Patch release v2.0.2

CHANGELOG.md

@@ -5,6 +5,15 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [2.0.2] - 2023-10-24
+
+### Security
+
+- Upgraded @babel/traverse to mitigate CVE-2023-45133
+- Upgraded urllib3 to mitigate CVE-2023-45803
+- Upgraded aws-cdk-lib to mitigate CVE-2023-35165
+- Upgraded @cdklabs/cdk-ssm-documents to mitigate CVE-2023-26115
+
 ## [2.0.1] - 2023-04-20
 
 ### Fixed

CODE_OF_CONDUCT.md

@@ -1,4 +1,4 @@
 ## Code of Conduct
 This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct). 
 For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact 
-opensource-codeofconduct@amazon.com with any additional questions or comments.
+opensource-codeofconduct@amazon.com with any additional questions or comments.

NOTICE.txt

@@ -1,4 +1,5 @@
 Automated Security Response on AWS
+
 Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 Licensed under the Apache License Version 2.0 (the "License"). You may not use this file except
 in compliance with the License. A copy of the License is located at http://www.apache.org/licenses/
@@ -45,9 +46,31 @@ pytest under the MIT License
 pytest-cov under the MIT License
 pytest-env under the MIT License
 pytest-mock under the MIT License
-python-dateutil under the Apache License 2.0 and the BSD 3-Clause "New" or "Revised" License
+python-dateutil under the Apache License 2.0 and the BSD 3-Clause
 s3transfer under the Apache License 2.0
 setuptools under the MIT License
 six under the MIT License
 urllib3 under the MIT License
 virtualenv under the MIT License
+Jinja2 under the BSD 3-Clause
+MarkupSafe under the BSD 3-Clause
+Werkzeug under the BSD 3-Clause
+boolean.py under the BSD-2-Clause
+botocore-stubs under the MIT License
+cffi under the MIT License
+coverage under the Apache License 2.0
+cryptography under the Apache License 2.0 and the BSD 3-Clause
+exceptiongroup under the MIT License
+iniconfig under the MIT License
+license-expression under the Apache License 2.0
+mypy-boto3-s3 under the MIT License
+pluggy under the MIT License
+py-partiql-parser under the MIT License
+pycparser under the BSD 3-Clause
+responses under the Apache License 2.0
+tomli under the MIT License
+types-PyYAML under the Apache License 2.0
+types-awscrt under the MIT License
+types-s3transfer under the MIT License
+typing_extensions under the  Python Software Foundation License
+xmltodict under the MIT License

deployment/testing_requirements.txt

@@ -5,12 +5,4 @@ pytest
 pytest-cov
 pytest-env
 pytest-mock
-## boto3 and botocore should match Lambda runtime: https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html
-boto3==1.20.32
-botocore==1.23.32
-## jmespath, python-dateutil, s3transfer, six, and urllib3 should match Lambda runtime
-jmespath==0.10.0
-python-dateutil==2.8.2
-s3transfer==0.5.2
-six==1.16.0
-urllib3==1.26.11
+urllib3<2

source/lib/__snapshots__/member-stack.test.ts.snap

@@ -980,6 +980,16 @@ exports[`member stack snapshot matches 1`] = `
       "DependsOn": [
         "WaitProviderRole83B0295F",
       ],
+      "Metadata": {
+        "cdk_nag": {
+          "rules_to_suppress": [
+            {
+              "id": "AwsSolutions-L1",
+              "reason": "Will upgrade in next release to prioritize patch",
+            },
+          ],
+        },
+      },
       "Properties": {
         "Code": {
           "S3Bucket": {

source/lib/member/redshift-audit-logging.ts

@@ -30,7 +30,7 @@ export class RedshiftAuditLogging extends Construct {
       expression: Fn.conditionEquals(templateParam.valueAsString, ChoiceParam.Yes),
     });
 
-    const bucket = new Bucket(scope, 'S3BucketForRedShiftAuditLogging', {
+    const bucket = new Bucket(scope, 'S3BucketForRedShiftAuditLogging', { //NOSONAR The policy attached to this bucket enforces SSL.
       encryption: BucketEncryption.S3_MANAGED,
       publicReadAccess: false,
       blockPublicAccess: BlockPublicAccess.BLOCK_ALL,

source/lib/solution_deploy-stack.ts

@@ -276,6 +276,13 @@ export class SolutionDeployStack extends cdk.Stack {
       };
     }
 
+    cdk_nag.NagSuppressions.addResourceSuppressions(checkSSMDocState, [
+      {
+        id: "AwsSolutions-L1",
+        reason: "Will upgrade in next release to prioritize patch",
+      },
+    ]);
+
     /**
      * @description getApprovalRequirement - determine whether manual approval is required
      * @type {lambda.Function}
@@ -325,6 +332,13 @@ export class SolutionDeployStack extends cdk.Stack {
       };
     }
 
+    cdk_nag.NagSuppressions.addResourceSuppressions(getApprovalRequirement, [
+      {
+        id: "AwsSolutions-L1",
+        reason: "Will upgrade in next release to prioritize patch",
+      },
+    ]);
+
     /**
      * @description execAutomation - initiate an SSM automation document in a target account
      * @type {lambda.Function}
@@ -373,6 +387,13 @@ export class SolutionDeployStack extends cdk.Stack {
       };
     }
 
+    cdk_nag.NagSuppressions.addResourceSuppressions(execAutomation, [
+      {
+        id: "AwsSolutions-L1",
+        reason: "Will upgrade in next release to prioritize patch",
+      },
+    ]);
+
     /**
      * @description monitorSSMExecState - get the status of an ssm execution
      * @type {lambda.Function}
@@ -421,6 +442,13 @@ export class SolutionDeployStack extends cdk.Stack {
       };
     }
 
+    cdk_nag.NagSuppressions.addResourceSuppressions(monitorSSMExecState, [
+      {
+        id: "AwsSolutions-L1",
+        reason: "Will upgrade in next release to prioritize patch",
+      },
+    ]);
+
     /**
      * @description Policy for role used by common Orchestrator notification lambda
      * @type {Policy}
@@ -555,6 +583,13 @@ export class SolutionDeployStack extends cdk.Stack {
       };
     }
 
+    cdk_nag.NagSuppressions.addResourceSuppressions(sendNotifications, [
+      {
+        id: "AwsSolutions-L1",
+        reason: "Will upgrade in next release to prioritize patch",
+      },
+    ]);
+
     //-------------------------------------------------------------------------
     // Custom Lambda Policy
     //
@@ -669,6 +704,13 @@ export class SolutionDeployStack extends cdk.Stack {
       },
     };
 
+    cdk_nag.NagSuppressions.addResourceSuppressions(createCustomAction, [
+      {
+        id: "AwsSolutions-L1",
+        reason: "Will upgrade in next release to prioritize patch",
+      },
+    ]);
+
     const orchestrator = new OrchestratorConstruct(this, 'orchestrator', {
       roleArn: orchestratorRole.roleArn,
       ssmDocStateLambda: checkSSMDocState.functionArn,

source/lib/wait-provider.ts

@@ -75,7 +75,7 @@ export class WaitProvider extends Construct {
       },
     ]);
 
-    const lambdaFunction = new Function(scope, `${id}Function`, {
+    const lambdaFunction = new Function(scope, `${id}Function`, { //NOSONAR This is not unknown code.
       role,
       runtime: props.runtimePython,
       code: Code.fromBucket(
@@ -87,6 +87,13 @@ export class WaitProvider extends Construct {
       timeout: Duration.minutes(15),
     });
 
+    NagSuppressions.addResourceSuppressions(lambdaFunction, [
+      {
+        id: "AwsSolutions-L1",
+        reason: "Will upgrade in next release to prioritize patch",
+      },
+    ]);
+
     return new WaitProvider(scope, id, { serviceToken: lambdaFunction.functionArn });
   }
 }