
bug(misconf): AVD-AWS-0107 gets triggered for aws_security_group_rule when using a /23 netblock #7267

Open
2 tasks done
nikpivkin opened this issue Jul 31, 2024 Discussed in #7263 · 0 comments · May be fixed by aquasecurity/trivy-checks#178
Assignees
Labels
kind/bug Categorizes issue or PR as related to a bug. scan/misconfiguration Issues relating to misconfiguration scanning
Milestone

Comments

@nikpivkin (Contributor)

Discussed in #7263

Originally posted by kiwimato July 30, 2024

Description

AVD-AWS-0107 is triggered when I use a /23 CIDR block.

Terraform code:

resource "aws_security_group_rule" "http" {
  description = "Allow Inbound HTTP traffic"

  from_port         = "80"
  to_port           = "80"
  protocol          = "tcp"
  security_group_id = aws_security_group.alb.id
  type              = "ingress"

  cidr_blocks = [
    "1.2.3.4/32",
    "5.6.7.0/23",
  ]
  lifecycle {
    ignore_changes = [
      description,
    ]
  }
}

Desired Behavior

No findings, because a /23 CIDR block is far from being public.
However, if I remove "5.6.7.0/23" from the list, I have no findings.

Actual Behavior

I get the finding: AVD-AWS-0107: An ingress security group rule allows traffic from /0.

Reproduction Steps

1. Run Trivy on the above Terraform code
2. See the critical error in the report.

Target

Filesystem

Scanner

Misconfiguration

Output Format

JSON

Mode

Standalone

Debug Output

It's a bit cumbersome for me to extract the debug logs right now since I also have to redact all the company related information, but I will if really necessary.

Operating System

Ubuntu 22.04

Version

v0.53.0
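As an added illustration (not Trivy's or trivy-checks' own code, and not a claim about why the check fires), the Go program below uses the standard library's net/netip to evaluate each entry of the rule's cidr_blocks the way the report author expects: only a zero-length prefix (0.0.0.0/0 or ::/0) counts as open to the whole internet, RFC 1918 and IPv6 ULA blocks count as private, and everything else, including 5.6.7.0/23, is a bounded public range. The Class type, the privateRanges list and the function names are this example's own assumptions.

```go
package main

import (
	"fmt"
	"math"
	"net/netip"
)

// Class is this example's own classification of an ingress source CIDR
// (an assumption for illustration; not Trivy's internal model).
type Class int

const (
	ClassWorldOpen    Class = iota // 0.0.0.0/0 or ::/0: reachable from any address
	ClassPrivate                   // wholly inside RFC 1918 or IPv6 unique-local space
	ClassScopedPublic              // a bounded non-private range, e.g. 5.6.7.0/23
)

func (c Class) String() string {
	switch c {
	case ClassWorldOpen:
		return "world-open (/0)"
	case ClassPrivate:
		return "private"
	default:
		return "scoped public range"
	}
}

// privateRanges holds the RFC 1918 IPv4 blocks and the IPv6 unique-local block.
var privateRanges = []netip.Prefix{
	netip.MustParsePrefix("10.0.0.0/8"),
	netip.MustParsePrefix("172.16.0.0/12"),
	netip.MustParsePrefix("192.168.0.0/16"),
	netip.MustParsePrefix("fc00::/7"),
}

// Classify parses one CIDR string and returns its Class. Only a zero-length
// prefix is treated as world-open; a /23 is a bounded range of 512 addresses.
func Classify(s string) (Class, error) {
	p, err := netip.ParsePrefix(s)
	if err != nil {
		return 0, fmt.Errorf("invalid CIDR %q: %w", s, err)
	}
	p = p.Masked() // clear host bits, e.g. 5.6.7.0/23 -> 5.6.6.0/23
	if p.Bits() == 0 {
		return ClassWorldOpen, nil
	}
	for _, r := range privateRanges {
		// p lies wholly inside r when r is at least as broad and contains p's network address.
		if r.Bits() <= p.Bits() && r.Contains(p.Addr()) {
			return ClassPrivate, nil
		}
	}
	return ClassScopedPublic, nil
}

// AddressCount returns how many addresses a CIDR covers; IPv6 prefixes too
// wide to fit in a uint64 are reported as math.MaxUint64.
func AddressCount(s string) (uint64, error) {
	p, err := netip.ParsePrefix(s)
	if err != nil {
		return 0, fmt.Errorf("invalid CIDR %q: %w", s, err)
	}
	hostBits := p.Addr().BitLen() - p.Bits()
	if hostBits >= 64 {
		return math.MaxUint64, nil
	}
	return uint64(1) << uint(hostBits), nil
}

// WorldOpenBlocks returns the entries of a rule's cidr_blocks that are
// genuinely open to the whole internet (class ClassWorldOpen).
func WorldOpenBlocks(blocks []string) ([]string, error) {
	var open []string
	for _, b := range blocks {
		c, err := Classify(b)
		if err != nil {
			return nil, err
		}
		if c == ClassWorldOpen {
			open = append(open, b)
		}
	}
	return open, nil
}

func main() {
	// The cidr_blocks list from the aws_security_group_rule in this issue.
	blocks := []string{"1.2.3.4/32", "5.6.7.0/23"}
	for _, b := range blocks {
		c, _ := Classify(b)
		n, _ := AddressCount(b)
		fmt.Printf("%-12s %-22s %d address(es)\n", b, c, n)
	}
	open, _ := WorldOpenBlocks(blocks)
	fmt.Printf("entries open to /0: %d\n", len(open))
}
```

Run with `go run main.go`: both entries classify as scoped public ranges (1 and 512 addresses respectively) and the count of entries open to /0 is 0, which is the "no findings" outcome the report describes as desired. A check that wants to warn on any non-private source would still flag the /23, but it should say so rather than report traffic "from /0".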

@nikpivkin nikpivkin added kind/bug Categorizes issue or PR as related to a bug. scan/misconfiguration Issues relating to misconfiguration scanning labels Jul 31, 2024
@nikpivkin nikpivkin self-assigned this Jul 31, 2024
@simar7 simar7 added this to the v0.55.0 milestone Aug 6, 2024
@knqyf263 knqyf263 modified the milestones: v0.55.0, v0.56.0 Sep 5, 2024