bug: CodeBuildProjectSourceRepoUrl is out of date #1590

Open
mskrip opened this issue Feb 8, 2024 · 1 comment
Labels
bug Something isn't working

mskrip commented Feb 8, 2024

What is the problem?

The current implementation of the check for CodeBuildProjectSourceRepoUrl checks whether the source of a CodeBuild project has OAUTH as its authentication type. The description of the rule says this should be applied only to GitHub or BitBucket sources, but as far as I understand the implementation, it ignores that part. Moreover, the current description of the rule is different now (https://docs.aws.amazon.com/config/latest/developerguide/codebuild-project-source-repo-url-check.html).

Old: The Codebuild project which utilizes either a GitHub or BitBucket repository does not utilize OAuth.

New: Checks if the Bitbucket source repository URL contains sign-in credentials or not. The rule is NON_COMPLIANT if the URL contains any sign-in information and COMPLIANT if it doesn't.

Reproduction Steps

I noticed this when creating a CDK pipeline with a GitHub repo as its source through a CodeStar connection:

        # Fragment from inside a Stack's __init__; needs `from aws_cdk import pipelines`.
        pipelines.CodePipeline(
            self,
            "pipeline",
            synth=pipelines.ShellStep(
                "synth",
                input=pipelines.CodePipelineSource.connection(
                    repo_string="repo",
                    branch="master",
                    connection_arn="<codestar connection ARN>"
                ),
                commands=[
                    "cdk synth '**'"
                ],
            ),
        )

This pipeline, AFAIK, creates 2 CodeBuild projects, neither of which has GitHub as its source; instead, the source for them is CODE_PIPELINE.

What did you expect to happen?

I expected the check for CodeBuildProjectSourceRepoUrl to just pass

What actually happened?

It didn't

cdk-nag version

2.28.27

Language

Python

Other information

No response

@mskrip mskrip added bug Something isn't working needs-triage This issue or PR still needs to be triaged. labels Feb 8, 2024
@dontirun dontirun removed the needs-triage This issue or PR still needs to be triaged. label Feb 20, 2024
@dontirun
Collaborator

Thanks for reporting! It looks like the CodeBuild Project CloudFormation resource has also had a number of updates, including SourceAuth being a console-only feature.

All to say that this rule needs some serious rework
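
Added example, not part of the issue thread and not cdk-nag's code: a sketch of a check scoped the way the rule descriptions quoted in the issue read, so that a project whose source is the pipeline is skipped and only a repository URL carrying sign-in data is flagged. The function name, the result strings, the in-scope type set and the sample values are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: source types in scope, read from the two rule descriptions
# quoted in the issue (GitHub and Bitbucket). Not cdk-nag's own list.
IN_SCOPE_TYPES = frozenset({"GITHUB", "BITBUCKET"})


def evaluate_source(source, in_scope=IN_SCOPE_TYPES):
    """Classify the Source property of an AWS::CodeBuild::Project resource.

    Returns COMPLIANT, NON_COMPLIANT, NOT_APPLICABLE or UNKNOWN.
    """
    source_type = source.get("Type")
    if not isinstance(source_type, str):
        return "UNKNOWN"  # unresolved intrinsic, e.g. {"Ref": ...}
    if source_type.upper() not in in_scope:
        return "NOT_APPLICABLE"  # e.g. CODEPIPELINE for pipeline-created projects

    location = source.get("Location")
    if not isinstance(location, str):
        return "UNKNOWN"  # URL is only known at deploy time
    try:
        parts = urlsplit(location)
    except ValueError:
        return "UNKNOWN"  # malformed URL, cannot be inspected
    # Userinfo before the host ("user:secret@" or "token@") is sign-in data.
    if parts.username or parts.password:
        return "NON_COMPLIANT"
    return "COMPLIANT"


# Constructed sample Source properties (placeholders, not real repos or secrets).
_BB = "bitbucket.org/example-org/example-repo.git"
_GH = "github.com/example-org/example-repo.git"
SAMPLES = {
    "pipeline_synth": {"Type": "CODEPIPELINE"},
    "bitbucket_user_pass": {"Type": "BITBUCKET", "Location": f"https://example-user:example-secret@{_BB}"},
    "github_token_only": {"Type": "GITHUB", "Location": f"https://example-token@{_GH}"},
    "github_clean": {"Type": "GITHUB", "Location": f"https://{_GH}"},
    "github_unresolved": {"Type": "GITHUB", "Location": {"Ref": "RepoUrlParam"}},
}


def evaluate_all(samples=SAMPLES):
    """Evaluate every sample and return {name: result}."""
    return {name: evaluate_source(src) for name, src in samples.items()}


if __name__ == "__main__":
    for name, result in evaluate_all().items():
        print(f"{name}: {result}")
```

Returning UNKNOWN for a `Location` that is still a CloudFormation intrinsic keeps a synth-time check from reporting a pass or a fail on a URL it cannot see.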
