cfn-nag 0.6.1 → 0.6.6
- checksums.yaml +4 -4
- data/lib/cfn-nag/cfn_nag.rb +5 -0
- data/lib/cfn-nag/cfn_nag_config.rb +3 -0
- data/lib/cfn-nag/cfn_nag_executor.rb +1 -0
- data/lib/cfn-nag/cli_options.rb +11 -0
- data/lib/cfn-nag/custom_rules/ApiGatewayV2AccessLoggingRule.rb +1 -1
- data/lib/cfn-nag/custom_rules/SPCMRule.rb +4 -1
- data/lib/cfn-nag/iam_complexity_metric/condition_metric.rb +0 -2
- data/lib/cfn-nag/result_view/colored_stdout_results.rb +0 -2
- metadata +5 -5
    
        checksums.yaml
    CHANGED
    
    | @@ -1,7 +1,7 @@ | |
| 1 1 | 
             
            ---
         | 
| 2 2 | 
             
            SHA256:
         | 
| 3 | 
            -
              metadata.gz:  | 
| 4 | 
            -
              data.tar.gz:  | 
| 3 | 
            +
              metadata.gz: e529710ae1e5a122268d2a85e271e70ba5983833af5d3f14ac56a2178f6d62cb
         | 
| 4 | 
            +
              data.tar.gz: 9fcf608bcb2208cea25fcbef7b92de0c9ba8df2a57588c3e230f129d3e2e0f27
         | 
| 5 5 | 
             
            SHA512:
         | 
| 6 | 
            -
              metadata.gz:  | 
| 7 | 
            -
              data.tar.gz:  | 
| 6 | 
            +
              metadata.gz: 037bf3ac61698c91b18fff5f53444f734190f862b4b9db7d1e390c66463ded7e6554a7a38d74876f1b442e5fd06cb1d8f30377bc97b60749d7bcf8a98a93c747
         | 
| 7 | 
            +
              data.tar.gz: 3af9293f005c8c6f147e9c8a85aa256f0d8193b77ebbfcef7b416a8b52f0459f88f60f35e5f17d38b6d722da43ca9f1b3762d7de36d162602fe6782f8abedf2e
         | 
    
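--- a/data/lib/cfn-nag/cfn_nag.rb
+++ b/data/lib/cfn-nag/cfn_nag.rb
@@ -102,9 +102,14 @@ class CfnNag
       violations << fatal_violation(error)
     end
 
+    violations = prune_fatal_violations(violations) if @config.ignore_fatal
     audit_result(violations)
   end
 
+  def prune_fatal_violations(violations)
+    violations.reject { |violation| violation.type == Violation::FAILING_VIOLATION }
+  end
+
   def render_results(aggregate_results:,
                      output_format:)
     results_renderer(output_format).new.render(aggregate_results)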
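Review bot: `prune_fatal_violations` filters on `violation.type == Violation::FAILING_VIOLATION`, which selects by severity rather than by what made a violation fatal. If ordinary failing rule findings carry the same type (the Violation class is not visible here), running with `ignore_fatal` would also discard every real FAIL finding and let a non-compliant template pass a CI gate. Narrow the predicate to the marker that only `fatal_violation` sets, for example `violations.reject { |violation| violation.id == FATAL_ID }`, where `FATAL_ID` is a placeholder for that id. A spec asserting that a failing rule result survives the prune would pin this down. The enclosing method starts above the hunk.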
| @@ -9,6 +9,7 @@ class CfnNagConfig | |
| 9 9 | 
             
                             print_suppression: false,
         | 
| 10 10 | 
             
                             isolate_custom_rule_exceptions: false,
         | 
| 11 11 | 
             
                             fail_on_warnings: false,
         | 
| 12 | 
            +
                             ignore_fatal: false,
         | 
| 12 13 | 
             
                             rule_repository_definitions: [],
         | 
| 13 14 | 
             
                             rule_arguments: {})
         | 
| 14 15 | 
             
                @rule_directory = rule_directory
         | 
| @@ -24,6 +25,7 @@ class CfnNagConfig | |
| 24 25 | 
             
                @fail_on_warnings = fail_on_warnings
         | 
| 25 26 | 
             
                @rule_repositories = rule_repositories
         | 
| 26 27 | 
             
                @rule_arguments = rule_arguments
         | 
| 28 | 
            +
                @ignore_fatal = ignore_fatal
         | 
| 27 29 | 
             
              end
         | 
| 28 30 | 
             
              # rubocop:enable Metrics/ParameterLists
         | 
| 29 31 |  | 
| @@ -34,4 +36,5 @@ class CfnNagConfig | |
| 34 36 | 
             
              attr_reader :blacklist_definition
         | 
| 35 37 | 
             
              attr_reader :fail_on_warnings
         | 
| 36 38 | 
             
              attr_reader :rule_repositories
         | 
| 39 | 
            +
              attr_reader :ignore_fatal
         | 
| 37 40 | 
             
            end
         | 
| @@ -129,6 +129,7 @@ class CfnNagExecutor | |
| 129 129 | 
             
                  isolate_custom_rule_exceptions: opts[:isolate_custom_rule_exceptions],
         | 
| 130 130 | 
             
                  fail_on_warnings: opts[:fail_on_warnings],
         | 
| 131 131 | 
             
                  rule_repository_definitions: @rule_repository_definitions,
         | 
| 132 | 
            +
                  ignore_fatal: opts[:ignore_fatal],
         | 
| 132 133 | 
             
                  rule_arguments: merge_rule_arguments(opts)
         | 
| 133 134 | 
             
                )
         | 
| 134 135 | 
             
              end
         | 
    
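--- a/data/lib/cfn-nag/cli_options.rb
+++ b/data/lib/cfn-nag/cli_options.rb
@@ -100,6 +100,11 @@ class Options
           type: :string,
           required: false,
           default: nil
+      opt :ignore_fatal,
+          'Ignore files with fatal violations.  Useful for ignoring non-Cloudformation yaml/yml/json in a path',
+          type: :boolean,
+          required: false,
+          default: false
     end
   end
 
@@ -193,6 +198,12 @@ class Options
           type: :string,
           required: false,
           default: nil
+      opt :ignore_fatal,
+          'Ignore files with fatal violations.  Useful for ignoring non-Cloudformation yaml/yml/json in a path',
+          short: 'g',
+          type: :boolean,
+          required: false,
+          default: false
     end
   end
   # rubocop:enable Metrics/BlockLength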
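Review bot: The help string in both `opt :ignore_fatal` definitions says files are ignored, but not that a template which fails to parse then yields no finding at all, so a pipeline using this flag reports unparseable templates as clean. I would spell that out, e.g. `'Drop fatal (parse) violations from the results; files that cannot be parsed are reported without findings'`. The second definition adds `short: 'g'` while the first has no short form, so the two entry points accept different spellings; align them or add a comment explaining the difference. Both option blocks start above their hunks.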
| @@ -18,7 +18,7 @@ class ApiGatewayV2AccessLoggingRule < BaseRule | |
| 18 18 |  | 
| 19 19 | 
             
              def audit_impl(cfn_model)
         | 
| 20 20 | 
             
                violating_deployments = cfn_model.resources_by_type('AWS::ApiGatewayV2::Stage').select do |deployment|
         | 
| 21 | 
            -
                  deployment. | 
| 21 | 
            +
                  deployment.accessLogSettings.nil?
         | 
| 22 22 | 
             
                end
         | 
| 23 23 |  | 
| 24 24 | 
             
                violating_deployments.map(&:logical_resource_id)
         | 
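Review bot: The predicate `deployment.accessLogSettings.nil?` only tests that the property is present, so a stage whose `AccessLogSettings` is declared without a `DestinationArn` passes the rule although no access log would be delivered. Assuming the model exposes the property as the raw hash from the template (not visible here), the block body could be `settings = deployment.accessLogSettings` followed by `settings.nil? || settings['DestinationArn'].nil?`. A spec with an empty `AccessLogSettings` block would pin the behaviour. `audit_impl` continues past the hunk.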
| @@ -26,7 +26,10 @@ class SPCMRule < BaseRule | |
| 26 26 | 
             
                  policy_documents = SPCM.new.metric_impl(cfn_model)
         | 
| 27 27 | 
             
                rescue StandardError => catch_all_exception
         | 
| 28 28 | 
             
                  puts "Experimental SPCM rule is failing. Please report #{catch_all_exception} with the violating template"
         | 
| 29 | 
            -
                  policy_documents = { | 
| 29 | 
            +
                  policy_documents = {
         | 
| 30 | 
            +
                    'AWS::IAM::Policy' => {},
         | 
| 31 | 
            +
                    'AWS::IAM::Role' => {}
         | 
| 32 | 
            +
                  }
         | 
| 30 33 | 
             
                end
         | 
| 31 34 |  | 
| 32 35 | 
             
                threshold = spcm_threshold.nil? ? DEFAULT_THRESHOLD : spcm_threshold.to_i
         | 
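Review bot: The fallback assigned in the `rescue StandardError` branch makes the rule fail open: when `SPCM.new.metric_impl` raises, both resource types get an empty result and the template is reported with no complexity findings. The only trace is a `puts` on stdout, which is easy to miss in CI and is mixed into the tool's normal output; using `warn` with the same message would send it to stderr, and adding `catch_all_exception.class` to it would make reports easier to act on. A comment on the fallback such as `# fail open: an SPCM error yields no findings for either resource type` would make the trade-off explicit. The method begins above the hunk and continues below it.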
| @@ -6,7 +6,6 @@ require 'set' | |
| 6 6 | 
             
            class ConditionMetric
         | 
| 7 7 | 
             
              include Weights
         | 
| 8 8 |  | 
| 9 | 
            -
              # rubocop:disable Metrics/AbcSize
         | 
| 10 9 | 
             
              def metric(statement)
         | 
| 11 10 | 
             
                return 0 if statement.condition.nil?
         | 
| 12 11 |  | 
| @@ -18,7 +17,6 @@ class ConditionMetric | |
| 18 17 | 
             
                aggregate += values_with_policy_tags(statement.condition)
         | 
| 19 18 | 
             
                aggregate
         | 
| 20 19 | 
             
              end
         | 
| 21 | 
            -
              # rubocop:enable Metrics/AbcSize
         | 
| 22 20 |  | 
| 23 21 | 
             
              private
         | 
| 24 22 |  | 
| @@ -6,7 +6,6 @@ require 'cfn-nag/violation' | |
| 6 6 | 
             
            class ColoredStdoutResults < StdoutResults
         | 
| 7 7 | 
             
              private
         | 
| 8 8 |  | 
| 9 | 
            -
              # rubocop:disable Metrics/AbcSize
         | 
| 10 9 | 
             
              def message(message_type:,
         | 
| 11 10 | 
             
                          color:,
         | 
| 12 11 | 
             
                          message:,
         | 
| @@ -24,7 +23,6 @@ class ColoredStdoutResults < StdoutResults | |
| 24 23 | 
             
                puts colorize(color, '|') unless line_numbers.empty? && logical_resource_ids.nil?
         | 
| 25 24 | 
             
                puts colorize(color, "| #{message}")
         | 
| 26 25 | 
             
              end
         | 
| 27 | 
            -
              # rubocop:enable Metrics/AbcSize
         | 
| 28 26 |  | 
| 29 27 | 
             
              def color_code(color_symbol)
         | 
| 30 28 | 
             
                case color_symbol
         | 
    
        metadata
    CHANGED
    
    | @@ -1,14 +1,14 @@ | |
| 1 1 | 
             
            --- !ruby/object:Gem::Specification
         | 
| 2 2 | 
             
            name: cfn-nag
         | 
| 3 3 | 
             
            version: !ruby/object:Gem::Version
         | 
| 4 | 
            -
              version: 0.6. | 
| 4 | 
            +
              version: 0.6.6
         | 
| 5 5 | 
             
            platform: ruby
         | 
| 6 6 | 
             
            authors:
         | 
| 7 7 | 
             
            - Eric Kascic
         | 
| 8 8 | 
             
            autorequire: 
         | 
| 9 9 | 
             
            bindir: bin
         | 
| 10 10 | 
             
            cert_chain: []
         | 
| 11 | 
            -
            date: 2020- | 
| 11 | 
            +
            date: 2020-06-10 00:00:00.000000000 Z
         | 
| 12 12 | 
             
            dependencies:
         | 
| 13 13 | 
             
            - !ruby/object:Gem::Dependency
         | 
| 14 14 | 
             
              name: rake
         | 
| @@ -72,14 +72,14 @@ dependencies: | |
| 72 72 | 
             
                requirements:
         | 
| 73 73 | 
             
                - - '='
         | 
| 74 74 | 
             
                  - !ruby/object:Gem::Version
         | 
| 75 | 
            -
                    version: 0.5. | 
| 75 | 
            +
                    version: 0.5.1
         | 
| 76 76 | 
             
              type: :runtime
         | 
| 77 77 | 
             
              prerelease: false
         | 
| 78 78 | 
             
              version_requirements: !ruby/object:Gem::Requirement
         | 
| 79 79 | 
             
                requirements:
         | 
| 80 80 | 
             
                - - '='
         | 
| 81 81 | 
             
                  - !ruby/object:Gem::Version
         | 
| 82 | 
            -
                    version: 0.5. | 
| 82 | 
            +
                    version: 0.5.1
         | 
| 83 83 | 
             
            - !ruby/object:Gem::Dependency
         | 
| 84 84 | 
             
              name: logging
         | 
| 85 85 | 
             
              requirement: !ruby/object:Gem::Requirement
         | 
| @@ -381,7 +381,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement | |
| 381 381 | 
             
                - !ruby/object:Gem::Version
         | 
| 382 382 | 
             
                  version: '0'
         | 
| 383 383 | 
             
            requirements: []
         | 
| 384 | 
            -
            rubygems_version: 3.1. | 
| 384 | 
            +
            rubygems_version: 3.1.4
         | 
| 385 385 | 
             
            signing_key: 
         | 
| 386 386 | 
             
            specification_version: 4
         | 
| 387 387 | 
             
            summary: cfn-nag
         |