…I3042) + engines (W3002/W3011/E3045)
…3505/E3049/E3054/E3048/W2533) + remove I3037
…urce (F3020 via ext) + remove E3040
…schemas, update stale tests for corrected behavior
…int: 0 on corpus, fire on genuine cases); scrub cfn-lint refs from code comments; add I2003 lookahead handling
…iagnostics; FP 23->20
…1028 paths; regen collision fixtures from current cfn-lint; FP 18->14
…quals args), E9004 (E1017 alias)
…ing collapse F3003 (required-property): skip the generic empty-object required-property check when the property is structurally an Fn::If. The branch-aware rule already emits the diagnostic at the branch-qualified path (<prop>.Fn::If.<idx>); the generic check duplicated it at the un-qualified property path.

I3042 (hardcoded-partition ARN): collapse hardcoded-partition ARN findings that are list siblings of one property to the lowest index. List-sibling Fn::Sub ARNs share a single source location, so they are one observable finding rather than several. Applied at the resolver->model boundary so both the CEL and Rego engines inherit it identically.

Precision now 100% (FP=0) on both engines with full parity; golden file and detailed reports regenerated.
The fixture loader scanned only two directory levels, so result fixtures under good/resources/properties/ (and other deeply-nested dirs) were never loaded. Templates without a loaded fixture fall into engine_only and are excluded from the false-positive tally, which masked genuine engine false positives and produced a misleading FP=0. Recursing with rglob loads 456 fixtures (was 405) and surfaces the true FP=7 across 5 rules.
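The masking effect described in the commit message above, as an added example (not code from this pull request): a loader limited to two directory levels never sees a deeply nested fixture, so its template lands in engine_only and a real false positive drops out of the tally. The corpus layout, file names and function names are constructed for illustration.

```python
import tempfile
from pathlib import Path

# Constructed corpus (hypothetical names): fixture path -> whether the engine
# emitted a finding for that template that the expected results do not contain.
SAMPLE = {
    "good/basic.json": False,
    "good/resources/iam_role.json": False,
    "good/resources/properties/novalue_list.json": True,  # genuine engine FP
}

def build_corpus(root: Path) -> None:
    """Write one empty expected-result fixture per sample template."""
    for rel in SAMPLE:
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("[]")

def load_shallow(root: Path) -> set:
    """Scan at most two directory levels below root (the masked behaviour)."""
    found = list(root.glob("*/*.json")) + list(root.glob("*/*/*.json"))
    return {p.relative_to(root).as_posix() for p in found}

def load_recursive(root: Path) -> set:
    """Scan every depth with rglob (the corrected behaviour)."""
    return {p.relative_to(root).as_posix() for p in root.rglob("*.json")}

def tally(loaded: set):
    """Only templates with a loaded fixture can count as false positives;
    the rest are reported as engine_only and excluded from the FP figure."""
    fp = sum(1 for name, extra in SAMPLE.items() if extra and name in loaded)
    engine_only = sorted(name for name in SAMPLE if name not in loaded)
    return fp, engine_only

def compare():
    """Return (shallow_result, recursive_result) over the same corpus."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_corpus(root)
        return tally(load_shallow(root)), tally(load_recursive(root))

if __name__ == "__main__":
    shallow, recursive = compare()
    print("two-level scan :", shallow)
    print("recursive scan :", recursive)
```

A non-empty engine_only list is the signal to check before trusting an FP=0 result: every template in it was never compared against expected findings.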
After the comparison harness was fixed to load all fixture dirs, FP rose from a masked 0 to a true 7. This resolves them:

- F1020 (×3): cfn-lint's single E1010 GetAtt rule also covers a missing target *resource*, which the engine reports as F1020. Added F1020 to the E1010 alias group so the engine's correct finding matches (audit table).
- F3014: the exactly-one-of check counted a property whose value is AWS::NoValue as present. Exclude null-resolving members from the tally.
- F3037: array-uniqueness treated AWS::NoValue (null) list items as members, flagging two NoValue-collapsed Fn::If branches as duplicates. Skip nulls, which CloudFormation strips at deploy time.
- F3012: a wrong-typed property wrapping an Fn::If emitted the same property-level type error once per branch scenario. Report it once per path.
- W2511: fired for any policy Version != 2012-10-17 (incl. invalid values, which are a schema concern). Restrict to the older-but-valid 2008-10-17, matching the upgrade-suggestion semantics. CEL + Rego.

True FP=0 on both engines over the full corpus (456 fixtures); precision 100%, parity verified, golden regenerated. Adds 5 regression tests.

Resolve all clippy lints under -D warnings:

- conditions.rs: collapse FindInMap match arm into the outer Node match
- cel intrinsics.rs: fold the nested GetAtt-attribute if into its else-if chain
- cel resources_extra.rs: collapse the Ref/parameter if-let
- cel structure.rs: simplify the logical-ID boolean via De Morgan's

All behavior-preserving; 1283 workspace tests pass. Also includes rustfmt line-rewrapping applied across previously-touched files.
F0014 is the single structural-validity rule for all boolean condition functions (Fn::Equals, Fn::And, Fn::Or, Fn::Not) — cfn-lint splits these across E8003/E8004/E8005/E8006. The old description named only Fn::Equals, which misrepresented the rule when it fires for And/Or/Not.
Issue #, if available:
Description of changes:
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.