Does not detect Cloudformation Template , in which contains the !If statement #3761

Closed

siukimok opened this issue Mar 3, 2023 · 2 comments

Labels: kind/bug (Categorizes issue or PR as related to a bug.)

Comments
siukimok commented Mar 3, 2023

Description

Does not detect a CloudFormation template that contains the !If statement

Trivy does not detect an AWS CloudFormation template that contains the !If statement, as below:

```yaml
Resources:
  ######## STATE MACHINE #########
  rStateMachineA:
    Type: AWS::Serverless::StateMachine
    Properties:
      Name: !Sub sdlf-${pTeamName}-${pPipeline}-sm-a
      DefinitionUri: ./state-machine/stage-a.asl.json
      DefinitionSubstitutions:
        lStep1: !GetAtt rLambdaStep1.Arn
        lStep2: !GetAtt rLambdaStep2.Arn
        lStep3: !GetAtt rLambdaStep3.Arn
        lError: !GetAtt rLambdaErrorStep.Arn
      Role: !Ref pStatesExecutionRole
      Logging:
        Destinations:
          - CloudWatchLogsLogGroup: !GetAtt rStateMachineLogGroup.Arn
        IncludeExecutionData: True
        Level: ALL
      Tracing:
        Enabled:
          !If [
            EnableTracing,
            true,
            false
          ]
```

Note that this template passes CloudFormation validation.

What did you expect to happen?

When we run Trivy with the following command:

```shell
trivy config . --debug
```

What happened instead?

Trivy reports `2023-03-03T11:20:49.877Z INFO Detected config files: 0` instead of detecting 1 file.

Output of run with --debug:

```
2023-03-03T11:20:48.520Z DEBUG Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-03-03T11:20:48.523Z DEBUG cache dir: /home/runner/.cache/trivy
2023-03-03T11:20:48.523Z INFO Misconfiguration scanning is enabled
2023-03-03T11:20:48.523Z DEBUG Failed to open the policy metadata: open /home/runner/.cache/trivy/policy/metadata.json: no such file or directory
2023-03-03T11:20:48.523Z INFO Need to update the built-in policies
2023-03-03T11:20:48.523Z INFO Downloading the built-in policies...
39.14 KiB / 39.14 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2023-03-03T11:20:48.900Z DEBUG Digest of the built-in policies: sha256:19a017cdc798631ad42f6f4dce823d77b2989128f0e1a7f9bc83ae3c59024edd
2023-03-03T11:20:48.900Z DEBUG Policies successfully loaded from disk
2023-03-03T11:20:48.900Z DEBUG Walk the file tree rooted at '.' in parallel
2023-03-03T11:20:49.877Z DEBUG OS is not detected.
2023-03-03T11:20:49.877Z INFO Detected config files: 0
```


Output of trivy -v:

```
Version: 0.38.1
```

Additional details (base image name, container registry info...):

@siukimok siukimok added the kind/bug Categorizes issue or PR as related to a bug. label Mar 3, 2023
itaysk (Contributor) commented Mar 3, 2023

Duplicate of #3418

Thanks for reporting, we'll try to look at this

itaysk closed this as not planned (duplicate) Mar 3, 2023
siukimok (Author) commented Mar 3, 2023

The complete YAML file is shown below:

```yaml
AWSTemplateFormatVersion: 2010-09-09
Transform: AWS::Serverless-2016-10-31
Description: Contains StageA StateMachine Definition

Parameters:
  pEnableTracing:
    Description: Flag for whether XRay tracing is enabled
    Type: String

Conditions:
  DeployElasticSearch: '!Equals [!Ref pElasticSearchEnabled, "true"]'
  EnableTracing: '!Equals [!Ref pEnableTracing, "true"]'

Globals:
  Function:
    Runtime: python3.7
    Handler: lambda_function.lambda_handler
    Layers:
      - !Ref pDatalakeLibLayer
    KmsKeyArn: !Ref pKMSInfraKeyId

Resources:
  ######## STATE MACHINE #########
  rStateMachineA:
    Type: AWS::Serverless::StateMachine
    Properties:
      Name: !Sub sdlf-${pTeamName}-${pPipeline}-sm-a
      DefinitionUri: ./state-machine/stage-a.asl.json
      DefinitionSubstitutions:
        lStep1: !GetAtt rLambdaStep1.Arn
        lStep2: !GetAtt rLambdaStep2.Arn
        lStep3: !GetAtt rLambdaStep3.Arn
        lError: !GetAtt rLambdaErrorStep.Arn
      Role: !Ref pStatesExecutionRole
      Logging:
        Destinations:
          - CloudWatchLogsLogGroup: !GetAtt rStateMachineLogGroup.Arn
        IncludeExecutionData: True
        Level: ALL
      Tracing:
        Enabled: !If [EnableTracing, true, false]
```

Findings:
It is suspected that the issue is related to the Conditions clause and the !If clause. If I comment out the Conditions clause 'EnableTracing' or comment out the !If, then Trivy can detect the file.
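A stock YAML loader treats `!If`, `!Ref`, `!GetAtt`, `!Sub` and `!Equals` as unknown custom tags and refuses the whole document, which is one way a scanner can end up reporting zero config files for a template that CloudFormation itself accepts. The script below is an added example and not Trivy's code: it registers a constructor for the short-form intrinsics on a PyYAML `SafeLoader` so that a template like the one above loads, classifies the result as a CloudFormation template by its top-level keys, and lists every setting whose value is an `Fn::If`, so a reviewer can see which security-relevant properties (here tracing) depend on a condition rather than being set outright. The embedded template is constructed for the example, and the `INTRINSICS` table is an assumption that covers only the tags appearing in this issue.

```python
"""Added example (not Trivy's code): load a CloudFormation template that uses
short-form intrinsic functions, classify it, and surface conditional settings."""
import yaml

# Short-form tag -> long-form key. Constructed for this example; only the
# tags that appear in the issue are listed, anything else falls back to "Fn::<Tag>".
INTRINSICS = {
    "Ref": "Ref",
    "If": "Fn::If",
    "Equals": "Fn::Equals",
    "GetAtt": "Fn::GetAtt",
    "Sub": "Fn::Sub",
}


class CfnLoader(yaml.SafeLoader):
    """SafeLoader that understands CloudFormation's custom YAML tags."""


def _construct_intrinsic(loader, tag_suffix, node):
    """Turn `!Tag value` into the equivalent long-form mapping {"Fn::Tag": value}."""
    key = INTRINSICS.get(tag_suffix, f"Fn::{tag_suffix}")
    if isinstance(node, yaml.ScalarNode):
        value = loader.construct_scalar(node)
        if tag_suffix == "GetAtt":  # !GetAtt Res.Attr is Fn::GetAtt [Res, Attr]
            value = value.split(".", 1)
    elif isinstance(node, yaml.SequenceNode):
        value = loader.construct_sequence(node, deep=True)
    else:
        value = loader.construct_mapping(node, deep=True)
    return {key: value}


# Every tag that starts with "!" is routed to the constructor above.
CfnLoader.add_multi_constructor("!", _construct_intrinsic)


def stock_loader_accepts(text):
    """True if plain yaml.safe_load parses the text; unregistered tags make it fail."""
    try:
        yaml.safe_load(text)
        return True
    except yaml.YAMLError:
        return False


def load_template(text):
    """Parse a template with the intrinsic-aware loader."""
    return yaml.load(text, Loader=CfnLoader)


def is_cloudformation(doc):
    """Classify by the top-level keys a CloudFormation template carries."""
    return isinstance(doc, dict) and ("AWSTemplateFormatVersion" in doc or "Resources" in doc)


def conditional_settings(doc, path=()):
    """Walk the parsed template and return (path, Fn::If args) for every conditional value."""
    found = []
    if isinstance(doc, dict):
        if set(doc) == {"Fn::If"}:
            found.append(("/".join(path), doc["Fn::If"]))
        else:
            for key, value in doc.items():
                found.extend(conditional_settings(value, path + (str(key),)))
    elif isinstance(doc, list):
        for index, value in enumerate(doc):
            found.extend(conditional_settings(value, path + (str(index),)))
    return found


# Constructed sample template, cut down from the one in the issue.
SAMPLE = """\
AWSTemplateFormatVersion: 2010-09-09
Conditions:
  EnableTracing: !Equals [!Ref pEnableTracing, "true"]
Resources:
  rStateMachineA:
    Type: AWS::Serverless::StateMachine
    Properties:
      Role: !Ref pStatesExecutionRole
      Logging:
        Destinations:
          - CloudWatchLogsLogGroup: !GetAtt rStateMachineLogGroup.Arn
      Tracing:
        Enabled: !If [EnableTracing, true, false]
"""

if __name__ == "__main__":
    print("stock loader accepts it:", stock_loader_accepts(SAMPLE))
    doc = load_template(SAMPLE)
    print("detected as CloudFormation:", is_cloudformation(doc))
    for where, args in conditional_settings(doc):
        print(f"conditional setting at {where}: {args}")
```

Running the script shows the plain loader rejecting the sample while the intrinsic-aware loader classifies it and reports `Resources/rStateMachineA/Properties/Tracing/Enabled` as conditional. Converting short-form tags to the long-form mapping is deliberate: it gives the rest of a checker one shape to inspect regardless of which syntax the template author used.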
