cfn-nag 0.8.0 → 0.8.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e4c41df0b3f754ff3eed8026a43244578095abe1ce06be4c89a2457af83c718b
-  data.tar.gz: 7c648f6838985bc45f6bb2a4f600ea93c05b8f10b1078a0e83b936c7e7449e59
+  metadata.gz: 8bcd7a2b51e44dcad5d3d5f0514cd1f670913c0ce8074f6af6dfe9b9c5c28c4e
+  data.tar.gz: 5bc5eba04f176db1d734aa7d32806f53d9f55402e128b56c5a50e6367974ef4f
 SHA512:
-  metadata.gz: 1e90784cea9ee178aed35ae2f0bc27ecaeb3115307bd21553a45b2504dcd2e02aa561d9dd6150fdc7f2e1ee96632488bc6160422df7c7a1a7a466e1e5ceed585
-  data.tar.gz: d2937c0bf6c1b4d2326b6ab11ea68149c8635de02722d93ac4d6c5824d8fa1b885ce2691d30901044a3f889019227956faaaec489609178d4e1f63812e036de9
+  metadata.gz: '028736d712ade96898ea014e859955bd94d68012e2cdca469b5dbf1b38cd86b42ec316710f06353e5ff5d82895a75df330830a149a3e9ecfc750a4f2bf108c88'
+  data.tar.gz: f02924cf126fc681df943225f2d2231628d6309feed5dbf7db67aab0ae53ef466d6e4e6236a820bfe677946b75cc47b9e1f087c8ad3dda2fb97bcc4c6cab60ce

data/bin/cfn_nag_rules

@@ -6,7 +6,7 @@ require 'cfn-nag'
 require 'rubygems/specification'
 
 opts = Optimist.options do
-  version Gem::Specification.find_by_name('cfn-nag').version
+  version CfnNagVersion::VERSION
 
   opt :rule_directory, 'Extra rule directories', type: :io,
                                                  required: false,

data/lib/cfn-nag/base_rule.rb

@@ -20,10 +20,16 @@ class CfnNag
       logical_resource_ids = audit_impl(cfn_model)
       return if logical_resource_ids.empty?
 
+      violation(logical_resource_ids)
+    end
+
+    def violation(logical_resource_ids, line_numbers = nil)
       Violation.new(id: rule_id,
+                    name: self.class.name,
                     type: rule_type,
                     message: rule_text,
-                    logical_resource_ids: logical_resource_ids)
+                    logical_resource_ids: logical_resource_ids,
+                    line_numbers: line_numbers)
     end
   end
 end

data/lib/cfn-nag/cfn_nag.rb

@@ -8,6 +8,7 @@ require_relative 'result_view/stdout_results'
 require_relative 'result_view/simple_stdout_results'
 require_relative 'result_view/colored_stdout_results'
 require_relative 'result_view/json_results'
+require_relative 'result_view/sarif_results'
 require 'cfn-model'
 
 # Top-level CfnNag class for running profiles
@@ -94,12 +95,12 @@ class CfnNag
       )
 
       violations = filter_violations_by_deny_list_and_profile(violations)
-      violations = mark_line_numbers(violations, cfn_model)
+      violations = mark_line_numbers_and_element_types(violations, cfn_model)
     rescue RuleRepoException, Psych::SyntaxError, ParserError => fatal_error
-      violations << fatal_violation(fatal_error.to_s)
+      violations << Violation.fatal_violation(fatal_error.to_s)
     rescue JSON::ParserError => json_parameters_error
       error = "JSON Parameter values parse error: #{json_parameters_error}"
-      violations << fatal_violation(error)
+      violations << Violation.fatal_violation(error)
     end
 
     violations = prune_fatal_violations(violations) if @config.ignore_fatal
@@ -112,15 +113,16 @@ class CfnNag
 
   def render_results(aggregate_results:,
                      output_format:)
-    results_renderer(output_format).new.render(aggregate_results)
+    results_renderer(output_format).new.render(aggregate_results, @config.custom_rule_loader.rule_definitions)
   end
 
   private
 
-  def mark_line_numbers(violations, cfn_model)
+  def mark_line_numbers_and_element_types(violations, cfn_model)
     violations.each do |violation|
       violation.logical_resource_ids.each do |logical_resource_id|
         violation.line_numbers << cfn_model.line_numbers[logical_resource_id]
+        violation.element_types << cfn_model.element_types[logical_resource_id]
       end
     end
 
@@ -141,7 +143,7 @@ class CfnNag
       violations: violations
     )
   rescue StandardError => deny_list_or_profile_parse_error
-    violations << fatal_violation(deny_list_or_profile_parse_error.to_s)
+    violations << Violation.fatal_violation(deny_list_or_profile_parse_error.to_s)
     violations
   end
 
@@ -152,17 +154,12 @@ class CfnNag
     }
   end
 
-  def fatal_violation(message)
-    Violation.new(id: 'FATAL',
-                  type: Violation::FAILING_VIOLATION,
-                  message: message)
-  end
-
   def results_renderer(output_format)
     registry = {
       'colortxt' => ColoredStdoutResults,
       'txt' => SimpleStdoutResults,
-      'json' => JsonResults
+      'json' => JsonResults,
+      'sarif' => SarifResults
     }
     registry[output_format]
   end

data/lib/cfn-nag/cfn_nag_executor.rb

@@ -74,9 +74,9 @@ class CfnNagExecutor
   end
 
   def validate_options(opts)
-    unless opts[:output_format].nil? || %w[colortxt txt json].include?(opts[:output_format])
+    unless opts[:output_format].nil? || %w[colortxt txt json sarif].include?(opts[:output_format])
       Optimist.die(:output_format,
-                   'Must be colortxt, txt, or json')
+                   'Must be colortxt, txt, json or sarif')
     end
 
     opts[:rule_arguments]&.each do |rule_argument|

data/lib/cfn-nag/cli_options.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require 'optimist'
+require_relative 'version'
 
 # rubocop:disable Metrics/ClassLength
 class Options
@@ -8,7 +9,7 @@ class Options
                                     'emit the exception without stack trace ' \
                                     'and keep chugging'
 
-  @version = Gem::Specification.find_by_name('cfn-nag').version
+  @version = CfnNagVersion::VERSION
 
   def self.for(type)
     case type
@@ -89,7 +90,7 @@ class Options
           required: false,
           default: false
       opt :output_format,
-          'Format of results: [txt, json, colortxt]',
+          'Format of results: [txt, json, colortxt, sarif]',
           type: :string,
           default: 'colortxt'
       opt :rule_repository,
@@ -132,7 +133,7 @@ class Options
           type: :string,
           required: true
       opt :output_format,
-          'Format of results: [txt, json, colortxt]',
+          'Format of results: [txt, json, colortxt, sarif]',
           type: :string,
           default: 'colortxt'
       opt :debug,

data/lib/cfn-nag/custom_rules/base.rb

@@ -19,9 +19,16 @@ class BaseRule
     logical_resource_ids = audit_impl(cfn_model)
     return if logical_resource_ids.empty?
 
+    violation(logical_resource_ids)
+  end
+
+  def violation(logical_resource_ids, line_numbers = [], element_types = [])
     Violation.new(id: rule_id,
+                  name: self.class.name,
                   type: rule_type,
                   message: rule_text,
-                  logical_resource_ids: logical_resource_ids)
+                  logical_resource_ids: logical_resource_ids,
+                  line_numbers: line_numbers,
+                  element_types: element_types)
   end
 end

data/lib/cfn-nag/result_view/colored_stdout_results.rb

@@ -10,7 +10,8 @@ class ColoredStdoutResults < StdoutResults
               color:,
               message:,
               logical_resource_ids: nil,
-              line_numbers: [])
+              line_numbers: [],
+              element_types: [])
 
     logical_resource_ids = nil if logical_resource_ids == []
 
@@ -18,7 +19,7 @@ class ColoredStdoutResults < StdoutResults
     puts
     puts colorize(color, "| #{message_type.upcase}")
     puts colorize(color, '|')
-    puts colorize(color, "| Resources: #{logical_resource_ids}") unless logical_resource_ids.nil?
+    puts colorize(color, "| #{element_type(element_types)}: #{logical_resource_ids}") unless logical_resource_ids.nil?
     puts colorize(color, "| Line Numbers: #{line_numbers}") unless line_numbers.empty?
     puts colorize(color, '|') unless line_numbers.empty? && logical_resource_ids.nil?
     puts colorize(color, "| #{message}")
@@ -38,4 +39,12 @@ class ColoredStdoutResults < StdoutResults
   def colorize(color_symbol, str)
     "\e[#{color_code(color_symbol)}m#{str}\e[0m"
   end
+
+  def element_type(element_types)
+    if element_types == [] || element_types.first.nil?
+      'Element'
+    elsif !element_types.first.nil?
+      element_types.first.capitalize
+    end
+  end
 end

data/lib/cfn-nag/result_view/json_results.rb

@@ -3,7 +3,7 @@
 require 'json'
 
 class JsonResults
-  def render(results)
+  def render(results, _rule_registry)
     hashified_results = results.each do |result|
       result[:file_results][:violations] = result[:file_results][:violations].map(&:to_h)
     end

data/lib/cfn-nag/result_view/sarif_results.rb

@@ -0,0 +1,103 @@
+# frozen_string_literal: true
+
+require 'json'
+require 'pathname'
+
+class SarifResults
+  def render(results, rule_registry)
+    sarif_results = []
+    results.each do |file|
+      # For each file in the results, review the violations
+      file[:file_results][:violations].each do |violation|
+        # For each violation, generate a sarif result for each logical resource id in the violation
+        violation.logical_resource_ids.each_with_index do |_logical_resource_id, index|
+          sarif_results << sarif_result(file_name: file[:filename], violation: violation, index: index)
+        end
+      end
+    end
+
+    sarif_report = {
+      version: '2.1.0',
+      '$schema': 'https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json',
+      runs: [
+        tool: {
+          driver: driver(rule_registry.rules)
+        },
+        results: sarif_results
+      ]
+    }
+
+    puts JSON.pretty_generate(sarif_report)
+  end
+
+  # Generates a SARIF driver object, which describes the tool and the rules used
+  def driver(rules)
+    {
+      name: 'cfn_nag',
+      informationUri: 'https://github.com/stelligent/cfn_nag',
+      semanticVersion: CfnNagVersion::VERSION,
+      rules: rules.map do |rule_definition|
+        {
+          id: "CFN_NAG_#{rule_definition.id}",
+          name: rule_definition.name,
+          fullDescription: {
+            text: rule_definition.message
+          }
+        }
+      end
+    }
+  end
+
+  # Given a cfn_nag Violation object, and index, generates a SARIF result object for the finding
+  def sarif_result(file_name:, violation:, index:)
+    {
+      ruleId: "CFN_NAG_#{violation.id}",
+      level: sarif_level(violation.type),
+      message: {
+        text: violation.message
+      },
+      locations: [
+        {
+          physicalLocation: {
+            artifactLocation: {
+              uri: relative_path(file_name),
+              uriBaseId: '%SRCROOT%'
+            },
+            region: {
+              startLine: sarif_line_number(violation.line_numbers[index])
+            }
+          },
+          logicalLocations: [
+            {
+              name: violation.logical_resource_ids[index]
+            }
+          ]
+        }
+      ]
+    }
+  end
+
+  # Line number defaults to 1 unless provided with valid number
+  def sarif_line_number(line_number)
+    line_number.nil? || line_number.to_i < 1 ? 1 : line_number.to_i
+  end
+
+  def sarif_level(violation_type)
+    case violation_type
+    when RuleDefinition::WARNING
+      'warning'
+    else
+      'error'
+    end
+  end
+
+  def relative_path(file_name)
+    file_pathname = Pathname.new(file_name)
+
+    if file_pathname.relative?
+      file_pathname.to_s
+    else
+      file_pathname.relative_path_from(Pathname.pwd).to_s
+    end
+  end
+end

data/lib/cfn-nag/result_view/simple_stdout_results.rb

@@ -11,7 +11,8 @@ class SimpleStdoutResults < StdoutResults
               message:,
               color:,
               logical_resource_ids: nil,
-              line_numbers: [])
+              line_numbers: [],
+              element_types: [])
 
     logical_resource_ids = nil if logical_resource_ids == []
 
@@ -19,10 +20,18 @@ class SimpleStdoutResults < StdoutResults
     puts
     puts "| #{message_type.upcase}"
     puts '|'
-    puts "| Resources: #{logical_resource_ids}" unless logical_resource_ids.nil?
+    puts "| #{element_type(element_types)}: #{logical_resource_ids}" unless logical_resource_ids.nil?
     puts "| Line Numbers: #{line_numbers}" unless line_numbers.empty?
     puts '|' unless line_numbers.empty? && logical_resource_ids.nil?
     puts "| #{message}"
   end
   # rubocop:enable Lint/UnusedMethodArgument
+
+  def element_type(element_types)
+    if element_types == [] || element_types.first.nil?
+      'Element'
+    elsif !element_types.first.nil?
+      element_types.first.capitalize
+    end
+  end
 end

data/lib/cfn-nag/result_view/stdout_results.rb

@@ -12,7 +12,8 @@ class StdoutResults
               color: color,
               message: violation.message,
               logical_resource_ids: violation.logical_resource_ids,
-              line_numbers: violation.line_numbers
+              line_numbers: violation.line_numbers,
+              element_types: violation.element_types
     end
   end
 
@@ -24,7 +25,7 @@ class StdoutResults
     puts "Warnings count: #{Violation.count_warnings(violations)}"
   end
 
-  def render(results)
+  def render(results, _rule_definitions)
     results.each do |result|
       60.times { print '-' }
       puts "\n#{result[:filename]}"

data/lib/cfn-nag/rule_definition.rb

@@ -4,27 +4,30 @@ class RuleDefinition
   WARNING = 'WARN'
   FAILING_VIOLATION = 'FAIL'
 
-  attr_reader :id, :type, :message
+  attr_reader :id, :name, :type, :message
 
   def initialize(id:,
+                 name:,
                  type:,
                  message:)
     @id = id
+    @name = name
     @type = type
     @message = message
 
-    [@id, @type, @message].each do |required|
+    [@id, @type, @name, @message].each do |required|
       raise 'No parameters to Violation constructor can be nil' if required.nil?
     end
   end
 
   def to_s
-    "#{@id} #{@type} #{@message}"
+    "#{@id} #{name} #{@type} #{@message}"
   end
 
   def to_h
     {
       id: @id,
+      name: @name,
       type: @type,
       message: @message
     }

data/lib/cfn-nag/rule_registry.rb

@@ -43,6 +43,7 @@ class RuleRegistry
     if existing_def.nil?
       rule_definition = RuleDefinition.new(
         id: rule.rule_id,
+        name: rule_class.name,
         type: rule.rule_type,
         message: rule.rule_text
       )

data/lib/cfn-nag/version.rb

@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+
+module CfnNagVersion
+  # This is managed at release time via scripts/publish.sh
+  VERSION = '0.8.4'
+end

data/lib/cfn-nag/violation.rb

@@ -4,20 +4,26 @@ require_relative 'rule_definition'
 
 # Rule definition for violations
 class Violation < RuleDefinition
-  attr_reader :logical_resource_ids, :line_numbers
+  attr_reader :logical_resource_ids, :line_numbers, :element_types
 
+  # rubocop:disable Metrics/ParameterLists
   def initialize(id:,
+                 name:,
                  type:,
                  message:,
                  logical_resource_ids: [],
-                 line_numbers: [])
+                 line_numbers: [],
+                 element_types: [])
     super id: id,
+          name: name,
           type: type,
           message: message
 
     @logical_resource_ids = logical_resource_ids
     @line_numbers = line_numbers
+    @element_types = element_types
   end
+  # rubocop:enable Metrics/ParameterLists
 
   def to_s
     "#{super} #{@logical_resource_ids}"
@@ -26,7 +32,8 @@ class Violation < RuleDefinition
   def to_h
     super.to_h.merge(
       logical_resource_ids: @logical_resource_ids,
-      line_numbers: @line_numbers
+      line_numbers: @line_numbers,
+      element_types: @element_types
     )
   end
 
@@ -57,6 +64,13 @@ class Violation < RuleDefinition
       end
     end
 
+    def fatal_violation(message)
+      Violation.new(id: 'FATAL',
+                    name: 'system',
+                    type: Violation::FAILING_VIOLATION,
+                    message: message)
+    end
+
     private
 
     def empty?(array)

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cfn-nag
 version: !ruby/object:Gem::Version
-  version: 0.8.0
+  version: 0.8.4
 platform: ruby
 authors:
 - Eric Kascic
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-10-07 00:00:00.000000000 Z
+date: 2021-10-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -72,14 +72,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.6.3
+        version: 0.6.6
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.6.3
+        version: 0.6.6
 - !ruby/object:Gem::Dependency
   name: logging
   requirement: !ruby/object:Gem::Requirement
@@ -371,6 +371,7 @@ files:
 - lib/cfn-nag/result_view/colored_stdout_results.rb
 - lib/cfn-nag/result_view/json_results.rb
 - lib/cfn-nag/result_view/rules_view.rb
+- lib/cfn-nag/result_view/sarif_results.rb
 - lib/cfn-nag/result_view/simple_stdout_results.rb
 - lib/cfn-nag/result_view/stdout_results.rb
 - lib/cfn-nag/rule_definition.rb
@@ -388,6 +389,7 @@ files:
 - lib/cfn-nag/util/enforce_string_or_dynamic_reference.rb
 - lib/cfn-nag/util/truthy.rb
 - lib/cfn-nag/util/wildcard_patterns.rb
+- lib/cfn-nag/version.rb
 - lib/cfn-nag/violation.rb
 - lib/cfn-nag/violation_filtering.rb
 homepage: https://github.com/stelligent/cfn_nag