bug(misconf): AVD-AWS-0107 gets triggered for aws_security_group_rule when using a /23 netblock

[kiwimato]

Description

AVD-AWS-0107 is triggered when I use /23 cidr block.

Terraform code:

resource "aws_security_group_rule" "http" {
  description = "Allow Inbound HTTP traffic"

  from_port         = "80"
  to_port           = "80"
  protocol          = "tcp"
  security_group_id = aws_security_group.alb.id
  type              = "ingress"

  cidr_blocks = [
    "1.2.3.4/32",
    "5.6.7.0/23",
  ]
  lifecycle {
    ignore_changes = [
      description,
    ]
  }
}

Desired Behavior

No findings, because a /23 cidr block is far from being public.
However, if I remove "5.6.7.0/23", from the list i have no findings.

Actual Behavior

I get the finding: AVD-AWS-0107: An ingress security group rule allows traffic from /0.

Reproduction Steps

1. Run Trivy on the above Terraform code
2. See the critical error in the report.

Target

Filesystem

Scanner

Misconfiguration

Output Format

JSON

Mode

Standalone

Debug Output

It's a bit cumbersome for me to extract the debug logs right now since I also have to redact all the company related information, but I will if really necessary.

Operating System

Ubuntu 22.04

Version

v0.53.0

Checklist

• Run trivy clean --all
• Read the troubleshooting

[nikpivkin]

Hi @kiwimato !

A fix is already open for this check. I'll open a issue for track.

[nikpivkin]

Track #7267