bug: Symlinks that point to absolute paths are neglected #5002

Closed
nikpivkin opened this issue Aug 17, 2023 · 1 comment

source https://github.com/aquasecurity/tfsec/issues/1911

Describe the bug

tfsec fails to correctly read the contents of *.tf if they are symlinks pointing to absolute paths.

To Reproduce

  1. mkdir /tmp/a /tmp/b

  2. touch /tmp/a/a.tf

  3. ln -s /tmp/a/a.tf /tmp/b/a.tf

  4. tfsec --debug /tmp/b does not scan the contents of (currently-empty) /tmp/b/a.tf with the following message and then reports "files read: 0".

26:56.797660000 terraform.parser.<root>          Failed to stat resolved symlink 'tmp/b/tmp/a/a.tf': stat //tmp/b/tmp/a/a.tf: no such file or directory
All output of tfsec --debug /tmp/b
26:56.732983000 system.info                      APP       tfsec
26:56.733091000 system.info                      VERSION   v1.28.0
26:56.733092000 system.info                      OS        darwin
26:56.733093000 system.info                      ARCH      arm64
26:56.733094000 system.info                      KERNEL    
26:56.733096000 system.info                      TERM      xterm-256color
26:56.733097000 system.info                      SHELL     /bin/zsh
26:56.733098000 system.info                      GOVERSION go1.19.1
26:56.733099000 system.info                      GOROOT    /opt/homebrew/Cellar/go/1.19.1/libexec
26:56.733100000 system.info                      CGO       false
26:56.733102000 system.info                      CPUCOUNT  8
26:56.733103000 system.info                      MAXPROCS  8
26:56.733104000 system.info                      WORKDIR   /Users/skirino/temp
26:56.733106000 system.info                      UID       503
26:56.733107000 system.info                      EUID      503
26:56.733185000 system.info                      DOCKER    false
26:56.733190000 system.info                      CI        false
26:56.733191000 system.info                      HOSTNAME  A0114
26:56.733192000 system.info                      TEMP      /var/folders/2f/z_0yvm_j0k9g2336d23z2ws40000gq/T/
26:56.733193000 system.info                      PATHSEP   /
26:56.733195000 system.info                      CMD       tfsec --debug /tmp/b
26:56.733197000 cmd                              Command args=[]string{"/tmp/b"}
26:56.733207000 cmd                              Determined path dir=/tmp/b
26:56.733671000 cmd                              Determined path root=/
26:56.733675000 cmd                              Determined path rel=tmp/b
26:56.733739000 terraform.scanner                Scanning [&{/ /}] at 'tmp/b'...
26:56.734633000 terraform.scanner.rego           Loaded 4 embedded libraries.
26:56.752015000 terraform.scanner.rego           Loaded 117 embedded policies.
26:56.797350000 terraform.scanner                Scanning root module 'tmp/b'...
26:56.797370000 terraform.parser.<root>          Setting project/module root to 'tmp/b'
26:56.797372000 terraform.parser.<root>          Parsing FS from 'tmp/b'
26:56.797660000 terraform.parser.<root>          Failed to stat resolved symlink 'tmp/b/tmp/a/a.tf': stat //tmp/b/tmp/a/a.tf: no such file or directory
26:56.797668000 terraform.parser.<root>          Evaluating module...
26:56.797670000 terraform.parser.<root>          No files found, nothing to do.
26:56.797671000 terraform.executor               Adapting modules...
26:56.799144000 terraform.executor               Adapted 0 module(s) into defsec state data.
26:56.799147000 terraform.executor               Using max routines of 7
26:56.799149000 terraform.executor               Applying state modifier functions...
26:56.799445000 terraform.executor               Initialised 388 rule(s).
26:56.799452000 terraform.executor               Created pool with 7 worker(s) to apply rules.
26:56.800235000 terraform.scanner.rego           Scanning 1 inputs...
26:56.828356000 terraform.executor               Finished applying rules.
26:56.828373000 terraform.executor               Applying ignores...
26:56.828376000 cmd                              Exit code based on results: 0
  timings
  ──────────────────────────────────────────
  disk i/o             0s
  parsing              0s
  adaptation           1.470375ms
  checks               29.206292ms
  total                30.676667ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    0
  blocks processed     0
  files read           0

  results
  ──────────────────────────────────────────
  passed               0
  ignored              0
  critical             0
  high                 0
  medium               0
  low                  0


No problems detected!

Expected behavior

The absolute symlinks are processed in the same way as normal files/relative symlinks.

System Info

tfsec version: 1.28.0
terraform version: 1.3.1
OS: macOS 12.6 (arm64)

Additional context

@nikpivkin nikpivkin added the scan/misconfiguration Issues relating to misconfiguration scanning label Aug 17, 2023
@simar7 simar7 added this to the v0.46.0 milestone Sep 6, 2023
@simar7 simar7 removed this from the v0.46.0 milestone Sep 26, 2023
@simar7 simar7 modified the milestone: v0.47.0 Oct 27, 2023

simar7 commented Oct 30, 2023

Closing this as it's a wider issue to work on as being discussed in #5356

@simar7 simar7 closed this as not planned Oct 30, 2023
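
The path in the failed stat, 'tmp/b/tmp/a/a.tf', is what results when a symlink's directory is joined with an absolute target, and the scan then ends with "files read 0" and "No problems detected!". The Go code below is an added example, not code from tfsec or Trivy: `naiveResolve` and `resolveInFS` are hypothetical helpers, assuming Unix paths and a scanner that reads files through an `fs.FS` rooted at an OS directory ("/" in the log above). It goes slightly beyond the report by also rejecting targets that fall outside the FS root.

```go
package main

import (
	"fmt"
	"path"
	"path/filepath"
	"strings"
)

// naiveResolve joins the link's directory with the target unconditionally.
// For an absolute target this yields the bogus path seen in the debug log.
func naiveResolve(linkPath, target string) string {
	return path.Join(path.Dir(linkPath), filepath.ToSlash(target))
}

// resolveInFS maps a symlink target to a slash-separated path relative to
// fsRoot, the form io/fs expects. fsRoot is the OS directory backing the FS;
// linkPath is the link's FS-relative path; target is the os.Readlink result.
func resolveInFS(fsRoot, linkPath, target string) (string, error) {
	var abs string
	if filepath.IsAbs(target) {
		abs = filepath.Clean(target) // absolute: do not prepend the link's dir
	} else {
		dir := filepath.Dir(filepath.FromSlash(linkPath))
		abs = filepath.Join(fsRoot, dir, target) // relative to the link's dir
	}
	rel, err := filepath.Rel(fsRoot, abs)
	if err != nil {
		return "", err
	}
	rel = filepath.ToSlash(rel)
	if rel == ".." || strings.HasPrefix(rel, "../") {
		// The FS cannot address this file; report it instead of skipping it.
		return "", fmt.Errorf("symlink %q -> %q leaves FS root %q", linkPath, target, fsRoot)
	}
	return rel, nil
}

func main() {
	// Constructed inputs mirroring the reproduction steps in the issue.
	fmt.Println(naiveResolve("tmp/b/a.tf", "/tmp/a/a.tf"))
	fmt.Println(resolveInFS("/", "tmp/b/a.tf", "/tmp/a/a.tf"))
	fmt.Println(resolveInFS("/", "tmp/b/a.tf", "../a/a.tf"))
	fmt.Println(resolveInFS("/tmp/b", "a.tf", "/tmp/a/a.tf"))
}
```

Returning an error for an unreachable target lets the caller surface the skipped file rather than reporting a clean scan over zero files.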