diff --git a/.trivyignore.yaml b/.trivyignore.yaml
index 3cc8bce..c8a5f69 100644
--- a/.trivyignore.yaml
+++ b/.trivyignore.yaml
@@ -23,3 +23,12 @@ vulnerabilities:
   - id: CVE-2025-61729
     statement: downstream dependency for asdf/go - waiting for new asdf release
     expired_at: 2026-06-01
+  - id: CVE-2025-61726
+    statement: downstream dependency for asdf/go - waiting for new asdf release
+    expired_at: 2026-06-01
+  - id: CVE-2025-61728
+    statement: downstream dependency for asdf/go - waiting for new asdf release
+    expired_at: 2026-06-01
+  - id: CVE-2026-25128
+    statement: downstream dependency for fast-xml-parser - waiting for aws-sdk release
+    expired_at: 2026-06-01
diff --git a/packages/cdkConstructs/src/constructs/PythonLambdaFunction.ts b/packages/cdkConstructs/src/constructs/PythonLambdaFunction.ts
index 63775ad..c49db86 100644
--- a/packages/cdkConstructs/src/constructs/PythonLambdaFunction.ts
+++ b/packages/cdkConstructs/src/constructs/PythonLambdaFunction.ts
@@ -17,6 +17,7 @@ import {
 } from "aws-cdk-lib/aws-lambda"
 import {join} from "node:path"
 import {createSharedLambdaResources} from "./lambdaSharedResources"
+import {addSuppressions} from "../utils/helpers"
 
 export interface PythonLambdaFunctionProps {
   /**
@@ -207,15 +208,11 @@ export class PythonLambdaFunction extends Construct {
 
     // Suppress CFN guard rules for Lambda function
     const cfnLambda = lambdaFunction.node.defaultChild as CfnFunction
-    cfnLambda.cfnOptions.metadata = {
-      guard: {
-        SuppressedRules: [
-          "LAMBDA_DLQ_CHECK",
-          "LAMBDA_INSIDE_VPC",
-          "LAMBDA_CONCURRENCY_CHECK"
-        ]
-      }
-    }
+    addSuppressions([cfnLambda], [
+      "LAMBDA_DLQ_CHECK",
+      "LAMBDA_INSIDE_VPC",
+      "LAMBDA_CONCURRENCY_CHECK"
+    ])
 
     // Create policy for external services to invoke this Lambda
     const executionManagedPolicy = new ManagedPolicy(this, "ExecuteLambdaManagedPolicy", {
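Review bot: The three new ignore entries record only a free-text reason and an `expired_at` date, so when 2026-06-01 lapses the reviewer has nothing concrete to verify the "waiting for release" claim against. Each `statement` would be more useful if it named the package and version actually pulled in and pointed at the upstream issue or release expected to carry the fix, e.g. `statement: downstream dependency for fast-xml-parser - waiting for aws-sdk release (tracking <ISSUE-URL>)`. Since the statements describe these as downstream dependencies, noting whether the affected package ends up in a deployed artifact or is only build tooling would also make the accepted risk explicit rather than implied.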
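Review bot: The new `addSuppressions([cfnLambda], [...])` call no longer shows whether the helper merges into `cfnOptions.metadata` or overwrites it the way the removed assignment did; if it merges, metadata already present on the resource now survives, which is a behaviour change, and either way a one-line comment here such as `// addSuppressions sets cfnOptions.metadata.guard.SuppressedRules — confirm whether it merges or replaces existing metadata` would make the contract visible (the same applies to the TypescriptLambdaFunction and lambdaSharedResources hunks). The three-rule list is now duplicated verbatim between this hunk and the TypescriptLambdaFunction hunk; a shared constant in the `../config` module that lambdaSharedResources already imports from, e.g. `export const LAMBDA_GUARD_SUPPRESSED_RULES = ["LAMBDA_DLQ_CHECK", "LAMBDA_INSIDE_VPC", "LAMBDA_CONCURRENCY_CHECK"] as const`, would keep the two constructs from drifting. The existing `// Suppress CFN guard rules for Lambda function` comment would also read better with the reason each rule is accepted, since every function built by this construct is exempted from the DLQ, VPC and reserved-concurrency checks. The enclosing method continues outside the hunk.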
diff --git a/packages/cdkConstructs/src/constructs/TypescriptLambdaFunction.ts b/packages/cdkConstructs/src/constructs/TypescriptLambdaFunction.ts
index 6fcd376..ff8c5de 100644
--- a/packages/cdkConstructs/src/constructs/TypescriptLambdaFunction.ts
+++ b/packages/cdkConstructs/src/constructs/TypescriptLambdaFunction.ts
@@ -15,6 +15,7 @@ import {NodejsFunction, NodejsFunctionProps} from "aws-cdk-lib/aws-lambda-nodejs
 import {Construct} from "constructs"
 import {join} from "node:path"
 import {createSharedLambdaResources} from "./lambdaSharedResources"
+import {addSuppressions} from "../utils/helpers"
 
 export interface TypescriptLambdaFunctionProps {
   /**
@@ -231,15 +232,11 @@ export class TypescriptLambdaFunction extends Construct {
     })
 
     const cfnLambda = lambdaFunction.node.defaultChild as CfnFunction
-    cfnLambda.cfnOptions.metadata = {
-      guard: {
-        SuppressedRules: [
-          "LAMBDA_DLQ_CHECK",
-          "LAMBDA_INSIDE_VPC",
-          "LAMBDA_CONCURRENCY_CHECK"
-        ]
-      }
-    }
+    addSuppressions([cfnLambda], [
+      "LAMBDA_DLQ_CHECK",
+      "LAMBDA_INSIDE_VPC",
+      "LAMBDA_CONCURRENCY_CHECK"
+    ])
 
     const executionManagedPolicy = new ManagedPolicy(this, "ExecuteLambdaManagedPolicy", {
       description: `execute lambda ${functionName}`,
diff --git a/packages/cdkConstructs/src/constructs/lambdaSharedResources.ts b/packages/cdkConstructs/src/constructs/lambdaSharedResources.ts
index 65da9a4..c85efc2 100644
--- a/packages/cdkConstructs/src/constructs/lambdaSharedResources.ts
+++ b/packages/cdkConstructs/src/constructs/lambdaSharedResources.ts
@@ -13,6 +13,7 @@ import {
 } from "aws-cdk-lib/aws-iam"
 import {NagSuppressions} from "cdk-nag"
 import {LAMBDA_INSIGHTS_LAYER_ARNS} from "../config"
+import {addSuppressions} from "../utils/helpers"
 
 export interface SharedLambdaResourceProps {
   readonly functionName: string
@@ -65,13 +66,7 @@ export const createSharedLambdaResources = (
   })
 
   const cfnlogGroup = logGroup.node.defaultChild as CfnLogGroup
-  cfnlogGroup.cfnOptions.metadata = {
-    guard: {
-      SuppressedRules: [
-        "CW_LOGGROUP_RETENTION_PERIOD_CHECK"
-      ]
-    }
-  }
+  addSuppressions([cfnlogGroup], ["CW_LOGGROUP_RETENTION_PERIOD_CHECK"])
 
   new CfnSubscriptionFilter(scope, "LambdaLogsSplunkSubscriptionFilter", {
     destinationArn: splunkDeliveryStream.streamArn,