
bug(misconf): Inline filtering doesn't work anymore for avd-aws-0091 #6686

Closed
nikpivkin opened this issue May 14, 2024 Discussed in #6685 · 0 comments · Fixed by #6708
Labels
kind/bug Categorizes issue or PR as related to a bug. scan/misconfiguration Issues relating to misconfiguration scanning
@nikpivkin (Contributor)

Discussed in #6685

Originally posted by RobinFrcd May 14, 2024

Description

Hi,
I just switched from tfsec to trivy.
I used to ignore checks like this:

resource "aws_s3_bucket_public_access_block" "webapp_static" {
  bucket = aws_s3_bucket.webapp_static.id

  block_public_acls   = false #tfsec:ignore:aws-s3-block-public-acls
  block_public_policy = false #tfsec:ignore:aws-s3-block-public-policy

  ignore_public_acls      = false #tfsec:ignore:aws-s3-ignore-public-acls
  restrict_public_buckets = false #tfsec:ignore:aws-s3-no-public-buckets
}

Desired Behavior

resource "aws_s3_bucket_public_access_block" "webapp_static" {
  bucket = aws_s3_bucket.webapp_static.id

  block_public_acls   = false #tfsec:ignore:aws-s3-block-public-acls
  block_public_policy = false #tfsec:ignore:aws-s3-block-public-policy

  ignore_public_acls      = false #trivy:ignore:avd-aws-0091
  restrict_public_buckets = false #tfsec:ignore:aws-s3-no-public-buckets
}

Should not raise HIGH: Public access block does not ignore public ACLs

Actual Behavior

It raises "HIGH: Public access block does not ignore public ACLs"; the only way to correctly filter the alert is to put the comment before the resource.

This one doesn't raise the alert.

#trivy:ignore:avd-aws-0091
resource "aws_s3_bucket_public_access_block" "webapp_static" {
  bucket = aws_s3_bucket.webapp_static.id

  block_public_acls   = false #tfsec:ignore:aws-s3-block-public-acls
  block_public_policy = false #tfsec:ignore:aws-s3-block-public-policy

  ignore_public_acls      = false
  restrict_public_buckets = false #tfsec:ignore:aws-s3-no-public-buckets
}

Reproduction Steps

1. Write this code

resource "aws_s3_bucket_public_access_block" "webapp_static" {
  bucket = aws_s3_bucket.webapp_static.id

  block_public_acls   = false #tfsec:ignore:aws-s3-block-public-acls
  block_public_policy = false #tfsec:ignore:aws-s3-block-public-policy

  ignore_public_acls      = false #trivy:ignore:avd-aws-0091
  restrict_public_buckets = false #tfsec:ignore:aws-s3-no-public-buckets
}

2. Run trivy

Target

AWS

Scanner

Misconfiguration

Output Format

None

Mode

None

Debug Output

HIGH: Public access block does not ignore public ACLs
════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091

Operating System

Ubuntu 22.04

Version

Version: 0.51.1
Check Bundle:
  Digest: sha256:6d0771effa53c6cf8130861fc3ac28f5515c35a028edb4bb1e67261b9218c80e
  DownloadedAt: 2024-05-14 11:52:36.985947878 +0000 UTC

Checklist
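As an added example (not Trivy's code and not the reporter's), the following Go program models the two comment placements this issue contrasts: an ignore comment on the attribute's own line should suppress that attribute's finding, and a comment on the line directly above the resource block should suppress matching findings anywhere inside it. The `Finding`, `blockStart` and `Ignored` names, the line-based brace counting and the HCL samples are assumptions made for this illustration, not Trivy's implementation.

```go
package main

import "strings"

type Finding struct {
	ID   string // check ID, e.g. avd-aws-0091
	Line int    // 1-based line of the flagged attribute
}

// blockStart returns the 1-based line that opens the block enclosing line ln
// by counting braces upwards (assumes no braces inside string literals).
func blockStart(lines []string, ln int) int {
	depth := 0
	for i := ln - 1; i >= 0; i-- {
		depth += strings.Count(lines[i], "}") - strings.Count(lines[i], "{")
		if depth < 0 {
			return i + 1
		}
	}
	return 0 // not inside any block
}

// Ignored reports whether f is suppressed by a "#trivy:ignore:<id>" comment on
// the attribute's own line or on the line directly above its enclosing block.
func Ignored(src string, f Finding) bool {
	lines := strings.Split(src, "\n")
	if f.Line < 1 || f.Line > len(lines) {
		return false
	}
	candidates := []int{f.Line} // attribute-level placement
	if start := blockStart(lines, f.Line); start > 1 {
		candidates = append(candidates, start-1) // resource-level placement
	}
	for _, ln := range candidates {
		for _, tok := range strings.Fields(lines[ln-1]) {
			if tok == "#trivy:ignore:"+f.ID {
				return true
			}
		}
	}
	return false
}
// Constructed samples reproducing the two placements from the issue.
const attrLevel = `resource "aws_s3_bucket_public_access_block" "webapp_static" {
  ignore_public_acls = false #trivy:ignore:avd-aws-0091
}`
const resourceLevel = `#trivy:ignore:avd-aws-0091
resource "aws_s3_bucket_public_access_block" "webapp_static" {
  ignore_public_acls = false
}`
```

A comment separated from the resource block by a blank line, or placed on an unrelated attribute, is deliberately not honoured by this model, which is the behaviour the reporter expects from the attribute-level form.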

@nikpivkin nikpivkin added kind/bug Categorizes issue or PR as related to a bug. scan/misconfiguration Issues relating to misconfiguration scanning labels May 14, 2024
@simar7 simar7 added this to the v0.52.0 milestone May 17, 2024
@simar7 simar7 changed the title from "Inline filtering doesn't work anymore for avd-aws-0091" to "bug(misconf): Inline filtering doesn't work anymore for avd-aws-0091" May 17, 2024