Releases: SonarSource/sonar-iac

1.4.0.1294

15 Nov 16:19
d5088c9

New Feature

  • [SONARIAC-196] - Rule S4423: Weak SSL/TLS protocols should not be used (for API Gateway domain names)
  • [SONARIAC-198] - Rule S5332: Using clear-text protocols is security-sensitive (for Elasticsearch domain)
  • [SONARIAC-200] - Rule S4423: Weak SSL/TLS protocols should not be used (for Elasticsearch domain endpoints)
  • [SONARIAC-204] - Rule S5332: Using clear-text protocols is security-sensitive (for MSK internal communications)
  • [SONARIAC-205] - Rule S5332: Using clear-text protocols is security-sensitive (for ECS Task Definitions)
  • [SONARIAC-213] - Rule S5332: Using clear-text protocols is security-sensitive (for Elasticache Replication Group)
  • [SONARIAC-216] - Rule S5332: Using clear-text protocols is security-sensitive (for Kinesis Data Streams)
  • [SONARIAC-219] - Rule S5332: Using clear-text protocols is security-sensitive (for AWS Load Balancer Listeners)
  • [SONARIAC-222] - Rule S6258: Disabling logging is security-sensitive (X-Ray tracing on AWS API Gateway)
  • [SONARIAC-225] - Rule S6258: Disabling logging is security-sensitive (for API Gateway Stages)
  • [SONARIAC-228] - Rule S6258: Disabling logging is security-sensitive (AWS MSK)
  • [SONARIAC-231] - Rule S6258: Disabling logging is security-sensitive (for Neptune)
  • [SONARIAC-234] - Rule S6258: Disabling logging is security-sensitive (AWS DocDB)
  • [SONARIAC-237] - Rule S6258: Disabling logging is security-sensitive (for MQ)
  • [SONARIAC-240] - Rule S6258: Disabling logging is security-sensitive (for RedShift Clusters)
  • [SONARIAC-243] - Rule S6258: Disabling logging is security-sensitive (for Global Accelerator)
  • [SONARIAC-245] - Rule S6258: Disabling logging is security-sensitive (AWS OpenSearch/ES Domains)
  • [SONARIAC-248] - Rule S6258: Disabling logging is security-sensitive (CloudFront Distributions)
  • [SONARIAC-251] - Rule S6258: Disabling logging is security-sensitive (Elastic Load Balancing v1)
  • [SONARIAC-254] - Rule S6258: Disabling logging is security-sensitive (Elastic Load Balancing v2)
  • [SONARIAC-257] - Rule S6364: Reducing Backup retention duration is security-sensitive (AWS RDS)

False-Positive

  • [SONARIAC-260] - Rule S6304: no issue should be raised for KMS key policies

False Negative

  • [SONARIAC-267] - S6321 Terraform should consider all ingress blocks

1.3.0.1016

15 Oct 13:47
5f91ab0

This static code analyzer for Infrastructure-as-Code (IaC) languages such as CloudFormation and Terraform is now open source. It can be used on a SonarQube platform, and it runs the IaC features on SonarCloud.

1.2.0.976

22 Sep 09:06
092df81
Release Notes - SonarIac - Version 1.2.0.976

New Feature

  • [SONARIAC-170] - S6317: AWS IAM policies should not allow privilege escalation
  • [SONARIAC-192] - Make rules activated by default for CloudFormation and Terraform on SonarCloud

Task

Improvement

  • [SONARIAC-124] - S6302 Having AWS policies that grant all privileges is security-sensitive
  • [SONARIAC-137] - Update S6270 to be more generic targeting all AWS resources
  • [SONARIAC-142] - S6304 Having AWS policies that grant access to all resources of an account is security-sensitive
  • [SONARIAC-162] - S6321: Administration services access should be restricted to specific IP addresses
  • [SONARIAC-172] - S6329 Assigning public IP address to an AWS resource is security-sensitive
  • [SONARIAC-181] - S6333: Creating public APIs is security-sensitive
  • [SONARIAC-193] - Terraform S6281 should raise on configurations which cannot be connected to a bucket
  • [SONARIAC-194] - S6281: Update issue message

1.1.0.861

10 Sep 13:24
5b9e6fc

Detect security problems related to Encryption At Rest on AWS IaC files:

  • SONARIAC-125 - S6275 Using unencrypted EBS volumes is security-sensitive
  • SONARIAC-144 - S6303 Using unencrypted RDS databases is security-sensitive
  • SONARIAC-149 - S6308 Using unencrypted Elasticsearch domains is security-sensitive
  • SONARIAC-164 - S6319 Using unencrypted SageMaker notebook instances is security-sensitive
  • SONARIAC-167 - S6327 Using unencrypted SNS topics is security-sensitive
  • SONARIAC-173 - S6330 Using unencrypted SQS queues is security-sensitive
  • SONARIAC-178 - S6332 Using unencrypted EFS file systems is security-sensitive

Fix false-positives:

  • SONARIAC-184 - S6294[CF] Associate resources and log groups using simple string match
  • SONARIAC-188 - S6249[CF] Improve unsecure resource detection of bucket policy
  • SONARIAC-189 - S6255[TF] Do not raise issue on S3 buckets created with default config about versioning

1.0.1.763

02 Aug 14:23
f07a019
  • [SONARIAC-186] - Remove the dependency on guava through sslr-toolkit

1.0.0.746

20 Jul 08:49
3e85f74

Initial release of the plugin to highlight and analyze Terraform and CloudFormation files.