cfn-nag 0.7.13 → 0.8.0

Sign up to get free protection for your applications and to get access to all the features.
Files changed (69) hide show
  1. checksums.yaml +4 -4
  2. data/bin/cfn_nag_rules +2 -2
  3. data/bin/spcm_scan +1 -1
  4. data/lib/cfn-nag/cfn_nag.rb +11 -11
  5. data/lib/cfn-nag/cfn_nag_config.rb +3 -3
  6. data/lib/cfn-nag/cfn_nag_executor.rb +5 -5
  7. data/lib/cfn-nag/cli_options.rb +15 -5
  8. data/lib/cfn-nag/custom_rules/AlexaASKSkillAuthenticationConfigurationClientSecretRule.rb +1 -1
  9. data/lib/cfn-nag/custom_rules/AlexaASKSkillAuthenticationConfigurationRefreshTokenRule.rb +1 -1
  10. data/lib/cfn-nag/custom_rules/AmazonMQBrokerUsersPasswordRule.rb +1 -1
  11. data/lib/cfn-nag/custom_rules/AmplifyAppAccessTokenRule.rb +2 -2
  12. data/lib/cfn-nag/custom_rules/AmplifyAppBasicAuthConfigPasswordRule.rb +2 -2
  13. data/lib/cfn-nag/custom_rules/AmplifyAppOauthTokenRule.rb +2 -2
  14. data/lib/cfn-nag/custom_rules/AmplifyBranchBasicAuthConfigPasswordRule.rb +2 -2
  15. data/lib/cfn-nag/custom_rules/ApiGatewayAccessLoggingRule.rb +1 -1
  16. data/lib/cfn-nag/custom_rules/ApiGatewayCacheEncryptedRule.rb +1 -1
  17. data/lib/cfn-nag/custom_rules/ApiGatewayMethodAuthorizationTypeRule.rb +1 -1
  18. data/lib/cfn-nag/custom_rules/AppStreamDirectoryConfigServiceAccountCredentialsAccountPasswordRule.rb +3 -3
  19. data/lib/cfn-nag/custom_rules/CodePipelineWebhookAuthenticationConfigurationSecretTokenRule.rb +2 -2
  20. data/lib/cfn-nag/custom_rules/CognitoIdentityPoolAllowUnauthenticatedIdentitiesRule.rb +1 -1
  21. data/lib/cfn-nag/custom_rules/DMSEndpointMongoDbSettingsPasswordRule.rb +2 -2
  22. data/lib/cfn-nag/custom_rules/DMSEndpointPasswordRule.rb +2 -2
  23. data/lib/cfn-nag/custom_rules/DirectoryServiceMicrosoftADPasswordRule.rb +2 -2
  24. data/lib/cfn-nag/custom_rules/DirectoryServiceSimpleADPasswordRule.rb +2 -2
  25. data/lib/cfn-nag/custom_rules/DocDBDBClusterMasterUserPasswordRule.rb +2 -2
  26. data/lib/cfn-nag/custom_rules/EC2NetworkAclEntryProtocolRule.rb +3 -7
  27. data/lib/cfn-nag/custom_rules/EKSClusterEncryptionRule.rb +1 -3
  28. data/lib/cfn-nag/custom_rules/EMRClusterKerberosAttributesADDomainJoinPasswordRule.rb +2 -2
  29. data/lib/cfn-nag/custom_rules/EMRClusterKerberosAttributesCrossRealmTrustPrincipalPasswordRule.rb +3 -3
  30. data/lib/cfn-nag/custom_rules/EMRClusterKerberosAttributesKdcAdminPasswordRule.rb +2 -2
  31. data/lib/cfn-nag/custom_rules/ElastiCacheReplicationGroupAuthTokenRule.rb +2 -2
  32. data/lib/cfn-nag/custom_rules/GameLiftFleetInboundPortRangeRule.rb +2 -0
  33. data/lib/cfn-nag/custom_rules/IAMUserLoginProfilePasswordRule.rb +2 -2
  34. data/lib/cfn-nag/custom_rules/IamUserLoginProfilePasswordResetRule.rb +4 -6
  35. data/lib/cfn-nag/custom_rules/KMSKeyWildcardPrincipalRule.rb +1 -1
  36. data/lib/cfn-nag/custom_rules/KinesisFirehoseDeliveryStreamRedshiftDestinationConfigurationPasswordRule.rb +3 -3
  37. data/lib/cfn-nag/custom_rules/KinesisFirehoseDeliveryStreamSplunkDestinationConfigurationHECTokenRule.rb +3 -3
  38. data/lib/cfn-nag/custom_rules/KinesisStreamStreamEncryptionRule.rb +3 -5
  39. data/lib/cfn-nag/custom_rules/LambdaPermissionEventSourceTokenRule.rb +2 -2
  40. data/lib/cfn-nag/custom_rules/LambdaPermissionInvokeFunctionActionRule.rb +1 -1
  41. data/lib/cfn-nag/custom_rules/ManagedBlockchainMemberMemberFabricConfigurationAdminPasswordRule.rb +4 -7
  42. data/lib/cfn-nag/custom_rules/OpsWorksAppAppSourcePasswordRule.rb +2 -2
  43. data/lib/cfn-nag/custom_rules/OpsWorksAppSslConfigurationPrivateKeyRule.rb +2 -2
  44. data/lib/cfn-nag/custom_rules/OpsWorksStackCustomCookbooksSourcePasswordRule.rb +2 -2
  45. data/lib/cfn-nag/custom_rules/OpsWorksStackRdsDbInstancesDbPasswordRule.rb +2 -2
  46. data/lib/cfn-nag/custom_rules/PinpointAPNSChannelPrivateKeyRule.rb +2 -2
  47. data/lib/cfn-nag/custom_rules/PinpointAPNSChannelTokenKeyRule.rb +2 -2
  48. data/lib/cfn-nag/custom_rules/PinpointAPNSSandboxChannelPrivateKeyRule.rb +2 -2
  49. data/lib/cfn-nag/custom_rules/PinpointAPNSSandboxChannelTokenKeyRule.rb +2 -2
  50. data/lib/cfn-nag/custom_rules/PinpointAPNSVoipChannelPrivateKeyRule.rb +2 -2
  51. data/lib/cfn-nag/custom_rules/PinpointAPNSVoipChannelTokenKeyRule.rb +2 -2
  52. data/lib/cfn-nag/custom_rules/PinpointAPNSVoipSandboxChannelPrivateKeyRule.rb +2 -2
  53. data/lib/cfn-nag/custom_rules/PinpointAPNSVoipSandboxChannelTokenKeyRule.rb +2 -2
  54. data/lib/cfn-nag/custom_rules/RDSDBClusterMasterUserPasswordRule.rb +2 -2
  55. data/lib/cfn-nag/custom_rules/RDSDBInstanceMasterUserPasswordRule.rb +2 -2
  56. data/lib/cfn-nag/custom_rules/RDSDBInstanceMasterUsernameRule.rb +2 -2
  57. data/lib/cfn-nag/custom_rules/RedshiftClusterMasterUserPasswordRule.rb +2 -2
  58. data/lib/cfn-nag/custom_rules/ResourceWithExplicitNameRule.rb +1 -1
  59. data/lib/cfn-nag/custom_rules/SecretsManagerSecretKmsKeyIdRule.rb +1 -1
  60. data/lib/cfn-nag/custom_rules/SecurityGroupIngressOpenToWorldRule.rb +1 -1
  61. data/lib/cfn-nag/custom_rules/SecurityGroupIngressPortRangeRule.rb +1 -1
  62. data/lib/cfn-nag/custom_rules/SecurityGroupMissingEgressRule.rb +1 -1
  63. data/lib/cfn-nag/custom_rules/SecurityGroupRuleDescriptionRule.rb +2 -2
  64. data/lib/cfn-nag/deny_list_loader.rb +43 -0
  65. data/lib/cfn-nag/iam_complexity_metric/spcm.rb +3 -3
  66. data/lib/cfn-nag/util/enforce_reference_parameter.rb +1 -1
  67. data/lib/cfn-nag/violation_filtering.rb +9 -9
  68. metadata +9 -9
  69. data/lib/cfn-nag/blacklist_loader.rb +0 -43
@@ -6,7 +6,7 @@ require_relative 'base'
6
6
  class LambdaPermissionInvokeFunctionActionRule < BaseRule
7
7
  def rule_text
8
8
  'Lambda permission beside InvokeFunction might not be what you want? ' \
9
- 'Not sure!?'
9
+ 'Not sure!?'
10
10
  end
11
11
 
12
12
  def rule_type
@@ -8,7 +8,7 @@ require_relative 'base'
8
8
  class ManagedBlockchainMemberMemberFabricConfigurationAdminPasswordRule < BaseRule
9
9
  def rule_text
10
10
  'ManagedBlockchain Member MemberFabricConfiguration AdminPasswordRule must ' \
11
- 'not be a plaintext string or a Ref to a NoEcho Parameter with a Default value.'
11
+ 'not be a plaintext string or a Ref to a NoEcho Parameter with a Default value.'
12
12
  end
13
13
 
14
14
  def rule_type
@@ -42,14 +42,11 @@ class ManagedBlockchainMemberMemberFabricConfigurationAdminPasswordRule < BaseRu
42
42
  # 'MemberFabricConfiguration'
43
43
  # 'AdminPassword'
44
44
  def password_property_does_not_exist(member)
45
- if member.memberConfiguration['MemberFrameworkConfiguration'].nil?
46
- true
47
- elsif member.memberConfiguration['MemberFrameworkConfiguration']['MemberFabricConfiguration'].nil?
48
- true
49
- elsif member.memberConfiguration['MemberFrameworkConfiguration']['MemberFabricConfiguration']['AdminPassword'].nil?
45
+ if member.memberConfiguration['MemberFrameworkConfiguration'].nil? ||
46
+ member.memberConfiguration['MemberFrameworkConfiguration']['MemberFabricConfiguration'].nil?
50
47
  true
51
48
  else
52
- false
49
+ member.memberConfiguration['MemberFrameworkConfiguration']['MemberFabricConfiguration']['AdminPassword'].nil?
53
50
  end
54
51
  end
55
52
  end
@@ -6,8 +6,8 @@ require_relative 'password_base_rule'
6
6
  class OpsWorksAppAppSourcePasswordRule < PasswordBaseRule
7
7
  def rule_text
8
8
  'OpsWorks App AppSource Password must not be a plaintext ' \
9
- 'string or a Ref to a Parameter with a Default value. ' \
10
- 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
9
+ 'string or a Ref to a Parameter with a Default value. ' \
10
+ 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
11
11
  end
12
12
 
13
13
  def rule_type
@@ -6,8 +6,8 @@ require_relative 'password_base_rule'
6
6
  class OpsWorksAppSslConfigurationPrivateKeyRule < PasswordBaseRule
7
7
  def rule_text
8
8
  'OpsWorks App SslConfiguration PrivateKey must not be a plaintext ' \
9
- 'string or a Ref to a Parameter with a Default value. ' \
10
- 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
9
+ 'string or a Ref to a Parameter with a Default value. ' \
10
+ 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
11
11
  end
12
12
 
13
13
  def rule_type
@@ -6,8 +6,8 @@ require_relative 'password_base_rule'
6
6
  class OpsWorksStackCustomCookbooksSourcePasswordRule < PasswordBaseRule
7
7
  def rule_text
8
8
  'OpsWorks Stack CustomCookbooksSource Password must not be a plaintext ' \
9
- 'string or a Ref to a Parameter with a Default value. ' \
10
- 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
9
+ 'string or a Ref to a Parameter with a Default value. ' \
10
+ 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
11
11
  end
12
12
 
13
13
  def rule_type
@@ -6,8 +6,8 @@ require_relative 'sub_property_with_list_password_base_rule'
6
6
  class OpsWorksStackRdsDbInstancesDbPasswordRule < SubPropertyWithListPasswordBaseRule
7
7
  def rule_text
8
8
  'OpsWorks Stack RDS DbInstance DbPassword must not be a plaintext string '\
9
- 'or a Ref to a Parameter with a Default value. ' \
10
- 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
9
+ 'or a Ref to a Parameter with a Default value. ' \
10
+ 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
11
11
  end
12
12
 
13
13
  def rule_type
@@ -6,8 +6,8 @@ require_relative 'password_base_rule'
6
6
  class PinpointAPNSChannelPrivateKeyRule < PasswordBaseRule
7
7
  def rule_text
8
8
  'Pinpoint APNSChannel PrivateKey must not be a plaintext string ' \
9
- 'or a Ref to a Parameter with a Default value. ' \
10
- 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
9
+ 'or a Ref to a Parameter with a Default value. ' \
10
+ 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
11
11
  end
12
12
 
13
13
  def rule_type
@@ -6,8 +6,8 @@ require_relative 'password_base_rule'
6
6
  class PinpointAPNSChannelTokenKeyRule < PasswordBaseRule
7
7
  def rule_text
8
8
  'Pinpoint APNSChannel TokenKey must not be a plaintext string ' \
9
- 'or a Ref to a Parameter with a Default value. ' \
10
- 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
9
+ 'or a Ref to a Parameter with a Default value. ' \
10
+ 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
11
11
  end
12
12
 
13
13
  def rule_type
@@ -6,8 +6,8 @@ require_relative 'password_base_rule'
6
6
  class PinpointAPNSSandboxChannelPrivateKeyRule < PasswordBaseRule
7
7
  def rule_text
8
8
  'Pinpoint APNSSandboxChannel PrivateKey must not be a plaintext string ' \
9
- 'or a Ref to a Parameter with a Default value. ' \
10
- 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
9
+ 'or a Ref to a Parameter with a Default value. ' \
10
+ 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
11
11
  end
12
12
 
13
13
  def rule_type
@@ -6,8 +6,8 @@ require_relative 'password_base_rule'
6
6
  class PinpointAPNSSandboxChannelTokenKeyRule < PasswordBaseRule
7
7
  def rule_text
8
8
  'Pinpoint APNSSandboxChannel TokenKey must not be a plaintext string ' \
9
- 'or a Ref to a Parameter with a Default value. ' \
10
- 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
9
+ 'or a Ref to a Parameter with a Default value. ' \
10
+ 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
11
11
  end
12
12
 
13
13
  def rule_type
@@ -6,8 +6,8 @@ require_relative 'password_base_rule'
6
6
  class PinpointAPNSVoipChannelPrivateKeyRule < PasswordBaseRule
7
7
  def rule_text
8
8
  'Pinpoint APNSVoipChannel PrivateKey must not be a plaintext string ' \
9
- 'or a Ref to a Parameter with a Default value. ' \
10
- 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
9
+ 'or a Ref to a Parameter with a Default value. ' \
10
+ 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
11
11
  end
12
12
 
13
13
  def rule_type
@@ -6,8 +6,8 @@ require_relative 'password_base_rule'
6
6
  class PinpointAPNSVoipChannelTokenKeyRule < PasswordBaseRule
7
7
  def rule_text
8
8
  'Pinpoint APNSChannel TokenKey must not be a plaintext string ' \
9
- 'or a Ref to a Parameter with a Default value. ' \
10
- 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
9
+ 'or a Ref to a Parameter with a Default value. ' \
10
+ 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
11
11
  end
12
12
 
13
13
  def rule_type
@@ -6,8 +6,8 @@ require_relative 'password_base_rule'
6
6
  class PinpointAPNSVoipSandboxChannelPrivateKeyRule < PasswordBaseRule
7
7
  def rule_text
8
8
  'Pinpoint APNSVoipSandboxChannel PrivateKey must not be a plaintext ' \
9
- 'string or a Ref to a Parameter with a Default value. ' \
10
- 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
9
+ 'string or a Ref to a Parameter with a Default value. ' \
10
+ 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
11
11
  end
12
12
 
13
13
  def rule_type
@@ -6,8 +6,8 @@ require_relative 'password_base_rule'
6
6
  class PinpointAPNSVoipSandboxChannelTokenKeyRule < PasswordBaseRule
7
7
  def rule_text
8
8
  'Pinpoint APNSVoipSandboxChannel TokenKey must not be a plaintext string ' \
9
- 'or a Ref to a Parameter with a Default value. ' \
10
- 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
9
+ 'or a Ref to a Parameter with a Default value. ' \
10
+ 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
11
11
  end
12
12
 
13
13
  def rule_type
@@ -6,8 +6,8 @@ require_relative 'password_base_rule'
6
6
  class RDSDBClusterMasterUserPasswordRule < PasswordBaseRule
7
7
  def rule_text
8
8
  'RDS DB Cluster master user password must not be a plaintext string ' \
9
- 'or a Ref to a Parameter with a Default value. ' \
10
- 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
9
+ 'or a Ref to a Parameter with a Default value. ' \
10
+ 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
11
11
  end
12
12
 
13
13
  def rule_type
@@ -6,8 +6,8 @@ require_relative 'password_base_rule'
6
6
  class RDSDBInstanceMasterUserPasswordRule < PasswordBaseRule
7
7
  def rule_text
8
8
  'RDS instance master user password must not be a plaintext string ' \
9
- 'or a Ref to a Parameter with a Default value. ' \
10
- 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
9
+ 'or a Ref to a Parameter with a Default value. ' \
10
+ 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
11
11
  end
12
12
 
13
13
  def rule_type
@@ -7,8 +7,8 @@ require_relative 'password_base_rule'
7
7
  class RDSDBInstanceMasterUsernameRule < PasswordBaseRule
8
8
  def rule_text
9
9
  'RDS instance master username must not be a plaintext string ' \
10
- 'or a Ref to a Parameter with a Default value. ' \
11
- 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
10
+ 'or a Ref to a Parameter with a Default value. ' \
11
+ 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
12
12
  end
13
13
 
14
14
  def rule_type
@@ -6,8 +6,8 @@ require_relative 'password_base_rule'
6
6
  class RedshiftClusterMasterUserPasswordRule < PasswordBaseRule
7
7
  def rule_text
8
8
  'Redshift Cluster master user password must not be a plaintext string ' \
9
- 'or a Ref to a Parameter with a Default value. ' \
10
- 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
9
+ 'or a Ref to a Parameter with a Default value. ' \
10
+ 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
11
11
  end
12
12
 
13
13
  def rule_type
@@ -26,7 +26,7 @@ class ResourceWithExplicitNameRule < BaseRule
26
26
 
27
27
  def rule_text
28
28
  'Resource found with an explicit name, this disallows updates that ' \
29
- 'require replacement of this resource'
29
+ 'require replacement of this resource'
30
30
  end
31
31
 
32
32
  def rule_type
@@ -6,7 +6,7 @@ require_relative 'boolean_base_rule'
6
6
  class SecretsManagerSecretKmsKeyIdRule < BooleanBaseRule
7
7
  def rule_text
8
8
  'Secrets Manager Secret should explicitly specify KmsKeyId.' \
9
- ' Besides control of the key this will allow the secret to be shared cross-account'
9
+ ' Besides control of the key this will allow the secret to be shared cross-account'
10
10
  end
11
11
 
12
12
  def rule_type
@@ -9,7 +9,7 @@ class SecurityGroupIngressOpenToWorldRule < BaseRule
9
9
 
10
10
  def rule_text
11
11
  'Security Groups found with cidr open to world on ingress. This should ' \
12
- 'never be true on instance. Permissible on ELB'
12
+ 'never be true on instance. Permissible on ELB'
13
13
  end
14
14
 
15
15
  def rule_type
@@ -6,7 +6,7 @@ require_relative 'base'
6
6
  class SecurityGroupIngressPortRangeRule < BaseRule
7
7
  def rule_text
8
8
  'Security Groups found ingress with port range instead of just a single ' \
9
- 'port'
9
+ 'port'
10
10
  end
11
11
 
12
12
  def rule_type
@@ -6,7 +6,7 @@ require_relative 'base'
6
6
  class SecurityGroupMissingEgressRule < BaseRule
7
7
  def rule_text
8
8
  'Missing egress rule means all traffic is allowed outbound. Make this ' \
9
- 'explicit if it is desired configuration'
9
+ 'explicit if it is desired configuration'
10
10
  end
11
11
 
12
12
  def rule_type
@@ -8,8 +8,8 @@ require 'cfn-nag/util/blank'
8
8
  class SecurityGroupRuleDescriptionRule < BaseRule
9
9
  def rule_text
10
10
  'Security group rules without a description obscure their purpose and may '\
11
- 'lead to bad practices in ensuring they only allow traffic from the ports '\
12
- 'and sources/destinations required.'
11
+ 'lead to bad practices in ensuring they only allow traffic from the ports '\
12
+ 'and sources/destinations required.'
13
13
  end
14
14
 
15
15
  def rule_type
@@ -0,0 +1,43 @@
1
+ # frozen_string_literal: true
2
+
3
+ require 'yaml'
4
+
5
+ class DenyListLoader
6
+ def initialize(rules_registry)
7
+ @rules_registry = rules_registry
8
+ end
9
+
10
+ def load(deny_list_definition:)
11
+ raise 'Empty profile' if deny_list_definition.strip == ''
12
+
13
+ deny_list_ruleset = RuleIdSet.new
14
+
15
+ deny_list_hash = load_deny_list_yaml(deny_list_definition)
16
+ raise 'Deny list is malformed' unless deny_list_hash.is_a? Hash
17
+
18
+ rules_to_suppress = deny_list_hash.fetch('RulesToSuppress', {})
19
+ raise 'Missing RulesToSuppress key in deny list' if rules_to_suppress.empty?
20
+
21
+ rule_ids_to_suppress = rules_to_suppress.map { |rule| rule['id'] }
22
+ rule_ids_to_suppress.each do |rule_id|
23
+ check_valid_rule_id rule_id
24
+ deny_list_ruleset.add_rule rule_id
25
+ end
26
+
27
+ deny_list_ruleset
28
+ end
29
+
30
+ private
31
+
32
+ def load_deny_list_yaml(deny_list_definition)
33
+ YAML.safe_load(deny_list_definition)
34
+ rescue StandardError => yaml_parse_error
35
+ raise "YAML parse of deny list failed: #{yaml_parse_error}"
36
+ end
37
+
38
+ def check_valid_rule_id(rule_id)
39
+ return true unless @rules_registry.by_id(rule_id).nil?
40
+
41
+ raise "#{rule_id} is not a legal rule identifier from: #{@rules_registry.ids}"
42
+ end
43
+ end
@@ -11,8 +11,8 @@ class SPCM
11
11
  parameter_values_path: nil,
12
12
  condition_values_path: nil,
13
13
  template_pattern: DEFAULT_TEMPLATE_PATTERN)
14
- parameter_values_string = parameter_values_path.nil? ? nil : IO.read(parameter_values_path)
15
- condition_values_string = condition_values_path.nil? ? nil : IO.read(condition_values_path)
14
+ parameter_values_string = parameter_values_path.nil? ? nil : File.read(parameter_values_path)
15
+ condition_values_string = condition_values_path.nil? ? nil : File.read(condition_values_path)
16
16
 
17
17
  templates = TemplateDiscovery.new.discover_templates(input_json_path: input_path,
18
18
  template_pattern: template_pattern)
@@ -21,7 +21,7 @@ class SPCM
21
21
  aggregate_results << {
22
22
  filename: template,
23
23
  file_results: metric(
24
- cloudformation_string: IO.read(template),
24
+ cloudformation_string: File.read(template),
25
25
  parameter_values_string: parameter_values_string,
26
26
  condition_values_string: condition_values_string
27
27
  )
@@ -29,5 +29,5 @@ end
29
29
  # is not present; otherwise returns true
30
30
  def no_echo_and_no_default_parameter_check(cfn_model, key_to_check)
31
31
  parameter = cfn_model.parameters[key_to_check['Ref']]
32
- truthy?(parameter.noEcho) && parameter.default.nil? ? false : true
32
+ !(truthy?(parameter.noEcho) && parameter.default.nil?)
33
33
  end
@@ -1,7 +1,7 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  require 'cfn-nag/profile_loader'
4
- require 'cfn-nag/blacklist_loader'
4
+ require 'cfn-nag/deny_list_loader'
5
5
 
6
6
  module ViolationFiltering
7
7
  def filter_violations_by_profile(profile_definition:, rule_definitions:, violations:)
@@ -20,19 +20,19 @@ module ViolationFiltering
20
20
  end
21
21
  end
22
22
 
23
- def filter_violations_by_blacklist(blacklist_definition:, rule_definitions:, violations:)
24
- blacklist = nil
25
- unless blacklist_definition.nil?
23
+ def filter_violations_by_deny_list(deny_list_definition:, rule_definitions:, violations:)
24
+ deny_list = nil
25
+ unless deny_list_definition.nil?
26
26
  begin
27
- blacklist = BlackListLoader.new(rule_definitions)
28
- .load(blacklist_definition: blacklist_definition)
29
- rescue StandardError => blacklist_load_error
30
- raise "Blacklist loading error: #{blacklist_load_error}"
27
+ deny_list = DenyListLoader.new(rule_definitions)
28
+ .load(deny_list_definition: deny_list_definition)
29
+ rescue StandardError => deny_list_load_error
30
+ raise "Deny list loading error: #{deny_list_load_error}"
31
31
  end
32
32
  end
33
33
 
34
34
  violations.reject do |violation|
35
- !blacklist.nil? && blacklist.contains_rule?(violation.id)
35
+ !deny_list.nil? && deny_list.contains_rule?(violation.id)
36
36
  end
37
37
  end
38
38
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: cfn-nag
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.7.13
4
+ version: 0.8.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Eric Kascic
8
- autorequire:
8
+ autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2021-05-11 00:00:00.000000000 Z
11
+ date: 2021-10-07 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: rake
@@ -72,14 +72,14 @@ dependencies:
72
72
  requirements:
73
73
  - - '='
74
74
  - !ruby/object:Gem::Version
75
- version: 0.6.0
75
+ version: 0.6.3
76
76
  type: :runtime
77
77
  prerelease: false
78
78
  version_requirements: !ruby/object:Gem::Requirement
79
79
  requirements:
80
80
  - - '='
81
81
  - !ruby/object:Gem::Version
82
- version: 0.6.0
82
+ version: 0.6.3
83
83
  - !ruby/object:Gem::Dependency
84
84
  name: logging
85
85
  requirement: !ruby/object:Gem::Requirement
@@ -165,7 +165,7 @@ dependencies:
165
165
  - !ruby/object:Gem::Version
166
166
  version: '0'
167
167
  description: Auditing tool for CloudFormation templates
168
- email:
168
+ email:
169
169
  executables:
170
170
  - cfn_nag
171
171
  - cfn_nag_rules
@@ -180,7 +180,6 @@ files:
180
180
  - bin/spcm_scan
181
181
  - lib/cfn-nag.rb
182
182
  - lib/cfn-nag/base_rule.rb
183
- - lib/cfn-nag/blacklist_loader.rb
184
183
  - lib/cfn-nag/cfn_nag.rb
185
184
  - lib/cfn-nag/cfn_nag_config.rb
186
185
  - lib/cfn-nag/cfn_nag_executor.rb
@@ -359,6 +358,7 @@ files:
359
358
  - lib/cfn-nag/custom_rules/password_base_rule.rb
360
359
  - lib/cfn-nag/custom_rules/resource_base_rule.rb
361
360
  - lib/cfn-nag/custom_rules/sub_property_with_list_password_base_rule.rb
361
+ - lib/cfn-nag/deny_list_loader.rb
362
362
  - lib/cfn-nag/iam_complexity_metric/condition_metric.rb
363
363
  - lib/cfn-nag/iam_complexity_metric/html_results_renderer.rb
364
364
  - lib/cfn-nag/iam_complexity_metric/policy_document_metric.rb
@@ -394,7 +394,7 @@ homepage: https://github.com/stelligent/cfn_nag
394
394
  licenses:
395
395
  - MIT
396
396
  metadata: {}
397
- post_install_message:
397
+ post_install_message:
398
398
  rdoc_options: []
399
399
  require_paths:
400
400
  - lib
@@ -411,7 +411,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
411
411
  version: '0'
412
412
  requirements: []
413
413
  rubygems_version: 3.1.2
414
- signing_key:
414
+ signing_key:
415
415
  specification_version: 4
416
416
  summary: cfn-nag
417
417
  test_files: []
@@ -1,43 +0,0 @@
1
- # frozen_string_literal: true
2
-
3
- require 'yaml'
4
-
5
- class BlackListLoader
6
- def initialize(rules_registry)
7
- @rules_registry = rules_registry
8
- end
9
-
10
- def load(blacklist_definition:)
11
- raise 'Empty profile' if blacklist_definition.strip == ''
12
-
13
- blacklist_ruleset = RuleIdSet.new
14
-
15
- blacklist_hash = load_blacklist_yaml(blacklist_definition)
16
- raise 'Blacklist is malformed' unless blacklist_hash.is_a? Hash
17
-
18
- rules_to_suppress = blacklist_hash.fetch('RulesToSuppress', {})
19
- raise 'Missing RulesToSuppress key in black list' if rules_to_suppress.empty?
20
-
21
- rule_ids_to_suppress = rules_to_suppress.map { |rule| rule['id'] }
22
- rule_ids_to_suppress.each do |rule_id|
23
- check_valid_rule_id rule_id
24
- blacklist_ruleset.add_rule rule_id
25
- end
26
-
27
- blacklist_ruleset
28
- end
29
-
30
- private
31
-
32
- def load_blacklist_yaml(blacklist_definition)
33
- YAML.safe_load(blacklist_definition)
34
- rescue StandardError => yaml_parse_error
35
- raise "YAML parse of blacklist failed: #{yaml_parse_error}"
36
- end
37
-
38
- def check_valid_rule_id(rule_id)
39
- return true unless @rules_registry.by_id(rule_id).nil?
40
-
41
- raise "#{rule_id} is not a legal rule identifier from: #{@rules_registry.ids}"
42
- end
43
- end