cfn-nag 0.3.70 → 0.3.71
- checksums.yaml +4 -4
- data/bin/cfn_nag +2 -0
- data/bin/cfn_nag_scan +2 -0
- data/lib/cfn-nag/cfn_nag.rb +2 -2
- data/lib/cfn-nag/custom_rule_loader.rb +12 -0
- data/lib/cfn-nag/custom_rules/base.rb +1 -0
- data/lib/cfn-nag/profile_loader.rb +3 -0
- data/lib/cfn-nag/rule_definition.rb +2 -2
- data/lib/cfn-nag/template_discovery.rb +3 -1
- metadata +1 -1
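--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: cb1fd786f8282f23fa1a950c373183ee4d790ae388187c6d9dc074c2cacf6d84
+data.tar.gz: 625fffbc01a10bbc25e069108076c00fa3c3da2c801a413cf4ef9b6cea5d2bae
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: f79be81a03d0e344df96b1c200b27458da31e83728716742a84011498360a819d9249001a8a516d71315559472d483cbd841c549526fdb08064bbb97b8cec869
+data.tar.gz: 6a6082ebc4f4d8a39f06e05b14bc0c819c39853af46aef2d2566758f64296a519d99416140874055301215cc857ffc85894d3c2e5dffe5f570ca169d7917d86b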
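--- a/data/bin/cfn_nag
+++ b/data/bin/cfn_nag
@@ -7,6 +7,7 @@ require 'logging'
 require 'json'
 require 'rubygems/specification'
 
+# rubocop:disable Metrics/BlockLength
 opts = Trollop.options do
 options_message = '[options] <cloudformation template path ...>|' \
 '<cloudformation template in STDIN>'
@@ -52,6 +53,7 @@ opts = Trollop.options do
 required: false,
 default: false
 end
+# rubocop:enable Metrics/BlockLength
 
 CfnNag.configure_logging(opts)
 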
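--- a/data/bin/cfn_nag_scan
+++ b/data/bin/cfn_nag_scan
@@ -7,6 +7,7 @@ require 'logging'
 require 'json'
 require 'rubygems/specification'
 
+# rubocop:disable Metrics/BlockLength
 opts = Trollop.options do
 version Gem::Specification.find_by_name('cfn-nag').version
 
@@ -71,6 +72,7 @@ opts = Trollop.options do
 required: false,
 default: '..*\.json|..*\.yaml|..*\.yml|..*\.template'
 end
+# rubocop:enable Metrics/BlockLength
 
 unless %w[txt json].include?(opts[:output_format])
 Trollop.die(:output_format,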
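--- a/data/lib/cfn-nag/cfn_nag.rb
+++ b/data/lib/cfn-nag/cfn_nag.rb
@@ -82,8 +82,8 @@ class CfnNag
 parameter_values_string
 violations += @custom_rule_loader.execute_custom_rules(cfn_model)
 violations = filter_violations_by_profile violations
-rescue Psych::SyntaxError, ParserError =>
-violations << fatal_violation(
+rescue Psych::SyntaxError, ParserError => exception
+violations << fatal_violation(exception.to_s)
 rescue JSON::ParserError => json_parameters_error
 error = "JSON Parameter values parse error: #{json_parameters_error}"
 violations << fatal_violation(error)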
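Review bot: The new `fatal_violation(exception.to_s)` on the second added line reports the bare parser message, while the sibling `rescue JSON::ParserError` branch three lines below prefixes its message with `JSON Parameter values parse error:`; for a consistent report, give the template-parse branch the same treatment, e.g. `violations << fatal_violation("Template parse error: #{exception}")`. The generic name `exception` also sits next to the descriptive `json_parameters_error`; `template_parse_error` would read better. The enclosing method starts and ends outside this hunk, and which constant the bare `ParserError` resolves to inside `class CfnNag` is not visible here, so it is worth confirming it is the intended template-parser error and not a near-miss for `JSON::ParserError`.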
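--- a/data/lib/cfn-nag/custom_rule_loader.rb
+++ b/data/lib/cfn-nag/custom_rule_loader.rb
@@ -10,6 +10,7 @@ require 'cfn-nag/jmes_path_discovery'
 # This object can discover the internal and custom user-provided rules and
 # apply these rules to a CfnModel object
 #
+# rubocop:disable Metrics/ClassLength
 class CustomRuleLoader
 def initialize(rule_directory: nil,
 allow_suppression: true,
@@ -22,6 +23,7 @@ class CustomRuleLoader
 validate_extra_rule_directory rule_directory
 end
 
+# rubocop:disable Security/Eval
 def rule_definitions
 rule_registry = RuleRegistry.new
 
@@ -39,6 +41,7 @@ class CustomRuleLoader
 
 rule_registry
 end
+# rubocop:enable Security/Eval
 
 def execute_custom_rules(cfn_model)
 if Logging.logger['log'].debug?
@@ -65,6 +68,7 @@ class CustomRuleLoader
 message: rule.rule_text }
 end
 
+# rubocop:disable Security/Eval
 def filter_jmespath_filenames(cfn_model, violations)
 discover_jmespath_filenames(@rule_directory).each do |jmespath_file|
 evaluator = JmesPathEvaluator.new cfn_model
@@ -74,7 +78,9 @@ class CustomRuleLoader
 violations += evaluator.violations
 end
 end
+# rubocop:enable Security/Eval
 
+# rubocop:disable Style/RedundantBegin
 def filter_rule_classes(cfn_model, violations)
 discover_rule_classes(@rule_directory).each do |rule_class|
 begin
@@ -87,10 +93,12 @@ class CustomRuleLoader
 violations << audit_result unless audit_result.nil?
 rescue ScriptError, StandardError => rule_error
 raise rule_error unless @isolate_custom_rule_exceptions
+
 STDERR.puts rule_error
 end
 end
 end
+# rubocop:enable Style/RedundantBegin
 
 def rules_to_suppress(resource)
 if resource.metadata &&
@@ -106,6 +114,7 @@ class CustomRuleLoader
 cfn_model.resources.each do |logical_resource_id, resource|
 resource_rules_to_suppress = rules_to_suppress resource
 next if resource_rules_to_suppress.nil?
+
 mangled_rules = resource_rules_to_suppress.select do |rule_to_suppress|
 rule_to_suppress['id'].nil?
 end
@@ -132,6 +141,7 @@ class CustomRuleLoader
 def suppress_resource?(rules_to_suppress, rule_id, logical_resource_id)
 found_suppression_rule = rules_to_suppress.find do |rule_to_suppress|
 next if rule_to_suppress['id'].nil?
+
 rule_to_suppress['id'] == rule_id
 end
 if found_suppression_rule && @print_suppression
@@ -162,6 +172,7 @@ class CustomRuleLoader
 
 def validate_extra_rule_directory(rule_directory)
 return true if rule_directory.nil? || File.directory?(rule_directory)
+
 raise "Not a real directory #{rule_directory}"
 end
 
@@ -203,3 +214,4 @@ class CustomRuleLoader
 rule_filenames
 end
 end
+# rubocop:enable Metrics/ClassLength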
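Review bot: The `# rubocop:disable Security/Eval` pragmas added before `rule_definitions` and `filter_jmespath_filenames` silence the cop without recording why evaluating code there is acceptable; a disable that sits on a trust boundary should carry its justification so the next reader does not have to re-derive it. The `eval` itself is outside these hunks, but the cop implies that rule files discovered under `@rule_directory` are executed as Ruby, and the only check on that directory visible here is `validate_extra_rule_directory`, which confirms it exists. Suggest `# rubocop:disable Security/Eval -- rule files under @rule_directory are loaded as trusted code by design` on both disable lines, plus a one-line YARD note on the `rule_directory:` parameter of `initialize` stating that the directory must be trusted. The `Style/RedundantBegin` disable around `filter_rule_classes` would likewise benefit from a note if the `begin` is kept for Ruby versions before 2.5, where `rescue` directly inside a `do`/`end` block is not accepted; the class body continues before and after these hunks.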
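--- a/data/lib/cfn-nag/profile_loader.rb
+++ b/data/lib/cfn-nag/profile_loader.rb
@@ -19,6 +19,7 @@ class ProfileLoader
 
 profile_definition.each_line do |line|
 next unless (rule_id = rule_line_match(line))
+
 check_valid_rule_id rule_id
 new_profile.add_rule rule_id
 end
@@ -33,6 +34,7 @@ class ProfileLoader
 rule_id = rule_id.chomp
 matches = /^([a-zA-Z]*?[0-9]+)\s*(.*)/.match(rule_id)
 return false if matches.nil?
+
 matches.captures.first
 end
 
@@ -45,6 +47,7 @@ class ProfileLoader
 # else raise an error
 def check_valid_rule_id(rule_id)
 return true unless @rules_registry.by_id(rule_id).nil?
+
 raise "#{rule_id} is not a legal rule identifier from: #{rules_ids}"
 end
 end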
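--- a/data/lib/cfn-nag/template_discovery.rb
+++ b/data/lib/cfn-nag/template_discovery.rb
@@ -10,6 +10,7 @@ class TemplateDiscovery
 template_pattern: template_pattern)
 end
 return [render_path(input_json_path)] if ::File.file? input_json_path
+
 raise "#{input_json_path} is not a proper path"
 end
 
@@ -17,6 +18,7 @@ class TemplateDiscovery
 
 def render_path(path)
 return path.path if path.is_a? File
+
 path
 end
 
@@ -25,7 +27,7 @@ class TemplateDiscovery
 
 templates = []
 Dir[File.join(directory, '**/**')].each do |file_name|
-if file_name.match(template_pattern)
+if file_name.match?(template_pattern)
 templates << file_name
 end
 end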
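Review bot: The new `file_name.match?(template_pattern)` is tested against the full path yielded by the `Dir[File.join(directory, '**/**')]` glob, which returns directories as well as files, so a directory component whose name matches the pattern (a folder called `foo.json`, say) would put the directory entry itself and everything beneath it into `templates`. If full-path matching is not intended, `if File.file?(file_name) && File.basename(file_name).match?(template_pattern)` addresses both; if callers rely on path-qualified patterns, at least the `File.file?` guard is worth adding. When `template_pattern` is a String, as with the `cfn_nag_scan` default, `match?` converts it to a Regexp on every iteration; hoisting `pattern = Regexp.new(template_pattern)` above the loop avoids that. The enclosing method starts before this hunk.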