cfn-nag 0.3.69 → 0.3.70
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 87b103419c81f7993bac0aaea152c9d4f5fb90df1a266d219b768e31e93c962f
|
4
|
+
data.tar.gz: ad57b13ca5e9d12ae76e9ab0ab2190b30f3edf82f12ad4cb4fde137fda9fa7ce
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 9c944634f99d05d4233c336052d88305be821d95c03e488d3ee5620191e18a66833bfdac7a6c2e5bbe64c83a79bee4e5cf878be060c08de9533adbe67d57a64f
|
7
|
+
data.tar.gz: 15ca6d74a6c3aa6813d8a31c2e4e6bd1f4535e91abf23525a3d4f96a738ed4c655635516e181be08447e3624cbc7e25a2fe8c50e2080d79874f1f76441a84a7d
|
data/lib/cfn-nag/cfn_nag.rb
CHANGED
@@ -85,7 +85,7 @@ class CfnNag
|
|
85
85
|
rescue Psych::SyntaxError, ParserError => parser_error
|
86
86
|
violations << fatal_violation(parser_error.to_s)
|
87
87
|
rescue JSON::ParserError => json_parameters_error
|
88
|
-
error = "JSON Parameter values parse error: #{json_parameters_error
|
88
|
+
error = "JSON Parameter values parse error: #{json_parameters_error}"
|
89
89
|
violations << fatal_violation(error)
|
90
90
|
end
|
91
91
|
|
@@ -85,9 +85,9 @@ class CustomRuleLoader
|
|
85
85
|
)
|
86
86
|
audit_result = rule_class.new.audit(filtered_cfn_model)
|
87
87
|
violations << audit_result unless audit_result.nil?
|
88
|
-
rescue
|
89
|
-
raise
|
90
|
-
STDERR.puts
|
88
|
+
rescue ScriptError, StandardError => rule_error
|
89
|
+
raise rule_error unless @isolate_custom_rule_exceptions
|
90
|
+
STDERR.puts rule_error
|
91
91
|
end
|
92
92
|
end
|
93
93
|
end
|
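Review bot: With `@isolate_custom_rule_exceptions` set, a custom rule that raises is reduced to one line on stderr and adds nothing to `violations`, so the audit presumably reports the template as clean for a rule that never finished — a crashing rule becomes a silent pass. The `CfnNag` hunk in this same release turns parser errors into `fatal_violation(...)` entries; the rescue here should record the failure the same way, or at minimum name the rule so the stderr line is attributable, e.g. `STDERR.puts "custom rule #{rule_class} failed: #{rule_error}"`. Printing only `rule_error` also drops the backtrace, which `STDERR.puts rule_error.backtrace&.join("\n")` would keep for diagnosis. Rescuing `ScriptError` alongside `StandardError` is reasonable for user-supplied rule files (a `SyntaxError` or `LoadError` in one rule should not take the whole audit down), which is exactly why the failure needs to be visible in the result rather than only on the console. The enclosing method starts outside the hunk.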
@@ -17,21 +17,22 @@ class CloudFormationAuthenticationRule < BaseRule
|
|
17
17
|
end
|
18
18
|
|
19
19
|
def audit_impl(cfn_model)
|
20
|
-
|
21
|
-
|
22
|
-
unless resource['Metadata'].nil?
|
23
|
-
unless resource['Metadata']['AWS::CloudFormation::Authentication'].nil?
|
24
|
-
|
25
|
-
resource['Metadata']['AWS::CloudFormation::Authentication'].each do |auth_name, auth|
|
26
|
-
if potentially_sensitive_credentials? auth
|
27
|
-
logical_resource_ids << resource_name
|
28
|
-
end
|
29
|
-
end
|
30
|
-
|
31
|
-
end
|
32
|
-
end
|
20
|
+
violating_resources = cfn_model.raw_model['Resources'].select do |_resource_name, resource|
|
21
|
+
resource_has_authentication?(resource) && resource_has_sensitive_credentials?(resource)
|
33
22
|
end
|
34
|
-
|
23
|
+
violating_resources.keys
|
24
|
+
end
|
25
|
+
|
26
|
+
private
|
27
|
+
|
28
|
+
def resource_has_sensitive_credentials?(resource)
|
29
|
+
resource['Metadata']['AWS::CloudFormation::Authentication'].find do |_auth_name, auth|
|
30
|
+
potentially_sensitive_credentials? auth
|
31
|
+
end
|
32
|
+
end
|
33
|
+
|
34
|
+
def resource_has_authentication?(resource)
|
35
|
+
resource['Metadata'] && resource['Metadata']['AWS::CloudFormation::Authentication']
|
35
36
|
end
|
36
37
|
|
37
38
|
def potentially_sensitive_credentials?(auth)
|
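Review bot: `resource_has_authentication?` only checks that the `AWS::CloudFormation::Authentication` entry is truthy, so `resource_has_sensitive_credentials?` then calls `.find` on whatever the template supplied; a string or list value there (or a string-valued `Metadata`, where `[]` is a substring lookup) raises `NoMethodError` or feeds `nil` into `potentially_sensitive_credentials?` instead of producing a finding. Templates are the untrusted input this linter exists to inspect, so a malformed resource should not abort the rule; guard on shape, e.g. `resource['Metadata'].is_a?(Hash) && resource['Metadata']['AWS::CloudFormation::Authentication'].is_a?(Hash)`. `resource_has_sensitive_credentials?` ends in `?` but returns the matched `[name, auth]` pair or `nil`; `any?` in place of `find` yields a boolean and reads as the predicate it is named as. `cfn_model.raw_model['Resources']` is likewise unguarded against a template with no `Resources` key, presumably as before this change. The `private` marker introduced here also covers `potentially_sensitive_credentials?`, whose body continues outside the hunk — worth confirming nothing outside the class calls it.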
@@ -5,13 +5,13 @@ class JmesPathDiscovery
|
|
5
5
|
@rule_registry = rule_registry
|
6
6
|
end
|
7
7
|
|
8
|
-
def warning(id:,
|
8
|
+
def warning(id:, message:)
|
9
9
|
@rule_registry.definition(id: id,
|
10
10
|
type: Violation::WARNING,
|
11
11
|
message: message)
|
12
12
|
end
|
13
13
|
|
14
|
-
def failure(id:,
|
14
|
+
def failure(id:, message:)
|
15
15
|
@rule_registry.definition(id: id,
|
16
16
|
type: Violation::FAILING_VIOLATION,
|
17
17
|
message: message)
|