False positieve from incorrect terraform parsing for AVD-AWS-0107

[denisovval]

IDs

AVD-AWS-0107

Description

Trivy incorrectly detects avd-aws-0107 in clean TF code. TFSEC reports the same issue.

we use a shared module with the following security group definition:

resource "aws_security_group" "pg" {
  name        = "${var.name} PostgreSQL"
  description = "Allow connect to PostgreSQL"
  vpc_id      = var.master_region_infra.region.vpc.id
  ingress {
    description = "Connect to PostgreSQL"
    from_port   = 5432
    to_port     = 5432
    protocol    = "tcp"
    cidr_blocks = flatten([
      var.master_region_infra.region.vpc.cidr_block,
      var.other_regions_infra[*].region.vpc.cidr_block,
    ])
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  dynamic "ingress" {
    for_each = var.rds_cidr_allow_list
    content {
      description = "from additional list"
      from_port   = 5432
      to_port     = 5432
      protocol    = "tcp"
      **cidr_blocks = [ingress.value]**
    }
  }
}

variable "rds_cidr_allow_list" {
  type        = list(string)
  description = "List of additional CIDR blocks to add to RDS SG"

  default = []
}

This module is used with parameters:

  rds_cidr_allow_list = [
    "172.16.0.0/16", # to rds
  ]

and it produces errors:

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
../../../../modules/dbs.tf:29
────────────────────────────────────────
1   resource "aws_security_group" "pg" {
.
29 [       cidr_blocks = [ingress.value]
..
32   }
────────────────────────────────────────

Even though cidr_blocks are defined.
If we scan dbs.tf directly via trivy - no errors.

This should not be reported as SG has additional cidr_blocks defined and they are not null

Reproduction Steps

1. Scan top-level code via trivy config --severity CRITICAL 
2. get an error in the child module

Target

Filesystem

Scanner

Misconfiguration

Target OS

No response

Debug Output

2023-07-06T18:13:08.054+0200    INFO    Detected config files: 19
2023-07-06T18:13:08.054+0200    DEBUG   Scanned config file: ../../../../modules/dbs.tf
2023-07-06T18:13:08.063+0200    DEBUG   Found an ignore file .trivyignore
2023-07-06T18:13:08.063+0200    DEBUG   These IDs will be ignored: ["AVD-AWS-0057" "AVD-AWS-0132" "AVD-AWS-0104" "AVD-AWS-0040"]

Version

Version: 0.43.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-07-06 06:10:31.117953059 +0000 UTC
  NextUpdate: 2023-07-06 12:10:31.117952559 +0000 UTC
  DownloadedAt: 2023-07-06 09:15:35.098511 +0000 UTC
Policy Bundle:
  Digest: sha256:30ca89c908eac67d337f8b393262de10ccc2b4f486e7b47bf7828167ad6840b5
  DownloadedAt: 2023-07-06 16:11:32.174564 +0000 UTC

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

[simar7]

@nikpivkin could you take a look at it?

[nikpivkin]

@simar7 of course

[denisovval]

@nikpivkin Any updates ? :)

[nikpivkin]

Hi @denisovval ! I couldn't reproduce it, trivy doesn't report AVD-AWS-0107.

modules/dbs/main.tf

resource "aws_security_group" "pg" {
  name        = "PostgreSQL"
  description = "Allow connect to PostgreSQL"

  dynamic "ingress" {
    for_each = var.rds_cidr_allow_list
    content {
      description = "from additional list"
      from_port   = 5432
      to_port     = 5432
      protocol    = "tcp"
      cidr_blocks = [ingress.value]
    }
  }
}

variable "rds_cidr_allow_list" {
  type        = list(string)
  description = "List of additional CIDR blocks to add to RDS SG"

  default = []
}

main.tf

module "main" {
  source = "./modules/dbs"
  rds_cidr_allow_list = [
    "172.16.0.0/16", # to rds
  ]
}

Output:

trivy config . -d | grep "avd-aws-0107"
2023-08-04T18:11:15.951+0600    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-08-04T18:11:15.960+0600    DEBUG   cache dir:  /Users/tososomaru/Library/Caches/trivy
2023-08-04T18:11:15.960+0600    DEBUG   Module dir: /Users/tososomaru/.trivy/modules
2023-08-04T18:11:15.960+0600    INFO    Misconfiguration scanning is enabled
2023-08-04T18:11:15.960+0600    DEBUG   Policies successfully loaded from disk
2023-08-04T18:11:15.980+0600    DEBUG   Walk the file tree rooted at '.' in parallel
2023-08-04T18:11:15.981+0600    DEBUG   Scanning Terraform files for misconfigurations...
2023-08-04T18:11:16.274+0600    DEBUG   OS is not detected.
2023-08-04T18:11:16.274+0600    INFO    Detected config files: 3
2023-08-04T18:11:16.274+0600    DEBUG   Scanned config file: .
2023-08-04T18:11:16.274+0600    DEBUG   Scanned config file: modules/dbs
2023-08-04T18:11:16.274+0600    DEBUG   Scanned config file: modules/dbs/main.tf