cfn-nag 0.8.1 → 0.8.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8aceb287830823e0d3aa5f6254e14e5d12fd5405c48ec9d41ce1e098023320cf
-  data.tar.gz: 8137ee2a1a7282e2025d6659229b1a9d1eb6e01a7db51c727dd6d37f0acda745
+  metadata.gz: c39c81a107025c553d08bce79ffdf244838c3e26fd1a853814f367a1abf732a7
+  data.tar.gz: d000e3ff73010f5796d2821a30d94dd361607384aaafeab64843af3d54913e3b
 SHA512:
-  metadata.gz: 9000f354e1fc834f08d6688580f8f79fa0846a4d2ff9c54bdc5995eae0fd3cad8a7f003178565da1209d1067585e1ba6d841f90c6e991891ad0b0a5b8714b98d
-  data.tar.gz: 8c726d52d37b174b91c3eb0abe6c97cd946ce324ad20bf63d75bc176661aa9af782d8a9e69a589368d4859fbb68bdd73af541e27e9020aba267756cf1de6187f
+  metadata.gz: 5d3b5cea49310d56c8735e16b49ca7bbbd605d8d00dd52bb1f243d1a39c52f3b9d01db3089fd248006939c873f33706fef01d014d0b7fc87095683eb62e3c20d
+  data.tar.gz: cc016234fbbc9c19c39ff7655667f58961a7abfd236285c4a148b13f846130f6fc007a3eabc8c7f9bd523363d1759749f889d453104a5dc9f165775318cdcd4a

data/bin/cfn_nag_rules

@@ -6,7 +6,7 @@ require 'cfn-nag'
 require 'rubygems/specification'
 
 opts = Optimist.options do
-  version Gem::Specification.find_by_name('cfn-nag').version
+  version CfnNagVersion::VERSION
 
   opt :rule_directory, 'Extra rule directories', type: :io,
                                                  required: false,

data/lib/cfn-nag/base_rule.rb

@@ -20,10 +20,16 @@ class CfnNag
       logical_resource_ids = audit_impl(cfn_model)
       return if logical_resource_ids.empty?
 
+      violation(logical_resource_ids)
+    end
+
+    def violation(logical_resource_ids, line_numbers = nil)
       Violation.new(id: rule_id,
+                    name: self.class.name,
                     type: rule_type,
                     message: rule_text,
-                    logical_resource_ids: logical_resource_ids)
+                    logical_resource_ids: logical_resource_ids,
+                    line_numbers: line_numbers)
     end
   end
 end

data/lib/cfn-nag/cfn_nag.rb

@@ -8,6 +8,7 @@ require_relative 'result_view/stdout_results'
 require_relative 'result_view/simple_stdout_results'
 require_relative 'result_view/colored_stdout_results'
 require_relative 'result_view/json_results'
+require_relative 'result_view/sarif_results'
 require 'cfn-model'
 
 # Top-level CfnNag class for running profiles
@@ -94,12 +95,12 @@ class CfnNag
       )
 
       violations = filter_violations_by_deny_list_and_profile(violations)
-      violations = mark_line_numbers(violations, cfn_model)
+      violations = mark_line_numbers_and_element_types(violations, cfn_model)
     rescue RuleRepoException, Psych::SyntaxError, ParserError => fatal_error
-      violations << fatal_violation(fatal_error.to_s)
+      violations << Violation.fatal_violation(fatal_error.to_s)
     rescue JSON::ParserError => json_parameters_error
       error = "JSON Parameter values parse error: #{json_parameters_error}"
-      violations << fatal_violation(error)
+      violations << Violation.fatal_violation(error)
     end
 
     violations = prune_fatal_violations(violations) if @config.ignore_fatal
@@ -112,15 +113,16 @@ class CfnNag
 
   def render_results(aggregate_results:,
                      output_format:)
-    results_renderer(output_format).new.render(aggregate_results)
+    results_renderer(output_format).new.render(aggregate_results, @config.custom_rule_loader.rule_definitions)
   end
 
   private
 
-  def mark_line_numbers(violations, cfn_model)
+  def mark_line_numbers_and_element_types(violations, cfn_model)
     violations.each do |violation|
       violation.logical_resource_ids.each do |logical_resource_id|
         violation.line_numbers << cfn_model.line_numbers[logical_resource_id]
+        violation.element_types << cfn_model.element_types[logical_resource_id]
       end
     end
 
@@ -141,7 +143,7 @@ class CfnNag
       violations: violations
     )
   rescue StandardError => deny_list_or_profile_parse_error
-    violations << fatal_violation(deny_list_or_profile_parse_error.to_s)
+    violations << Violation.fatal_violation(deny_list_or_profile_parse_error.to_s)
     violations
   end
 
@@ -152,17 +154,12 @@ class CfnNag
     }
   end
 
-  def fatal_violation(message)
-    Violation.new(id: 'FATAL',
-                  type: Violation::FAILING_VIOLATION,
-                  message: message)
-  end
-
   def results_renderer(output_format)
     registry = {
       'colortxt' => ColoredStdoutResults,
       'txt' => SimpleStdoutResults,
-      'json' => JsonResults
+      'json' => JsonResults,
+      'sarif' => SarifResults
     }
     registry[output_format]
   end

data/lib/cfn-nag/cfn_nag_executor.rb

@@ -74,9 +74,9 @@ class CfnNagExecutor
   end
 
   def validate_options(opts)
-    unless opts[:output_format].nil? || %w[colortxt txt json].include?(opts[:output_format])
+    unless opts[:output_format].nil? || %w[colortxt txt json sarif].include?(opts[:output_format])
       Optimist.die(:output_format,
-                   'Must be colortxt, txt, or json')
+                   'Must be colortxt, txt, json or sarif')
     end
 
     opts[:rule_arguments]&.each do |rule_argument|

data/lib/cfn-nag/cli_options.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require 'optimist'
+require_relative 'version'
 
 # rubocop:disable Metrics/ClassLength
 class Options
@@ -8,7 +9,7 @@ class Options
                                     'emit the exception without stack trace ' \
                                     'and keep chugging'
 
-  @version = Gem::Specification.find_by_name('cfn-nag').version
+  @version = CfnNagVersion::VERSION
 
   def self.for(type)
     case type
@@ -89,7 +90,7 @@ class Options
           required: false,
           default: false
       opt :output_format,
-          'Format of results: [txt, json, colortxt]',
+          'Format of results: [txt, json, colortxt, sarif]',
           type: :string,
           default: 'colortxt'
       opt :rule_repository,
@@ -132,7 +133,7 @@ class Options
           type: :string,
           required: true
       opt :output_format,
-          'Format of results: [txt, json, colortxt]',
+          'Format of results: [txt, json, colortxt, sarif]',
           type: :string,
           default: 'colortxt'
       opt :debug,

data/lib/cfn-nag/custom_rules/base.rb

@@ -19,9 +19,16 @@ class BaseRule
     logical_resource_ids = audit_impl(cfn_model)
     return if logical_resource_ids.empty?
 
+    violation(logical_resource_ids)
+  end
+
+  def violation(logical_resource_ids, line_numbers = [], element_types = [])
     Violation.new(id: rule_id,
+                  name: self.class.name,
                   type: rule_type,
                   message: rule_text,
-                  logical_resource_ids: logical_resource_ids)
+                  logical_resource_ids: logical_resource_ids,
+                  line_numbers: line_numbers,
+                  element_types: element_types)
   end
 end

data/lib/cfn-nag/result_view/colored_stdout_results.rb

@@ -10,7 +10,8 @@ class ColoredStdoutResults < StdoutResults
               color:,
               message:,
               logical_resource_ids: nil,
-              line_numbers: [])
+              line_numbers: [],
+              element_types: [])
 
     logical_resource_ids = nil if logical_resource_ids == []
 
@@ -18,7 +19,7 @@ class ColoredStdoutResults < StdoutResults
     puts
     puts colorize(color, "| #{message_type.upcase}")
     puts colorize(color, '|')
-    puts colorize(color, "| Resources: #{logical_resource_ids}") unless logical_resource_ids.nil?
+    puts colorize(color, "| #{element_type(element_types)}: #{logical_resource_ids}") unless logical_resource_ids.nil?
     puts colorize(color, "| Line Numbers: #{line_numbers}") unless line_numbers.empty?
     puts colorize(color, '|') unless line_numbers.empty? && logical_resource_ids.nil?
     puts colorize(color, "| #{message}")
@@ -38,4 +39,12 @@ class ColoredStdoutResults < StdoutResults
   def colorize(color_symbol, str)
     "\e[#{color_code(color_symbol)}m#{str}\e[0m"
   end
+
+  def element_type(element_types)
+    if element_types == [] || element_types.first.nil?
+      'Element'
+    elsif !element_types.first.nil?
+      element_types.first.capitalize
+    end
+  end
 end

data/lib/cfn-nag/result_view/json_results.rb

@@ -3,7 +3,7 @@
 require 'json'
 
 class JsonResults
-  def render(results)
+  def render(results, _rule_registry)
     hashified_results = results.each do |result|
       result[:file_results][:violations] = result[:file_results][:violations].map(&:to_h)
     end

data/lib/cfn-nag/result_view/sarif_results.rb

@@ -0,0 +1,103 @@
+# frozen_string_literal: true
+
+require 'json'
+require 'pathname'
+
+class SarifResults
+  def render(results, rule_registry)
+    sarif_results = []
+    results.each do |file|
+      # For each file in the results, review the violations
+      file[:file_results][:violations].each do |violation|
+        # For each violation, generate a sarif result for each logical resource id in the violation
+        violation.logical_resource_ids.each_with_index do |_logical_resource_id, index|
+          sarif_results << sarif_result(file_name: file[:filename], violation: violation, index: index)
+        end
+      end
+    end
+
+    sarif_report = {
+      version: '2.1.0',
+      '$schema': 'https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json',
+      runs: [
+        tool: {
+          driver: driver(rule_registry.rules)
+        },
+        results: sarif_results
+      ]
+    }
+
+    puts JSON.pretty_generate(sarif_report)
+  end
+
+  # Generates a SARIF driver object, which describes the tool and the rules used
+  def driver(rules)
+    {
+      name: 'cfn_nag',
+      informationUri: 'https://github.com/stelligent/cfn_nag',
+      semanticVersion: CfnNagVersion::VERSION,
+      rules: rules.map do |rule_definition|
+        {
+          id: "CFN_NAG_#{rule_definition.id}",
+          name: rule_definition.name,
+          fullDescription: {
+            text: rule_definition.message
+          }
+        }
+      end
+    }
+  end
+
+  # Given a cfn_nag Violation object, and index, generates a SARIF result object for the finding
+  def sarif_result(file_name:, violation:, index:)
+    {
+      ruleId: "CFN_NAG_#{violation.id}",
+      level: sarif_level(violation.type),
+      message: {
+        text: violation.message
+      },
+      locations: [
+        {
+          physicalLocation: {
+            artifactLocation: {
+              uri: relative_path(file_name),
+              uriBaseId: '%SRCROOT%'
+            },
+            region: {
+              startLine: sarif_line_number(violation.line_numbers[index])
+            }
+          },
+          logicalLocations: [
+            {
+              name: violation.logical_resource_ids[index]
+            }
+          ]
+        }
+      ]
+    }
+  end
+
+  # Line number defaults to 1 unless provided with valid number
+  def sarif_line_number(line_number)
+    line_number.nil? || line_number.to_i < 1 ? 1 : line_number.to_i
+  end
+
+  def sarif_level(violation_type)
+    case violation_type
+    when RuleDefinition::WARNING
+      'warning'
+    else
+      'error'
+    end
+  end
+
+  def relative_path(file_name)
+    file_pathname = Pathname.new(file_name)
+
+    if file_pathname.relative?
+      file_pathname.to_s
+    else
+      file_pathname.relative_path_from(Pathname.pwd).to_s
+    end
+  end
+end

data/lib/cfn-nag/result_view/simple_stdout_results.rb

@@ -11,7 +11,8 @@ class SimpleStdoutResults < StdoutResults
               message:,
               color:,
               logical_resource_ids: nil,
-              line_numbers: [])
+              line_numbers: [],
+              element_types: [])
 
     logical_resource_ids = nil if logical_resource_ids == []
 
@@ -19,10 +20,18 @@ class SimpleStdoutResults < StdoutResults
     puts
     puts "| #{message_type.upcase}"
     puts '|'
-    puts "| Resources: #{logical_resource_ids}" unless logical_resource_ids.nil?
+    puts "| #{element_type(element_types)}: #{logical_resource_ids}" unless logical_resource_ids.nil?
     puts "| Line Numbers: #{line_numbers}" unless line_numbers.empty?
     puts '|' unless line_numbers.empty? && logical_resource_ids.nil?
     puts "| #{message}"
   end
   # rubocop:enable Lint/UnusedMethodArgument
+
+  def element_type(element_types)
+    if element_types == [] || element_types.first.nil?
+      'Element'
+    elsif !element_types.first.nil?
+      element_types.first.capitalize
+    end
+  end
 end

data/lib/cfn-nag/result_view/stdout_results.rb

@@ -12,7 +12,8 @@ class StdoutResults
               color: color,
               message: violation.message,
               logical_resource_ids: violation.logical_resource_ids,
-              line_numbers: violation.line_numbers
+              line_numbers: violation.line_numbers,
+              element_types: violation.element_types
     end
   end
 
@@ -24,7 +25,7 @@ class StdoutResults
     puts "Warnings count: #{Violation.count_warnings(violations)}"
   end
 
-  def render(results)
+  def render(results, _rule_definitions)
     results.each do |result|
       60.times { print '-' }
       puts "\n#{result[:filename]}"

data/lib/cfn-nag/rule_definition.rb

@@ -4,27 +4,30 @@ class RuleDefinition
   WARNING = 'WARN'
   FAILING_VIOLATION = 'FAIL'
 
-  attr_reader :id, :type, :message
+  attr_reader :id, :name, :type, :message
 
   def initialize(id:,
+                 name:,
                  type:,
                  message:)
     @id = id
+    @name = name
     @type = type
     @message = message
 
-    [@id, @type, @message].each do |required|
+    [@id, @type, @name, @message].each do |required|
       raise 'No parameters to Violation constructor can be nil' if required.nil?
     end
   end
 
   def to_s
-    "#{@id} #{@type} #{@message}"
+    "#{@id} #{name} #{@type} #{@message}"
   end
 
   def to_h
     {
       id: @id,
+      name: @name,
       type: @type,
       message: @message
     }

data/lib/cfn-nag/rule_registry.rb

@@ -43,6 +43,7 @@ class RuleRegistry
     if existing_def.nil?
       rule_definition = RuleDefinition.new(
         id: rule.rule_id,
+        name: rule_class.name,
         type: rule.rule_type,
         message: rule.rule_text
       )

data/lib/cfn-nag/version.rb

@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+
+module CfnNagVersion
+  # This is managed at release time via scripts/publish.sh
+  VERSION = '0.8.5'
+end

data/lib/cfn-nag/violation.rb

@@ -4,20 +4,26 @@ require_relative 'rule_definition'
 
 # Rule definition for violations
 class Violation < RuleDefinition
-  attr_reader :logical_resource_ids, :line_numbers
+  attr_reader :logical_resource_ids, :line_numbers, :element_types
 
+  # rubocop:disable Metrics/ParameterLists
   def initialize(id:,
+                 name:,
                  type:,
                  message:,
                  logical_resource_ids: [],
-                 line_numbers: [])
+                 line_numbers: [],
+                 element_types: [])
     super id: id,
+          name: name,
           type: type,
           message: message
 
     @logical_resource_ids = logical_resource_ids
     @line_numbers = line_numbers
+    @element_types = element_types
   end
+  # rubocop:enable Metrics/ParameterLists
 
   def to_s
     "#{super} #{@logical_resource_ids}"
@@ -26,7 +32,8 @@ class Violation < RuleDefinition
   def to_h
     super.to_h.merge(
       logical_resource_ids: @logical_resource_ids,
-      line_numbers: @line_numbers
+      line_numbers: @line_numbers,
+      element_types: @element_types
     )
   end
 
@@ -57,6 +64,13 @@ class Violation < RuleDefinition
       end
     end
 
+    def fatal_violation(message)
+      Violation.new(id: 'FATAL',
+                    name: 'system',
+                    type: Violation::FAILING_VIOLATION,
+                    message: message)
+    end
+
     private
 
     def empty?(array)

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cfn-nag
 version: !ruby/object:Gem::Version
-  version: 0.8.1
+  version: 0.8.5
 platform: ruby
 authors:
 - Eric Kascic
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-10-15 00:00:00.000000000 Z
+date: 2021-10-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -72,14 +72,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.6.4
+        version: 0.6.6
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.6.4
+        version: 0.6.6
 - !ruby/object:Gem::Dependency
   name: logging
   requirement: !ruby/object:Gem::Requirement
@@ -371,6 +371,7 @@ files:
 - lib/cfn-nag/result_view/colored_stdout_results.rb
 - lib/cfn-nag/result_view/json_results.rb
 - lib/cfn-nag/result_view/rules_view.rb
+- lib/cfn-nag/result_view/sarif_results.rb
 - lib/cfn-nag/result_view/simple_stdout_results.rb
 - lib/cfn-nag/result_view/stdout_results.rb
 - lib/cfn-nag/rule_definition.rb
@@ -388,6 +389,7 @@ files:
 - lib/cfn-nag/util/enforce_string_or_dynamic_reference.rb
 - lib/cfn-nag/util/truthy.rb
 - lib/cfn-nag/util/wildcard_patterns.rb
+- lib/cfn-nag/version.rb
 - lib/cfn-nag/violation.rb
 - lib/cfn-nag/violation_filtering.rb
 homepage: https://github.com/stelligent/cfn_nag