cfn-nag 0.7.16 → 0.8.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a9a486bbd59b0cd5de04ba5ad9a133e6ce20697320a22655bdfc99bd41849638
-  data.tar.gz: 1fb8c617610cd079026a094a2fdf6aa3d63e2de4c65fd9ae3f608b3256909875
+  metadata.gz: e4c41df0b3f754ff3eed8026a43244578095abe1ce06be4c89a2457af83c718b
+  data.tar.gz: 7c648f6838985bc45f6bb2a4f600ea93c05b8f10b1078a0e83b936c7e7449e59
 SHA512:
-  metadata.gz: f86d2ee1986cec5903811516b44e549c6c544b4ada13149433bcc8ff1a0b945528dd6d33e32ee877154aaec3d483991d37501595fae6e20cd92aecfa1efd4371
-  data.tar.gz: a702b10e0326c3903eaada403e27290544d094c6d696e68de9b87e2c2b4457462b3c106da5e535952dc83df9bf49851e230091e9fb6ee50a1c09515f58e9e9e9
+  metadata.gz: 1e90784cea9ee178aed35ae2f0bc27ecaeb3115307bd21553a45b2504dcd2e02aa561d9dd6150fdc7f2e1ee96632488bc6160422df7c7a1a7a466e1e5ceed585
+  data.tar.gz: d2937c0bf6c1b4d2326b6ab11ea68149c8635de02722d93ac4d6c5824d8fa1b885ce2691d30901044a3f889019227956faaaec489609178d4e1f63812e036de9

data/lib/cfn-nag/cfn_nag.rb

@@ -93,7 +93,7 @@ class CfnNag
         @config.custom_rule_loader.rule_definitions
       )
 
-      violations = filter_violations_by_blacklist_and_profile(violations)
+      violations = filter_violations_by_deny_list_and_profile(violations)
       violations = mark_line_numbers(violations, cfn_model)
     rescue RuleRepoException, Psych::SyntaxError, ParserError => fatal_error
       violations << fatal_violation(fatal_error.to_s)
@@ -127,21 +127,21 @@ class CfnNag
     violations
   end
 
-  def filter_violations_by_blacklist_and_profile(violations)
+  def filter_violations_by_deny_list_and_profile(violations)
     violations = filter_violations_by_profile(
       profile_definition: @config.profile_definition,
       rule_definitions: @config.custom_rule_loader.rule_definitions,
       violations: violations
     )
 
-    # this must come after - blacklist should always win
-    filter_violations_by_blacklist(
-      blacklist_definition: @config.blacklist_definition,
+    # this must come after - deny list should always win
+    filter_violations_by_deny_list(
+      deny_list_definition: @config.deny_list_definition,
       rule_definitions: @config.custom_rule_loader.rule_definitions,
       violations: violations
     )
-  rescue StandardError => blacklist_or_profile_parse_error
-    violations << fatal_violation(blacklist_or_profile_parse_error.to_s)
+  rescue StandardError => deny_list_or_profile_parse_error
+    violations << fatal_violation(deny_list_or_profile_parse_error.to_s)
     violations
   end
 

data/lib/cfn-nag/cfn_nag_config.rb

@@ -3,7 +3,7 @@
 class CfnNagConfig
   # rubocop:disable Metrics/ParameterLists
   def initialize(profile_definition: nil,
-                 blacklist_definition: nil,
+                 deny_list_definition: nil,
                  rule_directory: nil,
                  allow_suppression: true,
                  print_suppression: false,
@@ -21,7 +21,7 @@ class CfnNagConfig
       rule_repository_definitions: rule_repository_definitions
     )
     @profile_definition = profile_definition
-    @blacklist_definition = blacklist_definition
+    @deny_list_definition = deny_list_definition
     @fail_on_warnings = fail_on_warnings
     @rule_repositories = rule_repositories
     @rule_arguments = rule_arguments
@@ -29,6 +29,6 @@ class CfnNagConfig
   end
   # rubocop:enable Metrics/ParameterLists
 
-  attr_reader :rule_arguments, :rule_directory, :custom_rule_loader, :profile_definition, :blacklist_definition, \
+  attr_reader :rule_arguments, :rule_directory, :custom_rule_loader, :profile_definition, :deny_list_definition, \
               :fail_on_warnings, :rule_repositories, :ignore_fatal
 end

data/lib/cfn-nag/cfn_nag_executor.rb

@@ -7,7 +7,7 @@ require 'cfn-nag/cfn_nag_config'
 class CfnNagExecutor
   def initialize
     @profile_definition = nil
-    @blacklist_definition = nil
+    @deny_list_definition = nil
     @parameter_values_string = nil
     @condition_values_string = nil
     @rule_repository_definitions = []
@@ -89,7 +89,7 @@ class CfnNagExecutor
   def execute_io_options(opts)
     @profile_definition = read_conditionally(opts[:profile_path])
 
-    @blacklist_definition = read_conditionally(opts[:blacklist_path])
+    @deny_list_definition = read_conditionally(opts[:deny_list_path]) || read_conditionally(opts[:blacklist_path])
 
     @parameter_values_string = read_conditionally(opts[:parameter_values_path])
 
@@ -122,7 +122,7 @@ class CfnNagExecutor
   def cfn_nag_config(opts)
     CfnNagConfig.new(
       profile_definition: @profile_definition,
-      blacklist_definition: @blacklist_definition,
+      deny_list_definition: @deny_list_definition,
       rule_directory: opts[:rule_directory],
       allow_suppression: opts[:allow_suppression],
       print_suppression: opts[:print_suppression],

data/lib/cfn-nag/cli_options.rb

@@ -58,8 +58,13 @@ class Options
           type: :string,
           required: false,
           default: nil
+      opt :deny_list_path,
+          'Path to a deny list file',
+          type: :string,
+          required: false,
+          default: nil
       opt :blacklist_path,
-          'Path to a blacklist file',
+          '(Deprecated) Path to a deny list file',
           type: :string,
           required: false,
           default: nil
@@ -145,8 +150,13 @@ class Options
           type: :string,
           required: false,
           default: nil
+      opt :deny_list_path,
+          'Path to a deny list file',
+          type: :string,
+          required: false,
+          default: nil
       opt :blacklist_path,
-          'Path to a blacklist file',
+          '(Deprecated) Path to a deny list file',
           type: :string,
           required: false,
           default: nil

data/lib/cfn-nag/custom_rules/GameLiftFleetInboundPortRangeRule.rb

@@ -18,6 +18,8 @@ class GameLiftFleetInboundPortRangeRule < BaseRule
 
   def audit_impl(cfn_model)
     violating_gamelift_fleets = cfn_model.resources_by_type('AWS::GameLift::Fleet').select do |gamelift_fleet|
+      next false if gamelift_fleet.eC2InboundPermissions.nil?
+
       violating_permissions = gamelift_fleet.eC2InboundPermissions.select do |permission|
         # Cast to strings incase template provided mixed types
         permission['FromPort'].to_s != permission['ToPort'].to_s

data/lib/cfn-nag/deny_list_loader.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+require 'yaml'
+
+class DenyListLoader
+  def initialize(rules_registry)
+    @rules_registry = rules_registry
+  end
+
+  def load(deny_list_definition:)
+    raise 'Empty profile' if deny_list_definition.strip == ''
+
+    deny_list_ruleset = RuleIdSet.new
+
+    deny_list_hash = load_deny_list_yaml(deny_list_definition)
+    raise 'Deny list is malformed' unless deny_list_hash.is_a? Hash
+
+    rules_to_suppress = deny_list_hash.fetch('RulesToSuppress', {})
+    raise 'Missing RulesToSuppress key in deny list' if rules_to_suppress.empty?
+
+    rule_ids_to_suppress = rules_to_suppress.map { |rule| rule['id'] }
+    rule_ids_to_suppress.each do |rule_id|
+      check_valid_rule_id rule_id
+      deny_list_ruleset.add_rule rule_id
+    end
+
+    deny_list_ruleset
+  end
+
+  private
+
+  def load_deny_list_yaml(deny_list_definition)
+    YAML.safe_load(deny_list_definition)
+  rescue StandardError => yaml_parse_error
+    raise "YAML parse of deny list failed: #{yaml_parse_error}"
+  end
+
+  def check_valid_rule_id(rule_id)
+    return true unless @rules_registry.by_id(rule_id).nil?
+
+    raise "#{rule_id} is not a legal rule identifier from: #{@rules_registry.ids}"
+  end
+end

data/lib/cfn-nag/violation_filtering.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 require 'cfn-nag/profile_loader'
-require 'cfn-nag/blacklist_loader'
+require 'cfn-nag/deny_list_loader'
 
 module ViolationFiltering
   def filter_violations_by_profile(profile_definition:, rule_definitions:, violations:)
@@ -20,19 +20,19 @@ module ViolationFiltering
     end
   end
 
-  def filter_violations_by_blacklist(blacklist_definition:, rule_definitions:, violations:)
-    blacklist = nil
-    unless blacklist_definition.nil?
+  def filter_violations_by_deny_list(deny_list_definition:, rule_definitions:, violations:)
+    deny_list = nil
+    unless deny_list_definition.nil?
       begin
-        blacklist = BlackListLoader.new(rule_definitions)
-                                   .load(blacklist_definition: blacklist_definition)
-      rescue StandardError => blacklist_load_error
-        raise "Blacklist loading error: #{blacklist_load_error}"
+        deny_list = DenyListLoader.new(rule_definitions)
+                                  .load(deny_list_definition: deny_list_definition)
+      rescue StandardError => deny_list_load_error
+        raise "Deny list loading error: #{deny_list_load_error}"
       end
     end
 
     violations.reject do |violation|
-      !blacklist.nil? && blacklist.contains_rule?(violation.id)
+      !deny_list.nil? && deny_list.contains_rule?(violation.id)
     end
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cfn-nag
 version: !ruby/object:Gem::Version
-  version: 0.7.16
+  version: 0.8.0
 platform: ruby
 authors:
 - Eric Kascic
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-10-04 00:00:00.000000000 Z
+date: 2021-10-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -180,7 +180,6 @@ files:
 - bin/spcm_scan
 - lib/cfn-nag.rb
 - lib/cfn-nag/base_rule.rb
-- lib/cfn-nag/blacklist_loader.rb
 - lib/cfn-nag/cfn_nag.rb
 - lib/cfn-nag/cfn_nag_config.rb
 - lib/cfn-nag/cfn_nag_executor.rb
@@ -359,6 +358,7 @@ files:
 - lib/cfn-nag/custom_rules/password_base_rule.rb
 - lib/cfn-nag/custom_rules/resource_base_rule.rb
 - lib/cfn-nag/custom_rules/sub_property_with_list_password_base_rule.rb
+- lib/cfn-nag/deny_list_loader.rb
 - lib/cfn-nag/iam_complexity_metric/condition_metric.rb
 - lib/cfn-nag/iam_complexity_metric/html_results_renderer.rb
 - lib/cfn-nag/iam_complexity_metric/policy_document_metric.rb

data/lib/cfn-nag/blacklist_loader.rb

@@ -1,43 +0,0 @@
-# frozen_string_literal: true
-
-require 'yaml'
-
-class BlackListLoader
-  def initialize(rules_registry)
-    @rules_registry = rules_registry
-  end
-
-  def load(blacklist_definition:)
-    raise 'Empty profile' if blacklist_definition.strip == ''
-
-    blacklist_ruleset = RuleIdSet.new
-
-    blacklist_hash = load_blacklist_yaml(blacklist_definition)
-    raise 'Blacklist is malformed' unless blacklist_hash.is_a? Hash
-
-    rules_to_suppress = blacklist_hash.fetch('RulesToSuppress', {})
-    raise 'Missing RulesToSuppress key in black list' if rules_to_suppress.empty?
-
-    rule_ids_to_suppress = rules_to_suppress.map { |rule| rule['id'] }
-    rule_ids_to_suppress.each do |rule_id|
-      check_valid_rule_id rule_id
-      blacklist_ruleset.add_rule rule_id
-    end
-
-    blacklist_ruleset
-  end
-
-  private
-
-  def load_blacklist_yaml(blacklist_definition)
-    YAML.safe_load(blacklist_definition)
-  rescue StandardError => yaml_parse_error
-    raise "YAML parse of blacklist failed: #{yaml_parse_error}"
-  end
-
-  def check_valid_rule_id(rule_id)
-    return true unless @rules_registry.by_id(rule_id).nil?
-
-    raise "#{rule_id} is not a legal rule identifier from: #{@rules_registry.ids}"
-  end
-end