trivy config on terraform skips local modules #3575

Closed
kapilt opened this issue Feb 8, 2023 · 5 comments
Labels: kind/bug (Categorizes issue or PR as related to a bug), scan/misconfiguration (Issues relating to misconfiguration scanning)


kapilt commented Feb 8, 2023

Description

Given a terraform root module that references a local module outside of the path of the root module, i.e. ../another-module, trivy won't scan the resources of the other module. This is due to initializing os.DirFS with the root module's path; os.DirFS won't allow a relative path to traverse past its initial directory. Example Go code to demonstrate this is below.

This pattern is extremely common in terraform (i.e. separate environment roots for staging, dev, prod referencing common modules), and worse, trivy will silently pass in such situations, even though the deployment contains non-compliant resources with issues.

package main

import (
	"fmt"
	"io/fs"
	"log"
	"os"
)

func main() {
	if len(os.Args) != 2 {
		log.Fatalf("usage: PATH")
	}
	path := os.Args[1]
	// os.DirFS is rooted at path; fs.ValidPath rejects any ".." element,
	// so a module in a sibling directory can never be reached through it.
	fx := os.DirFS(path)
	rel_path := "../parent_modules/parent_sqs"
	fileInfos, err := fs.ReadDir(fx, rel_path)
	if err != nil {
		panic(err) // fails here with fs.ErrInvalid instead of listing the module
	}
	fmt.Println(fileInfos)
}

What did you expect to happen?

trivy to scan local modules referenced from the root module, without regard to them being contained in the same directory.

What happened instead?

It silently ignores them.

Output of run with -debug:

This should pick up two resources, one in a child module and one in a sibling directory; instead it just picks up the one that's contained in the same directory as the root module, even though there is another referenced in a sibling directory to the root module.

The terraform for this example is available here:
https://github.com/kapilt/terraform-module-sample

❯ trivy config --debug root/
2023-02-07T22:12:40.514-0500    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-02-07T22:12:40.531-0500    DEBUG   cache dir:  /Users/kapilt/Library/Caches/trivy
2023-02-07T22:12:40.531-0500    INFO    Misconfiguration scanning is enabled
2023-02-07T22:12:40.531-0500    DEBUG   Policies successfully loaded from disk
2023-02-07T22:12:40.531-0500    DEBUG   Walk the file tree rooted at 'root' in parallel
2023-02-07T22:12:40.948-0500    DEBUG   OS is not detected.
2023-02-07T22:12:40.948-0500    INFO    Detected config files: 2
2023-02-07T22:12:40.948-0500    DEBUG   Scanned config file: .
2023-02-07T22:12:40.948-0500    DEBUG   Scanned config file: child_modules/child_sqs/main.tf

child_modules/child_sqs/main.tf (terraform)

Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

HIGH: Queue is not encrypted
═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Queues should be encrypted to protect queue contents.

See https://avd.aquasec.com/misconfig/avd-aws-0096
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 child_modules/child_sqs/main.tf:1-7
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   1 ┌ resource "aws_sqs_queue" "child_queue" {
   2 │   name                      = "child_queue"
   3 │   delay_seconds             = 90
   4 │   max_message_size          = 2048
   5 │   message_retention_seconds = 86400
   6 │   receive_wait_time_seconds = 10
   7 └ }
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────



Output of trivy -v:

❯ trivy -v
Version: 0.37.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-01-31 12:07:36.562793386 +0000 UTC
  NextUpdate: 2023-01-31 18:07:36.562792986 +0000 UTC
  DownloadedAt: 2023-01-31 15:28:16.398692 +0000 UTC
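Added example, not code from the issue or from trivy: one way a scanner can still reach a local module referenced with "..", by rooting the fs.FS at the common ancestor of the root module and the referenced module rather than at the root module itself. naiveReadDir reproduces the failure described above; ModuleLocation, locateLocalModule and buildSampleTree are hypothetical names, and the directory layout buildSampleTree creates is constructed to mirror the root/ and parent_modules/ layout of the linked sample repo.

```go
package main

import (
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// commonAncestor returns the deepest directory containing both absolute (POSIX) paths.
func commonAncestor(a, b string) string {
	sep := string(filepath.Separator)
	as, bs := strings.Split(filepath.Clean(a), sep), strings.Split(filepath.Clean(b), sep)
	n := 0
	for n < len(as) && n < len(bs) && as[n] == bs[n] {
		n++
	}
	return filepath.Clean(sep + strings.Join(as[:n], sep)) // "/" when only the root is shared
}

// ModuleLocation (hypothetical, not trivy's): FSRoot is passed to os.DirFS; Root/Module are fs paths under it.
type ModuleLocation struct{ FSRoot, Root, Module string }

// locateLocalModule resolves a local "source" like "../parent_modules/parent_sqs" by rooting the fs.FS at the common ancestor.
func locateLocalModule(rootDir, source string) (ModuleLocation, error) {
	rootAbs, err := filepath.Abs(rootDir)
	if err != nil {
		return ModuleLocation{}, err
	}
	modAbs := filepath.Join(rootAbs, source) // Join cleans away the ".." segments
	base := commonAncestor(rootAbs, modAbs)
	rootRel, _ := filepath.Rel(base, rootAbs) // cannot fail: base is a prefix of both
	modRel, _ := filepath.Rel(base, modAbs)
	return ModuleLocation{base, filepath.ToSlash(rootRel), filepath.ToSlash(modRel)}, nil
}

// naiveReadDir reproduces the bug: a DirFS rooted at the root module rejects ".." paths.
func naiveReadDir(rootDir, source string) error {
	_, err := fs.ReadDir(os.DirFS(rootDir), filepath.ToSlash(source))
	return err
}

// buildSampleTree writes a constructed stand-in for the sample repo: base/parent_modules/parent_sqs/main.tf.
func buildSampleTree(base string) error {
	dir := filepath.Join(base, "parent_modules", "parent_sqs")
	if err := os.MkdirAll(dir, 0o755); err != nil {
		return err
	}
	return os.WriteFile(filepath.Join(dir, "main.tf"), []byte("# constructed sample\n"), 0o644)
}
```

With the fs.FS rooted at the ancestor, both root/ and parent_modules/parent_sqs are ordinary fs paths, so a walk from that root sees every referenced module rather than silently dropping the sibling.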
@kapilt kapilt added the kind/bug Categorizes issue or PR as related to a bug. label Feb 8, 2023
@itaysk itaysk added the scan/misconfiguration Issues relating to misconfiguration scanning label Feb 11, 2023
@giorod3 giorod3 self-assigned this Mar 27, 2023

simar7 commented Mar 29, 2023

hi @kapilt - I briefly looked into it and I believe I'm able to reproduce it. Just to be clear this is what you are after:

Current Trivy output

trivy config root
2023-03-29T14:51:09.359-0700	INFO	Misconfiguration scanning is enabled
2023-03-29T14:51:10.258-0700	INFO	Detected config files: 1

child_modules/child_sqs/main.tf (terraform)

Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

HIGH: Queue is not encrypted
════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Queues should be encrypted to protect queue contents.

See https://avd.aquasec.com/misconfig/avd-aws-0096
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 child_modules/child_sqs/main.tf:1-7
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   1 ┌ resource "aws_sqs_queue" "child_queue" {
   2 │   name                      = "child_queue"
   3 │   delay_seconds             = 90
   4 │   max_message_size          = 2048
   5 │   message_retention_seconds = 86400
   6 │   receive_wait_time_seconds = 10
   7 └ }
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Desired Trivy output

trivy config root
2023-03-29T14:51:52.550-0700	INFO	Misconfiguration scanning is enabled
2023-03-29T14:51:53.367-0700	INFO	Detected config files: 2

../parent_modules/parent_sqs/main.tf (terraform)

Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

HIGH: Queue is not encrypted
════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Queues should be encrypted to protect queue contents.

See https://avd.aquasec.com/misconfig/avd-aws-0096
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 ../parent_modules/parent_sqs/main.tf:1-7
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   1 ┌ resource "aws_sqs_queue" "parent_queue" {
   2 │   name                      = "parent_queue"
   3 │   delay_seconds             = 90
   4 │   max_message_size          = 2048
   5 │   message_retention_seconds = 86400
   6 │   receive_wait_time_seconds = 10
   7 └ }
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────



root/child_modules/child_sqs/main.tf (terraform)

Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

HIGH: Queue is not encrypted
════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Queues should be encrypted to protect queue contents.

See https://avd.aquasec.com/misconfig/avd-aws-0096
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 root/child_modules/child_sqs/main.tf:1-7
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   1 ┌ resource "aws_sqs_queue" "child_queue" {
   2 │   name                      = "child_queue"
   3 │   delay_seconds             = 90
   4 │   max_message_size          = 2048
   5 │   message_retention_seconds = 86400
   6 │   receive_wait_time_seconds = 10
   7 └ }
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

In both cases I've run the scan against the root directory directly.

Have I got that right?


kapilt commented Mar 29, 2023

@simar7 yeah, that's a good summary of the desired output and expectation, i.e. terraform modules outside root should not silently pass when they would otherwise fail. I imagine this will suddenly break a lot of CI pipelines using trivy, due to the broken previous behavior of silently passing instead of evaluating terraform.

@knqyf263 (Collaborator) commented:

Will be included in v0.42.0


itaysk commented Jun 1, 2023

@simar7 should this be closed?


simar7 commented Jun 9, 2023

This has been resolved in the latest releases.

@simar7 simar7 closed this as completed Jun 9, 2023