RubyGems - cfn-nag - Versions diffs - 0.4.37 → 0.4.38 - Mend

cfn-nag 0.4.37 → 0.4.38

Files changed (4) hide show

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c63f7a83ba068114a9895b55e32158e25dd87f67cd1ec027487bc64102457364
-  data.tar.gz: 661de07e06346df408a824655e8d148a161df50833244e85a0aa0d57a127d6ee
+  metadata.gz: 2fb1bee12e87bb5e68bdfe15ba0a3ff77525fa2b9aca01d75707a323365de8bb
+  data.tar.gz: b21e9a17e5131846e0440b2b254b705bfead9d360f76bbe29775391469ab211a
 SHA512:
-  metadata.gz: e917e24120ff829d3c12291e02f6ae360cdebdc97e0aef5db42ecae9a85f74061423fe1565c22dc622baa94e7b3f1197e7fc6f4acb6b5481e4ba08c9d32fde8a
-  data.tar.gz: bc6b05f9068133fd662416fe4f21243ba78277ec61855d1c01bb4e3a5ca0283a4f3f19c20751bdb93db6544d18add75a825f7f012f4628278e6e8e29562fc7c1
+  metadata.gz: 34a547ee71bd06ebdeee34e4f3a6b9155e44d6999b6ebdbbd15172ab120ae36cdfcda159a8578a4d45a690f780f8b7a56d3bb2dbd277f543cbd5273e00a1e16f
+  data.tar.gz: 199fce4055e59caab622deb66a5a82111e94adf4be7923255c392243ef41b13e4080e0f655b79e32f3d6e963b09fd9351c8e8720b1ae956416d65975e595bbc0

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+require 'cfn-nag/violation'
+require_relative 'base'
+class SecurityGroupEgressAllProtocolsRule < BaseRule
+  def rule_text
+    'Security Groups egress with an IpProtocol of -1 found'
+  end
+  def rule_type
+    Violation::WARNING
+  end
+  def rule_id
+    'W40'
+  end
+  ##
+  # This will behave slightly different than the legacy jq based rule which was
+  # targeted against inline ingress only
+  def audit_impl(cfn_model)
+    violating_security_groups = cfn_model.security_groups.select do |security_group|
+      violating_egresses = security_group.egresses.select do |egress|
+        egress.ipProtocol.to_i == -1
+      end
+      !violating_egresses.empty?
+    end
+    violating_egresses = cfn_model.standalone_egress.select do |standalone_egress|
+      standalone_egress.ipProtocol.to_i == -1
+    end
+    violating_security_groups.map(&:logical_resource_id) + violating_egresses.map(&:logical_resource_id)
+  end
+end

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+require 'cfn-nag/violation'
+require_relative 'base'
+class SecurityGroupIngressAllProtocolsRule < BaseRule
+  def rule_text
+    'Security Groups ingress with an ipProtocol of -1 found '
+  end
+  def rule_type
+    Violation::WARNING
+  end
+  def rule_id
+    'W42'
+  end
+  ##
+  # This will behave slightly different than the legacy jq based rule which was
+  # targeted against inline ingress only
+  def audit_impl(cfn_model)
+    violating_security_groups = cfn_model.security_groups.select do |security_group|
+      violating_ingresses = security_group.ingresses.select do |ingress|
+        ingress.ipProtocol.to_i == -1
+      end
+      !violating_ingresses.empty?
+    end
+    violating_ingresses = cfn_model.standalone_ingress.select do |standalone_ingress|
+      standalone_ingress.ipProtocol.to_i == -1
+    end
+    violating_security_groups.map(&:logical_resource_id) + violating_ingresses.map(&:logical_resource_id)
+  end
+end

metadata CHANGED

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: cfn-nag
 version: !ruby/object:Gem::Version
-  version: 0.4.37
+  version: 0.4.38
 platform: ruby
 authors:
 - Eric Kascic
@@ -228,8 +228,10 @@ files:
 - lib/cfn-nag/custom_rules/S3BucketPolicyWildcardPrincipalRule.rb
 - lib/cfn-nag/custom_rules/S3BucketPublicReadAclRule.rb
 - lib/cfn-nag/custom_rules/S3BucketPublicReadWriteAclRule.rb
+- lib/cfn-nag/custom_rules/SecurityGroupEgressAllProtocolsRule.rb
 - lib/cfn-nag/custom_rules/SecurityGroupEgressOpenToWorldRule.rb
 - lib/cfn-nag/custom_rules/SecurityGroupEgressPortRangeRule.rb
+- lib/cfn-nag/custom_rules/SecurityGroupIngressAllProtocolsRule.rb
 - lib/cfn-nag/custom_rules/SecurityGroupIngressCidrNon32Rule.rb
 - lib/cfn-nag/custom_rules/SecurityGroupIngressOpenToWorldRule.rb
 - lib/cfn-nag/custom_rules/SecurityGroupIngressPortRangeRule.rb