
feat(terraform): support for VPC resources for inbound and outbound rules #6764

Closed
2 tasks done
nikpivkin opened this issue May 24, 2024 Discussed in #6760 · 0 comments · Fixed by #6779
kind/feature Categorizes issue or PR as related to a new feature. scan/misconfiguration Issues relating to misconfiguration scanning
@nikpivkin (Contributor):

Ref:

Discussed in #6760

Originally posted by danfaizer May 23, 2024

### IDs

ADV-AWS-0107

### Description

You can define security group ingress/egress rules in 2 ways in Terraform:

  1. aws_security_group_rule
  2. aws_vpc_security_group_ingress_rule / aws_vpc_security_group_egress_rule

In case 1. the security control works and the "too broad" access is reported.
In case 2. (which seems to be the newer and recommended way to create ingress/egress rules) the security control does not work and the "too broad" access is NOT reported.

The control should be reported in both definitions.

### Reproduction Steps

1. Create a security group with a security group ingress rule referencing the security group.
`security-group.tf`

```hcl
resource "aws_security_group" "allow_ssh" {
  name        = "allow_ssh"
  description = "Allow SSH traffic from the internet"
  vpc_id      = "vpc-01234567890abcdef"

  tags = {
    Name = "allow_ssh"
  }
}

# Newer resource form: one rule per resource, CIDR given as cidr_ipv4 / cidr_ipv6
resource "aws_vpc_security_group_ingress_rule" "allow_ssh_access" {
  security_group_id = aws_security_group.allow_ssh.id
  cidr_ipv4   = "0.0.0.0/0"
  ip_protocol = "tcp"
  from_port   = 22
  to_port     = 22
}

# Older resource form of the same rule, kept commented out for comparison
# resource "aws_security_group_rule" "allow_ssh_access" {
#   type              = "ingress"
#   security_group_id = aws_security_group.allow_ssh.id
#   from_port         = 22
#   to_port           = 22
#   protocol          = "tcp"
#   cidr_blocks = [
#     "0.0.0.0/0",
#   ]
# }
```

2. Scan with trivy:

```bash
trivy config security-group.tf
2024-05-23T14:31:11+02:00	INFO	Misconfiguration scanning is enabled
2024-05-23T14:31:11+02:00	INFO	Detected config files	num=2
```

Note: in the uncommented code the misconfiguration is not reported; in the commented code it is reported.



### Target

AWS

### Scanner

Misconfiguration

### Target OS

_No response_

### Debug Output

```bash
trivy config security-group.tf --debug
2024-05-23T14:33:00+02:00	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-05-23T14:33:00+02:00	DEBUG	Cache dir	dir="/Users/jamiroquake/Library/Caches/trivy"
2024-05-23T14:33:00+02:00	INFO	Misconfiguration scanning is enabled
2024-05-23T14:33:00+02:00	DEBUG	Policies successfully loaded from disk
2024-05-23T14:33:00+02:00	DEBUG	Enabling misconfiguration scanners	scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-05-23T14:33:00+02:00	DEBUG	[nuget] The nuget packages directory couldn't be found. License search disabled
2024-05-23T14:33:00+02:00	DEBUG	Scanning files for misconfigurations...	scanner="Terraform"
2024-05-23T14:33:00+02:00	DEBUG	[misconf] 33:00.549264000 terraform.scanner                Scanning [&{%!s(*mapfs.file=&{ [] {. 256 2147484096 {13946499877203372728 507056168 0x10e10dea0} <nil>} {{{0 0} {[] {} 0x14000d70440} map[security-group.tf:0x140022cd4a8] 0}}}) }] at '.'...
2024-05-23T14:33:00+02:00	DEBUG	[misconf] 33:00.551615000 terraform.scanner.rego           Overriding filesystem for checks!
2024-05-23T14:33:00+02:00	DEBUG	[misconf] 33:00.552140000 terraform.scanner.rego           Loaded 3 embedded libraries.
2024-05-23T14:33:00+02:00	DEBUG	[misconf] 33:00.576610000 terraform.scanner.rego           Loaded 191 embedded policies.
2024-05-23T14:33:00+02:00	DEBUG	[misconf] 33:00.613911000 terraform.scanner.rego           Loaded 194 policies from disk.
2024-05-23T14:33:00+02:00	DEBUG	[misconf] 33:00.614150000 terraform.scanner.rego           Overriding filesystem for data!
2024-05-23T14:33:00+02:00	DEBUG	[misconf] 33:00.777022000 terraform.parser.<root>          Setting project/module root to '.'
2024-05-23T14:33:00+02:00	DEBUG	[misconf] 33:00.777048000 terraform.parser.<root>          Parsing FS from '.'
2024-05-23T14:33:00+02:00	DEBUG	[misconf] 33:00.777067000 terraform.parser.<root>          Parsing 'security-group.tf'...
2024-05-23T14:33:00+02:00	DEBUG	[misconf] 33:00.778768000 terraform.parser.<root>          Added file security-group.tf.
2024-05-23T14:33:00+02:00	DEBUG	[misconf] 33:00.779138000 terraform.scanner                Scanning root module '.'...
2024-05-23T14:33:00+02:00	DEBUG	[misconf] 33:00.779156000 terraform.parser.<root>          Setting project/module root to '.'
2024-05-23T14:33:00+02:00	DEBUG	[misconf] 33:00.779165000 terraform.parser.<root>          Parsing FS from '.'
2024-05-23T14:33:00+02:00	DEBUG	[misconf] 33:00.779177000 terraform.parser.<root>          Parsing 'security-group.tf'...
2024-05-23T14:33:00+02:00	DEBUG	[misconf] 33:00.779258000 terraform.parser.<root>          Added file security-group.tf.
2024-05-23T14:33:00+02:00	DEBUG	[misconf] 33:00.779265000 terraform.parser.<root>          Evaluating module...
2024-05-23T14:33:00+02:00	DEBUG	[misconf] 33:00.779326000 terraform.parser.<root>          Read 2 block(s) and 0 ignore(s) for module 'root' (1 file[s])...
2024-05-23T14:33:00+02:00	DEBUG	[misconf] 33:00.779343000 terraform.parser.<root>          Added 0 variables from tfvars.
2024-05-23T14:33:00+02:00	DEBUG	[misconf] 33:00.779349000 terraform.parser.<root>          Error loading module metadata: open .terraform/modules/modules.json: file does not exist.
2024-05-23T14:33:00+02:00	DEBUG	[misconf] 33:00.779405000 terraform.parser.<root>          Working directory for module evaluation is '/Users/jamiroquake/work/github.com/danfaizer/IaC-vulnerable-samples/terraform'
2024-05-23T14:33:00+02:00	DEBUG	[misconf] 33:00.780154000 terraform.parser.<root>.evaluator Filesystem key is '5cb6251c9a42212a359127f6516f89f7974f5df8724c33f1687f9ad0e84db4fe'
2024-05-23T14:33:00+02:00	DEBUG	[misconf] 33:00.780157000 terraform.parser.<root>.evaluator Starting module evaluation...
2024-05-23T14:33:00+02:00	DEBUG	[misconf] 33:00.780500000 terraform.parser.<root>.evaluator Starting submodule evaluation...
2024-05-23T14:33:00+02:00	DEBUG	[misconf] 33:00.780556000 terraform.parser.<root>.evaluator All submodules are evaluated at i=0
2024-05-23T14:33:00+02:00	DEBUG	[misconf] 33:00.780562000 terraform.parser.<root>.evaluator Starting post-submodule evaluation...
2024-05-23T14:33:00+02:00	DEBUG	[misconf] 33:00.780635000 terraform.parser.<root>.evaluator Finished processing 0 submodule(s).
2024-05-23T14:33:00+02:00	DEBUG	[misconf] 33:00.780638000 terraform.parser.<root>.evaluator Module evaluation complete.
2024-05-23T14:33:00+02:00	DEBUG	[misconf] 33:00.780641000 terraform.parser.<root>          Finished parsing module 'root'.
2024-05-23T14:33:00+02:00	DEBUG	[misconf] 33:00.780658000 terraform.executor               Adapting modules...
2024-05-23T14:33:00+02:00	DEBUG	[misconf] 33:00.782807000 terraform.executor               Adapted 1 module(s) into defsec state data.
2024-05-23T14:33:00+02:00	DEBUG	[misconf] 33:00.782816000 terraform.executor               Using max routines of 7
2024-05-23T14:33:00+02:00	DEBUG	[misconf] 33:00.783133000 terraform.executor               Initialized 486 rule(s).
2024-05-23T14:33:00+02:00	DEBUG	[misconf] 33:00.783138000 terraform.executor               Created pool with 7 worker(s) to apply rules.
2024-05-23T14:33:00+02:00	DEBUG	[misconf] 33:00.785424000 terraform.scanner.rego           Scanning 1 inputs...
2024-05-23T14:33:00+02:00	DEBUG	[misconf] 33:00.789961000 terraform.executor               Finished applying rules.
2024-05-23T14:33:00+02:00	DEBUG	[misconf] 33:00.789971000 terraform.executor               Applying ignores...
2024-05-23T14:33:00+02:00	DEBUG	OS is not detected.
2024-05-23T14:33:00+02:00	INFO	Detected config files	num=2
2024-05-23T14:33:00+02:00	DEBUG	Scanned config file	path="."
2024-05-23T14:33:00+02:00	DEBUG	Scanned config file	path="security-group.tf"
```

### Version

```bash
trivy --version
Version: 0.51.2
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-04-16 06:12:18.601562975 +0000 UTC
  NextUpdate: 2024-04-16 12:12:18.601562704 +0000 UTC
  DownloadedAt: 2024-04-16 11:36:59.614942 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2023-10-27 00:56:52.8927736 +0000 UTC
  NextUpdate: 2023-10-30 00:56:52.8927731 +0000 UTC
  DownloadedAt: 2023-10-27 11:28:08.392459 +0000 UTC
Check Bundle:
  Digest: sha256:6d0771effa53c6cf8130861fc3ac28f5515c35a028edb4bb1e67261b9218c80e
  DownloadedAt: 2024-05-23 11:49:51.300577 +0000 UTC
```

### Checklist
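The gap the report describes is a coverage gap: a check that only reads `aws_security_group_rule` never sees a rule written as `aws_vpc_security_group_ingress_rule`, so the same 0.0.0.0/0 ingress is silently missed. The following is an added example, not trivy's adapter or check code and not the reporter's: a small regex-based reader that is sufficient for the flat resource blocks shown in this issue, a normalization of both rule shapes onto one model, and a world-open check run over a constructed sample. The sample resource names, CIDRs and the helper names (`parse_resources`, `normalize_rules`, `find_world_open`) are assumptions made for the demonstration; the real ADV-AWS-0107 logic lives in trivy's Go adapter and Rego checks, not here.

```python
"""Normalize both Terraform security-group rule forms and flag world-open rules.

Added example, not trivy's own adapter or check code: a regex-based reader that
is good enough for the flat resource blocks in this issue, plus the detection
logic a scanner must apply to BOTH resource types to report the same finding.
"""
import ipaddress
import re

# Constructed sample (assumed names and CIDRs): the SSH-to-the-world rule in the
# newer form, an internal-only rule in the legacy form, and a world-open IPv6
# egress rule for contrast.
SAMPLE_TF = """
resource "aws_security_group" "allow_ssh" {
  name   = "allow_ssh"
  vpc_id = "vpc-01234567890abcdef"
}

resource "aws_vpc_security_group_ingress_rule" "allow_ssh_access" {
  security_group_id = aws_security_group.allow_ssh.id
  cidr_ipv4   = "0.0.0.0/0"
  ip_protocol = "tcp"
  from_port   = 22
  to_port     = 22
}

resource "aws_security_group_rule" "legacy_ssh" {
  type              = "ingress"
  security_group_id = aws_security_group.allow_ssh.id
  from_port         = 22
  to_port           = 22
  protocol          = "tcp"
  cidr_blocks = [
    "10.0.0.0/8",
  ]
}

resource "aws_vpc_security_group_egress_rule" "all_out" {
  security_group_id = aws_security_group.allow_ssh.id
  cidr_ipv6   = "::/0"
  ip_protocol = "-1"
}
"""

RESOURCE_RE = re.compile(
    r'resource\s+"(?P<type>[\w-]+)"\s+"(?P<name>[\w-]+)"\s*\{(?P<body>.*?)\n\}', re.DOTALL)
ATTR_RE = re.compile(r"^\s*(?P<key>\w+)\s*=\s*(?P<value>.+?)\s*$", re.MULTILINE)
LIST_RE = re.compile(r"\[[^\]]*\]", re.DOTALL)

VPC_RULE_TYPES = ("aws_vpc_security_group_ingress_rule", "aws_vpc_security_group_egress_rule")


def _parse_value(raw):
    """Turn an HCL literal into a Python value; unquoted references stay as text."""
    raw = raw.strip()
    if raw.startswith("["):
        return [_parse_value(p) for p in raw[1:-1].split(",") if p.strip()]
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    if re.fullmatch(r"-?\d+", raw):
        return int(raw)
    return raw


def parse_resources(tf_text):
    """Return [(type, name, {attr: value})] for each top-level resource block."""
    flat = LIST_RE.sub(lambda m: " ".join(m.group(0).split()), tf_text)  # one-line lists
    resources = []
    for m in RESOURCE_RE.finditer(flat):
        attrs = {a.group("key"): _parse_value(a.group("value"))
                 for a in ATTR_RE.finditer(m.group("body"))}
        resources.append((m.group("type"), m.group("name"), attrs))
    return resources


def normalize_rules(resources):
    """Map both rule resource forms onto one shape so a single check covers them."""
    rules = []
    for rtype, name, a in resources:
        if rtype == "aws_security_group_rule":
            rules.append({
                "id": f"{rtype}.{name}", "direction": a.get("type"),
                "cidrs": list(a.get("cidr_blocks", [])) + list(a.get("ipv6_cidr_blocks", [])),
                "protocol": str(a.get("protocol", "-1")),
                "from_port": a.get("from_port"), "to_port": a.get("to_port")})
        elif rtype in VPC_RULE_TYPES:
            rules.append({
                "id": f"{rtype}.{name}",
                "direction": "ingress" if rtype.endswith("_ingress_rule") else "egress",
                "cidrs": [c for c in (a.get("cidr_ipv4"), a.get("cidr_ipv6")) if c],
                "protocol": str(a.get("ip_protocol", "-1")),
                "from_port": a.get("from_port"), "to_port": a.get("to_port")})
    return rules


def _is_world_open(cidr):
    """True for 0.0.0.0/0 or ::/0; non-literal values (variables, refs) are skipped."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False


def find_world_open(tf_text, direction="ingress"):
    """IDs of rules in the given direction that allow traffic from/to any address."""
    return [r["id"] for r in normalize_rules(parse_resources(tf_text))
            if r["direction"] == direction and any(_is_world_open(c) for c in r["cidrs"])]


if __name__ == "__main__":
    for direction in ("ingress", "egress"):
        for rule_id in find_world_open(SAMPLE_TF, direction):
            print(f"world-open {direction}: {rule_id}")
```

The point of `normalize_rules` is the one the issue makes: the check itself (`find_world_open`) does not care which resource type a rule came from, so once both forms are adapted into the same model, the finding is reported for both. Non-literal CIDR values such as variable references are skipped rather than treated as open, which keeps the check free of false positives but also means a 0.0.0.0/0 passed in through a variable would need the scanner's variable resolution to be caught.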

@nikpivkin nikpivkin added kind/feature Categorizes issue or PR as related to a new feature. scan/misconfiguration Issues relating to misconfiguration scanning labels May 24, 2024
@nikpivkin nikpivkin self-assigned this May 25, 2024
@simar7 simar7 added this to the v0.52.0 milestone May 27, 2024