RubyGems - cfn-nag - Versions diffs - 0.6.23 → 0.7.4 - Mend

cfn-nag 0.6.23 → 0.7.4

Files changed (5) hide show

checksums.yaml +4 -4
data/lib/cfn-nag/custom_rules/ApiGatewayCacheEncryptedRule.rb +34 -0
data/lib/cfn-nag/custom_rules/ECRRepositoryScanOnPushRule.rb +2 -2
data/lib/cfn-nag/custom_rules/KinesisFirehoseDeliveryStreamEncryptionRule.rb +39 -0
metadata +28 -13

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1c7606c36a3090b30bf520802dccc6b333605881e56618a60b12422517ad0068
-  data.tar.gz: bf80d7471ee01f6fb11f3439eea3f9dbbc7a35069b849dab0ad4c5ad3fab2b48
+  metadata.gz: 838ad5d1c9bd172785dd5009c33aedca7d5acf973c39a56d815663214aaf7010
+  data.tar.gz: 5d7047c7ad6a828b37ba3c68fc45417849b4bc5e7d939e26e4c575839c39e567
 SHA512:
-  metadata.gz: d4d3ac0f7e8f1196a98af8a0b366146f66bda4080a224cb0ca3130108b849a23ded6d3febbbf81807bee854ef4ca002b1b02c98f7376ed244066d9509aaf34e6
-  data.tar.gz: 7b33bd7abb7d9d37ed50ad5912fa7e718f5401c60781c5ab0ac4e878d7c5830ac8325fe73fcccf4dd8d1e772838d2bcee77cad140d2e90cfd5a32b3b9042da38
+  metadata.gz: e7c12a2a58f6044defc9f2ab4373dce38702df5bafbe7ed08517d83ad6373a276958d5cb4fb0f3b48ef8e04e612cbeb40261f46607e9e95261a2b916003632bf
+  data.tar.gz: 4f04233ab6e21028579e78f8ab0b0bb372506ab17d920b528dcbded27568973775650a0314e382a983767c0e6a8683a7ee827b21cf7dd3edfca543c47c6c09e5

data/lib/cfn-nag/custom_rules/ApiGatewayCacheEncryptedRule.rb ADDED Viewed

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+require 'cfn-nag/violation'
+require_relative 'base'
+class ApiGatewayCacheEncryptedRule < BaseRule
+  def rule_text
+    'ApiGateway Deployment should have cache data encryption enabled when caching is enabled' \
+    ' in StageDescription properties'
+  end
+  def rule_type
+    Violation::WARNING
+  end
+  def rule_id
+    'W87'
+  end
+  def audit_impl(cfn_model)
+    violating_deployments = cfn_model.resources_by_type('AWS::ApiGateway::Deployment').select do |deployment|
+      violating_deployment?(deployment)
+    end
+    violating_deployments.map(&:logical_resource_id)
+  end
+  private
+  def violating_deployment?(deployment)
+    !deployment.stageDescription.nil? && truthy?(deployment.stageDescription['CachingEnabled']) \
+    && !truthy?(deployment.stageDescription['CacheDataEncrypted'])
+  end
+end

data/lib/cfn-nag/custom_rules/ECRRepositoryScanOnPushRule.rb CHANGED Viewed

@@ -6,7 +6,7 @@ require_relative 'base'
 class ECRRepositoryScanOnPushRule < BaseRule
   def rule_text
-    'ECR Repository should have scanOnPush enabled'
+    'ECR Repository should have ScanOnPush enabled'
   end
   def rule_type
@@ -20,7 +20,7 @@ class ECRRepositoryScanOnPushRule < BaseRule
   def audit_impl(cfn_model)
     violating_ecr_registries = cfn_model.resources_by_type('AWS::ECR::Repository').select do |registry|
       registry.imageScanningConfiguration.nil? ||
-        !truthy?(registry.imageScanningConfiguration['scanOnPush'].to_s)
+        !truthy?(registry.imageScanningConfiguration['ScanOnPush'].to_s)
     end
     violating_ecr_registries.map(&:logical_resource_id)

data/lib/cfn-nag/custom_rules/KinesisFirehoseDeliveryStreamEncryptionRule.rb ADDED Viewed

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+require 'cfn-nag/violation'
+require_relative 'base'
+class KinesisFirehoseDeliveryStreamEncryptionRule < BaseRule
+  def rule_text
+    'Kinesis Firehose DeliveryStream of type DirectPut should specify SSE.'
+  end
+  def rule_type
+    Violation::WARNING
+  end
+  def rule_id
+    'W88'
+  end
+  def audit_impl(cfn_model)
+    violating_delivery_streams =
+      cfn_model.resources_by_type('AWS::KinesisFirehose::DeliveryStream').select do |delivery_stream|
+        violating_delivery_stream?(delivery_stream)
+      end
+    violating_delivery_streams.map(&:logical_resource_id)
+  end
+  private
+  def violating_delivery_stream?(delivery_stream)
+    if delivery_stream.deliveryStreamType == 'KinesisStreamAsSource'
+      false
+    elsif delivery_stream.deliveryStreamEncryptionConfigurationInput.nil?
+      true
+    else
+      delivery_stream.deliveryStreamEncryptionConfigurationInput['KeyType'].nil?
+    end
+  end
+end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cfn-nag
 version: !ruby/object:Gem::Version
-  version: 0.6.23
+  version: 0.7.4
 platform: ruby
 authors:
 - Eric Kascic
-autorequire:
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-01-19 00:00:00.000000000 Z
+date: 2021-03-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -58,28 +58,28 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.11'
+        version: '0.21'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.11'
+        version: '0.21'
 - !ruby/object:Gem::Dependency
   name: cfn-model
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.5.4
+        version: 0.6.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.5.4
+        version: 0.6.0
 - !ruby/object:Gem::Dependency
   name: logging
   requirement: !ruby/object:Gem::Requirement
@@ -150,8 +150,22 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 0.3.2
+- !ruby/object:Gem::Dependency
+  name: rexml
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: Auditing tool for CloudFormation templates
-email:
+email:
 executables:
 - cfn_nag
 - cfn_nag_rules
@@ -183,6 +197,7 @@ files:
 - lib/cfn-nag/custom_rules/AmplifyAppOauthTokenRule.rb
 - lib/cfn-nag/custom_rules/AmplifyBranchBasicAuthConfigPasswordRule.rb
 - lib/cfn-nag/custom_rules/ApiGatewayAccessLoggingRule.rb
+- lib/cfn-nag/custom_rules/ApiGatewayCacheEncryptedRule.rb
 - lib/cfn-nag/custom_rules/ApiGatewayDeploymentUsagePlanRule.rb
 - lib/cfn-nag/custom_rules/ApiGatewayMethodAuthorizationTypeRule.rb
 - lib/cfn-nag/custom_rules/ApiGatewaySecurityPolicyRule.rb
@@ -261,6 +276,7 @@ files:
 - lib/cfn-nag/custom_rules/KMSKeyRotationRule.rb
 - lib/cfn-nag/custom_rules/KMSKeyWildcardPrincipalRule.rb
 - lib/cfn-nag/custom_rules/KendraIndexServerSideEncryptionConfigurationKmsKeyIdRule.rb
+- lib/cfn-nag/custom_rules/KinesisFirehoseDeliveryStreamEncryptionRule.rb
 - lib/cfn-nag/custom_rules/KinesisFirehoseDeliveryStreamRedshiftDestinationConfigurationPasswordRule.rb
 - lib/cfn-nag/custom_rules/KinesisFirehoseDeliveryStreamSplunkDestinationConfigurationHECTokenRule.rb
 - lib/cfn-nag/custom_rules/KinesisStreamStreamEncryptionRule.rb
@@ -374,7 +390,7 @@ homepage: https://github.com/stelligent/cfn_nag
 licenses:
 - MIT
 metadata: {}
-post_install_message:
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -383,16 +399,15 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '2.2'
+      version: '2.5'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project:
-rubygems_version: 2.7.6
-signing_key:
+rubygems_version: 3.1.2
+signing_key:
 specification_version: 4
 summary: cfn-nag
 test_files: []