cfn-nag 0.3.43 → 0.3.44
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/cfn-nag/cfn_nag.rb +19 -21
- data/lib/cfn-nag/custom_rule_loader.rb +39 -29
- data/lib/cfn-nag/custom_rules/CloudFormationAuthenticationRule.rb +1 -0
- data/lib/cfn-nag/custom_rules/CloudFrontDistributionAccessLoggingRule.rb +1 -0
- data/lib/cfn-nag/custom_rules/base.rb +6 -7
- metadata +1 -1
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: d94e81c63455c6eda830af691fecf9da6bbec732818c879fd77b24341443b834
|
|
4
|
+
data.tar.gz: 170e6a4f324a2b58e19f38e9c36ab3c27c31daf2144ea0d94630de3ce661438f
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 735a3bdfbbff963559a7eacabea92a28fe6f5451bf9aabadb05b6e94921d98d369b3c37d2d747a060b111e1886d19fed4461cdde1001d250a12e271b53a8197a
|
|
7
|
+
data.tar.gz: 2b8412e8c7d1aae3371d177045ddb14e2c7c71ecc312d7fa910dbdee592853abd2e995bc538f481f0f02cd19c971c2194e01bd99afcb20c988c8a58260725018
|
data/lib/cfn-nag/cfn_nag.rb
CHANGED
|
@@ -7,6 +7,7 @@ require_relative 'result_view/json_results'
|
|
|
7
7
|
require 'cfn-model'
|
|
8
8
|
require 'logging'
|
|
9
9
|
|
|
10
|
+
# Top-level CfnNag class for running profiles
|
|
10
11
|
class CfnNag
|
|
11
12
|
def initialize(profile_definition: nil,
|
|
12
13
|
rule_directory: nil,
|
|
@@ -42,6 +43,8 @@ class CfnNag
|
|
|
42
43
|
end
|
|
43
44
|
end
|
|
44
45
|
|
|
46
|
+
# rubocop:disable Metrics/MethodLength
|
|
47
|
+
|
|
45
48
|
##
|
|
46
49
|
# Given a file or directory path, return aggregate results
|
|
47
50
|
#
|
|
@@ -59,6 +62,9 @@ class CfnNag
|
|
|
59
62
|
end
|
|
60
63
|
aggregate_results
|
|
61
64
|
end
|
|
65
|
+
# rubocop:enable Metrics/MethodLength
|
|
66
|
+
|
|
67
|
+
# rubocop:disable Metrics/MethodLength
|
|
62
68
|
|
|
63
69
|
##
|
|
64
70
|
# Given cloudformation json/yml, run all the rules against it
|
|
@@ -69,29 +75,21 @@ class CfnNag
|
|
|
69
75
|
# Return a hash with failure count
|
|
70
76
|
#
|
|
71
77
|
def audit(cloudformation_string:, parameter_values_string: nil)
|
|
72
|
-
stop_processing = false
|
|
73
78
|
violations = []
|
|
74
|
-
|
|
75
|
-
|
|
76
|
-
|
|
77
|
-
|
|
78
|
-
|
|
79
|
-
violations
|
|
80
|
-
|
|
81
|
-
|
|
82
|
-
|
|
83
|
-
|
|
84
|
-
|
|
85
|
-
|
|
86
|
-
violations += @custom_rule_loader.execute_custom_rules(cfn_model)
|
|
87
|
-
violations = filter_violations_by_profile violations
|
|
88
|
-
end
|
|
89
|
-
|
|
90
|
-
{
|
|
91
|
-
failure_count: Violation.count_failures(violations),
|
|
92
|
-
violations: violations
|
|
93
|
-
}
|
|
79
|
+
cfn_model = CfnParser.new.parse cloudformation_string,
|
|
80
|
+
parameter_values_string
|
|
81
|
+
violations += @custom_rule_loader.execute_custom_rules(cfn_model)
|
|
82
|
+
violations = filter_violations_by_profile violations
|
|
83
|
+
{ failure_count: Violation.count_failures(violations),
|
|
84
|
+
violations: violations }
|
|
85
|
+
rescue Psych::SyntaxError, ParserError => parser_error
|
|
86
|
+
violations << Violation.new(id: 'FATAL',
|
|
87
|
+
type: Violation::FAILING_VIOLATION,
|
|
88
|
+
message: parser_error.to_s)
|
|
89
|
+
{ failure_count: Violation.count_failures(violations),
|
|
90
|
+
violations: violations }
|
|
94
91
|
end
|
|
92
|
+
# rubocop:enable Metrics/MethodLength
|
|
95
93
|
|
|
96
94
|
def self.configure_logging(opts)
|
|
97
95
|
logger = Logging.logger['log']
|
|
@@ -24,10 +24,8 @@ class CustomRuleLoader
|
|
|
24
24
|
rule_registry = RuleRegistry.new
|
|
25
25
|
|
|
26
26
|
discover_rule_classes(@rule_directory).each do |rule_class|
|
|
27
|
-
|
|
28
|
-
|
|
29
|
-
type: rule.rule_type,
|
|
30
|
-
message: rule.rule_text)
|
|
27
|
+
rule_registry
|
|
28
|
+
.definition(**rule_registry_from_rule_class(rule_class))
|
|
31
29
|
end
|
|
32
30
|
|
|
33
31
|
discover_jmespath_filenames(@rule_directory).each do |jmespath_file|
|
|
@@ -47,6 +45,33 @@ class CustomRuleLoader
|
|
|
47
45
|
|
|
48
46
|
validate_cfn_nag_metadata(cfn_model)
|
|
49
47
|
|
|
48
|
+
filter_rule_classes cfn_model, violations
|
|
49
|
+
|
|
50
|
+
filter_jmespath_filenames cfn_model, violations
|
|
51
|
+
|
|
52
|
+
violations
|
|
53
|
+
end
|
|
54
|
+
|
|
55
|
+
private
|
|
56
|
+
|
|
57
|
+
def rule_registry_from_rule_class(rule_class)
|
|
58
|
+
rule = rule_class.new
|
|
59
|
+
{ id: rule.rule_id,
|
|
60
|
+
type: rule.rule_type,
|
|
61
|
+
message: rule.rule_text }
|
|
62
|
+
end
|
|
63
|
+
|
|
64
|
+
def filter_jmespath_filenames(cfn_model, violations)
|
|
65
|
+
discover_jmespath_filenames(@rule_directory).each do |jmespath_file|
|
|
66
|
+
evaluator = JmesPathEvaluator.new cfn_model
|
|
67
|
+
evaluator.instance_eval do
|
|
68
|
+
eval IO.read jmespath_file
|
|
69
|
+
end
|
|
70
|
+
violations += evaluator.violations
|
|
71
|
+
end
|
|
72
|
+
end
|
|
73
|
+
|
|
74
|
+
def filter_rule_classes(cfn_model, violations)
|
|
50
75
|
discover_rule_classes(@rule_directory).each do |rule_class|
|
|
51
76
|
begin
|
|
52
77
|
filtered_cfn_model = cfn_model_with_suppressed_resources_removed \
|
|
@@ -55,26 +80,12 @@ class CustomRuleLoader
|
|
|
55
80
|
audit_result = rule_class.new.audit(filtered_cfn_model)
|
|
56
81
|
violations << audit_result unless audit_result.nil?
|
|
57
82
|
rescue Exception => exception
|
|
58
|
-
|
|
59
|
-
|
|
60
|
-
else
|
|
61
|
-
raise exception
|
|
62
|
-
end
|
|
83
|
+
raise exception unless @isolate_custom_rule_exceptions
|
|
84
|
+
STDERR.puts exception
|
|
63
85
|
end
|
|
64
86
|
end
|
|
65
|
-
|
|
66
|
-
discover_jmespath_filenames(@rule_directory).each do |jmespath_file|
|
|
67
|
-
evaluator = JmesPathEvaluator.new cfn_model
|
|
68
|
-
evaluator.instance_eval do
|
|
69
|
-
eval IO.read jmespath_file
|
|
70
|
-
end
|
|
71
|
-
violations += evaluator.violations
|
|
72
|
-
end
|
|
73
|
-
violations
|
|
74
87
|
end
|
|
75
88
|
|
|
76
|
-
private
|
|
77
|
-
|
|
78
89
|
def rules_to_suppress(resource)
|
|
79
90
|
if resource.metadata &&
|
|
80
91
|
resource.metadata['cfn_nag'] &&
|
|
@@ -84,19 +95,18 @@ class CustomRuleLoader
|
|
|
84
95
|
end
|
|
85
96
|
end
|
|
86
97
|
|
|
98
|
+
# XXX given mangled_metadatas is never used or returned,
|
|
99
|
+
# STDERR emit can be moved to unless block
|
|
87
100
|
def validate_cfn_nag_metadata(cfn_model)
|
|
88
101
|
mangled_metadatas = []
|
|
89
102
|
cfn_model.resources.each do |logical_resource_id, resource|
|
|
90
103
|
resource_rules_to_suppress = rules_to_suppress resource
|
|
91
|
-
if resource_rules_to_suppress.nil?
|
|
92
|
-
|
|
93
|
-
|
|
94
|
-
|
|
95
|
-
|
|
96
|
-
|
|
97
|
-
unless mangled_rules.empty?
|
|
98
|
-
mangled_metadatas << [logical_resource_id, mangled_rules]
|
|
99
|
-
end
|
|
104
|
+
next if resource_rules_to_suppress.nil?
|
|
105
|
+
mangled_rules = resource_rules_to_suppress.select do |rule_to_suppress|
|
|
106
|
+
rule_to_suppress['id'].nil?
|
|
107
|
+
end
|
|
108
|
+
unless mangled_rules.empty?
|
|
109
|
+
mangled_metadatas << [logical_resource_id, mangled_rules]
|
|
100
110
|
end
|
|
101
111
|
end
|
|
102
112
|
mangled_metadatas.each do |mangled_metadata|
|
|
@@ -1,5 +1,6 @@
|
|
|
1
1
|
require 'cfn-nag/violation'
|
|
2
2
|
|
|
3
|
+
# Base class all Rules should subclass
|
|
3
4
|
class BaseRule
|
|
4
5
|
##
|
|
5
6
|
# Returns a collection of logical resource ids
|
|
@@ -14,12 +15,10 @@ class BaseRule
|
|
|
14
15
|
#
|
|
15
16
|
def audit(cfn_model)
|
|
16
17
|
logical_resource_ids = audit_impl(cfn_model)
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
logical_resource_ids: logical_resource_ids)
|
|
23
|
-
end
|
|
18
|
+
return if logical_resource_ids.empty?
|
|
19
|
+
Violation.new(id: rule_id,
|
|
20
|
+
type: rule_type,
|
|
21
|
+
message: rule_text,
|
|
22
|
+
logical_resource_ids: logical_resource_ids)
|
|
24
23
|
end
|
|
25
24
|
end
|