cfn-nag 0.4.25 → 0.4.26

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5831535337b294e5987a1320faf81cdac048d6dbcd635ebbf06ad9846296abfb
-  data.tar.gz: 7392d1f5274a0846021ddd74abdfd02dcc469667f3e683a58a3d03102da10602
+  metadata.gz: ef0acd9549dce74e9f5ef0dca9b82fce29c80e193ccddafc258609a45451ce35
+  data.tar.gz: 93fc908b9ca4982528956237adbdd5f1d205696837ef048f52beefa3ba035646
 SHA512:
-  metadata.gz: de914e0aa4dafe15b44a26695d08c7a192077b1091ffc6772d54012421620addac79cabdd80c7ab0d0b99c7d55f93977cc07ff48ef9fd5156b906d2e8b21e05d
-  data.tar.gz: ca733a6edfcf84523d34156aeb3f2f55035d100a603495d1d78755178013855152d341ae158ce71e9b3cf3d504b241945d6642db7049819341969b004fce05bc
+  metadata.gz: d00ea40e225b0e2f7854949c6aae70ee6f81ebbec3f19c578cc590384c7ba94293cb4a784e267e6b2b96e301d57f7d40916099798a78c84e3b5ae3fdfdc20e94
+  data.tar.gz: 164fa35a935ad405bc02f035cb460edc061fabd81467a6b2a9c65918e36ba059addc646d986bbf5a7ad66d36cd1bcb4b716d03a18094feda790997a71d51aa10

data/lib/cfn-nag/custom_rules/SecurityGroupRuleDescriptionRule.rb

@@ -0,0 +1,58 @@
+# frozen_string_literal: true
+
+require 'cfn-nag/violation'
+require_relative 'base'
+require 'cfn-nag/ip_addr'
+require 'cfn-nag/util/blank.rb'
+
+class SecurityGroupRuleDescriptionRule < BaseRule
+  def rule_text
+    'Security group rules without a description obscure their purpose and may '\
+    'lead to bad practices in ensuring they only allow traffic from the ports '\
+    'and sources/destinations required.'
+  end
+
+  def rule_type
+    Violation::WARNING
+  end
+
+  def rule_id
+    'W36'
+  end
+
+  def audit_impl(cfn_model)
+    violating_security_groups?(cfn_model) +
+      violating_ingress?(cfn_model) +
+      violating_egress?(cfn_model)
+  end
+
+  private
+
+  def violating_sg_component(sg_component)
+    sg_component.select do |item|
+      blank?(item['Description'])
+    end
+  end
+
+  def violating_security_groups?(cfn_model)
+    violating_security_groups = cfn_model.security_groups.select do |security_group|
+      !violating_sg_component(security_group.securityGroupIngress).empty? ||
+        !violating_sg_component(security_group.securityGroupEgress).empty?
+    end
+    violating_security_groups.map(&:logical_resource_id)
+  end
+
+  def violating_ingress?(cfn_model)
+    violating_ingress = cfn_model.resources_by_type('AWS::EC2::SecurityGroupIngress').select do |standalone_ingress|
+      blank?(standalone_ingress.description)
+    end
+    violating_ingress.map(&:logical_resource_id)
+  end
+
+  def violating_egress?(cfn_model)
+    violating_egress = cfn_model.resources_by_type('AWS::EC2::SecurityGroupEgress').select do |standalone_egress|
+      blank?(standalone_egress.description)
+    end
+    violating_egress.map(&:logical_resource_id)
+  end
+end

data/lib/cfn-nag/util/blank.rb

@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+
+# Checks a string for being missing, empty, or only containing spaces
+def blank?(str)
+  str.nil? || str.to_s.strip == ''
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: cfn-nag
 version: !ruby/object:Gem::Version
-  version: 0.4.25
+  version: 0.4.26
 platform: ruby
 authors:
 - Eric Kascic
@@ -226,6 +226,7 @@ files:
 - lib/cfn-nag/custom_rules/SecurityGroupIngressOpenToWorldRule.rb
 - lib/cfn-nag/custom_rules/SecurityGroupIngressPortRangeRule.rb
 - lib/cfn-nag/custom_rules/SecurityGroupMissingEgressRule.rb
+- lib/cfn-nag/custom_rules/SecurityGroupRuleDescriptionRule.rb
 - lib/cfn-nag/custom_rules/SnsTopicPolicyNotActionRule.rb
 - lib/cfn-nag/custom_rules/SnsTopicPolicyNotPrincipalRule.rb
 - lib/cfn-nag/custom_rules/SnsTopicPolicyWildcardPrincipalRule.rb
@@ -252,6 +253,7 @@ files:
 - lib/cfn-nag/rule_id_set.rb
 - lib/cfn-nag/rule_registry.rb
 - lib/cfn-nag/template_discovery.rb
+- lib/cfn-nag/util/blank.rb
 - lib/cfn-nag/util/enforce_reference_parameter.rb
 - lib/cfn-nag/util/enforce_string_or_dynamic_reference.rb
 - lib/cfn-nag/util/truthy.rb