From ee87c543b79ba6ee019ff2e26f1746e4a5c112f9 Mon Sep 17 00:00:00 2001
From: Saurabh Chakraborthy
Date: Sat, 18 Nov 2023 20:34:54 +0530
Subject: [PATCH] Add compliant and non-compliant examples of aws-kmskey-encryption-cdk, api-logging-disabled-cdk

---
 .../api_logging_disabled_cdk.ts | 51 +++++++++++++++++
 .../aws_kmskey_encryption_cdk.ts | 55 +++++++++++++++++++
 2 files changed, 106 insertions(+)
 create mode 100644 src/typescript/detector/high/api_logging_disabled_cdk/api_logging_disabled_cdk.ts
 create mode 100644 src/typescript/detector/high/aws_kmskey_encryption_cdk/aws_kmskey_encryption_cdk.ts

diff --git a/src/typescript/detector/high/api_logging_disabled_cdk/api_logging_disabled_cdk.ts b/src/typescript/detector/high/api_logging_disabled_cdk/api_logging_disabled_cdk.ts
new file mode 100644
index 0000000..827c483
--- /dev/null
+++ b/src/typescript/detector/high/api_logging_disabled_cdk/api_logging_disabled_cdk.ts
@@ -0,0 +1,51 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+
+// {fact rule=api-logging-disabled-cdk@v1.0 defects=1}
+import * as cdk from "@aws-cdk/core"
+import { CfnStage as CfnV2Stage } from "aws-cdk-lib/aws-apigatewayv2"
+import { Stack } from "aws-cdk-lib/core"
+
+
+export class CdkStarterStack extends cdk.Stack {
+
+ constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
+ super(scope, id, props)
+
+ // Noncompliant: Logging disabled
+ new CfnV2Stage(Stack, "rHttpApiDefaultStage", {
+ apiId: "foo",
+ stageName: "baz"
+ })
+
+ }
+}
+// {/fact}
+
+// {fact rule=api-logging-disabled-cdk@v1.0 defects=0}
+import * as cdk from "@aws-cdk/core"
+import { CfnStage as CfnV2Stage } from "aws-cdk-lib/aws-apigatewayv2"
+import { Stack } from "aws-cdk-lib/core"
+
+
+export class CdkStarterStack extends cdk.Stack {
+
+ constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
+ super(scope, id, props);
+
+ // Compliant: Logging present
+ new CfnV2Stage(Stack, "rStage", {
+ accessLogSettings: {
+ destinationArn: "foo",
+ format: "$context.requestId"
+ },
+ apiId: "bar",
+ stageName: "baz"
+ })
+
+ }
+}
+// {/fact}
diff --git a/src/typescript/detector/high/aws_kmskey_encryption_cdk/aws_kmskey_encryption_cdk.ts b/src/typescript/detector/high/aws_kmskey_encryption_cdk/aws_kmskey_encryption_cdk.ts
new file mode 100644
index 0000000..1680620
--- /dev/null
+++ b/src/typescript/detector/high/aws_kmskey_encryption_cdk/aws_kmskey_encryption_cdk.ts
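Review bot: Both `new CfnV2Stage(...)` calls pass the imported `Stack` class as the construct scope instead of the enclosing stack instance; a construct's first argument is its parent construct, so the lines should read `new CfnV2Stage(this, "rHttpApiDefaultStage", {` and `new CfnV2Stage(this, "rStage", {`. The same pattern appears in the second file of this patch (`new Project(Stack, ...)` and `new Key(Stack, ...)`), and the `Stack` import becomes unused once `this` is the scope. The class also extends `cdk.Stack` from `@aws-cdk/core` (CDK v1) while the constructs come from `aws-cdk-lib` (v2); mixing the two package lines is presumably unintended for fixture code. If the detector only pattern-matches these blocks this may not matter, but as written the examples would not synthesize.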
@@ -0,0 +1,55 @@
+/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+
+// {fact rule=aws-kmskey-encryption-cdk@v1.0 defects=1}
+import { BuildSpec, Project } from "aws-cdk-lib/aws-codebuild";
+import * as cdk from "@aws-cdk/core";
+import { Stack } from "aws-cdk-lib/core";
+
+
+export class CdkStarterStack extends cdk.Stack {
+ constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
+ super(scope, id, props);
+
+ //Noncompliant: KMS key encryption configuration is not present
+ new Project(Stack, "rBuildProject", {
+ buildSpec: BuildSpec.fromObjectToYaml(
+ {
+ version: 0.2,
+ phases: {
+ build: { commands: ['echo "foo"'], } }
+ }
+ )
+ });
+ }
+}
+// {/fact}
+
+// {fact rule=aws-kmskey-encryption-cdk@v1.0 defects=0}
+import { BuildSpec, Project } from "aws-cdk-lib/aws-codebuild";
+import * as cdk from "@aws-cdk/core";
+import { Stack } from "aws-cdk-lib/core";
+import { Key } from "aws-cdk-lib/aws-kms";
+
+
+export class CdkStarterStack extends cdk.Stack {
+ constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
+ super(scope, id, props);
+
+ //Compliant: KMS key encryption configuration is present
+ new Project(Stack, "rBuildProject", {
+ buildSpec: BuildSpec.fromObjectToYaml(
+ {
+ version: 0.2,
+ phases: {
+ build: { commands: ['echo "foo"'] }
+ }
+ }),
+ encryptionKey: new Key(Stack, "rBuildKey")
+
+ });
+ }
+}
+// {/fact}
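Review bot: The noncompliant example closes the `phases` object on the same line as `build` (`build: { commands: ['echo "foo"'], } }`) while the compliant example puts that closing brace on its own line; the two fixtures should share the same layout so the only visible difference is the `encryptionKey` property the rule is about, i.e. `build: { commands: ['echo "foo"'] }` followed by `}` on the next line as in the compliant block. The compliant example creates the customer-managed key without `enableKeyRotation: true`; if the fixture is meant to model recommended configuration rather than the bare minimum the rule checks, adding that property with a comment such as `// Rotation is outside this rule's scope; enabled as baseline key hygiene` would keep readers from copying a minimal key definition. The comment prefixes `//Noncompliant` and `//Compliant` also lack the space after `//` used in the api_logging_disabled_cdk file of this same patch.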