UNPKG

cdk-nag

Version:

Check CDK v2 applications for best practices using a combination on available rule packs.

160 lines • 24 kB
"use strict"; var _a; Object.defineProperty(exports, "__esModule", { value: true }); exports.NagPack = void 0; const JSII_RTTI_SYMBOL_1 = Symbol.for("jsii.rtti"); /* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-Identifier: Apache-2.0 */ const aws_cdk_lib_1 = require("aws-cdk-lib"); const ignore_suppression_conditions_1 = require("./ignore-suppression-conditions"); const nag_logger_1 = require("./nag-logger"); const nag_rules_1 = require("./nag-rules"); const nag_suppression_helper_1 = require("./utils/nag-suppression-helper"); /** * Base class for all rule packs. */ class NagPack { constructor(props) { this.loggers = new Array(); this.packName = ''; this.userGlobalSuppressionIgnore = props?.suppressionIgnoreCondition; this.loggers.push(new nag_logger_1.AnnotationLogger({ verbose: props?.verbose, logIgnores: props?.logIgnores, })); if (props?.reports ?? true) { const formats = props?.reportFormats ? props.reportFormats : [nag_logger_1.NagReportFormat.CSV]; this.loggers.push(new nag_logger_1.NagReportLogger({ formats })); } if (props?.additionalLoggers) { this.loggers.push(...props.additionalLoggers); } } get readPackName() { return this.packName; } /** * Create a rule to be used in the NagPack. * @param params The @IApplyRule interface with rule details. */ applyRule(params) { if (this.packName === '') { throw Error('The NagPack does not have a pack name, therefore the rule could not be applied. Set a packName in the NagPack constructor.'); } const allSuppressions = nag_suppression_helper_1.NagSuppressionHelper.getSuppressions(params.node); const ruleSuffix = params.ruleSuffixOverride ? params.ruleSuffixOverride : params.rule.name; const ruleId = `${this.packName}-${ruleSuffix}`; const base = { nagPackName: this.packName, resource: params.node, ruleId: ruleId, ruleOriginalName: params.rule.name, ruleInfo: params.info, ruleExplanation: params.explanation, ruleLevel: params.level, }; try { const ruleCompliance = params.rule(params.node); if (ruleCompliance === nag_rules_1.NagRuleCompliance.COMPLIANT) { this.loggers.forEach((t) => t.onCompliance(base)); } else if (this.isNonCompliant(ruleCompliance)) { const findings = this.asFindings(ruleCompliance); for (const findingId of findings) { const suppressionReason = this.ignoreRule(allSuppressions, ruleId, findingId, params.node, params.level, params.ignoreSuppressionCondition); if (suppressionReason) { this.loggers.forEach((t) => t.onSuppressed({ ...base, suppressionReason, findingId, })); } else { this.loggers.forEach((t) => t.onNonCompliance({ ...base, findingId, })); } } } else if (ruleCompliance === nag_rules_1.NagRuleCompliance.NOT_APPLICABLE) { this.loggers.forEach((t) => t.onNotApplicable({ ...base, })); } } catch (error) { const reason = this.ignoreRule(allSuppressions, nag_rules_1.VALIDATION_FAILURE_ID, '', params.node, params.level, params.ignoreSuppressionCondition); if (reason) { this.loggers.forEach((t) => t.onSuppressedError({ ...base, errorMessage: error.message, errorSuppressionReason: reason, })); } else { this.loggers.forEach((t) => t.onError({ ...base, errorMessage: error.message, })); } } } /** * Check whether a specific rule should be ignored. * @param suppressions The suppressions listed in the cdk-nag metadata. * @param ruleId The id of the rule to ignore. * @param resource The resource being evaluated. * @param findingId The id of the finding that is being checked. * @returns The reason the rule was ignored, or an empty string. */ ignoreRule(suppressions, ruleId, findingId, resource, level, ignoreSuppressionCondition) { for (let suppression of suppressions) { if (nag_suppression_helper_1.NagSuppressionHelper.doesApply(suppression, ruleId, findingId)) { const ignoreMessage = new ignore_suppression_conditions_1.SuppressionIgnoreOr(this.userGlobalSuppressionIgnore ?? new ignore_suppression_conditions_1.SuppressionIgnoreNever(), this.packGlobalSuppressionIgnore ?? new ignore_suppression_conditions_1.SuppressionIgnoreNever(), ignoreSuppressionCondition ?? new ignore_suppression_conditions_1.SuppressionIgnoreNever()).createMessage({ resource, reason: suppression.reason, ruleId, findingId, ruleLevel: level, }); if (ignoreMessage) { let id = findingId ? `${ruleId}[${findingId}]` : `${ruleId}`; aws_cdk_lib_1.Annotations.of(resource).addInfo(`The suppression for ${id} was ignored for the following reason(s).\n\t${ignoreMessage}`); } else { if (!suppression.appliesTo) { // the rule is not granular so it always applies return suppression.reason; } else { return `[${findingId}] ${suppression.reason}`; } } } } return ''; } isNonCompliant(ruleResult) { return (ruleResult === nag_rules_1.NagRuleCompliance.NON_COMPLIANT || Array.isArray(ruleResult)); } asFindings(ruleResult) { if (Array.isArray(ruleResult)) { return ruleResult; } else { return ['']; } } } exports.NagPack = NagPack; _a = JSII_RTTI_SYMBOL_1; NagPack[_a] = { fqn: "cdk-nag.NagPack", version: "2.28.194" }; //# sourceMappingURL=data:application/json;base64,{"version":3,"file":"nag-pack.js","sourceRoot":"","sources":["../src/nag-pack.ts"],"names":[],"mappings":";;;;;AAAA;;;EAGE;AACF,6CAAgE;AAEhE,mFAIyC;AAEzC,6CAMsB;AACtB,2CAMqB;AACrB,2EAAsE;AAwEtE;;GAEG;AACH,MAAsB,OAAO;IAM3B,YAAY,KAAoB;QALtB,YAAO,GAAG,IAAI,KAAK,EAAc,CAAC;QAClC,aAAQ,GAAG,EAAE,CAAC;QAKtB,IAAI,CAAC,2BAA2B,GAAG,KAAK,EAAE,0BAA0B,CAAC;QACrE,IAAI,CAAC,OAAO,CAAC,IAAI,CACf,IAAI,6BAAgB,CAAC;YACnB,OAAO,EAAE,KAAK,EAAE,OAAO;YACvB,UAAU,EAAE,KAAK,EAAE,UAAU;SAC9B,CAAC,CACH,CAAC;QACF,IAAI,KAAK,EAAE,OAAO,IAAI,IAAI,EAAE;YAC1B,MAAM,OAAO,GAAG,KAAK,EAAE,aAAa;gBAClC,CAAC,CAAC,KAAK,CAAC,aAAa;gBACrB,CAAC,CAAC,CAAC,4BAAe,CAAC,GAAG,CAAC,CAAC;YAC1B,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,4BAAe,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC;SACrD;QACD,IAAI,KAAK,EAAE,iBAAiB,EAAE;YAC5B,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,KAAK,CAAC,iBAAiB,CAAC,CAAC;SAC/C;IACH,CAAC;IAED,IAAW,YAAY;QACrB,OAAO,IAAI,CAAC,QAAQ,CAAC;IACvB,CAAC;IAOD;;;OAGG;IACO,SAAS,CAAC,MAAkB;QACpC,IAAI,IAAI,CAAC,QAAQ,KAAK,EAAE,EAAE;YACxB,MAAM,KAAK,CACT,4HAA4H,CAC7H,CAAC;SACH;QACD,MAAM,eAAe,GAAG,6CAAoB,CAAC,eAAe,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;QAC1E,MAAM,UAAU,GAAG,MAAM,CAAC,kBAAkB;YAC1C,CAAC,CAAC,MAAM,CAAC,kBAAkB;YAC3B,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC;QACrB,MAAM,MAAM,GAAG,GAAG,IAAI,CAAC,QAAQ,IAAI,UAAU,EAAE,CAAC;QAChD,MAAM,IAAI,GAAsB;YAC9B,WAAW,EAAE,IAAI,CAAC,QAAQ;YAC1B,QAAQ,EAAE,MAAM,CAAC,IAAI;YACrB,MAAM,EAAE,MAAM;YACd,gBAAgB,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI;YAClC,QAAQ,EAAE,MAAM,CAAC,IAAI;YACrB,eAAe,EAAE,MAAM,CAAC,WAAW;YACnC,SAAS,EAAE,MAAM,CAAC,KAAK;SACxB,CAAC;QACF,IAAI;YACF,MAAM,cAAc,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;YAChD,IAAI,cAAc,KAAK,6BAAiB,CAAC,SAAS,EAAE;gBAClD,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC;aACnD;iBAAM,IAAI,IAAI,CAAC,cAAc,CAAC,cAAc,CAAC,EAAE;gBAC9C,MAAM,QAAQ,GAAG,IAAI,CAAC,UAAU,CAAC,cAAc,CAAC,CAAC;gBACjD,KAAK,MAAM,SAAS,IAAI,QAAQ,EAAE;oBAChC,MAAM,iBAAiB,GAAG,IAAI,CAAC,UAAU,CACvC,eAAe,EACf,MAAM,EACN,SAAS,EACT,MAAM,CAAC,IAAI,EACX,MAAM,CAAC,KAAK,EACZ,MAAM,CAAC,0BAA0B,CAClC,CAAC;oBACF,IAAI,iBAAiB,EAAE;wBACrB,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CACzB,CAAC,CAAC,YAAY,CAAC;4BACb,GAAG,IAAI;4BACP,iBAAiB;4BACjB,SAAS;yBACV,CAAC,CACH,CAAC;qBACH;yBAAM;wBACL,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CACzB,CAAC,CAAC,eAAe,CAAC;4BAChB,GAAG,IAAI;4BACP,SAAS;yBACV,CAAC,CACH,CAAC;qBACH;iBACF;aACF;iBAAM,IAAI,cAAc,KAAK,6BAAiB,CAAC,cAAc,EAAE;gBAC9D,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CACzB,CAAC,CAAC,eAAe,CAAC;oBAChB,GAAG,IAAI;iBACR,CAAC,CACH,CAAC;aACH;SACF;QAAC,OAAO,KAAK,EAAE;YACd,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,CAC5B,eAAe,EACf,iCAAqB,EACrB,EAAE,EACF,MAAM,CAAC,IAAI,EACX,MAAM,CAAC,KAAK,EACZ,MAAM,CAAC,0BAA0B,CAClC,CAAC;YACF,IAAI,MAAM,EAAE;gBACV,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CACzB,CAAC,CAAC,iBAAiB,CAAC;oBAClB,GAAG,IAAI;oBACP,YAAY,EAAG,KAAe,CAAC,OAAO;oBACtC,sBAAsB,EAAE,MAAM;iBAC/B,CAAC,CACH,CAAC;aACH;iBAAM;gBACL,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CACzB,CAAC,CAAC,OAAO,CAAC;oBACR,GAAG,IAAI;oBACP,YAAY,EAAG,KAAe,CAAC,OAAO;iBACvC,CAAC,CACH,CAAC;aACH;SACF;IACH,CAAC;IAED;;;;;;;OAOG;IACO,UAAU,CAClB,YAAkC,EAClC,MAAc,EACd,SAAiB,EACjB,QAAqB,EACrB,KAAsB,EACtB,0BAAkD;QAElD,KAAK,IAAI,WAAW,IAAI,YAAY,EAAE;YACpC,IAAI,6CAAoB,CAAC,SAAS,CAAC,WAAW,EAAE,MAAM,EAAE,SAAS,CAAC,EAAE;gBAClE,MAAM,aAAa,GAAG,IAAI,mDAAmB,CAC3C,IAAI,CAAC,2BAA2B,IAAI,IAAI,sDAAsB,EAAE,EAChE,IAAI,CAAC,2BAA2B,IAAI,IAAI,sDAAsB,EAAE,EAChE,0BAA0B,IAAI,IAAI,sDAAsB,EAAE,CAC3D,CAAC,aAAa,CAAC;oBACd,QAAQ;oBACR,MAAM,EAAE,WAAW,CAAC,MAAM;oBAC1B,MAAM;oBACN,SAAS;oBACT,SAAS,EAAE,KAAK;iBACjB,CAAC,CAAC;gBACH,IAAI,aAAa,EAAE;oBACjB,IAAI,EAAE,GAAG,SAAS,CAAC,CAAC,CAAC,GAAG,MAAM,IAAI,SAAS,GAAG,CAAC,CAAC,CAAC,GAAG,MAAM,EAAE,CAAC;oBAC7D,yBAAW,CAAC,EAAE,CAAC,QAAQ,CAAC,CAAC,OAAO,CAC9B,uBAAuB,EAAE,gDAAgD,aAAa,EAAE,CACzF,CAAC;iBACH;qBAAM;oBACL,IAAI,CAAC,WAAW,CAAC,SAAS,EAAE;wBAC1B,gDAAgD;wBAChD,OAAO,WAAW,CAAC,MAAM,CAAC;qBAC3B;yBAAM;wBACL,OAAO,IAAI,SAAS,KAAK,WAAW,CAAC,MAAM,EAAE,CAAC;qBAC/C;iBACF;aACF;SACF;QACD,OAAO,EAAE,CAAC;IACZ,CAAC;IAEO,cAAc,CAAC,UAAyB;QAC9C,OAAO,CACL,UAAU,KAAK,6BAAiB,CAAC,aAAa;YAC9C,KAAK,CAAC,OAAO,CAAC,UAAU,CAAC,CAC1B,CAAC;IACJ,CAAC;IAEO,UAAU,CAAC,UAAyB;QAC1C,IAAI,KAAK,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE;YAC7B,OAAO,UAAU,CAAC;SACnB;aAAM;YACL,OAAO,CAAC,EAAE,CAAC,CAAC;SACb;IACH,CAAC;;AAzLH,0BA0LC","sourcesContent":["/*\nCopyright Amazon.com, Inc. or its affiliates. All Rights Reserved.\nSPDX-License-Identifier: Apache-2.0\n*/\nimport { Annotations, CfnResource, IAspect } from 'aws-cdk-lib';\nimport { IConstruct } from 'constructs';\nimport {\n  INagSuppressionIgnore,\n  SuppressionIgnoreNever,\n  SuppressionIgnoreOr,\n} from './ignore-suppression-conditions';\nimport { NagPackSuppression } from './models/nag-suppression';\nimport {\n  AnnotationLogger,\n  INagLogger,\n  NagLoggerBaseData,\n  NagReportFormat,\n  NagReportLogger,\n} from './nag-logger';\nimport {\n  NagMessageLevel,\n  NagRuleCompliance,\n  NagRuleFindings,\n  NagRuleResult,\n  VALIDATION_FAILURE_ID,\n} from './nag-rules';\nimport { NagSuppressionHelper } from './utils/nag-suppression-helper';\n\n/**\n * Interface for creating a NagPack.\n */\nexport interface NagPackProps {\n  /**\n   * Whether or not to enable extended explanatory descriptions on warning, error, and logged ignore messages (default: false).\n   */\n  readonly verbose?: boolean;\n\n  /**\n   * Whether or not to log suppressed rule violations as informational messages (default: false).\n   */\n  readonly logIgnores?: boolean;\n\n  /**\n   * Whether or not to generate compliance reports for applied Stacks in the App's output directory (default: true).\n   */\n  readonly reports?: boolean;\n\n  /**\n   * If reports are enabled, the output formats of compliance reports in the App's output directory (default: only CSV).\n   */\n  readonly reportFormats?: NagReportFormat[];\n\n  /**\n   * Conditionally prevent rules from being suppressed (default: no user provided condition).\n   */\n  readonly suppressionIgnoreCondition?: INagSuppressionIgnore;\n\n  /**\n   * Additional NagLoggers for logging rule validation outputs.\n   */\n  readonly additionalLoggers?: INagLogger[];\n}\n\n/**\n * Interface for JSII interoperability for passing parameters and the Rule Callback to @applyRule method.\n */\nexport interface IApplyRule {\n  /**\n   * Override for the suffix of the Rule ID for this rule\n   */\n  ruleSuffixOverride?: string;\n  /**\n   * Why the rule was triggered.\n   */\n  info: string;\n  /**\n   * Why the rule exists.\n   */\n  explanation: string;\n  /**\n   * The annotations message level to apply to the rule if triggered.\n   */\n  level: NagMessageLevel;\n  /**\n   * A condition in which a suppression should be ignored.\n   */\n  ignoreSuppressionCondition?: INagSuppressionIgnore;\n  /**\n   * The CfnResource to check\n   */\n  node: CfnResource;\n  /**\n   * The callback to the rule.\n   * @param node The CfnResource to check.\n   */\n  rule(node: CfnResource): NagRuleResult;\n}\n\n/**\n * Base class for all rule packs.\n */\nexport abstract class NagPack implements IAspect {\n  protected loggers = new Array<INagLogger>();\n  protected packName = '';\n  protected userGlobalSuppressionIgnore?: INagSuppressionIgnore;\n  protected packGlobalSuppressionIgnore?: INagSuppressionIgnore;\n\n  constructor(props?: NagPackProps) {\n    this.userGlobalSuppressionIgnore = props?.suppressionIgnoreCondition;\n    this.loggers.push(\n      new AnnotationLogger({\n        verbose: props?.verbose,\n        logIgnores: props?.logIgnores,\n      })\n    );\n    if (props?.reports ?? true) {\n      const formats = props?.reportFormats\n        ? props.reportFormats\n        : [NagReportFormat.CSV];\n      this.loggers.push(new NagReportLogger({ formats }));\n    }\n    if (props?.additionalLoggers) {\n      this.loggers.push(...props.additionalLoggers);\n    }\n  }\n\n  public get readPackName(): string {\n    return this.packName;\n  }\n\n  /**\n   * All aspects can visit an IConstruct.\n   */\n  public abstract visit(node: IConstruct): void;\n\n  /**\n   * Create a rule to be used in the NagPack.\n   * @param params The @IApplyRule interface with rule details.\n   */\n  protected applyRule(params: IApplyRule): void {\n    if (this.packName === '') {\n      throw Error(\n        'The NagPack does not have a pack name, therefore the rule could not be applied. Set a packName in the NagPack constructor.'\n      );\n    }\n    const allSuppressions = NagSuppressionHelper.getSuppressions(params.node);\n    const ruleSuffix = params.ruleSuffixOverride\n      ? params.ruleSuffixOverride\n      : params.rule.name;\n    const ruleId = `${this.packName}-${ruleSuffix}`;\n    const base: NagLoggerBaseData = {\n      nagPackName: this.packName,\n      resource: params.node,\n      ruleId: ruleId,\n      ruleOriginalName: params.rule.name,\n      ruleInfo: params.info,\n      ruleExplanation: params.explanation,\n      ruleLevel: params.level,\n    };\n    try {\n      const ruleCompliance = params.rule(params.node);\n      if (ruleCompliance === NagRuleCompliance.COMPLIANT) {\n        this.loggers.forEach((t) => t.onCompliance(base));\n      } else if (this.isNonCompliant(ruleCompliance)) {\n        const findings = this.asFindings(ruleCompliance);\n        for (const findingId of findings) {\n          const suppressionReason = this.ignoreRule(\n            allSuppressions,\n            ruleId,\n            findingId,\n            params.node,\n            params.level,\n            params.ignoreSuppressionCondition\n          );\n          if (suppressionReason) {\n            this.loggers.forEach((t) =>\n              t.onSuppressed({\n                ...base,\n                suppressionReason,\n                findingId,\n              })\n            );\n          } else {\n            this.loggers.forEach((t) =>\n              t.onNonCompliance({\n                ...base,\n                findingId,\n              })\n            );\n          }\n        }\n      } else if (ruleCompliance === NagRuleCompliance.NOT_APPLICABLE) {\n        this.loggers.forEach((t) =>\n          t.onNotApplicable({\n            ...base,\n          })\n        );\n      }\n    } catch (error) {\n      const reason = this.ignoreRule(\n        allSuppressions,\n        VALIDATION_FAILURE_ID,\n        '',\n        params.node,\n        params.level,\n        params.ignoreSuppressionCondition\n      );\n      if (reason) {\n        this.loggers.forEach((t) =>\n          t.onSuppressedError({\n            ...base,\n            errorMessage: (error as Error).message,\n            errorSuppressionReason: reason,\n          })\n        );\n      } else {\n        this.loggers.forEach((t) =>\n          t.onError({\n            ...base,\n            errorMessage: (error as Error).message,\n          })\n        );\n      }\n    }\n  }\n\n  /**\n   * Check whether a specific rule should be ignored.\n   * @param suppressions The suppressions listed in the cdk-nag metadata.\n   * @param ruleId The id of the rule to ignore.\n   * @param resource The resource being evaluated.\n   * @param findingId The id of the finding that is being checked.\n   * @returns The reason the rule was ignored, or an empty string.\n   */\n  protected ignoreRule(\n    suppressions: NagPackSuppression[],\n    ruleId: string,\n    findingId: string,\n    resource: CfnResource,\n    level: NagMessageLevel,\n    ignoreSuppressionCondition?: INagSuppressionIgnore\n  ): string {\n    for (let suppression of suppressions) {\n      if (NagSuppressionHelper.doesApply(suppression, ruleId, findingId)) {\n        const ignoreMessage = new SuppressionIgnoreOr(\n          this.userGlobalSuppressionIgnore ?? new SuppressionIgnoreNever(),\n          this.packGlobalSuppressionIgnore ?? new SuppressionIgnoreNever(),\n          ignoreSuppressionCondition ?? new SuppressionIgnoreNever()\n        ).createMessage({\n          resource,\n          reason: suppression.reason,\n          ruleId,\n          findingId,\n          ruleLevel: level,\n        });\n        if (ignoreMessage) {\n          let id = findingId ? `${ruleId}[${findingId}]` : `${ruleId}`;\n          Annotations.of(resource).addInfo(\n            `The suppression for ${id} was ignored for the following reason(s).\\n\\t${ignoreMessage}`\n          );\n        } else {\n          if (!suppression.appliesTo) {\n            // the rule is not granular so it always applies\n            return suppression.reason;\n          } else {\n            return `[${findingId}] ${suppression.reason}`;\n          }\n        }\n      }\n    }\n    return '';\n  }\n\n  private isNonCompliant(ruleResult: NagRuleResult) {\n    return (\n      ruleResult === NagRuleCompliance.NON_COMPLIANT ||\n      Array.isArray(ruleResult)\n    );\n  }\n\n  private asFindings(ruleResult: NagRuleResult): NagRuleFindings {\n    if (Array.isArray(ruleResult)) {\n      return ruleResult;\n    } else {\n      return [''];\n    }\n  }\n}\n"]}