Use ssl_mode instead of legacy require_ssl

[desolatorxxl]

IDs

avd-gcp-0015

Description

The Google docs recommend to use ssl_mode instead of the legacy require_ssl attribute.

See:

https://cloud.google.com/sql/docs/postgres/admin-api/rest/v1beta4/instances#ipconfiguration
https://cloud.google.com/sql/docs/postgres/admin-api/rest/v1beta4/instances#sslmode

Reproduction Steps

cat <<EOT > sql.tf
resource "google_sql_database_instance" "foo" {
  name             = "foo"
  database_version = "POSTGRES_13"
  region           = "europe-west1"

  settings {
    disk_autoresize_limit = 250
    disk_autoresize       = true

    ip_configuration {
      ipv4_enabled    = false
      private_network = "default"
    }

    backup_configuration {
      enabled = true
    }



    database_flags {
      name  = "log_lock_waits"
      value = "on"
    }

    database_flags {
      name  = "log_checkpoints"
      value = "on"
    }

    database_flags {
      name  = "log_connections"
      value = "on"
    }

    database_flags {
      name  = "log_disconnections"
      value = "on"
    }

    database_flags {
      name  = "log_temp_files"
      value = "0"
    }
  }
}
EOT

trivy config .

### Target

Filesystem

### Scanner

Misconfiguration

### Target OS

Gentoo

### Debug Output

```bash
$ trivy config .
2024-05-07T10:34:16.961+0200	�[35mDEBUG�[0m	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2024-05-07T10:34:16.973+0200	�[35mDEBUG�[0m	cache dir:  /home/foo/.cache/trivy
2024-05-07T10:34:16.973+0200	�[34mINFO�[0m	Misconfiguration scanning is enabled
2024-05-07T10:34:16.974+0200	�[35mDEBUG�[0m	Policies successfully loaded from disk
2024-05-07T10:34:16.974+0200	�[35mDEBUG�[0m	Enabling misconfiguration scanners: [azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-05-07T10:34:16.975+0200	�[35mDEBUG�[0m	The nuget packages directory couldn't be found. License search disabled
2024-05-07T10:34:16.982+0200	�[35mDEBUG�[0m	Walk the file tree rooted at '.' in series
2024-05-07T10:34:16.982+0200	�[35mDEBUG�[0m	Scanning Terraform files for misconfigurations...
2024-05-07T10:34:16.982+0200	�[35mDEBUG�[0m	[misconf] 34:16.982306570 terraform.scanner                Scanning [&{%!s(*mapfs.file=&{ [] {. 256 2147484096 {13945000156661059123 327184098 0x555f9b04e1c0} <nil>} {{{0 0} {[] {} 0xc00193a8b0} map[sql.tf:0xc001184bb8] 0}}}) .}] at '.'...
2024-05-07T10:34:16.983+0200	�[35mDEBUG�[0m	[misconf] 34:16.983432873 terraform.scanner.rego           Overriding filesystem for policies!
2024-05-07T10:34:17.016+0200	�[35mDEBUG�[0m	[misconf] 34:17.016733440 terraform.scanner.rego           Loaded 194 policies from disk.
2024-05-07T10:34:17.016+0200	�[35mDEBUG�[0m	[misconf] 34:17.016986495 terraform.scanner.rego           Overriding filesystem for data!
2024-05-07T10:34:17.260+0200	�[35mDEBUG�[0m	[misconf] 34:17.260609383 terraform.parser.<root>          Setting project/module root to '.'
2024-05-07T10:34:17.260+0200	�[35mDEBUG�[0m	[misconf] 34:17.260627646 terraform.parser.<root>          Parsing FS from '.'
2024-05-07T10:34:17.260+0200	�[35mDEBUG�[0m	[misconf] 34:17.260639493 terraform.parser.<root>          Parsing 'sql.tf'...
2024-05-07T10:34:17.260+0200	�[35mDEBUG�[0m	[misconf] 34:17.260741970 terraform.parser.<root>          Added file sql.tf.
2024-05-07T10:34:17.260+0200	�[35mDEBUG�[0m	[misconf] 34:17.260842909 terraform.scanner                Scanning root module '.'...
2024-05-07T10:34:17.260+0200	�[35mDEBUG�[0m	[misconf] 34:17.260845225 terraform.parser.<root>          Setting project/module root to '.'
2024-05-07T10:34:17.260+0200	�[35mDEBUG�[0m	[misconf] 34:17.260846534 terraform.parser.<root>          Parsing FS from '.'
2024-05-07T10:34:17.260+0200	�[35mDEBUG�[0m	[misconf] 34:17.260849370 terraform.parser.<root>          Parsing 'sql.tf'...
2024-05-07T10:34:17.260+0200	�[35mDEBUG�[0m	[misconf] 34:17.260934942 terraform.parser.<root>          Added file sql.tf.
2024-05-07T10:34:17.260+0200	�[35mDEBUG�[0m	[misconf] 34:17.260937088 terraform.parser.<root>          Evaluating module...
2024-05-07T10:34:17.261+0200	�[35mDEBUG�[0m	[misconf] 34:17.261006673 terraform.parser.<root>          Read 2 block(s) and 0 ignore(s) for module 'root' (1 file[s])...
2024-05-07T10:34:17.261+0200	�[35mDEBUG�[0m	[misconf] 34:17.261011956 terraform.parser.<root>          Added 0 variables from tfvars.
2024-05-07T10:34:17.261+0200	�[35mDEBUG�[0m	[misconf] 34:17.261015334 terraform.parser.<root>          Error loading module metadata: open .terraform/modules/modules.json: file does not exist.
2024-05-07T10:34:17.261+0200	�[35mDEBUG�[0m	[misconf] 34:17.261020143 terraform.parser.<root>          Working directory for module evaluation is '/tmp/foo'
2024-05-07T10:34:17.261+0200	�[35mDEBUG�[0m	[misconf] 34:17.261040267 terraform.parser.<root>.evaluator Filesystem key is '95149b582ed3a1d2426c8a44c1fc3979c3f855fa29b2ce7bbf4a91b5109dddce'
2024-05-07T10:34:17.261+0200	�[35mDEBUG�[0m	[misconf] 34:17.261042035 terraform.parser.<root>.evaluator Starting module evaluation...
2024-05-07T10:34:17.261+0200	�[35mDEBUG�[0m	[misconf] 34:17.261084279 terraform.parser.<root>.evaluator Starting submodule evaluation...
2024-05-07T10:34:17.261+0200	�[35mDEBUG�[0m	[misconf] 34:17.261086019 terraform.parser.<root>.evaluator Finished processing 0 submodule(s).
2024-05-07T10:34:17.261+0200	�[35mDEBUG�[0m	[misconf] 34:17.261087336 terraform.parser.<root>.evaluator Starting post-submodule evaluation...
2024-05-07T10:34:17.261+0200	�[35mDEBUG�[0m	[misconf] 34:17.261125689 terraform.parser.<root>.evaluator Module evaluation complete.
2024-05-07T10:34:17.261+0200	�[35mDEBUG�[0m	[misconf] 34:17.261127809 terraform.parser.<root>          Finished parsing module 'root'.
2024-05-07T10:34:17.261+0200	�[35mDEBUG�[0m	[misconf] 34:17.261130102 terraform.executor               Adapting modules...
2024-05-07T10:34:17.261+0200	�[35mDEBUG�[0m	[misconf] 34:17.261204626 terraform.executor               Adapted 1 module(s) into defsec state data.
2024-05-07T10:34:17.261+0200	�[35mDEBUG�[0m	[misconf] 34:17.261207039 terraform.executor               Using max routines of 23
2024-05-07T10:34:17.261+0200	�[35mDEBUG�[0m	[misconf] 34:17.261208359 terraform.executor               Applying state modifier functions...
2024-05-07T10:34:17.261+0200	�[35mDEBUG�[0m	[misconf] 34:17.261289946 terraform.executor               Initialized 486 rule(s).
2024-05-07T10:34:17.261+0200	�[35mDEBUG�[0m	[misconf] 34:17.261291635 terraform.executor               Created pool with 23 worker(s) to apply rules.
2024-05-07T10:34:17.261+0200	�[35mDEBUG�[0m	[misconf] 34:17.261578549 terraform.scanner.rego           Scanning 1 inputs...
2024-05-07T10:34:17.265+0200	�[35mDEBUG�[0m	[misconf] 34:17.265095084 terraform.executor               Finished applying rules.
2024-05-07T10:34:17.265+0200	�[35mDEBUG�[0m	[misconf] 34:17.265101502 terraform.executor               Applying ignores...
2024-05-07T10:34:17.282+0200	�[35mDEBUG�[0m	OS is not detected.
2024-05-07T10:34:17.282+0200	�[34mINFO�[0m	Detected config files: 2
2024-05-07T10:34:17.282+0200	�[35mDEBUG�[0m	Scanned config file: .
2024-05-07T10:34:17.282+0200	�[35mDEBUG�[0m	Scanned config file: sql.tf

sql.tf (terraform)
==================
Tests: 9 (SUCCESSES: 8, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

HIGH: Database instance does not require TLS for all connections.
════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
In-transit data should be encrypted so that if traffic is intercepted data will not be exposed in plaintext to attackers.

See https://avd.aquasec.com/misconfig/avd-gcp-0015
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 sql.tf:16-19
   via sql.tf:10-51 (settings)
    via sql.tf:5-52 (google_sql_database_instance.foo)
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   5   resource "google_sql_database_instance" "foo" {
   .   
  16 ┌     ip_configuration {
  17 │       ipv4_enabled    = false
  18 │       private_network = "default"
  19 └     }
  ..   
  52   }
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Version

$ trivy --version
Version: 0.50.2
Policy Bundle:
  Digest: sha256:6d0771effa53c6cf8130861fc3ac28f5515c35a028edb4bb1e67261b9218c80e
  DownloadedAt: 2024-05-07 07:54:21.435447743 +0000 UTC

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

[desolatorxxl]

I already proposed changes here aquasecurity/trivy-checks#119, and made according changes here:
desolatorxxl@56578b8
But to make a PR I need a issue created by the maintainers, right?

[DmitriyLewen]

@nikpivkin , @simar7 Can you take a look?

[nikpivkin]

Hi @desolatorxxl !

We should retain support for the require_ssl field, since users can still use it.

The check should take into account the specific interaction between these two attributes.

If you must use the requireSsl flag for backward compatibility, then only the following value pairs are valid:

For PostgreSQL and MySQL:

• sslMode=ALLOW_UNENCRYPTED_AND_ENCRYPTED and requireSsl=false
• sslMode=ENCRYPTED_ONLY and requireSsl=false
• sslMode=TRUSTED_CLIENT_CERTIFICATE_REQUIRED and requireSsl=true

For SQL Server:

• sslMode=ALLOW_UNENCRYPTED_AND_ENCRYPTED and requireSsl=false
• sslMode=ENCRYPTED_ONLY and requireSsl=true

The value of sslMode has priority over the value of requireSsl.

[nikpivkin]

I've created an issue #6649

[simar7]

Closing as can be tracked in the above created issue.