prepare release of legacy version.

Author: pethers

pom.xml

@@ -8,7 +8,7 @@
   </parent>
   <groupId>com.hack23.sonar</groupId>
   <artifactId>sonar-cloudformation-plugin</artifactId>
-  <version>1.6.0</version>
+  <version>1.6.1-SNAPSHOT</version>
   <packaging>sonar-plugin</packaging>
   <name>Sonar cloudformation plugin</name>
   <url>https://hack23.github.io/sonar-cloudformation-plugin/</url>
@@ -30,7 +30,7 @@
   <scm>
     <connection>scm:git:https://github.com/Hack23/sonar-cloudformation-plugin.git</connection>
     <developerConnection>scm:git:https://github.com/Hack23/sonar-cloudformation-plugin.git</developerConnection>
-    <tag>sonar-cloudformation-plugin-1.6.0</tag>
+    <tag>HEAD</tag>
     <url>https://github.com/Hack23/sonar-cloudformation-plugin</url>
   </scm>
   <issueManagement>
@@ -100,7 +100,7 @@
     <dependency>
       <groupId>org.apache.commons</groupId>
       <artifactId>commons-lang3</artifactId>
-      <version>3.9</version>
+      <version>3.10</version>
     </dependency>
     <dependency>
       <groupId>com.fasterxml.staxmate</groupId>
@@ -110,7 +110,7 @@
     <dependency>
       <groupId>com.fasterxml.jackson.core</groupId>
       <artifactId>jackson-databind</artifactId>
-      <version>2.10.3</version>
+      <version>2.11.0</version>
     </dependency>
     <dependency>
       <groupId>junit</groupId>
@@ -127,7 +127,7 @@
     <dependency>
       <groupId>org.mockito</groupId>
       <artifactId>mockito-core</artifactId>
-      <version>3.3.3</version>
+      <version>3.3.9</version>
       <scope>test</scope>
     </dependency>
   </dependencies>
@@ -157,11 +157,11 @@
   </pluginRepositories>
   <build>
     <pluginManagement>
-      <plugins> 
+      <plugins>
 		<plugin>
 			<groupId>org.owasp</groupId>
 			<artifactId>dependency-check-maven</artifactId>
-			<version>5.3.1</version>
+			<version>5.3.2</version>
 			<dependencies>
 				<dependency>
 					<groupId>com.h2database</groupId>
@@ -183,7 +183,7 @@
         <plugin>
           <groupId>org.apache.maven.plugins</groupId>
           <artifactId>maven-gpg-plugin</artifactId>
-          <version>1.6</version>
+          <version>3.0.0</version>
         </plugin>
         <plugin>
           <groupId>org.apache.maven.plugins</groupId>
@@ -366,7 +366,7 @@
           <docletArtifact>
             <groupId>nl.talsmasoftware</groupId>
             <artifactId>umldoclet</artifactId>
-            <version>2.0.8</version>
+            <version>2.0.9</version>
           </docletArtifact>
           <useStandardDocletOptions>true</useStandardDocletOptions>
           <charset>UTF-8</charset>
@@ -496,7 +496,7 @@
           </plugin>
           <plugin>
             <artifactId>maven-source-plugin</artifactId>
-            <version>3.0.1</version>
+            <version>3.2.1</version>
             <executions>
               <execution>
                 <id>bundle-sources</id>

src/main/java/com/hack23/sonar/cloudformation/CloudformationQualityProfile.java

@@ -107,6 +107,9 @@ public final class CloudformationQualityProfile implements BuiltInQualityProfile
 		SUPPORTED_RULES.add("F76");
 		SUPPORTED_RULES.add("F77");
 		SUPPORTED_RULES.add("F78");
+		SUPPORTED_RULES.add("F79");
+		SUPPORTED_RULES.add("F80");
+
 		SUPPORTED_RULES.add("F665");
 		SUPPORTED_RULES.add("F1000");
 		SUPPORTED_RULES.add("F2000");
@@ -173,6 +176,15 @@ public final class CloudformationQualityProfile implements BuiltInQualityProfile
 		SUPPORTED_RULES.add("W67");
 		SUPPORTED_RULES.add("W68");
 		SUPPORTED_RULES.add("W69");
+		SUPPORTED_RULES.add("W70");
+		SUPPORTED_RULES.add("W71");
+		SUPPORTED_RULES.add("W72");
+		SUPPORTED_RULES.add("W73");
+		SUPPORTED_RULES.add("W74");
+		SUPPORTED_RULES.add("W75");
+
+		SUPPORTED_RULES.add("W1200");
+		SUPPORTED_RULES.add("W1201");
 	}
 
 	public static boolean hasRule(final String id) {

src/main/resources/cloudformation-rules.xml

@@ -1179,6 +1179,38 @@
 		<tag>cweid-308</tag>
 		<remediationFunction>CONSTANT_ISSUE</remediationFunction>
         <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort>
+     </rule>
+	<rule>
+		<key>F79</key>
+		<name>A NetworkACL's rule numbers cannot be repeated unless one is egress and one is ingress.</name>
+		<internalKey>F79</internalKey>
+		<description>A NetworkACL's rule numbers cannot be repeated unless one is egress and one is ingress.</description>
+		<severity>BLOCKER</severity>
+		<cardinality>SINGLE</cardinality>
+		<status>READY</status>
+		<type>VULNERABILITY</type>
+		<tag>security</tag>
+		<tag>cfn-nag</tag>
+		<tag>owasp-a6</tag>
+		<tag>cweid-284</tag>
+		<remediationFunction>CONSTANT_ISSUE</remediationFunction>
+        <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort>
+     </rule>
+	<rule>
+		<key>F80</key>
+		<name>RDS instance should have deletion protection enabled.</name>
+		<internalKey>F80</internalKey>
+		<description>RDS instance should have deletion protection enabled.</description>
+		<severity>BLOCKER</severity>
+		<cardinality>SINGLE</cardinality>
+		<status>READY</status>
+		<type>VULNERABILITY</type>
+		<tag>security</tag>
+		<tag>cfn-nag</tag>
+		<tag>owasp-a6</tag>
+		<tag>cweid-693</tag>
+		<remediationFunction>CONSTANT_ISSUE</remediationFunction>
+        <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort>
      </rule>
 	<rule>
 		<key>F665</key>
@@ -1835,7 +1867,6 @@
 		<remediationFunction>CONSTANT_ISSUE</remediationFunction>
         <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort>
      </rule>
-
 	<rule>
 		<key>W46</key>
 		<name>ApiGateway V2 should have access logging configured</name>
@@ -1852,8 +1883,6 @@
 		<remediationFunction>CONSTANT_ISSUE</remediationFunction>
         <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort>
      </rule>
-
-
 	<rule>
 		<key>W47</key>
 		<name>SNS Topic should specify KmsMasterKeyId property</name>
@@ -1934,7 +1963,6 @@
 		<remediationFunction>CONSTANT_ISSUE</remediationFunction>
         <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort>
      </rule>
-
 	<rule>
 		<key>W52</key>
 		<name>Elastic Load Balancer V2 should have access logging enabled</name>
@@ -2015,8 +2043,6 @@
 		<remediationFunction>CONSTANT_ISSUE</remediationFunction>
         <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort>
      </rule>
-
-
      <rule>
 		<key>W57</key>
 		<name>AWS::Cognito::IdentityPool AllowUnauthenticatedIdentities property should be false but CAN be true if proper restrictive IAM roles and permissions are established for unauthenticated users.</name>
@@ -2129,8 +2155,6 @@
 		<remediationFunction>CONSTANT_ISSUE</remediationFunction>
         <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort>
      </rule>
-
-
     <rule>
 		<key>W64</key>
 		<name>AWS::ApiGateway::Stage resources should be associated with an AWS::ApiGateway::UsagePlan.</name>
@@ -2146,9 +2170,6 @@
 		<remediationFunction>CONSTANT_ISSUE</remediationFunction>
         <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort>
      </rule>
-
-
-
      <rule>
 		<key>W65</key>
 		<name>GameLift fleet EC2InboundPermissions found with port range instead of just a single port</name>
@@ -2165,7 +2186,6 @@
 		<remediationFunction>CONSTANT_ISSUE</remediationFunction>
         <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort>
      </rule>
-
 	<rule>
 		<key>W66</key>
 		<name>To avoid opening all ports for Allow rules, EC2 NetworkACL Entry Protocol should be specified</name>
@@ -2230,4 +2250,130 @@
 		<remediationFunction>CONSTANT_ISSUE</remediationFunction>
         <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort>
      </rule>
+      <rule>
+		<key>W70</key>
+		<name>Cloudfront should use minimum protocol version TLS 1.2</name>
+		<internalKey>W70</internalKey>
+		<description>Cloudfront should use minimum protocol version TLS 1.2</description>
+		<severity>BLOCKER</severity>
+		<cardinality>SINGLE</cardinality>
+		<status>READY</status>
+		<type>VULNERABILITY</type>
+		<tag>security</tag>
+		<tag>cfn-nag</tag>
+		<tag>owasp-a6</tag>
+		<tag>cweid-326</tag>
+		<remediationFunction>CONSTANT_ISSUE</remediationFunction>
+        <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort>
+     </rule>
+     <rule>
+		<key>W71</key>
+		<name>NetworkACL Entry Deny rules should affect all CIDR ranges.</name>
+		<internalKey>W71</internalKey>
+		<description>NetworkACL Entry Deny rules should affect all CIDR ranges.</description>
+		<severity>BLOCKER</severity>
+		<cardinality>SINGLE</cardinality>
+		<status>READY</status>
+		<type>VULNERABILITY</type>
+		<tag>security</tag>
+		<tag>cfn-nag</tag>
+		<tag>owasp-a6</tag>
+		<tag>cweid-284</tag>
+		<remediationFunction>CONSTANT_ISSUE</remediationFunction>
+        <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort>
+     </rule>
+     <rule>
+		<key>W72</key>
+		<name>NetworkACL Entries are reusing or overlapping ports which may create ineffective rules.</name>
+		<internalKey>W72</internalKey>
+		<description>NetworkACL Entries are reusing or overlapping ports which may create ineffective rules.</description>
+		<severity>BLOCKER</severity>
+		<cardinality>SINGLE</cardinality>
+		<status>READY</status>
+		<type>VULNERABILITY</type>
+		<tag>security</tag>
+		<tag>cfn-nag</tag>
+		<tag>owasp-a6</tag>
+		<tag>cweid-284</tag>
+		<remediationFunction>CONSTANT_ISSUE</remediationFunction>
+        <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort>
+     </rule>
+     <rule>
+		<key>W73</key>
+		<name>DynamoDB table should have billing mode set to either PAY_PER_REQUEST or PROVISIONED</name>
+		<internalKey>W73</internalKey>
+		<description>DynamoDB table should have billing mode set to either PAY_PER_REQUEST or PROVISIONED</description>
+		<severity>MAJOR</severity>
+		<cardinality>SINGLE</cardinality>
+		<status>READY</status>
+		<type>VULNERABILITY</type>
+		<tag>security</tag>
+		<tag>cfn-nag</tag>
+		<remediationFunction>CONSTANT_ISSUE</remediationFunction>
+        <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort>
+     </rule>
+     <rule>
+		<key>W74</key>
+		<name>DynamoDB table should have encryption enabled using a CMK stored in KMS</name>
+		<internalKey>W74</internalKey>
+		<description>DynamoDB table should have encryption enabled using a CMK stored in KMS</description>
+		<severity>BLOCKER</severity>
+		<cardinality>SINGLE</cardinality>
+		<status>READY</status>
+		<type>VULNERABILITY</type>
+		<tag>security</tag>
+		<tag>cfn-nag</tag>
+		<tag>owasp-a6</tag>
+		<tag>cweid-311</tag>
+		<remediationFunction>CONSTANT_ISSUE</remediationFunction>
+        <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort>
+     </rule>
+     <rule>
+		<key>W75</key>
+		<name>RDS instance should have backup retention period greater than 0.</name>
+		<internalKey>W75</internalKey>
+		<description>RDS instance should have backup retention period greater than 0.</description>
+		<severity>BLOCKER</severity>
+		<cardinality>SINGLE</cardinality>
+		<status>READY</status>
+		<type>VULNERABILITY</type>
+		<tag>security</tag>
+		<tag>cfn-nag</tag>
+		<tag>owasp-a6</tag>
+		<tag>cweid-693</tag>
+		<remediationFunction>CONSTANT_ISSUE</remediationFunction>
+        <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort>
+     </rule>
+	 <rule>
+		<key>W1200</key>
+		<name>SageMaker EndpointConfig should have a KmsKeyId property set.</name>
+		<internalKey>W1200</internalKey>
+		<description>SageMaker EndpointConfig should have a KmsKeyId property set.</description>
+		<severity>BLOCKER</severity>
+		<cardinality>SINGLE</cardinality>
+		<status>READY</status>
+		<type>VULNERABILITY</type>
+		<tag>security</tag>
+		<tag>cfn-nag</tag>
+		<tag>owasp-a6</tag>
+		<tag>cweid-311</tag>
+		<remediationFunction>CONSTANT_ISSUE</remediationFunction>
+        <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort>
+    </rule>
+	<rule>
+		<key>W1201</key>
+		<name>SageMaker NotebookInstance should have a KmsKeyId property set.</name>
+		<internalKey>W1201</internalKey>
+		<description>SageMaker NotebookInstance should have a KmsKeyId property set.</description>
+		<severity>BLOCKER</severity>
+		<cardinality>SINGLE</cardinality>
+		<status>READY</status>
+		<type>VULNERABILITY</type>
+		<tag>security</tag>
+		<tag>cfn-nag</tag>
+		<tag>owasp-a6</tag>
+		<tag>cweid-311</tag>
+		<remediationFunction>CONSTANT_ISSUE</remediationFunction>
+        <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort>
+     </rule>
 </cloudformation-rules>

src/test/java/com/hack23/sonar/cloudformation/CloudformationQualityProfileTest.java

@@ -39,7 +39,7 @@ public void defineTest() {
 		final BuiltInQualityProfile qualityProfile = context.profile(CloudformationLanguage.KEY,"Cloudformation Rules");
 		assertNotNull(qualityProfile);
 		assertTrue(qualityProfile.isDefault());
-		assertEquals(139,qualityProfile.rules().size());
+		assertEquals(149,qualityProfile.rules().size());
 	}
 
 }