cdklabs / cdk-nag

Check CDK applications for best practices using a combination of available rule packs
Apache License 2.0

bug: CodeBuildProjectSourceRepoUrl is out of date #1590

Open mskrip opened 7 months ago

mskrip commented 7 months ago

What is the problem?

The current implementation of the check for CodeBuildProjectSourceRepoUrl checks if the source of the CodeBuild project has OAUTH as its authentication type. The description of the rule says this should be applied only for GitHub or BitBucket sources, but as far as I understand the implementation it ignores that part. Moreover, the current description of the rule is different now (https://docs.aws.amazon.com/config/latest/developerguide/codebuild-project-source-repo-url-check.html)

Old: The Codebuild project which utilizes either a GitHub or BitBucket repository does not utilize OAuth.

New: Checks if the Bitbucket source repository URL contains sign-in credentials or not. The rule is NON_COMPLIANT if the URL contains any sign-in information and COMPLIANT if it doesn't.

Reproduction Steps

I noticed this when creating a CDK pipeline with a GitHub repo as its source through a CodeStar connection:

    import aws_cdk as cdk
    from aws_cdk import pipelines
    from constructs import Construct


    class PipelineStack(cdk.Stack):
        def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
            super().__init__(scope, construct_id, **kwargs)

            # Pipeline whose source is a CodeStar connection (repo_string is "owner/repo")
            pipelines.CodePipeline(
                self,
                "pipeline",
                synth=pipelines.ShellStep(
                    "synth",
                    input=pipelines.CodePipelineSource.connection(
                        repo_string="repo",
                        branch="master",
                        connection_arn="<codestar connection ARN>"
                    ),
                    commands=[
                        "cdk synth '**'"
                    ],
                ),
            )

This pipeline AFAIK creates 2 CodeBuild projects, none of which has GitHub as its source; instead, the source for them is CODE_PIPELINE.

What did you expect to happen?

I expected the check for CodeBuildProjectSourceRepoUrl to just pass

What actually happened?

It didn't

cdk-nag version

2.28.27

Language

Python

Other information

No response
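The rule logic the report describes, written out as an added illustration (not cdk-nag's own code): the updated AWS Config definition only looks at Bitbucket sources and flags a repository URL that embeds sign-in credentials, so a project whose source is CodePipeline is not in scope at all. The function below evaluates that over a CodeBuild project's CloudFormation properties; the `Source.Type` values and the sample properties are constructed for this example.

```python
from urllib.parse import urlsplit

# Only Bitbucket sources are in scope for the updated rule description
# (assumption taken from the AWS Config text quoted in the issue).
IN_SCOPE_SOURCE_TYPES = {"BITBUCKET"}


def url_has_credentials(location: str) -> bool:
    """True if the repository URL embeds sign-in info, e.g. https://user:token@host/repo."""
    try:
        parts = urlsplit(location)
    except ValueError:
        # Malformed URL: nothing we can safely parse, so no credentials detected.
        return False
    return bool(parts.username or parts.password)


def check_source_repo_url(project_props: dict) -> str:
    """Evaluate a CodeBuild project (CloudFormation 'Properties' shape).

    Returns "COMPLIANT", "NON_COMPLIANT" or "NOT_APPLICABLE".
    """
    source = project_props.get("Source", {})
    source_type = str(source.get("Type", "")).upper()
    if source_type not in IN_SCOPE_SOURCE_TYPES:
        # CODEPIPELINE, S3, CODECOMMIT, NO_SOURCE etc. carry no Bitbucket URL to inspect;
        # this is the case for the projects synthesized by the pipeline in the report.
        return "NOT_APPLICABLE"
    location = source.get("Location")
    if not isinstance(location, str):
        # A CloudFormation intrinsic (Ref / Fn::Sub) cannot be inspected statically.
        return "NOT_APPLICABLE"
    return "NON_COMPLIANT" if url_has_credentials(location) else "COMPLIANT"


# Constructed sample projects in CloudFormation property shape (not from a real template).
SAMPLE_PROJECTS = {
    "PipelineSynth": {"Source": {"Type": "CODEPIPELINE", "BuildSpec": "version: 0.2"}},
    "BitbucketClean": {"Source": {"Type": "BITBUCKET",
                                  "Location": "https://bitbucket.org/team/repo.git"}},
    "BitbucketLeaky": {"Source": {"Type": "BITBUCKET",
                                  "Location": "https://user:app-pw@bitbucket.org/team/repo.git"}},
}


def evaluate_all(projects: dict) -> dict:
    """Map each logical resource id to its compliance result."""
    return {name: check_source_repo_url(props) for name, props in projects.items()}
```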

dontirun commented 7 months ago

Thanks for reporting! It looks like the CodeBuild Project CloudFormation resource has also had a number of updates, including SourceAuth being a console-only feature.

All to say that this rule needs some serious rework