cfn-nag 0.6.4 → 0.6.9

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: fb0243f0a2f327d0408fe6524596d7bf9a0ce8214fb217e869a785983dc30b88
-  data.tar.gz: e9bc6213a3beb72d785abb9e58908460771d36b2127d72d0dde421c4c22b5daa
+  metadata.gz: 3f9f1d1c26fcff5f16d5a7f08db72e28dc7f0d4494dfdd4290e9c4d2d1c73632
+  data.tar.gz: 61b1cd680139fdfcdfcead2f89a4d9df2bb829570f4dadc590930e366b83f0a6
 SHA512:
-  metadata.gz: 99a21920685b6a2a6762060c18d7aeef9881a2527e78324f949582a03b4003adba0713c5421a2bd2040e94c78cb969b1230cd6cbf1e624b7e3056050385011c2
-  data.tar.gz: 3ffb6ec0595927f615efa3e653083fc9efa4bd60db1a20f48591205a06c20ebc07efcf7e6c8330aef0eaee9508cadae34becbbf73c8b3d4ffab25d7491579cba
+  metadata.gz: 30581a3a555205ea494ec63dfa059ceb2b04faed4bc20a36465e4c93afaa401c6fc1c5da10b87055df47858b0f43b7982485415ac2da0ceef0942e4a084be60b
+  data.tar.gz: 775886736eabe0a51107d69663305ced348a357958d073ec6d0393ea1ec940f5530c1ae0c18a59e893a2eeab4211ad6cee255d9bc7b4d57594f6bedb9d68c42e

data/lib/cfn-nag/cfn_nag.rb

@@ -102,9 +102,14 @@ class CfnNag
       violations << fatal_violation(error)
     end
 
+    violations = prune_fatal_violations(violations) if @config.ignore_fatal
     audit_result(violations)
   end
 
+  def prune_fatal_violations(violations)
+    violations.reject { |violation| violation.type == Violation::FAILING_VIOLATION }
+  end
+
   def render_results(aggregate_results:,
                      output_format:)
     results_renderer(output_format).new.render(aggregate_results)

data/lib/cfn-nag/cfn_nag_config.rb

@@ -9,6 +9,7 @@ class CfnNagConfig
                  print_suppression: false,
                  isolate_custom_rule_exceptions: false,
                  fail_on_warnings: false,
+                 ignore_fatal: false,
                  rule_repository_definitions: [],
                  rule_arguments: {})
     @rule_directory = rule_directory
@@ -24,6 +25,7 @@ class CfnNagConfig
     @fail_on_warnings = fail_on_warnings
     @rule_repositories = rule_repositories
     @rule_arguments = rule_arguments
+    @ignore_fatal = ignore_fatal
   end
   # rubocop:enable Metrics/ParameterLists
 
@@ -34,4 +36,5 @@ class CfnNagConfig
   attr_reader :blacklist_definition
   attr_reader :fail_on_warnings
   attr_reader :rule_repositories
+  attr_reader :ignore_fatal
 end

data/lib/cfn-nag/cfn_nag_executor.rb

@@ -129,6 +129,7 @@ class CfnNagExecutor
       isolate_custom_rule_exceptions: opts[:isolate_custom_rule_exceptions],
       fail_on_warnings: opts[:fail_on_warnings],
       rule_repository_definitions: @rule_repository_definitions,
+      ignore_fatal: opts[:ignore_fatal],
       rule_arguments: merge_rule_arguments(opts)
     )
   end

data/lib/cfn-nag/cli_options.rb

@@ -100,6 +100,11 @@ class Options
           type: :string,
           required: false,
           default: nil
+      opt :ignore_fatal,
+          'Ignore files with fatal violations.  Useful for ignoring non-Cloudformation yaml/yml/json in a path',
+          type: :boolean,
+          required: false,
+          default: false
     end
   end
 
@@ -193,6 +198,12 @@ class Options
           type: :string,
           required: false,
           default: nil
+      opt :ignore_fatal,
+          'Ignore files with fatal violations.  Useful for ignoring non-Cloudformation yaml/yml/json in a path',
+          short: 'g',
+          type: :boolean,
+          required: false,
+          default: false
     end
   end
   # rubocop:enable Metrics/BlockLength

data/lib/cfn-nag/custom_rules/EC2NetworkAclEntryOverlappingPortsRule.rb

@@ -18,79 +18,80 @@ class EC2NetworkAclEntryOverlappingPortsRule < BaseRule
   end
 
   def audit_impl(cfn_model)
+    nacl_entries = cfn_model.resources_by_type('AWS::EC2::NetworkAclEntry')
+
+    # Select nacl entries that can be evaluated
+    nacl_entries.select! do |nacl_entry|
+      tcp_or_udp_protocol?(nacl_entry) && valid_ports?(nacl_entry)
+    end
+
     violating_nacl_entries = []
-    cfn_model.resources_by_type('AWS::EC2::NetworkAcl').each do |nacl|
-      violating_nacl_entries += violating_nacl_entries(nacl)
+
+    # Group entries by nacl id, ip type, and egress/ingress
+    grouped_nacl_entries = group_nacl_entries(nacl_entries)
+
+    grouped_nacl_entries.each do |grouping|
+      violating_nacl_entries += overlapping_port_entries(grouping)
     end
     violating_nacl_entries.map(&:logical_resource_id)
   end
 
   private
 
-  def overlapping_port_entries(nacl_entries)
-    unique_pairs(nacl_entries).select do |nacl_entry_pair|
-      tcp_or_udp_protocol?(nacl_entry_pair[0], nacl_entry_pair[1]) && overlap?(nacl_entry_pair[0], nacl_entry_pair[1])
-    end
+  def tcp_or_udp_protocol?(entry)
+    %w[6 17].include?(entry.protocol.to_s)
   end
 
-  def tcp_or_udp_protocol?(entry1, entry2)
-    %w[6 17].include?(entry1.protocol.to_s) && %w[6 17].include?(entry2.protocol.to_s)
+  def valid_ports?(entry)
+    !entry.portRange.nil? && valid_port_number?(entry.portRange['From']) && valid_port_number?(entry.portRange['To'])
   end
 
-  def unique_pairs(arr)
-    pairs_without_dupes = arr.product(arr).select { |pair| pair[0] != pair[1] }
-    pairs_without_dupes.reduce(Set.new) { |set_of_sets, pair| set_of_sets << Set.new(pair) }.to_a.map(&:to_a)
+  def valid_port_number?(port)
+    port.is_a?(Numeric) || (port.is_a?(String) && port.to_i(10) != 0)
   end
 
-  def overlap?(entry1, entry2)
-    roverlap?(entry1, entry2) || loverlap?(entry1, entry2)
-  end
+  def group_nacl_entries(nacl_entries)
+    grouped_nacl_entries = []
 
-  def roverlap?(entry1, entry2)
-    entry1.portRange['From'].between?(entry2.portRange['From'], entry2.portRange['To']) ||
-      entry1.portRange['To'].between?(entry2.portRange['From'], entry2.portRange['To'])
-  end
+    # Group by NaclID
+    nacl_entries.group_by(&:networkAclId).each_value do |entries|
+      # Split entries by ip type
+      ipv4_entries, ipv6_entries = entries.partition { |nacl_entry| nacl_entry.ipv6CidrBlock.nil? }
 
-  def loverlap?(entry1, entry2)
-    entry2.portRange['From'].between?(entry1.portRange['From'], entry1.portRange['To']) ||
-      entry2.portRange['To'].between?(entry1.portRange['From'], entry1.portRange['To'])
-  end
+      # Split entries by egress/ingress
+      egress4, ingress4 = ipv4_entries.partition { |nacl_entry| truthy?(nacl_entry.egress) }
+      egress6, ingress6 = ipv6_entries.partition { |nacl_entry| truthy?(nacl_entry.egress) }
 
-  def egress_entries(nacl_entries)
-    nacl_entries.select do |nacl_entry|
-      truthy?(nacl_entry.egress)
+      grouped_nacl_entries << egress4
+      grouped_nacl_entries << ingress4
+      grouped_nacl_entries << egress6
+      grouped_nacl_entries << ingress6
     end
-  end
 
-  def ingress_entries(nacl_entries)
-    nacl_entries.select do |nacl_entry|
-      not_truthy?(nacl_entry.egress)
-    end
+    grouped_nacl_entries
   end
 
-  def ip6_entries(nacl_entries)
-    nacl_entries.select do |nacl_entry|
-      !nacl_entry.ipv6CidrBlock.nil?
-    end
+  def overlapping_port_entries(nacl_entries)
+    unique_pairs(nacl_entries).select do |nacl_entry_pair|
+      overlap?(nacl_entry_pair[0], nacl_entry_pair[1])
+    end.flatten.uniq
   end
 
-  def ip4_entries(nacl_entries)
-    nacl_entries.select do |nacl_entry|
-      nacl_entry.ipv6CidrBlock.nil?
-    end
+  def unique_pairs(arr)
+    pairs_without_dupes = arr.product(arr).select { |pair| pair[0] != pair[1] }
+    pairs_without_dupes.reduce(Set.new) { |set_of_sets, pair| set_of_sets << Set.new(pair) }.to_a.map(&:to_a)
   end
 
-  def violating_nacl_entries(nacl)
-    violating_ip4_nacl_entries(nacl) || violating_ip6_nacl_entries(nacl)
+  def overlap?(entry1, entry2)
+    port_overlap?(entry1.portRange, entry2.portRange) || port_overlap?(entry2.portRange, entry1.portRange)
   end
 
-  def violating_ip4_nacl_entries(nacl)
-    overlapping_port_entries(egress_entries(ip4_entries(nacl.network_acl_entries))).flatten.uniq &&
-      overlapping_port_entries(ingress_entries(ip4_entries(nacl.network_acl_entries))).flatten.uniq
+  def port_overlap?(port_range1, port_range2)
+    port_number(port_range1['From']).between?(port_number(port_range2['From']), port_number(port_range2['To'])) ||
+      port_number(port_range1['To']).between?(port_number(port_range2['From']), port_number(port_range2['To']))
   end
 
-  def violating_ip6_nacl_entries(nacl)
-    overlapping_port_entries(egress_entries(ip6_entries(nacl.network_acl_entries))).flatten.uniq &&
-      overlapping_port_entries(ingress_entries(ip6_entries(nacl.network_acl_entries))).flatten.uniq
+  def port_number(port)
+    port.to_i
   end
 end

data/lib/cfn-nag/custom_rules/SPCMRule.rb

@@ -26,7 +26,10 @@ class SPCMRule < BaseRule
       policy_documents = SPCM.new.metric_impl(cfn_model)
     rescue StandardError => catch_all_exception
       puts "Experimental SPCM rule is failing. Please report #{catch_all_exception} with the violating template"
-      policy_documents = {}
+      policy_documents = {
+        'AWS::IAM::Policy' => {},
+        'AWS::IAM::Role' => {}
+      }
     end
 
     threshold = spcm_threshold.nil? ? DEFAULT_THRESHOLD : spcm_threshold.to_i

data/lib/cfn-nag/iam_complexity_metric/condition_metric.rb

@@ -6,7 +6,6 @@ require 'set'
 class ConditionMetric
   include Weights
 
-  # rubocop:disable Metrics/AbcSize
   def metric(statement)
     return 0 if statement.condition.nil?
 
@@ -18,7 +17,6 @@ class ConditionMetric
     aggregate += values_with_policy_tags(statement.condition)
     aggregate
   end
-  # rubocop:enable Metrics/AbcSize
 
   private
 

data/lib/cfn-nag/result_view/colored_stdout_results.rb

@@ -6,7 +6,6 @@ require 'cfn-nag/violation'
 class ColoredStdoutResults < StdoutResults
   private
 
-  # rubocop:disable Metrics/AbcSize
   def message(message_type:,
               color:,
               message:,
@@ -24,7 +23,6 @@ class ColoredStdoutResults < StdoutResults
     puts colorize(color, '|') unless line_numbers.empty? && logical_resource_ids.nil?
     puts colorize(color, "| #{message}")
   end
-  # rubocop:enable Metrics/AbcSize
 
   def color_code(color_symbol)
     case color_symbol

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cfn-nag
 version: !ruby/object:Gem::Version
-  version: 0.6.4
+  version: 0.6.9
 platform: ruby
 authors:
 - Eric Kascic
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-06-02 00:00:00.000000000 Z
+date: 2020-10-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -128,14 +128,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.60.1
+        version: '1.76'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.60.1
+        version: '1.76'
 - !ruby/object:Gem::Dependency
   name: lightly
   requirement: !ruby/object:Gem::Requirement
@@ -381,7 +381,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.3
+rubygems_version: 3.1.4
 signing_key: 
 specification_version: 4
 summary: cfn-nag