
fix(terraform): modules with the count meta-argument are not ignored #5665

Closed
nikpivkin opened this issue Nov 27, 2023 Discussed in #5642 · 5 comments · Fixed by #6160

Comments

@nikpivkin (Contributor)

Discussed in #5642

Originally posted by parviste November 23, 2023

Description

In tfsec it's possible to ignore issues within modules (https://aquasecurity.github.io/tfsec/v1.28.4/guides/configuration/ignores/#ignoring-module-issues). This does not seem to be possible using trivy.

It would be nice if filtering using inline comments would also apply to resources within a module, i.e.

#trivy:ignore:AVD-AWS-0000
module "foo" {
  source = "./mymodule"
}

would ignore all the corresponding warnings coming from resources within the module.

The use case is that I have a module which is secure enough in a particular context, so I don't care about warnings there, but I would care if it were used in a different context. Therefore, I don't want to add the ignore comments in the module itself.

Target

None

Scanner

Misconfiguration

@nikpivkin nikpivkin added kind/bug Categorizes issue or PR as related to a bug. scan/misconfiguration Issues relating to misconfiguration scanning labels Nov 27, 2023
@felipeng

I agree, filtering/ignore for Terraform files using trivy is not working correctly. We would like to migrate from tfsec to trivy, but without filtering/ignore working correctly it is not viable.

@simar7 (Member)

simar7 commented Feb 15, 2024

I agree, filtering/ignore for Terraform files using trivy is not working correctly. We would like to migrate from tfsec to trivy but without filtering/ignore working correctly is not viable

I believe (#6137) is the one that you were affected by @felipeng? If so we can track it there.

Please let me know if this particular issue still affects you. And if so, if it's possible for you to provide an example which we can use to repro it. Thank you.

@felipeng

Hey @simar7, it is not related to that. Here is an example:

trivy version
Version: 0.49.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-05-03 12:07:44.471037765 +0000 UTC
  NextUpdate: 2023-05-03 18:07:44.471037365 +0000 UTC
  DownloadedAt: 2023-05-03 14:39:37.564001 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2023-05-02 00:52:04.408192575 +0000 UTC
  NextUpdate: 2023-05-05 00:52:04.408192075 +0000 UTC
  DownloadedAt: 2023-05-02 15:41:25.133603 +0000 UTC
Policy Bundle:
  Digest: sha256:73a2a1a91c421860d22f08b990a0ca28fee4ca1e1b45e0bdea14357867e31eb6
  DownloadedAt: 2024-02-15 16:39:43.559716 +0000 UTC

main.tf

provider "aws" {
  region = "us-west-2"
}

#trivy:ignore:AVD-AWS-0107
module "aws-security-groups" {
  source  = "terraform-aws-modules/security-group/aws"
  version = "~> 5.1.0"
  name   = "sg1"
  vpc_id = "vpc-0364b8061e419d378"
  ingress_with_cidr_blocks = [
    {
      from_port   = 8001
      to_port     = 8001
      cidr_blocks = "0.0.0.0/0"
    },
    {
      from_port   = 8002
      to_port     = 8002
      cidr_blocks = "0.0.0.0/0"
    }
  ]
}

This ignores the AVD-AWS-0107 check for the whole module which is the intention. However, if I would like to ignore just the first rule it doesn't work, example:

provider "aws" {
  region = "us-west-2"
}

module "aws-security-groups" {
  source  = "terraform-aws-modules/security-group/aws"
  version = "~> 5.1.0"
  name   = "sg1"
  vpc_id = "vpc-0364b8061e419d378"
  ingress_with_cidr_blocks = [
    {
      from_port   = 8001
      to_port     = 8001
      cidr_blocks = "0.0.0.0/0"  #trivy:ignore:AVD-AWS-0107
    },
    {
      from_port   = 8002
      to_port     = 8002
      cidr_blocks = "0.0.0.0/0"
    }
  ]
}
trivy config .
2024-02-15T09:47:18.976-0800    INFO    Misconfiguration scanning is enabled
2024-02-15T09:47:19.516-0800    INFO    Detected config files: 2

terraform-aws-modules/security-group/aws/main.tf (terraform)

Tests: 4 (SUCCESSES: 2, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows ingress from public internet.
══════════════════════════════════════════════════════════════════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
──────────────────────────────────────────────────────────────────────────────────────────────────────
 terraform-aws-modules/security-group/aws/main.tf:197-204
   via terraform-aws-modules/security-group/aws/main.tf:191-227 (aws_security_group_rule.ingress_with_cidr_blocks[0])
    via sg.tf:6-23 (module.aws-security-groups)
──────────────────────────────────────────────────────────────────────────────────────────────────────
 191   resource "aws_security_group_rule" "ingress_with_cidr_blocks" {
 ...   
 197 ┌   cidr_blocks = compact(split(
 198 │     ",",
 199 │     lookup(
 200 │       var.ingress_with_cidr_blocks[count.index],
 201 │       "cidr_blocks",
 202 │       join(",", var.ingress_cidr_blocks),
 203 └     ),
 ...   
──────────────────────────────────────────────────────────────────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
══════════════════════════════════════════════════════════════════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
──────────────────────────────────────────────────────────────────────────────────────────────────────
 terraform-aws-modules/security-group/aws/main.tf:197-204
   via terraform-aws-modules/security-group/aws/main.tf:191-227 (aws_security_group_rule.ingress_with_cidr_blocks[1])
    via sg.tf:6-23 (module.aws-security-groups)
──────────────────────────────────────────────────────────────────────────────────────────────────────
 191   resource "aws_security_group_rule" "ingress_with_cidr_blocks" {
 ...   
 197 ┌   cidr_blocks = compact(split(
 198 │     ",",
 199 │     lookup(
 200 │       var.ingress_with_cidr_blocks[count.index],
 201 │       "cidr_blocks",
 202 │       join(",", var.ingress_cidr_blocks),
 203 └     ),
 ...   
──────────────────────────────────────────────────────────────────────────────────────────────────────
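The behaviour requested in the issue body (an ignore comment above a module call suppressing findings from every resource inside that module, including count-expanded instances like `[0]` and `[1]`) can be modelled as a post-filter over findings whose "via" chain passes through the annotated module. This is an added example, not trivy's code and not the semantics trivy implements at the time of this issue; the Terraform text and the finding records are constructed to mirror the report above.

```python
import re

# Constructed Terraform file: an ignore comment on the line directly above
# the module call, as in the feature request (values are made up here).
MAIN_TF = """\
provider "aws" {
  region = "us-west-2"
}

#trivy:ignore:AVD-AWS-0107
module "aws-security-groups" {
  source  = "terraform-aws-modules/security-group/aws"
  version = "~> 5.1.0"
}

module "other" {
  source = "./mymodule"
}
"""

IGNORE_RE = re.compile(r"#trivy:ignore:([A-Z0-9-]+)")
MODULE_RE = re.compile(r'^\s*module\s+"([^"]+)"\s*\{')

def module_ignores(tf_text):
    """Map module name -> set of check IDs from #trivy:ignore comments
    on the line(s) immediately preceding that module block."""
    pending, result = set(), {}
    for line in tf_text.splitlines():
        if (m := MODULE_RE.match(line)):
            result[m.group(1)] = pending
            pending = set()
        elif (ids := IGNORE_RE.findall(line)):
            pending.update(ids)
        elif line.strip():          # any other code resets the pending comments
            pending = set()
    return result

def suppressed(finding, ignores):
    """True if some hop of the finding's location chain is a module whose
    ignore set contains the finding's check ID (covers all count instances)."""
    for hop in finding["via"]:
        m = re.search(r"module\.([\w-]+)", hop)
        if m and finding["id"] in ignores.get(m.group(1), set()):
            return True
    return False

def filter_findings(findings, tf_text):
    ignores = module_ignores(tf_text)
    return [f for f in findings if not suppressed(f, ignores)]

# Constructed findings mirroring the "via" chain in the trivy output above.
FINDINGS = [
    {"id": "AVD-AWS-0107", "via": ["aws_security_group_rule.ingress_with_cidr_blocks[0]", "module.aws-security-groups"]},
    {"id": "AVD-AWS-0107", "via": ["aws_security_group_rule.ingress_with_cidr_blocks[1]", "module.aws-security-groups"]},
    {"id": "AVD-AWS-0107", "via": ["aws_security_group_rule.ingress[0]", "module.other"]},
]
```

Running `filter_findings(FINDINGS, MAIN_TF)` keeps only the finding from `module.other`, which has no ignore comment.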

@simar7 (Member)

simar7 commented Feb 16, 2024

@nikpivkin could you take a look?

@nikpivkin (Contributor, Author)

@simar7 I left comment #6137 (comment)

@simar7 simar7 added this to the v0.50.0 milestone Feb 27, 2024