Merge pull request #176 from aws-solutions/release/v2.0.2
Patch release v2.0.2
tbelmega authored Oct 24, 2023
2 parents 996817b + 50343aa commit 5244c64
Showing 20 changed files with 2,625 additions and 2,005 deletions.
9 changes: 9 additions & 0 deletions CHANGELOG.md
Expand Up @@ -5,6 +5,15 @@ All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

## [2.0.2] - 2023-10-24

### Security

- Upgraded @babel/traverse to mitigate CVE-2023-45133
- Upgraded urllib3 to mitigate CVE-2023-45803
- Upgraded aws-cdk-lib to mitigate CVE-2023-35165
- Upgraded @cdklabs/cdk-ssm-documents to mitigate CVE-2023-26115

## [2.0.1] - 2023-04-20

### Fixed
2 changes: 1 addition & 1 deletion CODE_OF_CONDUCT.md
@@ -1,4 +1,4 @@
## Code of Conduct
This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct).
For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact
[email protected] with any additional questions or comments.
[email protected] with any additional questions or comments.
25 changes: 24 additions & 1 deletion NOTICE.txt
@@ -1,4 +1,5 @@
Automated Security Response on AWS

Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
Licensed under the Apache License Version 2.0 (the "License"). You may not use this file except
in compliance with the License. A copy of the License is located at http://www.apache.org/licenses/
Expand Down Expand Up @@ -45,9 +46,31 @@ pytest under the MIT License
pytest-cov under the MIT License
pytest-env under the MIT License
pytest-mock under the MIT License
python-dateutil under the Apache License 2.0 and the BSD 3-Clause "New" or "Revised" License
python-dateutil under the Apache License 2.0 and the BSD 3-Clause
s3transfer under the Apache License 2.0
setuptools under the MIT License
six under the MIT License
urllib3 under the MIT License
virtualenv under the MIT License
Jinja2 under the BSD 3-Clause
MarkupSafe under the BSD 3-Clause
Werkzeug under the BSD 3-Clause
boolean.py under the BSD-2-Clause
botocore-stubs under the MIT License
cffi under the MIT License
coverage under the Apache License 2.0
cryptography under the Apache License 2.0 and the BSD 3-Clause
exceptiongroup under the MIT License
iniconfig under the MIT License
license-expression under the Apache License 2.0
mypy-boto3-s3 under the MIT License
pluggy under the MIT License
py-partiql-parser under the MIT License
pycparser under the BSD 3-Clause
responses under the Apache License 2.0
tomli under the MIT License
types-PyYAML under the Apache License 2.0
types-awscrt under the MIT License
types-s3transfer under the MIT License
typing_extensions under the Python Software Foundation License
xmltodict under the MIT License
10 changes: 1 addition & 9 deletions deployment/testing_requirements.txt
Expand Up @@ -5,12 +5,4 @@ pytest
pytest-cov
pytest-env
pytest-mock
## boto3 and botocore should match Lambda runtime: https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html
boto3==1.20.32
botocore==1.23.32
## jmespath, python-dateutil, s3transfer, six, and urllib3 should match Lambda runtime
jmespath==0.10.0
python-dateutil==2.8.2
s3transfer==0.5.2
six==1.16.0
urllib3==1.26.11
urllib3<2
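Review bot: The replacement constraint `urllib3<2` is only an upper bound, so on its own it does not require a release that actually contains the fix for CVE-2023-45803 named in the changelog; a resolver working from a stale index or cache can still satisfy it with an older 1.26.x. Adding a lower bound at the patched release, e.g. `urllib3>=<patched-1.26.x-release>,<2`, would make the mitigation enforceable rather than incidental. The removed comment also recorded that boto3/botocore and their transitive pins were meant to track the Lambda runtime; with those pins gone the test environment now floats independently of the runtime, which is fine if intended but deserves a one-line comment in this file so the next maintainer does not re-pin them by reflex.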
10 changes: 10 additions & 0 deletions source/lib/__snapshots__/member-stack.test.ts.snap
Expand Up @@ -980,6 +980,16 @@ exports[`member stack snapshot matches 1`] = `
"DependsOn": [
"WaitProviderRole83B0295F",
],
"Metadata": {
"cdk_nag": {
"rules_to_suppress": [
{
"id": "AwsSolutions-L1",
"reason": "Will upgrade in next release to prioritize patch",
},
],
},
},
"Properties": {
"Code": {
"S3Bucket": {
2 changes: 1 addition & 1 deletion source/lib/member/redshift-audit-logging.ts
Expand Up @@ -30,7 +30,7 @@ export class RedshiftAuditLogging extends Construct {
expression: Fn.conditionEquals(templateParam.valueAsString, ChoiceParam.Yes),
});

const bucket = new Bucket(scope, 'S3BucketForRedShiftAuditLogging', {
const bucket = new Bucket(scope, 'S3BucketForRedShiftAuditLogging', { //NOSONAR The policy attached to this bucket enforces SSL.
encryption: BucketEncryption.S3_MANAGED,
publicReadAccess: false,
blockPublicAccess: BlockPublicAccess.BLOCK_ALL,
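Review bot: The `//NOSONAR` marker added to the `new Bucket(...)` line suppresses the finding for the whole constructor call, and its justification ("the policy attached to this bucket enforces SSL") points at a policy that is not visible in this hunk, so a reviewer cannot confirm it from the code being suppressed. If the bucket props do not already set it, `enforceSSL: true,` alongside `blockPublicAccess` would attach that policy via the construct itself and make the suppression self-evidently true (or unnecessary); if the policy is attached further down, naming the property or statement in the comment would let the next reader verify it. The Bucket props continue outside the hunk.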
42 changes: 42 additions & 0 deletions source/lib/solution_deploy-stack.ts
Expand Up @@ -276,6 +276,13 @@ export class SolutionDeployStack extends cdk.Stack {
};
}

cdk_nag.NagSuppressions.addResourceSuppressions(checkSSMDocState, [
{
id: "AwsSolutions-L1",
reason: "Will upgrade in next release to prioritize patch",
},
]);

/**
* @description getApprovalRequirement - determine whether manual approval is required
* @type {lambda.Function}
Expand Down Expand Up @@ -325,6 +332,13 @@ export class SolutionDeployStack extends cdk.Stack {
};
}

cdk_nag.NagSuppressions.addResourceSuppressions(getApprovalRequirement, [
{
id: "AwsSolutions-L1",
reason: "Will upgrade in next release to prioritize patch",
},
]);

/**
* @description execAutomation - initiate an SSM automation document in a target account
* @type {lambda.Function}
Expand Down Expand Up @@ -373,6 +387,13 @@ export class SolutionDeployStack extends cdk.Stack {
};
}

cdk_nag.NagSuppressions.addResourceSuppressions(execAutomation, [
{
id: "AwsSolutions-L1",
reason: "Will upgrade in next release to prioritize patch",
},
]);

/**
* @description monitorSSMExecState - get the status of an ssm execution
* @type {lambda.Function}
Expand Down Expand Up @@ -421,6 +442,13 @@ export class SolutionDeployStack extends cdk.Stack {
};
}

cdk_nag.NagSuppressions.addResourceSuppressions(monitorSSMExecState, [
{
id: "AwsSolutions-L1",
reason: "Will upgrade in next release to prioritize patch",
},
]);

/**
* @description Policy for role used by common Orchestrator notification lambda
* @type {Policy}
Expand Down Expand Up @@ -555,6 +583,13 @@ export class SolutionDeployStack extends cdk.Stack {
};
}

cdk_nag.NagSuppressions.addResourceSuppressions(sendNotifications, [
{
id: "AwsSolutions-L1",
reason: "Will upgrade in next release to prioritize patch",
},
]);

//-------------------------------------------------------------------------
// Custom Lambda Policy
//
Expand Down Expand Up @@ -669,6 +704,13 @@ export class SolutionDeployStack extends cdk.Stack {
},
};

cdk_nag.NagSuppressions.addResourceSuppressions(createCustomAction, [
{
id: "AwsSolutions-L1",
reason: "Will upgrade in next release to prioritize patch",
},
]);

const orchestrator = new OrchestratorConstruct(this, 'orchestrator', {
roleArn: orchestratorRole.roleArn,
ssmDocStateLambda: checkSSMDocState.functionArn,
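Review bot: The `cdk_nag.NagSuppressions.addResourceSuppressions` block added after `checkSSMDocState` is repeated verbatim in the five later hunks of this file (after getApprovalRequirement, execAutomation, monitorSSMExecState, sendNotifications and createCustomAction) and again in wait-provider.ts, and the reason string `"Will upgrade in next release to prioritize patch"` names neither the finding being deferred (AwsSolutions-L1 is, as I read cdk-nag, its non-latest Lambda runtime check) nor how its removal is tracked. A small helper carrying one reason constant would keep the list of suppressed functions in one place, make the intent reviewable, and let the suppressions be deleted together once the runtime is upgraded. The added objects also use double quotes where the surrounding file uses single quotes (e.g. `'orchestrator'`). The enclosing constructor starts and ends outside these hunks.
```typescript
// Deferred cdk-nag finding AwsSolutions-L1 (Lambda runtime version); remove once the runtime is upgraded.
const LAMBDA_RUNTIME_SUPPRESSION_REASON = 'Will upgrade in next release to prioritize patch';

const suppressLambdaRuntimeFinding = (fn: lambda.Function): void =>
  cdk_nag.NagSuppressions.addResourceSuppressions(fn, [
    { id: 'AwsSolutions-L1', reason: LAMBDA_RUNTIME_SUPPRESSION_REASON },
  ]);

// … unchanged: checkSSMDocState definition …
suppressLambdaRuntimeFinding(checkSSMDocState);
// … unchanged: same one-line call replaces each of the other five added blocks …
```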
9 changes: 8 additions & 1 deletion source/lib/wait-provider.ts
Expand Up @@ -75,7 +75,7 @@ export class WaitProvider extends Construct {
},
]);

const lambdaFunction = new Function(scope, `${id}Function`, {
const lambdaFunction = new Function(scope, `${id}Function`, { //NOSONAR This is not unknown code.
role,
runtime: props.runtimePython,
code: Code.fromBucket(
Expand All @@ -87,6 +87,13 @@ export class WaitProvider extends Construct {
timeout: Duration.minutes(15),
});

NagSuppressions.addResourceSuppressions(lambdaFunction, [
{
id: "AwsSolutions-L1",
reason: "Will upgrade in next release to prioritize patch",
},
]);

return new WaitProvider(scope, id, { serviceToken: lambdaFunction.functionArn });
}
}
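Review bot: The `//NOSONAR This is not unknown code.` marker added to the `new Function(...)` line names neither the rule it suppresses nor a reason a reviewer can check, so it reads as a blanket waiver on the statement that loads the function's code. Since the code is supplied through `Code.fromBucket(...)`, a comment such as `//NOSONAR <rule-id>: function code is loaded from the solution's own S3 bucket, not from caller input` would make the suppression verifiable against the lines it covers — if that is indeed the basis for it. The `NagSuppressions.addResourceSuppressions` block in the second hunk repeats the reason string used six times in solution_deploy-stack.ts; sharing a single constant across both files would keep them consistent and removable together. The first hunk's `Function` props continue outside the hunk.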
