Update Network ACL overlapping port rule (Fixes #487, #483) #491
Conversation
…stelligent#483) - Test for port values from references - Test for entries without logical nacl resource - Test for correctly evaluating metadata to ignore warning Fix up various linting errors in yaml templates Refactor nacl grouping logic
| end | ||
|
|
||
| def tcp_or_udp_protocol?(entry1, entry2) | ||
| %w[6 17].include?(entry1.protocol.to_s) && %w[6 17].include?(entry2.protocol.to_s) | ||
| def valid_ports?(entry) |
There was a problem hiding this comment.
When running the test cfn_nag_scan --input-path spec/test_templates/yaml/ec2_networkaclentry/ec2_networkaclentry_missing_port_range.yml, we fail here with this response:
Traceback (most recent call last):
21: from /Users/stephengoncher/.rvm/gems/ruby-2.6.6/bin/ruby_executable_hooks:24:in<main>' 20: from /Users/stephengoncher/.rvm/gems/ruby-2.6.6/bin/ruby_executable_hooks:24:ineval'
19: from /Users/stephengoncher/.rvm/gems/ruby-2.6.6/bin/cfn_nag_scan:23:in<main>' 18: from /Users/stephengoncher/.rvm/gems/ruby-2.6.6/bin/cfn_nag_scan:23:inload'
17: from /private/tmp/arothian_cfn_nag/bin/cfn_nag_scan:11:in<top (required)>' 16: from /private/tmp/arothian_cfn_nag/lib/cfn-nag/cfn_nag_executor.rb:30:inscan'
15: from /private/tmp/arothian_cfn_nag/lib/cfn-nag/cfn_nag_executor.rb:50:inexecute_aggregate_scan' 14: from /private/tmp/arothian_cfn_nag/lib/cfn-nag/cfn_nag.rb:34:inaudit_aggregate_across_files_and_render_results'
13: from /private/tmp/arothian_cfn_nag/lib/cfn-nag/cfn_nag.rb:64:inaudit_aggregate_across_files' 12: from /private/tmp/arothian_cfn_nag/lib/cfn-nag/cfn_nag.rb:64:ineach'
11: from /private/tmp/arothian_cfn_nag/lib/cfn-nag/cfn_nag.rb:67:inblock in audit_aggregate_across_files' 10: from /private/tmp/arothian_cfn_nag/lib/cfn-nag/cfn_nag.rb:91:inaudit'
9: from /private/tmp/arothian_cfn_nag/lib/cfn-nag/custom_rule_loader.rb:64:inexecute_custom_rules' 8: from /private/tmp/arothian_cfn_nag/lib/cfn-nag/custom_rule_loader.rb:81:infilter_rule_classes'
7: from /Users/stephengoncher/.rvm/rubies/ruby-2.6.6/lib/ruby/2.6.0/set.rb:338:ineach' 6: from /Users/stephengoncher/.rvm/rubies/ruby-2.6.6/lib/ruby/2.6.0/set.rb:338:ineach_key'
5: from /private/tmp/arothian_cfn_nag/lib/cfn-nag/custom_rule_loader.rb:91:inblock in filter_rule_classes' 4: from /private/tmp/arothian_cfn_nag/lib/cfn-nag/custom_rules/base.rb:19:inaudit'
3: from /private/tmp/arothian_cfn_nag/lib/cfn-nag/custom_rules/EC2NetworkAclEntryOverlappingPortsRule.rb:24:inaudit_impl' 2: from /private/tmp/arothian_cfn_nag/lib/cfn-nag/custom_rules/EC2NetworkAclEntryOverlappingPortsRule.rb:24:inselect!'
1: from /private/tmp/arothian_cfn_nag/lib/cfn-nag/custom_rules/EC2NetworkAclEntryOverlappingPortsRule.rb:25:inblock in audit_impl' /private/tmp/arothian_cfn_nag/lib/cfn-nag/custom_rules/EC2NetworkAclEntryOverlappingPortsRule.rb:46:invalid_ports?': undefined method `[]' for nil:NilClass (NoMethodError)
Fix issue with evaluating NACL entries using non-literal ports
Fix issue with evaluating NACL entries without direct NACL resource in the same template
Fix issue with metadata not ignoring warnings on NACL entries
Fix up various lint errors in yaml test templates
Refactor NACL grouping logic