Inline filtering doesn't work anymore for avd-aws-0091

[RobinFrcd]

Description

Hi,
I just switched from tfsec to trivy.
I used to ignore checks like this:

resource "aws_s3_bucket_public_access_block" "webapp_static" {
  bucket = aws_s3_bucket.webapp_static.id

  block_public_acls   = false #tfsec:ignore:aws-s3-block-public-acls
  block_public_policy = false #tfsec:ignore:aws-s3-block-public-policy

  ignore_public_acls      = false #tfsec:ignore:aws-s3-ignore-public-acls
  restrict_public_buckets = false #tfsec:ignore:aws-s3-no-public-buckets
}

Desired Behavior

resource "aws_s3_bucket_public_access_block" "webapp_static" {
  bucket = aws_s3_bucket.webapp_static.id

  block_public_acls   = false #tfsec:ignore:aws-s3-block-public-acls
  block_public_policy = false #tfsec:ignore:aws-s3-block-public-policy

  ignore_public_acls      = false #trivy:ignore:avd-aws-0091
  restrict_public_buckets = false #tfsec:ignore:aws-s3-no-public-buckets
}

Should not raise HIGH: Public access block does not ignore public ACLs

Actual Behavior

It raises HIGH: Public access block does not ignore public ACLs, the only way to correctly filter the alert is to put the comment before the resource.

This one doesn't raise the alert.

#trivy:ignore:avd-aws-0091
resource "aws_s3_bucket_public_access_block" "webapp_static" {
  bucket = aws_s3_bucket.webapp_static.id

  block_public_acls   = false #tfsec:ignore:aws-s3-block-public-acls
  block_public_policy = false #tfsec:ignore:aws-s3-block-public-policy

  ignore_public_acls      = false 
  restrict_public_buckets = false #tfsec:ignore:aws-s3-no-public-buckets
}

Reproduction Steps

1. Write this code

resource "aws_s3_bucket_public_access_block" "webapp_static" {
  bucket = aws_s3_bucket.webapp_static.id

  block_public_acls   = false #tfsec:ignore:aws-s3-block-public-acls
  block_public_policy = false #tfsec:ignore:aws-s3-block-public-policy

  ignore_public_acls      = false #trivy:ignore:avd-aws-0091
  restrict_public_buckets = false #tfsec:ignore:aws-s3-no-public-buckets
}

2. Run trivy

Target

AWS

Scanner

Misconfiguration

Output Format

None

Mode

None

Debug Output

HIGH: Public access block does not ignore public ACLs
════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091

Operating System

Ubuntu 22.04

Version

Version: 0.51.1
Check Bundle:
  Digest: sha256:6d0771effa53c6cf8130861fc3ac28f5515c35a028edb4bb1e67261b9218c80e
  DownloadedAt: 2024-05-14 11:52:36.985947878 +0000 UTC

Checklist

• Run trivy image --reset
• Read the troubleshooting

[RobinFrcd]

Same for avd-aws-0086

[nikpivkin]

Hi @RobinFrcd !

Thanks for the report. I'm investigating it. Track #6686