
fix(terraform): false positive AVD-AZU-0013 when scanning a synthesized TF config using cdktf #5081

Closed
nikpivkin opened this issue Sep 1, 2023 · 3 comments
Assignees
Labels
kind/bug Categorizes issue or PR as related to a bug. scan/misconfiguration Issues relating to misconfiguration scanning

Comments

@nikpivkin
Contributor

Source https://github.com/aquasecurity/tfsec/issues/1979

cdk.tf.json:

{
  "//": {
    "metadata": {
      "backend": "local",
      "stackName": "cdktf-tfsec-azure-key-vault-bug",
      "version": "0.15.0"
    },
    "outputs": {
    }
  },
  "data": {
    "azurerm_client_config": {
      "current": {
        "//": {
          "metadata": {
            "path": "cdktf-tfsec-azure-key-vault-bug/current",
            "uniqueId": "current"
          }
        }
      }
    }
  },
  "provider": {
    "azurerm": [
      {
        "features": {
          "key_vault": {
            "purge_soft_delete_on_destroy": true,
            "recover_soft_deleted_key_vaults": true
          }
        }
      }
    ]
  },
  "resource": {
    "azurerm_key_vault": {
      "key-vault": {
        "//": {
          "metadata": {
            "path": "cdktf-tfsec-azure-key-vault-bug/key-vault",
            "uniqueId": "key-vault"
          }
        },
        "enabled_for_deployment": true,
        "enabled_for_disk_encryption": true,
        "enabled_for_template_deployment": true,
        "location": "${azurerm_resource_group.key-vault-resource-group.location}",
        "name": "test-azure-key-vault1",
        "network_acls": {
          "bypass": "AzureServices",
          "default_action": "Deny"
        },
        "purge_protection_enabled": true,
        "resource_group_name": "${azurerm_resource_group.key-vault-resource-group.name}",
        "sku_name": "standard",
        "soft_delete_retention_days": 7,
        "tenant_id": "${data.azurerm_client_config.current.tenant_id}"
      }
    },
    "azurerm_resource_group": {
      "key-vault-resource-group": {
        "//": {
          "metadata": {
            "path": "cdktf-tfsec-azure-key-vault-bug/key-vault-resource-group",
            "uniqueId": "key-vault-resource-group"
          }
        },
        "location": "East US",
        "name": "test-key-vault-rg"
      }
    }
  },
  "terraform": {
    "backend": {
      "local": {
        "path": "/Users/tososomaru/projects/tfsec/issue-1979/cdktf-tfsec-azure-key-vault-bug/terraform.cdktf-tfsec-azure-key-vault-bug.tfstate"
      }
    },
    "required_providers": {
      "azurerm": {
        "source": "azurerm",
        "version": "3.40.0"
      }
    }
  }
}

Trivy output:

docker run --rm -it -v ./cdktf.out/stacks:/workspace  ghcr.io/aquasecurity/trivy:canary conf /workspace -d
2023-09-01T05:45:56.509Z        DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-09-01T05:45:56.510Z        DEBUG   cache dir:  /root/.cache/trivy
2023-09-01T05:45:56.511Z        INFO    Misconfiguration scanning is enabled
2023-09-01T05:45:56.511Z        DEBUG   Failed to open the policy metadata: open /root/.cache/trivy/policy/metadata.json: no such file or directory
2023-09-01T05:45:56.511Z        INFO    Need to update the built-in policies
2023-09-01T05:45:56.511Z        INFO    Downloading the built-in policies...
2023-09-01T05:45:56.511Z        DEBUG   Using URL: ghcr.io/aquasecurity/defsec:0 to load policy bundle
44.37 KiB / 44.37 KiB [-----------------------------------------------------------------------------------------------------------------] 100.00% ? p/s 200ms
2023-09-01T05:45:58.490Z        DEBUG   Digest of the built-in policies: sha256:fd5f1ce3d8efb1fe158cb41f9adb9d7c7cc5c4c863b261053c962e6d950350b3
2023-09-01T05:45:58.490Z        DEBUG   Policies successfully loaded from disk
2023-09-01T05:45:58.519Z        DEBUG   Walk the file tree rooted at '/workspace' in parallel
2023-09-01T05:45:58.521Z        DEBUG   Scanning Terraform files for misconfigurations...
2023-09-01T05:45:58.881Z        DEBUG   OS is not detected.
2023-09-01T05:45:58.881Z        INFO    Detected config files: 2
2023-09-01T05:45:58.881Z        DEBUG   Scanned config file: cdktf-tfsec-azure-key-vault-bug
2023-09-01T05:45:58.881Z        DEBUG   Scanned config file: cdktf-tfsec-azure-key-vault-bug/cdk.tf.json

cdktf-tfsec-azure-key-vault-bug/cdk.tf.json (terraform)

Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 1)

CRITICAL: Vault network ACL does not block access by default.
═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Network ACLs allow you to reduce your exposure to risk by limiting what can access your key vault. 

The default action of the Network ACL should be set to deny for when IPs are not matched. Azure services can be allowed to bypass.

See https://avd.aquasec.com/misconfig/avd-azu-0013
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 cdktf-tfsec-azure-key-vault-bug/cdk.tf.json:37-58
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  37 ┌       "key-vault": {
  38 │         "//": {
  39 │           "metadata": {
  40 │             "path": "cdktf-tfsec-azure-key-vault-bug/key-vault",
  41 │             "uniqueId": "key-vault"
  42 │           }
  43 │         },
  44 │         "enabled_for_deployment": true,
  45 └         "enabled_for_disk_encryption": true,
  ..   
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
@nikpivkin nikpivkin added kind/bug Categorizes issue or PR as related to a bug. scan/misconfiguration Issues relating to misconfiguration scanning labels Sep 1, 2023
@nikpivkin
Contributor Author

@simar7 This is similar to #5080 (See comments)

Due to the ambiguity of the JSON syntax, there is no way to distinguish based on the input alone between argument and nested block usage, so the JSON syntax cannot support the nested block processing mode for these arguments
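To make the ambiguity concrete, here is an added example (written for this thread, not Trivy/defsec code) that evaluates the AVD-AZU-0013 condition over Terraform JSON syntax. A nested block such as `network_acls` can legally be encoded either as a single JSON object (what cdktf emits in the `cdk.tf.json` above) or as a list of objects. The `naive_check` function is a constructed stand-in for a checker that only recognises the list encoding, which is the class of behaviour that produces the false positive; `fixed_check` normalises both encodings before looking at `default_action`. The configs are constructed samples trimmed from the issue's file.

```python
"""AVD-AZU-0013 ("key vault network ACL default_action must be Deny") over
Terraform JSON syntax, showing how the object-vs-list block ambiguity yields
a false positive. Added example; not the project's own rule code."""
import json
from typing import Any, Dict, List

# Constructed sample 1: cdktf encodes the nested block as one JSON object.
CDKTF_OBJECT_FORM = json.loads("""
{ "resource": { "azurerm_key_vault": { "key-vault": {
    "name": "test-azure-key-vault1",
    "network_acls": { "bypass": "AzureServices", "default_action": "Deny" }
} } } }
""")

# Constructed sample 2: the other legal encoding, a list of block bodies.
LIST_FORM = json.loads("""
{ "resource": { "azurerm_key_vault": { "key-vault": {
    "name": "test-azure-key-vault1",
    "network_acls": [ { "bypass": "AzureServices", "default_action": "Deny" } ]
} } } }
""")

# Constructed sample 3: a genuinely permissive vault that must be flagged.
PERMISSIVE = json.loads("""
{ "resource": { "azurerm_key_vault": { "key-vault": {
    "name": "test-azure-key-vault1",
    "network_acls": { "bypass": "AzureServices", "default_action": "Allow" }
} } } }
""")

# Constructed sample 4: no network_acls block at all (Azure's default is Allow).
NO_ACLS = json.loads("""
{ "resource": { "azurerm_key_vault": { "key-vault": {
    "name": "test-azure-key-vault1"
} } } }
""")


def key_vaults(config: Dict[str, Any]):
    """Yield (label, body) for every azurerm_key_vault resource in a JSON config."""
    vaults = config.get("resource", {}).get("azurerm_key_vault", {})
    for label, body in vaults.items():
        yield label, body


def block_bodies(value: Any) -> List[Dict[str, Any]]:
    """Normalise a nested block to a list of bodies, accepting both JSON encodings:
    a single object (cdktf output) or a list of objects (repeated-block form)."""
    if isinstance(value, dict):
        return [value]
    if isinstance(value, list):
        return [v for v in value if isinstance(v, dict)]
    return []


def denies_by_default(bodies: List[Dict[str, Any]]) -> bool:
    """True only when some network_acls body sets default_action = Deny."""
    return any(b.get("default_action") == "Deny" for b in bodies)


def naive_check(config: Dict[str, Any]) -> List[str]:
    """Hypothetical checker that only understands the list encoding of a block.
    On cdktf's object encoding it sees no block and reports a false positive."""
    acls = []
    for label, body in key_vaults(config):
        raw = body.get("network_acls")
        bodies = raw if isinstance(raw, list) else []
        if not denies_by_default(bodies):
            acls.append(label)
    return acls


def fixed_check(config: Dict[str, Any]) -> List[str]:
    """Same rule, but with both block encodings normalised first."""
    flagged = []
    for label, body in key_vaults(config):
        if not denies_by_default(block_bodies(body.get("network_acls"))):
            flagged.append(label)
    return flagged


if __name__ == "__main__":
    for name, cfg in [("cdktf object form", CDKTF_OBJECT_FORM), ("list form", LIST_FORM),
                      ("permissive", PERMISSIVE), ("no acls", NO_ACLS)]:
        print(f"{name:18} naive={naive_check(cfg)} fixed={fixed_check(cfg)}")
```

Run as-is: the object-form sample is flagged by `naive_check` and passes `fixed_check`, while the permissive and missing-block samples are flagged by both, which is the behaviour a scanner needs to keep when it stops reporting the JSON-only false positive.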

@simar7
Member

simar7 commented Dec 8, 2023

> @simar7 This is similar to #5080 (See comments)
>
> Due to the ambiguity of the JSON syntax, there is no way to distinguish based on the input alone between argument and nested block usage, so the JSON syntax cannot support the nested block processing mode for these arguments

Since this issue only arises in JSON syntax, what if we don't flag it as an issue for this case? Removing the check isn't ideal because we do scan properly when it isn't JSON but at the same time, we should create false positives for when it is.

Thoughts?

@simar7
Member

simar7 commented Jan 10, 2024

Closing and tracking here #5907

@simar7 simar7 closed this as not planned Jan 10, 2024