No harmful dependency conflicts

No harmful dependency conflicts

No harmful dependency conflicts

There is an error with this repository's Renovate configuration that needs to be fixed. As a precaution, Renovate will stop PRs until it is resolved.

Error type: undefined. Note: this is a nested preset so please contact the preset author if you are unable to fix it yourself.

Hey there! I noticed some possible problems in some code in this repo. A quick summary of a few of them is below, but let me know if you're interested in seeing a full report or talking about cloud security in general.

severity: serious

filename: ./src/test/resources/aws-cross-account-manager-master.yml

line number(s): [119]

resource(s):

IAM role should not allow * action on its permissions policy

severity: warning

filename: ./src/test/resources/aws-cross-account-manager-master.yml

line number(s): [252]

resource(s):

IAM policy should not allow * resource

severity: warning

filename: ./src/test/resources/aws-cross-account-manager-master.yml

line number(s): [687, 711, 728, 119]

resource(s):

Resource found with an explicit name, this disallows updates that require replacement of this resource

severity: warning

filename: ./src/test/resources/aws-cross-account-manager-master.yml

line number(s): [482, 489]

resource(s):

S3 Bucket should have access logging configured

severity: warning

filename: ./src/test/resources/aws-cross-account-manager-master.yml

line number(s): [482, 489]

resource(s):

S3 Bucket should have encryption option set

Hello,

We've tried to activate or update your repository on Depfu and couldn't find any supported dependency files. If we were to guess, we would say that this is not actually a project Depfu supports and has probably been activated by error.

Monorepos

Please note that Depfu currently only searches for your dependency files in the root folder. We do support monorepos and non-root files, but don't auto-detect them. If that's the case with this repo, please send us a quick email with the folder you want Depfu to work on and we'll set it up right away!

How to deactivate the project

• Go to the Settings page of either your own account or the organization you've used
• Go to "Installed Integrations"
• Click the "Configure" button on the Depfu integration
• Remove this repo (Hack23/sonar-cloudformation-plugin) from the list of accessible repos.

Please note that using the "All Repositories" setting doesn't make a lot of sense with Depfu.

If you think that this is a mistake

Please let us know by sending an email to [email protected].

This is an automated issue by Depfu. You're getting it because someone configured Depfu to automatically update dependencies on this project.

CVE-2019-12814 - Medium Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /sonar-cloudformation-plugin/pom.xml

Path to vulnerable library: 2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.9/jackson-databind-2.9.9.jar

Dependency Hierarchy:

• ❌ jackson-databind-2.9.9.jar (Vulnerable Library)

Found in HEAD commit: be7a1bd4dc799db5eb2ae9fe4d2f66cb81357afd

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.

Publish Date: 2019-06-19

URL: CVE-2019-12814

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Change files

Origin: FasterXML/jackson-databind@5f7c69b

Release Date: 2019-06-14

Fix Resolution: Replace or update the following files: SubTypeValidator.java, VERSION

Step up your Open Source Security Game with WhiteSource here

The project could not be analyzed because of build errors. Please review the error messages here. Another build will be scheduled within 24 hours. If the build is successful this issue will be closed, otherwise the error message will be updated.

_{This is an automated GitHub Issue created by Sonatype DepShield. GitHub Apps, including DepShield, can be managed from the Developer settings of the repository administrators.}

No harmful dependency conflicts

look at adding https://github.com/bridgecrewio/checkov support

No harmful dependency conflicts

Hi @pethers,

Can you explain how custom rules can be added to the plugin during scan ? I can add them to cfn_nag scan, aka report, but are they going to be presented to sonar ?

Many thanks

CVE-2019-12384 - Medium Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /sonar-cloudformation-plugin/pom.xml

Path to vulnerable library: 2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.9/jackson-databind-2.9.9.jar

Dependency Hierarchy:

• ❌ jackson-databind-2.9.9.jar (Vulnerable Library)

Found in HEAD commit: 44941eedd471ae47571a9d7cfdefae19bdab946f

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.9 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible.

Publish Date: 2019-06-24

URL: CVE-2019-12384

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Step up your Open Source Security Game with WhiteSource here

No harmful dependency conflicts

Hi there,

If sonar-scanner runs as a docker container, it can't find generated report.

jenkins@859f9f94dc19:~/workspace/app$ pwd
/var/jenkins_home/workspace/app
jenkins@859f9f94dc19:~/workspace/app$ ls -l
total 8
-rw-r--r-- 1 jenkins jenkins 112 Dec  6 18:59 template.json
-rw-r--r-- 1 jenkins jenkins 397 Dec  6 18:59 template.json.nag

While running scanner, the sonar-cloudformation-plugin complains about missing report

Processing:template.json.nag missing or do not end with .nag or .nagscan

Full scanner log

jenkins@859f9f94dc19:~/workspace/app$ sonar-scanner -Dsonar.host.url=http://sonar:9000 -Dsonar.projectKey=app -Dsonar.cfn.nag.reportFiles=template.json.nag
INFO: Scanner configuration file: /var/jenkins_home/tools/hudson.plugins.sonar.SonarRunnerInstallation/scanner/conf/sonar-scanner.properties
INFO: Project root configuration file: NONE
INFO: SonarScanner 4.5.0.2216
INFO: Java 1.8.0_242 Oracle Corporation (64-bit)
INFO: Linux 5.4.0-56-generic amd64
INFO: User cache: /var/jenkins_home/.sonar/cache
INFO: Scanner configuration file: /var/jenkins_home/tools/hudson.plugins.sonar.SonarRunnerInstallation/scanner/conf/sonar-scanner.properties
INFO: Project root configuration file: NONE
INFO: Analyzing on SonarQube server 7.9.5
INFO: Default locale: "en", source code encoding: "UTF-8" (analysis is platform dependent)
WARN: SonarScanner will require Java 11 to run starting in SonarQube 8.x
INFO: Load global settings
INFO: Load global settings (done) | time=205ms
INFO: Server id: BF41A1F2-AXYzS_xwqkpYAjvo9ndy
INFO: User cache: /var/jenkins_home/.sonar/cache
INFO: Load/download plugins
INFO: Load plugins index
INFO: Load plugins index (done) | time=129ms
INFO: Load/download plugins (done) | time=209ms
INFO: Process project properties
INFO: Execute project builders
INFO: Execute project builders (done) | time=38ms
INFO: Project key: app
INFO: Base dir: /var/jenkins_home/workspace/app
INFO: Working dir: /var/jenkins_home/workspace/app/.scannerwork
INFO: Load project settings for component key: 'app'
INFO: Load project settings for component key: 'app' (done) | time=64ms
INFO: Load quality profiles
INFO: Load quality profiles (done) | time=192ms
INFO: Load active rules
INFO: Load active rules (done) | time=4532ms
INFO: Indexing files...
INFO: Project configuration:
INFO: 2 files indexed
INFO: 0 files ignored because of scm ignore settings
INFO: ------------- Run sensors on module app
INFO: Load metrics repository
INFO: Load metrics repository (done) | time=112ms
INFO: Sensor JaCoCo XML Report Importer [jacoco]
INFO: Sensor JaCoCo XML Report Importer [jacoco] (done) | time=17ms
INFO: Sensor JavaXmlSensor [java]
INFO: Sensor JavaXmlSensor [java] (done) | time=5ms
INFO: Sensor HTML [web]
INFO: Sensor HTML [web] (done) | time=47ms
INFO: Sensor Cloudformation Check [cloudformation]
INFO: Process cfn-nag reports
INFO: sonar.cfn.nag.reportFiles=template.json.nag
INFO: Processing:template.json.nag
WARN: Processing:template.json.nag missing or do not end with .nag or .nagscan
INFO: Process cfn-nag reports (done) | time=69ms
INFO: Sensor Cloudformation Check [cloudformation] (done) | time=69ms
INFO: ------------- Run sensors on project
INFO: Sensor Zero Coverage Sensor
INFO: Sensor Zero Coverage Sensor (done) | time=14ms
INFO: Calculating CPD for 0 files
INFO: CPD calculation finished
INFO: Analysis report generated in 314ms, dir size=74 KB
INFO: Analysis report compressed in 39ms, zip size=10 KB
INFO: Analysis report uploaded in 104ms
INFO: ANALYSIS SUCCESSFUL, you can browse http://sonar:9000/dashboard?id=app
INFO: Note that you will be able to access the updated dashboard once the server has processed the submitted analysis report
INFO: More about the report processing at http://sonar:9000/api/ce/task?id=AXY5d1P7VvK5T4nIqYQX
INFO: Analysis total time: 13.041 s
INFO: ------------------------------------------------------------------------
INFO: EXECUTION SUCCESS
INFO: ------------------------------------------------------------------------
INFO: Total time: 15.697s
INFO: Final Memory: 15M/150M
INFO: ------------------------------------------------------------------------

The project could not be analyzed because of build errors. Please review the error messages here. Another build will be scheduled when a change to a manifest file^* occurs. If the build is successful this issue will be closed, otherwise the error message will be updated.

_{This is an automated GitHub Issue created by Sonatype DepShield. GitHub Apps, including DepShield, can be managed from the Developer settings of the repository administrators.}

_{* Supported manifest files are: pom.xml, package.json, package-lock.json, npm-shrinkwrap.json, Cargo.lock, Cargo.toml, main.rs, lib.rs, build.gradle, build.gradle.kts, settings.gradle, settings.gradle.kts, gradle.properties, gradle-wrapper.properties, go.mod, go.sum}

No harmful dependency conflicts

Hi,

Is it possible to add .jar in release assets, this helps greatly when we have to add plugins on sonarqube installation done via helm charts.

Thanks

F19 EnableKeyRotation should not be false or absent on KMS::Key resource
F42 Pinpoint APNSSandboxChannel PrivateKey must not be a plaintext string or a Ref to a NoEcho Parameter with a Default value.
F43 Pinpoint APNSSandboxChannel TokenKey must not be a plaintext string or a Ref to a NoEcho Parameter with a Default value.
F44 ElastiCache ReplicationGroup AuthToken must not be a plaintext string or a Ref to a NoEcho Parameter with a Default value.
F45 Lambda Permission EventSourceToken must not be a plaintext string or a Ref to a NoEcho Parameter with a Default value.
F46 Pinpoint APNSVoipSandboxChannel PrivateKey must not be a plaintext string or a Ref to a NoEcho Parameter with a Default value.
F47 Pinpoint APNSVoipSandboxChannel TokenKey must not be a plaintext string or a Ref to a NoEcho Parameter with a Default value.
F48 Pinpoint APNSVoipChannel PrivateKey must not be a plaintext string or a Ref to a NoEcho Parameter with a Default value.
F49 Pinpoint APNSChannel TokenKey must not be a plaintext string or a Ref to a NoEcho Parameter with a Default value.
F56 Pinpoint APNSChannel TokenKey must not be a plaintext string or a Ref to a NoEcho Parameter with a Default value.
F57 Pinpoint APNSChannel PrivateKey must not be a plaintext string or a Ref to a NoEcho Parameter with a Default value.
F61 OpsWorks App SslConfiguration PrivateKey must not be a plaintext string or a Ref to a NoEcho Parameter with a Default value.
F62 OpsWorks Stack CustomCookbooksSource Password must not be a plaintext string or a Ref to a NoEcho Parameter with a Default value.
F63 EMR Cluster KerberosAttributes AD Domain JoinPassword must not be a plaintext string or a Ref to a NoEcho Parameter with a Default value.
F64 EMR Cluster KerberosAttributes CrossRealmTrustPrincipal Password must not be a plaintext string or a Ref to a NoEcho Parameter with a Default value.
F65 EMR Cluster KerberosAttributes KdcAdmin Password must not be a plaintext string or a Ref to a NoEcho Parameter with a Default value.
F66 Kinesis Firehose DeliveryStream RedshiftDestinationConfiguration Password must not be a plaintext string or a Ref to a NoEcho Parameter with a Default value.
F67 OpsWorks App AppSource Password must not be a plaintext string or a Ref to a NoEcho Parameter with a Default value.
F68 Kinesis Firehose DeliveryStream SplunkDestinationConfiguration HECToken must not be a plaintext string or a Ref to a NoEcho Parameter with a Default value.
F69 CodePipeline Webhook AuthenticationConfiguration SecretToken must not be a plaintext string or a Ref to a NoEcho Parameter with a Default value.
F70 DocDB DB Cluster master user password must not be a plaintext string or a Ref to a NoEcho Parameter with a Default value.
F71 ManagedBlockchain Member MemberFabricConfiguration AdminPasswordRule must not be a plaintext string or a Ref to a NoEcho Parameter with a Default value.

W61 EMR SecurityConfiguration should enable and properly configure encryption at rest and in transit.
W63 EMR Cluster should specify SecurityConfiguration.

No harmful dependency conflicts

F76 KMS key should not allow * principal (https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html)

created the rule before PR was merged and changed after.

No harmful dependency conflicts

Cfn-nag issues

New rule:AWS::ECR::Repository should have scanOnPush enabled
stelligent/cfn_nag#498 (PR: stelligent/cfn_nag#499) : released https://github.com/stelligent/cfn_nag/releases/tag/v0.6.14 and added to this plugin.

AWS::MSK::Cluster auth and encryption
stelligent/cfn_nag#380

AWS::DLM::LifecyclePolicy - Encryption
stelligent/cfn_nag#379

AWS::SageMaker::NotebookInstance - DirectInternetAccess
stelligent/cfn_nag#377

new rule : Kendra index should specify KmsKeyId
stelligent/cfn_nag#500 (PR : stelligent/cfn_nag#501)

Existing config-rules that can be added to cfn-nag

Encryption

https://asecure.cloud/a/cfgrule_eks-secrets-encrypted/

https://asecure.cloud/a/cfgrule_dax-encryption-enabled/

https://asecure.cloud/a/cfgrule_cloudwatch-log-group-encrypted/

https://asecure.cloud/a/cfgrule_api-gw-cache-enabled-and-encrypted/

https://asecure.cloud/a/cfgrule_elasticsearch-node-to-node-encryption-check/

https://asecure.cloud/a/cfgrule_cloudwatch-log-group-encrypted/

https://asecure.cloud/a/cfgrule_cw-loggroup-retention-period-check/

Public

https://asecure.cloud/a/cfgrule_elasticsearch-in-vpc-only/

https://asecure.cloud/a/cfgrule_emr-master-no-public-ip/

https://asecure.cloud/a/cfgrule_dms-replication-not-public/

https://asecure.cloud/a/cfgrule_eks-endpoint-no-public-access/

https://asecure.cloud/a/cfgrule_lambda-inside-vpc/

Limits

https://asecure.cloud/a/cfgrule_lambda-concurrency-check/

Worth noting that cfn_nag 0.6.8 output now looks like the cfn_nag_scan output and causes a jackson parse error.

The difference in the output is it's in an array now and has the filename key.

We're able to work around it (naming the file as a nagscan output file) but maybe worth either updating docos or changing the behavior

The project could not be analyzed because of build errors. Please review the error messages here. Another build will be scheduled within 24 hours. If the build is successful this issue will be closed, otherwise the error message will be updated.

_{This is an automated GitHub Issue created by Sonatype DepShield. GitHub Apps, including DepShield, can be managed from the Developer settings of the repository administrators.}

CVE-2015-9251 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.10.2.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.10.2/jquery.js

Path to vulnerable library: /sonar-cloudformation-plugin/apidocs/jquery/external/jquery/jquery.js,/sonar-cloudformation-plugin/apidocs/jquery/jquery-1.10.2.js,/sonar-cloudformation-plugin/testapidocs/jquery/jquery-1.10.2.js,/sonar-cloudformation-plugin/testapidocs/jquery/external/jquery/jquery.js

Dependency Hierarchy:

• ❌ jquery-1.10.2.js (Vulnerable Library)

Found in HEAD commit: 7dd60b2baa60c931e429999b34d738012f406f03

Vulnerability Details

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251

Release Date: 2018-01-18

Fix Resolution: 3.0.0

Step up your Open Source Security Game with WhiteSource here

CWE-311 - Missing Encryption of Sensitive Data
CWE-326 - Inadequate Encryption Strength
CWE-732 - Incorrect Permission Assignment for Critical Resource
CWE-257 - Storing Passwords in a Recoverable Format
CWE-778 - Insufficient Logging
CWE-272 - Least Privilege Violation
CWE-286 - Incorrect User Management
CWE-770: Allocation of Resources Without Limits or Throttling

Some mapping of CWE -> NIST https://github.com/mitre/heimdall_tools/blob/master/lib/data/cwe-nist-mapping.csv (not complete) .

But agree cannot be used for compliance alone but "CWE-778 - Insufficient Logging" connected to AU-12 Audit Generation.

CWE-311 Missing Encryption of Sensitive Data -> SC-8 Transmission Confidentiality and Integrity

Hello,

I used an older version of the sonarqube cfn plugin, that was manually installed. Today I got an auto update for that to the version 2.0.4

Since then, the findings in the cfn.nagscan json file, are not shown in SonarQube anymore.

Output is:

INFO: Sensor Cloudformation Check [cloudformation]
INFO: Process cfn-nag reports
INFO: sonar.cfn.nag.reportFiles=cfn.nagscan
INFO: Processing:cfn.nagscan
INFO: Looking for cloudformation template matching:cfn.json
INFO: matching:cfn.json = cfn.json
INFO: Load project repositories
INFO: Load project repositories (done) | time=31ms
INFO: Looking for cloudformation template matching:db-stack.cfn.json
INFO: matching:db-stack.cfn.json = db-stack.cfn.json
INFO: Process cfn-nag reports (done) | time=345ms
INFO: Sensor Cloudformation Check [cloudformation] (done) | time=346ms

But SonarQube had the 6 found issues removed in todays version.

I tested around a bit, moving the files to other locations, but no success.

For information, the 2 files are in the main directory, since we use deployment repositories apart from our source-code.

Best,
Ben

No harmful dependency conflicts

Hi,
very nice plugin. It seems to have problems whem there are same template names but in a different directories, like

/folder_1/test.yaml
/folder_2/test.yaml

the result nagscan report is correct but the plug-in fails to map the issues between the files. Everything is mapped to the first file.

Many thanks

W55 Elastic Load Balancer V2 Listener SslPolicy should use TLS 1.2
W56 Elastic Load Balancer V2 Listener Protocol should use HTTPS for ALBs

The property of directory scanning should be plural.
sonar.cfn.nag.reportFiles=target/cfn-nag-scan.nagscan

No harmful dependency conflicts

No harmful dependency conflicts

Hi,

Would be great to implement the rules of official Python linter from AWS to the sonar plugin as well:

https://github.com/aws-cloudformation/cfn-python-lint

No harmful dependency conflicts

CVE-2019-11358 - Medium Severity Vulnerability

Vulnerable Library - jquery-3.3.1.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.js

Path to vulnerable library: /sonar-cloudformation-plugin/testapidocs/jquery/jquery-3.3.1.js,/sonar-cloudformation-plugin/testapidocs/jquery/external/jquery/jquery.js,/sonar-cloudformation-plugin/apidocs/jquery/jquery-3.3.1.js,/sonar-cloudformation-plugin/apidocs/jquery/external/jquery/jquery.js

Dependency Hierarchy:

• ❌ jquery-3.3.1.js (Vulnerable Library)

Found in HEAD commit: 6dc7985faaf613b21e7c0576990643d64edf9b50

Vulnerability Details

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.

Publish Date: 2019-04-20

URL: CVE-2019-11358

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358

Release Date: 2019-04-20

Fix Resolution: 3.4.0

Step up your Open Source Security Game with WhiteSource here

Is your feature request related to a problem? Please describe.
For each rule add which iso 27001 area the rule belongs to, example https://github.com/toniblyx/prowler/blob/master/groups/group18_iso27001

Describe the solution you'd like
Add info to rule description

Describe alternatives you've considered
add tags for rules

Additional context

from https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-template-resource-type-ref.html

Prio:
*CWE-311 - Missing Encryption of Sensitive Data
W41 S3 Bucket should have encryption option set
F1 EBS volume should have server-side encryption enabled
F25 ElastiCache ReplicationGroup should have encryption enabled for at rest
F28 Redshift Cluster should have encryption enabled
F29 Workspace should have encryption enabled
F30 Neptune database cluster storage should have encryption enabled
F32 EFS FileSystem should have encryption enabled
F33 ElastiCache ReplicationGroup should have encryption enabled for in transit
missing ?

*CWE-778 - Insufficient Logging
W10 CloudFront Distribution should enable access logging
W26 Elastic Load Balancer should have access logging enabled
W35 S3 Bucket should have access logging configured
W45 ApiGateway should have access logging configured
Issues created
stelligent/cfn_nag#311
stelligent/cfn_nag#308
missing ?

CWE-732 - Incorrect Permission Assignment for Critical Resource
CWE-257 - Storing Passwords in a Recoverable Format
CWE-272 - Least Privilege Violation
CWE-286 - Incorrect User Management No CWE associated

java.lang.IllegalArgumentException: 1020 is not a valid line for pointer.

at com.hack23.sonar.cloudformation.CloudformationSensor.addIssue(CloudformationSensor.java:238)
at com.hack23.sonar.cloudformation.CloudformationSensor.handleCfnNagScanReports(CloudformationSensor.java:192)
at com.hack23.sonar.cloudformation.CloudformationSensor.execute(CloudformationSensor.java:131)

version 1.7.1, possible 2.0.9 as well.

follow https://docs.sonarqube.org/latest/extend/deploying-to-marketplace/

update https://community.sonarsource.com/t/new-release-sonar-cloudformation-plugin-1-0-2/14021 with missing information and create PR in https://github.com/Hack23/sonar-update-center-properties

No harmful dependency conflicts

W1200 SageMaker EndpointConfig should have a KmsKeyId property set.
W1201 SageMaker NotebookInstance should have a KmsKeyId property set.

F31 DirectoryService SimpleAD password must not be a plaintext string or a Ref to a Parameter with a Default value. Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.
F34 RDS DB Cluster master user password must not be a plaintext string or a Ref to a Parameter with a Default value. Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.
F35 Redshift Cluster master user password must not be a plaintext string or a Ref to a Parameter with a Default value. Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.
F36 Directory Service Microsoft AD password must not be a plaintext string or a Ref to a Parameter with a Default value. Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.
F37 DMS Endpoint password must not be a plaintext string or a Ref to a Parameter with a Default value. Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.

F41 Amplify App AccessToken must not be a plaintext string or a Ref to a Parameter with a Default value. Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.
F42 Pinpoint APNSSandboxChannel PrivateKey must not be a plaintext string or a Ref to a Parameter with a Default value. Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.
F43 Pinpoint APNSSandboxChannel TokenKey must not be a plaintext string or a Ref to a Parameter with a Default value. Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.
F44 ElastiCache ReplicationGroup AuthToken must not be a plaintext string or a Ref to a Parameter with a Default value. Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.
F45 Lambda Permission EventSourceToken must not be a plaintext string or a Ref to a Parameter with a Default value. Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.
F46 Pinpoint APNSVoipSandboxChannel PrivateKey must not be a plaintext string or a Ref to a Parameter with a Default value. Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.
F47 Pinpoint APNSVoipSandboxChannel TokenKey must not be a plaintext string or a Ref to a Parameter with a Default value. Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.
F48 Pinpoint APNSVoipChannel PrivateKey must not be a plaintext string or a Ref to a Parameter with a Default value. Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.
F49 Pinpoint APNSChannel TokenKey must not be a plaintext string or a Ref to a Parameter with a Default value. Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.
F50 Amplify App BasicAuthConfig Password must not be a plaintext string or a Ref to a Parameter with a Default value. Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.
F51 IAM User LoginProfile Password must not be a plaintext string or a Ref to a Parameter with a Default value. Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.
F52 AmazonMQ Broker Users Password must not be a plaintext string or a Ref to a Parameter with a Default value. Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.
F53 AppStream DirectoryConfig ServiceAccountCredentials AccountPassword must not be a plaintext string or a Ref to a Parameter with a Default value. Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.
F54 OpsWorks Stack RDS DbInstance DbPassword must not be a plaintext string or a Ref to a Parameter with a Default value. Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.
F55 DMS Endpoint MongoDbSettings Password must not be a plaintext string or a Ref to a Parameter with a Default value. Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.
F56 Pinpoint APNSChannel TokenKey must not be a plaintext string or a Ref to a Parameter with a Default value. Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.
F57 Pinpoint APNSChannel PrivateKey must not be a plaintext string or a Ref to a Parameter with a Default value. Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.
F58 Amplify App OauthToken must not be a plaintext string or a Ref to a Parameter with a Default value. Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.
F60 Amplify Branch BasicAuthConfig Password must not be a plaintext string or a Ref to a Parameter with a Default value. Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.
F61 OpsWorks App SslConfiguration PrivateKey must not be a plaintext string or a Ref to a Parameter with a Default value. Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.
F62 OpsWorks Stack CustomCookbooksSource Password must not be a plaintext string or a Ref to a Parameter with a Default value. Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.
F63 EMR Cluster KerberosAttributes AD Domain JoinPassword must not be a plaintext string or a Ref to a Parameter with a Default value. Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.
F64 EMR Cluster KerberosAttributes CrossRealmTrustPrincipal Password must not be a plaintext string or a Ref to a Parameter with a Default value. Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.
F65 EMR Cluster KerberosAttributes KdcAdmin Password must not be a plaintext string or a Ref to a Parameter with a Default value. Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.
F66 Kinesis Firehose DeliveryStream RedshiftDestinationConfiguration Password must not be a plaintext string or a Ref to a Parameter with a Default value. Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.
F67 OpsWorks App AppSource Password must not be a plaintext string or a Ref to a Parameter with a Default value. Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.
F68 Kinesis Firehose DeliveryStream SplunkDestinationConfiguration HECToken must not be a plaintext string or a Ref to a Parameter with a Default value. Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.
F69 CodePipeline Webhook AuthenticationConfiguration SecretToken must not be a plaintext string or a Ref to a Parameter with a Default value. Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.
F70 DocDB DB Cluster master user password must not be a plaintext string or a Ref to a Parameter with a Default value. Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.
F71 ManagedBlockchain Member MemberFabricConfiguration AdminPasswordRule must not be a plaintext string or a Ref to a NoEcho Parameter with a Default value.
F74 Alexa ASK Skill AuthenticationConfiguration ClientSecret must not be a plaintext string or a Ref to a NoEcho Parameter with a Default value.
F75 Alexa ASK Skill AuthenticationConfiguration RefreshToken must not be a plaintext string or a Ref to a NoEcho Parameter with a Default value.

No harmful dependency conflicts

W65 GameLift fleet EC2InboundPermissions found with port range instead of just a single port
W66 To avoid opening all ports for Allow rules, EC2 NetworkACL Entry Protocol should be either 6 (for TCP), 17 (for UDP), 1 (for ICMP), or 58 (for ICMPv6, which must include an IPv6 CIDR block, ICMP type, and code).
W67 TCP/UDP protocol NetworkACL entries possibly should not allow all ports.
W68 AWS::ApiGateway::Deployment resources should be associated with an AWS::ApiGateway::UsagePlan.

No harmful dependency conflicts

No harmful dependency conflicts

No harmful dependency conflicts