
bug(misconf): Inconsistent in the issue count between terraform/terraformplan-snapshot and terraformplan-json scanner #7098

Closed
2 tasks done
simar7 opened this issue Jul 4, 2024 Discussed in #7096 · 4 comments · Fixed by #7143
Assignees
Labels
kind/bug Categorizes issue or PR as related to a bug. scan/misconfiguration Issues relating to misconfiguration scanning
Milestone

Comments


simar7 commented Jul 4, 2024

Discussed in #7096

Originally posted by cybersa July 4, 2024

Description

Consider this terraform script:

# S3 Buckets
variable "s3_buckets" {
  type        = any
  description = "S3 Buckets to create"
  default = [
    {name = "b1", cmk_name = "cmk1", enable_version = true },
    {name = "b2", cmk_name = "cmk2", enable_version = false }
  ]
}

locals {
  cmk_arn = {
    cmk1 = "arn:::xx::xx-xx-1"
    cmk2 = "arn:::xx::xx-xx-2"
  }
}

#Bucket
resource "aws_s3_bucket" "bucket" {
  for_each = toset([ for bucket in var.s3_buckets : bucket.name])

  bucket = "temp-${each.key}-bucket"
}

# Bucket Encryption
resource "aws_s3_bucket_server_side_encryption_configuration" "bucket" {
  for_each = { for bucket in var.s3_buckets : bucket.name => bucket.cmk_name}

  bucket = aws_s3_bucket.bucket[each.key].id

  rule {
    apply_server_side_encryption_by_default {
      kms_master_key_id = local.cmk_arn[each.value]
      sse_algorithm     = "aws:kms"
    }
  }
}

# Bucket Versioning
resource "aws_s3_bucket_versioning" "bucket" {
  for_each = toset([ for bucket in var.s3_buckets : bucket.name if bucket.enable_version])

  bucket = aws_s3_bucket.bucket[each.key].id

  versioning_configuration {
    status = "Enabled"
  }
}

# Block Public Access
resource "aws_s3_bucket_public_access_block" "bucket" {
  for_each = toset([ for bucket in var.s3_buckets : bucket.name])

  bucket                  = aws_s3_bucket.bucket[each.key].id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

If I run these trivy commands against the above terraform script, there are no High or Critical issues.
trivy config --misconfig-scanners terraform -s HIGH,CRITICAL s3_buckets.tf
terraform plan --out tfplan
trivy config --misconfig-scanners terraformplan-snapshot -s HIGH,CRITICAL tfplan

If I run this trivy command against the terraform JSON plan, there are 12 High issues.
trivy config --misconfig-scanners terraformplan-json -s "HIGH,CRITICAL" tfplan.json

Desired Behavior

Issues should be consistent between the terraform, terraformplan-snapshot and terraformplan-json scanners.

Actual Behavior

The reported issues are inconsistent between the terraform scanners.

Reproduction Steps

Reproduction steps are in the description.

Target

Filesystem

Scanner

Misconfiguration

Output Format

None

Mode

Standalone

Debug Output

---
terraform scanner:
---

2024-07-04T12:40:18+05:30	DEBUG	Parsed severities	severities=[HIGH CRITICAL]
2024-07-04T12:40:18+05:30	INFO	Misconfiguration scanning is enabled
2024-07-04T12:40:18+05:30	DEBUG	Policies successfully loaded from disk
2024-07-04T12:40:18+05:30	DEBUG	Enabling misconfiguration scanners	scanners=[terraform]
2024-07-04T12:40:18+05:30	DEBUG	Initializing scan cache...	type="memory"
2024-07-04T12:40:18+05:30	DEBUG	[nuget] The nuget packages directory couldn't be found. License search disabled
2024-07-04T12:40:18+05:30	DEBUG	Scanning files for misconfigurations...	scanner="Terraform"
2024-07-04T12:40:18+05:30	DEBUG	[misconf] 40:18.832812689 terraform.scanner                Scanning [&{%!s(*mapfs.file=&{ [] {. 256 2147484096 {13950375482028580993 486464842 0x794e200} <nil>} {{{0 0} {[] {} 0xc0021964b0} map[s3_buckets.tf:0xc00150d1b0] 0}}}) }] at '.'...
2024-07-04T12:40:18+05:30	DEBUG	[misconf] 40:18.835812808 terraform.scanner.rego           Overriding filesystem for checks!
2024-07-04T12:40:18+05:30	DEBUG	[misconf] 40:18.836737208 terraform.scanner.rego           Loaded 3 embedded libraries.
2024-07-04T12:40:18+05:30	DEBUG	[misconf] 40:18.895031587 terraform.scanner.rego           Loaded 192 embedded policies.
2024-07-04T12:40:18+05:30	DEBUG	[misconf] 40:18.960818020 terraform.scanner.rego           Loaded 195 checks from disk.
2024-07-04T12:40:18+05:30	DEBUG	[misconf] 40:18.961445438 terraform.scanner.rego           Overriding filesystem for data!
2024-07-04T12:40:19+05:30	DEBUG	[misconf] 40:19.337500357 terraform.parser.<root>          Setting project/module root to '.'
2024-07-04T12:40:19+05:30	DEBUG	[misconf] 40:19.337533551 terraform.parser.<root>          Parsing FS from '.'
2024-07-04T12:40:19+05:30	DEBUG	[misconf] 40:19.337576377 terraform.parser.<root>          Parsing 's3_buckets.tf'...
2024-07-04T12:40:19+05:30	DEBUG	[misconf] 40:19.337947532 terraform.parser.<root>          Added file s3_buckets.tf.
2024-07-04T12:40:19+05:30	DEBUG	[misconf] 40:19.338180171 terraform.scanner                Scanning root module '.'...
2024-07-04T12:40:19+05:30	DEBUG	[misconf] 40:19.338192761 terraform.parser.<root>          Setting project/module root to '.'
2024-07-04T12:40:19+05:30	DEBUG	[misconf] 40:19.338201465 terraform.parser.<root>          Parsing FS from '.'
2024-07-04T12:40:19+05:30	DEBUG	[misconf] 40:19.338216478 terraform.parser.<root>          Parsing 's3_buckets.tf'...
2024-07-04T12:40:19+05:30	DEBUG	[misconf] 40:19.338511731 terraform.parser.<root>          Added file s3_buckets.tf.
2024-07-04T12:40:19+05:30	DEBUG	[misconf] 40:19.338531614 terraform.parser.<root>          Evaluating module...
2024-07-04T12:40:19+05:30	DEBUG	[misconf] 40:19.338717241 terraform.parser.<root>          Read 6 block(s) and 0 ignore(s) for module 'root' (1 file[s])...
2024-07-04T12:40:19+05:30	DEBUG	[misconf] 40:19.338740556 terraform.parser.<root>          Added 0 variables from tfvars.
2024-07-04T12:40:19+05:30	DEBUG	[misconf] 40:19.338770699 terraform.parser.<root>          Working directory for module evaluation is "/data/projects/miraterra/git/miraterrasoil-terraform/temp"
2024-07-04T12:40:19+05:30	DEBUG	[misconf] 40:19.338830056 terraform.parser.<root>.evaluator Filesystem key is 'e062b1569b2b684dcbe91a1ba43d1adda8e984e21dba2d7009e3654519b54044'
2024-07-04T12:40:19+05:30	DEBUG	[misconf] 40:19.338840550 terraform.parser.<root>.evaluator Starting module evaluation...
2024-07-04T12:40:19+05:30	DEBUG	[misconf] 40:19.339344699 terraform.parser.<root>.evaluator Expanded block 'aws_s3_bucket.bucket' into 2 clones via 'for_each' attribute.
2024-07-04T12:40:19+05:30	DEBUG	[misconf] 40:19.339558015 terraform.parser.<root>.evaluator Expanded block 'aws_s3_bucket_public_access_block.bucket' into 2 clones via 'for_each' attribute.
2024-07-04T12:40:19+05:30	DEBUG	[misconf] 40:19.339742688 terraform.parser.<root>.evaluator Expanded block 'aws_s3_bucket_server_side_encryption_configuration.bucket' into 2 clones via 'for_each' attribute.
2024-07-04T12:40:19+05:30	DEBUG	[misconf] 40:19.339867742 terraform.parser.<root>.evaluator Expanded block 'aws_s3_bucket_versioning.bucket' into 1 clones via 'for_each' attribute.
2024-07-04T12:40:19+05:30	DEBUG	[misconf] 40:19.339881635 terraform.parser.<root>.evaluator Starting submodule evaluation...
2024-07-04T12:40:19+05:30	DEBUG	[misconf] 40:19.339887789 terraform.parser.<root>.evaluator All submodules are evaluated at i=0
2024-07-04T12:40:19+05:30	DEBUG	[misconf] 40:19.339892399 terraform.parser.<root>.evaluator Starting post-submodule evaluation...
2024-07-04T12:40:19+05:30	DEBUG	[misconf] 40:19.340270576 terraform.parser.<root>.evaluator Finished processing 0 submodule(s).
2024-07-04T12:40:19+05:30	DEBUG	[misconf] 40:19.340281647 terraform.parser.<root>.evaluator Module evaluation complete.
2024-07-04T12:40:19+05:30	DEBUG	[misconf] 40:19.340289569 terraform.parser.<root>          Finished parsing module 'root'.
2024-07-04T12:40:19+05:30	DEBUG	[misconf] 40:19.340296635 terraform.executor               Adapting modules...
2024-07-04T12:40:19+05:30	DEBUG	[misconf] 40:19.340515715 terraform.executor               Adapted 1 module(s) into defsec state data.
2024-07-04T12:40:19+05:30	DEBUG	[misconf] 40:19.340527181 terraform.executor               Using max routines of 7
2024-07-04T12:40:19+05:30	DEBUG	[misconf] 40:19.340639780 terraform.executor               Initialized 487 rule(s).
2024-07-04T12:40:19+05:30	DEBUG	[misconf] 40:19.340650448 terraform.executor               Created pool with 7 worker(s) to apply rules.
2024-07-04T12:40:19+05:30	DEBUG	[misconf] 40:19.341625875 terraform.scanner.rego           Scanning 1 inputs...
2024-07-04T12:40:19+05:30	DEBUG	[misconf] 40:19.353839520 terraform.executor               Finished applying rules.
2024-07-04T12:40:19+05:30	DEBUG	[misconf] 40:19.353881735 terraform.executor               Applying ignores...
2024-07-04T12:40:19+05:30	DEBUG	OS is not detected.
2024-07-04T12:40:19+05:30	INFO	Detected config files	num=2
2024-07-04T12:40:19+05:30	DEBUG	Scanned config file	path="."
2024-07-04T12:40:19+05:30	DEBUG	Scanned config file	path="s3_buckets.tf"

---
terraformplan-snapshot scanner:
---

2024-07-04T12:38:54+05:30	DEBUG	Parsed severities	severities=[HIGH CRITICAL]
2024-07-04T12:38:54+05:30	INFO	Misconfiguration scanning is enabled
2024-07-04T12:38:54+05:30	DEBUG	Policies successfully loaded from disk
2024-07-04T12:38:54+05:30	DEBUG	Enabling misconfiguration scanners	scanners=[terraformplan-snapshot]
2024-07-04T12:38:54+05:30	DEBUG	Initializing scan cache...	type="memory"
2024-07-04T12:38:54+05:30	DEBUG	[nuget] The nuget packages directory couldn't be found. License search disabled
2024-07-04T12:38:54+05:30	DEBUG	Scanning files for misconfigurations...	scanner="Terraform Plan Snapshot"
2024-07-04T12:38:54+05:30	DEBUG	[misconf] 38:54.397678216 terraform.scanner                Scanning [&{%!s(*memoryfs.dir=&{{{0 0} 0 0 {{} 0} {{} 0}} {. 256 {13950375391399235573 497065044 0x794e200} 2147484096 <nil>} map[] map[s3_buckets.tf:0xc0012e1000 terraform-settings.tf:0xc0012e1080]})}] at '.'...
2024-07-04T12:38:54+05:30	DEBUG	[misconf] 38:54.400529965 terraform.scanner.rego           Overriding filesystem for checks!
2024-07-04T12:38:54+05:30	DEBUG	[misconf] 38:54.401930514 terraform.scanner.rego           Loaded 3 embedded libraries.
2024-07-04T12:38:54+05:30	DEBUG	[misconf] 38:54.464393996 terraform.scanner.rego           Loaded 192 embedded policies.
2024-07-04T12:38:54+05:30	DEBUG	[misconf] 38:54.530924086 terraform.scanner.rego           Loaded 195 checks from disk.
2024-07-04T12:38:54+05:30	DEBUG	[misconf] 38:54.531439235 terraform.scanner.rego           Overriding filesystem for data!
2024-07-04T12:38:54+05:30	DEBUG	[misconf] 38:54.899200674 terraform.parser.<root>          Setting project/module root to '.'
2024-07-04T12:38:54+05:30	DEBUG	[misconf] 38:54.899235780 terraform.parser.<root>          Parsing FS from '.'
2024-07-04T12:38:54+05:30	DEBUG	[misconf] 38:54.899253970 terraform.parser.<root>          Parsing 's3_buckets.tf'...
2024-07-04T12:38:54+05:30	DEBUG	[misconf] 38:54.899525428 terraform.parser.<root>          Added file s3_buckets.tf.
2024-07-04T12:38:54+05:30	DEBUG	[misconf] 38:54.899538070 terraform.parser.<root>          Parsing 'terraform-settings.tf'...
2024-07-04T12:38:54+05:30	DEBUG	[misconf] 38:54.899578862 terraform.parser.<root>          Added file terraform-settings.tf.
2024-07-04T12:38:54+05:30	DEBUG	[misconf] 38:54.899818811 terraform.scanner                Scanning root module '.'...
2024-07-04T12:38:54+05:30	DEBUG	[misconf] 38:54.899830838 terraform.parser.<root>          Setting project/module root to '.'
2024-07-04T12:38:54+05:30	DEBUG	[misconf] 38:54.899840669 terraform.parser.<root>          Parsing FS from '.'
2024-07-04T12:38:54+05:30	DEBUG	[misconf] 38:54.899852663 terraform.parser.<root>          Parsing 's3_buckets.tf'...
2024-07-04T12:38:54+05:30	DEBUG	[misconf] 38:54.900076989 terraform.parser.<root>          Added file s3_buckets.tf.
2024-07-04T12:38:54+05:30	DEBUG	[misconf] 38:54.900087366 terraform.parser.<root>          Parsing 'terraform-settings.tf'...
2024-07-04T12:38:54+05:30	DEBUG	[misconf] 38:54.900132392 terraform.parser.<root>          Added file terraform-settings.tf.
2024-07-04T12:38:54+05:30	DEBUG	[misconf] 38:54.900140964 terraform.parser.<root>          Evaluating module...
2024-07-04T12:38:54+05:30	DEBUG	[misconf] 38:54.900343701 terraform.parser.<root>          Read 7 block(s) and 0 ignore(s) for module 'root' (2 file[s])...
2024-07-04T12:38:54+05:30	DEBUG	[misconf] 38:54.900364125 terraform.parser.<root>          Added 0 variables from tfvars.
2024-07-04T12:38:54+05:30	DEBUG	[misconf] 38:54.900390507 terraform.parser.<root>          Working directory for module evaluation is "/data/projects/miraterra/git/miraterrasoil-terraform/temp"
2024-07-04T12:38:54+05:30	DEBUG	[misconf] 38:54.900438509 terraform.parser.<root>.evaluator Filesystem key is '52d5ca1283468bd2236fd005e5a64df1b185d6e99d39507227ab3104ca8fed2e'
2024-07-04T12:38:54+05:30	DEBUG	[misconf] 38:54.900448585 terraform.parser.<root>.evaluator Starting module evaluation...
2024-07-04T12:38:54+05:30	DEBUG	[misconf] 38:54.900919903 terraform.parser.<root>.evaluator Expanded block 'aws_s3_bucket.bucket' into 2 clones via 'for_each' attribute.
2024-07-04T12:38:54+05:30	DEBUG	[misconf] 38:54.901195064 terraform.parser.<root>.evaluator Expanded block 'aws_s3_bucket_public_access_block.bucket' into 2 clones via 'for_each' attribute.
2024-07-04T12:38:54+05:30	DEBUG	[misconf] 38:54.901366393 terraform.parser.<root>.evaluator Expanded block 'aws_s3_bucket_server_side_encryption_configuration.bucket' into 2 clones via 'for_each' attribute.
2024-07-04T12:38:54+05:30	DEBUG	[misconf] 38:54.901478994 terraform.parser.<root>.evaluator Expanded block 'aws_s3_bucket_versioning.bucket' into 1 clones via 'for_each' attribute.
2024-07-04T12:38:54+05:30	DEBUG	[misconf] 38:54.901494082 terraform.parser.<root>.evaluator Starting submodule evaluation...
2024-07-04T12:38:54+05:30	DEBUG	[misconf] 38:54.901504202 terraform.parser.<root>.evaluator All submodules are evaluated at i=0
2024-07-04T12:38:54+05:30	DEBUG	[misconf] 38:54.901513225 terraform.parser.<root>.evaluator Starting post-submodule evaluation...
2024-07-04T12:38:54+05:30	DEBUG	[misconf] 38:54.901954290 terraform.parser.<root>.evaluator Finished processing 0 submodule(s).
2024-07-04T12:38:54+05:30	DEBUG	[misconf] 38:54.901966854 terraform.parser.<root>.evaluator Module evaluation complete.
2024-07-04T12:38:54+05:30	DEBUG	[misconf] 38:54.901980634 terraform.parser.<root>          Finished parsing module 'root'.
2024-07-04T12:38:54+05:30	DEBUG	[misconf] 38:54.901990288 terraform.executor               Adapting modules...
2024-07-04T12:38:54+05:30	DEBUG	[misconf] 38:54.902212324 terraform.executor               Adapted 1 module(s) into defsec state data.
2024-07-04T12:38:54+05:30	DEBUG	[misconf] 38:54.902224635 terraform.executor               Using max routines of 7
2024-07-04T12:38:54+05:30	DEBUG	[misconf] 38:54.902317754 terraform.executor               Initialized 487 rule(s).
2024-07-04T12:38:54+05:30	DEBUG	[misconf] 38:54.902326706 terraform.executor               Created pool with 7 worker(s) to apply rules.
2024-07-04T12:38:54+05:30	DEBUG	[misconf] 38:54.903630155 terraform.scanner.rego           Scanning 1 inputs...
2024-07-04T12:38:54+05:30	DEBUG	[misconf] 38:54.915455203 terraform.executor               Finished applying rules.
2024-07-04T12:38:54+05:30	DEBUG	[misconf] 38:54.915568045 terraform.executor               Applying ignores...
2024-07-04T12:38:54+05:30	DEBUG	OS is not detected.
2024-07-04T12:38:54+05:30	INFO	Detected config files	num=2
2024-07-04T12:38:54+05:30	DEBUG	Scanned config file	path="."
2024-07-04T12:38:54+05:30	DEBUG	Scanned config file	path="s3_buckets.tf"

---
terraformplan-json scanner:
---

2024-07-04T12:36:26+05:30	DEBUG	Parsed severities	severities=[HIGH CRITICAL]
2024-07-04T12:36:26+05:30	INFO	Misconfiguration scanning is enabled
2024-07-04T12:36:26+05:30	DEBUG	Policies successfully loaded from disk
2024-07-04T12:36:26+05:30	DEBUG	Enabling misconfiguration scanners	scanners=[terraformplan-json]
2024-07-04T12:36:26+05:30	DEBUG	Initializing scan cache...	type="memory"
2024-07-04T12:36:26+05:30	DEBUG	[nuget] The nuget packages directory couldn't be found. License search disabled
2024-07-04T12:36:26+05:30	DEBUG	Scanning files for misconfigurations...	scanner="Terraform Plan JSON"
2024-07-04T12:36:26+05:30	DEBUG	[misconf] 36:26.905068917 tfplan.scanner                   Scanning file tfplan.json
2024-07-04T12:36:26+05:30	DEBUG	[misconf] 36:26.905884189 terraform.scanner                Scanning [&{%!s(*memoryfs.dir=&{{{0 0} 0 0 {{} 0} {{} 0}} {. 256 {13950375232993255809 497810943 0x794e200} 2147484096 <nil>} map[] map[main.tf:0xc0014a5980]})}] at '.'...
2024-07-04T12:36:26+05:30	DEBUG	[misconf] 36:26.909379694 terraform.scanner.rego           Overriding filesystem for checks!
2024-07-04T12:36:26+05:30	DEBUG	[misconf] 36:26.910561214 terraform.scanner.rego           Loaded 3 embedded libraries.
2024-07-04T12:36:26+05:30	DEBUG	[misconf] 36:26.967687028 terraform.scanner.rego           Loaded 192 embedded policies.
2024-07-04T12:36:27+05:30	DEBUG	[misconf] 36:27.033569307 terraform.scanner.rego           Loaded 195 checks from disk.
2024-07-04T12:36:27+05:30	DEBUG	[misconf] 36:27.034114826 terraform.scanner.rego           Overriding filesystem for data!
2024-07-04T12:36:27+05:30	DEBUG	[misconf] 36:27.393550192 terraform.parser.<root>          Setting project/module root to '.'
2024-07-04T12:36:27+05:30	DEBUG	[misconf] 36:27.393612577 terraform.parser.<root>          Parsing FS from '.'
2024-07-04T12:36:27+05:30	DEBUG	[misconf] 36:27.393636366 terraform.parser.<root>          Parsing 'main.tf'...
2024-07-04T12:36:27+05:30	DEBUG	[misconf] 36:27.394233781 terraform.parser.<root>          Added file main.tf.
2024-07-04T12:36:27+05:30	DEBUG	[misconf] 36:27.394585949 terraform.scanner                Scanning root module '.'...
2024-07-04T12:36:27+05:30	DEBUG	[misconf] 36:27.394599771 terraform.parser.<root>          Setting project/module root to '.'
2024-07-04T12:36:27+05:30	DEBUG	[misconf] 36:27.394606136 terraform.parser.<root>          Parsing FS from '.'
2024-07-04T12:36:27+05:30	DEBUG	[misconf] 36:27.394634795 terraform.parser.<root>          Parsing 'main.tf'...
2024-07-04T12:36:27+05:30	DEBUG	[misconf] 36:27.394843943 terraform.parser.<root>          Added file main.tf.
2024-07-04T12:36:27+05:30	DEBUG	[misconf] 36:27.394853505 terraform.parser.<root>          Evaluating module...
2024-07-04T12:36:27+05:30	DEBUG	[misconf] 36:27.395072562 terraform.parser.<root>          Read 7 block(s) and 0 ignore(s) for module 'root' (1 file[s])...
2024-07-04T12:36:27+05:30	DEBUG	[misconf] 36:27.395104753 terraform.parser.<root>          Added 0 variables from tfvars.
2024-07-04T12:36:27+05:30	DEBUG	[misconf] 36:27.395155791 terraform.parser.<root>          Working directory for module evaluation is "/data/projects/miraterra/git/miraterrasoil-terraform/temp"
2024-07-04T12:36:27+05:30	DEBUG	[misconf] 36:27.395271248 terraform.parser.<root>.evaluator Filesystem key is '01d065908fe73d60c92ab3111d701951286f8792ecda263f3f1cb188953756f3'
2024-07-04T12:36:27+05:30	DEBUG	[misconf] 36:27.395280463 terraform.parser.<root>.evaluator Starting module evaluation...
2024-07-04T12:36:27+05:30	DEBUG	[misconf] 36:27.395602434 terraform.parser.<root>.evaluator Starting submodule evaluation...
2024-07-04T12:36:27+05:30	DEBUG	[misconf] 36:27.395637602 terraform.parser.<root>.evaluator All submodules are evaluated at i=0
2024-07-04T12:36:27+05:30	DEBUG	[misconf] 36:27.395643493 terraform.parser.<root>.evaluator Starting post-submodule evaluation...
2024-07-04T12:36:27+05:30	DEBUG	[misconf] 36:27.395960780 terraform.parser.<root>.evaluator Finished processing 0 submodule(s).
2024-07-04T12:36:27+05:30	DEBUG	[misconf] 36:27.395973506 terraform.parser.<root>.evaluator Module evaluation complete.
2024-07-04T12:36:27+05:30	DEBUG	[misconf] 36:27.395986945 terraform.parser.<root>          Finished parsing module 'root'.
2024-07-04T12:36:27+05:30	DEBUG	[misconf] 36:27.395999981 terraform.executor               Adapting modules...
2024-07-04T12:36:27+05:30	DEBUG	[misconf] 36:27.396183980 terraform.executor               Adapted 1 module(s) into defsec state data.
2024-07-04T12:36:27+05:30	DEBUG	[misconf] 36:27.396197215 terraform.executor               Using max routines of 7
2024-07-04T12:36:27+05:30	DEBUG	[misconf] 36:27.396371946 terraform.executor               Initialized 487 rule(s).
2024-07-04T12:36:27+05:30	DEBUG	[misconf] 36:27.396386039 terraform.executor               Created pool with 7 worker(s) to apply rules.
2024-07-04T12:36:27+05:30	DEBUG	[misconf] 36:27.397209951 terraform.scanner.rego           Scanning 1 inputs...
2024-07-04T12:36:27+05:30	DEBUG	[misconf] 36:27.401956852 terraform.executor               Finished applying rules.
2024-07-04T12:36:27+05:30	DEBUG	[misconf] 36:27.402023298 terraform.executor               Applying ignores...
2024-07-04T12:36:27+05:30	DEBUG	OS is not detected.
2024-07-04T12:36:27+05:30	INFO	Detected config files	num=2
2024-07-04T12:36:27+05:30	DEBUG	Scanned config file	path="."
2024-07-04T12:36:27+05:30	DEBUG	Scanned config file	path="main.tf"

main.tf (terraformplan)

Tests: 14 (SUCCESSES: 2, FAILURES: 12, EXCEPTIONS: 0)
Failures: 12 (HIGH: 12, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 main.tf:5-7
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   5 ┌ resource "aws_s3_bucket" "bucket" {
   6 │ 	bucket = "temp-b2-bucket"
   7 └ 	}
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


HIGH: No public access block so not blocking public acls
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 main.tf:1-3
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "bucket" {
   2 │ 	bucket = "temp-b1-bucket"
   3 └ 	}
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


HIGH: No public access block so not blocking public policies
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 main.tf:5-7
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   5 ┌ resource "aws_s3_bucket" "bucket" {
   6 │ 	bucket = "temp-b2-bucket"
   7 └ 	}
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


HIGH: No public access block so not blocking public policies
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 main.tf:1-3
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "bucket" {
   2 │ 	bucket = "temp-b1-bucket"
   3 └ 	}
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


HIGH: Bucket does not have encryption enabled
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 main.tf:5-7
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   5 ┌ resource "aws_s3_bucket" "bucket" {
   6 │ 	bucket = "temp-b2-bucket"
   7 └ 	}
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


HIGH: Bucket does not have encryption enabled
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 main.tf:1-3
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "bucket" {
   2 │ 	bucket = "temp-b1-bucket"
   3 └ 	}
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


HIGH: No public access block so not ignoring public acls
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 main.tf:5-7
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   5 ┌ resource "aws_s3_bucket" "bucket" {
   6 │ 	bucket = "temp-b2-bucket"
   7 └ 	}
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


HIGH: No public access block so not ignoring public acls
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 main.tf:1-3
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "bucket" {
   2 │ 	bucket = "temp-b1-bucket"
   3 └ 	}
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


HIGH: No public access block so not restricting public buckets
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 main.tf:5-7
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   5 ┌ resource "aws_s3_bucket" "bucket" {
   6 │ 	bucket = "temp-b2-bucket"
   7 └ 	}
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


HIGH: No public access block so not restricting public buckets
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 main.tf:1-3
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "bucket" {
   2 │ 	bucket = "temp-b1-bucket"
   3 └ 	}
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 main.tf:5-7
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   5 ┌ resource "aws_s3_bucket" "bucket" {
   6 │ 	bucket = "temp-b2-bucket"
   7 └ 	}
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 main.tf:1-3
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "bucket" {
   2 │ 	bucket = "temp-b1-bucket"
   3 └ 	}
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Operating System

Ubuntu 20.04

Version

Version: 0.53.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-09-11 06:16:57.742189926 +0000 UTC
  NextUpdate: 2023-09-11 12:16:57.742189326 +0000 UTC
  DownloadedAt: 2023-09-11 07:08:10.751619881 +0000 UTC
Check Bundle:
  Digest: sha256:ef2d9ad4fce0f933b20a662004d7e55bf200987c180e7f2cd531af631f408bb3
  DownloadedAt: 2024-07-03 11:55:33.672405891 +0000 UTC

Checklist

@simar7 simar7 added kind/bug Categorizes issue or PR as related to a bug. scan/misconfiguration Issues relating to misconfiguration scanning labels Jul 4, 2024

simar7 commented Jul 4, 2024

@nikpivkin when you are back, can you take a look at it?

@nikpivkin (Contributor)

The problem is due to the fact that we cannot establish a relationship between resources in the Plan file JSON format when the each object is used in the expression. A similar issue already exists in Terraform.
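Added example, not Trivy's or Terraform's code: a Python script that reproduces the correlation problem described above on plan JSON and shows one way to work around it when triaging such a plan by hand. The plan document is a constructed, trimmed subset of what `terraform show -json tfplan` emits (it is assumed that tfplan.json in this issue was produced that way) for the module in the description: the `bucket` attribute of the dependent resources is absent from `planned_values` because `aws_s3_bucket.bucket[each.key].id` is only known after apply, so matching on the bucket name finds nothing and every bucket looks unprotected. The fallback uses the `configuration` section: when the `bucket` expression references `each.key` and `aws_s3_bucket.<name>`, the dependent instance is attached to the bucket instance with the same `for_each` key (`index`). Resource shapes, the check list and the message strings are this example's own, not Trivy's checks.

```python
"""Correlate for_each-expanded S3 resources in a Terraform plan JSON.

Added example, not Trivy code. PLAN_JSON is a constructed, trimmed subset of
Terraform's plan JSON (planned_values + configuration); real plans carry many
more fields.
"""
import json
import re

# Constructed sample. Dependent resources have no "bucket" value because the
# referenced bucket id is known only after apply.
PLAN_JSON = r'''
{"format_version": "1.2",
 "planned_values": {"root_module": {"resources": [
  {"address": "aws_s3_bucket.bucket[\"b1\"]", "type": "aws_s3_bucket", "name": "bucket",
   "index": "b1", "values": {"bucket": "temp-b1-bucket"}},
  {"address": "aws_s3_bucket.bucket[\"b2\"]", "type": "aws_s3_bucket", "name": "bucket",
   "index": "b2", "values": {"bucket": "temp-b2-bucket"}},
  {"address": "aws_s3_bucket_public_access_block.bucket[\"b1\"]", "name": "bucket", "index": "b1",
   "type": "aws_s3_bucket_public_access_block",
   "values": {"block_public_acls": true, "block_public_policy": true,
              "ignore_public_acls": true, "restrict_public_buckets": true}},
  {"address": "aws_s3_bucket_public_access_block.bucket[\"b2\"]", "name": "bucket", "index": "b2",
   "type": "aws_s3_bucket_public_access_block",
   "values": {"block_public_acls": true, "block_public_policy": true,
              "ignore_public_acls": true, "restrict_public_buckets": true}},
  {"address": "aws_s3_bucket_server_side_encryption_configuration.bucket[\"b1\"]", "name": "bucket",
   "index": "b1", "type": "aws_s3_bucket_server_side_encryption_configuration",
   "values": {"rule": [{"apply_server_side_encryption_by_default": [
     {"kms_master_key_id": "arn:::xx::xx-xx-1", "sse_algorithm": "aws:kms"}]}]}},
  {"address": "aws_s3_bucket_server_side_encryption_configuration.bucket[\"b2\"]", "name": "bucket",
   "index": "b2", "type": "aws_s3_bucket_server_side_encryption_configuration",
   "values": {"rule": [{"apply_server_side_encryption_by_default": [
     {"kms_master_key_id": "arn:::xx::xx-xx-2", "sse_algorithm": "aws:kms"}]}]}},
  {"address": "aws_s3_bucket_versioning.bucket[\"b1\"]", "name": "bucket", "index": "b1",
   "type": "aws_s3_bucket_versioning",
   "values": {"versioning_configuration": [{"status": "Enabled"}]}}
 ]}},
 "configuration": {"root_module": {"resources": [
  {"address": "aws_s3_bucket_public_access_block.bucket",
   "expressions": {"bucket": {"references": ["each.key", "aws_s3_bucket.bucket"]}}},
  {"address": "aws_s3_bucket_server_side_encryption_configuration.bucket",
   "expressions": {"bucket": {"references": ["each.key", "aws_s3_bucket.bucket"]}}},
  {"address": "aws_s3_bucket_versioning.bucket",
   "expressions": {"bucket": {"references": ["each.key", "aws_s3_bucket.bucket"]}}}
 ]}}}
'''

BUCKET_TYPE = "aws_s3_bucket"
BUCKET_REF_RE = re.compile(r"^aws_s3_bucket\.([A-Za-z0-9_-]+)")
PAB_FLAGS = ("block_public_acls", "block_public_policy",
             "ignore_public_acls", "restrict_public_buckets")


def config_bucket_refs(plan):
    """Config address -> bucket resource names its `bucket` argument is built from via each.key."""
    out = {}
    for res in plan["configuration"]["root_module"]["resources"]:
        refs = res.get("expressions", {}).get("bucket", {}).get("references", [])
        if "each.key" not in refs:
            continue
        names = set()
        for ref in refs:
            m = BUCKET_REF_RE.match(ref)
            if m:
                names.add(m.group(1))
        out[res["address"]] = names
    return out


def link_to_bucket(res, by_name, by_key, cfg_refs):
    """Planned aws_s3_bucket instance `res` attaches to, or None if it cannot be resolved."""
    name = res["values"].get("bucket")
    if name in by_name:                      # bucket name known in the plan
        return by_name[name]
    cfg_addr = re.sub(r"\[.*\]$", "", res["address"])   # drop the ["key"] instance suffix
    for bucket_name in cfg_refs.get(cfg_addr, ()):      # same for_each key as the bucket
        hit = by_key.get((bucket_name, res.get("index")))
        if hit is not None:
            return hit
    return None


def check_bucket(attached):
    """Posture checks over the resources attached to one bucket (this example's own list)."""
    issues = []
    pab = attached.get("aws_s3_bucket_public_access_block") or {}
    issues += [f"public access block: {f} not enabled" for f in PAB_FLAGS if pab.get(f) is not True]
    rules = (attached.get("aws_s3_bucket_server_side_encryption_configuration") or {}).get("rule") or []
    defaults = rules[0].get("apply_server_side_encryption_by_default") if rules else None
    default = defaults[0] if defaults else None
    if default is None:
        issues.append("encryption: no server-side encryption configured")
    elif default.get("sse_algorithm") != "aws:kms" or not default.get("kms_master_key_id"):
        issues.append("encryption: not using a customer managed KMS key")
    vcs = (attached.get("aws_s3_bucket_versioning") or {}).get("versioning_configuration") or []
    if not vcs or vcs[0].get("status") != "Enabled":
        issues.append("versioning: not enabled")
    return issues


def audit_plan(plan_json, correlate_by_key=True):
    """Bucket name -> list of issues. correlate_by_key=False mimics name-only linking."""
    plan = json.loads(plan_json)
    resources = plan["planned_values"]["root_module"]["resources"]
    buckets = [r for r in resources if r["type"] == BUCKET_TYPE]
    by_name = {b["values"]["bucket"]: b for b in buckets}
    by_key = {(b["name"], b["index"]): b for b in buckets}
    cfg_refs = config_bucket_refs(plan) if correlate_by_key else {}
    attached = {b["address"]: {} for b in buckets}
    for res in resources:
        if res["type"] == BUCKET_TYPE:
            continue
        owner = link_to_bucket(res, by_name, by_key, cfg_refs)
        if owner is not None:
            attached[owner["address"]][res["type"]] = res["values"]
    return {b["values"]["bucket"]: check_bucket(attached[b["address"]]) for b in buckets}


if __name__ == "__main__":
    for mode in (False, True):
        print(f"correlate_by_key={mode}:", json.dumps(audit_plan(PLAN_JSON, mode), indent=1))
```

With name-only linking every dependent resource is orphaned and both buckets report the full set of missing controls, which is the shape of the plan-JSON result in the description; with the `for_each` key fallback only the genuinely missing control remains (b2 has no `aws_s3_bucket_versioning` instance, exactly as the `if bucket.enable_version` filter intends).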

@simar7
Copy link
Member Author

simar7 commented Jul 8, 2024

@nikpivkin this seems like a limitation of the current terraform feature set. Should we document this on our support page for terraform? https://aquasecurity.github.io/trivy/v0.53/docs/coverage/iac/terraform/

@nikpivkin (Contributor)

@simar7 Yeah, I think it can be done.
