Enable NewCops for Rubocop and fix errors (#566)

* BAM: Enable all new cops

* BAM: Upgrade rubocop gem to match dockerfile

* BAM: rubocop -a to fix files

* BAM: rubocop -A to fix missed files

* BAM: Fixing Duplicate branch body detections

.rubocop.yml

@@ -3,6 +3,7 @@ AllCops:
   Exclude:
     - 'spec/**/*'
     - 'vendor/**/*'
+  NewCops: enable
 
 Style/IfUnlessModifier:
   Enabled: false

Gemfile.lock

@@ -13,7 +13,7 @@ PATH
 GEM
   remote: https://rubygems.org/
   specs:
-    ast (2.4.1)
+    ast (2.4.2)
     aws-eventstream (1.1.1)
     aws-partitions (1.487.0)
     aws-sdk-core (3.119.0)
@@ -45,13 +45,13 @@ GEM
     multi_json (1.15.0)
     netaddr (2.0.4)
     optimist (3.0.1)
-    parallel (1.19.2)
-    parser (2.7.2.0)
+    parallel (1.21.0)
+    parser (3.0.2.0)
       ast (~> 2.4.1)
     psych (3.3.2)
     rainbow (3.0.0)
     rake (13.0.1)
-    regexp_parser (1.8.2)
+    regexp_parser (2.1.1)
     rexml (3.2.5)
     rspec (3.9.0)
       rspec-core (~> 3.9.0)
@@ -66,25 +66,25 @@ GEM
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.9.0)
     rspec-support (3.9.2)
-    rubocop (1.1.0)
+    rubocop (1.22.0)
       parallel (~> 1.10)
-      parser (>= 2.7.1.5)
+      parser (>= 3.0.0.0)
       rainbow (>= 2.2.2, < 4.0)
-      regexp_parser (>= 1.8)
+      regexp_parser (>= 1.8, < 3.0)
       rexml
-      rubocop-ast (>= 1.0.1)
+      rubocop-ast (>= 1.12.0, < 2.0)
       ruby-progressbar (~> 1.7)
-      unicode-display_width (>= 1.4.0, < 2.0)
-    rubocop-ast (1.1.0)
-      parser (>= 2.7.1.5)
-    ruby-progressbar (1.10.1)
+      unicode-display_width (>= 1.4.0, < 3.0)
+    rubocop-ast (1.12.0)
+      parser (>= 3.0.1.1)
+    ruby-progressbar (1.11.0)
     simplecov (0.21.2)
       docile (~> 1.1)
       simplecov-html (~> 0.11)
       simplecov_json_formatter (~> 0.1)
     simplecov-html (0.12.3)
     simplecov_json_formatter (0.1.2)
-    unicode-display_width (1.7.0)
+    unicode-display_width (2.1.0)
 
 PLATFORMS
   ruby
@@ -97,4 +97,4 @@ DEPENDENCIES
   simplecov (~> 0.21)
 
 BUNDLED WITH
-   2.1.4
+   2.2.28

Rakefile

@@ -16,9 +16,9 @@ end
 # If the command is run outside a Docker container then it will just use the regular local '$(pwd)' as the mount source.
 def docker_run_prefix
   docker_env = "#{docker_command} run --tty --rm --mount source=$DND_PWD,target=/usr/src/app,type=bind " \
-    '--workdir /usr/src/app cfn-nag-dev:latest'
+               '--workdir /usr/src/app cfn-nag-dev:latest'
   local_env = "#{docker_command} run --tty --rm --mount source=#{Dir.pwd},target=/usr/src/app,type=bind " \
-    '--workdir /usr/src/app cfn-nag-dev:latest'
+              '--workdir /usr/src/app cfn-nag-dev:latest'
   File.file?('/.dockerenv') ? docker_env : local_env
 end
 

bin/cfn_nag_rules

@@ -27,12 +27,12 @@ end
 
 profile_definition = nil
 unless opts[:profile_path].nil?
-  profile_definition = IO.read(opts[:profile_path])
+  profile_definition = File.read(opts[:profile_path])
 end
 
 rule_repository_definitions = []
 opts[:rule_repository]&.each do |rule_repository|
-  rule_repository_definitions << IO.read(rule_repository)
+  rule_repository_definitions << File.read(rule_repository)
 end
 
 rule_dumper = CfnNagRuleDumper.new(profile_definition: profile_definition,

bin/spcm_scan

@@ -41,7 +41,7 @@ end
 
 def read_conditionally(path)
   unless path.nil?
-    IO.read(path)
+    File.read(path)
   end
 end
 

lib/cfn-nag/cfn_nag.rb

@@ -55,16 +55,16 @@ def audit_aggregate_across_files(input_path:,
                                    parameter_values_path: nil,
                                    condition_values_path: nil,
                                    template_pattern: DEFAULT_TEMPLATE_PATTERN)
-    parameter_values_string = parameter_values_path.nil? ? nil : IO.read(parameter_values_path)
-    condition_values_string = condition_values_path.nil? ? nil : IO.read(condition_values_path)
+    parameter_values_string = parameter_values_path.nil? ? nil : File.read(parameter_values_path)
+    condition_values_string = condition_values_path.nil? ? nil : File.read(condition_values_path)
 
     templates = TemplateDiscovery.new.discover_templates(input_json_path: input_path,
                                                          template_pattern: template_pattern)
     aggregate_results = []
     templates.each do |template|
       aggregate_results << {
         filename: template,
-        file_results: audit(cloudformation_string: IO.read(template),
+        file_results: audit(cloudformation_string: File.read(template),
                             parameter_values_string: parameter_values_string,
                             condition_values_string: condition_values_string)
       }

lib/cfn-nag/cfn_nag_executor.rb

@@ -98,13 +98,13 @@ def execute_io_options(opts)
     @rule_arguments_string = read_conditionally(opts[:rule_arguments_path])
 
     opts[:rule_repository]&.each do |rule_repository|
-      @rule_repository_definitions << IO.read(rule_repository)
+      @rule_repository_definitions << File.read(rule_repository)
     end
   end
 
   def read_conditionally(path)
     unless path.nil?
-      IO.read(path)
+      File.read(path)
     end
   end
 

lib/cfn-nag/cli_options.rb

@@ -5,8 +5,8 @@
 # rubocop:disable Metrics/ClassLength
 class Options
   @custom_rule_exceptions_message = 'Isolate custom rule exceptions - just ' \
-                                   'emit the exception without stack trace ' \
-                                   'and keep chugging'
+                                    'emit the exception without stack trace ' \
+                                    'and keep chugging'
 
   @version = Gem::Specification.find_by_name('cfn-nag').version
 
@@ -25,7 +25,7 @@ def self.for(type)
   # rubocop:disable Metrics/MethodLength
   def self.file_options
     options_message = '[options] <cloudformation template path ...>|' \
-                        '<cloudformation template in STDIN>'
+                      '<cloudformation template in STDIN>'
     custom_rule_exceptions_message = @custom_rule_exceptions_message
     version = @version
 

lib/cfn-nag/custom_rules/AlexaASKSkillAuthenticationConfigurationClientSecretRule.rb

@@ -8,7 +8,7 @@
 class AlexaASKSkillAuthenticationConfigurationClientSecretRule < BaseRule
   def rule_text
     'Alexa ASK Skill AuthenticationConfiguration ClientSecret must not be ' \
-    'a plaintext string or a Ref to a NoEcho Parameter with a Default value.'
+      'a plaintext string or a Ref to a NoEcho Parameter with a Default value.'
   end
 
   def rule_type

lib/cfn-nag/custom_rules/AlexaASKSkillAuthenticationConfigurationRefreshTokenRule.rb

@@ -8,7 +8,7 @@
 class AlexaASKSkillAuthenticationConfigurationRefreshTokenRule < BaseRule
   def rule_text
     'Alexa ASK Skill AuthenticationConfiguration RefreshToken must not be ' \
-    'a plaintext string or a Ref to a NoEcho Parameter with a Default value.'
+      'a plaintext string or a Ref to a NoEcho Parameter with a Default value.'
   end
 
   def rule_type

lib/cfn-nag/custom_rules/AmazonMQBrokerUsersPasswordRule.rb

@@ -6,7 +6,7 @@
 class AmazonMQBrokerUsersPasswordRule < SubPropertyWithListPasswordBaseRule
   def rule_text
     'AmazonMQ Broker Users Password must not be a plaintext string or a Ref to a Parameter with a Default value. ' \
-    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
+      'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
   end
 
   def rule_type

lib/cfn-nag/custom_rules/AmplifyAppAccessTokenRule.rb

@@ -6,8 +6,8 @@
 class AmplifyAppAccessTokenRule < PasswordBaseRule
   def rule_text
     'Amplify App AccessToken must not be a plaintext string ' \
-    'or a Ref to a Parameter with a Default value.  ' \
-    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
+      'or a Ref to a Parameter with a Default value.  ' \
+      'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
   end
 
   def rule_type

lib/cfn-nag/custom_rules/AmplifyAppBasicAuthConfigPasswordRule.rb

@@ -6,8 +6,8 @@
 class AmplifyAppBasicAuthConfigPasswordRule < PasswordBaseRule
   def rule_text
     'Amplify App BasicAuthConfig Password must not be a plaintext string ' \
-    'or a Ref to a Parameter with a Default value.  ' \
-    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
+      'or a Ref to a Parameter with a Default value.  ' \
+      'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
   end
 
   def rule_type

lib/cfn-nag/custom_rules/AmplifyAppOauthTokenRule.rb

@@ -6,8 +6,8 @@
 class AmplifyAppOauthTokenRule < PasswordBaseRule
   def rule_text
     'Amplify App OauthToken must not be a plaintext string ' \
-    'or a Ref to a Parameter with a Default value.  ' \
-    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
+      'or a Ref to a Parameter with a Default value.  ' \
+      'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
   end
 
   def rule_type

lib/cfn-nag/custom_rules/AmplifyBranchBasicAuthConfigPasswordRule.rb

@@ -6,8 +6,8 @@
 class AmplifyBranchBasicAuthConfigPasswordRule < PasswordBaseRule
   def rule_text
     'Amplify Branch BasicAuthConfig Password must not be a plaintext ' \
-    'string or a Ref to a Parameter with a Default value.  ' \
-    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
+      'string or a Ref to a Parameter with a Default value.  ' \
+      'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
   end
 
   def rule_type

lib/cfn-nag/custom_rules/ApiGatewayAccessLoggingRule.rb

@@ -6,7 +6,7 @@
 class ApiGatewayAccessLoggingRule < BaseRule
   def rule_text
     'ApiGateway Deployment resource should have AccessLogSetting property configured when creating an ' \
-    'API Stage itself (through specifying the StageName and StageDescription properties).'
+      'API Stage itself (through specifying the StageName and StageDescription properties).'
   end
 
   def rule_type

lib/cfn-nag/custom_rules/ApiGatewayCacheEncryptedRule.rb

@@ -6,7 +6,7 @@
 class ApiGatewayCacheEncryptedRule < BaseRule
   def rule_text
     'ApiGateway Deployment should have cache data encryption enabled when caching is enabled' \
-    ' in StageDescription properties'
+      ' in StageDescription properties'
   end
 
   def rule_type

lib/cfn-nag/custom_rules/ApiGatewayMethodAuthorizationTypeRule.rb

@@ -6,7 +6,7 @@
 class ApiGatewayMethodAuthorizationTypeRule < BaseRule
   def rule_text
     "AWS::ApiGateway::Method should not have AuthorizationType set to 'NONE' unless it is of " \
-    'HttpMethod: OPTIONS.'
+      'HttpMethod: OPTIONS.'
   end
 
   def rule_type

lib/cfn-nag/custom_rules/AppStreamDirectoryConfigServiceAccountCredentialsAccountPasswordRule.rb

@@ -6,9 +6,9 @@
 class AppStreamDirectoryConfigServiceAccountCredentialsAccountPasswordRule < PasswordBaseRule
   def rule_text
     'AppStream DirectoryConfig ServiceAccountCredentials AccountPassword ' \
-    'must not be a plaintext string or a Ref to a Parameter ' \
-    'with a Default value.  ' \
-    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
+      'must not be a plaintext string or a Ref to a Parameter ' \
+      'with a Default value.  ' \
+      'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
   end
 
   def rule_type

lib/cfn-nag/custom_rules/CodePipelineWebhookAuthenticationConfigurationSecretTokenRule.rb

@@ -6,8 +6,8 @@
 class CodePipelineWebhookAuthenticationConfigurationSecretTokenRule < PasswordBaseRule
   def rule_text
     'CodePipeline Webhook AuthenticationConfiguration SecretToken must not be ' \
-    'a plaintext string or a Ref to a Parameter with a Default value.  ' \
-    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
+      'a plaintext string or a Ref to a Parameter with a Default value.  ' \
+      'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
   end
 
   def rule_type

lib/cfn-nag/custom_rules/CognitoIdentityPoolAllowUnauthenticatedIdentitiesRule.rb

@@ -7,7 +7,7 @@
 class CognitoIdentityPoolAllowUnauthenticatedIdentitiesRule < BaseRule
   def rule_text
     'AWS::Cognito::IdentityPool AllowUnauthenticatedIdentities property should be false ' \
-    'but CAN be true if proper restrictive IAM roles and permissions are established for unauthenticated users.'
+      'but CAN be true if proper restrictive IAM roles and permissions are established for unauthenticated users.'
   end
 
   def rule_type

lib/cfn-nag/custom_rules/DMSEndpointMongoDbSettingsPasswordRule.rb

@@ -6,8 +6,8 @@
 class DMSEndpointMongoDbSettingsPasswordRule < PasswordBaseRule
   def rule_text
     'DMS Endpoint MongoDbSettings Password must not be a plaintext string ' \
-    'or a Ref to a Parameter with a Default value.  ' \
-    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
+      'or a Ref to a Parameter with a Default value.  ' \
+      'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
   end
 
   def rule_type

lib/cfn-nag/custom_rules/DMSEndpointPasswordRule.rb

@@ -6,8 +6,8 @@
 class DMSEndpointPasswordRule < PasswordBaseRule
   def rule_text
     'DMS Endpoint password must not be a plaintext string ' \
-    'or a Ref to a Parameter with a Default value.  ' \
-    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
+      'or a Ref to a Parameter with a Default value.  ' \
+      'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
   end
 
   def rule_type

lib/cfn-nag/custom_rules/DirectoryServiceMicrosoftADPasswordRule.rb

@@ -7,8 +7,8 @@
 class DirectoryServiceMicrosoftADPasswordRule < PasswordBaseRule
   def rule_text
     'Directory Service Microsoft AD password must not be a plaintext string ' \
-    'or a Ref to a Parameter with a Default value.  ' \
-    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
+      'or a Ref to a Parameter with a Default value.  ' \
+      'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
   end
 
   def rule_type

lib/cfn-nag/custom_rules/DirectoryServiceSimpleADPasswordRule.rb

@@ -7,8 +7,8 @@
 class DirectoryServiceSimpleADPasswordRule < PasswordBaseRule
   def rule_text
     'DirectoryService SimpleAD password must not be a plaintext string ' \
-    'or a Ref to a Parameter with a Default value.  ' \
-    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
+      'or a Ref to a Parameter with a Default value.  ' \
+      'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
   end
 
   def rule_type

lib/cfn-nag/custom_rules/DocDBDBClusterMasterUserPasswordRule.rb

@@ -6,8 +6,8 @@
 class DocDBDBClusterMasterUserPasswordRule < PasswordBaseRule
   def rule_text
     'DocDB DB Cluster master user password must not be a plaintext string ' \
-    'or a Ref to a Parameter with a Default value.  ' \
-    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
+      'or a Ref to a Parameter with a Default value.  ' \
+      'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
   end
 
   def rule_type

lib/cfn-nag/custom_rules/EC2NetworkAclEntryProtocolRule.rb

@@ -6,7 +6,7 @@
 class EC2NetworkAclEntryProtocolRule < BaseRule
   def rule_text
     'To avoid opening all ports for Allow rules, EC2 NetworkACL Entry Protocol should be either 6 (for TCP), 17 ' \
-    '(for UDP), 1 (for ICMP), or 58 (for ICMPv6, which must include an IPv6 CIDR block, ICMP type, and code).'
+      '(for UDP), 1 (for ICMP), or 58 (for ICMPv6, which must include an IPv6 CIDR block, ICMP type, and code).'
   end
 
   def rule_type
@@ -53,12 +53,8 @@ def icmpv6_protocol?(network_acl_entry)
 
   def violating_network_acl_entries?(network_acl_entry)
     if rule_action_allow?(network_acl_entry)
-      if tcp_udp_icmp_protocol?(network_acl_entry) ||
-         icmpv6_protocol?(network_acl_entry)
-        false
-      else
-        true
-      end
+      !(tcp_udp_icmp_protocol?(network_acl_entry) ||
+         icmpv6_protocol?(network_acl_entry))
     end
   end
 end

lib/cfn-nag/custom_rules/EKSClusterEncryptionRule.rb

@@ -18,9 +18,7 @@ def rule_id
 
   def audit_impl(cfn_model)
     violating_clusters = cfn_model.resources_by_type('AWS::EKS::Cluster').select do |cluster|
-      if cluster.encryptionConfig.nil?
-        true
-      elsif violating_configs?(cluster)
+      if cluster.encryptionConfig.nil? || violating_configs?(cluster)
         true
       else
         violating_providers?(cluster)

lib/cfn-nag/custom_rules/EMRClusterKerberosAttributesADDomainJoinPasswordRule.rb

@@ -6,8 +6,8 @@
 class EMRClusterKerberosAttributesADDomainJoinPasswordRule < PasswordBaseRule
   def rule_text
     'EMR Cluster KerberosAttributes AD Domain JoinPassword must not be a ' \
-    'plaintext string or a Ref to a Parameter with a Default value.  ' \
-    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
+      'plaintext string or a Ref to a Parameter with a Default value.  ' \
+      'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
   end
 
   def rule_type