feat(misconf): Implement aliases for misconf checks #5691

Closed
2 tasks done
simar7 opened this issue Dec 1, 2023 Discussed in #5684 · 2 comments · Fixed by aquasecurity/defsec#1515
Labels: kind/feature, scan/misconfiguration

Comments

simar7 commented Dec 1, 2023

Description

Sometimes Trivy and tfsec checks can have different short_code to reference the same check. This can create friction for users to reuse their existing terraform code with trivy:ignore or tfsec:ignore that they were using with tfsec, to now use in Trivy.

Instead, we can add an alias field to our checks which can allow us to support alternate names for our existing checks. This is backwards compatible as it will not break any existing checks for users that are already using newer IDs.

Action Items

This change will require logic addition to the static metadata here

We will also need to include this alias as part of check evaluation. The logic to do so will be added here

In addition, we'll have to add aliases for all tfsec checks as defined here https://github.com/aquasecurity/tfsec/blob/master/rules.md

Discussed in #5684

Originally posted by bsolomon1124 November 29, 2023

Description

Multiple discussions and issues, including #3620, #2961, aquasecurity/tfsec#1994 and https://github.com/aquasecurity/tfsec/issues/1997, state that trivy will respect tfsec:ignore directives to ease the transition from tfsec to trivy, but it appears that trivy (0.47.0) does not respect tfsec:ignore directives at all.

So,

  • Does trivy still respect tfsec:ignore?
  • Where is the trivy documentation on line-ignores?
  • How does trivy map the tfsec rule IDs to AVD rule IDs?

Desired Behavior

Respect tfsec:ignore

Actual Behavior

Does not respect tfsec:ignore and reports the corresponding AVD ID as a violation/failure.

Reproduction Steps

  1. Create main.tf:
# tfsec-ignore-reason: This is the S3 access logging bucket
# tfsec:ignore:aws-s3-enable-bucket-logging
resource "aws_s3_bucket" "s3_logs" {
  bucket = "foo-logging"

  tags = {
    Name = "foo"
  }
}

# tfsec-ignore-reason: S3 buckets housing access logs cannot encrypt with customer managed keys
# tfsec:ignore:aws-s3-encryption-customer-key
resource "aws_s3_bucket_server_side_encryption_configuration" "s3_logs" {
  bucket = aws_s3_bucket.s3_logs.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}
  2. Invoke trivy:
trivy config .
  3. Output includes the following failures:
LOW: Bucket has logging disabled
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Ensures S3 bucket logging is enabled for S3 buckets

See https://avd.aquasec.com/misconfig/avd-aws-0089
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 main.tf:3-9
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   3 ┌ resource "aws_s3_bucket" "s3_logs" {
   4 │   bucket = "foo-logging"
   5 │
   6 │   tags = {
   7 │     Name = "foo"
   8 │   }
   9 └ }

Trivy should ignore this check given tfsec:ignore:aws-s3-enable-bucket-logging.

Target

Filesystem

Scanner

Misconfiguration

Output Format

None

Mode

Standalone

Debug Output

$ trivy config . --debug
2023-11-29T09:27:33.049-0500	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-11-29T09:27:33.060-0500	DEBUG	cache dir:  /Users/brsolomon/Library/Caches/trivy
2023-11-29T09:27:33.060-0500	INFO	Misconfiguration scanning is enabled
2023-11-29T09:27:33.060-0500	DEBUG	Policies successfully loaded from disk
2023-11-29T09:27:33.072-0500	DEBUG	The nuget packages directory couldn't be found. License search disabled
2023-11-29T09:27:33.095-0500	DEBUG	Walk the file tree rooted at '.' in parallel
2023-11-29T09:27:33.095-0500	DEBUG	Scanning Terraform files for misconfigurations...
2023-11-29T09:27:33.435-0500	DEBUG	OS is not detected.
2023-11-29T09:27:33.435-0500	INFO	Detected config files: 2
2023-11-29T09:27:33.435-0500	DEBUG	Scanned config file: .
2023-11-29T09:27:33.435-0500	DEBUG	Scanned config file: main.tf

main.tf (terraform)

Tests: 10 (SUCCESSES: 2, FAILURES: 7, EXCEPTIONS: 1)
Failures: 7 (UNKNOWN: 0, LOW: 2, MEDIUM: 1, HIGH: 4, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 main.tf:3-9
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   3 ┌ resource "aws_s3_bucket" "s3_logs" {
   4 │   bucket = "foo-logging"
   5 │
   6 │   tags = {
   7 │     Name = "foo"
   8 │   }
   9 └ }
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


HIGH: No public access block so not blocking public policies
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 main.tf:3-9
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   3 ┌ resource "aws_s3_bucket" "s3_logs" {
   4 │   bucket = "foo-logging"
   5 │
   6 │   tags = {
   7 │     Name = "foo"
   8 │   }
   9 └ }
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


LOW: Bucket has logging disabled
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Ensures S3 bucket logging is enabled for S3 buckets

See https://avd.aquasec.com/misconfig/avd-aws-0089
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 main.tf:3-9
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   3 ┌ resource "aws_s3_bucket" "s3_logs" {
   4 │   bucket = "foo-logging"
   5 │
   6 │   tags = {
   7 │     Name = "foo"
   8 │   }
   9 └ }
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


MEDIUM: Bucket does not have versioning enabled
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════

Versioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket.
You can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets.
With versioning you can recover more easily from both unintended user actions and application failures.


See https://avd.aquasec.com/misconfig/avd-aws-0090
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 main.tf:3-9
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   3 ┌ resource "aws_s3_bucket" "s3_logs" {
   4 │   bucket = "foo-logging"
   5 │
   6 │   tags = {
   7 │     Name = "foo"
   8 │   }
   9 └ }
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


HIGH: No public access block so not ignoring public acls
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 main.tf:3-9
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   3 ┌ resource "aws_s3_bucket" "s3_logs" {
   4 │   bucket = "foo-logging"
   5 │
   6 │   tags = {
   7 │     Name = "foo"
   8 │   }
   9 └ }
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


HIGH: No public access block so not restricting public buckets
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 main.tf:3-9
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   3 ┌ resource "aws_s3_bucket" "s3_logs" {
   4 │   bucket = "foo-logging"
   5 │
   6 │   tags = {
   7 │     Name = "foo"
   8 │   }
   9 └ }
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


LOW: Bucket does not have a corresponding public access block.
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
The "block public access" settings in S3 override individual policies that apply to a given bucket, meaning that all public access can be controlled in one central types for that bucket. It is therefore good practice to define these settings for each bucket in order to clearly define the public access that can be allowed for it.

See https://avd.aquasec.com/misconfig/avd-aws-0094
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 main.tf:3-9
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   3 ┌ resource "aws_s3_bucket" "s3_logs" {
   4 │   bucket = "foo-logging"
   5 │
   6 │   tags = {
   7 │     Name = "foo"
   8 │   }
   9 └ }
───────

Operating System

macOS 13.6.2

Version

$ trivy --version
Version: 0.47.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-11-17 12:13:24.472455739 +0000 UTC
  NextUpdate: 2023-11-17 18:13:24.472455468 +0000 UTC
  DownloadedAt: 2023-11-17 17:32:19.528774 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2023-10-20 00:53:39.662512114 +0000 UTC
  NextUpdate: 2023-10-23 00:53:39.662511714 +0000 UTC
  DownloadedAt: 2023-10-20 13:15:23.612525 +0000 UTC
Policy Bundle:
  Digest: sha256:1df8ade71efc830877ca3b1130f83e0c6368e3a45b0d4c0f0418955501644054
  DownloadedAt: 2023-11-29 14:20:50.325614 +0000 UTC


@simar7 simar7 added kind/feature Categorizes issue or PR as related to a new feature. scan/misconfiguration Issues relating to misconfiguration scanning labels Dec 1, 2023
@simar7 simar7 self-assigned this Dec 1, 2023
simar7 added a commit to aquasecurity/trivy-iac that referenced this issue Dec 12, 2023
simar7 added a commit to aquasecurity/trivy-iac that referenced this issue Jan 4, 2024
simar7 added a commit to aquasecurity/defsec that referenced this issue Jan 6, 2024
@simar7 simar7 closed this as not planned Jan 6, 2024
@simar7 simar7 reopened this Jan 6, 2024
simar7 added a commit to aquasecurity/defsec that referenced this issue Jan 10, 2024
simar7 added a commit to aquasecurity/defsec that referenced this issue Jan 10, 2024
simar7 added a commit to aquasecurity/defsec that referenced this issue Jan 10, 2024
* feat(checks): Add aliasing support
Fixes: aquasecurity/trivy#5691

Signed-off-by: Simar <[email protected]>

* fix lint

---------

Signed-off-by: Simar <[email protected]>
@simar7 simar7 added this to the v0.49.0 milestone Jan 10, 2024
@RobinFrcd commented

Hello,
I've tried # tfsec:ignore:aws-s3-enable-bucket-logging and # trivy:ignore:s3-bucket-logging and I'm getting this warning every time:

LOW: Bucket has logging disabled
═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Ensures S3 bucket logging is enabled for S3 buckets

See https://avd.aquasec.com/misconfig/avd-aws-0089

Is this supposed to be working? I'd like to use CSPM IDs instead of the Trivy ID, as the former is really convenient and readable.

I'm using

Version: 0.51.1
Check Bundle:
  Digest: sha256:6d0771effa53c6cf8130861fc3ac28f5515c35a028edb4bb1e67261b9218c80e
  DownloadedAt: 2024-05-13 10:11:34.444295583 +0000 UTC

Thanks !


simar7 commented May 14, 2024

@RobinFrcd please see the PR here. The feature is supported within Trivy, but adding aliases is done on a per-need basis, as going forward we try to support the AVD IDs, which we guarantee to be unique. If you have other checks that you'd like us to add aliases for, please leave them as a comment in the PR mentioned. Thanks.

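The thread describes two pieces of logic: resolving an ignore ID through a check's AVD ID, short code or alias list, and attaching a `tfsec:ignore` / `trivy:ignore` comment to the resource block below it. The Go program below is an added illustration of both, written for this page; it is not Trivy's or defsec's implementation and does not use their packages. The check registry is constructed: the short code `s3-bucket-logging` and the tfsec alias `aws-s3-enable-bucket-logging` for AVD-AWS-0089 are the IDs used in this thread, while AVD-AWS-0090 is deliberately registered with no alias so that the unmapped case is visible. The sample `main.tf` is the one from the reproduction steps. Only whole-line leading comments are parsed; Trivy's real ignore syntax accepts more forms than this.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Check is a deliberately simplified check record: the canonical AVD ID, the
// Trivy short code, and alternate names (such as legacy tfsec IDs) that should
// resolve to the same check. Real Trivy/defsec metadata carries far more fields.
type Check struct {
	AVDID     string
	ShortCode string
	Aliases   []string
}

// Ignore is one parsed directive: the tool prefix it used, the ID it names,
// the line holding the comment, and the first non-comment line after it
// (the block the directive is meant to cover).
type Ignore struct {
	Tool   string
	ID     string
	Line   int
	Target int
}

// Finding is a check result located at a line range in one file.
type Finding struct {
	AVDID     string
	StartLine int
	EndLine   int
}

// registry is constructed for this example. AVD-AWS-0090 has no alias on
// purpose, to show how an unmapped tfsec ID behaves.
var registry = []Check{
	{AVDID: "AVD-AWS-0089", ShortCode: "s3-bucket-logging", Aliases: []string{"aws-s3-enable-bucket-logging"}},
	{AVDID: "AVD-AWS-0090"},
}

// sampleTF is the main.tf from the issue's reproduction steps.
const sampleTF = `# tfsec-ignore-reason: This is the S3 access logging bucket
# tfsec:ignore:aws-s3-enable-bucket-logging
resource "aws_s3_bucket" "s3_logs" {
  bucket = "foo-logging"

  tags = {
    Name = "foo"
  }
}

# tfsec-ignore-reason: S3 buckets housing access logs cannot encrypt with customer managed keys
# tfsec:ignore:aws-s3-encryption-customer-key
resource "aws_s3_bucket_server_side_encryption_configuration" "s3_logs" {
  bucket = aws_s3_bucket.s3_logs.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}
`

// ignoreRe matches "# trivy:ignore:<id>" and "# tfsec:ignore:<id>" on a line
// that has already been trimmed of leading whitespace.
var ignoreRe = regexp.MustCompile(`^#\s*(trivy|tfsec):ignore:([A-Za-z0-9_-]+)`)

// ParseIgnores attaches each directive to the first non-blank, non-comment
// line that follows it. Blank lines between the comment and the block are
// tolerated; a following comment line keeps the directive pending.
func ParseIgnores(src string) []Ignore {
	var out, pending []Ignore
	for i, raw := range strings.Split(src, "\n") {
		line := strings.TrimSpace(raw)
		switch {
		case line == "":
			continue
		case strings.HasPrefix(line, "#"):
			if m := ignoreRe.FindStringSubmatch(line); m != nil {
				pending = append(pending, Ignore{Tool: m[1], ID: m[2], Line: i + 1})
			}
		default:
			for _, p := range pending {
				p.Target = i + 1
				out = append(out, p)
			}
			pending = nil
		}
	}
	return out
}

// Resolve maps an AVD ID, short code or alias (case-insensitive) to the
// canonical AVD ID. This is the aliasing step the issue asks for.
func Resolve(checks []Check, id string) (string, bool) {
	for _, c := range checks {
		if strings.EqualFold(c.AVDID, id) || (c.ShortCode != "" && strings.EqualFold(c.ShortCode, id)) {
			return c.AVDID, true
		}
		for _, a := range c.Aliases {
			if strings.EqualFold(a, id) {
				return c.AVDID, true
			}
		}
	}
	return "", false
}

// IsIgnored reports whether a directive attached to the finding's start line
// resolves to the finding's check.
func IsIgnored(checks []Check, ignores []Ignore, f Finding) bool {
	for _, ig := range ignores {
		if ig.Target != f.StartLine {
			continue
		}
		if avd, ok := Resolve(checks, ig.ID); ok && avd == f.AVDID {
			return true
		}
	}
	return false
}

// UnresolvedIgnores returns directives naming no known AVD ID, short code or
// alias: comments that are present in the code but suppress nothing.
func UnresolvedIgnores(checks []Check, ignores []Ignore) []Ignore {
	var out []Ignore
	for _, ig := range ignores {
		if _, ok := Resolve(checks, ig.ID); !ok {
			out = append(out, ig)
		}
	}
	return out
}

func main() {
	ignores := ParseIgnores(sampleTF)
	// Constructed findings mirroring two results from the issue's output,
	// both reported against main.tf:3-9.
	findings := []Finding{
		{AVDID: "AVD-AWS-0089", StartLine: 3, EndLine: 9},
		{AVDID: "AVD-AWS-0090", StartLine: 3, EndLine: 9},
	}
	for _, f := range findings {
		fmt.Printf("%s at %d-%d ignored=%v\n", f.AVDID, f.StartLine, f.EndLine, IsIgnored(registry, ignores, f))
	}
	for _, ig := range UnresolvedIgnores(registry, ignores) {
		fmt.Printf("line %d: %s:ignore:%s matches no known check and has no effect\n", ig.Line, ig.Tool, ig.ID)
	}
}
```

The `UnresolvedIgnores` pass is the check worth running during a tfsec-to-Trivy migration: as the last comment says, aliases are added per request, so any legacy ID that has not been mapped is silently ineffective and the finding is reported anyway, which is exactly what both reporters in this thread saw.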