RubyGems - cfn-nag - Versions diffs - 0.6.23 → 0.7.4 - Mend

cfn-nag 0.6.23 → 0.7.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

checksums.yaml +4 -4
data/lib/cfn-nag/custom_rules/ApiGatewayCacheEncryptedRule.rb +34 -0
data/lib/cfn-nag/custom_rules/ECRRepositoryScanOnPushRule.rb +2 -2
data/lib/cfn-nag/custom_rules/KinesisFirehoseDeliveryStreamEncryptionRule.rb +39 -0
metadata +28 -13

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1c7606c36a3090b30bf520802dccc6b333605881e56618a60b12422517ad0068
-  data.tar.gz: bf80d7471ee01f6fb11f3439eea3f9dbbc7a35069b849dab0ad4c5ad3fab2b48
+  metadata.gz: 838ad5d1c9bd172785dd5009c33aedca7d5acf973c39a56d815663214aaf7010
+  data.tar.gz: 5d7047c7ad6a828b37ba3c68fc45417849b4bc5e7d939e26e4c575839c39e567
 SHA512:
-  metadata.gz: d4d3ac0f7e8f1196a98af8a0b366146f66bda4080a224cb0ca3130108b849a23ded6d3febbbf81807bee854ef4ca002b1b02c98f7376ed244066d9509aaf34e6
-  data.tar.gz: 7b33bd7abb7d9d37ed50ad5912fa7e718f5401c60781c5ab0ac4e878d7c5830ac8325fe73fcccf4dd8d1e772838d2bcee77cad140d2e90cfd5a32b3b9042da38
+  metadata.gz: e7c12a2a58f6044defc9f2ab4373dce38702df5bafbe7ed08517d83ad6373a276958d5cb4fb0f3b48ef8e04e612cbeb40261f46607e9e95261a2b916003632bf
+  data.tar.gz: 4f04233ab6e21028579e78f8ab0b0bb372506ab17d920b528dcbded27568973775650a0314e382a983767c0e6a8683a7ee827b21cf7dd3edfca543c47c6c09e5

data/lib/cfn-nag/custom_rules/ApiGatewayCacheEncryptedRule.rb ADDED Viewed

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+require 'cfn-nag/violation'
+require_relative 'base'
+class ApiGatewayCacheEncryptedRule < BaseRule
+  def rule_text
+    'ApiGateway Deployment should have cache data encryption enabled when caching is enabled' \
+    ' in StageDescription properties'
+  end
+  def rule_type
+    Violation::WARNING
+  end
+  def rule_id
+    'W87'
+  end
+  def audit_impl(cfn_model)
+    violating_deployments = cfn_model.resources_by_type('AWS::ApiGateway::Deployment').select do |deployment|
+      violating_deployment?(deployment)
+    end
+    violating_deployments.map(&:logical_resource_id)
+  end
+  private
+  def violating_deployment?(deployment)
+    !deployment.stageDescription.nil? && truthy?(deployment.stageDescription['CachingEnabled']) \
+    && !truthy?(deployment.stageDescription['CacheDataEncrypted'])
+  end
+end

data/lib/cfn-nag/custom_rules/ECRRepositoryScanOnPushRule.rb CHANGED Viewed

@@ -6,7 +6,7 @@ require_relative 'base'
 class ECRRepositoryScanOnPushRule < BaseRule
   def rule_text
-    'ECR Repository should have scanOnPush enabled'
+    'ECR Repository should have ScanOnPush enabled'
   end
   def rule_type
@@ -20,7 +20,7 @@ class ECRRepositoryScanOnPushRule < BaseRule
   def audit_impl(cfn_model)
     violating_ecr_registries = cfn_model.resources_by_type('AWS::ECR::Repository').select do |registry|
       registry.imageScanningConfiguration.nil? ||
-        !truthy?(registry.imageScanningConfiguration['scanOnPush'].to_s)
+        !truthy?(registry.imageScanningConfiguration['ScanOnPush'].to_s)
     end
     violating_ecr_registries.map(&:logical_resource_id)

data/lib/cfn-nag/custom_rules/KinesisFirehoseDeliveryStreamEncryptionRule.rb ADDED Viewed

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+require 'cfn-nag/violation'
+require_relative 'base'
+class KinesisFirehoseDeliveryStreamEncryptionRule < BaseRule
+  def rule_text
+    'Kinesis Firehose DeliveryStream of type DirectPut should specify SSE.'
+  end
+  def rule_type
+    Violation::WARNING
+  end
+  def rule_id
+    'W88'
+  end
+  def audit_impl(cfn_model)
+    violating_delivery_streams =
+      cfn_model.resources_by_type('AWS::KinesisFirehose::DeliveryStream').select do |delivery_stream|
+        violating_delivery_stream?(delivery_stream)
+      end
+    violating_delivery_streams.map(&:logical_resource_id)
+  end
+  private
+  def violating_delivery_stream?(delivery_stream)
+    if delivery_stream.deliveryStreamType == 'KinesisStreamAsSource'
+      false
+    elsif delivery_stream.deliveryStreamEncryptionConfigurationInput.nil?
+      true
+    else
+      delivery_stream.deliveryStreamEncryptionConfigurationInput['KeyType'].nil?
+    end
+  end
+end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cfn-nag
 version: !ruby/object:Gem::Version
-  version: 0.6.23
+  version: 0.7.4
 platform: ruby
 authors:
 - Eric Kascic
-autorequire:
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-01-19 00:00:00.000000000 Z
+date: 2021-03-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -58,28 +58,28 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.11'
+        version: '0.21'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.11'
+        version: '0.21'
 - !ruby/object:Gem::Dependency
   name: cfn-model
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.5.4
+        version: 0.6.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.5.4
+        version: 0.6.0
 - !ruby/object:Gem::Dependency
   name: logging
   requirement: !ruby/object:Gem::Requirement
@@ -150,8 +150,22 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 0.3.2
+- !ruby/object:Gem::Dependency
+  name: rexml
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: Auditing tool for CloudFormation templates
-email:
+email:
 executables:
 - cfn_nag
 - cfn_nag_rules
@@ -183,6 +197,7 @@ files:
 - lib/cfn-nag/custom_rules/AmplifyAppOauthTokenRule.rb
 - lib/cfn-nag/custom_rules/AmplifyBranchBasicAuthConfigPasswordRule.rb
 - lib/cfn-nag/custom_rules/ApiGatewayAccessLoggingRule.rb
+- lib/cfn-nag/custom_rules/ApiGatewayCacheEncryptedRule.rb
 - lib/cfn-nag/custom_rules/ApiGatewayDeploymentUsagePlanRule.rb
 - lib/cfn-nag/custom_rules/ApiGatewayMethodAuthorizationTypeRule.rb
 - lib/cfn-nag/custom_rules/ApiGatewaySecurityPolicyRule.rb
@@ -261,6 +276,7 @@ files:
 - lib/cfn-nag/custom_rules/KMSKeyRotationRule.rb
 - lib/cfn-nag/custom_rules/KMSKeyWildcardPrincipalRule.rb
 - lib/cfn-nag/custom_rules/KendraIndexServerSideEncryptionConfigurationKmsKeyIdRule.rb
+- lib/cfn-nag/custom_rules/KinesisFirehoseDeliveryStreamEncryptionRule.rb
 - lib/cfn-nag/custom_rules/KinesisFirehoseDeliveryStreamRedshiftDestinationConfigurationPasswordRule.rb
 - lib/cfn-nag/custom_rules/KinesisFirehoseDeliveryStreamSplunkDestinationConfigurationHECTokenRule.rb
 - lib/cfn-nag/custom_rules/KinesisStreamStreamEncryptionRule.rb
@@ -374,7 +390,7 @@ homepage: https://github.com/stelligent/cfn_nag
 licenses:
 - MIT
 metadata: {}
-post_install_message:
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -383,16 +399,15 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '2.2'
+      version: '2.5'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project:
-rubygems_version: 2.7.6
-signing_key:
+rubygems_version: 3.1.2
+signing_key:
 specification_version: 4
 summary: cfn-nag
 test_files: []