@aws-c2a/rules
@aws-c2a/engine is a package that the toolkit consumes to analyze two CloudFormation templates, extract their differences and produce a report of changes, customizable with a rules language.
The platform-mapping directory holds parsers that transform an artifact into an InfraModel - in this case, CloudFormation templates.
The CloudFormation parser takes any CloudFormation template and generates an InfraModel.
The type of CloudFormation entity (e.g. Resource, Parameter, Output) gets mapped to the type of Component. In the case of CloudFormation resources, in particular, their type gets mapped to the Component's subtype (i.e. an AWS Lambda Function resource generates a Component with type "Resource" and subtype "AWS::Lambda::Function").
The CloudFormation parser builds instances of CFEntity's subclasses, which have the responsibility of properly building the respective Components, Property Values, and outgoing Dependency Relationships.
The CFRef class extracts references to entities in an entity's declaration, from the used intrinsic functions and resources' DependsOn field.
The following image is an example of the created relationships:
Parsing CDK-generated CloudFormation templates begins by using the CloudFormation parser and adding a Component for each CDK Construct (extracted from the CloudFormation resources metadata). Afterwards, the stack Component and its Structural Relationships are removed and the CDK Construct Components are connected to the corresponding CloudFormation resource Components, as seen here:
The process of diffing InfraModels is contained in the model-diffing directory.
In the context of AWS CDK/CloudFormation, this is where we extract the operations (changes) that occurred between the old CloudFormation template and the new one.
The basic diff is created in model-diffing/diff-creator.ts. It groups components of the same type and subtype and matches them based on their name and similarity. This similarity is calculated by comparing the properties of each component, in model-diffing/property-diff.ts.
Since detecting property operations and determining their similarity require the same underlying logic, they are both done simultaneously in model-diffing/property-diff.ts. A few notes on how this property diffing currently works:
{
a: {b: "string", c: "string"},
d: "string"
}
Let's consider that the string value of key "d" has been changed and that the similarity between its new and old value is 0.5. The value of key "a", however, has similarity 1 because it has not been changed. The similarity of the full properties is the weighted average of both: "a" has a weight of 4 (it holds 4 unchanged values with similarity 1: two keys and two values) and "d" has a weight of 1 (it holds only one primitive value). The similarity for this example is 1*(4/5)+0.5*(1/5)=0.9.
change-propagator.ts is responsible for taking the observed changes and propagating them. This means:
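The similarity computation walked through above for the "a"/"d" example, as an added TypeScript example that is not the project's own property-diff code: it generalizes the weighting rule to arbitrarily nested objects and arrays (the array weighting is an assumption), and the 0.5 similarity for the changed string is passed in as a leaf-similarity function, exactly as the page assumes it.

```typescript
// Added example (not the project's own code) of the weighted-average similarity described above.
type Prop = string | number | boolean | null | Prop[] | { [key: string]: Prop };
type LeafSim = (oldValue: Prop, newValue: Prop) => number;
type Entry = { key: string; value: Prop };
// Entries of a container, or null for a primitive.
function entriesOf(p: Prop): Entry[] | null {
  if (Array.isArray(p)) return p.map((value, i) => ({ key: String(i), value }));
  if (typeof p === "object" && p !== null) { const o = p; return Object.keys(o).map((key) => ({ key, value: o[key] })); }
  return null;
}

// A primitive weighs 1; an object weighs its keys plus its values ({b, c} weighs 4);
// an array weighs the sum of its elements (assumption: indices are not counted as keys).
function weight(p: Prop): number {
  const entries = entriesOf(p);
  if (entries === null) return 1;
  const keyWeight = Array.isArray(p) ? 0 : 1;
  return entries.reduce((sum, e) => sum + keyWeight + weight(e.value), 0);
}

// Weighted average of per-entry similarities; an entry present on one side only scores 0.
function similarity(oldP: Prop, newP: Prop, leafSim: LeafSim): number {
  const oldE = entriesOf(oldP), newE = entriesOf(newP);
  if (oldE === null || newE === null || Array.isArray(oldP) !== Array.isArray(newP)) {
    return oldP === newP ? 1 : oldE === null && newE === null ? leafSim(oldP, newP) : 0;
  }
  const byKey: { [key: string]: { o?: Prop; n?: Prop } } = {};
  oldE.forEach((e) => { byKey[e.key] = { o: e.value }; });
  newE.forEach((e) => { byKey[e.key] = { ...byKey[e.key], n: e.value }; });
  let weighted = 0, total = 0;
  for (const key of Object.keys(byKey)) {
    const { o, n } = byKey[key];
    if (o !== undefined && n !== undefined) {
      const w = Math.max(weight(o), weight(n));
      weighted += similarity(o, n, leafSim) * w;
      total += w;
    } else {
      total += weight((o === undefined ? n : o) as Prop);
    }
  }
  return total === 0 ? 1 : weighted / total;
}

// The page's example: only "d" changes, and its string similarity is taken to be 0.5 as the page does.
const pageSimilarity = similarity(
  { a: { b: "string", c: "string" }, d: "string" },
  { a: { b: "string", c: "string" }, d: "other" },
  (o, n) => (o === n ? 1 : 0.5), // constructed leaf similarity reproducing the page's assumption
); // 1 * (4/5) + 0.5 * (1/5) = 0.9
```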
Aggregations are structures that group Operations (changes) in a tree-like structure based on their characteristics, according to a given configuration. They are used to collapse changes when presenting them in an interface. Take the following example:
These are resulting aggregations that narrow down operations by:
The characteristics that should be grouped at each level, and how, are described in aggregations/component-operation/module-tree.ts. Aggregation modules define how to split a group of operations, and a module tree is a configuration of these modules that is used to generate the aggregations.
Users can write rules that classify the risk of each change and decide whether it should be automatically approved or rejected. These rules are based on a custom grammar in JSON syntax. Take the following example of a rule:
{
"description": "Allow all insert operations",
"let": {
"insertChange": { "change": {"type": "INSERT" } }
},
"effect": {
"target": "insertChange",
"risk": "low",
"action": "approve"
}
}
This is a very simple rule that sets automatic approval and low risk for all operations of type "INSERT". It is broken down below:
Below is a more complex rule:
{
"description": "CLOUDFRONT",
"let": {"cf": { "Resource": "AWS::CloudFront::Distribution" } },
"then": [{
"description": "Cloudfront Distributions origin changes are risky",
"let": {
"change": { "change": {}, "where": "change appliesTo cf.Properties.DistributionConfig.Origins" }
},
"effect": {
"risk": "high"
}
}, {
"description": "Cloudfront Distributions origin protocol security can increase",
"let": {
"change": { "change": {}, "where": [
"change appliesTo cf.Properties.DistributionConfig.Origins.*.OriginProtocolPolicy",
"change.old == 'http-only'",
"change.new == 'https-only'"
]
}
},
"effect": {
"risk": "low",
"action": "approve"
}
}]
}
In this rule, the "then" field is also used, which allows applying sub-rules that have access to the identifiers declared in their parent.
Component and Property objects allow accessing their inner properties by using the dot (".") notation. For example, component.someArray.*.property corresponds to all values of key "property" in the elements of array "someArray" inside "component".
You can also notice that queries can have a "where" field specifying further conditions, such as checking whether a change applies to a given object (Component or Property) with the "appliesTo" operator, or comparing the old and new values of a change to a property with the ".old" and ".new" accessors and the "==" operator.
This rules language finds the objects in the graph generated from the InfraModelDiff and traverses its edges when relating objects, such as when navigating properties or checking whether a change applies to an object.
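A worked evaluation of the rules above, as an added TypeScript example that is not the project's rule processor: it interprets the "let"/"where"/"effect" shape shown on the page over a few constructed changes, with the simplifications listed in the leading comment (a change path is assumed to start with the rule identifier, and the "then" sub-rules are flattened).

```typescript
// Added example (not the project's own code): a small interpreter for the rule shape shown above.
// Assumptions: a change's path is "<identifier>.<property path>", so "cf" names a component directly
// instead of being bound through {"Resource": ...}; "where" supports "X appliesTo <path>",
// "X.old == 'v'" and "X.new == 'v'"; "then" sub-rules are listed flat, later rules overriding earlier verdicts.
type Change = { type: "INSERT" | "REMOVE" | "UPDATE"; path: string; old?: string; new?: string };
type Effect = { target?: string; risk: "low" | "high"; action?: "approve" | "reject" };
type Query = { change: { type?: Change["type"] }; where?: string | string[] };
type Rule = { description: string; let: { [name: string]: Query }; effect: Effect };

// "a.b.*.c" matches "a.b.0.c" and anything below it; "*" stands for exactly one path segment.
function appliesTo(changePath: string, pattern: string): boolean {
  const segs = pattern.split(".").map((s) => (s === "*" ? "[^.]+" : s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&")));
  return new RegExp("^" + segs.join("\\.") + "(\\.|$)").test(changePath);
}
// One "where" condition, evaluated for the change bound to identifier `name`.
function holds(cond: string, name: string, c: Change): boolean {
  const byPath = /^(\w+) appliesTo (\S+)$/.exec(cond);
  if (byPath) return byPath[1] === name && appliesTo(c.path, byPath[2]);
  const byValue = /^(\w+)\.(old|new) == '([^']*)'$/.exec(cond);
  if (byValue) return byValue[1] === name && c[byValue[2] as "old" | "new"] === byValue[3];
  throw new Error("unsupported condition: " + cond);
}

function classify(rules: Rule[], changes: Change[]): { [path: string]: Effect } {
  const verdicts: { [path: string]: Effect } = {};
  for (const c of changes) for (const rule of rules) for (const name of Object.keys(rule.let)) {
    const q = rule.let[name];
    if (rule.effect.target !== undefined && rule.effect.target !== name) continue;
    if (q.change.type !== undefined && q.change.type !== c.type) continue;
    const conds = q.where === undefined ? [] : ([] as string[]).concat(q.where);
    if (conds.every((cond) => holds(cond, name, c))) verdicts[c.path] = rule.effect;
  }
  return verdicts;
}

// The page's rules (flattened) applied to three constructed changes.
const rules: Rule[] = [
  { description: "Allow all insert operations", let: { insertChange: { change: { type: "INSERT" } } },
    effect: { target: "insertChange", risk: "low", action: "approve" } },
  { description: "Cloudfront Distributions origin changes are risky",
    let: { change: { change: {}, where: "change appliesTo cf.Properties.DistributionConfig.Origins" } },
    effect: { risk: "high" } },
  { description: "Cloudfront Distributions origin protocol security can increase",
    let: { change: { change: {}, where: ["change appliesTo cf.Properties.DistributionConfig.Origins.*.OriginProtocolPolicy",
      "change.old == 'http-only'", "change.new == 'https-only'"] } },
    effect: { risk: "low", action: "approve" } },
];
const sampleChanges: Change[] = [
  { type: "INSERT", path: "bucket.Properties.VersioningConfiguration" },
  { type: "UPDATE", path: "cf.Properties.DistributionConfig.Origins.0.DomainName", old: "a.example", new: "b.example" },
  { type: "UPDATE", path: "cf.Properties.DistributionConfig.Origins.0.OriginProtocolPolicy", old: "http-only", new: "https-only" },
];
const verdicts = classify(rules, sampleChanges);
```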
FAQs
The rules language and processor for CDK Change Analyzer
The npm package @aws-c2a/rules receives a total of 0 weekly downloads. As such, @aws-c2a/rules popularity was classified as not popular.
We found that @aws-c2a/rules demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.