fix(cloudformation): resolve property depending on conditions #4844

Closed
nikpivkin opened this issue Jul 19, 2023 · 1 comment
Labels: kind/bug, scan/misconfiguration

@nikpivkin (Contributor)

When a property is a value returned by a condition, defsec does not evaluate it.

Example:

Resources:
  Bucket:
    Type: "AWS::S3::Bucket"
    Properties:
      VersioningConfiguration:
        !If [true, { Status: Enabled }, { Status: Suspended }]

Output:

trivy config pseudo.yaml -d
2023-07-19T22:24:32.105+0600    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-07-19T22:24:32.115+0600    DEBUG   cache dir:  /Users/tososomaru/Library/Caches/trivy
2023-07-19T22:24:32.115+0600    DEBUG   Module dir: /Users/tososomaru/.trivy/modules
2023-07-19T22:24:32.115+0600    INFO    Misconfiguration scanning is enabled
2023-07-19T22:24:32.116+0600    DEBUG   Policies successfully loaded from disk
2023-07-19T22:24:32.142+0600    DEBUG   Walk the file tree rooted at 'pseudo.yaml' in parallel
2023-07-19T22:24:32.142+0600    DEBUG   Scanning CloudFormation files for misconfigurations...
2023-07-19T22:24:32.423+0600    DEBUG   Scanning Helm files for misconfigurations...
2023-07-19T22:24:32.442+0600    DEBUG   OS is not detected.
2023-07-19T22:24:32.442+0600    INFO    Detected config files: 1
2023-07-19T22:24:32.442+0600    DEBUG   Scanned config file: pseudo.yaml

pseudo.yaml (cloudformation)

Tests: 11 (SUCCESSES: 2, FAILURES: 9, EXCEPTIONS: 0)
Failures: 9 (UNKNOWN: 0, LOW: 1, MEDIUM: 2, HIGH: 6, CRITICAL: 0)
....

MEDIUM: Bucket does not have versioning enabled
════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════

Versioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket. 
You can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets. 
With versioning you can recover more easily from both unintended user actions and application failures.


See https://avd.aquasec.com/misconfig/avd-aws-0090
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 pseudo.yaml:2-6
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   2 ┌   Bucket:
   3 │     Type: "AWS::S3::Bucket"
   4 │     Properties:
   5 │       VersioningConfiguration:
   6 └         !If [true, { Status: Enabled }, { Status: Suspended }]
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
....
@nikpivkin nikpivkin added kind/bug Categorizes issue or PR as related to a bug. scan/misconfiguration Issues relating to misconfiguration scanning labels Jul 19, 2023
@nikpivkin nikpivkin self-assigned this Jul 19, 2023
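As an added example (not code from this issue, nor from defsec or trivy), a small Go resolver showing what "evaluating the condition" means for a scanner: `Fn::If` is resolved over the parsed `Properties` block before the versioning check runs, and a condition that cannot be evaluated is reported as unknown instead of being silently skipped. The condition name "Versioned", the function names and the map-based template representation are assumptions; conditions are assumed to be pre-evaluated to booleans, and lists are not walked in this sketch.

```go
package main

import "fmt"

// resolveIf returns v with every Fn::If node replaced by its selected branch, recursing into
// maps and the chosen branch (lists are left as-is here). ok is false when a condition cannot
// be evaluated, so the caller can report the value as unknown instead of silently skipping it.
func resolveIf(v any, conds map[string]bool) (out any, ok bool) {
	t, isMap := v.(map[string]any)
	if !isMap {
		return v, true // scalar or list leaf
	}
	if args, isIf := t["Fn::If"].([]any); isIf && len(t) == 1 && len(args) == 3 {
		var take bool
		if take, ok = args[0].(bool); !ok { // literal selector, as in the issue's pseudo template
			name, isName := args[0].(string) // otherwise a name from the Conditions section
			if take, ok = conds[name]; !isName || !ok {
				return v, false // unknown condition
			}
		}
		if take {
			return resolveIf(args[1], conds)
		}
		return resolveIf(args[2], conds)
	}
	m := make(map[string]any, len(t))
	for k, c := range t {
		if m[k], ok = resolveIf(c, conds); !ok {
			return v, false
		}
	}
	return m, true
}

// versioningEnabled is the AVD-AWS-0090 check over a bucket's resolved Properties; unknown=true
// means resolution failed, which a scanner should surface rather than treat as a pass.
func versioningEnabled(props map[string]any, conds map[string]bool) (enabled, unknown bool) {
	r, ok := resolveIf(props, conds)
	rm, _ := r.(map[string]any)
	vc, _ := rm["VersioningConfiguration"].(map[string]any)
	return ok && vc["Status"] == "Enabled", !ok
}

func main() {
	// Constructed Properties block from the issue, with the literal true selector replaced by
	// a hypothetical named condition "Versioned"; conditions themselves are assumed pre-evaluated.
	props := map[string]any{"VersioningConfiguration": map[string]any{"Fn::If": []any{
		"Versioned", map[string]any{"Status": "Enabled"}, map[string]any{"Status": "Suspended"}}}}
	fmt.Println(versioningEnabled(props, map[string]bool{"Versioned": true})) // true false
}
```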
@simar7 (Member) commented Jul 20, 2023

Closed via aquasecurity/defsec#1396

@simar7 simar7 closed this as completed Jul 20, 2023
@simar7 simar7 added this to the v0.44.0 milestone Jul 27, 2023