fix(misconf): add an ID field for all Rego rules #5195

Closed
2 tasks done
nikpivkin opened this issue Sep 15, 2023 Discussed in #5194 · 1 comment
Comments

nikpivkin commented Sep 15, 2023

Trivy uses the rule ID to create the primary URL, so we should add an id field (a copy of avd_id) for all Rego rules.

Related issues:

Discussed in #5194

Originally posted by el-chazmo September 15, 2023

Description

When scanning a Terraform config file that creates an aws_db_instance, the following error shows up:

MEDIUM: Instance does not have Deletion Protection enabled Ensure deletion protection is enabled for RDS database instances. See https://avd.aquasec.com/misconfig/n/a
URL redirects to

https://avd.aquasec.com/misconfig/aws/s3/avd-aws-0321/

Would also like to ignore this error using # trivy:ignore:

Desired Behavior

In trivy output URL should be
https://avd.aquasec.com/misconfig/aws/rds/rds-deletion-protection-enabled/

Ignore code should be

trivy:ignore:rds-deletion-protection-enabled

(as per ID on URL)

Actual Behavior

URL is https://avd.aquasec.com/misconfig/n/a
which redirects to
https://avd.aquasec.com/misconfig/aws/s3/avd-aws-0321/

Ignore code is:

trivy:ignore:N/A

NOTE: lowercase # trivy:ignore:n/a does NOT work

Reproduction Steps

1. trivy config .

Target

Git Repository

Scanner

Misconfiguration

Output Format

Table

Mode

Standalone

Debug Output

2023-09-15T11:48:36.268+0100    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-09-15T11:48:36.280+0100    DEBUG   cache dir:  /home/xxxx.xxxx/.cache/trivy
2023-09-15T11:48:36.280+0100    INFO    Misconfiguration scanning is enabled
2023-09-15T11:48:36.280+0100    DEBUG   Using URL: ghcr.io/aquasecurity/defsec:0 to load policy bundle
2023-09-15T11:48:36.950+0100    DEBUG   Policies successfully loaded from disk
2023-09-15T11:48:36.984+0100    DEBUG   Walk the file tree rooted at '.' in parallel
2023-09-15T11:48:36.988+0100    DEBUG   Scanning Terraform files for misconfigurations...
2023-09-15T11:48:40.550+0100    DEBUG   Scanning Helm files for misconfigurations...
2023-09-15T11:48:40.559+0100    DEBUG   Loading the default license classifier...
2023-09-15T11:48:41.043+0100    DEBUG   Unable to identify dependencies of github.com/bgentry/[email protected] as it doesn't support Go modules
2023-09-15T11:48:41.082+0100    DEBUG   Unable to identify dependencies of github.com/pmezard/[email protected] as it doesn't support Go modules
2023-09-15T11:48:41.146+0100    DEBUG   Unable to identify dependencies of github.com/davecgh/[email protected] as it doesn't support Go modules
2023-09-15T11:48:41.456+0100    DEBUG   Unable to identify dependencies of github.com/golang/[email protected] as it doesn't support Go modules
2023-09-15T11:48:41.555+0100    DEBUG   Unable to identify dependencies of github.com/klauspost/[email protected] as it doesn't support Go modules
2023-09-15T11:48:41.555+0100    DEBUG   Unable to identify dependencies of github.com/mitchellh/[email protected] as it doesn't support Go modules
2023-09-15T11:48:41.555+0100    DEBUG   Unable to identify dependencies of github.com/stretchr/[email protected] as it doesn't support Go modules
2023-09-15T11:48:41.555+0100    DEBUG   Unable to identify dependencies of github.com/zclconf/[email protected] as it doesn't support Go modules
2023-09-15T11:48:41.562+0100    DEBUG   Unable to identify dependencies of cloud.google.com/[email protected] as it doesn't support Go modules
2023-09-15T11:48:41.562+0100    DEBUG   Unable to identify dependencies of golang.org/x/[email protected] as it doesn't support Go modules
2023-09-15T11:48:41.562+0100    DEBUG   Unable to identify dependencies of google.golang.org/[email protected] as it doesn't support Go modules
2023-09-15T11:48:41.562+0100    DEBUG   Unable to identify dependencies of golang.org/x/[email protected] as it doesn't support Go modules
2023-09-15T11:48:41.574+0100    DEBUG   Unable to identify dependencies of github.com/tidwall/[email protected] as it doesn't support Go modules
2023-09-15T11:48:41.579+0100    DEBUG   Unable to identify dependencies of sigs.k8s.io/kustomize/[email protected] as it doesn't support Go modules
2023-09-15T11:48:41.579+0100    DEBUG   Unable to identify dependencies of cloud.google.com/go/[email protected] as it doesn't support Go modules
2023-09-15T11:48:41.579+0100    DEBUG   Unable to identify dependencies of github.com/aws/[email protected] as it doesn't support Go modules
2023-09-15T11:48:41.588+0100    DEBUG   Unable to identify dependencies of k8s.io/[email protected] as it doesn't support Go modules
2023-09-15T11:48:41.598+0100    DEBUG   Unable to identify dependencies of github.com/tmccombs/[email protected] as it doesn't support Go modules
2023-09-15T11:48:41.598+0100    DEBUG   Unable to identify dependencies of golang.org/x/[email protected] as it doesn't support Go modules
2023-09-15T11:48:41.598+0100    DEBUG   Unable to identify dependencies of golang.org/x/[email protected] as it doesn't support Go modules
2023-09-15T11:48:41.598+0100    DEBUG   Unable to identify dependencies of google.golang.org/[email protected] as it doesn't support Go modules
2023-09-15T11:48:41.598+0100    DEBUG   Unable to identify dependencies of github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/[email protected] as it doesn't support Go modules
2023-09-15T11:48:41.598+0100    DEBUG   Unable to identify dependencies of github.com/hashicorp/hcl/[email protected] as it doesn't support Go modules
2023-09-15T11:48:41.605+0100    DEBUG   Unable to identify dependencies of cloud.google.com/go/[email protected] as it doesn't support Go modules
2023-09-15T11:48:41.645+0100    DEBUG   Unable to identify dependencies of golang.org/x/[email protected] as it doesn't support Go modules
2023-09-15T11:48:41.645+0100    DEBUG   Unable to identify dependencies of github.com/hashicorp/[email protected] as it doesn't support Go modules
2023-09-15T11:48:41.656+0100    DEBUG   Unable to identify dependencies of github.com/gruntwork-io/[email protected] as it doesn't support Go modules
2023-09-15T11:48:41.656+0100    DEBUG   Unable to identify dependencies of golang.org/x/[email protected] as it doesn't support Go modules
2023-09-15T11:48:41.661+0100    DEBUG   Unable to identify dependencies of google.golang.org/[email protected] as it doesn't support Go modules
2023-09-15T11:48:41.734+0100    DEBUG   OS is not detected.
2023-09-15T11:48:41.734+0100    INFO    Detected config files: 32
2023-09-15T11:48:41.734+0100    DEBUG   Scanned config file: examples/advanced
2023-09-15T11:48:41.734+0100    DEBUG   Scanned config file: examples/basic
2023-09-15T11:48:41.734+0100    DEBUG   Scanned config file: examples/cross-region-backup-restore
2023-09-15T11:48:41.734+0100    DEBUG   Scanned config file: examples/cross-region-replica
2023-09-15T11:48:41.734+0100    DEBUG   Scanned config file: examples/in-region-backup-restore
2023-09-15T11:48:41.734+0100    DEBUG   Scanned config file: examples/in-region-replica
2023-09-15T11:48:41.734+0100    DEBUG   Scanned config file: main.tf
2023-09-15T11:48:41.734+0100    DEBUG   Scanned config file: secrets.tf
2023-09-15T11:48:41.734+0100    DEBUG   Scanned config file: sns_notifications.tf
2023-09-15T11:48:41.734+0100    DEBUG   Scanned config file: test/setup/advanced
2023-09-15T11:48:41.734+0100    DEBUG   Scanned config file: test/setup/cross-region-backup-restore
2023-09-15T11:48:41.734+0100    DEBUG   Scanned config file: test/setup/cross-region-replica
2023-09-15T11:48:41.734+0100    DEBUG   Scanned config file: test/setup/in-region-backup-restore
2023-09-15T11:48:41.734+0100    DEBUG   Scanned config file: test/setup/in-region-replica
2023-09-15T11:48:41.734+0100    DEBUG   Scanned config file: test/setup
2023-09-15T11:48:41.734+0100    DEBUG   Scanned config file: .terraform/modules/kms_key
2023-09-15T11:48:41.734+0100    DEBUG   Scanned config file: .terraform/modules/kms_key/examples/custom-policies
2023-09-15T11:48:41.734+0100    DEBUG   Scanned config file: .terraform/modules/kms_key/examples/multi-region
2023-09-15T11:48:41.734+0100    DEBUG   Scanned config file: .terraform/modules/kms_key/examples/services
2023-09-15T11:48:41.734+0100    DEBUG   Scanned config file: .terraform/modules/kms_key/examples/basic
2023-09-15T11:48:41.734+0100    DEBUG   Scanned config file: .terraform/modules/kms_key/examples/complete
2023-09-15T11:48:41.734+0100    DEBUG   Scanned config file: .terraform/modules/kms_key/key.tf
2023-09-15T11:48:41.734+0100    DEBUG   Scanned config file: .terraform/modules/kms_key/policy.decrypt.tf
2023-09-15T11:48:41.734+0100    DEBUG   Scanned config file: .terraform/modules/kms_key/policy.encrypt.tf
2023-09-15T11:48:41.734+0100    DEBUG   Scanned config file: .terraform/modules/rds_security_group/examples/basic
2023-09-15T11:48:41.734+0100    DEBUG   Scanned config file: .terraform/modules/rds_security_group/examples/cidr-blocks
2023-09-15T11:48:41.734+0100    DEBUG   Scanned config file: .terraform/modules/rds_security_group/ingress.tf
2023-09-15T11:48:41.734+0100    DEBUG   Scanned config file: .terraform/modules/rds_security_group/test/setup
2023-09-15T11:48:41.734+0100    DEBUG   Scanned config file: .terraform/modules/rds_security_group/test/setup/main.tf
2023-09-15T11:48:41.734+0100    DEBUG   Scanned config file: .terraform/modules/rds_security_group
2023-09-15T11:48:41.734+0100    DEBUG   Scanned config file: .terraform/modules/rds_security_group/egress.tf
2023-09-15T11:48:41.734+0100    DEBUG   Scanned config file: .

main.tf (terraform)

Tests: 136 (SUCCESSES: 126, FAILURES: 10, EXCEPTIONS: 0)
Failures: 10 (UNKNOWN: 0, LOW: 0, MEDIUM: 10, HIGH: 0, CRITICAL: 0)

MEDIUM: Instance does not have Deletion Protection enabled
════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Ensure deletion protection is enabled for RDS database instances.

See https://avd.aquasec.com/misconfig/n/a
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 main.tf:221
   via main.tf:200-303 (aws_db_instance.oracle)
    via test/setup/cross-region-backup-restore/main.tf:19-47 (module.database)
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 200   resource "aws_db_instance" "oracle" {
 ...   
 221 [   deletion_protection                 = var.enable_deletion_protection
 ...   
 303   }

Operating System

WSL Ubuntu 22.04.3 LTS

Version

Version: 0.45.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-09-14 06:14:32.051301011 +0000 UTC
  NextUpdate: 2023-09-14 12:14:32.051300311 +0000 UTC
  DownloadedAt: 2023-09-14 09:26:27.492862816 +0000 UTC
Policy Bundle:
  Digest: sha256:fd5f1ce3d8efb1fe158cb41f9adb9d7c7cc5c4c863b261053c962e6d950350b3
  DownloadedAt: 2023-09-15 10:48:36.950288081 +0000 UTC

Checklist
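The root cause described above is a missing `id` in the rule metadata: Trivy derives both the primary URL and the `trivy:ignore:<id>` token from that field, so a rule without it surfaces as `.../misconfig/n/a` and can only be silenced with the case-sensitive literal `trivy:ignore:N/A`. As an added example (not Trivy's or trivy-checks' own code), here is a small Python linter that reads a Rego check's metadata and reports rules whose `custom.id` is missing or disagrees with `custom.avd_id`. It assumes the `# METADATA` / `custom:` comment layout used by trivy-checks rules, that Trivy falls back to the `N/A` placeholder when `id` is absent, and that the primary URL has the shape `https://avd.aquasec.com/misconfig/<lowercased id>` (consistent with the `n/a` URL in the report); the sample ID `AVD-AWS-0000` and the rule bodies are constructed for the example.

```python
"""Lint Rego check metadata for a usable rule ID.

Trivy builds the primary URL and the `trivy:ignore:<id>` token from the rule
ID, so a check without an `id` in its metadata surfaces as ".../misconfig/n/a"
and can only be silenced with the literal token "trivy:ignore:N/A". This
linter reads the `# METADATA` comment block of a Rego file and reports rules
whose `custom.id` is missing or differs from `custom.avd_id`.
"""
import re

# "# METADATA" blocks are YAML carried in line comments; strip the "# ".
META_LINE = re.compile(r"^#\s?(.*)$")
# Keys at exactly two-space indentation under "custom:" (flat key: value only;
# a deliberately minimal parser for this example, not general YAML).
CUSTOM_KEY = re.compile(r"^  (\S[^:]*):\s*(.*)$")

# Placeholder Trivy shows when a rule carries no ID (see the report above).
NA_ID = "N/A"


def parse_metadata(rego_source: str) -> dict:
    """Return the key/value pairs under `custom:` in the # METADATA block."""
    custom = {}
    in_meta = in_custom = False
    for raw in rego_source.splitlines():
        if not in_meta:
            in_meta = raw.strip() == "# METADATA"
            continue
        m = META_LINE.match(raw.rstrip())
        if not m:
            break  # first non-comment line (e.g. `package`) ends the block
        body = m.group(1)
        if body.strip() == "custom:":
            in_custom = True
            continue
        if not in_custom:
            continue
        kv = CUSTOM_KEY.match(body)
        if kv:
            custom[kv.group(1)] = kv.group(2).strip().strip('"')
        elif body and not body.startswith(" "):
            in_custom = False  # back at top level: custom block is over
    return custom


def rule_id(custom: dict) -> str:
    """ID Trivy would display: `id` if present, else the N/A placeholder (assumed fallback)."""
    return custom.get("id") or NA_ID


def primary_url(custom: dict) -> str:
    """Primary URL shape, assumed from the report's '.../misconfig/n/a' output."""
    return f"https://avd.aquasec.com/misconfig/{rule_id(custom).lower()}"


def ignore_token(custom: dict) -> str:
    return f"trivy:ignore:{rule_id(custom)}"


def ignore_matches(comment: str, custom: dict) -> bool:
    """Whether an inline comment silences this rule.

    The comparison is case-sensitive, matching the report: `trivy:ignore:N/A`
    works while `trivy:ignore:n/a` does not."""
    return comment.strip().lstrip("#").strip() == ignore_token(custom)


def lint(rego_source: str) -> list:
    """Problems with the rule's ID metadata; an empty list means it is fine."""
    custom = parse_metadata(rego_source)
    problems = []
    if "id" not in custom:
        problems.append(f"missing custom.id: Trivy would report it as {NA_ID}")
    if "avd_id" not in custom:
        problems.append("missing custom.avd_id")
    if "id" in custom and "avd_id" in custom and custom["id"] != custom["avd_id"]:
        problems.append(f"custom.id {custom['id']!r} differs from custom.avd_id {custom['avd_id']!r}")
    return problems


# Constructed sample rule (AVD-AWS-0000 is a made-up ID, not a real check,
# and the rule body is illustrative only).
GOOD_RULE = """\
# METADATA
# title: RDS instance does not have Deletion Protection enabled
# description: Ensure deletion protection is enabled for RDS database instances.
# scope: package
# schemas:
#   - input: schema["cloud"]
# custom:
#   id: AVD-AWS-0000
#   avd_id: AVD-AWS-0000
#   provider: aws
#   service: rds
#   severity: MEDIUM
#   short_code: rds-deletion-protection-enabled
package builtin.aws.rds.aws0000

deny[res] {
    instance := input.aws.rds.instances[_]
    instance.deletion_protection.value == false
    res := result.new("Instance does not have Deletion Protection enabled", instance)
}
"""

# Same rule with the `id` line dropped: the situation this issue describes.
BAD_RULE = GOOD_RULE.replace("#   id: AVD-AWS-0000\n", "")

if __name__ == "__main__":
    for name, src in (("good", GOOD_RULE), ("bad", BAD_RULE)):
        meta = parse_metadata(src)
        print(name, primary_url(meta), ignore_token(meta), lint(src) or "ok")
```

Running `lint` over a policy bundle before publishing it catches exactly the class of rule reported here: the bad sample yields the `n/a` URL and an ignore token of `trivy:ignore:N/A`, while the good one produces a stable, lowercase URL path and an ignore token users can actually discover from the output.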

@nikpivkin nikpivkin added kind/bug Categorizes issue or PR as related to a bug. scan/misconfiguration Issues relating to misconfiguration scanning labels Sep 15, 2023
@simar7 simar7 added this to the v0.50.0 milestone Feb 16, 2024
@simar7 simar7 self-assigned this Feb 28, 2024

simar7 commented Feb 28, 2024

Fixed via aquasecurity/trivy-checks#81
