cfn-nag 0.7.16 → 0.8.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a9a486bbd59b0cd5de04ba5ad9a133e6ce20697320a22655bdfc99bd41849638
-  data.tar.gz: 1fb8c617610cd079026a094a2fdf6aa3d63e2de4c65fd9ae3f608b3256909875
+  metadata.gz: e016d95eb663b1bd6a4c7d8d968ea35de3396da8521f03dc33afb69fef6d0adc
+  data.tar.gz: 2e29005bceb483b4b14d6f35b32857775d89b81025d5eb2a9e2032730b36def6
 SHA512:
-  metadata.gz: f86d2ee1986cec5903811516b44e549c6c544b4ada13149433bcc8ff1a0b945528dd6d33e32ee877154aaec3d483991d37501595fae6e20cd92aecfa1efd4371
-  data.tar.gz: a702b10e0326c3903eaada403e27290544d094c6d696e68de9b87e2c2b4457462b3c106da5e535952dc83df9bf49851e230091e9fb6ee50a1c09515f58e9e9e9
+  metadata.gz: 5ed62f5cc0fa8b820c226b760ca9ac68fb942245c83511dbab69dece8dac99a389b210f5f832d5d73ca935fdc36ca1037ce953b648267c1035e8767b43a46850
+  data.tar.gz: d54be264eb1f5418df550667b78d6860e76dcd27f6319d01706569e66bff682c2ccf7157df0757887725467c00219ee0519056c40ef227365bee79204312f855

data/bin/cfn_nag_rules

@@ -6,7 +6,7 @@ require 'cfn-nag'
 require 'rubygems/specification'
 
 opts = Optimist.options do
-  version Gem::Specification.find_by_name('cfn-nag').version
+  version CfnNagVersion::VERSION
 
   opt :rule_directory, 'Extra rule directories', type: :io,
                                                  required: false,

data/lib/cfn-nag/base_rule.rb

@@ -20,10 +20,16 @@ class CfnNag
       logical_resource_ids = audit_impl(cfn_model)
       return if logical_resource_ids.empty?
 
+      violation(logical_resource_ids)
+    end
+
+    def violation(logical_resource_ids, line_numbers = nil)
       Violation.new(id: rule_id,
+                    name: self.class.name,
                     type: rule_type,
                     message: rule_text,
-                    logical_resource_ids: logical_resource_ids)
+                    logical_resource_ids: logical_resource_ids,
+                    line_numbers: line_numbers)
     end
   end
 end

data/lib/cfn-nag/cfn_nag.rb

@@ -8,6 +8,7 @@ require_relative 'result_view/stdout_results'
 require_relative 'result_view/simple_stdout_results'
 require_relative 'result_view/colored_stdout_results'
 require_relative 'result_view/json_results'
+require_relative 'result_view/sarif_results'
 require 'cfn-model'
 
 # Top-level CfnNag class for running profiles
@@ -93,13 +94,13 @@ class CfnNag
         @config.custom_rule_loader.rule_definitions
       )
 
-      violations = filter_violations_by_blacklist_and_profile(violations)
+      violations = filter_violations_by_deny_list_and_profile(violations)
       violations = mark_line_numbers(violations, cfn_model)
     rescue RuleRepoException, Psych::SyntaxError, ParserError => fatal_error
-      violations << fatal_violation(fatal_error.to_s)
+      violations << Violation.fatal_violation(fatal_error.to_s)
     rescue JSON::ParserError => json_parameters_error
       error = "JSON Parameter values parse error: #{json_parameters_error}"
-      violations << fatal_violation(error)
+      violations << Violation.fatal_violation(error)
     end
 
     violations = prune_fatal_violations(violations) if @config.ignore_fatal
@@ -112,7 +113,7 @@ class CfnNag
 
   def render_results(aggregate_results:,
                      output_format:)
-    results_renderer(output_format).new.render(aggregate_results)
+    results_renderer(output_format).new.render(aggregate_results, @config.custom_rule_loader.rule_definitions)
   end
 
   private
@@ -127,21 +128,21 @@ class CfnNag
     violations
   end
 
-  def filter_violations_by_blacklist_and_profile(violations)
+  def filter_violations_by_deny_list_and_profile(violations)
     violations = filter_violations_by_profile(
       profile_definition: @config.profile_definition,
       rule_definitions: @config.custom_rule_loader.rule_definitions,
       violations: violations
     )
 
-    # this must come after - blacklist should always win
-    filter_violations_by_blacklist(
-      blacklist_definition: @config.blacklist_definition,
+    # this must come after - deny list should always win
+    filter_violations_by_deny_list(
+      deny_list_definition: @config.deny_list_definition,
       rule_definitions: @config.custom_rule_loader.rule_definitions,
       violations: violations
     )
-  rescue StandardError => blacklist_or_profile_parse_error
-    violations << fatal_violation(blacklist_or_profile_parse_error.to_s)
+  rescue StandardError => deny_list_or_profile_parse_error
+    violations << Violation.fatal_violation(deny_list_or_profile_parse_error.to_s)
     violations
   end
 
@@ -152,17 +153,12 @@ class CfnNag
     }
   end
 
-  def fatal_violation(message)
-    Violation.new(id: 'FATAL',
-                  type: Violation::FAILING_VIOLATION,
-                  message: message)
-  end
-
   def results_renderer(output_format)
     registry = {
       'colortxt' => ColoredStdoutResults,
       'txt' => SimpleStdoutResults,
-      'json' => JsonResults
+      'json' => JsonResults,
+      'sarif' => SarifResults
     }
     registry[output_format]
   end

data/lib/cfn-nag/cfn_nag_config.rb

@@ -3,7 +3,7 @@
 class CfnNagConfig
   # rubocop:disable Metrics/ParameterLists
   def initialize(profile_definition: nil,
-                 blacklist_definition: nil,
+                 deny_list_definition: nil,
                  rule_directory: nil,
                  allow_suppression: true,
                  print_suppression: false,
@@ -21,7 +21,7 @@ class CfnNagConfig
       rule_repository_definitions: rule_repository_definitions
     )
     @profile_definition = profile_definition
-    @blacklist_definition = blacklist_definition
+    @deny_list_definition = deny_list_definition
     @fail_on_warnings = fail_on_warnings
     @rule_repositories = rule_repositories
     @rule_arguments = rule_arguments
@@ -29,6 +29,6 @@ class CfnNagConfig
   end
   # rubocop:enable Metrics/ParameterLists
 
-  attr_reader :rule_arguments, :rule_directory, :custom_rule_loader, :profile_definition, :blacklist_definition, \
+  attr_reader :rule_arguments, :rule_directory, :custom_rule_loader, :profile_definition, :deny_list_definition, \
               :fail_on_warnings, :rule_repositories, :ignore_fatal
 end

data/lib/cfn-nag/cfn_nag_executor.rb

@@ -7,7 +7,7 @@ require 'cfn-nag/cfn_nag_config'
 class CfnNagExecutor
   def initialize
     @profile_definition = nil
-    @blacklist_definition = nil
+    @deny_list_definition = nil
     @parameter_values_string = nil
     @condition_values_string = nil
     @rule_repository_definitions = []
@@ -74,9 +74,9 @@ class CfnNagExecutor
   end
 
   def validate_options(opts)
-    unless opts[:output_format].nil? || %w[colortxt txt json].include?(opts[:output_format])
+    unless opts[:output_format].nil? || %w[colortxt txt json sarif].include?(opts[:output_format])
       Optimist.die(:output_format,
-                   'Must be colortxt, txt, or json')
+                   'Must be colortxt, txt, json or sarif')
     end
 
     opts[:rule_arguments]&.each do |rule_argument|
@@ -89,7 +89,7 @@ class CfnNagExecutor
   def execute_io_options(opts)
     @profile_definition = read_conditionally(opts[:profile_path])
 
-    @blacklist_definition = read_conditionally(opts[:blacklist_path])
+    @deny_list_definition = read_conditionally(opts[:deny_list_path]) || read_conditionally(opts[:blacklist_path])
 
     @parameter_values_string = read_conditionally(opts[:parameter_values_path])
 
@@ -122,7 +122,7 @@ class CfnNagExecutor
   def cfn_nag_config(opts)
     CfnNagConfig.new(
       profile_definition: @profile_definition,
-      blacklist_definition: @blacklist_definition,
+      deny_list_definition: @deny_list_definition,
       rule_directory: opts[:rule_directory],
       allow_suppression: opts[:allow_suppression],
       print_suppression: opts[:print_suppression],

data/lib/cfn-nag/cli_options.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require 'optimist'
+require_relative 'version'
 
 # rubocop:disable Metrics/ClassLength
 class Options
@@ -8,7 +9,7 @@ class Options
                                     'emit the exception without stack trace ' \
                                     'and keep chugging'
 
-  @version = Gem::Specification.find_by_name('cfn-nag').version
+  @version = CfnNagVersion::VERSION
 
   def self.for(type)
     case type
@@ -58,8 +59,13 @@ class Options
           type: :string,
           required: false,
           default: nil
+      opt :deny_list_path,
+          'Path to a deny list file',
+          type: :string,
+          required: false,
+          default: nil
       opt :blacklist_path,
-          'Path to a blacklist file',
+          '(Deprecated) Path to a deny list file',
           type: :string,
           required: false,
           default: nil
@@ -84,7 +90,7 @@ class Options
           required: false,
           default: false
       opt :output_format,
-          'Format of results: [txt, json, colortxt]',
+          'Format of results: [txt, json, colortxt, sarif]',
           type: :string,
           default: 'colortxt'
       opt :rule_repository,
@@ -127,7 +133,7 @@ class Options
           type: :string,
           required: true
       opt :output_format,
-          'Format of results: [txt, json, colortxt]',
+          'Format of results: [txt, json, colortxt, sarif]',
           type: :string,
           default: 'colortxt'
       opt :debug,
@@ -145,8 +151,13 @@ class Options
           type: :string,
           required: false,
           default: nil
+      opt :deny_list_path,
+          'Path to a deny list file',
+          type: :string,
+          required: false,
+          default: nil
       opt :blacklist_path,
-          'Path to a blacklist file',
+          '(Deprecated) Path to a deny list file',
           type: :string,
           required: false,
           default: nil

data/lib/cfn-nag/custom_rules/GameLiftFleetInboundPortRangeRule.rb

@@ -18,6 +18,8 @@ class GameLiftFleetInboundPortRangeRule < BaseRule
 
   def audit_impl(cfn_model)
     violating_gamelift_fleets = cfn_model.resources_by_type('AWS::GameLift::Fleet').select do |gamelift_fleet|
+      next false if gamelift_fleet.eC2InboundPermissions.nil?
+
       violating_permissions = gamelift_fleet.eC2InboundPermissions.select do |permission|
         # Cast to strings incase template provided mixed types
         permission['FromPort'].to_s != permission['ToPort'].to_s

data/lib/cfn-nag/custom_rules/base.rb

@@ -19,9 +19,15 @@ class BaseRule
     logical_resource_ids = audit_impl(cfn_model)
     return if logical_resource_ids.empty?
 
+    violation(logical_resource_ids)
+  end
+
+  def violation(logical_resource_ids, line_numbers = [])
     Violation.new(id: rule_id,
+                  name: self.class.name,
                   type: rule_type,
                   message: rule_text,
-                  logical_resource_ids: logical_resource_ids)
+                  logical_resource_ids: logical_resource_ids,
+                  line_numbers: line_numbers)
   end
 end

data/lib/cfn-nag/deny_list_loader.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+require 'yaml'
+
+class DenyListLoader
+  def initialize(rules_registry)
+    @rules_registry = rules_registry
+  end
+
+  def load(deny_list_definition:)
+    raise 'Empty profile' if deny_list_definition.strip == ''
+
+    deny_list_ruleset = RuleIdSet.new
+
+    deny_list_hash = load_deny_list_yaml(deny_list_definition)
+    raise 'Deny list is malformed' unless deny_list_hash.is_a? Hash
+
+    rules_to_suppress = deny_list_hash.fetch('RulesToSuppress', {})
+    raise 'Missing RulesToSuppress key in deny list' if rules_to_suppress.empty?
+
+    rule_ids_to_suppress = rules_to_suppress.map { |rule| rule['id'] }
+    rule_ids_to_suppress.each do |rule_id|
+      check_valid_rule_id rule_id
+      deny_list_ruleset.add_rule rule_id
+    end
+
+    deny_list_ruleset
+  end
+
+  private
+
+  def load_deny_list_yaml(deny_list_definition)
+    YAML.safe_load(deny_list_definition)
+  rescue StandardError => yaml_parse_error
+    raise "YAML parse of deny list failed: #{yaml_parse_error}"
+  end
+
+  def check_valid_rule_id(rule_id)
+    return true unless @rules_registry.by_id(rule_id).nil?
+
+    raise "#{rule_id} is not a legal rule identifier from: #{@rules_registry.ids}"
+  end
+end

data/lib/cfn-nag/result_view/json_results.rb

@@ -3,7 +3,7 @@
 require 'json'
 
 class JsonResults
-  def render(results)
+  def render(results, _rule_registry)
     hashified_results = results.each do |result|
       result[:file_results][:violations] = result[:file_results][:violations].map(&:to_h)
     end

data/lib/cfn-nag/result_view/sarif_results.rb

@@ -0,0 +1,103 @@
+# frozen_string_literal: true
+
+require 'json'
+require 'pathname'
+
+class SarifResults
+  def render(results, rule_registry)
+    sarif_results = []
+    results.each do |file|
+      # For each file in the results, review the violations
+      file[:file_results][:violations].each do |violation|
+        # For each violation, generate a sarif result for each logical resource id in the violation
+        violation.logical_resource_ids.each_with_index do |_logical_resource_id, index|
+          sarif_results << sarif_result(file_name: file[:filename], violation: violation, index: index)
+        end
+      end
+    end
+
+    sarif_report = {
+      version: '2.1.0',
+      '$schema': 'https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json',
+      runs: [
+        tool: {
+          driver: driver(rule_registry.rules)
+        },
+        results: sarif_results
+      ]
+    }
+
+    puts JSON.pretty_generate(sarif_report)
+  end
+
+  # Generates a SARIF driver object, which describes the tool and the rules used
+  def driver(rules)
+    {
+      name: 'cfn_nag',
+      informationUri: 'https://github.com/stelligent/cfn_nag',
+      semanticVersion: CfnNagVersion::VERSION,
+      rules: rules.map do |rule_definition|
+        {
+          id: "CFN_NAG_#{rule_definition.id}",
+          name: rule_definition.name,
+          fullDescription: {
+            text: rule_definition.message
+          }
+        }
+      end
+    }
+  end
+
+  # Given a cfn_nag Violation object, and index, generates a SARIF result object for the finding
+  def sarif_result(file_name:, violation:, index:)
+    {
+      ruleId: "CFN_NAG_#{violation.id}",
+      level: sarif_level(violation.type),
+      message: {
+        text: violation.message
+      },
+      locations: [
+        {
+          physicalLocation: {
+            artifactLocation: {
+              uri: relative_path(file_name),
+              uriBaseId: '%SRCROOT%'
+            },
+            region: {
+              startLine: sarif_line_number(violation.line_numbers[index])
+            }
+          },
+          logicalLocations: [
+            {
+              name: violation.logical_resource_ids[index]
+            }
+          ]
+        }
+      ]
+    }
+  end
+
+  # Line number defaults to 1 unless provided with valid number
+  def sarif_line_number(line_number)
+    line_number.nil? || line_number.to_i < 1 ? 1 : line_number.to_i
+  end
+
+  def sarif_level(violation_type)
+    case violation_type
+    when RuleDefinition::WARNING
+      'warning'
+    else
+      'error'
+    end
+  end
+
+  def relative_path(file_name)
+    file_pathname = Pathname.new(file_name)
+
+    if file_pathname.relative?
+      file_pathname.to_s
+    else
+      file_pathname.relative_path_from(Pathname.pwd).to_s
+    end
+  end
+end

data/lib/cfn-nag/result_view/stdout_results.rb

@@ -24,7 +24,7 @@ class StdoutResults
     puts "Warnings count: #{Violation.count_warnings(violations)}"
   end
 
-  def render(results)
+  def render(results, _rule_definitions)
     results.each do |result|
       60.times { print '-' }
       puts "\n#{result[:filename]}"

data/lib/cfn-nag/rule_definition.rb

@@ -4,27 +4,30 @@ class RuleDefinition
   WARNING = 'WARN'
   FAILING_VIOLATION = 'FAIL'
 
-  attr_reader :id, :type, :message
+  attr_reader :id, :name, :type, :message
 
   def initialize(id:,
+                 name:,
                  type:,
                  message:)
     @id = id
+    @name = name
     @type = type
     @message = message
 
-    [@id, @type, @message].each do |required|
+    [@id, @type, @name, @message].each do |required|
       raise 'No parameters to Violation constructor can be nil' if required.nil?
     end
   end
 
   def to_s
-    "#{@id} #{@type} #{@message}"
+    "#{@id} #{name} #{@type} #{@message}"
   end
 
   def to_h
     {
       id: @id,
+      name: @name,
       type: @type,
       message: @message
     }

data/lib/cfn-nag/rule_registry.rb

@@ -43,6 +43,7 @@ class RuleRegistry
     if existing_def.nil?
       rule_definition = RuleDefinition.new(
         id: rule.rule_id,
+        name: rule_class.name,
         type: rule.rule_type,
         message: rule.rule_text
       )

data/lib/cfn-nag/version.rb

@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+
+module CfnNagVersion
+  # This is managed at release time via scripts/publish.sh
+  VERSION = '0.8.3'
+end

data/lib/cfn-nag/violation.rb

@@ -6,18 +6,22 @@ require_relative 'rule_definition'
 class Violation < RuleDefinition
   attr_reader :logical_resource_ids, :line_numbers
 
+  # rubocop:disable Metrics/ParameterLists
   def initialize(id:,
+                 name:,
                  type:,
                  message:,
                  logical_resource_ids: [],
                  line_numbers: [])
     super id: id,
+          name: name,
           type: type,
           message: message
 
     @logical_resource_ids = logical_resource_ids
     @line_numbers = line_numbers
   end
+  # rubocop:enable Metrics/ParameterLists
 
   def to_s
     "#{super} #{@logical_resource_ids}"
@@ -57,6 +61,13 @@ class Violation < RuleDefinition
       end
     end
 
+    def fatal_violation(message)
+      Violation.new(id: 'FATAL',
+                    name: 'system',
+                    type: Violation::FAILING_VIOLATION,
+                    message: message)
+    end
+
     private
 
     def empty?(array)

data/lib/cfn-nag/violation_filtering.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 require 'cfn-nag/profile_loader'
-require 'cfn-nag/blacklist_loader'
+require 'cfn-nag/deny_list_loader'
 
 module ViolationFiltering
   def filter_violations_by_profile(profile_definition:, rule_definitions:, violations:)
@@ -20,19 +20,19 @@ module ViolationFiltering
     end
   end
 
-  def filter_violations_by_blacklist(blacklist_definition:, rule_definitions:, violations:)
-    blacklist = nil
-    unless blacklist_definition.nil?
+  def filter_violations_by_deny_list(deny_list_definition:, rule_definitions:, violations:)
+    deny_list = nil
+    unless deny_list_definition.nil?
       begin
-        blacklist = BlackListLoader.new(rule_definitions)
-                                   .load(blacklist_definition: blacklist_definition)
-      rescue StandardError => blacklist_load_error
-        raise "Blacklist loading error: #{blacklist_load_error}"
+        deny_list = DenyListLoader.new(rule_definitions)
+                                  .load(deny_list_definition: deny_list_definition)
+      rescue StandardError => deny_list_load_error
+        raise "Deny list loading error: #{deny_list_load_error}"
       end
     end
 
     violations.reject do |violation|
-      !blacklist.nil? && blacklist.contains_rule?(violation.id)
+      !deny_list.nil? && deny_list.contains_rule?(violation.id)
     end
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cfn-nag
 version: !ruby/object:Gem::Version
-  version: 0.7.16
+  version: 0.8.3
 platform: ruby
 authors:
 - Eric Kascic
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-10-04 00:00:00.000000000 Z
+date: 2021-10-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -72,14 +72,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.6.3
+        version: 0.6.5
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.6.3
+        version: 0.6.5
 - !ruby/object:Gem::Dependency
   name: logging
   requirement: !ruby/object:Gem::Requirement
@@ -180,7 +180,6 @@ files:
 - bin/spcm_scan
 - lib/cfn-nag.rb
 - lib/cfn-nag/base_rule.rb
-- lib/cfn-nag/blacklist_loader.rb
 - lib/cfn-nag/cfn_nag.rb
 - lib/cfn-nag/cfn_nag_config.rb
 - lib/cfn-nag/cfn_nag_executor.rb
@@ -359,6 +358,7 @@ files:
 - lib/cfn-nag/custom_rules/password_base_rule.rb
 - lib/cfn-nag/custom_rules/resource_base_rule.rb
 - lib/cfn-nag/custom_rules/sub_property_with_list_password_base_rule.rb
+- lib/cfn-nag/deny_list_loader.rb
 - lib/cfn-nag/iam_complexity_metric/condition_metric.rb
 - lib/cfn-nag/iam_complexity_metric/html_results_renderer.rb
 - lib/cfn-nag/iam_complexity_metric/policy_document_metric.rb
@@ -371,6 +371,7 @@ files:
 - lib/cfn-nag/result_view/colored_stdout_results.rb
 - lib/cfn-nag/result_view/json_results.rb
 - lib/cfn-nag/result_view/rules_view.rb
+- lib/cfn-nag/result_view/sarif_results.rb
 - lib/cfn-nag/result_view/simple_stdout_results.rb
 - lib/cfn-nag/result_view/stdout_results.rb
 - lib/cfn-nag/rule_definition.rb
@@ -388,6 +389,7 @@ files:
 - lib/cfn-nag/util/enforce_string_or_dynamic_reference.rb
 - lib/cfn-nag/util/truthy.rb
 - lib/cfn-nag/util/wildcard_patterns.rb
+- lib/cfn-nag/version.rb
 - lib/cfn-nag/violation.rb
 - lib/cfn-nag/violation_filtering.rb
 homepage: https://github.com/stelligent/cfn_nag

data/lib/cfn-nag/blacklist_loader.rb

@@ -1,43 +0,0 @@
-# frozen_string_literal: true
-
-require 'yaml'
-
-class BlackListLoader
-  def initialize(rules_registry)
-    @rules_registry = rules_registry
-  end
-
-  def load(blacklist_definition:)
-    raise 'Empty profile' if blacklist_definition.strip == ''
-
-    blacklist_ruleset = RuleIdSet.new
-
-    blacklist_hash = load_blacklist_yaml(blacklist_definition)
-    raise 'Blacklist is malformed' unless blacklist_hash.is_a? Hash
-
-    rules_to_suppress = blacklist_hash.fetch('RulesToSuppress', {})
-    raise 'Missing RulesToSuppress key in black list' if rules_to_suppress.empty?
-
-    rule_ids_to_suppress = rules_to_suppress.map { |rule| rule['id'] }
-    rule_ids_to_suppress.each do |rule_id|
-      check_valid_rule_id rule_id
-      blacklist_ruleset.add_rule rule_id
-    end
-
-    blacklist_ruleset
-  end
-
-  private
-
-  def load_blacklist_yaml(blacklist_definition)
-    YAML.safe_load(blacklist_definition)
-  rescue StandardError => yaml_parse_error
-    raise "YAML parse of blacklist failed: #{yaml_parse_error}"
-  end
-
-  def check_valid_rule_id(rule_id)
-    return true unless @rules_registry.by_id(rule_id).nil?
-
-    raise "#{rule_id} is not a legal rule identifier from: #{@rules_registry.ids}"
-  end
-end