fix(checks): Improve wording on AVD-AZU-0051 #7137

Closed
2 tasks done
simar7 opened this issue Jul 10, 2024 Discussed in #7135 · 0 comments · Fixed by #7146

simar7 commented Jul 10, 2024

Discussed in #7135

Originally posted by chanster July 9, 2024

IDs

AVD-AZU-0051

Description

The title of the check is "An outbound network security rule allows traffic to /0", but the actual trigger is any public IP range.

The code is just checking if the IP is a public IP and does not validate the mask. The title or trigger should be updated to match the other.

Link to specific code line: https://github.com/aquasecurity/trivy-checks/blame/3c54ac8393e3ae60e70a638940f5dbb636717843/checks/cloud/azure/network/no_public_egress.go#L43

Reproduction Steps

1. Set destination IP to any public IP `x.x.x.x/32`
2. Run `trivy fs --scanners misconfig --severity CRITICAL /path/to/terraform/files`

Target

Filesystem

Scanner

Misconfiguration

Target OS

n/a

Debug Output


nsg_rules/main.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (CRITICAL: 2)

CRITICAL: Security group rule allows egress to public internet.
═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Network security rules should not use very broad subnets.

Where possible, segments should be broken into smaller subnets.

See https://avd.aquasec.com/misconfig/avd-azu-0051
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 nsg_rules/main.tf:54
   via nsg_rules/main.tf:31-59 (azurerm_network_security_rule.outbound["dns_resolver_to_corp_udp"])
    via subnet_dnsr_out.tf:36-91 (module.dns_resolver_outbound_nsg_rules)
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  31   resource "azurerm_network_security_rule" "outbound" {
  ..
  54 [   destination_address_prefix   = try(each.value.destination_address_prefix, null)
  ..
  59   }
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


CRITICAL: Security group rule allows egress to public internet.
═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Network security rules should not use very broad subnets.

Where possible, segments should be broken into smaller subnets.

See https://avd.aquasec.com/misconfig/avd-azu-0051
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 nsg_rules/main.tf:54
   via nsg_rules/main.tf:31-59 (azurerm_network_security_rule.outbound["dns_resolver_to_corp_tcp"])
    via subnet_dnsr_out.tf:36-91 (module.dns_resolver_outbound_nsg_rules)
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  31   resource "azurerm_network_security_rule" "outbound" {
  ..
  54 [   destination_address_prefix   = try(each.value.destination_address_prefix, null)
  ..
  59   }
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Version

Version: 0.53.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-07-09 00:18:30.980256974 +0000 UTC
  NextUpdate: 2024-07-09 06:18:30.980256813 +0000 UTC
  DownloadedAt: 2024-07-09 02:47:08.113915 +0000 UTC
Check Bundle:
  Digest: sha256:ef2d9ad4fce0f933b20a662004d7e55bf200987c180e7f2cd531af631f408bb3
  DownloadedAt: 2024-07-09 02:49:01.360072 +0000 UTC

Checklist

simar7 added the kind/bug and scan/misconfiguration labels Jul 10, 2024
nikpivkin self-assigned this Jul 11, 2024
simar7 added this to the v0.55.0 milestone Aug 28, 2024
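
The gap this issue reports, between "traffic to /0" and "any public IP range", shown as an added Go example (not code from trivy-checks). The `ClassifyEgress` function, the `Verdict` values, the list of non-public ranges and the sample prefixes are all constructed for illustration; treating the `Internet` service tag like `*` is an assumption.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// Verdict says how broad an egress destination is (hypothetical type).
type Verdict string

const (
	AnyAddress  Verdict = "any-address"  // what the title "traffic to /0" describes
	PublicRange Verdict = "public-range" // reaches public space, narrower than /0
	NonPublic   Verdict = "non-public"   // fully inside a private or local range
	Unparsed    Verdict = "unparsed"     // service tag or unresolved expression
)

// Constructed list of ranges considered non-public for this example.
var nonPublic = []netip.Prefix{
	netip.MustParsePrefix("10.0.0.0/8"),
	netip.MustParsePrefix("172.16.0.0/12"),
	netip.MustParsePrefix("192.168.0.0/16"),
	netip.MustParsePrefix("127.0.0.0/8"),
	netip.MustParsePrefix("169.254.0.0/16"),
	netip.MustParsePrefix("fc00::/7"),
	netip.MustParsePrefix("fe80::/10"),
}

// ClassifyEgress looks at both the address and the mask of a destination prefix.
func ClassifyEgress(dest string) Verdict {
	dest = strings.TrimSpace(dest)
	// Assumption: "*" and the "Internet" service tag are treated as "any".
	if dest == "*" || strings.EqualFold(dest, "Internet") {
		return AnyAddress
	}
	p, err := netip.ParsePrefix(dest)
	if err != nil {
		a, aerr := netip.ParseAddr(dest) // bare IP: treat as a host prefix
		if aerr != nil {
			return Unparsed
		}
		p = netip.PrefixFrom(a, a.BitLen())
	}
	p = p.Masked() // drop host bits so 1.2.3.4/0 becomes 0.0.0.0/0
	if p.Bits() == 0 {
		return AnyAddress
	}
	// Non-public only when the whole prefix sits inside a listed range;
	// 10.0.0.0/4 starts in private space but spans public addresses.
	for _, r := range nonPublic {
		if r.Bits() <= p.Bits() && r.Contains(p.Addr()) {
			return NonPublic
		}
	}
	return PublicRange
}

func main() {
	// Constructed sample destinations.
	for _, d := range []string{"0.0.0.0/0", "*", "8.8.8.8/32", "10.1.2.0/24", "10.0.0.0/4", "VirtualNetwork"} {
		fmt.Printf("%-16s %s\n", d, ClassifyEgress(d))
	}
}
```

A check that reports on `public-range` and `any-address` alike matches the behaviour described in this issue; one that reports only on `any-address` matches the original title.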