bug(misconf): RDS DB Deletion Protection check points to the wrong URL #6125

Closed

simar7 opened this issue Feb 14, 2024 Discussed in #6124 · 2 comments · Fixed by aquasecurity/trivy-checks#81
Assignees
Labels: kind/bug, scan/misconfiguration

Comments

@simar7
Member

simar7 commented Feb 14, 2024

AVD-AWS-0177 should point to its corresponding URL within AVD but instead points to https://avd.aquasec.com/misconfig/n/a, which is a different check for cluster deletion prevention.

Discussed in #6124

Originally posted by Octogonapus February 13, 2024

Description

The RDS DB Deletion Protection finding should be able to be ignored using an inline comment. However, it can't be ignored using an inline comment.

Desired Behavior

The finding should be ignored.

Actual Behavior

The finding is present despite the inline comment:

MEDIUM: Instance does not have Deletion Protection enabled
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Ensure deletion protection is enabled for RDS database instances.

See https://avd.aquasec.com/misconfig/n/a
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 main.tf:3
   via main.tf:2-5 (aws_db_instance.instance)
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   2   resource "aws_db_instance" "instance" {
   3 [   deletion_protection = false
   4     instance_class      = "db.t3.micro"
   5   }
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Reproduction Steps

Run `trivy fs . --scanners config --severity CRITICAL,HIGH,MEDIUM` with this code:

```hcl
# trivy:ignore:AVD-AWS-0343
resource "aws_db_instance" "instance" {
  deletion_protection = false
  instance_class      = "db.t3.micro"
}
```

Target

Filesystem

Scanner

Misconfiguration

Output Format

None

Mode

Standalone

Debug Output

2024-02-13T17:02:33.035-0500    DEBUG   Severities: ["CRITICAL" "HIGH" "MEDIUM"]
2024-02-13T17:02:33.035-0500    WARN    '--scanners config' is deprecated. Use '--scanners misconfig' instead. See https://github.com/aquasecurity/trivy/discussions/5586 for the detail.
2024-02-13T17:02:33.035-0500    DEBUG   Ignore statuses {"statuses": null}
2024-02-13T17:02:33.049-0500    DEBUG   cache dir:  /home/salmon/.cache/trivy
2024-02-13T17:02:33.049-0500    INFO    Misconfiguration scanning is enabled
2024-02-13T17:02:33.049-0500    DEBUG   Policies successfully loaded from disk
2024-02-13T17:02:33.049-0500    DEBUG   Enabling misconfiguration scanners: [azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan]
2024-02-13T17:02:33.056-0500    DEBUG   The nuget packages directory couldn't be found. License search disabled
2024-02-13T17:02:33.061-0500    DEBUG   Walk the file tree rooted at '.' in parallel
2024-02-13T17:02:33.061-0500    DEBUG   Scanning Terraform files for misconfigurations...
2024-02-13T17:02:33.061-0500    DEBUG   [misconf] 02:33.061657431 terraform.scanner                Scanning [&{%!s(*mapfs.file=&{ [] {. 256 2147484096 {13937259440335774982 304713905 0x100ff4c0} <nil>} {{{0 0} {[] {} 0xc003a365b0} map[main.tf:0xc002b82ca8] 0}}}) .}] at '.'...
2024-02-13T17:02:33.063-0500    DEBUG   [misconf] 02:33.063295020 terraform.scanner.rego           Overriding filesystem for policies!
2024-02-13T17:02:33.087-0500    DEBUG   [misconf] 02:33.087266286 terraform.scanner.rego           Loaded 189 policies from disk.
2024-02-13T17:02:33.087-0500    DEBUG   [misconf] 02:33.087431096 terraform.scanner.rego           Overriding filesystem for data!
2024-02-13T17:02:33.313-0500    DEBUG   [misconf] 02:33.313319772 terraform.scanner                Scanning root module '.'...
2024-02-13T17:02:33.313-0500    DEBUG   [misconf] 02:33.313346019 terraform.parser.<root>          Setting project/module root to '.'
2024-02-13T17:02:33.313-0500    DEBUG   [misconf] 02:33.313349944 terraform.parser.<root>          Parsing FS from '.'
2024-02-13T17:02:33.313-0500    DEBUG   [misconf] 02:33.313362269 terraform.parser.<root>          Parsing 'main.tf'...
2024-02-13T17:02:33.313-0500    DEBUG   [misconf] 02:33.313411219 terraform.parser.<root>          Added file main.tf.
2024-02-13T17:02:33.313-0500    DEBUG   [misconf] 02:33.313415453 terraform.parser.<root>          Evaluating module...
2024-02-13T17:02:33.313-0500    DEBUG   [misconf] 02:33.313462987 terraform.parser.<root>          Read 1 block(s) and 1 ignore(s) for module 'root' (1 file[s])...
2024-02-13T17:02:33.313-0500    DEBUG   [misconf] 02:33.313474690 terraform.parser.<root>          Added 0 variables from tfvars.
2024-02-13T17:02:33.313-0500    DEBUG   [misconf] 02:33.313479098 terraform.parser.<root>          Error loading module metadata: open .terraform/modules/modules.json: file does not exist.
2024-02-13T17:02:33.313-0500    DEBUG   [misconf] 02:33.313490124 terraform.parser.<root>          Working directory for module evaluation is '/tmp/trivytest'
2024-02-13T17:02:33.313-0500    DEBUG   [misconf] 02:33.313511862 terraform.parser.<root>.evaluator Filesystem key is 'ca2057ee8e86705f0963fc653de9373da9f8524f59098ff3b5e898298b5ae1e9'
2024-02-13T17:02:33.313-0500    DEBUG   [misconf] 02:33.313514927 terraform.parser.<root>.evaluator Starting module evaluation...
2024-02-13T17:02:33.313-0500    DEBUG   [misconf] 02:33.313548612 terraform.parser.<root>.evaluator Starting submodule evaluation...
2024-02-13T17:02:33.313-0500    DEBUG   [misconf] 02:33.313551435 terraform.parser.<root>.evaluator Finished processing 0 submodule(s).
2024-02-13T17:02:33.313-0500    DEBUG   [misconf] 02:33.313559061 terraform.parser.<root>.evaluator Starting post-submodule evaluation...
2024-02-13T17:02:33.313-0500    DEBUG   [misconf] 02:33.313585159 terraform.parser.<root>.evaluator Module evaluation complete.
2024-02-13T17:02:33.313-0500    DEBUG   [misconf] 02:33.313588539 terraform.parser.<root>          Finished parsing module 'root'.
2024-02-13T17:02:33.313-0500    DEBUG   [misconf] 02:33.313593365 terraform.executor               Adapting modules...
2024-02-13T17:02:33.313-0500    DEBUG   [misconf] 02:33.313658057 terraform.executor               Adapted 1 module(s) into defsec state data.
2024-02-13T17:02:33.313-0500    DEBUG   [misconf] 02:33.313660674 terraform.executor               Using max routines of 31
2024-02-13T17:02:33.313-0500    DEBUG   [misconf] 02:33.313664216 terraform.executor               Applying state modifier functions...
2024-02-13T17:02:33.313-0500    DEBUG   [misconf] 02:33.313724994 terraform.executor               Initialised 484 rule(s).
2024-02-13T17:02:33.313-0500    DEBUG   [misconf] 02:33.313727649 terraform.executor               Created pool with 31 worker(s) to apply rules.
2024-02-13T17:02:33.313-0500    DEBUG   [misconf] 02:33.313991352 terraform.scanner.rego           Scanning 1 inputs...
2024-02-13T17:02:33.322-0500    DEBUG   [misconf] 02:33.322870697 terraform.executor               Finished applying rules.
2024-02-13T17:02:33.322-0500    DEBUG   [misconf] 02:33.322894101 terraform.executor               Applying ignores...
2024-02-13T17:02:33.340-0500    DEBUG   OS is not detected.
2024-02-13T17:02:33.340-0500    INFO    Detected config files: 2
2024-02-13T17:02:33.340-0500    DEBUG   Scanned config file: main.tf
2024-02-13T17:02:33.340-0500    DEBUG   Scanned config file: .

main.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 3, EXCEPTIONS: 0)
Failures: 3 (MEDIUM: 2, HIGH: 1, CRITICAL: 0)

MEDIUM: Instance has very low backup retention period.
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
RDS backup retention for clusters defaults to 1 day, this may not be enough to identify and respond to an issue. Backup retention periods should be set to a period that is a balance on cost and limiting risk.

See https://avd.aquasec.com/misconfig/avd-aws-0077
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 main.tf:2-5
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   2 ┌ resource "aws_db_instance" "instance" {
   3 │   deletion_protection = false
   4 │   instance_class      = "db.t3.micro"
   5 └ }
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


HIGH: Instance does not have storage encryption enabled.
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Encryption should be enabled for an RDS Database instances. 

When enabling encryption by setting the kms_key_id.

See https://avd.aquasec.com/misconfig/avd-aws-0080
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 main.tf:2-5
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   2 ┌ resource "aws_db_instance" "instance" {
   3 │   deletion_protection = false
   4 │   instance_class      = "db.t3.micro"
   5 └ }
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


MEDIUM: Instance does not have Deletion Protection enabled
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Ensure deletion protection is enabled for RDS database instances.

See https://avd.aquasec.com/misconfig/n/a
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 main.tf:3
   via main.tf:2-5 (aws_db_instance.instance)
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   2   resource "aws_db_instance" "instance" {
   3 [   deletion_protection = false
   4     instance_class      = "db.t3.micro"
   5   }
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Operating System

Fedora 39 Workstation

Version

Version: 0.49.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-02-09 12:11:54.803692275 +0000 UTC
  NextUpdate: 2024-02-09 18:11:54.803691874 +0000 UTC
  DownloadedAt: 2024-02-09 16:04:19.667835944 +0000 UTC
Policy Bundle:
  Digest: sha256:1df8ade71efc830877ca3b1130f83e0c6368e3a45b0d4c0f0418955501644054
  DownloadedAt: 2024-02-13 21:22:48.94929282 +0000 UTC


@simar7 simar7 added the kind/bug and scan/misconfiguration labels Feb 14, 2024
@nikpivkin nikpivkin self-assigned this Feb 14, 2024
@nikpivkin
Contributor

@simar7 There is already an open issue related to incorrect links to checks.

@simar7
Member Author

simar7 commented Feb 16, 2024

Ah thanks! I didn't see that. Will close this in favor of it: #5195

@simar7 simar7 closed this as not planned Feb 16, 2024