Paths don't work in .trivyignore.yaml

[salemgolemugoo]

Description

Trying to exclude some security warnings by specifying paths attribute in .trivyignore.yaml https://trivy.dev/latest/docs/configuration/filtering/#trivyignoreyaml

Desired Behavior

There should be no warnings AVD-AWS-0052, AVD-AWS-0053

Actual Behavior

1. It produces weird scan warnings because I have no application load balancer in my configuration (but let's leave that aside. It's for a separate ticket)
2. paths is being skipped. And I still see warnings

Reproduction Steps

1. mkdir -p test
2. Create a file

cat <<EOF > test/main.tf
resource "aws_lb_listener" "this" {
  load_balancer_arn = var.lb_arn
  port              = 80
  protocol          = "TCP"

  default_action {
    target_group_arn = var.target_group_arn
    type             = "forward"
  }
}
EOF

4. Create ignore file

cat <<EOF > .trivyignore.yaml
misconfigurations:
  - id: AVD-AWS-0052
    paths:
      - "test/"

EOF

5. Run trivy conf -s MEDIUM,HIGH,CRITICAL --ignorefile .trivyignore.yaml --debug --cache-dir /tmp --misconfig-scanners terraform ./test

Target

Filesystem

Scanner

Misconfiguration

Output Format

None

Mode

Standalone

Debug Output

2024-12-05T23:36:40+01:00       DEBUG   No plugins loaded
2024-12-05T23:36:40+01:00       DEBUG   Default config file "file_path=trivy.yaml" not found, using built in values
2024-12-05T23:36:40+01:00       DEBUG   Cache dir       dir="/tmp"
2024-12-05T23:36:40+01:00       DEBUG   Cache dir       dir="/tmp"
2024-12-05T23:36:40+01:00       DEBUG   Parsed severities       severities=[MEDIUM HIGH CRITICAL]
2024-12-05T23:36:40+01:00       INFO    [misconfig] Misconfiguration scanning is enabled
2024-12-05T23:36:40+01:00       DEBUG   [misconfig] Checks successfully loaded from disk
2024-12-05T23:36:40+01:00       DEBUG   Enabling misconfiguration scanners      scanners=[terraform]
2024-12-05T23:36:40+01:00       DEBUG   Initializing scan cache...      type="memory"
2024-12-05T23:36:40+01:00       DEBUG   [misconfig] Scanning files for misconfigurations...     scanner="Terraform"
2024-12-05T23:36:40+01:00       DEBUG   [terraform scanner] Scanning directory  file_path="."
2024-12-05T23:36:40+01:00       DEBUG   [rego] Overriding filesystem for checks
2024-12-05T23:36:40+01:00       DEBUG   [rego] Embedded libraries are loaded    count=15
2024-12-05T23:36:40+01:00       DEBUG   [rego] Embedded checks are loaded       count=511
2024-12-05T23:36:40+01:00       DEBUG   [rego] Checks from disk are loaded      count=526
2024-12-05T23:36:40+01:00       DEBUG   [rego] Overriding filesystem for data
2024-12-05T23:36:40+01:00       DEBUG   [terraform parser] Setting project/module root  module="root" file_path="."
2024-12-05T23:36:40+01:00       DEBUG   [terraform parser] Parsing FS   module="root" file_path="."
2024-12-05T23:36:40+01:00       DEBUG   [terraform parser] Parsing      module="root" file_path="main.tf"
2024-12-05T23:36:40+01:00       DEBUG   [terraform parser] Added file   module="root" file_path="main.tf"
2024-12-05T23:36:40+01:00       INFO    [terraform scanner] Scanning root module        file_path="."
2024-12-05T23:36:40+01:00       DEBUG   [terraform parser] Setting project/module root  module="root" file_path="."
2024-12-05T23:36:40+01:00       DEBUG   [terraform parser] Parsing FS   module="root" file_path="."
2024-12-05T23:36:40+01:00       DEBUG   [terraform parser] Parsing      module="root" file_path="main.tf"
2024-12-05T23:36:40+01:00       DEBUG   [terraform parser] Added file   module="root" file_path="main.tf"
2024-12-05T23:36:40+01:00       DEBUG   [terraform parser] Loading module       module="root" module="root"
2024-12-05T23:36:40+01:00       DEBUG   [terraform parser] Read block(s) and ignore(s)  module="root" blocks=1 ignores=0
2024-12-05T23:36:40+01:00       DEBUG   [terraform parser] Added input variables from tfvars    module="root" count=0
2024-12-05T23:36:40+01:00       DEBUG   [terraform parser] Working directory for module evaluation      module="root" file_path="/tmp"
2024-12-05T23:36:40+01:00       DEBUG   [terraform evaluator] Starting module evaluation...     path="."
2024-12-05T23:36:40+01:00       DEBUG   [terraform evaluator] Starting iteration        iteration=0
2024-12-05T23:36:40+01:00       DEBUG   [terraform evaluator] Starting iteration        iteration=1
2024-12-05T23:36:40+01:00       DEBUG   [terraform evaluator] Context unchanged iteration=1
2024-12-05T23:36:40+01:00       DEBUG   [terraform evaluator] Starting post-submodules evaluation...
2024-12-05T23:36:40+01:00       DEBUG   [terraform evaluator] Starting iteration        iteration=0
2024-12-05T23:36:40+01:00       DEBUG   [terraform evaluator] Starting iteration        iteration=1
2024-12-05T23:36:40+01:00       DEBUG   [terraform evaluator] Context unchanged iteration=1
2024-12-05T23:36:40+01:00       DEBUG   [terraform evaluator] Module evaluation complete.
2024-12-05T23:36:40+01:00       DEBUG   [terraform parser] Finished parsing module      module="root"
2024-12-05T23:36:40+01:00       DEBUG   [terraform executor] Adapting modules...
2024-12-05T23:36:40+01:00       DEBUG   [terraform executor] Adapted module(s) into state data. count=1
2024-12-05T23:36:40+01:00       DEBUG   [rego] Scanning inputs  count=1
2024-12-05T23:36:40+01:00       DEBUG   [terraform executor] Finished applying rules.
2024-12-05T23:36:40+01:00       DEBUG   [terraform executor] Applying ignores...
2024-12-05T23:36:40+01:00       DEBUG   OS is not detected.
2024-12-05T23:36:40+01:00       INFO    Detected config files   num=2
2024-12-05T23:36:40+01:00       DEBUG   Scanned config file     file_path=""
2024-12-05T23:36:40+01:00       DEBUG   Scanned config file     file_path="."
2024-12-05T23:36:40+01:00       DEBUG   Found an ignore yaml    file_path=".trivyignore.yaml"
2024-12-05T23:36:40+01:00       DEBUG   [vex] VEX filtering is disabled

 (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (MEDIUM: 0, HIGH: 2, CRITICAL: 0)

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.


See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Operating System

Darwin 24.1.0 Darwin Kernel Version 24.1.0: Thu Oct 10 21:03:11 PDT 2024; root:xnu-11215.41.3~2/RELEASE_ARM64_T6020 arm64

Version

Version: 0.58.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-12-05 06:14:56.206326099 +0000 UTC
  NextUpdate: 2024-12-06 06:14:56.206325668 +0000 UTC
  DownloadedAt: 2024-12-05 10:13:48.049361 +0000 UTC
Check Bundle:
  Digest: sha256:f6901e03f486a48f47aa17a78d89d18e6c31ded82aff83ed19d0d73935a1a059
  DownloadedAt: 2024-12-05 21:57:13.479529 +0000 UTC

Checklist

• Run trivy clean --all
• Read the troubleshooting

[simar7]

hi @salemgolemugoo thanks for the report - I can reproduce it locally. @nikpivkin this looks like a bug to me in the checks.

[AndyHawthornGMSL]

The bug seems to be related to creating a listener for a load balancer created outside the Terraform being analysed. So something like this:

data "aws_lb" "lb" {
  name = "external-lb"
}

resource "aws_lb_listener" "listener" {
  load_balancer_arn = data.aws_lb.lb.arn
  port              = 443

  default_action {
    type = "fixed-response"
    fixed_response {
      content_type = "text/plain"
      status_code  = "421"
    }
  }
}

will always trigger AVD-AWS-0052 and AVD-AWS-0053 warnings, in spite of the fact there's no load balancer in the configuration being analysed. It's as if the absence of a listener's load balancer to analyse results in Trivy assuming an invalid one in its place. In addition to that, it seems impossible to exclude the warnings related to this. The example I found was in a downloaded module, even though I had --tf-exclude-downloaded-modules enabled.