bug: deletion protection can't be ignored using inline comment #6124

Octogonapus · 2024-02-13T22:01:59Z

Octogonapus
Feb 13, 2024

Description

The RDS DB Deletion Protection finding should be able to be ignored using an inline comment. However, it can't be ignored using an inline comment

Desired Behavior

The finding should be ignored.

Actual Behavior

The finding is present despite the inline comment:

MEDIUM: Instance does not have Deletion Protection enabled
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Ensure deletion protection is enabled for RDS database instances.

See https://avd.aquasec.com/misconfig/n/a
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 main.tf:3
   via main.tf:2-5 (aws_db_instance.instance)
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   2   resource "aws_db_instance" "instance" {
   3 [   deletion_protection = false
   4     instance_class      = "db.t3.micro"
   5   }
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Reproduction Steps

Run `trivy fs . --scanners config --severity CRITICAL,HIGH,MEDIUM` with this code:


# trivy:ignore:AVD-AWS-0343
resource "aws_db_instance" "instance" {
  deletion_protection = false
  instance_class      = "db.t3.micro"
}

Target

Filesystem

Scanner

Misconfiguration

Output Format

None

Mode

Standalone

Debug Output

2024-02-13T17:02:33.035-0500    DEBUG   Severities: ["CRITICAL" "HIGH" "MEDIUM"]
2024-02-13T17:02:33.035-0500    WARN    '--scanners config' is deprecated. Use '--scanners misconfig' instead. See https://github.com/aquasecurity/trivy/discussions/5586 for the detail.
2024-02-13T17:02:33.035-0500    DEBUG   Ignore statuses {"statuses": null}
2024-02-13T17:02:33.049-0500    DEBUG   cache dir:  /home/salmon/.cache/trivy
2024-02-13T17:02:33.049-0500    INFO    Misconfiguration scanning is enabled
2024-02-13T17:02:33.049-0500    DEBUG   Policies successfully loaded from disk
2024-02-13T17:02:33.049-0500    DEBUG   Enabling misconfiguration scanners: [azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan]
2024-02-13T17:02:33.056-0500    DEBUG   The nuget packages directory couldn't be found. License search disabled
2024-02-13T17:02:33.061-0500    DEBUG   Walk the file tree rooted at '.' in parallel
2024-02-13T17:02:33.061-0500    DEBUG   Scanning Terraform files for misconfigurations...
2024-02-13T17:02:33.061-0500    DEBUG   [misconf] 02:33.061657431 terraform.scanner                Scanning [&{%!s(*mapfs.file=&{ [] {. 256 2147484096 {13937259440335774982 304713905 0x100ff4c0} <nil>} {{{0 0} {[] {} 0xc003a365b0} map[main.tf:0xc002b82ca8] 0}}}) .}] at '.'...
2024-02-13T17:02:33.063-0500    DEBUG   [misconf] 02:33.063295020 terraform.scanner.rego           Overriding filesystem for policies!
2024-02-13T17:02:33.087-0500    DEBUG   [misconf] 02:33.087266286 terraform.scanner.rego           Loaded 189 policies from disk.
2024-02-13T17:02:33.087-0500    DEBUG   [misconf] 02:33.087431096 terraform.scanner.rego           Overriding filesystem for data!
2024-02-13T17:02:33.313-0500    DEBUG   [misconf] 02:33.313319772 terraform.scanner                Scanning root module '.'...
2024-02-13T17:02:33.313-0500    DEBUG   [misconf] 02:33.313346019 terraform.parser.<root>          Setting project/module root to '.'
2024-02-13T17:02:33.313-0500    DEBUG   [misconf] 02:33.313349944 terraform.parser.<root>          Parsing FS from '.'
2024-02-13T17:02:33.313-0500    DEBUG   [misconf] 02:33.313362269 terraform.parser.<root>          Parsing 'main.tf'...
2024-02-13T17:02:33.313-0500    DEBUG   [misconf] 02:33.313411219 terraform.parser.<root>          Added file main.tf.
2024-02-13T17:02:33.313-0500    DEBUG   [misconf] 02:33.313415453 terraform.parser.<root>          Evaluating module...
2024-02-13T17:02:33.313-0500    DEBUG   [misconf] 02:33.313462987 terraform.parser.<root>          Read 1 block(s) and 1 ignore(s) for module 'root' (1 file[s])...
2024-02-13T17:02:33.313-0500    DEBUG   [misconf] 02:33.313474690 terraform.parser.<root>          Added 0 variables from tfvars.
2024-02-13T17:02:33.313-0500    DEBUG   [misconf] 02:33.313479098 terraform.parser.<root>          Error loading module metadata: open .terraform/modules/modules.json: file does not exist.
2024-02-13T17:02:33.313-0500    DEBUG   [misconf] 02:33.313490124 terraform.parser.<root>          Working directory for module evaluation is '/tmp/trivytest'
2024-02-13T17:02:33.313-0500    DEBUG   [misconf] 02:33.313511862 terraform.parser.<root>.evaluator Filesystem key is 'ca2057ee8e86705f0963fc653de9373da9f8524f59098ff3b5e898298b5ae1e9'
2024-02-13T17:02:33.313-0500    DEBUG   [misconf] 02:33.313514927 terraform.parser.<root>.evaluator Starting module evaluation...
2024-02-13T17:02:33.313-0500    DEBUG   [misconf] 02:33.313548612 terraform.parser.<root>.evaluator Starting submodule evaluation...
2024-02-13T17:02:33.313-0500    DEBUG   [misconf] 02:33.313551435 terraform.parser.<root>.evaluator Finished processing 0 submodule(s).
2024-02-13T17:02:33.313-0500    DEBUG   [misconf] 02:33.313559061 terraform.parser.<root>.evaluator Starting post-submodule evaluation...
2024-02-13T17:02:33.313-0500    DEBUG   [misconf] 02:33.313585159 terraform.parser.<root>.evaluator Module evaluation complete.
2024-02-13T17:02:33.313-0500    DEBUG   [misconf] 02:33.313588539 terraform.parser.<root>          Finished parsing module 'root'.
2024-02-13T17:02:33.313-0500    DEBUG   [misconf] 02:33.313593365 terraform.executor               Adapting modules...
2024-02-13T17:02:33.313-0500    DEBUG   [misconf] 02:33.313658057 terraform.executor               Adapted 1 module(s) into defsec state data.
2024-02-13T17:02:33.313-0500    DEBUG   [misconf] 02:33.313660674 terraform.executor               Using max routines of 31
2024-02-13T17:02:33.313-0500    DEBUG   [misconf] 02:33.313664216 terraform.executor               Applying state modifier functions...
2024-02-13T17:02:33.313-0500    DEBUG   [misconf] 02:33.313724994 terraform.executor               Initialised 484 rule(s).
2024-02-13T17:02:33.313-0500    DEBUG   [misconf] 02:33.313727649 terraform.executor               Created pool with 31 worker(s) to apply rules.
2024-02-13T17:02:33.313-0500    DEBUG   [misconf] 02:33.313991352 terraform.scanner.rego           Scanning 1 inputs...
2024-02-13T17:02:33.322-0500    DEBUG   [misconf] 02:33.322870697 terraform.executor               Finished applying rules.
2024-02-13T17:02:33.322-0500    DEBUG   [misconf] 02:33.322894101 terraform.executor               Applying ignores...
2024-02-13T17:02:33.340-0500    DEBUG   OS is not detected.
2024-02-13T17:02:33.340-0500    INFO    Detected config files: 2
2024-02-13T17:02:33.340-0500    DEBUG   Scanned config file: main.tf
2024-02-13T17:02:33.340-0500    DEBUG   Scanned config file: .

main.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 3, EXCEPTIONS: 0)
Failures: 3 (MEDIUM: 2, HIGH: 1, CRITICAL: 0)

MEDIUM: Instance has very low backup retention period.
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
RDS backup retention for clusters defaults to 1 day, this may not be enough to identify and respond to an issue. Backup retention periods should be set to a period that is a balance on cost and limiting risk.

See https://avd.aquasec.com/misconfig/avd-aws-0077
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 main.tf:2-5
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   2 ┌ resource "aws_db_instance" "instance" {
   3 │   deletion_protection = false
   4 │   instance_class      = "db.t3.micro"
   5 └ }
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


HIGH: Instance does not have storage encryption enabled.
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Encryption should be enabled for an RDS Database instances. 

When enabling encryption by setting the kms_key_id.

See https://avd.aquasec.com/misconfig/avd-aws-0080
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 main.tf:2-5
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   2 ┌ resource "aws_db_instance" "instance" {
   3 │   deletion_protection = false
   4 │   instance_class      = "db.t3.micro"
   5 └ }
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


MEDIUM: Instance does not have Deletion Protection enabled
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Ensure deletion protection is enabled for RDS database instances.

See https://avd.aquasec.com/misconfig/n/a
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 main.tf:3
   via main.tf:2-5 (aws_db_instance.instance)
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   2   resource "aws_db_instance" "instance" {
   3 [   deletion_protection = false
   4     instance_class      = "db.t3.micro"
   5   }
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Operating System

Fedora 39 Workstation

Version

Version: 0.49.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-02-09 12:11:54.803692275 +0000 UTC
  NextUpdate: 2024-02-09 18:11:54.803691874 +0000 UTC
  DownloadedAt: 2024-02-09 16:04:19.667835944 +0000 UTC
Policy Bundle:
  Digest: sha256:1df8ade71efc830877ca3b1130f83e0c6368e3a45b0d4c0f0418955501644054
  DownloadedAt: 2024-02-13 21:22:48.94929282 +0000 UTC

Checklist

Run trivy image --reset
Read the troubleshooting

simar7 · 2024-02-13T22:13:12Z

simar7
Feb 13, 2024
Maintainer

Thanks for the report, looks like ID for the check is incorrect. AVD-AWS-0343 is for cluster deletion prevention, not instance.

The correct ID for the policy to ignore is AVD-AWS-0177 and the link is https://avd.aquasec.com/misconfig/aws/rds/avd-aws-0177/

The below code snippet works as expected:

#trivy:ignore:AVD-AWS-0177
resource "aws_db_instance" "instance" {
  deletion_protection = false
  instance_class      = "db.t3.micro"
}

$ trivy --debug config .
<snip>
2024-02-13T15:09:51.560-0700    DEBUG   [misconf] 09:51.560387000 terraform.executor               Ignored 'aws-rds-enable-deletion-protection' at 'main.tf:3'.
</snip>

0 replies

Octogonapus · 2024-02-14T01:43:03Z

Octogonapus
Feb 14, 2024
Author

Ok thanks! Note the misconfig link is https://avd.aquasec.com/misconfig/n/a which links to AWS-AVD-0343 so that's how I got confused. I guess that is the real bug here.

2 replies

simar7 Feb 14, 2024
Maintainer

Yeah you're right. I'll create an issue to track it.

simar7 Feb 14, 2024
Maintainer

Track #6125

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

bug: deletion protection can't be ignored using inline comment #6124

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 2 comments 2 replies

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

Select a reply

bug: deletion protection can't be ignored using inline comment #6124

Octogonapus Feb 13, 2024

Description

Desired Behavior

Actual Behavior

Reproduction Steps

Target

Scanner

Output Format

Mode

Debug Output

Operating System

Version

Checklist

Replies: 2 comments · 2 replies

simar7 Feb 13, 2024 Maintainer

Octogonapus Feb 14, 2024 Author

simar7 Feb 14, 2024 Maintainer

simar7 Feb 14, 2024 Maintainer

Octogonapus
Feb 13, 2024

Replies: 2 comments 2 replies

simar7
Feb 13, 2024
Maintainer

Octogonapus
Feb 14, 2024
Author

simar7 Feb 14, 2024
Maintainer

simar7 Feb 14, 2024
Maintainer