Checkmarx / kics

Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code with KICS by Checkmarx.
https://kics.io
Apache License 2.0

bug(terraform): wrong detection of unused security group #7089

Status: Closed (tculp closed this issue 3 months ago)

tculp commented 4 months ago

Description

Attaching a security group to an elasticache instance does not mark the security group as used.

Expected Behavior

No "Security Group Not Used" error returned.

Actual Behavior

"Security Group Not Used" error is returned.

Steps to Reproduce the Problem

Create a security group and an elasticache instance which uses it.

Minimal resources (AWS provider and VPC data source omitted):

# Security group that only allows Redis (6379/tcp) from inside the VPC.
resource "aws_security_group" "example" {
  name        = "example"
  description = "Allow Redis traffic"
  vpc_id      = data.aws_vpc.selected.id

  ingress {
    from_port   = 6379
    to_port     = 6379
    protocol    = "tcp"
    cidr_blocks = [data.aws_vpc.selected.cidr_block]
  }
}

# ElastiCache replication group that attaches the security group above via
# security_group_ids; this is the reference KICS fails to credit as a use.
resource "aws_elasticache_replication_group" "redis" {
  replication_group_id       = "Example"
  parameter_group_name       = "default.redis6.x"
  engine                     = "redis"
  engine_version             = "6.x"
  automatic_failover_enabled = false

  security_group_ids = [aws_security_group.example.id]
}

returns

Security Group Not Used, Severity: INFO, Results: 1
Description: Security group must be used or not declared
Platform: Terraform
Learn more about this vulnerability: https://docs.kics.io/latest/queries/terraform-queries/aws/4849211b-ac39-479e-ae78-5694d506cb24

        [1]: ../../path/sg.tf:2

                001: 
                002: resource "aws_security_group" "example" {
                003:   name        = "example"

Command: docker run --rm -t -v .:/path checkmarx/kics:latest scan -p /path -o "/path/"

Specifications
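To make the false positive concrete, here is an added, stand-alone Python stand-in for an "unused security group" check. It is example code written for this page, not the KICS query and not the fix from the PR, and it does not parse HCL properly (brace matching only, no strings or heredocs). The sample configuration is constructed: the two resources from the issue plus a group nobody references ("orphan") and one referenced only from a commented-out line ("legacy"). The allow-list variant models one way such a false positive can arise, namely only crediting references that appear on a known attachment attribute; that mechanism is an assumption for illustration, not a description of how the KICS query is implemented.

```python
import re

# Constructed sample: the issue's resources, plus "orphan" (never referenced) and
# "legacy" (referenced only in a commented-out line, which must not count).
SAMPLE_HCL = '''
data "aws_vpc" "selected" {
  default = true
}

resource "aws_security_group" "example" {
  name        = "example"
  description = "Allow Redis traffic"
  vpc_id      = data.aws_vpc.selected.id

  ingress {
    from_port   = 6379
    to_port     = 6379
    protocol    = "tcp"
    cidr_blocks = [data.aws_vpc.selected.cidr_block]
  }
}

resource "aws_elasticache_replication_group" "redis" {
  replication_group_id       = "Example"
  parameter_group_name       = "default.redis6.x"
  engine                     = "redis"
  engine_version             = "6.x"
  automatic_failover_enabled = false
  # security_group_ids       = [aws_security_group.legacy.id]
  security_group_ids         = [aws_security_group.example.id]
}

resource "aws_security_group" "orphan" {
  name   = "orphan"
  vpc_id = data.aws_vpc.selected.id
}

resource "aws_security_group" "legacy" {
  name   = "legacy"
  vpc_id = data.aws_vpc.selected.id
}
'''

BLOCK_RE = re.compile(r'^(resource|data)[ \t]+"([^"]+)"[ \t]+"([^"]+)"[ \t]*\{', re.M)
FULL_LINE_COMMENT_RE = re.compile(r'^[ \t]*(#|//).*$', re.M)
ATTR_RE = re.compile(r'^[ \t]*(?P<attr>[A-Za-z_]+)[ \t]*=[ \t]*(?P<value>.+)$', re.M)


def split_blocks(hcl):
    """Return (kind, type, name, body) for each top-level resource/data block.
    Full-line comments are dropped first so a commented-out attachment is not a
    reference. Bodies are found by brace matching (toy parser, not real HCL)."""
    hcl = FULL_LINE_COMMENT_RE.sub("", hcl)
    blocks = []
    for m in BLOCK_RE.finditer(hcl):
        depth = 0
        for j in range(m.end() - 1, len(hcl)):  # m.end()-1 is the opening brace
            if hcl[j] == "{":
                depth += 1
            elif hcl[j] == "}":
                depth -= 1
                if depth == 0:
                    blocks.append((m.group(1), m.group(2), m.group(3), hcl[m.end():j]))
                    break
    return blocks


def sg_reference(name):
    """Regex for a Terraform reference to the group's id or arn."""
    return re.compile(r"\baws_security_group\." + re.escape(name) + r"\.(id|arn)\b")


def security_groups(blocks):
    return [(k, t, n) for k, t, n, _ in blocks if k == "resource" and t == "aws_security_group"]


def unused_by_reference(hcl):
    """Report a group only when no *other* block references it, whatever the
    attribute is called. This is the behaviour the issue expects."""
    blocks = split_blocks(hcl)
    unused = []
    for sg in security_groups(blocks):
        ref = sg_reference(sg[2])
        others = [body for k, t, n, body in blocks if (k, t, n) != sg]
        if not any(ref.search(body) for body in others):
            unused.append(sg[2])
    return unused


def unused_by_allowlist(hcl, attach_attrs):
    """Variant that credits a reference only on an attribute named in attach_attrs.
    A resource type whose attachment attribute is missing from the list (here
    ElastiCache's security_group_ids) yields the issue's false positive.
    Assumed mechanism for illustration, not the KICS query itself."""
    blocks = split_blocks(hcl)
    unused = []
    for sg in security_groups(blocks):
        ref = sg_reference(sg[2])
        used = False
        for k, t, n, body in blocks:
            if (k, t, n) == sg:
                continue
            for am in ATTR_RE.finditer(body):
                if am.group("attr") in attach_attrs and ref.search(am.group("value")):
                    used = True
        if not used:
            unused.append(sg[2])
    return unused


if __name__ == "__main__":
    print("by reference:", unused_by_reference(SAMPLE_HCL))
    print("EC2-style allow-list:", unused_by_allowlist(SAMPLE_HCL, {"vpc_security_group_ids", "security_groups"}))
```

Running it shows the two behaviours side by side: the reference-based check reports only `orphan` and `legacy`, while an allow-list that knows `vpc_security_group_ids` and `security_groups` but not `security_group_ids` also reports `example`, exactly the symptom in this issue; adding `security_group_ids` to the allow-list makes the two agree. Whichever approach a scanner uses, the `legacy` case is the one to keep an eye on: a reference that survives only in a comment must not count as an attachment.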

ArturRibeiro-CX commented 4 months ago

Hi @tculp,

Thank you for raising this issue!

We have identified the problem with the query incorrectly returning a "Security Group Not Used" error when attaching a security group to an ElastiCache instance. We are currently working on resolving this in PR #7098.

Additionally, would it be alright if we use your provided sample configuration as a test case to ensure the fix addresses the issue accurately? Your example is very helpful in reproducing the problem.

We will notify you as soon as the fix is released.

Best regards, Artur Ribeiro.

tculp commented 3 months ago

@ArturRibeiro-CX Of course, thanks for working on this!

JulioSCX commented 3 months ago

Hello @tculp !

We want to let you know that a fix has already been prepared. However, we are currently waiting for confirmation from our Appsec team to verify the validity of the issue and to approve the implementation of the fix. (APPSEC-2746)

We will keep you updated on any developments and will notify you as soon as we have a definitive response. Thank you again for bringing this issue to our attention!

Best regards, Júlio Silva

ArturRibeiro-CX commented 3 months ago

Hi @tculp, Our AppSec team has reviewed and approved both the issue and the proposed fix. We will proceed with implementing the solution.

Thank you again for your valuable contribution!