cfn-nag 0.8.7 → 0.8.10

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5802d950eab38e40f6073fa29cc4736a052885451e106ff8e6501128e877ad84
-  data.tar.gz: 36b602473c0e8586b360641825d44aa911a5511afafa614bd4c40c912bee1efc
+  metadata.gz: 40a08198632607ba6b27da6855a68dce9296ac85e7d5c0b511efd64297c24089
+  data.tar.gz: df6fb8ea0508ebff5ae8d5f74dd4e403294152adfcf43b306e426de33b12eec8
 SHA512:
-  metadata.gz: a10f0637676007bfd8c4498f579d71eea6e29e0ae01fe1ad9b82e51b77fc97bf9a2b9f69350b948a5b9794b2970e0e52191783ea50254aeccb5028db3a0b0a68
-  data.tar.gz: 9bade29b10f95b488c6be7711329c5ea11c21a32169badb0b9c1e83dcd930aac757601ba1ad722da34aaeb2d8c23bf46bdda458be5dcc0b17d2b32b519236ec7
+  metadata.gz: bc4b6426631b6777c2a77eb3c7be2fbf776ae1027675c9f420c558cbcc6e2682368889438e05e52a91b0709b06cd4bfcef46ea67d2b051d62b0bbc84b2e843a2
+  data.tar.gz: 69874dc93fee2a9f3aca39c2eef7b5d27f2d2805350792b5dcbb8e8b5ad0d9b4a97c97f98f7d15bf75d1588dfee0c6c31a2ad9a4962a6b834aa8babf9ae7cfaa

data/lib/cfn-nag/cfn_nag_config.rb

@@ -11,14 +11,16 @@ class CfnNagConfig
                  fail_on_warnings: false,
                  ignore_fatal: false,
                  rule_repository_definitions: [],
-                 rule_arguments: {})
+                 rule_arguments: {},
+                 rule_directory_recursive: false)
     @rule_directory = rule_directory
     @custom_rule_loader = CustomRuleLoader.new(
       rule_directory: rule_directory,
       allow_suppression: allow_suppression,
       print_suppression: print_suppression,
       isolate_custom_rule_exceptions: isolate_custom_rule_exceptions,
-      rule_repository_definitions: rule_repository_definitions
+      rule_repository_definitions: rule_repository_definitions,
+      rule_directory_recursive: rule_directory_recursive
     )
     @profile_definition = profile_definition
     @deny_list_definition = deny_list_definition

data/lib/cfn-nag/cfn_nag_executor.rb

@@ -130,7 +130,8 @@ class CfnNagExecutor
       fail_on_warnings: opts[:fail_on_warnings],
       rule_repository_definitions: @rule_repository_definitions,
       ignore_fatal: opts[:ignore_fatal],
-      rule_arguments: merge_rule_arguments(opts)
+      rule_arguments: merge_rule_arguments(opts),
+      rule_directory_recursive: opts[:rule_directory_recursive]
     )
   end
 

data/lib/cfn-nag/cli_options.rb

@@ -54,6 +54,11 @@ class Options
           type: :string,
           required: false,
           default: nil
+      opt :rule_directory_recursive,
+          'Recursively search extra rule directory',
+          type: :boolean,
+          required: false,
+          default: false
       opt :profile_path,
           'Path to a profile file',
           type: :string,

data/lib/cfn-nag/custom_rule_loader.rb

@@ -27,12 +27,14 @@ class CustomRuleLoader
                  allow_suppression: true,
                  print_suppression: false,
                  isolate_custom_rule_exceptions: false,
-                 rule_repository_definitions: [])
+                 rule_repository_definitions: [],
+                 rule_directory_recursive: false)
     @rule_directory = rule_directory
     @allow_suppression = allow_suppression
     @print_suppression = print_suppression
     @isolate_custom_rule_exceptions = isolate_custom_rule_exceptions
     @rule_repository_definitions = rule_repository_definitions
+    @rule_directory_recursive = rule_directory_recursive
     @registry = nil
   end
 
@@ -43,7 +45,8 @@ class CustomRuleLoader
   #
   def rule_definitions(force_refresh: false)
     if @registry.nil? || force_refresh
-      @registry = FileBasedRuleRepo.new(@rule_directory).discover_rules
+      @registry = FileBasedRuleRepo.new(@rule_directory,
+                                        rule_directory_recursive: @rule_directory_recursive).discover_rules
       @registry.merge! GemBasedRuleRepo.new.discover_rules
 
       @registry = RuleRepositoryLoader.new.merge(@registry, @rule_repository_definitions)

data/lib/cfn-nag/custom_rules/IamRolePassRoleWildcardResourceRule.rb

@@ -23,7 +23,7 @@ class IamRolePassRoleWildcardResourceRule < BaseRule
     violating_roles = cfn_model.resources_by_type('AWS::IAM::Role').select do |role|
       violating_policies = role.policy_objects.select do |policy|
         violating_statements = policy.policy_document.statements.select do |statement|
-          passrole_action?(statement) && wildcard_resource?(statement)
+          statement.effect == 'Allow' && passrole_action?(statement) && wildcard_resource?(statement)
         end
         !violating_statements.empty?
       end

data/lib/cfn-nag/custom_rules/passrole_base_rule.rb

@@ -16,7 +16,7 @@ class PassRoleBaseRule < BaseRule
 
     violating_policies = policies.select do |policy|
       violating_statements = policy.policy_document.statements.select do |statement|
-        passrole_action?(statement) && wildcard_resource?(statement)
+        statement.effect == 'Allow' && passrole_action?(statement) && wildcard_resource?(statement)
       end
       !violating_statements.empty?
     end

data/lib/cfn-nag/rule_repos/file_based_rule_repo.rb

@@ -8,8 +8,9 @@ require 'logging'
 # client's choosing
 #
 class FileBasedRuleRepo
-  def initialize(rule_directory)
+  def initialize(rule_directory, rule_directory_recursive: false)
     @rule_directory = rule_directory
+    @rule_directory_recursive = rule_directory_recursive
     validate_extra_rule_directory rule_directory
   end
 
@@ -19,7 +20,8 @@ class FileBasedRuleRepo
     # we look on the file system, and we load from the file system into a Class
     # that the runtime can refer back to later from the registry which is effectively
     # just a set of rule definitons
-    discover_rule_classes(@rule_directory).each do |rule_class|
+    discover_rule_classes(@rule_directory,
+                          rule_directory_recursive: @rule_directory_recursive).each do |rule_class|
       rule_registry.definition(rule_class)
     end
 
@@ -34,12 +36,18 @@ class FileBasedRuleRepo
     raise "Not a real directory #{rule_directory}"
   end
 
-  def discover_rule_filenames(rule_directory)
+  def locate_rule_files(rule_directory, rule_directory_recursive)
+    return Dir.glob(File.join(rule_directory, '**/*Rule.rb')).sort if rule_directory_recursive
+
+    Dir[File.join(rule_directory, '*Rule.rb')].sort
+  end
+
+  def discover_rule_filenames(rule_directory, rule_directory_recursive: false)
     rule_filenames = []
     unless rule_directory.nil?
-      rule_filenames += Dir[File.join(rule_directory, '*Rule.rb')].sort
+      rule_filenames += locate_rule_files(rule_directory, rule_directory_recursive)
     end
-    rule_filenames += Dir[File.join(__dir__, '..', 'custom_rules', '*Rule.rb')].sort
+    rule_filenames += locate_rule_files(File.join(__dir__, '..', 'custom_rules'), rule_directory_recursive)
 
     # Windows fix when running ruby from Command Prompt and not bash
     rule_filenames.reject! { |filename| filename =~ /_rule.rb$/ }
@@ -47,10 +55,13 @@ class FileBasedRuleRepo
     rule_filenames
   end
 
-  def discover_rule_classes(rule_directory)
+  def discover_rule_classes(rule_directory, rule_directory_recursive: false)
     rule_classes = []
 
-    rule_filenames = discover_rule_filenames(rule_directory)
+    rule_filenames = discover_rule_filenames(
+      rule_directory,
+      rule_directory_recursive: rule_directory_recursive
+    )
     rule_filenames.each do |rule_filename|
       require(File.absolute_path(rule_filename))
       rule_classname = File.basename(rule_filename, '.rb')

data/lib/cfn-nag/version.rb

@@ -2,5 +2,5 @@
 
 module CfnNagVersion
   # This is managed at release time via scripts/publish.sh
-  VERSION = '0.8.7'
+  VERSION = '0.8.10'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cfn-nag
 version: !ruby/object:Gem::Version
-  version: 0.8.7
+  version: 0.8.10
 platform: ruby
 authors:
 - Eric Kascic
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-10-29 00:00:00.000000000 Z
+date: 2022-05-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake