add rules

Author: pethers

src/main/java/com/hack23/sonar/cloudformation/CloudformationQualityProfile.java

@@ -68,6 +68,10 @@ public final class CloudformationQualityProfile implements BuiltInQualityProfile
 		SUPPORTED_RULES.add("F35");
 		SUPPORTED_RULES.add("F36");
 		SUPPORTED_RULES.add("F37");		
+		SUPPORTED_RULES.add("F38");		
+		SUPPORTED_RULES.add("F39");		
+		SUPPORTED_RULES.add("F40");		
+		SUPPORTED_RULES.add("F50");		
 
 		SUPPORTED_RULES.add("F665");
 		SUPPORTED_RULES.add("F1000");
@@ -101,6 +105,8 @@ public final class CloudformationQualityProfile implements BuiltInQualityProfile
 		SUPPORTED_RULES.add("W33");
 		SUPPORTED_RULES.add("W34");
 		SUPPORTED_RULES.add("W35");
+		SUPPORTED_RULES.add("W36");
+		SUPPORTED_RULES.add("W37");
 
 	}
 

src/main/resources/cloudformation-rules.xml

@@ -552,6 +552,66 @@
 		<tag>owasp-a6</tag>
 		<remediationFunction>CONSTANT_ISSUE</remediationFunction>
         <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort>
+     </rule>
+	<rule>
+		<key>F38</key>
+		<name>IAM role should not allow * resource with PassRole action on its permissions policy.</name>
+		<internalKey>F38</internalKey>
+		<description>IAM role should not allow * resource with PassRole action on its permissions policy.</description>
+		<severity>BLOCKER</severity>
+		<cardinality>SINGLE</cardinality>
+		<status>READY</status>
+		<type>VULNERABILITY</type>
+		<tag>security</tag>
+		<tag>cfn-nag</tag>	
+		<tag>owasp-a6</tag>
+		<remediationFunction>CONSTANT_ISSUE</remediationFunction>
+        <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort>
+     </rule>
+	<rule>
+		<key>F39</key>
+		<name>IAM policy should not allow * resource with PassRole action.</name>
+		<internalKey>F39</internalKey>
+		<description>IAM policy should not allow * resource with PassRole action.</description>
+		<severity>BLOCKER</severity>
+		<cardinality>SINGLE</cardinality>
+		<status>READY</status>
+		<type>VULNERABILITY</type>
+		<tag>security</tag>
+		<tag>cfn-nag</tag>	
+		<tag>owasp-a6</tag>
+		<remediationFunction>CONSTANT_ISSUE</remediationFunction>
+        <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort>
+     </rule>
+	<rule>
+		<key>F40</key>
+		<name>IAM managed policy should not allow a * resource with PassRole action.</name>
+		<internalKey>F40</internalKey>
+		<description>IAM managed policy should not allow a * resource with PassRole action.</description>
+		<severity>BLOCKER</severity>
+		<cardinality>SINGLE</cardinality>
+		<status>READY</status>
+		<type>VULNERABILITY</type>
+		<tag>security</tag>
+		<tag>cfn-nag</tag>	
+		<tag>owasp-a6</tag>
+		<remediationFunction>CONSTANT_ISSUE</remediationFunction>
+        <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort>
+     </rule>
+	<rule>
+		<key>F50</key>
+		<name>Amplify App BasicAuthConfig Password must not be a plaintext string or a Ref to a NoEcho Parameter with a Default value.</name>
+		<internalKey>F50</internalKey>
+		<description>Amplify App BasicAuthConfig Password must not be a plaintext string or a Ref to a NoEcho Parameter with a Default value.</description>
+		<severity>BLOCKER</severity>
+		<cardinality>SINGLE</cardinality>
+		<status>READY</status>
+		<type>VULNERABILITY</type>
+		<tag>security</tag>
+		<tag>cfn-nag</tag>	
+		<tag>owasp-a6</tag>
+		<remediationFunction>CONSTANT_ISSUE</remediationFunction>
+        <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort>
      </rule>
 	<rule>
 		<key>F665</key>
@@ -1042,5 +1102,37 @@
 		<tag>owasp-a10</tag>
 		<remediationFunction>CONSTANT_ISSUE</remediationFunction>
         <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort>
-     </rule>          
+     </rule>   
+	<rule>
+		<key>W36</key>
+		<name>Security group rules without a description</name>
+		<internalKey>W36</internalKey>
+		<description>Security group rules without a description obscure their purpose and may lead to bad practices in ensuring they only allow traffic from the ports and sources/destinations required.</description>
+		<severity>MAJOR</severity>
+		<cardinality>SINGLE</cardinality>
+		<status>READY</status>
+		<type>VULNERABILITY</type>
+		<tag>security</tag>
+		<tag>cfn-nag</tag>	
+		<tag>owasp-a6</tag>
+		<tag>cweid-732</tag>		
+		<remediationFunction>CONSTANT_ISSUE</remediationFunction>
+        <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort>
+     </rule>
+	<rule>
+		<key>W37</key>
+		<name>EBS Volume should specify a KmsKeyId value</name>
+		<internalKey>W37</internalKey>
+		<description>EBS Volume should specify a KmsKeyId value</description>
+		<severity>MAJOR</severity>
+		<cardinality>SINGLE</cardinality>
+		<status>READY</status>
+		<type>VULNERABILITY</type>
+		<tag>security</tag>
+		<tag>cfn-nag</tag>	
+		<tag>owasp-a6</tag>
+		<tag>cweid-311</tag>		
+		<remediationFunction>CONSTANT_ISSUE</remediationFunction>
+        <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort>
+     </rule>     
 </cloudformation-rules>

src/test/java/com/hack23/sonar/cloudformation/CloudformationQualityProfileTest.java

@@ -39,7 +39,7 @@ public void defineTest() {
 		final BuiltInQualityProfile qualityProfile = context.profile(CloudformationLanguage.KEY,"Cloudformation Rules");
 		assertNotNull(qualityProfile);
 		assertTrue(qualityProfile.isDefault());
-		assertEquals(66,qualityProfile.rules().size());
+		assertEquals(72,qualityProfile.rules().size());
 
 
 	}