Doesn't detect all config files, particularly CloudFormation templates #3418
Comments
I've also tried the command with
Can you please show a sample for one of the files? CF files are detected as either YAML or JSON files with the abstract structure of: an object with a "Resources" key which contains an object:
The following is a sample for all our CF templates with .yaml extension:
I found that Trivy doesn't detect CF templates that have the following condition:
@itaysk Do you have any idea why it happens?
Does this YAML pass validation, and does it parse the way you intend it to? Specifically, this value is error prone:
The condition works for all our CF stacks. cfn-lint also doesn't complain about it. When I single quote it like you suggest, cfn-lint throws
@itaysk I found out that trivy can't detect the templates with the condition used in:

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: some description
Parameters:
  ServiceName:
    Type: String
    Description: The service name
  EnvName:
    Type: String
    Description: Optional environment name to prefix all resources with
    Default: ""
Conditions:
  ## This cryptic syntax sets SuffixResources = true if EnvName != ""
  SuffixResources: !Not [!Equals [!Ref EnvName, ""]]
Resources:
  ErrorTimedOutMetricFilter:
    Type: AWS::Logs::MetricFilter
    Properties:
      FilterPattern: "?ERROR ?error ?Error ?\"timed out\"" # If log contains one of these error words or timed out
      LogGroupName:
        !If [
          SuffixResources,
          !Sub "/aws/lambda/${ServiceName}-${EnvName}",
          !Sub "/aws/lambda/${ServiceName}",
        ]
      MetricTransformations:
        - MetricName: !Sub "${ServiceName}-ErrorLogCount"
          MetricNamespace: market-LogMetrics
          MetricValue: 1
          DefaultValue: 0
```

When I use the condition directly in the `!If`:

```yaml
!If [
  !Not [!Equals [!Ref EnvName, ""]],
  !Sub "/aws/lambda/${ServiceName}-${EnvName}",
  !Sub "/aws/lambda/${ServiceName}",
]
```

Trivy detects the template.
@giorod3 I see that issue. As per my understanding, it is only showing those files which are misconfigured and shows the issues in those files. I think the message is misleading, as it should say "Misconfigured files detected" instead of "Config files detected". So either we need to change the message or we should count all files.
Please ignore my previous message; I thought that YAML was invalid, but it is valid. This looks like a bug in Trivy.
@simar7 PTAL?
@itaysk Yes, that is a bug in Trivy.
@aigerim-zhalgasbekova-paf Khurram has added some comments. What do you think?
@AkhtarAmir Where did they add comments?
@itaysk Above the @AkhtarAmir comments.
Sorry, I don't follow. Trivy scans configuration files and may find issues in them. The config files counter message shows how many files Trivy tried to scan. What's wrong with this message? Also, I don't understand how it's related to this issue.
@itaysk Actually the message only shows the count of misconfig files, not all the scanned files. So that's why I mentioned this. Does that make sense now?
What do you consider "misconfig files" and what "scanned files"? If a directory has one Dockerfile and one Kubernetes YAML, the message will say that Trivy identified 2 config files. If the Dockerfile has issues, then those issues would be reported as findings under that file. Does that make sense?
@itaysk Scanned files means the total number of files which we scanned, and misconfig files are those in which issues are reported. So we are only showing the misconfig count, not the number of files scanned. So the bug means they are thinking it is not showing the total number of files which are scanned, but we are only showing the misconfig file count, i.e. files with issues reported in them.
This isn't true as far as I understand. The message: The issue here is that due to a YAML parsing error Trivy didn't detect the file as CloudFormation and therefore it was not scanned (which explains the
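As an added illustration that is not code from this issue or from Trivy/defsec, the following script runs the detection rule itaysk describes above (a YAML/JSON document whose top level is an object with a "Resources" key holding an object) over constructed samples, once with a stock PyYAML SafeLoader and once with a loader that accepts CloudFormation's short-form intrinsic tags (`!Not`, `!Equals`, `!Ref`, `!Sub`, `!If`). The samples, the `CfnLoader` class and the helper names are assumptions of this example; PyYAML is assumed to be installed. The short-to-long mapping (`!Ref` to `Ref`, `!X` to `Fn::X`) follows AWS's documented equivalence.

```python
import json

import yaml  # PyYAML (third-party); assumed installed for this example

# Constructed sample: a trimmed form of the template posted in this issue,
# using the short-form intrinsic tags that the reporter's failing file used.
SAMPLE_CFN_YAML = """\
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  EnvName:
    Type: String
    Default: ""
Conditions:
  SuffixResources: !Not [!Equals [!Ref EnvName, ""]]
Resources:
  ErrorTimedOutMetricFilter:
    Type: AWS::Logs::MetricFilter
    Properties:
      LogGroupName: !If [SuffixResources, !Sub "/aws/lambda/svc-${EnvName}", !Sub "/aws/lambda/svc"]
"""

# Constructed sample: the JSON form of a template (no tags involved).
SAMPLE_CFN_JSON = json.dumps({"Resources": {"Bucket": {"Type": "AWS::S3::Bucket"}}})

# Constructed sample: valid YAML that is not CloudFormation (no Resources key).
SAMPLE_K8S_YAML = """\
apiVersion: v1
kind: Namespace
metadata:
  name: demo
"""


class CfnLoader(yaml.SafeLoader):
    """SafeLoader subclass (hypothetical name) that accepts CloudFormation's '!' intrinsic tags."""


def _construct_intrinsic(loader, tag_suffix, node):
    """Turn a short-form tag into its documented long form: !Ref -> Ref, !Not -> Fn::Not, ..."""
    key = "Ref" if tag_suffix == "Ref" else "Fn::" + tag_suffix
    if isinstance(node, yaml.ScalarNode):
        value = loader.construct_scalar(node)
    elif isinstance(node, yaml.SequenceNode):
        value = loader.construct_sequence(node, deep=True)
    else:
        value = loader.construct_mapping(node, deep=True)
    return {key: value}


# One handler covers every local tag ("!Not", "!Equals", "!Ref", "!Sub", "!If", ...).
CfnLoader.add_multi_constructor("!", _construct_intrinsic)


def _has_resources_object(doc):
    """The detection rule from the thread: a top-level object with a Resources object."""
    return isinstance(doc, dict) and isinstance(doc.get("Resources"), dict)


def parse_template(text):
    """Parse as JSON first, then as tag-aware YAML; raises yaml.YAMLError on real syntax errors."""
    try:
        return json.loads(text)
    except ValueError:
        return yaml.load(text, Loader=CfnLoader)


def is_cloudformation(text):
    """Tag-aware detector: True for the YAML and JSON CloudFormation samples, False otherwise."""
    try:
        return _has_resources_object(parse_template(text))
    except yaml.YAMLError:
        return False


def naive_is_cloudformation(text):
    """The failure mode: a stock SafeLoader raises ConstructorError on '!Not',
    so a detector built on it silently reports 'not CloudFormation' for a valid template."""
    try:
        return _has_resources_object(yaml.safe_load(text))
    except yaml.YAMLError:
        return False


def count_detected(files, detector):
    """Number of files a detector would count, like the 'config files detected' line in Trivy's output."""
    return sum(1 for text in files if detector(text))


if __name__ == "__main__":
    files = [SAMPLE_CFN_YAML, SAMPLE_CFN_JSON, SAMPLE_K8S_YAML]
    print("naive loader detected:", count_detected(files, naive_is_cloudformation))  # 1
    print("tag-aware loader detected:", count_detected(files, is_cloudformation))  # 2
    print(parse_template(SAMPLE_CFN_YAML)["Conditions"]["SuffixResources"])
```

The naive detector counts only the JSON sample, because `yaml.safe_load` rejects the `!Not` tag and the error is swallowed as "not a config file", which is the shape of the symptom in this issue: the file count drops and the template is never scanned. A detector that owns the parse failure (logging it rather than treating it as "not CloudFormation") makes this class of bug visible in `--debug` output.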
@itaysk I checked that Trivy is detecting the files and scanning the files, but it shows only the misconfig files in which issues are detected; we are not showing the total number of files. That is the thing that I am explaining to you; it's a bug in Trivy. If we want to show the total files, then we need to change the message, or we can show the total config files.
@r-khurram: The following are two different things:
Case 1: Scanning the template as is (before rendering the values). There will not be any vulnerabilities because it is a template, not an actual CloudFormation file.
Case 2: Scanning the template after it is rendered. If there are any vulnerabilities here, they should be flagged.
We expect that this is what's happening here. Trivy should be able to scan template files, render them and flag any misconfigurations as such. Are you saying that the template once rendered (case 2) does not have any misconfigurations? Please let me know if I have missed something based on your findings.
@simar7 Actually it scans all the templates but shows the flag only on the misconfig files (i.e. the total number of files with issues), not the total number of templates scanned. So in this open issue they are saying Trivy is not showing the number of scanned templates. But as per my understanding, as I checked in Trivy, it is only showing the misconfig templates, not the total number of templates. So I suggest what I mentioned earlier.
Will be fixed in the next release of Trivy via aquasecurity/defsec#1389
Description
Trivy doesn't detect all CloudFormation files existing in a directory when running the following command:
What did you expect to happen?
Trivy should detect 4 .yaml files.
What happened instead?
It detects 0 instead (in some projects where I tested this command it finds one or more files, but not all).
Output of run with `-debug`:
Output of `trivy -v`: