view/json_results.rb

@@ -3,7 +3,8 @@ require 'json'
 class JsonResults
   def render(results)
     hashified_results = results.each do |result|
-      result[:file_results][:violations] = result[:file_results][:violations].map(&:to_h)
+      result[:file_results][:violations] = \
+        result[:file_results][:violations].map(&:to_h)
     end
 
     puts JSON.pretty_generate(hashified_results)

data/lib/cfn-nag/rule_dumper.rb

@@ -15,7 +15,8 @@ class CfnNagRuleDumper
 
     profile = nil
     unless @profile_definition.nil?
-      profile = ProfileLoader.new(rule_registry).load(profile_definition: @profile_definition)
+      profile = ProfileLoader.new(rule_registry)
+                             .load(profile_definition: @profile_definition)
     end
 
     RulesView.new.emit(rule_registry, profile)

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cfn-nag
 version: !ruby/object:Gem::Version
-  version: 0.3.36
+  version: 0.3.37
 platform: ruby
 authors:
 - Eric Kascic
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-03-27 00:00:00.000000000 Z
+date: 2018-03-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rspec