RubyGems - cfn-nag - Versions diffs - 0.7.2 → 0.7.7 - Mend

cfn-nag 0.7.2 → 0.7.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f180cde695c0a172b8ef42bdd38f58cc403adf10847a22f57af36dd0fb8ab743
-  data.tar.gz: 48b315081d53ca804e8d6f2ba5d245dd117beb07a057c368ab7edeeadd5140ff
+  metadata.gz: ad2861d55fc444c4f16cba45a818e6d755124fe97f66ff2d3c9f138f2187b48b
+  data.tar.gz: c7af2ff8b96f46bb610303b546a1c8f62250c7e11af74f48bb1cabd7632e1d1d
 SHA512:
-  metadata.gz: efc72eac3b1fbd17e420e19b7e1d61a55136083c00516490bdeee626cb39bf4e6a64cb75a1ac5b5ccc3321ba58774fe639855d919bcd439e0c88633d2728b12f
-  data.tar.gz: bef1eeac336bc1c3a0c1c566a744f6eb7fdbe8dd9e15aeccd819caed044b7c37d66bbc4102e70522b79e71cd0fd1b6709bfa5362ff2c7e8c902ca2b79db49dcb
+  metadata.gz: f4e8d41c2622ca328127c8baef0f34bd921b98239eaca3653e871db500cfb9e35cf107ffe50151ae3972f0874f8227d6a17767b325f9e1e38a66335d69f935a0
+  data.tar.gz: b5be427253e61a463d0fefa7477e5f426176a37abd85ba955a18f42b61ffe12ef15bcf9c09f23197df0274ff4405c510f4ee4771b9ae55b01108128afe2eb9f3

data/lib/cfn-nag/custom_rules/ApiGatewayCacheEncryptedRule.rb ADDED Viewed

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+require 'cfn-nag/violation'
+require_relative 'base'
+class ApiGatewayCacheEncryptedRule < BaseRule
+  def rule_text
+    'ApiGateway Deployment should have cache data encryption enabled when caching is enabled' \
+    ' in StageDescription properties'
+  end
+  def rule_type
+    Violation::WARNING
+  end
+  def rule_id
+    'W87'
+  end
+  def audit_impl(cfn_model)
+    violating_deployments = cfn_model.resources_by_type('AWS::ApiGateway::Deployment').select do |deployment|
+      violating_deployment?(deployment)
+    end
+    violating_deployments.map(&:logical_resource_id)
+  end
+  private
+  def violating_deployment?(deployment)
+    !deployment.stageDescription.nil? && truthy?(deployment.stageDescription['CachingEnabled']) \
+    && !truthy?(deployment.stageDescription['CacheDataEncrypted'])
+  end
+end

data/lib/cfn-nag/custom_rules/CloudfrontMinimumProtocolVersionRule.rb CHANGED Viewed

@@ -28,11 +28,12 @@ class CloudfrontMinimumProtocolVersionRule < BaseRule
   private
   def tls_version?(viewer_certificate)
-    cert_has_bad_tls_version?(viewer_certificate) || override_tls_config?(viewer_certificate)
+    cert_has_bad_tls_version?(viewer_certificate['MinimumProtocolVersion']) || override_tls_config?(viewer_certificate)
   end
-  def cert_has_bad_tls_version?(viewer_certificate)
-    viewer_certificate['MinimumProtocolVersion'].nil? || viewer_certificate['MinimumProtocolVersion'] != 'TLSv1.2_2018'
+  def cert_has_bad_tls_version?(min_protocol_version)
+    min_protocol_version.nil? ||
+      (min_protocol_version.is_a?(String) && !min_protocol_version.start_with?('TLSv1.2'))
   end
   def override_tls_config?(viewer_certificate)

data/lib/cfn-nag/custom_rules/ECRRepositoryScanOnPushRule.rb CHANGED Viewed

@@ -6,7 +6,7 @@ require_relative 'base'
 class ECRRepositoryScanOnPushRule < BaseRule
   def rule_text
-    'ECR Repository should have scanOnPush enabled'
+    'ECR Repository should have ScanOnPush enabled'
   end
   def rule_type
@@ -20,7 +20,7 @@ class ECRRepositoryScanOnPushRule < BaseRule
   def audit_impl(cfn_model)
     violating_ecr_registries = cfn_model.resources_by_type('AWS::ECR::Repository').select do |registry|
       registry.imageScanningConfiguration.nil? ||
-        !truthy?(registry.imageScanningConfiguration['scanOnPush'].to_s)
+        !truthy?(registry.imageScanningConfiguration['ScanOnPush'].to_s)
     end
     violating_ecr_registries.map(&:logical_resource_id)

data/lib/cfn-nag/custom_rules/ElasticsearchDomainInsideVPCRule.rb ADDED Viewed

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+require 'cfn-nag/violation'
+require_relative 'base'
+class ElasticsearchDomainInsideVPCRule < BaseRule
+  def rule_text
+    'ElasticsearchcDomain should be inside vpc, should specify VPCOptions'
+  end
+  def rule_type
+    Violation::WARNING
+  end
+  def rule_id
+    'W90'
+  end
+  def audit_impl(cfn_model)
+    violating_domains = cfn_model.resources_by_type('AWS::Elasticsearch::Domain').select do |domain|
+      domain.vPCOptions.nil?
+    end
+    violating_domains.map(&:logical_resource_id)
+  end
+end

data/lib/cfn-nag/custom_rules/LambdaFunctionInsideVPCRule.rb ADDED Viewed

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+require 'cfn-nag/violation'
+require_relative 'base'
+class LambdaFunctionInsideVPCRule < BaseRule
+  def rule_text
+    'Lambda functions should be deployed inside a VPC'
+  end
+  def rule_type
+    Violation::WARNING
+  end
+  def rule_id
+    'W89'
+  end
+  def audit_impl(cfn_model)
+    lambda_functions = cfn_model.resources_by_type('AWS::Lambda::Function')
+    violating_lambda_functions = lambda_functions.select do |lambda_function|
+      lambda_function.vpcConfig.nil?
+    end
+    violating_lambda_functions.map(&:logical_resource_id)
+  end
+end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cfn-nag
 version: !ruby/object:Gem::Version
-  version: 0.7.2
+  version: 0.7.7
 platform: ruby
 authors:
 - Eric Kascic
-autorequire:
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-02-15 00:00:00.000000000 Z
+date: 2021-04-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -165,7 +165,7 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 description: Auditing tool for CloudFormation templates
-email:
+email:
 executables:
 - cfn_nag
 - cfn_nag_rules
@@ -197,6 +197,7 @@ files:
 - lib/cfn-nag/custom_rules/AmplifyAppOauthTokenRule.rb
 - lib/cfn-nag/custom_rules/AmplifyBranchBasicAuthConfigPasswordRule.rb
 - lib/cfn-nag/custom_rules/ApiGatewayAccessLoggingRule.rb
+- lib/cfn-nag/custom_rules/ApiGatewayCacheEncryptedRule.rb
 - lib/cfn-nag/custom_rules/ApiGatewayDeploymentUsagePlanRule.rb
 - lib/cfn-nag/custom_rules/ApiGatewayMethodAuthorizationTypeRule.rb
 - lib/cfn-nag/custom_rules/ApiGatewaySecurityPolicyRule.rb
@@ -246,6 +247,7 @@ files:
 - lib/cfn-nag/custom_rules/ElasticLoadBalancerV2ListenerProtocolRule.rb
 - lib/cfn-nag/custom_rules/ElasticLoadBalancerV2ListenerSslPolicyRule.rb
 - lib/cfn-nag/custom_rules/ElasticsearchDomainEncryptionAtRestOptionsRule.rb
+- lib/cfn-nag/custom_rules/ElasticsearchDomainInsideVPCRule.rb
 - lib/cfn-nag/custom_rules/ElasticsearchDomainNodeToNodeEncryptionOptionsRule.rb
 - lib/cfn-nag/custom_rules/GameLiftFleetInboundPortRangeRule.rb
 - lib/cfn-nag/custom_rules/IAMUserLoginProfilePasswordRule.rb
@@ -280,6 +282,7 @@ files:
 - lib/cfn-nag/custom_rules/KinesisFirehoseDeliveryStreamSplunkDestinationConfigurationHECTokenRule.rb
 - lib/cfn-nag/custom_rules/KinesisStreamStreamEncryptionRule.rb
 - lib/cfn-nag/custom_rules/LambdaFunctionCloudWatchLogsRule.rb
+- lib/cfn-nag/custom_rules/LambdaFunctionInsideVPCRule.rb
 - lib/cfn-nag/custom_rules/LambdaPermissionEventSourceTokenRule.rb
 - lib/cfn-nag/custom_rules/LambdaPermissionInvokeFunctionActionRule.rb
 - lib/cfn-nag/custom_rules/LambdaPermissionWildcardPrincipalRule.rb
@@ -389,7 +392,7 @@ homepage: https://github.com/stelligent/cfn_nag
 licenses:
 - MIT
 metadata: {}
-post_install_message:
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -405,9 +408,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project:
-rubygems_version: 2.7.6
-signing_key:
+rubygems_version: 3.1.2
+signing_key:
 specification_version: 4
 summary: cfn-nag
 test_files: []