RubyGems - cfn-nag - Versions diffs - 0.7.15 → 0.7.16 - Mend

cfn-nag 0.7.15 → 0.7.16

Files changed (64) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 21844ee26ff22655e7c4ca236ff4f27511c6c538450c5a67ee5981aa739c40ae
-  data.tar.gz: 151d8518421441674483e09ecdec0454da73e973c58b8d3826f95417d9423917
+  metadata.gz: a9a486bbd59b0cd5de04ba5ad9a133e6ce20697320a22655bdfc99bd41849638
+  data.tar.gz: 1fb8c617610cd079026a094a2fdf6aa3d63e2de4c65fd9ae3f608b3256909875
 SHA512:
-  metadata.gz: b09918a74b3c26e097b63d171bd3af8fe2ff83d72b6782c03fe56b23f99a5f10e43bd6b111ea1a8ae4381bb4e376d71efcc4d8484d5ddb32266096294a869e95
-  data.tar.gz: 1f5558eb98f3455d2fd2a195ef887d51a6899f7a62bcd7515b048b0e451d783d99bb4cca84a6e8a584f0e66cdde05ca4573115f8c3e723aa2d8e10d3ff00a2f7
+  metadata.gz: f86d2ee1986cec5903811516b44e549c6c544b4ada13149433bcc8ff1a0b945528dd6d33e32ee877154aaec3d483991d37501595fae6e20cd92aecfa1efd4371
+  data.tar.gz: a702b10e0326c3903eaada403e27290544d094c6d696e68de9b87e2c2b4457462b3c106da5e535952dc83df9bf49851e230091e9fb6ee50a1c09515f58e9e9e9

data/bin/cfn_nag_rules CHANGED Viewed

@@ -27,12 +27,12 @@ end
 profile_definition = nil
 unless opts[:profile_path].nil?
-  profile_definition = IO.read(opts[:profile_path])
+  profile_definition = File.read(opts[:profile_path])
 end
 rule_repository_definitions = []
 opts[:rule_repository]&.each do |rule_repository|
-  rule_repository_definitions << IO.read(rule_repository)
+  rule_repository_definitions << File.read(rule_repository)
 end
 rule_dumper = CfnNagRuleDumper.new(profile_definition: profile_definition,

data/bin/spcm_scan CHANGED Viewed

@@ -41,7 +41,7 @@ end
 def read_conditionally(path)
   unless path.nil?
-    IO.read(path)
+    File.read(path)
   end
 end

data/lib/cfn-nag/cfn_nag.rb CHANGED Viewed

@@ -55,8 +55,8 @@ class CfnNag
                                    parameter_values_path: nil,
                                    condition_values_path: nil,
                                    template_pattern: DEFAULT_TEMPLATE_PATTERN)
-    parameter_values_string = parameter_values_path.nil? ? nil : IO.read(parameter_values_path)
-    condition_values_string = condition_values_path.nil? ? nil : IO.read(condition_values_path)
+    parameter_values_string = parameter_values_path.nil? ? nil : File.read(parameter_values_path)
+    condition_values_string = condition_values_path.nil? ? nil : File.read(condition_values_path)
     templates = TemplateDiscovery.new.discover_templates(input_json_path: input_path,
                                                          template_pattern: template_pattern)
@@ -64,7 +64,7 @@ class CfnNag
     templates.each do |template|
       aggregate_results << {
         filename: template,
-        file_results: audit(cloudformation_string: IO.read(template),
+        file_results: audit(cloudformation_string: File.read(template),
                             parameter_values_string: parameter_values_string,
                             condition_values_string: condition_values_string)
       }

data/lib/cfn-nag/cfn_nag_executor.rb CHANGED Viewed

@@ -98,13 +98,13 @@ class CfnNagExecutor
     @rule_arguments_string = read_conditionally(opts[:rule_arguments_path])
     opts[:rule_repository]&.each do |rule_repository|
-      @rule_repository_definitions << IO.read(rule_repository)
+      @rule_repository_definitions << File.read(rule_repository)
     end
   end
   def read_conditionally(path)
     unless path.nil?
-      IO.read(path)
+      File.read(path)
     end
   end

data/lib/cfn-nag/cli_options.rb CHANGED Viewed

@@ -5,8 +5,8 @@ require 'optimist'
 # rubocop:disable Metrics/ClassLength
 class Options
   @custom_rule_exceptions_message = 'Isolate custom rule exceptions - just ' \
-                                   'emit the exception without stack trace ' \
-                                   'and keep chugging'
+                                    'emit the exception without stack trace ' \
+                                    'and keep chugging'
   @version = Gem::Specification.find_by_name('cfn-nag').version
@@ -25,7 +25,7 @@ class Options
   # rubocop:disable Metrics/MethodLength
   def self.file_options
     options_message = '[options] <cloudformation template path ...>|' \
-                        '<cloudformation template in STDIN>'
+                      '<cloudformation template in STDIN>'
     custom_rule_exceptions_message = @custom_rule_exceptions_message
     version = @version

data/lib/cfn-nag/custom_rules/AlexaASKSkillAuthenticationConfigurationClientSecretRule.rb CHANGED Viewed

@@ -8,7 +8,7 @@ require_relative 'base'
 class AlexaASKSkillAuthenticationConfigurationClientSecretRule < BaseRule
   def rule_text
     'Alexa ASK Skill AuthenticationConfiguration ClientSecret must not be ' \
-    'a plaintext string or a Ref to a NoEcho Parameter with a Default value.'
+      'a plaintext string or a Ref to a NoEcho Parameter with a Default value.'
   end
   def rule_type

data/lib/cfn-nag/custom_rules/AlexaASKSkillAuthenticationConfigurationRefreshTokenRule.rb CHANGED Viewed

@@ -8,7 +8,7 @@ require_relative 'base'
 class AlexaASKSkillAuthenticationConfigurationRefreshTokenRule < BaseRule
   def rule_text
     'Alexa ASK Skill AuthenticationConfiguration RefreshToken must not be ' \
-    'a plaintext string or a Ref to a NoEcho Parameter with a Default value.'
+      'a plaintext string or a Ref to a NoEcho Parameter with a Default value.'
   end
   def rule_type

data/lib/cfn-nag/custom_rules/AmazonMQBrokerUsersPasswordRule.rb CHANGED Viewed

@@ -6,7 +6,7 @@ require_relative 'sub_property_with_list_password_base_rule'
 class AmazonMQBrokerUsersPasswordRule < SubPropertyWithListPasswordBaseRule
   def rule_text
     'AmazonMQ Broker Users Password must not be a plaintext string or a Ref to a Parameter with a Default value. ' \
-    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
+      'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
   end
   def rule_type

data/lib/cfn-nag/custom_rules/AmplifyAppAccessTokenRule.rb CHANGED Viewed

@@ -6,8 +6,8 @@ require_relative 'password_base_rule'
 class AmplifyAppAccessTokenRule < PasswordBaseRule
   def rule_text
     'Amplify App AccessToken must not be a plaintext string ' \
-    'or a Ref to a Parameter with a Default value.  ' \
-    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
+      'or a Ref to a Parameter with a Default value.  ' \
+      'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
   end
   def rule_type

data/lib/cfn-nag/custom_rules/AmplifyAppBasicAuthConfigPasswordRule.rb CHANGED Viewed

@@ -6,8 +6,8 @@ require_relative 'password_base_rule'
 class AmplifyAppBasicAuthConfigPasswordRule < PasswordBaseRule
   def rule_text
     'Amplify App BasicAuthConfig Password must not be a plaintext string ' \
-    'or a Ref to a Parameter with a Default value.  ' \
-    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
+      'or a Ref to a Parameter with a Default value.  ' \
+      'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
   end
   def rule_type

data/lib/cfn-nag/custom_rules/AmplifyAppOauthTokenRule.rb CHANGED Viewed

@@ -6,8 +6,8 @@ require_relative 'password_base_rule'
 class AmplifyAppOauthTokenRule < PasswordBaseRule
   def rule_text
     'Amplify App OauthToken must not be a plaintext string ' \
-    'or a Ref to a Parameter with a Default value.  ' \
-    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
+      'or a Ref to a Parameter with a Default value.  ' \
+      'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
   end
   def rule_type

data/lib/cfn-nag/custom_rules/AmplifyBranchBasicAuthConfigPasswordRule.rb CHANGED Viewed

@@ -6,8 +6,8 @@ require_relative 'password_base_rule'
 class AmplifyBranchBasicAuthConfigPasswordRule < PasswordBaseRule
   def rule_text
     'Amplify Branch BasicAuthConfig Password must not be a plaintext ' \
-    'string or a Ref to a Parameter with a Default value.  ' \
-    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
+      'string or a Ref to a Parameter with a Default value.  ' \
+      'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
   end
   def rule_type

data/lib/cfn-nag/custom_rules/ApiGatewayAccessLoggingRule.rb CHANGED Viewed

@@ -6,7 +6,7 @@ require_relative 'base'
 class ApiGatewayAccessLoggingRule < BaseRule
   def rule_text
     'ApiGateway Deployment resource should have AccessLogSetting property configured when creating an ' \
-    'API Stage itself (through specifying the StageName and StageDescription properties).'
+      'API Stage itself (through specifying the StageName and StageDescription properties).'
   end
   def rule_type

data/lib/cfn-nag/custom_rules/ApiGatewayCacheEncryptedRule.rb CHANGED Viewed

@@ -6,7 +6,7 @@ require_relative 'base'
 class ApiGatewayCacheEncryptedRule < BaseRule
   def rule_text
     'ApiGateway Deployment should have cache data encryption enabled when caching is enabled' \
-    ' in StageDescription properties'
+      ' in StageDescription properties'
   end
   def rule_type

data/lib/cfn-nag/custom_rules/ApiGatewayMethodAuthorizationTypeRule.rb CHANGED Viewed

@@ -6,7 +6,7 @@ require_relative 'base'
 class ApiGatewayMethodAuthorizationTypeRule < BaseRule
   def rule_text
     "AWS::ApiGateway::Method should not have AuthorizationType set to 'NONE' unless it is of " \
-    'HttpMethod: OPTIONS.'
+      'HttpMethod: OPTIONS.'
   end
   def rule_type

data/lib/cfn-nag/custom_rules/AppStreamDirectoryConfigServiceAccountCredentialsAccountPasswordRule.rb CHANGED Viewed

@@ -6,9 +6,9 @@ require_relative 'password_base_rule'
 class AppStreamDirectoryConfigServiceAccountCredentialsAccountPasswordRule < PasswordBaseRule
   def rule_text
     'AppStream DirectoryConfig ServiceAccountCredentials AccountPassword ' \
-    'must not be a plaintext string or a Ref to a Parameter ' \
-    'with a Default value.  ' \
-    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
+      'must not be a plaintext string or a Ref to a Parameter ' \
+      'with a Default value.  ' \
+      'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
   end
   def rule_type

data/lib/cfn-nag/custom_rules/CodePipelineWebhookAuthenticationConfigurationSecretTokenRule.rb CHANGED Viewed

@@ -6,8 +6,8 @@ require_relative 'password_base_rule'
 class CodePipelineWebhookAuthenticationConfigurationSecretTokenRule < PasswordBaseRule
   def rule_text
     'CodePipeline Webhook AuthenticationConfiguration SecretToken must not be ' \
-    'a plaintext string or a Ref to a Parameter with a Default value.  ' \
-    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
+      'a plaintext string or a Ref to a Parameter with a Default value.  ' \
+      'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
   end
   def rule_type

data/lib/cfn-nag/custom_rules/CognitoIdentityPoolAllowUnauthenticatedIdentitiesRule.rb CHANGED Viewed

@@ -7,7 +7,7 @@ require_relative 'base'
 class CognitoIdentityPoolAllowUnauthenticatedIdentitiesRule < BaseRule
   def rule_text
     'AWS::Cognito::IdentityPool AllowUnauthenticatedIdentities property should be false ' \
-    'but CAN be true if proper restrictive IAM roles and permissions are established for unauthenticated users.'
+      'but CAN be true if proper restrictive IAM roles and permissions are established for unauthenticated users.'
   end
   def rule_type

data/lib/cfn-nag/custom_rules/DMSEndpointMongoDbSettingsPasswordRule.rb CHANGED Viewed

@@ -6,8 +6,8 @@ require_relative 'password_base_rule'
 class DMSEndpointMongoDbSettingsPasswordRule < PasswordBaseRule
   def rule_text
     'DMS Endpoint MongoDbSettings Password must not be a plaintext string ' \
-    'or a Ref to a Parameter with a Default value.  ' \
-    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
+      'or a Ref to a Parameter with a Default value.  ' \
+      'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
   end
   def rule_type

data/lib/cfn-nag/custom_rules/DMSEndpointPasswordRule.rb CHANGED Viewed

@@ -6,8 +6,8 @@ require_relative 'password_base_rule'
 class DMSEndpointPasswordRule < PasswordBaseRule
   def rule_text
     'DMS Endpoint password must not be a plaintext string ' \
-    'or a Ref to a Parameter with a Default value.  ' \
-    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
+      'or a Ref to a Parameter with a Default value.  ' \
+      'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
   end
   def rule_type

data/lib/cfn-nag/custom_rules/DirectoryServiceMicrosoftADPasswordRule.rb CHANGED Viewed

@@ -7,8 +7,8 @@ require_relative 'password_base_rule'
 class DirectoryServiceMicrosoftADPasswordRule < PasswordBaseRule
   def rule_text
     'Directory Service Microsoft AD password must not be a plaintext string ' \
-    'or a Ref to a Parameter with a Default value.  ' \
-    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
+      'or a Ref to a Parameter with a Default value.  ' \
+      'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
   end
   def rule_type

data/lib/cfn-nag/custom_rules/DirectoryServiceSimpleADPasswordRule.rb CHANGED Viewed

@@ -7,8 +7,8 @@ require_relative 'password_base_rule'
 class DirectoryServiceSimpleADPasswordRule < PasswordBaseRule
   def rule_text
     'DirectoryService SimpleAD password must not be a plaintext string ' \
-    'or a Ref to a Parameter with a Default value.  ' \
-    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
+      'or a Ref to a Parameter with a Default value.  ' \
+      'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
   end
   def rule_type

data/lib/cfn-nag/custom_rules/DocDBDBClusterMasterUserPasswordRule.rb CHANGED Viewed

@@ -6,8 +6,8 @@ require_relative 'password_base_rule'
 class DocDBDBClusterMasterUserPasswordRule < PasswordBaseRule
   def rule_text
     'DocDB DB Cluster master user password must not be a plaintext string ' \
-    'or a Ref to a Parameter with a Default value.  ' \
-    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
+      'or a Ref to a Parameter with a Default value.  ' \
+      'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
   end
   def rule_type

data/lib/cfn-nag/custom_rules/EC2NetworkAclEntryProtocolRule.rb CHANGED Viewed

@@ -6,7 +6,7 @@ require_relative 'base'
 class EC2NetworkAclEntryProtocolRule < BaseRule
   def rule_text
     'To avoid opening all ports for Allow rules, EC2 NetworkACL Entry Protocol should be either 6 (for TCP), 17 ' \
-    '(for UDP), 1 (for ICMP), or 58 (for ICMPv6, which must include an IPv6 CIDR block, ICMP type, and code).'
+      '(for UDP), 1 (for ICMP), or 58 (for ICMPv6, which must include an IPv6 CIDR block, ICMP type, and code).'
   end
   def rule_type
@@ -53,12 +53,8 @@ class EC2NetworkAclEntryProtocolRule < BaseRule
   def violating_network_acl_entries?(network_acl_entry)
     if rule_action_allow?(network_acl_entry)
-      if tcp_udp_icmp_protocol?(network_acl_entry) ||
-         icmpv6_protocol?(network_acl_entry)
-        false
-      else
-        true
-      end
+      !(tcp_udp_icmp_protocol?(network_acl_entry) ||
+         icmpv6_protocol?(network_acl_entry))
     end
   end
 end

data/lib/cfn-nag/custom_rules/EKSClusterEncryptionRule.rb CHANGED Viewed

@@ -18,9 +18,7 @@ class EKSClusterEncryptionRule < BaseRule
   def audit_impl(cfn_model)
     violating_clusters = cfn_model.resources_by_type('AWS::EKS::Cluster').select do |cluster|
-      if cluster.encryptionConfig.nil?
-        true
-      elsif violating_configs?(cluster)
+      if cluster.encryptionConfig.nil? || violating_configs?(cluster)
         true
       else
         violating_providers?(cluster)

data/lib/cfn-nag/custom_rules/EMRClusterKerberosAttributesADDomainJoinPasswordRule.rb CHANGED Viewed

@@ -6,8 +6,8 @@ require_relative 'password_base_rule'
 class EMRClusterKerberosAttributesADDomainJoinPasswordRule < PasswordBaseRule
   def rule_text
     'EMR Cluster KerberosAttributes AD Domain JoinPassword must not be a ' \
-    'plaintext string or a Ref to a Parameter with a Default value.  ' \
-    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
+      'plaintext string or a Ref to a Parameter with a Default value.  ' \
+      'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
   end
   def rule_type

data/lib/cfn-nag/custom_rules/EMRClusterKerberosAttributesCrossRealmTrustPrincipalPasswordRule.rb CHANGED Viewed

@@ -6,9 +6,9 @@ require_relative 'password_base_rule'
 class EMRClusterKerberosAttributesCrossRealmTrustPrincipalPasswordRule < PasswordBaseRule
   def rule_text
     'EMR Cluster KerberosAttributes CrossRealmTrustPrincipal Password must ' \
-    'not be a plaintext string or a Ref to a Parameter with a ' \
-    'Default value.  ' \
-    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
+      'not be a plaintext string or a Ref to a Parameter with a ' \
+      'Default value.  ' \
+      'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
   end
   def rule_type

data/lib/cfn-nag/custom_rules/EMRClusterKerberosAttributesKdcAdminPasswordRule.rb CHANGED Viewed

@@ -6,8 +6,8 @@ require_relative 'password_base_rule'
 class EMRClusterKerberosAttributesKdcAdminPasswordRule < PasswordBaseRule
   def rule_text
     'EMR Cluster KerberosAttributes KdcAdmin Password must not be a ' \
-    'plaintext string or a Ref to a Parameter with a Default value.  ' \
-    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
+      'plaintext string or a Ref to a Parameter with a Default value.  ' \
+      'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
   end
   def rule_type

data/lib/cfn-nag/custom_rules/ElastiCacheReplicationGroupAuthTokenRule.rb CHANGED Viewed

@@ -6,8 +6,8 @@ require_relative 'password_base_rule'
 class ElastiCacheReplicationGroupAuthTokenRule < PasswordBaseRule
   def rule_text
     'ElastiCache ReplicationGroup AuthToken must not be a plaintext string ' \
-    'or a Ref to a Parameter with a Default value.  ' \
-    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
+      'or a Ref to a Parameter with a Default value.  ' \
+      'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
   end
   def rule_type

data/lib/cfn-nag/custom_rules/IAMUserLoginProfilePasswordRule.rb CHANGED Viewed

@@ -6,8 +6,8 @@ require_relative 'password_base_rule'
 class IAMUserLoginProfilePasswordRule < PasswordBaseRule
   def rule_text
     'IAM User LoginProfile Password must not be a plaintext string or ' \
-    'a Ref to a Parameter with a Default value.  ' \
-    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
+      'a Ref to a Parameter with a Default value.  ' \
+      'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
   end
   def rule_type

data/lib/cfn-nag/custom_rules/IamUserLoginProfilePasswordResetRule.rb CHANGED Viewed

@@ -29,9 +29,7 @@ class IamUserLoginProfilePasswordResetRule < BaseRule
   def iam_user_password_reset_required_key?(login_profile)
     if login_profile.key? 'PasswordResetRequired'
-      if login_profile['PasswordResetRequired'].nil?
-        true
-      elsif not_truthy?(login_profile['PasswordResetRequired'])
+      if login_profile['PasswordResetRequired'].nil? || not_truthy?(login_profile['PasswordResetRequired'])
         true
       end
     else
@@ -40,10 +38,10 @@ class IamUserLoginProfilePasswordResetRule < BaseRule
   end
   def violating_iam_users?(iam_user)
-    if !iam_user.loginProfile.nil?
-      iam_user_password_reset_required_key?(iam_user.loginProfile)
-    else
+    if iam_user.loginProfile.nil?
       false
+    else
+      iam_user_password_reset_required_key?(iam_user.loginProfile)
     end
   end
 end

data/lib/cfn-nag/custom_rules/KMSKeyWildcardPrincipalRule.rb CHANGED Viewed

@@ -6,7 +6,7 @@ require_relative 'base'
 class KMSKeyWildcardPrincipalRule < BaseRule
   def rule_text
     'KMS key should not allow * principal ' \
-    '(https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html)'
+      '(https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html)'
   end
   def rule_type

data/lib/cfn-nag/custom_rules/KinesisFirehoseDeliveryStreamRedshiftDestinationConfigurationPasswordRule.rb CHANGED Viewed

@@ -6,9 +6,9 @@ require_relative 'password_base_rule'
 class KinesisFirehoseDeliveryStreamRedshiftDestinationConfigurationPasswordRule < PasswordBaseRule
   def rule_text
     'Kinesis Firehose DeliveryStream RedshiftDestinationConfiguration Password ' \
-    'must not be a plaintext string or a Ref to a Parameter with a ' \
-    'Default value.  ' \
-    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
+      'must not be a plaintext string or a Ref to a Parameter with a ' \
+      'Default value.  ' \
+      'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
   end
   def rule_type

data/lib/cfn-nag/custom_rules/KinesisFirehoseDeliveryStreamSplunkDestinationConfigurationHECTokenRule.rb CHANGED Viewed

@@ -6,9 +6,9 @@ require_relative 'password_base_rule'
 class KinesisFirehoseDeliveryStreamSplunkDestinationConfigurationHECTokenRule < PasswordBaseRule
   def rule_text
     'Kinesis Firehose DeliveryStream SplunkDestinationConfiguration HECToken ' \
-    'must not be a plaintext string or a Ref to a Parameter with a ' \
-    'Default value.  ' \
-    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
+      'must not be a plaintext string or a Ref to a Parameter with a ' \
+      'Default value.  ' \
+      'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
   end
   def rule_type

data/lib/cfn-nag/custom_rules/KinesisStreamStreamEncryptionRule.rb CHANGED Viewed

@@ -27,11 +27,9 @@ class KinesisStreamStreamEncryptionRule < BaseRule
   private
   def violating_kinesis_streams?(kinesis_stream)
-    if kinesis_stream.streamEncryption.nil?
-      true
-    elsif kinesis_stream.streamEncryption['EncryptionType'].nil?
-      true
-    elsif kinesis_stream.streamEncryption['KeyId'].nil?
+    if kinesis_stream.streamEncryption.nil? ||
+       kinesis_stream.streamEncryption['EncryptionType'].nil? ||
+       kinesis_stream.streamEncryption['KeyId'].nil?
       true
     else
       kinesis_stream.streamEncryption['EncryptionType'] == 'NONE'

data/lib/cfn-nag/custom_rules/LambdaPermissionEventSourceTokenRule.rb CHANGED Viewed

@@ -6,8 +6,8 @@ require_relative 'password_base_rule'
 class LambdaPermissionEventSourceTokenRule < PasswordBaseRule
   def rule_text
     'Lambda Permission EventSourceToken must not be a plaintext string ' \
-    'or a Ref to a Parameter with a Default value.  ' \
-    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
+      'or a Ref to a Parameter with a Default value.  ' \
+      'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
   end
   def rule_type

data/lib/cfn-nag/custom_rules/LambdaPermissionInvokeFunctionActionRule.rb CHANGED Viewed

@@ -6,7 +6,7 @@ require_relative 'base'
 class LambdaPermissionInvokeFunctionActionRule < BaseRule
   def rule_text
     'Lambda permission beside InvokeFunction might not be what you want? ' \
-    'Not sure!?'
+      'Not sure!?'
   end
   def rule_type

data/lib/cfn-nag/custom_rules/ManagedBlockchainMemberMemberFabricConfigurationAdminPasswordRule.rb CHANGED Viewed

@@ -8,7 +8,7 @@ require_relative 'base'
 class ManagedBlockchainMemberMemberFabricConfigurationAdminPasswordRule < BaseRule
   def rule_text
     'ManagedBlockchain Member MemberFabricConfiguration AdminPasswordRule must ' \
-    'not be a plaintext string or a Ref to a NoEcho Parameter with a Default value.'
+      'not be a plaintext string or a Ref to a NoEcho Parameter with a Default value.'
   end
   def rule_type
@@ -42,14 +42,11 @@ class ManagedBlockchainMemberMemberFabricConfigurationAdminPasswordRule < BaseRu
   #   'MemberFabricConfiguration'
   #   'AdminPassword'
   def password_property_does_not_exist(member)
-    if member.memberConfiguration['MemberFrameworkConfiguration'].nil?
-      true
-    elsif member.memberConfiguration['MemberFrameworkConfiguration']['MemberFabricConfiguration'].nil?
-      true
-    elsif member.memberConfiguration['MemberFrameworkConfiguration']['MemberFabricConfiguration']['AdminPassword'].nil?
+    if member.memberConfiguration['MemberFrameworkConfiguration'].nil? ||
+       member.memberConfiguration['MemberFrameworkConfiguration']['MemberFabricConfiguration'].nil?
       true
     else
-      false
+      member.memberConfiguration['MemberFrameworkConfiguration']['MemberFabricConfiguration']['AdminPassword'].nil?
     end
   end
 end

data/lib/cfn-nag/custom_rules/OpsWorksAppAppSourcePasswordRule.rb CHANGED Viewed

@@ -6,8 +6,8 @@ require_relative 'password_base_rule'
 class OpsWorksAppAppSourcePasswordRule < PasswordBaseRule
   def rule_text
     'OpsWorks App AppSource Password must not be a plaintext ' \
-    'string or a Ref to a Parameter with a Default value.  ' \
-    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
+      'string or a Ref to a Parameter with a Default value.  ' \
+      'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
   end
   def rule_type

data/lib/cfn-nag/custom_rules/OpsWorksAppSslConfigurationPrivateKeyRule.rb CHANGED Viewed

@@ -6,8 +6,8 @@ require_relative 'password_base_rule'
 class OpsWorksAppSslConfigurationPrivateKeyRule < PasswordBaseRule
   def rule_text
     'OpsWorks App SslConfiguration PrivateKey must not be a plaintext ' \
-    'string or a Ref to a Parameter with a Default value.  ' \
-    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
+      'string or a Ref to a Parameter with a Default value.  ' \
+      'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
   end
   def rule_type

data/lib/cfn-nag/custom_rules/OpsWorksStackCustomCookbooksSourcePasswordRule.rb CHANGED Viewed

@@ -6,8 +6,8 @@ require_relative 'password_base_rule'
 class OpsWorksStackCustomCookbooksSourcePasswordRule < PasswordBaseRule
   def rule_text
     'OpsWorks Stack CustomCookbooksSource Password must not be a plaintext ' \
-    'string or a Ref to a Parameter with a Default value.  ' \
-    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
+      'string or a Ref to a Parameter with a Default value.  ' \
+      'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
   end
   def rule_type

data/lib/cfn-nag/custom_rules/OpsWorksStackRdsDbInstancesDbPasswordRule.rb CHANGED Viewed

@@ -6,8 +6,8 @@ require_relative 'sub_property_with_list_password_base_rule'
 class OpsWorksStackRdsDbInstancesDbPasswordRule < SubPropertyWithListPasswordBaseRule
   def rule_text
     'OpsWorks Stack RDS DbInstance DbPassword must not be a plaintext string '\
-    'or a Ref to a Parameter with a Default value.  ' \
-    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
+      'or a Ref to a Parameter with a Default value.  ' \
+      'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
   end
   def rule_type

data/lib/cfn-nag/custom_rules/PinpointAPNSChannelPrivateKeyRule.rb CHANGED Viewed

@@ -6,8 +6,8 @@ require_relative 'password_base_rule'
 class PinpointAPNSChannelPrivateKeyRule < PasswordBaseRule
   def rule_text
     'Pinpoint APNSChannel PrivateKey must not be a plaintext string ' \
-    'or a Ref to a Parameter with a Default value.  ' \
-    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
+      'or a Ref to a Parameter with a Default value.  ' \
+      'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
   end
   def rule_type

data/lib/cfn-nag/custom_rules/PinpointAPNSChannelTokenKeyRule.rb CHANGED Viewed

@@ -6,8 +6,8 @@ require_relative 'password_base_rule'
 class PinpointAPNSChannelTokenKeyRule < PasswordBaseRule
   def rule_text
     'Pinpoint APNSChannel TokenKey must not be a plaintext string ' \
-    'or a Ref to a Parameter with a Default value.  ' \
-    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
+      'or a Ref to a Parameter with a Default value.  ' \
+      'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
   end
   def rule_type

data/lib/cfn-nag/custom_rules/PinpointAPNSSandboxChannelPrivateKeyRule.rb CHANGED Viewed

@@ -6,8 +6,8 @@ require_relative 'password_base_rule'
 class PinpointAPNSSandboxChannelPrivateKeyRule < PasswordBaseRule
   def rule_text
     'Pinpoint APNSSandboxChannel PrivateKey must not be a plaintext string ' \
-    'or a Ref to a Parameter with a Default value.  ' \
-    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
+      'or a Ref to a Parameter with a Default value.  ' \
+      'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
   end
   def rule_type

data/lib/cfn-nag/custom_rules/PinpointAPNSSandboxChannelTokenKeyRule.rb CHANGED Viewed

@@ -6,8 +6,8 @@ require_relative 'password_base_rule'
 class PinpointAPNSSandboxChannelTokenKeyRule < PasswordBaseRule
   def rule_text
     'Pinpoint APNSSandboxChannel TokenKey must not be a plaintext string ' \
-    'or a Ref to a Parameter with a Default value.  ' \
-    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
+      'or a Ref to a Parameter with a Default value.  ' \
+      'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
   end
   def rule_type

data/lib/cfn-nag/custom_rules/PinpointAPNSVoipChannelPrivateKeyRule.rb CHANGED Viewed

@@ -6,8 +6,8 @@ require_relative 'password_base_rule'
 class PinpointAPNSVoipChannelPrivateKeyRule < PasswordBaseRule
   def rule_text
     'Pinpoint APNSVoipChannel PrivateKey must not be a plaintext string ' \
-    'or a Ref to a Parameter with a Default value.  ' \
-    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
+      'or a Ref to a Parameter with a Default value.  ' \
+      'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
   end
   def rule_type

data/lib/cfn-nag/custom_rules/PinpointAPNSVoipChannelTokenKeyRule.rb CHANGED Viewed

@@ -6,8 +6,8 @@ require_relative 'password_base_rule'
 class PinpointAPNSVoipChannelTokenKeyRule < PasswordBaseRule
   def rule_text
     'Pinpoint APNSChannel TokenKey must not be a plaintext string ' \
-    'or a Ref to a Parameter with a Default value.  ' \
-    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
+      'or a Ref to a Parameter with a Default value.  ' \
+      'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
   end
   def rule_type

data/lib/cfn-nag/custom_rules/PinpointAPNSVoipSandboxChannelPrivateKeyRule.rb CHANGED Viewed

@@ -6,8 +6,8 @@ require_relative 'password_base_rule'
 class PinpointAPNSVoipSandboxChannelPrivateKeyRule < PasswordBaseRule
   def rule_text
     'Pinpoint APNSVoipSandboxChannel PrivateKey must not be a plaintext ' \
-    'string or a Ref to a Parameter with a Default value.  ' \
-    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
+      'string or a Ref to a Parameter with a Default value.  ' \
+      'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
   end
   def rule_type

data/lib/cfn-nag/custom_rules/PinpointAPNSVoipSandboxChannelTokenKeyRule.rb CHANGED Viewed

@@ -6,8 +6,8 @@ require_relative 'password_base_rule'
 class PinpointAPNSVoipSandboxChannelTokenKeyRule < PasswordBaseRule
   def rule_text
     'Pinpoint APNSVoipSandboxChannel TokenKey must not be a plaintext string ' \
-    'or a Ref to a Parameter with a Default value.  ' \
-    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
+      'or a Ref to a Parameter with a Default value.  ' \
+      'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
   end
   def rule_type

data/lib/cfn-nag/custom_rules/RDSDBClusterMasterUserPasswordRule.rb CHANGED Viewed

@@ -6,8 +6,8 @@ require_relative 'password_base_rule'
 class RDSDBClusterMasterUserPasswordRule < PasswordBaseRule
   def rule_text
     'RDS DB Cluster master user password must not be a plaintext string ' \
-    'or a Ref to a Parameter with a Default value.  ' \
-    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
+      'or a Ref to a Parameter with a Default value.  ' \
+      'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
   end
   def rule_type

data/lib/cfn-nag/custom_rules/RDSDBInstanceMasterUserPasswordRule.rb CHANGED Viewed

@@ -6,8 +6,8 @@ require_relative 'password_base_rule'
 class RDSDBInstanceMasterUserPasswordRule < PasswordBaseRule
   def rule_text
     'RDS instance master user password must not be a plaintext string ' \
-    'or a Ref to a Parameter with a Default value.  ' \
-    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
+      'or a Ref to a Parameter with a Default value.  ' \
+      'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
   end
   def rule_type

data/lib/cfn-nag/custom_rules/RDSDBInstanceMasterUsernameRule.rb CHANGED Viewed

@@ -7,8 +7,8 @@ require_relative 'password_base_rule'
 class RDSDBInstanceMasterUsernameRule < PasswordBaseRule
   def rule_text
     'RDS instance master username must not be a plaintext string ' \
-    'or a Ref to a Parameter with a Default value.  ' \
-    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
+      'or a Ref to a Parameter with a Default value.  ' \
+      'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
   end
   def rule_type

data/lib/cfn-nag/custom_rules/RedshiftClusterMasterUserPasswordRule.rb CHANGED Viewed

@@ -6,8 +6,8 @@ require_relative 'password_base_rule'
 class RedshiftClusterMasterUserPasswordRule < PasswordBaseRule
   def rule_text
     'Redshift Cluster master user password must not be a plaintext string ' \
-    'or a Ref to a Parameter with a Default value.  ' \
-    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
+      'or a Ref to a Parameter with a Default value.  ' \
+      'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
   end
   def rule_type

data/lib/cfn-nag/custom_rules/ResourceWithExplicitNameRule.rb CHANGED Viewed

@@ -26,7 +26,7 @@ class ResourceWithExplicitNameRule < BaseRule
   def rule_text
     'Resource found with an explicit name, this disallows updates that ' \
-    'require replacement of this resource'
+      'require replacement of this resource'
   end
   def rule_type

data/lib/cfn-nag/custom_rules/SecretsManagerSecretKmsKeyIdRule.rb CHANGED Viewed

@@ -6,7 +6,7 @@ require_relative 'boolean_base_rule'
 class SecretsManagerSecretKmsKeyIdRule < BooleanBaseRule
   def rule_text
     'Secrets Manager Secret should explicitly specify KmsKeyId.' \
-    ' Besides control of the key this will allow the secret to be shared cross-account'
+      ' Besides control of the key this will allow the secret to be shared cross-account'
   end
   def rule_type

data/lib/cfn-nag/custom_rules/SecurityGroupIngressOpenToWorldRule.rb CHANGED Viewed

@@ -9,7 +9,7 @@ class SecurityGroupIngressOpenToWorldRule < BaseRule
   def rule_text
     'Security Groups found with cidr open to world on ingress.  This should ' \
-    'never be true on instance.  Permissible on ELB'
+      'never be true on instance.  Permissible on ELB'
   end
   def rule_type

data/lib/cfn-nag/custom_rules/SecurityGroupIngressPortRangeRule.rb CHANGED Viewed

@@ -6,7 +6,7 @@ require_relative 'base'
 class SecurityGroupIngressPortRangeRule < BaseRule
   def rule_text
     'Security Groups found ingress with port range instead of just a single ' \
-    'port'
+      'port'
   end
   def rule_type

data/lib/cfn-nag/custom_rules/SecurityGroupMissingEgressRule.rb CHANGED Viewed

@@ -6,7 +6,7 @@ require_relative 'base'
 class SecurityGroupMissingEgressRule < BaseRule
   def rule_text
     'Missing egress rule means all traffic is allowed outbound.  Make this ' \
-    'explicit if it is desired configuration'
+      'explicit if it is desired configuration'
   end
   def rule_type

data/lib/cfn-nag/custom_rules/SecurityGroupRuleDescriptionRule.rb CHANGED Viewed

@@ -8,8 +8,8 @@ require 'cfn-nag/util/blank'
 class SecurityGroupRuleDescriptionRule < BaseRule
   def rule_text
     'Security group rules without a description obscure their purpose and may '\
-    'lead to bad practices in ensuring they only allow traffic from the ports '\
-    'and sources/destinations required.'
+      'lead to bad practices in ensuring they only allow traffic from the ports '\
+      'and sources/destinations required.'
   end
   def rule_type

data/lib/cfn-nag/iam_complexity_metric/spcm.rb CHANGED Viewed

@@ -11,8 +11,8 @@ class SPCM
                         parameter_values_path: nil,
                         condition_values_path: nil,
                         template_pattern: DEFAULT_TEMPLATE_PATTERN)
-    parameter_values_string = parameter_values_path.nil? ? nil : IO.read(parameter_values_path)
-    condition_values_string = condition_values_path.nil? ? nil : IO.read(condition_values_path)
+    parameter_values_string = parameter_values_path.nil? ? nil : File.read(parameter_values_path)
+    condition_values_string = condition_values_path.nil? ? nil : File.read(condition_values_path)
     templates = TemplateDiscovery.new.discover_templates(input_json_path: input_path,
                                                          template_pattern: template_pattern)
@@ -21,7 +21,7 @@ class SPCM
       aggregate_results << {
         filename: template,
         file_results: metric(
-          cloudformation_string: IO.read(template),
+          cloudformation_string: File.read(template),
           parameter_values_string: parameter_values_string,
           condition_values_string: condition_values_string
         )

data/lib/cfn-nag/util/enforce_reference_parameter.rb CHANGED Viewed

@@ -29,5 +29,5 @@ end
 # is not present; otherwise returns true
 def no_echo_and_no_default_parameter_check(cfn_model, key_to_check)
   parameter = cfn_model.parameters[key_to_check['Ref']]
-  truthy?(parameter.noEcho) && parameter.default.nil? ? false : true
+  !(truthy?(parameter.noEcho) && parameter.default.nil?)
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cfn-nag
 version: !ruby/object:Gem::Version
-  version: 0.7.15
+  version: 0.7.16
 platform: ruby
 authors:
 - Eric Kascic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-08-23 00:00:00.000000000 Z
+date: 2021-10-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake