aquasecurity / trivy

Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
https://aquasecurity.github.io/trivy
Apache License 2.0

Trivy outputting incorrect scan results when certain AWS services are unavailable #3502

Closed jeffqumata closed 1 year ago

jeffqumata commented 1 year ago

Description

Related to #3419 and possibly #3420: the workspaces service is not available in all regions (which is fine), but this can cause Trivy to behave strangely. For example, it will always output zero issues when running a full service scan:

$ trivy aws --region ap-east-1 --update-cache 
[1/31] Scanning api-gateway...
[2/31] Scanning athena...
[3/31] Scanning cloudfront...
[4/31] Scanning cloudtrail...
[5/31] Scanning cloudwatch...
[6/31] Scanning codebuild...
[7/31] Scanning documentdb...
[8/31] Scanning dynamodb...
[9/31] Scanning ec2...
[10/31] Scanning ecr...
[11/31] Scanning ecs...
[12/31] Scanning efs...
[13/31] Scanning eks...
[14/31] Scanning elasticache...
[15/31] Scanning elasticsearch...
[16/31] Scanning elb...
[17/31] Scanning emr...
[18/31] Scanning iam...
[19/31] Scanning kinesis...
[20/31] Scanning kms...
[21/31] Scanning lambda...
[22/31] Scanning mq...
[23/31] Scanning msk...
[24/31] Scanning neptune...
[25/31] Scanning rds...
[26/31] Scanning redshift...
[27/31] Scanning s3...
[28/31] Scanning sns...
[29/31] Scanning sqs...
[30/31] Scanning ssm...
[31/31] Scanning workspaces...
2023-01-30T13:21:32.381Z    WARN    Adapter error: failed to run adapter for workspaces: operation error WorkSpaces: DescribeWorkspaces, exceeded maximum number of attempts, 3, https response error StatusCode: 0, RequestID: , request send failed, Post "https://workspaces.ap-east-1.amazonaws.com/": dial tcp: lookup workspaces.ap-east-1.amazonaws.com on 192.168.0.1:53: no such host

Scan Overview for AWS Account XXXX
┌───────────────┬──────────────────────────────────────────────────┬──────────────┐
│               │                Misconfigurations                 │              │
│               ├──────────┬──────────────┬────────┬─────┬─────────┤              │
│ Service       │ Critical │     High     │ Medium │ Low │ Unknown │ Last Scanned │
├───────────────┼──────────┼──────────────┼────────┼─────┼─────────┼──────────────┤
│ api-gateway   │        0 │            0 │      0 │   0 │       0 │ just now     │
│ athena        │        0 │            0 │      0 │   0 │       0 │ just now     │
│ cloudfront    │        0 │            0 │      0 │   0 │       0 │ just now     │
│ cloudtrail    │        0 │            0 │      0 │   0 │       0 │ just now     │
│ cloudwatch    │        0 │            0 │      0 │   0 │       0 │ just now     │
│ codebuild     │        0 │            0 │      0 │   0 │       0 │ just now     │
│ documentdb    │        0 │            0 │      0 │   0 │       0 │ just now     │
│ dynamodb      │        0 │            0 │      0 │   0 │       0 │ just now     │
│ ec2           │        0 │            0 │      0 │   0 │       0 │ just now     │
│ ecr           │        0 │            0 │      0 │   0 │       0 │ just now     │
│ ecs           │        0 │            0 │      0 │   0 │       0 │ just now     │
│ efs           │        0 │            0 │      0 │   0 │       0 │ just now     │
│ eks           │        0 │            0 │      0 │   0 │       0 │ just now     │
│ elasticache   │        0 │            0 │      0 │   0 │       0 │ just now     │
│ elasticsearch │        0 │            0 │      0 │   0 │       0 │ just now     │
│ elb           │        0 │            0 │      0 │   0 │       0 │ just now     │
│ emr           │        0 │            0 │      0 │   0 │       0 │ just now     │
│ iam           │        0 │            0 │      0 │   0 │       0 │ just now     │
│ kinesis       │        0 │            0 │      0 │   0 │       0 │ just now     │
│ kms           │        0 │            0 │      0 │   0 │       0 │ just now     │
│ lambda        │        0 │            0 │      0 │   0 │       0 │ just now     │
│ mq            │        0 │            0 │      0 │   0 │       0 │ just now     │
│ msk           │        0 │            0 │      0 │   0 │       0 │ just now     │
│ neptune       │        0 │            0 │      0 │   0 │       0 │ just now     │
│ rds           │        0 │            0 │      0 │   0 │       0 │ just now     │
│ redshift      │        0 │            0 │      0 │   0 │       0 │ just now     │
│ s3            │        0 │            0 │      0 │   0 │       0 │ just now     │
│ sns           │        0 │            0 │      0 │   0 │       0 │ just now     │
│ sqs           │        0 │            0 │      0 │   0 │       0 │ just now     │
│ ssm           │        0 │            0 │      0 │   0 │       0 │ just now     │
│ workspaces    │        0 │            0 │      0 │   0 │       0 │ just now     │
└───────────────┴──────────┴──────────────┴────────┴─────┴─────────┴──────────────┘

What did you expect to happen?

Trivy to output something like "workspaces not available in current region" and continue to output the results of the scan.

What happened instead?

Trivy reported zero issues on all AWS services. This is dangerous.

Output of trivy -v:

$ trivy -v
Version: 0.31.2
Vulnerability DB:
  Version: 2
  UpdatedAt: 2022-07-21 06:07:12.449530935 +0000 UTC
  NextUpdate: 2022-07-21 12:07:12.449530635 +0000 UTC
  DownloadedAt: 2022-07-21 08:42:09.42507959 +0000 UTC
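
The failure mode described above (an adapter error logged as a WARN, followed by an all-zero overview table) is easy to miss when a scan runs unattended. The following is an added example, not code from the Trivy project or from anyone in this thread: a small Python checker that reads a `trivy aws` transcript, pairs each "Adapter error" line with its service, and refuses to treat a zero-finding row for that service as "clean". The transcript embedded below is constructed from the shape of the output in this issue (abridged to three services), and the regular expressions, status labels and the "no such host means the regional endpoint did not resolve" heuristic are assumptions of this example, not behaviour documented by Trivy.

```python
"""Sanity-check a Trivy AWS scan transcript before trusting an all-zero report.

Added example; the parsing rules below are assumptions derived from the
transcript format shown in the issue, not a Trivy API.
"""
import re

# Constructed sample transcript, abridged to three services, in the shape of the
# output quoted in the issue (one adapter failure, then an all-zero overview).
SAMPLE_OUTPUT = """\
[1/3] Scanning iam...
[2/3] Scanning s3...
[3/3] Scanning workspaces...
2023-01-30T13:21:32.381Z    WARN    Adapter error: failed to run adapter for workspaces: operation error WorkSpaces: DescribeWorkspaces, exceeded maximum number of attempts, 3, https response error StatusCode: 0, RequestID: , request send failed, Post "https://workspaces.ap-east-1.amazonaws.com/": dial tcp: lookup workspaces.ap-east-1.amazonaws.com on 192.168.0.1:53: no such host

Scan Overview for AWS Account XXXX
┌────────────┬──────────┬──────┬────────┬─────┬─────────┬──────────────┐
│ Service    │ Critical │ High │ Medium │ Low │ Unknown │ Last Scanned │
├────────────┼──────────┼──────┼────────┼─────┼─────────┼──────────────┤
│ iam        │        0 │    0 │      0 │   0 │       0 │ just now     │
│ s3         │        0 │    0 │      0 │   0 │       0 │ just now     │
│ workspaces │        0 │    0 │      0 │   0 │       0 │ just now     │
└────────────┴──────────┴──────┴────────┴─────┴─────────┴──────────────┘
"""

# Constructed healthy transcript: no adapter errors, real findings on ec2.
HEALTHY_OUTPUT = """\
Scan Overview for AWS Account XXXX
│ Service    │ Critical │ High │ Medium │ Low │ Unknown │ Last Scanned │
│ ec2        │        3 │    1 │      1 │   0 │       0 │ just now     │
│ s3         │        0 │    0 │      0 │   0 │       0 │ just now     │
"""

# "Adapter error: failed to run adapter for <service>: <message>" (format assumed
# from the WARN line in the issue).
ADAPTER_ERROR_RE = re.compile(r"Adapter error: failed to run adapter for ([a-z0-9-]+): (.*)")
# One service row of the overview table: a lowercase service name followed by
# five integer severity columns. Header rows do not match because they are not integers.
ROW_RE = re.compile(
    r"^│\s*([a-z0-9-]+)\s*│\s*(\d+)\s*│\s*(\d+)\s*│\s*(\d+)\s*│\s*(\d+)\s*│\s*(\d+)\s*│"
)
SEVERITIES = ("critical", "high", "medium", "low", "unknown")


def parse_adapter_errors(text):
    """Map each service whose adapter failed to the logged error message."""
    errors = {}
    for line in text.splitlines():
        m = ADAPTER_ERROR_RE.search(line)
        if m:
            errors[m.group(1)] = m.group(2)
    return errors


def parse_overview(text):
    """Map each service in the overview table to its per-severity counts."""
    counts = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            counts[m.group(1)] = dict(zip(SEVERITIES, map(int, m.groups()[1:])))
    return counts


def classify_service(service, counts, errors):
    """A zero row is only 'clean' if the adapter for that service actually ran."""
    if service in errors:
        # Heuristic (assumption): a DNS failure on the regional endpoint is what an
        # unsupported region looks like, as opposed to a permissions or API error.
        if "no such host" in errors[service]:
            return "endpoint-unresolvable"
        return "adapter-error"
    return "findings" if any(counts.values()) else "clean"


def assess(text):
    """Return per-service status plus an overall verdict on the transcript."""
    errors = parse_adapter_errors(text)
    overview = parse_overview(text)
    statuses = {svc: classify_service(svc, c, errors) for svc, c in overview.items()}
    all_zero = all(not any(c.values()) for c in overview.values())
    # An all-zero report that coincides with an adapter failure is the exact
    # symptom reported in this issue, so it is flagged rather than accepted.
    return {
        "statuses": statuses,
        "errors": errors,
        "all_zero": all_zero,
        "trusted": not errors,
        "suspicious_all_zero": all_zero and bool(errors),
    }


if __name__ == "__main__":
    verdict = assess(SAMPLE_OUTPUT)
    for svc, status in verdict["statuses"].items():
        print(f"{svc:12s} {status}")
    print("trusted:", verdict["trusted"], "| suspicious all-zero:", verdict["suspicious_all_zero"])
```

In a pipeline, the natural use is to pipe the scanner's combined stdout and stderr into `assess()` and fail the job when `trusted` is false, so an unavailable regional endpoint is surfaced as an error for that service rather than silently counted as zero findings.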
albertollamaso commented 1 year ago

Hello @jeffqumata, in the most recent version it is working as expected.

trivy aws --region us-west-1 --update-cache

Scan Overview for AWS Account xxxxxxx
┌────────────────┬──────────────────────────────────────────────────┬──────────────┐
│                │                Misconfigurations                 │              │
│                ├──────────┬──────────────┬────────┬─────┬─────────┤              │
│ Service        │ Critical │     High     │ Medium │ Low │ Unknown │ Last Scanned │
├────────────────┼──────────┼──────────────┼────────┼─────┼─────────┼──────────────┤
│ accessanalyzer │        0 │            0 │      0 │   0 │       0 │ just now     │
│ api-gateway    │        0 │            0 │      0 │   0 │       0 │ just now     │
│ athena         │        0 │            2 │      0 │   0 │       0 │ just now     │
│ cloudfront     │        0 │            0 │      0 │   0 │       0 │ just now     │
│ cloudtrail     │        0 │            0 │      0 │   0 │       0 │ just now     │
│ cloudwatch     │        0 │            0 │      0 │   0 │       0 │ just now     │
│ codebuild      │        0 │            0 │      0 │   0 │       0 │ just now     │
│ documentdb     │        0 │            0 │      0 │   0 │       0 │ just now     │
│ dynamodb       │        0 │            0 │      0 │   0 │       0 │ just now     │
│ ec2            │        3 │            1 │      1 │   0 │       0 │ just now     │
│ ecr            │        0 │            0 │      0 │   0 │       0 │ just now     │
│ ecs            │        0 │            0 │      0 │   0 │       0 │ just now     │
│ efs            │        0 │            0 │      0 │   0 │       0 │ just now     │
│ eks            │        0 │            0 │      0 │   0 │       0 │ just now     │
│ elasticache    │        0 │            0 │      0 │   0 │       0 │ just now     │
│ elasticsearch  │        0 │            0 │      0 │   0 │       0 │ just now     │
│ elb            │        0 │            0 │      0 │   0 │       0 │ just now     │
│ emr            │        0 │            0 │      0 │   0 │       0 │ just now     │
│ iam            │        0 │            0 │      0 │   1 │       0 │ just now     │
│ kinesis        │        0 │            0 │      0 │   0 │       0 │ just now     │
│ kms            │        0 │            0 │      0 │   0 │       0 │ just now     │
│ lambda         │        0 │            0 │      0 │   0 │       0 │ just now     │
│ mq             │        0 │            0 │      0 │   0 │       0 │ just now     │
│ msk            │        0 │            0 │      0 │   0 │       0 │ just now     │
│ neptune        │        0 │            0 │      0 │   0 │       0 │ just now     │
│ rds            │        0 │            0 │      0 │   0 │       0 │ just now     │
│ redshift       │        0 │            0 │      0 │   0 │       0 │ just now     │
│ s3             │        0 │            0 │      0 │   0 │       0 │ just now     │
│ sns            │        0 │            0 │      0 │   0 │       0 │ just now     │
│ sqs            │        0 │            0 │      0 │   0 │       0 │ just now     │
│ ssm            │        0 │            0 │      0 │   0 │       0 │ just now     │
│ workspaces     │        0 │            0 │      0 │   0 │       0 │ just now     │
└────────────────┴──────────┴──────────────┴────────┴─────┴─────────┴──────────────┘
trivy --version
Version: 0.37.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-01-25 12:08:59.350553048 +0000 UTC
  NextUpdate: 2023-01-25 18:08:59.350552848 +0000 UTC
  DownloadedAt: 2023-01-25 13:05:59.839508854 +0000 UTC

cf. https://docs.aws.amazon.com/workspaces/latest/adminguide/azs-workspaces.html

jeffqumata commented 1 year ago

Perfect, thanks.