cfn-nag 0.7.13 → 0.8.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/bin/cfn_nag_rules +2 -2
- data/bin/spcm_scan +1 -1
- data/lib/cfn-nag/cfn_nag.rb +11 -11
- data/lib/cfn-nag/cfn_nag_config.rb +3 -3
- data/lib/cfn-nag/cfn_nag_executor.rb +5 -5
- data/lib/cfn-nag/cli_options.rb +15 -5
- data/lib/cfn-nag/custom_rules/AlexaASKSkillAuthenticationConfigurationClientSecretRule.rb +1 -1
- data/lib/cfn-nag/custom_rules/AlexaASKSkillAuthenticationConfigurationRefreshTokenRule.rb +1 -1
- data/lib/cfn-nag/custom_rules/AmazonMQBrokerUsersPasswordRule.rb +1 -1
- data/lib/cfn-nag/custom_rules/AmplifyAppAccessTokenRule.rb +2 -2
- data/lib/cfn-nag/custom_rules/AmplifyAppBasicAuthConfigPasswordRule.rb +2 -2
- data/lib/cfn-nag/custom_rules/AmplifyAppOauthTokenRule.rb +2 -2
- data/lib/cfn-nag/custom_rules/AmplifyBranchBasicAuthConfigPasswordRule.rb +2 -2
- data/lib/cfn-nag/custom_rules/ApiGatewayAccessLoggingRule.rb +1 -1
- data/lib/cfn-nag/custom_rules/ApiGatewayCacheEncryptedRule.rb +1 -1
- data/lib/cfn-nag/custom_rules/ApiGatewayMethodAuthorizationTypeRule.rb +1 -1
- data/lib/cfn-nag/custom_rules/AppStreamDirectoryConfigServiceAccountCredentialsAccountPasswordRule.rb +3 -3
- data/lib/cfn-nag/custom_rules/CodePipelineWebhookAuthenticationConfigurationSecretTokenRule.rb +2 -2
- data/lib/cfn-nag/custom_rules/CognitoIdentityPoolAllowUnauthenticatedIdentitiesRule.rb +1 -1
- data/lib/cfn-nag/custom_rules/DMSEndpointMongoDbSettingsPasswordRule.rb +2 -2
- data/lib/cfn-nag/custom_rules/DMSEndpointPasswordRule.rb +2 -2
- data/lib/cfn-nag/custom_rules/DirectoryServiceMicrosoftADPasswordRule.rb +2 -2
- data/lib/cfn-nag/custom_rules/DirectoryServiceSimpleADPasswordRule.rb +2 -2
- data/lib/cfn-nag/custom_rules/DocDBDBClusterMasterUserPasswordRule.rb +2 -2
- data/lib/cfn-nag/custom_rules/EC2NetworkAclEntryProtocolRule.rb +3 -7
- data/lib/cfn-nag/custom_rules/EKSClusterEncryptionRule.rb +1 -3
- data/lib/cfn-nag/custom_rules/EMRClusterKerberosAttributesADDomainJoinPasswordRule.rb +2 -2
- data/lib/cfn-nag/custom_rules/EMRClusterKerberosAttributesCrossRealmTrustPrincipalPasswordRule.rb +3 -3
- data/lib/cfn-nag/custom_rules/EMRClusterKerberosAttributesKdcAdminPasswordRule.rb +2 -2
- data/lib/cfn-nag/custom_rules/ElastiCacheReplicationGroupAuthTokenRule.rb +2 -2
- data/lib/cfn-nag/custom_rules/GameLiftFleetInboundPortRangeRule.rb +2 -0
- data/lib/cfn-nag/custom_rules/IAMUserLoginProfilePasswordRule.rb +2 -2
- data/lib/cfn-nag/custom_rules/IamUserLoginProfilePasswordResetRule.rb +4 -6
- data/lib/cfn-nag/custom_rules/KMSKeyWildcardPrincipalRule.rb +1 -1
- data/lib/cfn-nag/custom_rules/KinesisFirehoseDeliveryStreamRedshiftDestinationConfigurationPasswordRule.rb +3 -3
- data/lib/cfn-nag/custom_rules/KinesisFirehoseDeliveryStreamSplunkDestinationConfigurationHECTokenRule.rb +3 -3
- data/lib/cfn-nag/custom_rules/KinesisStreamStreamEncryptionRule.rb +3 -5
- data/lib/cfn-nag/custom_rules/LambdaPermissionEventSourceTokenRule.rb +2 -2
- data/lib/cfn-nag/custom_rules/LambdaPermissionInvokeFunctionActionRule.rb +1 -1
- data/lib/cfn-nag/custom_rules/ManagedBlockchainMemberMemberFabricConfigurationAdminPasswordRule.rb +4 -7
- data/lib/cfn-nag/custom_rules/OpsWorksAppAppSourcePasswordRule.rb +2 -2
- data/lib/cfn-nag/custom_rules/OpsWorksAppSslConfigurationPrivateKeyRule.rb +2 -2
- data/lib/cfn-nag/custom_rules/OpsWorksStackCustomCookbooksSourcePasswordRule.rb +2 -2
- data/lib/cfn-nag/custom_rules/OpsWorksStackRdsDbInstancesDbPasswordRule.rb +2 -2
- data/lib/cfn-nag/custom_rules/PinpointAPNSChannelPrivateKeyRule.rb +2 -2
- data/lib/cfn-nag/custom_rules/PinpointAPNSChannelTokenKeyRule.rb +2 -2
- data/lib/cfn-nag/custom_rules/PinpointAPNSSandboxChannelPrivateKeyRule.rb +2 -2
- data/lib/cfn-nag/custom_rules/PinpointAPNSSandboxChannelTokenKeyRule.rb +2 -2
- data/lib/cfn-nag/custom_rules/PinpointAPNSVoipChannelPrivateKeyRule.rb +2 -2
- data/lib/cfn-nag/custom_rules/PinpointAPNSVoipChannelTokenKeyRule.rb +2 -2
- data/lib/cfn-nag/custom_rules/PinpointAPNSVoipSandboxChannelPrivateKeyRule.rb +2 -2
- data/lib/cfn-nag/custom_rules/PinpointAPNSVoipSandboxChannelTokenKeyRule.rb +2 -2
- data/lib/cfn-nag/custom_rules/RDSDBClusterMasterUserPasswordRule.rb +2 -2
- data/lib/cfn-nag/custom_rules/RDSDBInstanceMasterUserPasswordRule.rb +2 -2
- data/lib/cfn-nag/custom_rules/RDSDBInstanceMasterUsernameRule.rb +2 -2
- data/lib/cfn-nag/custom_rules/RedshiftClusterMasterUserPasswordRule.rb +2 -2
- data/lib/cfn-nag/custom_rules/ResourceWithExplicitNameRule.rb +1 -1
- data/lib/cfn-nag/custom_rules/SecretsManagerSecretKmsKeyIdRule.rb +1 -1
- data/lib/cfn-nag/custom_rules/SecurityGroupIngressOpenToWorldRule.rb +1 -1
- data/lib/cfn-nag/custom_rules/SecurityGroupIngressPortRangeRule.rb +1 -1
- data/lib/cfn-nag/custom_rules/SecurityGroupMissingEgressRule.rb +1 -1
- data/lib/cfn-nag/custom_rules/SecurityGroupRuleDescriptionRule.rb +2 -2
- data/lib/cfn-nag/deny_list_loader.rb +43 -0
- data/lib/cfn-nag/iam_complexity_metric/spcm.rb +3 -3
- data/lib/cfn-nag/util/enforce_reference_parameter.rb +1 -1
- data/lib/cfn-nag/violation_filtering.rb +9 -9
- metadata +9 -9
- data/lib/cfn-nag/blacklist_loader.rb +0 -43
data/lib/cfn-nag/custom_rules/ManagedBlockchainMemberMemberFabricConfigurationAdminPasswordRule.rb
CHANGED
@@ -8,7 +8,7 @@ require_relative 'base'
|
|
8
8
|
class ManagedBlockchainMemberMemberFabricConfigurationAdminPasswordRule < BaseRule
|
9
9
|
def rule_text
|
10
10
|
'ManagedBlockchain Member MemberFabricConfiguration AdminPasswordRule must ' \
|
11
|
-
|
11
|
+
'not be a plaintext string or a Ref to a NoEcho Parameter with a Default value.'
|
12
12
|
end
|
13
13
|
|
14
14
|
def rule_type
|
@@ -42,14 +42,11 @@ class ManagedBlockchainMemberMemberFabricConfigurationAdminPasswordRule < BaseRu
|
|
42
42
|
# 'MemberFabricConfiguration'
|
43
43
|
# 'AdminPassword'
|
44
44
|
def password_property_does_not_exist(member)
|
45
|
-
if member.memberConfiguration['MemberFrameworkConfiguration'].nil?
|
46
|
-
|
47
|
-
elsif member.memberConfiguration['MemberFrameworkConfiguration']['MemberFabricConfiguration'].nil?
|
48
|
-
true
|
49
|
-
elsif member.memberConfiguration['MemberFrameworkConfiguration']['MemberFabricConfiguration']['AdminPassword'].nil?
|
45
|
+
if member.memberConfiguration['MemberFrameworkConfiguration'].nil? ||
|
46
|
+
member.memberConfiguration['MemberFrameworkConfiguration']['MemberFabricConfiguration'].nil?
|
50
47
|
true
|
51
48
|
else
|
52
|
-
|
49
|
+
member.memberConfiguration['MemberFrameworkConfiguration']['MemberFabricConfiguration']['AdminPassword'].nil?
|
53
50
|
end
|
54
51
|
end
|
55
52
|
end
|
@@ -6,8 +6,8 @@ require_relative 'password_base_rule'
|
|
6
6
|
class OpsWorksAppAppSourcePasswordRule < PasswordBaseRule
|
7
7
|
def rule_text
|
8
8
|
'OpsWorks App AppSource Password must not be a plaintext ' \
|
9
|
-
|
10
|
-
|
9
|
+
'string or a Ref to a Parameter with a Default value. ' \
|
10
|
+
'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
|
11
11
|
end
|
12
12
|
|
13
13
|
def rule_type
|
@@ -6,8 +6,8 @@ require_relative 'password_base_rule'
|
|
6
6
|
class OpsWorksAppSslConfigurationPrivateKeyRule < PasswordBaseRule
|
7
7
|
def rule_text
|
8
8
|
'OpsWorks App SslConfiguration PrivateKey must not be a plaintext ' \
|
9
|
-
|
10
|
-
|
9
|
+
'string or a Ref to a Parameter with a Default value. ' \
|
10
|
+
'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
|
11
11
|
end
|
12
12
|
|
13
13
|
def rule_type
|
@@ -6,8 +6,8 @@ require_relative 'password_base_rule'
|
|
6
6
|
class OpsWorksStackCustomCookbooksSourcePasswordRule < PasswordBaseRule
|
7
7
|
def rule_text
|
8
8
|
'OpsWorks Stack CustomCookbooksSource Password must not be a plaintext ' \
|
9
|
-
|
10
|
-
|
9
|
+
'string or a Ref to a Parameter with a Default value. ' \
|
10
|
+
'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
|
11
11
|
end
|
12
12
|
|
13
13
|
def rule_type
|
@@ -6,8 +6,8 @@ require_relative 'sub_property_with_list_password_base_rule'
|
|
6
6
|
class OpsWorksStackRdsDbInstancesDbPasswordRule < SubPropertyWithListPasswordBaseRule
|
7
7
|
def rule_text
|
8
8
|
'OpsWorks Stack RDS DbInstance DbPassword must not be a plaintext string '\
|
9
|
-
|
10
|
-
|
9
|
+
'or a Ref to a Parameter with a Default value. ' \
|
10
|
+
'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
|
11
11
|
end
|
12
12
|
|
13
13
|
def rule_type
|
@@ -6,8 +6,8 @@ require_relative 'password_base_rule'
|
|
6
6
|
class PinpointAPNSChannelPrivateKeyRule < PasswordBaseRule
|
7
7
|
def rule_text
|
8
8
|
'Pinpoint APNSChannel PrivateKey must not be a plaintext string ' \
|
9
|
-
|
10
|
-
|
9
|
+
'or a Ref to a Parameter with a Default value. ' \
|
10
|
+
'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
|
11
11
|
end
|
12
12
|
|
13
13
|
def rule_type
|
@@ -6,8 +6,8 @@ require_relative 'password_base_rule'
|
|
6
6
|
class PinpointAPNSChannelTokenKeyRule < PasswordBaseRule
|
7
7
|
def rule_text
|
8
8
|
'Pinpoint APNSChannel TokenKey must not be a plaintext string ' \
|
9
|
-
|
10
|
-
|
9
|
+
'or a Ref to a Parameter with a Default value. ' \
|
10
|
+
'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
|
11
11
|
end
|
12
12
|
|
13
13
|
def rule_type
|
@@ -6,8 +6,8 @@ require_relative 'password_base_rule'
|
|
6
6
|
class PinpointAPNSSandboxChannelPrivateKeyRule < PasswordBaseRule
|
7
7
|
def rule_text
|
8
8
|
'Pinpoint APNSSandboxChannel PrivateKey must not be a plaintext string ' \
|
9
|
-
|
10
|
-
|
9
|
+
'or a Ref to a Parameter with a Default value. ' \
|
10
|
+
'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
|
11
11
|
end
|
12
12
|
|
13
13
|
def rule_type
|
@@ -6,8 +6,8 @@ require_relative 'password_base_rule'
|
|
6
6
|
class PinpointAPNSSandboxChannelTokenKeyRule < PasswordBaseRule
|
7
7
|
def rule_text
|
8
8
|
'Pinpoint APNSSandboxChannel TokenKey must not be a plaintext string ' \
|
9
|
-
|
10
|
-
|
9
|
+
'or a Ref to a Parameter with a Default value. ' \
|
10
|
+
'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
|
11
11
|
end
|
12
12
|
|
13
13
|
def rule_type
|
@@ -6,8 +6,8 @@ require_relative 'password_base_rule'
|
|
6
6
|
class PinpointAPNSVoipChannelPrivateKeyRule < PasswordBaseRule
|
7
7
|
def rule_text
|
8
8
|
'Pinpoint APNSVoipChannel PrivateKey must not be a plaintext string ' \
|
9
|
-
|
10
|
-
|
9
|
+
'or a Ref to a Parameter with a Default value. ' \
|
10
|
+
'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
|
11
11
|
end
|
12
12
|
|
13
13
|
def rule_type
|
@@ -6,8 +6,8 @@ require_relative 'password_base_rule'
|
|
6
6
|
class PinpointAPNSVoipChannelTokenKeyRule < PasswordBaseRule
|
7
7
|
def rule_text
|
8
8
|
'Pinpoint APNSChannel TokenKey must not be a plaintext string ' \
|
9
|
-
|
10
|
-
|
9
|
+
'or a Ref to a Parameter with a Default value. ' \
|
10
|
+
'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
|
11
11
|
end
|
12
12
|
|
13
13
|
def rule_type
|
@@ -6,8 +6,8 @@ require_relative 'password_base_rule'
|
|
6
6
|
class PinpointAPNSVoipSandboxChannelPrivateKeyRule < PasswordBaseRule
|
7
7
|
def rule_text
|
8
8
|
'Pinpoint APNSVoipSandboxChannel PrivateKey must not be a plaintext ' \
|
9
|
-
|
10
|
-
|
9
|
+
'string or a Ref to a Parameter with a Default value. ' \
|
10
|
+
'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
|
11
11
|
end
|
12
12
|
|
13
13
|
def rule_type
|
@@ -6,8 +6,8 @@ require_relative 'password_base_rule'
|
|
6
6
|
class PinpointAPNSVoipSandboxChannelTokenKeyRule < PasswordBaseRule
|
7
7
|
def rule_text
|
8
8
|
'Pinpoint APNSVoipSandboxChannel TokenKey must not be a plaintext string ' \
|
9
|
-
|
10
|
-
|
9
|
+
'or a Ref to a Parameter with a Default value. ' \
|
10
|
+
'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
|
11
11
|
end
|
12
12
|
|
13
13
|
def rule_type
|
@@ -6,8 +6,8 @@ require_relative 'password_base_rule'
|
|
6
6
|
class RDSDBClusterMasterUserPasswordRule < PasswordBaseRule
|
7
7
|
def rule_text
|
8
8
|
'RDS DB Cluster master user password must not be a plaintext string ' \
|
9
|
-
|
10
|
-
|
9
|
+
'or a Ref to a Parameter with a Default value. ' \
|
10
|
+
'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
|
11
11
|
end
|
12
12
|
|
13
13
|
def rule_type
|
@@ -6,8 +6,8 @@ require_relative 'password_base_rule'
|
|
6
6
|
class RDSDBInstanceMasterUserPasswordRule < PasswordBaseRule
|
7
7
|
def rule_text
|
8
8
|
'RDS instance master user password must not be a plaintext string ' \
|
9
|
-
|
10
|
-
|
9
|
+
'or a Ref to a Parameter with a Default value. ' \
|
10
|
+
'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
|
11
11
|
end
|
12
12
|
|
13
13
|
def rule_type
|
@@ -7,8 +7,8 @@ require_relative 'password_base_rule'
|
|
7
7
|
class RDSDBInstanceMasterUsernameRule < PasswordBaseRule
|
8
8
|
def rule_text
|
9
9
|
'RDS instance master username must not be a plaintext string ' \
|
10
|
-
|
11
|
-
|
10
|
+
'or a Ref to a Parameter with a Default value. ' \
|
11
|
+
'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
|
12
12
|
end
|
13
13
|
|
14
14
|
def rule_type
|
@@ -6,8 +6,8 @@ require_relative 'password_base_rule'
|
|
6
6
|
class RedshiftClusterMasterUserPasswordRule < PasswordBaseRule
|
7
7
|
def rule_text
|
8
8
|
'Redshift Cluster master user password must not be a plaintext string ' \
|
9
|
-
|
10
|
-
|
9
|
+
'or a Ref to a Parameter with a Default value. ' \
|
10
|
+
'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
|
11
11
|
end
|
12
12
|
|
13
13
|
def rule_type
|
@@ -6,7 +6,7 @@ require_relative 'boolean_base_rule'
|
|
6
6
|
class SecretsManagerSecretKmsKeyIdRule < BooleanBaseRule
|
7
7
|
def rule_text
|
8
8
|
'Secrets Manager Secret should explicitly specify KmsKeyId.' \
|
9
|
-
|
9
|
+
' Besides control of the key this will allow the secret to be shared cross-account'
|
10
10
|
end
|
11
11
|
|
12
12
|
def rule_type
|
@@ -9,7 +9,7 @@ class SecurityGroupIngressOpenToWorldRule < BaseRule
|
|
9
9
|
|
10
10
|
def rule_text
|
11
11
|
'Security Groups found with cidr open to world on ingress. This should ' \
|
12
|
-
|
12
|
+
'never be true on instance. Permissible on ELB'
|
13
13
|
end
|
14
14
|
|
15
15
|
def rule_type
|
@@ -6,7 +6,7 @@ require_relative 'base'
|
|
6
6
|
class SecurityGroupMissingEgressRule < BaseRule
|
7
7
|
def rule_text
|
8
8
|
'Missing egress rule means all traffic is allowed outbound. Make this ' \
|
9
|
-
|
9
|
+
'explicit if it is desired configuration'
|
10
10
|
end
|
11
11
|
|
12
12
|
def rule_type
|
@@ -8,8 +8,8 @@ require 'cfn-nag/util/blank'
|
|
8
8
|
class SecurityGroupRuleDescriptionRule < BaseRule
|
9
9
|
def rule_text
|
10
10
|
'Security group rules without a description obscure their purpose and may '\
|
11
|
-
|
12
|
-
|
11
|
+
'lead to bad practices in ensuring they only allow traffic from the ports '\
|
12
|
+
'and sources/destinations required.'
|
13
13
|
end
|
14
14
|
|
15
15
|
def rule_type
|
@@ -0,0 +1,43 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
require 'yaml'
|
4
|
+
|
5
|
+
class DenyListLoader
|
6
|
+
def initialize(rules_registry)
|
7
|
+
@rules_registry = rules_registry
|
8
|
+
end
|
9
|
+
|
10
|
+
def load(deny_list_definition:)
|
11
|
+
raise 'Empty profile' if deny_list_definition.strip == ''
|
12
|
+
|
13
|
+
deny_list_ruleset = RuleIdSet.new
|
14
|
+
|
15
|
+
deny_list_hash = load_deny_list_yaml(deny_list_definition)
|
16
|
+
raise 'Deny list is malformed' unless deny_list_hash.is_a? Hash
|
17
|
+
|
18
|
+
rules_to_suppress = deny_list_hash.fetch('RulesToSuppress', {})
|
19
|
+
raise 'Missing RulesToSuppress key in deny list' if rules_to_suppress.empty?
|
20
|
+
|
21
|
+
rule_ids_to_suppress = rules_to_suppress.map { |rule| rule['id'] }
|
22
|
+
rule_ids_to_suppress.each do |rule_id|
|
23
|
+
check_valid_rule_id rule_id
|
24
|
+
deny_list_ruleset.add_rule rule_id
|
25
|
+
end
|
26
|
+
|
27
|
+
deny_list_ruleset
|
28
|
+
end
|
29
|
+
|
30
|
+
private
|
31
|
+
|
32
|
+
def load_deny_list_yaml(deny_list_definition)
|
33
|
+
YAML.safe_load(deny_list_definition)
|
34
|
+
rescue StandardError => yaml_parse_error
|
35
|
+
raise "YAML parse of deny list failed: #{yaml_parse_error}"
|
36
|
+
end
|
37
|
+
|
38
|
+
def check_valid_rule_id(rule_id)
|
39
|
+
return true unless @rules_registry.by_id(rule_id).nil?
|
40
|
+
|
41
|
+
raise "#{rule_id} is not a legal rule identifier from: #{@rules_registry.ids}"
|
42
|
+
end
|
43
|
+
end
|
@@ -11,8 +11,8 @@ class SPCM
|
|
11
11
|
parameter_values_path: nil,
|
12
12
|
condition_values_path: nil,
|
13
13
|
template_pattern: DEFAULT_TEMPLATE_PATTERN)
|
14
|
-
parameter_values_string = parameter_values_path.nil? ? nil :
|
15
|
-
condition_values_string = condition_values_path.nil? ? nil :
|
14
|
+
parameter_values_string = parameter_values_path.nil? ? nil : File.read(parameter_values_path)
|
15
|
+
condition_values_string = condition_values_path.nil? ? nil : File.read(condition_values_path)
|
16
16
|
|
17
17
|
templates = TemplateDiscovery.new.discover_templates(input_json_path: input_path,
|
18
18
|
template_pattern: template_pattern)
|
@@ -21,7 +21,7 @@ class SPCM
|
|
21
21
|
aggregate_results << {
|
22
22
|
filename: template,
|
23
23
|
file_results: metric(
|
24
|
-
cloudformation_string:
|
24
|
+
cloudformation_string: File.read(template),
|
25
25
|
parameter_values_string: parameter_values_string,
|
26
26
|
condition_values_string: condition_values_string
|
27
27
|
)
|
@@ -29,5 +29,5 @@ end
|
|
29
29
|
# is not present; otherwise returns true
|
30
30
|
def no_echo_and_no_default_parameter_check(cfn_model, key_to_check)
|
31
31
|
parameter = cfn_model.parameters[key_to_check['Ref']]
|
32
|
-
truthy?(parameter.noEcho) && parameter.default.nil?
|
32
|
+
!(truthy?(parameter.noEcho) && parameter.default.nil?)
|
33
33
|
end
|
@@ -1,7 +1,7 @@
|
|
1
1
|
# frozen_string_literal: true
|
2
2
|
|
3
3
|
require 'cfn-nag/profile_loader'
|
4
|
-
require 'cfn-nag/
|
4
|
+
require 'cfn-nag/deny_list_loader'
|
5
5
|
|
6
6
|
module ViolationFiltering
|
7
7
|
def filter_violations_by_profile(profile_definition:, rule_definitions:, violations:)
|
@@ -20,19 +20,19 @@ module ViolationFiltering
|
|
20
20
|
end
|
21
21
|
end
|
22
22
|
|
23
|
-
def
|
24
|
-
|
25
|
-
unless
|
23
|
+
def filter_violations_by_deny_list(deny_list_definition:, rule_definitions:, violations:)
|
24
|
+
deny_list = nil
|
25
|
+
unless deny_list_definition.nil?
|
26
26
|
begin
|
27
|
-
|
28
|
-
|
29
|
-
rescue StandardError =>
|
30
|
-
raise "
|
27
|
+
deny_list = DenyListLoader.new(rule_definitions)
|
28
|
+
.load(deny_list_definition: deny_list_definition)
|
29
|
+
rescue StandardError => deny_list_load_error
|
30
|
+
raise "Deny list loading error: #{deny_list_load_error}"
|
31
31
|
end
|
32
32
|
end
|
33
33
|
|
34
34
|
violations.reject do |violation|
|
35
|
-
!
|
35
|
+
!deny_list.nil? && deny_list.contains_rule?(violation.id)
|
36
36
|
end
|
37
37
|
end
|
38
38
|
end
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: cfn-nag
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.
|
4
|
+
version: 0.8.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Eric Kascic
|
8
|
-
autorequire:
|
8
|
+
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2021-
|
11
|
+
date: 2021-10-07 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: rake
|
@@ -72,14 +72,14 @@ dependencies:
|
|
72
72
|
requirements:
|
73
73
|
- - '='
|
74
74
|
- !ruby/object:Gem::Version
|
75
|
-
version: 0.6.
|
75
|
+
version: 0.6.3
|
76
76
|
type: :runtime
|
77
77
|
prerelease: false
|
78
78
|
version_requirements: !ruby/object:Gem::Requirement
|
79
79
|
requirements:
|
80
80
|
- - '='
|
81
81
|
- !ruby/object:Gem::Version
|
82
|
-
version: 0.6.
|
82
|
+
version: 0.6.3
|
83
83
|
- !ruby/object:Gem::Dependency
|
84
84
|
name: logging
|
85
85
|
requirement: !ruby/object:Gem::Requirement
|
@@ -165,7 +165,7 @@ dependencies:
|
|
165
165
|
- !ruby/object:Gem::Version
|
166
166
|
version: '0'
|
167
167
|
description: Auditing tool for CloudFormation templates
|
168
|
-
email:
|
168
|
+
email:
|
169
169
|
executables:
|
170
170
|
- cfn_nag
|
171
171
|
- cfn_nag_rules
|
@@ -180,7 +180,6 @@ files:
|
|
180
180
|
- bin/spcm_scan
|
181
181
|
- lib/cfn-nag.rb
|
182
182
|
- lib/cfn-nag/base_rule.rb
|
183
|
-
- lib/cfn-nag/blacklist_loader.rb
|
184
183
|
- lib/cfn-nag/cfn_nag.rb
|
185
184
|
- lib/cfn-nag/cfn_nag_config.rb
|
186
185
|
- lib/cfn-nag/cfn_nag_executor.rb
|
@@ -359,6 +358,7 @@ files:
|
|
359
358
|
- lib/cfn-nag/custom_rules/password_base_rule.rb
|
360
359
|
- lib/cfn-nag/custom_rules/resource_base_rule.rb
|
361
360
|
- lib/cfn-nag/custom_rules/sub_property_with_list_password_base_rule.rb
|
361
|
+
- lib/cfn-nag/deny_list_loader.rb
|
362
362
|
- lib/cfn-nag/iam_complexity_metric/condition_metric.rb
|
363
363
|
- lib/cfn-nag/iam_complexity_metric/html_results_renderer.rb
|
364
364
|
- lib/cfn-nag/iam_complexity_metric/policy_document_metric.rb
|
@@ -394,7 +394,7 @@ homepage: https://github.com/stelligent/cfn_nag
|
|
394
394
|
licenses:
|
395
395
|
- MIT
|
396
396
|
metadata: {}
|
397
|
-
post_install_message:
|
397
|
+
post_install_message:
|
398
398
|
rdoc_options: []
|
399
399
|
require_paths:
|
400
400
|
- lib
|
@@ -411,7 +411,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
411
411
|
version: '0'
|
412
412
|
requirements: []
|
413
413
|
rubygems_version: 3.1.2
|
414
|
-
signing_key:
|
414
|
+
signing_key:
|
415
415
|
specification_version: 4
|
416
416
|
summary: cfn-nag
|
417
417
|
test_files: []
|
@@ -1,43 +0,0 @@
|
|
1
|
-
# frozen_string_literal: true
|
2
|
-
|
3
|
-
require 'yaml'
|
4
|
-
|
5
|
-
class BlackListLoader
|
6
|
-
def initialize(rules_registry)
|
7
|
-
@rules_registry = rules_registry
|
8
|
-
end
|
9
|
-
|
10
|
-
def load(blacklist_definition:)
|
11
|
-
raise 'Empty profile' if blacklist_definition.strip == ''
|
12
|
-
|
13
|
-
blacklist_ruleset = RuleIdSet.new
|
14
|
-
|
15
|
-
blacklist_hash = load_blacklist_yaml(blacklist_definition)
|
16
|
-
raise 'Blacklist is malformed' unless blacklist_hash.is_a? Hash
|
17
|
-
|
18
|
-
rules_to_suppress = blacklist_hash.fetch('RulesToSuppress', {})
|
19
|
-
raise 'Missing RulesToSuppress key in black list' if rules_to_suppress.empty?
|
20
|
-
|
21
|
-
rule_ids_to_suppress = rules_to_suppress.map { |rule| rule['id'] }
|
22
|
-
rule_ids_to_suppress.each do |rule_id|
|
23
|
-
check_valid_rule_id rule_id
|
24
|
-
blacklist_ruleset.add_rule rule_id
|
25
|
-
end
|
26
|
-
|
27
|
-
blacklist_ruleset
|
28
|
-
end
|
29
|
-
|
30
|
-
private
|
31
|
-
|
32
|
-
def load_blacklist_yaml(blacklist_definition)
|
33
|
-
YAML.safe_load(blacklist_definition)
|
34
|
-
rescue StandardError => yaml_parse_error
|
35
|
-
raise "YAML parse of blacklist failed: #{yaml_parse_error}"
|
36
|
-
end
|
37
|
-
|
38
|
-
def check_valid_rule_id(rule_id)
|
39
|
-
return true unless @rules_registry.by_id(rule_id).nil?
|
40
|
-
|
41
|
-
raise "#{rule_id} is not a legal rule identifier from: #{@rules_registry.ids}"
|
42
|
-
end
|
43
|
-
end
|