cfn-nag 0.3.69 → 0.3.70
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 87b103419c81f7993bac0aaea152c9d4f5fb90df1a266d219b768e31e93c962f
|
|
4
|
+
data.tar.gz: ad57b13ca5e9d12ae76e9ab0ab2190b30f3edf82f12ad4cb4fde137fda9fa7ce
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 9c944634f99d05d4233c336052d88305be821d95c03e488d3ee5620191e18a66833bfdac7a6c2e5bbe64c83a79bee4e5cf878be060c08de9533adbe67d57a64f
|
|
7
|
+
data.tar.gz: 15ca6d74a6c3aa6813d8a31c2e4e6bd1f4535e91abf23525a3d4f96a738ed4c655635516e181be08447e3624cbc7e25a2fe8c50e2080d79874f1f76441a84a7d
|
data/lib/cfn-nag/cfn_nag.rb
CHANGED
|
@@ -85,7 +85,7 @@ class CfnNag
|
|
|
85
85
|
rescue Psych::SyntaxError, ParserError => parser_error
|
|
86
86
|
violations << fatal_violation(parser_error.to_s)
|
|
87
87
|
rescue JSON::ParserError => json_parameters_error
|
|
88
|
-
error = "JSON Parameter values parse error: #{json_parameters_error
|
|
88
|
+
error = "JSON Parameter values parse error: #{json_parameters_error}"
|
|
89
89
|
violations << fatal_violation(error)
|
|
90
90
|
end
|
|
91
91
|
|
|
@@ -85,9 +85,9 @@ class CustomRuleLoader
|
|
|
85
85
|
)
|
|
86
86
|
audit_result = rule_class.new.audit(filtered_cfn_model)
|
|
87
87
|
violations << audit_result unless audit_result.nil?
|
|
88
|
-
rescue
|
|
89
|
-
raise
|
|
90
|
-
STDERR.puts
|
|
88
|
+
rescue ScriptError, StandardError => rule_error
|
|
89
|
+
raise rule_error unless @isolate_custom_rule_exceptions
|
|
90
|
+
STDERR.puts rule_error
|
|
91
91
|
end
|
|
92
92
|
end
|
|
93
93
|
end
|
|
@@ -17,21 +17,22 @@ class CloudFormationAuthenticationRule < BaseRule
|
|
|
17
17
|
end
|
|
18
18
|
|
|
19
19
|
def audit_impl(cfn_model)
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
unless resource['Metadata'].nil?
|
|
23
|
-
unless resource['Metadata']['AWS::CloudFormation::Authentication'].nil?
|
|
24
|
-
|
|
25
|
-
resource['Metadata']['AWS::CloudFormation::Authentication'].each do |auth_name, auth|
|
|
26
|
-
if potentially_sensitive_credentials? auth
|
|
27
|
-
logical_resource_ids << resource_name
|
|
28
|
-
end
|
|
29
|
-
end
|
|
30
|
-
|
|
31
|
-
end
|
|
32
|
-
end
|
|
20
|
+
violating_resources = cfn_model.raw_model['Resources'].select do |_resource_name, resource|
|
|
21
|
+
resource_has_authentication?(resource) && resource_has_sensitive_credentials?(resource)
|
|
33
22
|
end
|
|
34
|
-
|
|
23
|
+
violating_resources.keys
|
|
24
|
+
end
|
|
25
|
+
|
|
26
|
+
private
|
|
27
|
+
|
|
28
|
+
def resource_has_sensitive_credentials?(resource)
|
|
29
|
+
resource['Metadata']['AWS::CloudFormation::Authentication'].find do |_auth_name, auth|
|
|
30
|
+
potentially_sensitive_credentials? auth
|
|
31
|
+
end
|
|
32
|
+
end
|
|
33
|
+
|
|
34
|
+
def resource_has_authentication?(resource)
|
|
35
|
+
resource['Metadata'] && resource['Metadata']['AWS::CloudFormation::Authentication']
|
|
35
36
|
end
|
|
36
37
|
|
|
37
38
|
def potentially_sensitive_credentials?(auth)
|
|
@@ -5,13 +5,13 @@ class JmesPathDiscovery
|
|
|
5
5
|
@rule_registry = rule_registry
|
|
6
6
|
end
|
|
7
7
|
|
|
8
|
-
def warning(id:,
|
|
8
|
+
def warning(id:, message:)
|
|
9
9
|
@rule_registry.definition(id: id,
|
|
10
10
|
type: Violation::WARNING,
|
|
11
11
|
message: message)
|
|
12
12
|
end
|
|
13
13
|
|
|
14
|
-
def failure(id:,
|
|
14
|
+
def failure(id:, message:)
|
|
15
15
|
@rule_registry.definition(id: id,
|
|
16
16
|
type: Violation::FAILING_VIOLATION,
|
|
17
17
|
message: message)
|