Description
What is the problem?
Within our team we have a shared cdk package that we use in different projects. I tried to locally install the package with an `npm install ../cdk-helper-package`.
In the main project we create cdk resources (using the helper package) and afterwards add nag suppressions.
I noticed that the nag suppressions were not applied after installing the package locally.
Reproduction Steps
Create a package that exports a class or function that creates a cdk resource.
Locally install the package in another project.
In the other project use the class or function to create the cdk resource and use addResourceSuppressions to add a nag suppression on the resource.
What did you expect to happen?
I expect the suppression to be applied like it does when the helper package is installed from a remote repository.
What actually happened?
The suppression is not applied. It is not part of the CloudFormation template metadata and nag warnings are triggered.
cdk-nag version
2.37.55
Language
Typescript
Other information
This probably happens because the addResourceSuppressions function uses the instanceof operator to check for CfnResources. Having the helper package generate a resource with its version of cdk-libs, which is different than the one used in the main project, results in a false outcome.
Using `CfnResource.isCfnResource(possibleL1)` will probably fix this.
I tested this theory with the following checks:
```ts
resource instanceof cdk.CfnResource // false
resource.node.defaultChild instanceof cdk.CfnResource // false
cdk.CfnResource.isCfnResource(resource) // false
cdk.CfnResource.isCfnResource(resource.node.defaultChild) // true
```
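The failure mode described in this issue, as an added example that is not part of the original report and is not cdk-nag or aws-cdk-lib code: two copies of the same class are distinct constructors, so an `instanceof` gate silently skips a suppression for a resource built by the other copy. `loadLibCopy`, the `Symbol.for` brand, the `suppressed` field, and the rule id are assumptions made for illustration.

```typescript
// Brand shared through the global symbol registry, so every copy of the
// library resolves the same symbol (hypothetical name).
const CFN_BRAND = Symbol.for("example.CfnResource");

// Each call models one installed copy of a construct library: one in the
// app's node_modules, one inside the locally installed helper package.
function loadLibCopy() {
  class CfnResource {
    readonly suppressed: string[] = [];
    constructor() {
      Object.defineProperty(this, CFN_BRAND, { value: true });
    }
    // Brand check: looks at the object, not at which constructor built it.
    static isCfnResource(x: unknown): x is CfnResource {
      return typeof x === "object" && x !== null && CFN_BRAND in x;
    }
  }
  // L2-style wrapper whose L1 resource sits at node.defaultChild.
  class Bucket {
    readonly node = { defaultChild: new CfnResource() };
  }
  return { CfnResource, Bucket };
}

const app = loadLibCopy();    // copy the main project imports
const helper = loadLibCopy(); // copy bundled with the helper package

type Resource = { node: { defaultChild: unknown } };

// Suppression gate written with instanceof against the app's copy.
function suppressWithInstanceof(r: Resource, ruleId: string): boolean {
  const l1 = r.node.defaultChild;
  if (!(l1 instanceof app.CfnResource)) return false; // skipped, no error
  l1.suppressed.push(ruleId);
  return true;
}

// Same gate using the brand check, which ignores class identity.
function suppressWithBrand(r: Resource, ruleId: string): boolean {
  const l1 = r.node.defaultChild;
  if (!app.CfnResource.isCfnResource(l1)) return false;
  l1.suppressed.push(ruleId);
  return true;
}

const localBucket = new app.Bucket();      // built in the main project
const foreignBucket = new helper.Bucket(); // built by the helper package
```

Both gates return a boolean here so the skipped case is observable; a gate that returns nothing on the `instanceof` miss gives no signal that a security finding's suppression was dropped.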