From 6eaefddba07e131e13b2220e6106d42e0adbd52d Mon Sep 17 00:00:00 2001
From: Kevin Formsma
Date: Tue, 15 Jun 2021 18:09:14 -0400
Subject: [PATCH] Only filter out fatal errors rather than actual violations (#556)
* Only filter out fatal errors rather than actual violations
Fixes #555
* Add tests
---
 lib/cfn-nag/cfn_nag.rb | 2 +-
 .../cfn_nag_executor_spec.rb | 31 ++++++++++++++++++-
 ...m_user_login_profile_password_not_set.yaml | 7 +++++
 .../yaml/ignore_fatal/non_cfn.yml | 4 +++
 4 files changed, 42 insertions(+), 2 deletions(-)
 create mode 100644 spec/test_templates/yaml/ignore_fatal/iam_user_login_profile_password_not_set.yaml
 create mode 100644 spec/test_templates/yaml/ignore_fatal/non_cfn.yml
diff --git a/lib/cfn-nag/cfn_nag.rb b/lib/cfn-nag/cfn_nag.rb
index 812318f1..ebee3a16 100644
--- a/lib/cfn-nag/cfn_nag.rb
+++ b/lib/cfn-nag/cfn_nag.rb
@@ -107,7 +107,7 @@ def audit(cloudformation_string:, parameter_values_string: nil, condition_values
 end
 def prune_fatal_violations(violations)
- violations.reject { |violation| violation.type == Violation::FAILING_VIOLATION }
+ violations.reject { |violation| violation.id == 'FATAL' }
 end
 def render_results(aggregate_results:,
diff --git a/spec/cfn_nag_integration/cfn_nag_executor_spec.rb b/spec/cfn_nag_integration/cfn_nag_executor_spec.rb
index dd720574..06e75072 100644
--- a/spec/cfn_nag_integration/cfn_nag_executor_spec.rb
+++ b/spec/cfn_nag_integration/cfn_nag_executor_spec.rb
@@ -140,7 +140,6 @@
 cli_options = @default_cli_options.clone
 cli_options[:input_path] = 'spec/test_templates/json/neptune'
 expect(Options).to receive(:scan_options).and_return(cli_options)
- puts cli_options
 cfn_nag_executor = CfnNagExecutor.new
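Review bot: The new `violation.id == 'FATAL'` test in prune_fatal_violations pins the --ignore-fatal filter to a bare string literal that has to stay in sync with wherever fatal violations are constructed, and a mismatch on either side would silently prune nothing or prune the wrong thing again; define the id once, e.g. `FATAL_VIOLATION_ID = 'FATAL'`, next to where fatal violations are built and compare against that constant here. Since this is the exact line #555 was in, the method should also carry a comment stating the contract: `# Drop only FATAL pseudo-violations (per the new non_cfn.yml fixture these appear to be non-template/parse failures); genuine rule failures must survive --ignore-fatal (#555)`. It is worth adding to that comment that a file whose FATAL entry is pruned here was never audited, so the caller's result says nothing about its contents.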
@@ -200,4 +199,34 @@
 expect {Options.for('invalid')}.to raise_error(RuntimeError)
 end
 end
+
+ context 'multi file cfn_nag with ignore fatal' do
+ it 'returns failed result' do
+ cli_options = @default_cli_options.clone
+ cli_options[:input_path] = 'spec/test_templates/yaml/ignore_fatal'
+ cli_options[:ignore_fatal] = true
+ expect(Options).to receive(:scan_options).and_return(cli_options)
+
+ cfn_nag_executor = CfnNagExecutor.new
+
+ result = cfn_nag_executor.scan(options_type: 'scan')
+
+ expect(result).to eq 1
+ end
+ end
+
+ context 'multi file cfn_nag not ignornig fatal errors' do
+ it 'returns two failed results' do
+ cli_options = @default_cli_options.clone
+ cli_options[:input_path] = 'spec/test_templates/yaml/ignore_fatal'
+ cli_options[:ignore_fatal] = false
+ expect(Options).to receive(:scan_options).and_return(cli_options)
+
+ cfn_nag_executor = CfnNagExecutor.new
+
+ result = cfn_nag_executor.scan(options_type: 'scan')
+
+ expect(result).to eq 2
+ end
+ end
 end
diff --git a/spec/test_templates/yaml/ignore_fatal/iam_user_login_profile_password_not_set.yaml b/spec/test_templates/yaml/ignore_fatal/iam_user_login_profile_password_not_set.yaml
new file mode 100644
index 00000000..5ab254d9
--- /dev/null
+++ b/spec/test_templates/yaml/ignore_fatal/iam_user_login_profile_password_not_set.yaml
@@ -0,0 +1,7 @@
+---
+Resources:
+ IAMUser:
+ Type: AWS::IAM::User
+ Properties:
+ LoginProfile:
+ PasswordResetRequired: True
\ No newline at end of file
diff --git a/spec/test_templates/yaml/ignore_fatal/non_cfn.yml b/spec/test_templates/yaml/ignore_fatal/non_cfn.yml
new file mode 100644
index 00000000..d15a19f6
--- /dev/null
+++ b/spec/test_templates/yaml/ignore_fatal/non_cfn.yml
@@ -0,0 +1,4 @@
+TestYaml:
+ Hello:
+ - example
+ - list
\ No newline at end of file
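Review bot: Both new examples assert only the count returned by `scan` (`expect(result).to eq 1` and `expect(result).to eq 2`), so they would still pass if prune_fatal_violations kept the FATAL entry from non_cfn.yml and dropped the genuine IAM finding from iam_user_login_profile_password_not_set.yaml — the inversion #555 describes; if the executor exposes the aggregated results, assert which file or violation id survives with ignore_fatal enabled, otherwise add a unit-level example for `prune_fatal_violations` that checks the remaining violation's id. The second context description has a typo: `context 'multi file cfn_nag not ignornig fatal errors' do` should read `context 'multi file cfn_nag not ignoring fatal errors' do`. The two examples share identical setup apart from `cli_options[:ignore_fatal]`; a shared `before` block or helper would keep them in step if the fixture path changes.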