diff --git a/.rubocop.yml b/.rubocop.yml index 2e5aa81e..3e762017 100644 --- a/.rubocop.yml +++ b/.rubocop.yml @@ -3,6 +3,7 @@ AllCops: Exclude: - 'spec/**/*' - 'vendor/**/*' + NewCops: enable Style/IfUnlessModifier: Enabled: false diff --git a/Gemfile.lock b/Gemfile.lock index 51d1c690..9a19eccc 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -13,7 +13,7 @@ PATH GEM remote: https://rubygems.org/ specs: - ast (2.4.1) + ast (2.4.2) aws-eventstream (1.1.1) aws-partitions (1.487.0) aws-sdk-core (3.119.0) @@ -45,13 +45,13 @@ GEM multi_json (1.15.0) netaddr (2.0.4) optimist (3.0.1) - parallel (1.19.2) - parser (2.7.2.0) + parallel (1.21.0) + parser (3.0.2.0) ast (~> 2.4.1) psych (3.3.2) rainbow (3.0.0) rake (13.0.1) - regexp_parser (1.8.2) + regexp_parser (2.1.1) rexml (3.2.5) rspec (3.9.0) rspec-core (~> 3.9.0) @@ -66,25 +66,25 @@ GEM diff-lcs (>= 1.2.0, < 2.0) rspec-support (~> 3.9.0) rspec-support (3.9.2) - rubocop (1.1.0) + rubocop (1.22.0) parallel (~> 1.10) - parser (>= 2.7.1.5) + parser (>= 3.0.0.0) rainbow (>= 2.2.2, < 4.0) - regexp_parser (>= 1.8) + regexp_parser (>= 1.8, < 3.0) rexml - rubocop-ast (>= 1.0.1) + rubocop-ast (>= 1.12.0, < 2.0) ruby-progressbar (~> 1.7) - unicode-display_width (>= 1.4.0, < 2.0) - rubocop-ast (1.1.0) - parser (>= 2.7.1.5) - ruby-progressbar (1.10.1) + unicode-display_width (>= 1.4.0, < 3.0) + rubocop-ast (1.12.0) + parser (>= 3.0.1.1) + ruby-progressbar (1.11.0) simplecov (0.21.2) docile (~> 1.1) simplecov-html (~> 0.11) simplecov_json_formatter (~> 0.1) simplecov-html (0.12.3) simplecov_json_formatter (0.1.2) - unicode-display_width (1.7.0) + unicode-display_width (2.1.0) PLATFORMS ruby @@ -97,4 +97,4 @@ DEPENDENCIES simplecov (~> 0.21) BUNDLED WITH - 2.1.4 + 2.2.28 diff --git a/Rakefile b/Rakefile index 30ca459c..09da15ee 100644 --- a/Rakefile +++ b/Rakefile 
@@ -16,9 +16,9 @@ end # If the command is run outside a Docker container then it will just use the regular local '$(pwd)' as the mount source. def docker_run_prefix docker_env = "#{docker_command} run --tty --rm --mount source=$DND_PWD,target=/usr/src/app,type=bind " \ - '--workdir /usr/src/app cfn-nag-dev:latest' + '--workdir /usr/src/app cfn-nag-dev:latest' local_env = "#{docker_command} run --tty --rm --mount source=#{Dir.pwd},target=/usr/src/app,type=bind " \ - '--workdir /usr/src/app cfn-nag-dev:latest' + '--workdir /usr/src/app cfn-nag-dev:latest' File.file?('/.dockerenv') ? docker_env : local_env end diff --git a/bin/cfn_nag_rules b/bin/cfn_nag_rules index c794f269..362d20e6 100755 --- a/bin/cfn_nag_rules +++ b/bin/cfn_nag_rules @@ -27,12 +27,12 @@ end profile_definition = nil unless opts[:profile_path].nil? - profile_definition = IO.read(opts[:profile_path]) + profile_definition = File.read(opts[:profile_path]) end rule_repository_definitions = [] opts[:rule_repository]&.each do |rule_repository| - rule_repository_definitions << IO.read(rule_repository) + rule_repository_definitions << File.read(rule_repository) end rule_dumper = CfnNagRuleDumper.new(profile_definition: profile_definition, diff --git a/bin/spcm_scan b/bin/spcm_scan index 87757b99..7f85d185 100755 --- a/bin/spcm_scan +++ b/bin/spcm_scan @@ -41,7 +41,7 @@ end def read_conditionally(path) unless path.nil? - IO.read(path) + File.read(path) end end diff --git a/lib/cfn-nag/cfn_nag.rb b/lib/cfn-nag/cfn_nag.rb index ebee3a16..f6fb50f5 100644 --- a/lib/cfn-nag/cfn_nag.rb +++ b/lib/cfn-nag/cfn_nag.rb 
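Review bot: The switch from `IO.read` to `File.read` in this hunk (and in bin/spcm_scan, lib/cfn-nag/cfn_nag.rb and lib/cfn-nag/cfn_nag_executor.rb) has no comment explaining why the two differ, so a later cleanup could revert it as a cosmetic choice. `IO.read` treats a path whose first character is `|` as a command to spawn and returns that command's output, whereas `File.read` only ever opens a file; `opts[:profile_path]` and the `opts[:rule_repository]` entries are presumably CLI-supplied, which is why the distinction matters here. I would add above the first call: `# File.read, not IO.read: IO.read spawns a subprocess for paths beginning with '|'`. The option parsing that fills `opts` lies outside the hunk.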
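Review bot: `read_conditionally` wraps a single call in a three-line `unless` block; the modifier form `File.read(path) unless path.nil?` says the same in one line. The identical helper is defined again in lib/cfn-nag/cfn_nag_executor.rb, which is why this commit had to patch both copies in step; if the executor's version can be made reachable from the script (or moved to a shared module), the duplicate in bin/spcm_scan can go. A one-line YARD comment would also help: `# @return [String, nil] the file's contents, or nil when no path was given`.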
@@ -55,8 +55,8 @@ def audit_aggregate_across_files(input_path:, parameter_values_path: nil, condition_values_path: nil, template_pattern: DEFAULT_TEMPLATE_PATTERN) - parameter_values_string = parameter_values_path.nil? ? nil : IO.read(parameter_values_path) - condition_values_string = condition_values_path.nil? ? nil : IO.read(condition_values_path) + parameter_values_string = parameter_values_path.nil? ? nil : File.read(parameter_values_path) + condition_values_string = condition_values_path.nil? ? nil : File.read(condition_values_path) templates = TemplateDiscovery.new.discover_templates(input_json_path: input_path, template_pattern: template_pattern) @@ -64,7 +64,7 @@ def audit_aggregate_across_files(input_path:, templates.each do |template| aggregate_results << { filename: template, - file_results: audit(cloudformation_string: IO.read(template), + file_results: audit(cloudformation_string: File.read(template), parameter_values_string: parameter_values_string, condition_values_string: condition_values_string) } diff --git a/lib/cfn-nag/cfn_nag_executor.rb b/lib/cfn-nag/cfn_nag_executor.rb index 6dd2de42..92783e1a 100644 --- a/lib/cfn-nag/cfn_nag_executor.rb +++ b/lib/cfn-nag/cfn_nag_executor.rb @@ -98,13 +98,13 @@ def execute_io_options(opts) @rule_arguments_string = read_conditionally(opts[:rule_arguments_path]) opts[:rule_repository]&.each do |rule_repository| - @rule_repository_definitions << IO.read(rule_repository) + @rule_repository_definitions << File.read(rule_repository) end end def read_conditionally(path) unless path.nil? - IO.read(path) + File.read(path) end end diff --git a/lib/cfn-nag/cli_options.rb b/lib/cfn-nag/cli_options.rb index 40e2a18e..bb809342 100644 --- a/lib/cfn-nag/cli_options.rb +++ b/lib/cfn-nag/cli_options.rb 
@@ -5,8 +5,8 @@ # rubocop:disable Metrics/ClassLength class Options @custom_rule_exceptions_message = 'Isolate custom rule exceptions - just ' \ - 'emit the exception without stack trace ' \ - 'and keep chugging' + 'emit the exception without stack trace ' \ + 'and keep chugging' @version = Gem::Specification.find_by_name('cfn-nag').version @@ -25,7 +25,7 @@ def self.for(type) # rubocop:disable Metrics/MethodLength def self.file_options options_message = '[options] |' \ - '' + '' custom_rule_exceptions_message = @custom_rule_exceptions_message version = @version diff --git a/lib/cfn-nag/custom_rules/AlexaASKSkillAuthenticationConfigurationClientSecretRule.rb b/lib/cfn-nag/custom_rules/AlexaASKSkillAuthenticationConfigurationClientSecretRule.rb index 755ace11..71de2d9f 100644 --- a/lib/cfn-nag/custom_rules/AlexaASKSkillAuthenticationConfigurationClientSecretRule.rb +++ b/lib/cfn-nag/custom_rules/AlexaASKSkillAuthenticationConfigurationClientSecretRule.rb @@ -8,7 +8,7 @@ class AlexaASKSkillAuthenticationConfigurationClientSecretRule < BaseRule def rule_text 'Alexa ASK Skill AuthenticationConfiguration ClientSecret must not be ' \ - 'a plaintext string or a Ref to a NoEcho Parameter with a Default value.' + 'a plaintext string or a Ref to a NoEcho Parameter with a Default value.' end def rule_type diff --git a/lib/cfn-nag/custom_rules/AlexaASKSkillAuthenticationConfigurationRefreshTokenRule.rb b/lib/cfn-nag/custom_rules/AlexaASKSkillAuthenticationConfigurationRefreshTokenRule.rb index 3d03423e..1afb8f9c 100644 --- a/lib/cfn-nag/custom_rules/AlexaASKSkillAuthenticationConfigurationRefreshTokenRule.rb +++ b/lib/cfn-nag/custom_rules/AlexaASKSkillAuthenticationConfigurationRefreshTokenRule.rb 
@@ -8,7 +8,7 @@ class AlexaASKSkillAuthenticationConfigurationRefreshTokenRule < BaseRule def rule_text 'Alexa ASK Skill AuthenticationConfiguration RefreshToken must not be ' \ - 'a plaintext string or a Ref to a NoEcho Parameter with a Default value.' + 'a plaintext string or a Ref to a NoEcho Parameter with a Default value.' end def rule_type diff --git a/lib/cfn-nag/custom_rules/AmazonMQBrokerUsersPasswordRule.rb b/lib/cfn-nag/custom_rules/AmazonMQBrokerUsersPasswordRule.rb index 1587927f..f48b387f 100644 --- a/lib/cfn-nag/custom_rules/AmazonMQBrokerUsersPasswordRule.rb +++ b/lib/cfn-nag/custom_rules/AmazonMQBrokerUsersPasswordRule.rb @@ -6,7 +6,7 @@ class AmazonMQBrokerUsersPasswordRule < SubPropertyWithListPasswordBaseRule def rule_text 'AmazonMQ Broker Users Password must not be a plaintext string or a Ref to a Parameter with a Default value. ' \ - 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.' + 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.' end def rule_type diff --git a/lib/cfn-nag/custom_rules/AmplifyAppAccessTokenRule.rb b/lib/cfn-nag/custom_rules/AmplifyAppAccessTokenRule.rb index e3e6b341..59bf01b6 100644 --- a/lib/cfn-nag/custom_rules/AmplifyAppAccessTokenRule.rb +++ b/lib/cfn-nag/custom_rules/AmplifyAppAccessTokenRule.rb @@ -6,8 +6,8 @@ class AmplifyAppAccessTokenRule < PasswordBaseRule def rule_text 'Amplify App AccessToken must not be a plaintext string ' \ - 'or a Ref to a Parameter with a Default value. ' \ - 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.' + 'or a Ref to a Parameter with a Default value. ' \ + 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.' end def rule_type 
diff --git a/lib/cfn-nag/custom_rules/AmplifyAppBasicAuthConfigPasswordRule.rb b/lib/cfn-nag/custom_rules/AmplifyAppBasicAuthConfigPasswordRule.rb index 7423a375..508d4b0c 100644 --- a/lib/cfn-nag/custom_rules/AmplifyAppBasicAuthConfigPasswordRule.rb +++ b/lib/cfn-nag/custom_rules/AmplifyAppBasicAuthConfigPasswordRule.rb @@ -6,8 +6,8 @@ class AmplifyAppBasicAuthConfigPasswordRule < PasswordBaseRule def rule_text 'Amplify App BasicAuthConfig Password must not be a plaintext string ' \ - 'or a Ref to a Parameter with a Default value. ' \ - 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.' + 'or a Ref to a Parameter with a Default value. ' \ + 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.' end def rule_type diff --git a/lib/cfn-nag/custom_rules/AmplifyAppOauthTokenRule.rb b/lib/cfn-nag/custom_rules/AmplifyAppOauthTokenRule.rb index 375016ba..06b256ba 100644 --- a/lib/cfn-nag/custom_rules/AmplifyAppOauthTokenRule.rb +++ b/lib/cfn-nag/custom_rules/AmplifyAppOauthTokenRule.rb @@ -6,8 +6,8 @@ class AmplifyAppOauthTokenRule < PasswordBaseRule def rule_text 'Amplify App OauthToken must not be a plaintext string ' \ - 'or a Ref to a Parameter with a Default value. ' \ - 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.' + 'or a Ref to a Parameter with a Default value. ' \ + 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.' end def rule_type diff --git a/lib/cfn-nag/custom_rules/AmplifyBranchBasicAuthConfigPasswordRule.rb b/lib/cfn-nag/custom_rules/AmplifyBranchBasicAuthConfigPasswordRule.rb index 06f22dab..a88bd378 100644 --- a/lib/cfn-nag/custom_rules/AmplifyBranchBasicAuthConfigPasswordRule.rb +++ b/lib/cfn-nag/custom_rules/AmplifyBranchBasicAuthConfigPasswordRule.rb 
@@ -6,8 +6,8 @@ class AmplifyBranchBasicAuthConfigPasswordRule < PasswordBaseRule def rule_text 'Amplify Branch BasicAuthConfig Password must not be a plaintext ' \ - 'string or a Ref to a Parameter with a Default value. ' \ - 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.' + 'string or a Ref to a Parameter with a Default value. ' \ + 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.' end def rule_type diff --git a/lib/cfn-nag/custom_rules/ApiGatewayAccessLoggingRule.rb b/lib/cfn-nag/custom_rules/ApiGatewayAccessLoggingRule.rb index ef9e4e15..91eca153 100644 --- a/lib/cfn-nag/custom_rules/ApiGatewayAccessLoggingRule.rb +++ b/lib/cfn-nag/custom_rules/ApiGatewayAccessLoggingRule.rb @@ -6,7 +6,7 @@ class ApiGatewayAccessLoggingRule < BaseRule def rule_text 'ApiGateway Deployment resource should have AccessLogSetting property configured when creating an ' \ - 'API Stage itself (through specifying the StageName and StageDescription properties).' + 'API Stage itself (through specifying the StageName and StageDescription properties).' end def rule_type diff --git a/lib/cfn-nag/custom_rules/ApiGatewayCacheEncryptedRule.rb b/lib/cfn-nag/custom_rules/ApiGatewayCacheEncryptedRule.rb index 2992aa6e..e45f2b7f 100644 --- a/lib/cfn-nag/custom_rules/ApiGatewayCacheEncryptedRule.rb +++ b/lib/cfn-nag/custom_rules/ApiGatewayCacheEncryptedRule.rb @@ -6,7 +6,7 @@ class ApiGatewayCacheEncryptedRule < BaseRule def rule_text 'ApiGateway Deployment should have cache data encryption enabled when caching is enabled' \ - ' in StageDescription properties' + ' in StageDescription properties' end def rule_type diff --git a/lib/cfn-nag/custom_rules/ApiGatewayMethodAuthorizationTypeRule.rb b/lib/cfn-nag/custom_rules/ApiGatewayMethodAuthorizationTypeRule.rb index f90716de..986efbc5 100644 --- a/lib/cfn-nag/custom_rules/ApiGatewayMethodAuthorizationTypeRule.rb 
+++ b/lib/cfn-nag/custom_rules/ApiGatewayMethodAuthorizationTypeRule.rb @@ -6,7 +6,7 @@ class ApiGatewayMethodAuthorizationTypeRule < BaseRule def rule_text "AWS::ApiGateway::Method should not have AuthorizationType set to 'NONE' unless it is of " \ - 'HttpMethod: OPTIONS.' + 'HttpMethod: OPTIONS.' end def rule_type diff --git a/lib/cfn-nag/custom_rules/AppStreamDirectoryConfigServiceAccountCredentialsAccountPasswordRule.rb b/lib/cfn-nag/custom_rules/AppStreamDirectoryConfigServiceAccountCredentialsAccountPasswordRule.rb index f1d65318..20145de2 100644 --- a/lib/cfn-nag/custom_rules/AppStreamDirectoryConfigServiceAccountCredentialsAccountPasswordRule.rb +++ b/lib/cfn-nag/custom_rules/AppStreamDirectoryConfigServiceAccountCredentialsAccountPasswordRule.rb @@ -6,9 +6,9 @@ class AppStreamDirectoryConfigServiceAccountCredentialsAccountPasswordRule < PasswordBaseRule def rule_text 'AppStream DirectoryConfig ServiceAccountCredentials AccountPassword ' \ - 'must not be a plaintext string or a Ref to a Parameter ' \ - 'with a Default value. ' \ - 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.' + 'must not be a plaintext string or a Ref to a Parameter ' \ + 'with a Default value. ' \ + 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.' end def rule_type diff --git a/lib/cfn-nag/custom_rules/CodePipelineWebhookAuthenticationConfigurationSecretTokenRule.rb b/lib/cfn-nag/custom_rules/CodePipelineWebhookAuthenticationConfigurationSecretTokenRule.rb index 4fa88828..0ca37113 100644 --- a/lib/cfn-nag/custom_rules/CodePipelineWebhookAuthenticationConfigurationSecretTokenRule.rb +++ b/lib/cfn-nag/custom_rules/CodePipelineWebhookAuthenticationConfigurationSecretTokenRule.rb 
@@ -6,8 +6,8 @@ class CodePipelineWebhookAuthenticationConfigurationSecretTokenRule < PasswordBaseRule def rule_text 'CodePipeline Webhook AuthenticationConfiguration SecretToken must not be ' \ - 'a plaintext string or a Ref to a Parameter with a Default value. ' \ - 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.' + 'a plaintext string or a Ref to a Parameter with a Default value. ' \ + 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.' end def rule_type diff --git a/lib/cfn-nag/custom_rules/CognitoIdentityPoolAllowUnauthenticatedIdentitiesRule.rb b/lib/cfn-nag/custom_rules/CognitoIdentityPoolAllowUnauthenticatedIdentitiesRule.rb index f9359cbb..52535288 100644 --- a/lib/cfn-nag/custom_rules/CognitoIdentityPoolAllowUnauthenticatedIdentitiesRule.rb +++ b/lib/cfn-nag/custom_rules/CognitoIdentityPoolAllowUnauthenticatedIdentitiesRule.rb @@ -7,7 +7,7 @@ class CognitoIdentityPoolAllowUnauthenticatedIdentitiesRule < BaseRule def rule_text 'AWS::Cognito::IdentityPool AllowUnauthenticatedIdentities property should be false ' \ - 'but CAN be true if proper restrictive IAM roles and permissions are established for unauthenticated users.' + 'but CAN be true if proper restrictive IAM roles and permissions are established for unauthenticated users.' end def rule_type diff --git a/lib/cfn-nag/custom_rules/DMSEndpointMongoDbSettingsPasswordRule.rb b/lib/cfn-nag/custom_rules/DMSEndpointMongoDbSettingsPasswordRule.rb index 1d366aad..c9646865 100644 --- a/lib/cfn-nag/custom_rules/DMSEndpointMongoDbSettingsPasswordRule.rb +++ b/lib/cfn-nag/custom_rules/DMSEndpointMongoDbSettingsPasswordRule.rb 
@@ -6,8 +6,8 @@ class DMSEndpointMongoDbSettingsPasswordRule < PasswordBaseRule def rule_text 'DMS Endpoint MongoDbSettings Password must not be a plaintext string ' \ - 'or a Ref to a Parameter with a Default value. ' \ - 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.' + 'or a Ref to a Parameter with a Default value. ' \ + 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.' end def rule_type diff --git a/lib/cfn-nag/custom_rules/DMSEndpointPasswordRule.rb b/lib/cfn-nag/custom_rules/DMSEndpointPasswordRule.rb index dfbaa077..ddd62e8a 100644 --- a/lib/cfn-nag/custom_rules/DMSEndpointPasswordRule.rb +++ b/lib/cfn-nag/custom_rules/DMSEndpointPasswordRule.rb @@ -6,8 +6,8 @@ class DMSEndpointPasswordRule < PasswordBaseRule def rule_text 'DMS Endpoint password must not be a plaintext string ' \ - 'or a Ref to a Parameter with a Default value. ' \ - 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.' + 'or a Ref to a Parameter with a Default value. ' \ + 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.' end def rule_type diff --git a/lib/cfn-nag/custom_rules/DirectoryServiceMicrosoftADPasswordRule.rb b/lib/cfn-nag/custom_rules/DirectoryServiceMicrosoftADPasswordRule.rb index a87fc5a7..215f5ecf 100644 --- a/lib/cfn-nag/custom_rules/DirectoryServiceMicrosoftADPasswordRule.rb +++ b/lib/cfn-nag/custom_rules/DirectoryServiceMicrosoftADPasswordRule.rb 
@@ -7,8 +7,8 @@ class DirectoryServiceMicrosoftADPasswordRule < PasswordBaseRule def rule_text 'Directory Service Microsoft AD password must not be a plaintext string ' \ - 'or a Ref to a Parameter with a Default value. ' \ - 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.' + 'or a Ref to a Parameter with a Default value. ' \ + 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.' end def rule_type diff --git a/lib/cfn-nag/custom_rules/DirectoryServiceSimpleADPasswordRule.rb b/lib/cfn-nag/custom_rules/DirectoryServiceSimpleADPasswordRule.rb index 26365131..4902c1e6 100644 --- a/lib/cfn-nag/custom_rules/DirectoryServiceSimpleADPasswordRule.rb +++ b/lib/cfn-nag/custom_rules/DirectoryServiceSimpleADPasswordRule.rb @@ -7,8 +7,8 @@ class DirectoryServiceSimpleADPasswordRule < PasswordBaseRule def rule_text 'DirectoryService SimpleAD password must not be a plaintext string ' \ - 'or a Ref to a Parameter with a Default value. ' \ - 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.' + 'or a Ref to a Parameter with a Default value. ' \ + 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.' end def rule_type diff --git a/lib/cfn-nag/custom_rules/DocDBDBClusterMasterUserPasswordRule.rb b/lib/cfn-nag/custom_rules/DocDBDBClusterMasterUserPasswordRule.rb index c093fc7d..b8e52802 100644 --- a/lib/cfn-nag/custom_rules/DocDBDBClusterMasterUserPasswordRule.rb +++ b/lib/cfn-nag/custom_rules/DocDBDBClusterMasterUserPasswordRule.rb 
@@ -6,8 +6,8 @@ class DocDBDBClusterMasterUserPasswordRule < PasswordBaseRule def rule_text 'DocDB DB Cluster master user password must not be a plaintext string ' \ - 'or a Ref to a Parameter with a Default value. ' \ - 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.' + 'or a Ref to a Parameter with a Default value. ' \ + 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.' end def rule_type diff --git a/lib/cfn-nag/custom_rules/EC2NetworkAclEntryProtocolRule.rb b/lib/cfn-nag/custom_rules/EC2NetworkAclEntryProtocolRule.rb index a6489692..3f9adcb7 100644 --- a/lib/cfn-nag/custom_rules/EC2NetworkAclEntryProtocolRule.rb +++ b/lib/cfn-nag/custom_rules/EC2NetworkAclEntryProtocolRule.rb @@ -6,7 +6,7 @@ class EC2NetworkAclEntryProtocolRule < BaseRule def rule_text 'To avoid opening all ports for Allow rules, EC2 NetworkACL Entry Protocol should be either 6 (for TCP), 17 ' \ - '(for UDP), 1 (for ICMP), or 58 (for ICMPv6, which must include an IPv6 CIDR block, ICMP type, and code).' + '(for UDP), 1 (for ICMP), or 58 (for ICMPv6, which must include an IPv6 CIDR block, ICMP type, and code).' end def rule_type @@ -53,12 +53,8 @@ def icmpv6_protocol?(network_acl_entry) def violating_network_acl_entries?(network_acl_entry) if rule_action_allow?(network_acl_entry) - if tcp_udp_icmp_protocol?(network_acl_entry) || - icmpv6_protocol?(network_acl_entry) - false - else - true - end + !(tcp_udp_icmp_protocol?(network_acl_entry) || + icmpv6_protocol?(network_acl_entry)) end end end diff --git a/lib/cfn-nag/custom_rules/EKSClusterEncryptionRule.rb b/lib/cfn-nag/custom_rules/EKSClusterEncryptionRule.rb index 8db9aaf1..8b1abecd 100644 --- a/lib/cfn-nag/custom_rules/EKSClusterEncryptionRule.rb +++ b/lib/cfn-nag/custom_rules/EKSClusterEncryptionRule.rb 
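Review bot: `violating_network_acl_entries?` still returns `nil` rather than `false` for entries whose action is not Allow, because the outer `if` has no `else` branch; the new negation reads well but keeps that asymmetry in a `?` method. A single expression gives the same truthiness and a proper boolean: `rule_action_allow?(network_acl_entry) && !(tcp_udp_icmp_protocol?(network_acl_entry) || icmpv6_protocol?(network_acl_entry))`. The three predicates it calls are defined outside the hunk.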
@@ -18,9 +18,7 @@ def rule_id def audit_impl(cfn_model) violating_clusters = cfn_model.resources_by_type('AWS::EKS::Cluster').select do |cluster| - if cluster.encryptionConfig.nil? - true - elsif violating_configs?(cluster) + if cluster.encryptionConfig.nil? || violating_configs?(cluster) true else violating_providers?(cluster) diff --git a/lib/cfn-nag/custom_rules/EMRClusterKerberosAttributesADDomainJoinPasswordRule.rb b/lib/cfn-nag/custom_rules/EMRClusterKerberosAttributesADDomainJoinPasswordRule.rb index 3d67c806..fb84b449 100644 --- a/lib/cfn-nag/custom_rules/EMRClusterKerberosAttributesADDomainJoinPasswordRule.rb +++ b/lib/cfn-nag/custom_rules/EMRClusterKerberosAttributesADDomainJoinPasswordRule.rb @@ -6,8 +6,8 @@ class EMRClusterKerberosAttributesADDomainJoinPasswordRule < PasswordBaseRule def rule_text 'EMR Cluster KerberosAttributes AD Domain JoinPassword must not be a ' \ - 'plaintext string or a Ref to a Parameter with a Default value. ' \ - 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.' + 'plaintext string or a Ref to a Parameter with a Default value. ' \ + 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.' end def rule_type diff --git a/lib/cfn-nag/custom_rules/EMRClusterKerberosAttributesCrossRealmTrustPrincipalPasswordRule.rb b/lib/cfn-nag/custom_rules/EMRClusterKerberosAttributesCrossRealmTrustPrincipalPasswordRule.rb index 3100d631..758b949d 100644 --- a/lib/cfn-nag/custom_rules/EMRClusterKerberosAttributesCrossRealmTrustPrincipalPasswordRule.rb +++ b/lib/cfn-nag/custom_rules/EMRClusterKerberosAttributesCrossRealmTrustPrincipalPasswordRule.rb 
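Review bot: The `if … true else violating_providers?(cluster) end` inside the `select` block can be one boolean expression: `cluster.encryptionConfig.nil? || violating_configs?(cluster) || violating_providers?(cluster)`. `select` only needs truthiness, so the result is the same provided `violating_configs?` and `violating_providers?` return booleans as their names suggest; both are defined outside the hunk, and the block itself closes after the hunk's last line.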
@@ -6,9 +6,9 @@ class EMRClusterKerberosAttributesCrossRealmTrustPrincipalPasswordRule < PasswordBaseRule def rule_text 'EMR Cluster KerberosAttributes CrossRealmTrustPrincipal Password must ' \ - 'not be a plaintext string or a Ref to a Parameter with a ' \ - 'Default value. ' \ - 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.' + 'not be a plaintext string or a Ref to a Parameter with a ' \ + 'Default value. ' \ + 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.' end def rule_type diff --git a/lib/cfn-nag/custom_rules/EMRClusterKerberosAttributesKdcAdminPasswordRule.rb b/lib/cfn-nag/custom_rules/EMRClusterKerberosAttributesKdcAdminPasswordRule.rb index 6766713b..511607c2 100644 --- a/lib/cfn-nag/custom_rules/EMRClusterKerberosAttributesKdcAdminPasswordRule.rb +++ b/lib/cfn-nag/custom_rules/EMRClusterKerberosAttributesKdcAdminPasswordRule.rb @@ -6,8 +6,8 @@ class EMRClusterKerberosAttributesKdcAdminPasswordRule < PasswordBaseRule def rule_text 'EMR Cluster KerberosAttributes KdcAdmin Password must not be a ' \ - 'plaintext string or a Ref to a Parameter with a Default value. ' \ - 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.' + 'plaintext string or a Ref to a Parameter with a Default value. ' \ + 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.' end def rule_type diff --git a/lib/cfn-nag/custom_rules/ElastiCacheReplicationGroupAuthTokenRule.rb b/lib/cfn-nag/custom_rules/ElastiCacheReplicationGroupAuthTokenRule.rb index 6e787d59..c4a68505 100644 --- a/lib/cfn-nag/custom_rules/ElastiCacheReplicationGroupAuthTokenRule.rb +++ b/lib/cfn-nag/custom_rules/ElastiCacheReplicationGroupAuthTokenRule.rb 
@@ -6,8 +6,8 @@ class ElastiCacheReplicationGroupAuthTokenRule < PasswordBaseRule def rule_text 'ElastiCache ReplicationGroup AuthToken must not be a plaintext string ' \ - 'or a Ref to a Parameter with a Default value. ' \ - 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.' + 'or a Ref to a Parameter with a Default value. ' \ + 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.' end def rule_type diff --git a/lib/cfn-nag/custom_rules/IAMUserLoginProfilePasswordRule.rb b/lib/cfn-nag/custom_rules/IAMUserLoginProfilePasswordRule.rb index 250c4d81..7d510e18 100644 --- a/lib/cfn-nag/custom_rules/IAMUserLoginProfilePasswordRule.rb +++ b/lib/cfn-nag/custom_rules/IAMUserLoginProfilePasswordRule.rb @@ -6,8 +6,8 @@ class IAMUserLoginProfilePasswordRule < PasswordBaseRule def rule_text 'IAM User LoginProfile Password must not be a plaintext string or ' \ - 'a Ref to a Parameter with a Default value. ' \ - 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.' + 'a Ref to a Parameter with a Default value. ' \ + 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.' end def rule_type diff --git a/lib/cfn-nag/custom_rules/IamUserLoginProfilePasswordResetRule.rb b/lib/cfn-nag/custom_rules/IamUserLoginProfilePasswordResetRule.rb index 49089b4c..e2c14299 100644 --- a/lib/cfn-nag/custom_rules/IamUserLoginProfilePasswordResetRule.rb +++ b/lib/cfn-nag/custom_rules/IamUserLoginProfilePasswordResetRule.rb 
@@ -29,9 +29,7 @@ def audit_impl(cfn_model) def iam_user_password_reset_required_key?(login_profile) if login_profile.key? 'PasswordResetRequired' - if login_profile['PasswordResetRequired'].nil? - true - elsif not_truthy?(login_profile['PasswordResetRequired']) + if login_profile['PasswordResetRequired'].nil? || not_truthy?(login_profile['PasswordResetRequired']) true end else @@ -40,10 +38,10 @@ def iam_user_password_reset_required_key?(login_profile) end def violating_iam_users?(iam_user) - if !iam_user.loginProfile.nil? - iam_user_password_reset_required_key?(iam_user.loginProfile) - else + if iam_user.loginProfile.nil? false + else + iam_user_password_reset_required_key?(iam_user.loginProfile) end end end diff --git a/lib/cfn-nag/custom_rules/KMSKeyWildcardPrincipalRule.rb b/lib/cfn-nag/custom_rules/KMSKeyWildcardPrincipalRule.rb index 2efa5fcd..1833eda4 100644 --- a/lib/cfn-nag/custom_rules/KMSKeyWildcardPrincipalRule.rb +++ b/lib/cfn-nag/custom_rules/KMSKeyWildcardPrincipalRule.rb @@ -6,7 +6,7 @@ class KMSKeyWildcardPrincipalRule < BaseRule def rule_text 'KMS key should not allow * principal ' \ - '(https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html)' + '(https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html)' end def rule_type diff --git a/lib/cfn-nag/custom_rules/KinesisFirehoseDeliveryStreamRedshiftDestinationConfigurationPasswordRule.rb b/lib/cfn-nag/custom_rules/KinesisFirehoseDeliveryStreamRedshiftDestinationConfigurationPasswordRule.rb index a2a65641..485da7ca 100644 --- a/lib/cfn-nag/custom_rules/KinesisFirehoseDeliveryStreamRedshiftDestinationConfigurationPasswordRule.rb +++ b/lib/cfn-nag/custom_rules/KinesisFirehoseDeliveryStreamRedshiftDestinationConfigurationPasswordRule.rb 
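Review bot: The merged condition in `iam_user_password_reset_required_key?` is now well over 100 characters and repeats the hash lookup twice; binding the value once keeps it readable without changing what the inner `if` yields: `reset = login_profile['PasswordResetRequired']` followed by `true if reset.nil? || not_truthy?(reset)`. The outer `if`'s `else` branch lies outside the hunk. The same style point applies to the second hunk in this file, where `violating_iam_users?` can be the single expression `!iam_user.loginProfile.nil? && iam_user_password_reset_required_key?(iam_user.loginProfile)`, which returns `false` for a missing login profile exactly as the `if`/`else` does.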
@@ -6,9 +6,9 @@ class KinesisFirehoseDeliveryStreamRedshiftDestinationConfigurationPasswordRule < PasswordBaseRule def rule_text 'Kinesis Firehose DeliveryStream RedshiftDestinationConfiguration Password ' \ - 'must not be a plaintext string or a Ref to a Parameter with a ' \ - 'Default value. ' \ - 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.' + 'must not be a plaintext string or a Ref to a Parameter with a ' \ + 'Default value. ' \ + 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.' end def rule_type diff --git a/lib/cfn-nag/custom_rules/KinesisFirehoseDeliveryStreamSplunkDestinationConfigurationHECTokenRule.rb b/lib/cfn-nag/custom_rules/KinesisFirehoseDeliveryStreamSplunkDestinationConfigurationHECTokenRule.rb index 35725c34..ad75eb3e 100644 --- a/lib/cfn-nag/custom_rules/KinesisFirehoseDeliveryStreamSplunkDestinationConfigurationHECTokenRule.rb +++ b/lib/cfn-nag/custom_rules/KinesisFirehoseDeliveryStreamSplunkDestinationConfigurationHECTokenRule.rb @@ -6,9 +6,9 @@ class KinesisFirehoseDeliveryStreamSplunkDestinationConfigurationHECTokenRule < PasswordBaseRule def rule_text 'Kinesis Firehose DeliveryStream SplunkDestinationConfiguration HECToken ' \ - 'must not be a plaintext string or a Ref to a Parameter with a ' \ - 'Default value. ' \ - 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.' + 'must not be a plaintext string or a Ref to a Parameter with a ' \ + 'Default value. ' \ + 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.' end def rule_type diff --git a/lib/cfn-nag/custom_rules/KinesisStreamStreamEncryptionRule.rb b/lib/cfn-nag/custom_rules/KinesisStreamStreamEncryptionRule.rb index 64210fa0..8bdbaee6 100644 --- a/lib/cfn-nag/custom_rules/KinesisStreamStreamEncryptionRule.rb 
+++ b/lib/cfn-nag/custom_rules/KinesisStreamStreamEncryptionRule.rb @@ -27,11 +27,9 @@ def audit_impl(cfn_model) private def violating_kinesis_streams?(kinesis_stream) - if kinesis_stream.streamEncryption.nil? - true - elsif kinesis_stream.streamEncryption['EncryptionType'].nil? - true - elsif kinesis_stream.streamEncryption['KeyId'].nil? + if kinesis_stream.streamEncryption.nil? || + kinesis_stream.streamEncryption['EncryptionType'].nil? || + kinesis_stream.streamEncryption['KeyId'].nil? true else kinesis_stream.streamEncryption['EncryptionType'] == 'NONE' diff --git a/lib/cfn-nag/custom_rules/LambdaPermissionEventSourceTokenRule.rb b/lib/cfn-nag/custom_rules/LambdaPermissionEventSourceTokenRule.rb index 4f3bddcf..9e28e2bd 100644 --- a/lib/cfn-nag/custom_rules/LambdaPermissionEventSourceTokenRule.rb +++ b/lib/cfn-nag/custom_rules/LambdaPermissionEventSourceTokenRule.rb @@ -6,8 +6,8 @@ class LambdaPermissionEventSourceTokenRule < PasswordBaseRule def rule_text 'Lambda Permission EventSourceToken must not be a plaintext string ' \ - 'or a Ref to a Parameter with a Default value. ' \ - 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.' + 'or a Ref to a Parameter with a Default value. ' \ + 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.' end def rule_type diff --git a/lib/cfn-nag/custom_rules/LambdaPermissionInvokeFunctionActionRule.rb b/lib/cfn-nag/custom_rules/LambdaPermissionInvokeFunctionActionRule.rb index 589a67f6..924d1542 100644 --- a/lib/cfn-nag/custom_rules/LambdaPermissionInvokeFunctionActionRule.rb +++ b/lib/cfn-nag/custom_rules/LambdaPermissionInvokeFunctionActionRule.rb @@ -6,7 +6,7 @@ class LambdaPermissionInvokeFunctionActionRule < BaseRule def rule_text 'Lambda permission beside InvokeFunction might not be what you want? ' \ - 'Not sure!?' + 'Not sure!?' end def rule_type 
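Review bot: `violating_kinesis_streams?` now evaluates `kinesis_stream.streamEncryption` four times and still funnels three of its four conditions through an `if … true else … end`; hoisting the hash into a local and folding the last comparison into the `||` chain gives the same boolean result in fewer lines. Each `.nil?` and the `== 'NONE'` comparison return a proper boolean, so the method's return value is unchanged. The surrounding `private` section and `audit_impl` continue outside the hunk.
```ruby
def violating_kinesis_streams?(kinesis_stream)
  encryption = kinesis_stream.streamEncryption
  encryption.nil? ||
    encryption['EncryptionType'].nil? ||
    encryption['KeyId'].nil? ||
    encryption['EncryptionType'] == 'NONE'
end
```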
diff --git a/lib/cfn-nag/custom_rules/ManagedBlockchainMemberMemberFabricConfigurationAdminPasswordRule.rb b/lib/cfn-nag/custom_rules/ManagedBlockchainMemberMemberFabricConfigurationAdminPasswordRule.rb index 33170ca0..b648d33c 100644 --- a/lib/cfn-nag/custom_rules/ManagedBlockchainMemberMemberFabricConfigurationAdminPasswordRule.rb +++ b/lib/cfn-nag/custom_rules/ManagedBlockchainMemberMemberFabricConfigurationAdminPasswordRule.rb @@ -8,7 +8,7 @@ class ManagedBlockchainMemberMemberFabricConfigurationAdminPasswordRule < BaseRule def rule_text 'ManagedBlockchain Member MemberFabricConfiguration AdminPasswordRule must ' \ - 'not be a plaintext string or a Ref to a NoEcho Parameter with a Default value.' + 'not be a plaintext string or a Ref to a NoEcho Parameter with a Default value.' end def rule_type @@ -42,14 +42,11 @@ def audit_impl(cfn_model) # 'MemberFabricConfiguration' # 'AdminPassword' def password_property_does_not_exist(member) - if member.memberConfiguration['MemberFrameworkConfiguration'].nil? - true - elsif member.memberConfiguration['MemberFrameworkConfiguration']['MemberFabricConfiguration'].nil? - true - elsif member.memberConfiguration['MemberFrameworkConfiguration']['MemberFabricConfiguration']['AdminPassword'].nil? + if member.memberConfiguration['MemberFrameworkConfiguration'].nil? || + member.memberConfiguration['MemberFrameworkConfiguration']['MemberFabricConfiguration'].nil? true else - false + member.memberConfiguration['MemberFrameworkConfiguration']['MemberFabricConfiguration']['AdminPassword'].nil? end end end diff --git a/lib/cfn-nag/custom_rules/OpsWorksAppAppSourcePasswordRule.rb b/lib/cfn-nag/custom_rules/OpsWorksAppAppSourcePasswordRule.rb index 650f3e6c..ac864e6f 100644 --- a/lib/cfn-nag/custom_rules/OpsWorksAppAppSourcePasswordRule.rb +++ b/lib/cfn-nag/custom_rules/OpsWorksAppAppSourcePasswordRule.rb 
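Review bot: `password_property_does_not_exist` walks three hash levels by hand in the rewritten `if`; `member.memberConfiguration.dig('MemberFrameworkConfiguration', 'MemberFabricConfiguration', 'AdminPassword').nil?` expresses the same check in one line, as long as the intermediate values are Hashes (`Hash#dig` raises `TypeError` on a non-diggable intermediate, where `[]` on a String would have returned nil, so confirm the model guarantees that shape before switching). The method also answers a yes/no question, so Ruby convention would name it with a trailing `?`; its call site is presumably in `audit_impl`, which lies outside the hunk.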
@@ -6,8 +6,8 @@
class OpsWorksAppAppSourcePasswordRule < PasswordBaseRule
def rule_text
'OpsWorks App AppSource Password must not be a plaintext ' \
- 'string or a Ref to a Parameter with a Default value. ' \
- 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
+ 'string or a Ref to a Parameter with a Default value. ' \
+ 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
end
def rule_type
diff --git a/lib/cfn-nag/custom_rules/OpsWorksAppSslConfigurationPrivateKeyRule.rb b/lib/cfn-nag/custom_rules/OpsWorksAppSslConfigurationPrivateKeyRule.rb
index 0d56260f..0bd4ff41 100644
--- a/lib/cfn-nag/custom_rules/OpsWorksAppSslConfigurationPrivateKeyRule.rb
+++ b/lib/cfn-nag/custom_rules/OpsWorksAppSslConfigurationPrivateKeyRule.rb
@@ -6,8 +6,8 @@
class OpsWorksAppSslConfigurationPrivateKeyRule < PasswordBaseRule
def rule_text
'OpsWorks App SslConfiguration PrivateKey must not be a plaintext ' \
- 'string or a Ref to a Parameter with a Default value. ' \
- 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
+ 'string or a Ref to a Parameter with a Default value. ' \
+ 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
end
def rule_type
diff --git a/lib/cfn-nag/custom_rules/OpsWorksStackCustomCookbooksSourcePasswordRule.rb b/lib/cfn-nag/custom_rules/OpsWorksStackCustomCookbooksSourcePasswordRule.rb
index a22be557..428ec91a 100644
--- a/lib/cfn-nag/custom_rules/OpsWorksStackCustomCookbooksSourcePasswordRule.rb
+++ b/lib/cfn-nag/custom_rules/OpsWorksStackCustomCookbooksSourcePasswordRule.rb
@@ -6,8 +6,8 @@
class OpsWorksStackCustomCookbooksSourcePasswordRule < PasswordBaseRule
def rule_text
'OpsWorks Stack CustomCookbooksSource Password must not be a plaintext ' \
- 'string or a Ref to a Parameter with a Default value. ' \
- 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
+ 'string or a Ref to a Parameter with a Default value. ' \
+ 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
end
def rule_type
diff --git a/lib/cfn-nag/custom_rules/OpsWorksStackRdsDbInstancesDbPasswordRule.rb b/lib/cfn-nag/custom_rules/OpsWorksStackRdsDbInstancesDbPasswordRule.rb
index cc3dc56c..5ef76470 100644
--- a/lib/cfn-nag/custom_rules/OpsWorksStackRdsDbInstancesDbPasswordRule.rb
+++ b/lib/cfn-nag/custom_rules/OpsWorksStackRdsDbInstancesDbPasswordRule.rb
@@ -6,8 +6,8 @@
class OpsWorksStackRdsDbInstancesDbPasswordRule < SubPropertyWithListPasswordBaseRule
def rule_text
'OpsWorks Stack RDS DbInstance DbPassword must not be a plaintext string '\
- 'or a Ref to a Parameter with a Default value. ' \
- 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
+ 'or a Ref to a Parameter with a Default value. ' \
+ 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
end
def rule_type
diff --git a/lib/cfn-nag/custom_rules/PinpointAPNSChannelPrivateKeyRule.rb b/lib/cfn-nag/custom_rules/PinpointAPNSChannelPrivateKeyRule.rb
index 2b290802..d8396fd7 100644
--- a/lib/cfn-nag/custom_rules/PinpointAPNSChannelPrivateKeyRule.rb
+++ b/lib/cfn-nag/custom_rules/PinpointAPNSChannelPrivateKeyRule.rb
@@ -6,8 +6,8 @@
class PinpointAPNSChannelPrivateKeyRule < PasswordBaseRule
def rule_text
'Pinpoint APNSChannel PrivateKey must not be a plaintext string ' \
- 'or a Ref to a Parameter with a Default value. ' \
- 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
+ 'or a Ref to a Parameter with a Default value. ' \
+ 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
end
def rule_type
diff --git a/lib/cfn-nag/custom_rules/PinpointAPNSChannelTokenKeyRule.rb b/lib/cfn-nag/custom_rules/PinpointAPNSChannelTokenKeyRule.rb
index 8194abe6..a8565d47 100644
--- a/lib/cfn-nag/custom_rules/PinpointAPNSChannelTokenKeyRule.rb
+++ b/lib/cfn-nag/custom_rules/PinpointAPNSChannelTokenKeyRule.rb
@@ -6,8 +6,8 @@
class PinpointAPNSChannelTokenKeyRule < PasswordBaseRule
def rule_text
'Pinpoint APNSChannel TokenKey must not be a plaintext string ' \
- 'or a Ref to a Parameter with a Default value. ' \
- 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
+ 'or a Ref to a Parameter with a Default value. ' \
+ 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
end
def rule_type
diff --git a/lib/cfn-nag/custom_rules/PinpointAPNSSandboxChannelPrivateKeyRule.rb b/lib/cfn-nag/custom_rules/PinpointAPNSSandboxChannelPrivateKeyRule.rb
index 06e8d35b..0ff8c542 100644
--- a/lib/cfn-nag/custom_rules/PinpointAPNSSandboxChannelPrivateKeyRule.rb
+++ b/lib/cfn-nag/custom_rules/PinpointAPNSSandboxChannelPrivateKeyRule.rb
@@ -6,8 +6,8 @@
class PinpointAPNSSandboxChannelPrivateKeyRule < PasswordBaseRule
def rule_text
'Pinpoint APNSSandboxChannel PrivateKey must not be a plaintext string ' \
- 'or a Ref to a Parameter with a Default value. ' \
- 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
+ 'or a Ref to a Parameter with a Default value. ' \
+ 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
end
def rule_type
diff --git a/lib/cfn-nag/custom_rules/PinpointAPNSSandboxChannelTokenKeyRule.rb b/lib/cfn-nag/custom_rules/PinpointAPNSSandboxChannelTokenKeyRule.rb
index 6ee43a04..c244e4af 100644
--- a/lib/cfn-nag/custom_rules/PinpointAPNSSandboxChannelTokenKeyRule.rb
+++ b/lib/cfn-nag/custom_rules/PinpointAPNSSandboxChannelTokenKeyRule.rb
@@ -6,8 +6,8 @@
class PinpointAPNSSandboxChannelTokenKeyRule < PasswordBaseRule
def rule_text
'Pinpoint APNSSandboxChannel TokenKey must not be a plaintext string ' \
- 'or a Ref to a Parameter with a Default value. ' \
- 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
+ 'or a Ref to a Parameter with a Default value. ' \
+ 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
end
def rule_type
diff --git a/lib/cfn-nag/custom_rules/PinpointAPNSVoipChannelPrivateKeyRule.rb b/lib/cfn-nag/custom_rules/PinpointAPNSVoipChannelPrivateKeyRule.rb
index a91f0d27..ab991f9d 100644
--- a/lib/cfn-nag/custom_rules/PinpointAPNSVoipChannelPrivateKeyRule.rb
+++ b/lib/cfn-nag/custom_rules/PinpointAPNSVoipChannelPrivateKeyRule.rb
@@ -6,8 +6,8 @@
class PinpointAPNSVoipChannelPrivateKeyRule < PasswordBaseRule
def rule_text
'Pinpoint APNSVoipChannel PrivateKey must not be a plaintext string ' \
- 'or a Ref to a Parameter with a Default value. ' \
- 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
+ 'or a Ref to a Parameter with a Default value. ' \
+ 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
end
def rule_type
diff --git a/lib/cfn-nag/custom_rules/PinpointAPNSVoipChannelTokenKeyRule.rb b/lib/cfn-nag/custom_rules/PinpointAPNSVoipChannelTokenKeyRule.rb
index d4fc0cc7..8ab0d859 100644
--- a/lib/cfn-nag/custom_rules/PinpointAPNSVoipChannelTokenKeyRule.rb
+++ b/lib/cfn-nag/custom_rules/PinpointAPNSVoipChannelTokenKeyRule.rb
@@ -6,8 +6,8 @@
class PinpointAPNSVoipChannelTokenKeyRule < PasswordBaseRule
def rule_text
'Pinpoint APNSChannel TokenKey must not be a plaintext string ' \
- 'or a Ref to a Parameter with a Default value. ' \
- 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
+ 'or a Ref to a Parameter with a Default value. ' \
+ 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
end
def rule_type
diff --git a/lib/cfn-nag/custom_rules/PinpointAPNSVoipSandboxChannelPrivateKeyRule.rb b/lib/cfn-nag/custom_rules/PinpointAPNSVoipSandboxChannelPrivateKeyRule.rb
index 06d28f92..eb171ddf 100644
--- a/lib/cfn-nag/custom_rules/PinpointAPNSVoipSandboxChannelPrivateKeyRule.rb
+++ b/lib/cfn-nag/custom_rules/PinpointAPNSVoipSandboxChannelPrivateKeyRule.rb
@@ -6,8 +6,8 @@
class PinpointAPNSVoipSandboxChannelPrivateKeyRule < PasswordBaseRule
def rule_text
'Pinpoint APNSVoipSandboxChannel PrivateKey must not be a plaintext ' \
- 'string or a Ref to a Parameter with a Default value. ' \
- 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
+ 'string or a Ref to a Parameter with a Default value. ' \
+ 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
end
def rule_type
diff --git a/lib/cfn-nag/custom_rules/PinpointAPNSVoipSandboxChannelTokenKeyRule.rb b/lib/cfn-nag/custom_rules/PinpointAPNSVoipSandboxChannelTokenKeyRule.rb
index 88110f05..603c1c2c 100644
--- a/lib/cfn-nag/custom_rules/PinpointAPNSVoipSandboxChannelTokenKeyRule.rb
+++ b/lib/cfn-nag/custom_rules/PinpointAPNSVoipSandboxChannelTokenKeyRule.rb
@@ -6,8 +6,8 @@
class PinpointAPNSVoipSandboxChannelTokenKeyRule < PasswordBaseRule
def rule_text
'Pinpoint APNSVoipSandboxChannel TokenKey must not be a plaintext string ' \
- 'or a Ref to a Parameter with a Default value. ' \
- 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
+ 'or a Ref to a Parameter with a Default value. ' \
+ 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
end
def rule_type
diff --git a/lib/cfn-nag/custom_rules/RDSDBClusterMasterUserPasswordRule.rb b/lib/cfn-nag/custom_rules/RDSDBClusterMasterUserPasswordRule.rb
index b84270f2..feacafb6 100644
--- a/lib/cfn-nag/custom_rules/RDSDBClusterMasterUserPasswordRule.rb
+++ b/lib/cfn-nag/custom_rules/RDSDBClusterMasterUserPasswordRule.rb
@@ -6,8 +6,8 @@
class RDSDBClusterMasterUserPasswordRule < PasswordBaseRule
def rule_text
'RDS DB Cluster master user password must not be a plaintext string ' \
- 'or a Ref to a Parameter with a Default value. ' \
- 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
+ 'or a Ref to a Parameter with a Default value. ' \
+ 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
end
def rule_type
diff --git a/lib/cfn-nag/custom_rules/RDSDBInstanceMasterUserPasswordRule.rb b/lib/cfn-nag/custom_rules/RDSDBInstanceMasterUserPasswordRule.rb
index 37abfdd4..9a4c8750 100644
--- a/lib/cfn-nag/custom_rules/RDSDBInstanceMasterUserPasswordRule.rb
+++ b/lib/cfn-nag/custom_rules/RDSDBInstanceMasterUserPasswordRule.rb
@@ -6,8 +6,8 @@
class RDSDBInstanceMasterUserPasswordRule < PasswordBaseRule
def rule_text
'RDS instance master user password must not be a plaintext string ' \
- 'or a Ref to a Parameter with a Default value. ' \
- 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
+ 'or a Ref to a Parameter with a Default value. ' \
+ 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
end
def rule_type
diff --git a/lib/cfn-nag/custom_rules/RDSDBInstanceMasterUsernameRule.rb b/lib/cfn-nag/custom_rules/RDSDBInstanceMasterUsernameRule.rb
index df94ce47..72a6c020 100644
--- a/lib/cfn-nag/custom_rules/RDSDBInstanceMasterUsernameRule.rb
+++ b/lib/cfn-nag/custom_rules/RDSDBInstanceMasterUsernameRule.rb
@@ -7,8 +7,8 @@
class RDSDBInstanceMasterUsernameRule < PasswordBaseRule
def rule_text
'RDS instance master username must not be a plaintext string ' \
- 'or a Ref to a Parameter with a Default value. ' \
- 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
+ 'or a Ref to a Parameter with a Default value. ' \
+ 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
end
def rule_type
diff --git a/lib/cfn-nag/custom_rules/RedshiftClusterMasterUserPasswordRule.rb b/lib/cfn-nag/custom_rules/RedshiftClusterMasterUserPasswordRule.rb
index f5450f07..08431c86 100644
--- a/lib/cfn-nag/custom_rules/RedshiftClusterMasterUserPasswordRule.rb
+++ b/lib/cfn-nag/custom_rules/RedshiftClusterMasterUserPasswordRule.rb
@@ -6,8 +6,8 @@
class RedshiftClusterMasterUserPasswordRule < PasswordBaseRule
def rule_text
'Redshift Cluster master user password must not be a plaintext string ' \
- 'or a Ref to a Parameter with a Default value. ' \
- 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
+ 'or a Ref to a Parameter with a Default value. ' \
+ 'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
end
def rule_type
diff --git a/lib/cfn-nag/custom_rules/ResourceWithExplicitNameRule.rb b/lib/cfn-nag/custom_rules/ResourceWithExplicitNameRule.rb
index 4b9da064..569aba4a 100644
--- a/lib/cfn-nag/custom_rules/ResourceWithExplicitNameRule.rb
+++ b/lib/cfn-nag/custom_rules/ResourceWithExplicitNameRule.rb
@@ -26,7 +26,7 @@ class ResourceWithExplicitNameRule < BaseRule
def rule_text
'Resource found with an explicit name, this disallows updates that ' \
- 'require replacement of this resource'
+ 'require replacement of this resource'
end
def rule_type
diff --git a/lib/cfn-nag/custom_rules/SecretsManagerSecretKmsKeyIdRule.rb b/lib/cfn-nag/custom_rules/SecretsManagerSecretKmsKeyIdRule.rb
index bc401c1d..4f3981fd 100644
--- a/lib/cfn-nag/custom_rules/SecretsManagerSecretKmsKeyIdRule.rb
+++ b/lib/cfn-nag/custom_rules/SecretsManagerSecretKmsKeyIdRule.rb
@@ -6,7 +6,7 @@
class SecretsManagerSecretKmsKeyIdRule < BooleanBaseRule
def rule_text
'Secrets Manager Secret should explicitly specify KmsKeyId.' \
- ' Besides control of the key this will allow the secret to be shared cross-account'
+ ' Besides control of the key this will allow the secret to be shared cross-account'
end
def rule_type
diff --git a/lib/cfn-nag/custom_rules/SecurityGroupIngressOpenToWorldRule.rb b/lib/cfn-nag/custom_rules/SecurityGroupIngressOpenToWorldRule.rb
index 3785c79f..73fc8b50 100644
--- a/lib/cfn-nag/custom_rules/SecurityGroupIngressOpenToWorldRule.rb
+++ b/lib/cfn-nag/custom_rules/SecurityGroupIngressOpenToWorldRule.rb
@@ -9,7 +9,7 @@
class SecurityGroupIngressOpenToWorldRule < BaseRule
def rule_text
'Security Groups found with cidr open to world on ingress. This should ' \
- 'never be true on instance. Permissible on ELB'
+ 'never be true on instance. Permissible on ELB'
end
def rule_type
diff --git a/lib/cfn-nag/custom_rules/SecurityGroupIngressPortRangeRule.rb b/lib/cfn-nag/custom_rules/SecurityGroupIngressPortRangeRule.rb
index 21e95b91..e49f3796 100644
--- a/lib/cfn-nag/custom_rules/SecurityGroupIngressPortRangeRule.rb
+++ b/lib/cfn-nag/custom_rules/SecurityGroupIngressPortRangeRule.rb
@@ -6,7 +6,7 @@
class SecurityGroupIngressPortRangeRule < BaseRule
def rule_text
'Security Groups found ingress with port range instead of just a single ' \
- 'port'
+ 'port'
end
def rule_type
diff --git a/lib/cfn-nag/custom_rules/SecurityGroupMissingEgressRule.rb b/lib/cfn-nag/custom_rules/SecurityGroupMissingEgressRule.rb
index 75f04681..0e8a150f 100644
--- a/lib/cfn-nag/custom_rules/SecurityGroupMissingEgressRule.rb
+++ b/lib/cfn-nag/custom_rules/SecurityGroupMissingEgressRule.rb
@@ -6,7 +6,7 @@
class SecurityGroupMissingEgressRule < BaseRule
def rule_text
'Missing egress rule means all traffic is allowed outbound. Make this ' \
- 'explicit if it is desired configuration'
+ 'explicit if it is desired configuration'
end
def rule_type
diff --git a/lib/cfn-nag/custom_rules/SecurityGroupRuleDescriptionRule.rb b/lib/cfn-nag/custom_rules/SecurityGroupRuleDescriptionRule.rb
index 0be07115..b378edc8 100644
--- a/lib/cfn-nag/custom_rules/SecurityGroupRuleDescriptionRule.rb
+++ b/lib/cfn-nag/custom_rules/SecurityGroupRuleDescriptionRule.rb
@@ -8,8 +8,8 @@
class SecurityGroupRuleDescriptionRule < BaseRule
def rule_text
'Security group rules without a description obscure their purpose and may '\
- 'lead to bad practices in ensuring they only allow traffic from the ports '\
- 'and sources/destinations required.'
+ 'lead to bad practices in ensuring they only allow traffic from the ports '\
+ 'and sources/destinations required.'
end
def rule_type
diff --git a/lib/cfn-nag/iam_complexity_metric/spcm.rb b/lib/cfn-nag/iam_complexity_metric/spcm.rb
index dadb5a53..8c2ff1b4 100644
--- a/lib/cfn-nag/iam_complexity_metric/spcm.rb
+++ b/lib/cfn-nag/iam_complexity_metric/spcm.rb
@@ -11,8 +11,8 @@ def aggregate_metrics(input_path:,
parameter_values_path: nil,
condition_values_path: nil,
template_pattern: DEFAULT_TEMPLATE_PATTERN)
- parameter_values_string = parameter_values_path.nil? ? nil : IO.read(parameter_values_path)
- condition_values_string = condition_values_path.nil? ? nil : IO.read(condition_values_path)
+ parameter_values_string = parameter_values_path.nil? ? nil : File.read(parameter_values_path)
+ condition_values_string = condition_values_path.nil? ? nil : File.read(condition_values_path)
templates = TemplateDiscovery.new.discover_templates(input_json_path: input_path, template_pattern: template_pattern)
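Review bot: The `IO.read` → `File.read` swap on the `parameter_values_string` and `condition_values_string` lines is a hardening change rather than a cosmetic one — `IO.read` interprets a path beginning with `|` as a command to execute, `File.read` does not — but nothing in the hunk records that, so a later cleanup could revert it without noticing. A one-line comment above the first assignment such as `# File.read, not IO.read: IO.read runs a command when the path starts with '|'` preserves the intent; the same note applies to the `cloudformation_string: File.read(template)` line in the next hunk of this file, since `template` comes from directory discovery. `aggregate_metrics` starts outside the hunk.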
@@ -21,7 +21,7 @@ def aggregate_metrics(input_path:,
aggregate_results << {
filename: template,
file_results: metric(
- cloudformation_string: IO.read(template),
+ cloudformation_string: File.read(template),
parameter_values_string: parameter_values_string,
condition_values_string: condition_values_string
)
diff --git a/lib/cfn-nag/util/enforce_reference_parameter.rb b/lib/cfn-nag/util/enforce_reference_parameter.rb
index b0ce0015..301fdf34 100644
--- a/lib/cfn-nag/util/enforce_reference_parameter.rb
+++ b/lib/cfn-nag/util/enforce_reference_parameter.rb
@@ -29,5 +29,5 @@ def insecure_parameter?(cfn_model, key_to_check)
# is not present; otherwise returns true
def no_echo_and_no_default_parameter_check(cfn_model, key_to_check)
parameter = cfn_model.parameters[key_to_check['Ref']]
- truthy?(parameter.noEcho) && parameter.default.nil? ? false : true
+ !(truthy?(parameter.noEcho) && parameter.default.nil?)
end
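Review bot: The new return line in `no_echo_and_no_default_parameter_check` dereferences `parameter` unconditionally, so when `cfn_model.parameters` has no entry for `key_to_check['Ref']` (a `Ref` to something other than a template parameter) it raises `NoMethodError` on `nil` instead of returning a boolean; unless the caller `insecure_parameter?`, whose body is outside the hunk, already guarantees the key exists, a guard such as `return true if parameter.nil?` (or whichever outcome the rule intends for an unresolvable Ref) belongs before it. As a point of style, the method returns a boolean but lacks the `?` suffix used by `insecure_parameter?` and `truthy?` in the same file, and the negated conjunction can be written to match the comment's wording: `!truthy?(parameter.noEcho) || !parameter.default.nil?`.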