bug(misconf): Resolve attributes depending on conditions irrespective of placement #5686
Closed
Labels: kind/bug, scan/misconfiguration
Minimum reproducible example:
Discussed in #5680
Originally posted by SujithPS0604 November 29, 2023
Description
defsec does not evaluate the second part of a conditional operator
Example:
Here, whatever the condition is, defsec is only scanning the configuration of the first part of the condition. Here it is analyzing `data.aws_iam_policy_document.access_policy_document_prod.json`.
Output:
trivy config . --severity "HIGH" -d
Here there is no failure, as the policy `data.aws_iam_policy_document.access_policy_document_prod.json` is clean from issues. But if I move the second part to the first part, it is showing all the issues of `data.aws_iam_policy_document.access_policy_document.json`.
Example:
Output:
trivy config . --severity "HIGH" -d
Here, the number of config files scanned also increased, and it is showing issues with the policy.
So, by default, it is always analyzing the first part of the condition only. Even if I switch the condition, it is still analyzing the first part.
Desired Behavior
It should analyze both parts of the condition, irrespective of the position each one is in.
Actual Behavior
It is analyzing only the first part of the condition.
Reproduction Steps
1. In a Terraform file, write a conditional expression which will choose either one data block or the other data block.
2. Run `trivy config` and observe that it is showing the issues from the first part of the expression only.
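The Terraform layout the report describes, written out as an added example (this is not the reporter's configuration; the variable, resource and bucket names are constructed). One policy document is over-permissive, the other is least-privilege, and a conditional picks between them. A scanner that only evaluates the first operand of the conditional reports nothing for the first ordering and reports the wildcard finding for the second, even though the same two documents are present in both.

```hcl
# Added example, not from the issue. Names and the bucket ARN are constructed.

variable "environment" {
  type    = string
  default = "dev"
}

# Over-permissive document: wildcard actions on wildcard resources.
# This is the document a misconfiguration scanner should report.
data "aws_iam_policy_document" "access_policy_document" {
  statement {
    effect    = "Allow"
    actions   = ["*"]
    resources = ["*"]
  }
}

# Least-privilege document for prod: read-only access to a single bucket.
data "aws_iam_policy_document" "access_policy_document_prod" {
  statement {
    effect    = "Allow"
    actions   = ["s3:GetObject"]
    resources = ["arn:aws:s3:::example-bucket/*"]
  }
}

resource "aws_iam_policy" "access" {
  name = "access-policy"

  # The wildcard document sits in the second operand here. Per the report,
  # only the first operand is evaluated, so this ordering hides the finding.
  policy = var.environment == "prod" ? data.aws_iam_policy_document.access_policy_document_prod.json : data.aws_iam_policy_document.access_policy_document.json

  # Swapping the operands (same two documents, inverted test) surfaces it:
  # policy = var.environment != "prod" ? data.aws_iam_policy_document.access_policy_document.json : data.aws_iam_policy_document.access_policy_document_prod.json
}
```

To check a scanner against this, run `trivy config . --severity "HIGH"` once with each ordering of the `policy` expression. The wildcard finding should appear in both runs; if it appears only when the over-permissive document is the first operand, the scanner is evaluating a single branch and a policy that is deployed in some environments is never reviewed.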
Target
Filesystem
Scanner
Misconfiguration
Output Format
None
Mode
Standalone
Debug Output
Operating System
macOS Sonoma
Version
Checklist
trivy image --reset