Only filter out fatal errors rather than actual violations (#556)

* Only filter out fatal errors rather than actual violations Fixes #555 * Add tests
stelligent · Jun 15, 2021 · 6eaefdd · 6eaefdd
1 parent dde65bf
commit 6eaefdd
Show file tree

Hide file tree

Showing 4 changed files with 42 additions and 2 deletions.
diff --git a/lib/cfn-nag/cfn_nag.rb b/lib/cfn-nag/cfn_nag.rb
@@ -107,7 +107,7 @@ def audit(cloudformation_string:, parameter_values_string: nil, condition_values
   end
 
   def prune_fatal_violations(violations)
-    violations.reject { |violation| violation.type == Violation::FAILING_VIOLATION }
+    violations.reject { |violation| violation.id == 'FATAL' }
   end
 
   def render_results(aggregate_results:,

diff --git a/spec/cfn_nag_integration/cfn_nag_executor_spec.rb b/spec/cfn_nag_integration/cfn_nag_executor_spec.rb
@@ -140,7 +140,6 @@
       cli_options = @default_cli_options.clone
       cli_options[:input_path] = 'spec/test_templates/json/neptune'
       expect(Options).to receive(:scan_options).and_return(cli_options)
-      puts cli_options
 
       cfn_nag_executor = CfnNagExecutor.new
 
@@ -200,4 +199,34 @@
       expect {Options.for('invalid')}.to raise_error(RuntimeError)
     end
   end
+
+  context 'multi file cfn_nag with ignore fatal' do
+    it 'returns failed result' do
+      cli_options = @default_cli_options.clone
+      cli_options[:input_path] = 'spec/test_templates/yaml/ignore_fatal'
+      cli_options[:ignore_fatal] = true
+      expect(Options).to receive(:scan_options).and_return(cli_options)
+
+      cfn_nag_executor = CfnNagExecutor.new
+
+      result = cfn_nag_executor.scan(options_type: 'scan')
+
+      expect(result).to eq 1
+    end
+  end
+
+  context 'multi file cfn_nag not ignornig fatal errors' do
+    it 'returns two failed results' do
+      cli_options = @default_cli_options.clone
+      cli_options[:input_path] = 'spec/test_templates/yaml/ignore_fatal'
+      cli_options[:ignore_fatal] = false
+      expect(Options).to receive(:scan_options).and_return(cli_options)
+
+      cfn_nag_executor = CfnNagExecutor.new
+
+      result = cfn_nag_executor.scan(options_type: 'scan')
+
+      expect(result).to eq 2
+    end
+  end
 end
diff --git a/spec/test_templates/yaml/ignore_fatal/iam_user_login_profile_password_not_set.yaml b/spec/test_templates/yaml/ignore_fatal/iam_user_login_profile_password_not_set.yaml
@@ -0,0 +1,7 @@
+---
+Resources:
+  IAMUser:
+    Type: AWS::IAM::User
+    Properties: 
+      LoginProfile: 
+        PasswordResetRequired: True
diff --git a/spec/test_templates/yaml/ignore_fatal/non_cfn.yml b/spec/test_templates/yaml/ignore_fatal/non_cfn.yml
@@ -0,0 +1,4 @@
+TestYaml:
+  Hello:
+    - example
+    - list