indrora
commented
1 year ago I'm torn if this is a bug or a feature request. I want to err on the side of bug.
I'm going to consider this a bug
Open dontirun opened 1 year ago
indrora
commented
1 year ago I'm torn if this is a bug or a feature request. I want to err on the side of bug.
I'm going to consider this a bug
mrgrain
commented
1 year ago Thanks @dontirun we are undeprecating the method until we have a better solution for you.
We are currently thinking something like an accessible report of acknowledged warnings for plugins to parse.
NagSuppressions could then be a thin wrapper around CDK functionality.
But we'd also have to address the papercuts you've mentioned.
rix0rrr
commented
1 year ago On the papercuts:
this adds a bit of clutter and confusion
I appreciate this, but I also think it's vitally important that the suppression tag is surfaced in a clear way to users, especially if we intend to go full-hog on warnings (which I want to, with all the tweakable and adjustable things and weird edge cases people can get into, it's much better to overwarn and allow it to be silenced, than to not warn or *gasp* error). I opted for putting the tag into the warning string directly, so there's no way to miss it. Of course, any presentation layer could be aware of this, parse out the tag and display it differently, for example in a separate table column or something.
there would a delta [...] to acknowledge/suppress [...] Errors
Do you have an example of a suppressible error? To my mind the major distinction between warnings and errors is their suppressibility, and so the fact that they cannot be suppressed is a feature.
dontirun
commented
1 year ago Do you have an example of a suppressible error? To my mind the major distinction between warnings and errors is their suppressibility, and so the fact that they cannot be suppressed is a feature.
Yes, but with some context first 😄. cdk-nag has a concept of NagPacks which are sets of guidance that are based on some set of standards. Generally during a security review/audit you provide evidence to compliance and provide/discuss/ document exceptions with the reviewer/auditor.
Given that, let's say that you are using the HIPAA security based NagPack and encounter the HIPAA.Security-LambdaInsideVPC error. If you are strictly following the HIPAA guidelines, you want to prevent a deployment that has a misconfiguration (Error), but there are plenty of valid reasons why this particular guideline doesn't matter in a specific case. For example, maybe your lambda function is calling an external service, your application is completely serverless and doesn't have a VPC otherwise, your lambda function isn't processing any Health related data, etc. In that case you would suppress with your documented reason and continue the deployment.
rix0rrr
commented
1 year ago In CDK Core feature parlance, would it be equivalent to say that message is a warning, and everyone must always run with --strict ? That is, all warnings must either be fixed or acknowledged?
dontirun
commented
1 year ago In CDK Core feature parlance, would it be equivalent to say that message is a warning, and everyone must always run with
--strict? That is, all warnings must either be fixed or acknowledged?
Yes, I would say an error in cdk-nag is equivalent to this
Describe the feature
Exactly the addWarning method, but not deprecated
Use Case
cdk-nag uses the cdk Annotation system to emit
WarningsandErrors. Currently it uses the addWarning method forWarnings.addWarningwas deprecated with the introduction ofaddWarningV2in the latest cdk release. Allcdk-nagWarnings now emit deprecation messages along with the warning, which adds a lot of clutter the the CLI output. While this could be fixed by switching toaddWarningV2, I don't think thataddWarningV2is the correct choice in this case, primarily due to how thecdk-nagwarning/error suppression system is intended to function.Primary Concern
acknowledgeWarningvsNagSuppressionNagSuppressions arecdk-nag's way of acknowledging warnings and errors. The key difference betweenacknowledgeWarningandNagSuppressions are thatNagSuppresions write the suppression to the CloudFormation Metadata in acdk-nagspecific format. That Cfn metadata is important when using SAST tooling to look over the generated CloudFormation templates (Anecdotally, I know of several use cases where thecdk-nagMetadata is reviewed in CI/CD pipelines). Ifcdk-nagwere to switch fromaddWarningtoaddWarningV2users would be able to use bothacknowledgeWarningandNagSuppresions to silence warnings. While technically not a breaking change giving users the ability to useacknowledgeWarningforcdk-nagisn't a good choice.Smaller Concerns/Annoyances with
addWarningV2andcdk-nagif
cdk-nagwere to switch toaddWarningV2and we were to ignore the primary concern there would be a few other minor annoyances.warningsanderrorswould be slightly different from one another.Warningswould have an additionaladdWarningV2identifier appended to the end of the message, whileerrorswould not. While that would be the existingRuleIdalready used forcdk-nag,errorsdon't have a correspondingaddErrorV2(and in my opinion it doesn't make sense to have this) so this adds a bit of clutter and confusionaddErrorV2method there would a delta between the options to acknowledge/suppressWarningsandErrorsProposed Solution
I don't think that "undeprecating"
addWarningis the correct solution, because in cdk internal uses casesaddWarningV2is the correct choice and users should useaddWarningV2. Having a clone ofaddWarningwith a better name would add some "guardrails"(?) on usageaddUnacknowledgeableWarning()method toAnnotationswhich is a clone of of the currentaddWarningmethodaddWarningV2unless they have a specific use case where the warnings should not be acknowledgeable and that unhandled warnings will prohibit users from deploying cdk applications withstrictmode.Other Information
Related to https://github.com/cdklabs/cdk-nag/issues/1418
Acknowledgements
CDK version used
2.93.0
Environment details (OS name and version, etc.)
Not relevant, but macOs 13.4 (Ventura) 😄