cfn-nag 0.7.16 → 0.8.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/lib/cfn-nag/cfn_nag.rb +7 -7
- data/lib/cfn-nag/cfn_nag_config.rb +3 -3
- data/lib/cfn-nag/cfn_nag_executor.rb +3 -3
- data/lib/cfn-nag/cli_options.rb +12 -2
- data/lib/cfn-nag/custom_rules/GameLiftFleetInboundPortRangeRule.rb +2 -0
- data/lib/cfn-nag/deny_list_loader.rb +43 -0
- data/lib/cfn-nag/violation_filtering.rb +9 -9
- metadata +3 -3
- data/lib/cfn-nag/blacklist_loader.rb +0 -43
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: e4c41df0b3f754ff3eed8026a43244578095abe1ce06be4c89a2457af83c718b
|
|
4
|
+
data.tar.gz: 7c648f6838985bc45f6bb2a4f600ea93c05b8f10b1078a0e83b936c7e7449e59
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 1e90784cea9ee178aed35ae2f0bc27ecaeb3115307bd21553a45b2504dcd2e02aa561d9dd6150fdc7f2e1ee96632488bc6160422df7c7a1a7a466e1e5ceed585
|
|
7
|
+
data.tar.gz: d2937c0bf6c1b4d2326b6ab11ea68149c8635de02722d93ac4d6c5824d8fa1b885ce2691d30901044a3f889019227956faaaec489609178d4e1f63812e036de9
|
data/lib/cfn-nag/cfn_nag.rb
CHANGED
|
@@ -93,7 +93,7 @@ class CfnNag
|
|
|
93
93
|
@config.custom_rule_loader.rule_definitions
|
|
94
94
|
)
|
|
95
95
|
|
|
96
|
-
violations =
|
|
96
|
+
violations = filter_violations_by_deny_list_and_profile(violations)
|
|
97
97
|
violations = mark_line_numbers(violations, cfn_model)
|
|
98
98
|
rescue RuleRepoException, Psych::SyntaxError, ParserError => fatal_error
|
|
99
99
|
violations << fatal_violation(fatal_error.to_s)
|
|
@@ -127,21 +127,21 @@ class CfnNag
|
|
|
127
127
|
violations
|
|
128
128
|
end
|
|
129
129
|
|
|
130
|
-
def
|
|
130
|
+
def filter_violations_by_deny_list_and_profile(violations)
|
|
131
131
|
violations = filter_violations_by_profile(
|
|
132
132
|
profile_definition: @config.profile_definition,
|
|
133
133
|
rule_definitions: @config.custom_rule_loader.rule_definitions,
|
|
134
134
|
violations: violations
|
|
135
135
|
)
|
|
136
136
|
|
|
137
|
-
# this must come after -
|
|
138
|
-
|
|
139
|
-
|
|
137
|
+
# this must come after - deny list should always win
|
|
138
|
+
filter_violations_by_deny_list(
|
|
139
|
+
deny_list_definition: @config.deny_list_definition,
|
|
140
140
|
rule_definitions: @config.custom_rule_loader.rule_definitions,
|
|
141
141
|
violations: violations
|
|
142
142
|
)
|
|
143
|
-
rescue StandardError =>
|
|
144
|
-
violations << fatal_violation(
|
|
143
|
+
rescue StandardError => deny_list_or_profile_parse_error
|
|
144
|
+
violations << fatal_violation(deny_list_or_profile_parse_error.to_s)
|
|
145
145
|
violations
|
|
146
146
|
end
|
|
147
147
|
|
|
@@ -3,7 +3,7 @@
|
|
|
3
3
|
class CfnNagConfig
|
|
4
4
|
# rubocop:disable Metrics/ParameterLists
|
|
5
5
|
def initialize(profile_definition: nil,
|
|
6
|
-
|
|
6
|
+
deny_list_definition: nil,
|
|
7
7
|
rule_directory: nil,
|
|
8
8
|
allow_suppression: true,
|
|
9
9
|
print_suppression: false,
|
|
@@ -21,7 +21,7 @@ class CfnNagConfig
|
|
|
21
21
|
rule_repository_definitions: rule_repository_definitions
|
|
22
22
|
)
|
|
23
23
|
@profile_definition = profile_definition
|
|
24
|
-
@
|
|
24
|
+
@deny_list_definition = deny_list_definition
|
|
25
25
|
@fail_on_warnings = fail_on_warnings
|
|
26
26
|
@rule_repositories = rule_repositories
|
|
27
27
|
@rule_arguments = rule_arguments
|
|
@@ -29,6 +29,6 @@ class CfnNagConfig
|
|
|
29
29
|
end
|
|
30
30
|
# rubocop:enable Metrics/ParameterLists
|
|
31
31
|
|
|
32
|
-
attr_reader :rule_arguments, :rule_directory, :custom_rule_loader, :profile_definition, :
|
|
32
|
+
attr_reader :rule_arguments, :rule_directory, :custom_rule_loader, :profile_definition, :deny_list_definition, \
|
|
33
33
|
:fail_on_warnings, :rule_repositories, :ignore_fatal
|
|
34
34
|
end
|
|
@@ -7,7 +7,7 @@ require 'cfn-nag/cfn_nag_config'
|
|
|
7
7
|
class CfnNagExecutor
|
|
8
8
|
def initialize
|
|
9
9
|
@profile_definition = nil
|
|
10
|
-
@
|
|
10
|
+
@deny_list_definition = nil
|
|
11
11
|
@parameter_values_string = nil
|
|
12
12
|
@condition_values_string = nil
|
|
13
13
|
@rule_repository_definitions = []
|
|
@@ -89,7 +89,7 @@ class CfnNagExecutor
|
|
|
89
89
|
def execute_io_options(opts)
|
|
90
90
|
@profile_definition = read_conditionally(opts[:profile_path])
|
|
91
91
|
|
|
92
|
-
@
|
|
92
|
+
@deny_list_definition = read_conditionally(opts[:deny_list_path]) || read_conditionally(opts[:blacklist_path])
|
|
93
93
|
|
|
94
94
|
@parameter_values_string = read_conditionally(opts[:parameter_values_path])
|
|
95
95
|
|
|
@@ -122,7 +122,7 @@ class CfnNagExecutor
|
|
|
122
122
|
def cfn_nag_config(opts)
|
|
123
123
|
CfnNagConfig.new(
|
|
124
124
|
profile_definition: @profile_definition,
|
|
125
|
-
|
|
125
|
+
deny_list_definition: @deny_list_definition,
|
|
126
126
|
rule_directory: opts[:rule_directory],
|
|
127
127
|
allow_suppression: opts[:allow_suppression],
|
|
128
128
|
print_suppression: opts[:print_suppression],
|
data/lib/cfn-nag/cli_options.rb
CHANGED
|
@@ -58,8 +58,13 @@ class Options
|
|
|
58
58
|
type: :string,
|
|
59
59
|
required: false,
|
|
60
60
|
default: nil
|
|
61
|
+
opt :deny_list_path,
|
|
62
|
+
'Path to a deny list file',
|
|
63
|
+
type: :string,
|
|
64
|
+
required: false,
|
|
65
|
+
default: nil
|
|
61
66
|
opt :blacklist_path,
|
|
62
|
-
'Path to a
|
|
67
|
+
'(Deprecated) Path to a deny list file',
|
|
63
68
|
type: :string,
|
|
64
69
|
required: false,
|
|
65
70
|
default: nil
|
|
@@ -145,8 +150,13 @@ class Options
|
|
|
145
150
|
type: :string,
|
|
146
151
|
required: false,
|
|
147
152
|
default: nil
|
|
153
|
+
opt :deny_list_path,
|
|
154
|
+
'Path to a deny list file',
|
|
155
|
+
type: :string,
|
|
156
|
+
required: false,
|
|
157
|
+
default: nil
|
|
148
158
|
opt :blacklist_path,
|
|
149
|
-
'Path to a
|
|
159
|
+
'(Deprecated) Path to a deny list file',
|
|
150
160
|
type: :string,
|
|
151
161
|
required: false,
|
|
152
162
|
default: nil
|
|
@@ -18,6 +18,8 @@ class GameLiftFleetInboundPortRangeRule < BaseRule
|
|
|
18
18
|
|
|
19
19
|
def audit_impl(cfn_model)
|
|
20
20
|
violating_gamelift_fleets = cfn_model.resources_by_type('AWS::GameLift::Fleet').select do |gamelift_fleet|
|
|
21
|
+
next false if gamelift_fleet.eC2InboundPermissions.nil?
|
|
22
|
+
|
|
21
23
|
violating_permissions = gamelift_fleet.eC2InboundPermissions.select do |permission|
|
|
22
24
|
# Cast to strings incase template provided mixed types
|
|
23
25
|
permission['FromPort'].to_s != permission['ToPort'].to_s
|
|
@@ -0,0 +1,43 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
require 'yaml'
|
|
4
|
+
|
|
5
|
+
class DenyListLoader
|
|
6
|
+
def initialize(rules_registry)
|
|
7
|
+
@rules_registry = rules_registry
|
|
8
|
+
end
|
|
9
|
+
|
|
10
|
+
def load(deny_list_definition:)
|
|
11
|
+
raise 'Empty profile' if deny_list_definition.strip == ''
|
|
12
|
+
|
|
13
|
+
deny_list_ruleset = RuleIdSet.new
|
|
14
|
+
|
|
15
|
+
deny_list_hash = load_deny_list_yaml(deny_list_definition)
|
|
16
|
+
raise 'Deny list is malformed' unless deny_list_hash.is_a? Hash
|
|
17
|
+
|
|
18
|
+
rules_to_suppress = deny_list_hash.fetch('RulesToSuppress', {})
|
|
19
|
+
raise 'Missing RulesToSuppress key in deny list' if rules_to_suppress.empty?
|
|
20
|
+
|
|
21
|
+
rule_ids_to_suppress = rules_to_suppress.map { |rule| rule['id'] }
|
|
22
|
+
rule_ids_to_suppress.each do |rule_id|
|
|
23
|
+
check_valid_rule_id rule_id
|
|
24
|
+
deny_list_ruleset.add_rule rule_id
|
|
25
|
+
end
|
|
26
|
+
|
|
27
|
+
deny_list_ruleset
|
|
28
|
+
end
|
|
29
|
+
|
|
30
|
+
private
|
|
31
|
+
|
|
32
|
+
def load_deny_list_yaml(deny_list_definition)
|
|
33
|
+
YAML.safe_load(deny_list_definition)
|
|
34
|
+
rescue StandardError => yaml_parse_error
|
|
35
|
+
raise "YAML parse of deny list failed: #{yaml_parse_error}"
|
|
36
|
+
end
|
|
37
|
+
|
|
38
|
+
def check_valid_rule_id(rule_id)
|
|
39
|
+
return true unless @rules_registry.by_id(rule_id).nil?
|
|
40
|
+
|
|
41
|
+
raise "#{rule_id} is not a legal rule identifier from: #{@rules_registry.ids}"
|
|
42
|
+
end
|
|
43
|
+
end
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
# frozen_string_literal: true
|
|
2
2
|
|
|
3
3
|
require 'cfn-nag/profile_loader'
|
|
4
|
-
require 'cfn-nag/
|
|
4
|
+
require 'cfn-nag/deny_list_loader'
|
|
5
5
|
|
|
6
6
|
module ViolationFiltering
|
|
7
7
|
def filter_violations_by_profile(profile_definition:, rule_definitions:, violations:)
|
|
@@ -20,19 +20,19 @@ module ViolationFiltering
|
|
|
20
20
|
end
|
|
21
21
|
end
|
|
22
22
|
|
|
23
|
-
def
|
|
24
|
-
|
|
25
|
-
unless
|
|
23
|
+
def filter_violations_by_deny_list(deny_list_definition:, rule_definitions:, violations:)
|
|
24
|
+
deny_list = nil
|
|
25
|
+
unless deny_list_definition.nil?
|
|
26
26
|
begin
|
|
27
|
-
|
|
28
|
-
|
|
29
|
-
rescue StandardError =>
|
|
30
|
-
raise "
|
|
27
|
+
deny_list = DenyListLoader.new(rule_definitions)
|
|
28
|
+
.load(deny_list_definition: deny_list_definition)
|
|
29
|
+
rescue StandardError => deny_list_load_error
|
|
30
|
+
raise "Deny list loading error: #{deny_list_load_error}"
|
|
31
31
|
end
|
|
32
32
|
end
|
|
33
33
|
|
|
34
34
|
violations.reject do |violation|
|
|
35
|
-
!
|
|
35
|
+
!deny_list.nil? && deny_list.contains_rule?(violation.id)
|
|
36
36
|
end
|
|
37
37
|
end
|
|
38
38
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: cfn-nag
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.8.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Eric Kascic
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2021-10-
|
|
11
|
+
date: 2021-10-07 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rake
|
|
@@ -180,7 +180,6 @@ files:
|
|
|
180
180
|
- bin/spcm_scan
|
|
181
181
|
- lib/cfn-nag.rb
|
|
182
182
|
- lib/cfn-nag/base_rule.rb
|
|
183
|
-
- lib/cfn-nag/blacklist_loader.rb
|
|
184
183
|
- lib/cfn-nag/cfn_nag.rb
|
|
185
184
|
- lib/cfn-nag/cfn_nag_config.rb
|
|
186
185
|
- lib/cfn-nag/cfn_nag_executor.rb
|
|
@@ -359,6 +358,7 @@ files:
|
|
|
359
358
|
- lib/cfn-nag/custom_rules/password_base_rule.rb
|
|
360
359
|
- lib/cfn-nag/custom_rules/resource_base_rule.rb
|
|
361
360
|
- lib/cfn-nag/custom_rules/sub_property_with_list_password_base_rule.rb
|
|
361
|
+
- lib/cfn-nag/deny_list_loader.rb
|
|
362
362
|
- lib/cfn-nag/iam_complexity_metric/condition_metric.rb
|
|
363
363
|
- lib/cfn-nag/iam_complexity_metric/html_results_renderer.rb
|
|
364
364
|
- lib/cfn-nag/iam_complexity_metric/policy_document_metric.rb
|
|
@@ -1,43 +0,0 @@
|
|
|
1
|
-
# frozen_string_literal: true
|
|
2
|
-
|
|
3
|
-
require 'yaml'
|
|
4
|
-
|
|
5
|
-
class BlackListLoader
|
|
6
|
-
def initialize(rules_registry)
|
|
7
|
-
@rules_registry = rules_registry
|
|
8
|
-
end
|
|
9
|
-
|
|
10
|
-
def load(blacklist_definition:)
|
|
11
|
-
raise 'Empty profile' if blacklist_definition.strip == ''
|
|
12
|
-
|
|
13
|
-
blacklist_ruleset = RuleIdSet.new
|
|
14
|
-
|
|
15
|
-
blacklist_hash = load_blacklist_yaml(blacklist_definition)
|
|
16
|
-
raise 'Blacklist is malformed' unless blacklist_hash.is_a? Hash
|
|
17
|
-
|
|
18
|
-
rules_to_suppress = blacklist_hash.fetch('RulesToSuppress', {})
|
|
19
|
-
raise 'Missing RulesToSuppress key in black list' if rules_to_suppress.empty?
|
|
20
|
-
|
|
21
|
-
rule_ids_to_suppress = rules_to_suppress.map { |rule| rule['id'] }
|
|
22
|
-
rule_ids_to_suppress.each do |rule_id|
|
|
23
|
-
check_valid_rule_id rule_id
|
|
24
|
-
blacklist_ruleset.add_rule rule_id
|
|
25
|
-
end
|
|
26
|
-
|
|
27
|
-
blacklist_ruleset
|
|
28
|
-
end
|
|
29
|
-
|
|
30
|
-
private
|
|
31
|
-
|
|
32
|
-
def load_blacklist_yaml(blacklist_definition)
|
|
33
|
-
YAML.safe_load(blacklist_definition)
|
|
34
|
-
rescue StandardError => yaml_parse_error
|
|
35
|
-
raise "YAML parse of blacklist failed: #{yaml_parse_error}"
|
|
36
|
-
end
|
|
37
|
-
|
|
38
|
-
def check_valid_rule_id(rule_id)
|
|
39
|
-
return true unless @rules_registry.by_id(rule_id).nil?
|
|
40
|
-
|
|
41
|
-
raise "#{rule_id} is not a legal rule identifier from: #{@rules_registry.ids}"
|
|
42
|
-
end
|
|
43
|
-
end
|