aquasecurity / trivy

Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
https://aquasecurity.github.io/trivy
Apache License 2.0
22.14k stars, 2.18k forks

bug(misconf): Inconsistent issue count between terraform/terraformplan-snapshot and terraformplan-json scanner #7098

Open simar7 opened 5 days ago

simar7 commented 5 days ago

Discussed in https://github.com/aquasecurity/trivy/discussions/7096

Originally posted by **cybersa** July 4, 2024

### Description

Consider this terraform script:

```hcl
# S3 Buckets
variable "s3_buckets" {
  type        = any
  description = "S3 Buckets to create"
  default = [
    { name = "b1", cmk_name = "cmk1", enable_version = true },
    { name = "b2", cmk_name = "cmk2", enable_version = false }
  ]
}

locals {
  cmk_arn = {
    cmk1 = "arn:::xx::xx-xx-1"
    cmk2 = "arn:::xx::xx-xx-2"
  }
}

# Bucket
resource "aws_s3_bucket" "bucket" {
  for_each = toset([for bucket in var.s3_buckets : bucket.name])
  bucket   = "temp-${each.key}-bucket"
}

# Bucket Encryption
resource "aws_s3_bucket_server_side_encryption_configuration" "bucket" {
  for_each = { for bucket in var.s3_buckets : bucket.name => bucket.cmk_name }
  bucket   = aws_s3_bucket.bucket[each.key].id
  rule {
    apply_server_side_encryption_by_default {
      kms_master_key_id = local.cmk_arn[each.value]
      sse_algorithm     = "aws:kms"
    }
  }
}

# Bucket Versioning
resource "aws_s3_bucket_versioning" "bucket" {
  for_each = toset([for bucket in var.s3_buckets : bucket.name if bucket.enable_version])
  bucket   = aws_s3_bucket.bucket[each.key].id
  versioning_configuration {
    status = "Enabled"
  }
}

# Block Public Access
resource "aws_s3_bucket_public_access_block" "bucket" {
  for_each = toset([for bucket in var.s3_buckets : bucket.name])
  bucket   = aws_s3_bucket.bucket[each.key].id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
```

If I run these trivy commands against the above terraform script, there are no High or Critical issues.

```
trivy config --misconfig-scanners terraform -s HIGH,CRITICAL s3_buckets.tf
terraform plan --out tfplan
trivy config --misconfig-scanners terraformplan-snapshot -s HIGH,CRITICAL tfplan
```

If I run this trivy command against the terraform JSON plan, there are 12 High issues.

```
trivy config --misconfig-scanners terraformplan-json -s "HIGH,CRITICAL" tfplan.json
```

### Desired Behavior

Issues should be consistent between the terraform, terraformplan-snapshot and terraformplan-json scanners.

### Actual Behavior

Inconsistent issues between the terraform scanners.

### Reproduction Steps

```bash
Reproduction steps are in the description.
```

### Target

Filesystem

### Scanner

Misconfiguration

### Output Format

None

### Mode

Standalone

### Debug Output

```bash
--- terraform scanner: ---
2024-07-04T12:40:18+05:30 DEBUG Parsed severities severities=[HIGH CRITICAL]
2024-07-04T12:40:18+05:30 INFO Misconfiguration scanning is enabled
2024-07-04T12:40:18+05:30 DEBUG Policies successfully loaded from disk
2024-07-04T12:40:18+05:30 DEBUG Enabling misconfiguration scanners scanners=[terraform]
2024-07-04T12:40:18+05:30 DEBUG Initializing scan cache... type="memory"
2024-07-04T12:40:18+05:30 DEBUG [nuget] The nuget packages directory couldn't be found. License search disabled
2024-07-04T12:40:18+05:30 DEBUG Scanning files for misconfigurations... scanner="Terraform"
2024-07-04T12:40:18+05:30 DEBUG [misconf] 40:18.832812689 terraform.scanner Scanning [&{%!s(*mapfs.file=&{ [] {. 256 2147484096 {13950375482028580993 486464842 0x794e200} } {{{0 0} {[] {} 0xc0021964b0} map[s3_buckets.tf:0xc00150d1b0] 0}}}) }] at '.'...
2024-07-04T12:40:18+05:30 DEBUG [misconf] 40:18.835812808 terraform.scanner.rego Overriding filesystem for checks!
2024-07-04T12:40:18+05:30 DEBUG [misconf] 40:18.836737208 terraform.scanner.rego Loaded 3 embedded libraries.
2024-07-04T12:40:18+05:30 DEBUG [misconf] 40:18.895031587 terraform.scanner.rego Loaded 192 embedded policies.
2024-07-04T12:40:18+05:30 DEBUG [misconf] 40:18.960818020 terraform.scanner.rego Loaded 195 checks from disk.
2024-07-04T12:40:18+05:30 DEBUG [misconf] 40:18.961445438 terraform.scanner.rego Overriding filesystem for data!
2024-07-04T12:40:19+05:30 DEBUG [misconf] 40:19.337500357 terraform.parser. Setting project/module root to '.'
2024-07-04T12:40:19+05:30 DEBUG [misconf] 40:19.337533551 terraform.parser. Parsing FS from '.'
2024-07-04T12:40:19+05:30 DEBUG [misconf] 40:19.337576377 terraform.parser. Parsing 's3_buckets.tf'...
2024-07-04T12:40:19+05:30 DEBUG [misconf] 40:19.337947532 terraform.parser. Added file s3_buckets.tf.
2024-07-04T12:40:19+05:30 DEBUG [misconf] 40:19.338180171 terraform.scanner Scanning root module '.'...
2024-07-04T12:40:19+05:30 DEBUG [misconf] 40:19.338192761 terraform.parser. Setting project/module root to '.'
2024-07-04T12:40:19+05:30 DEBUG [misconf] 40:19.338201465 terraform.parser. Parsing FS from '.'
2024-07-04T12:40:19+05:30 DEBUG [misconf] 40:19.338216478 terraform.parser. Parsing 's3_buckets.tf'...
2024-07-04T12:40:19+05:30 DEBUG [misconf] 40:19.338511731 terraform.parser. Added file s3_buckets.tf.
2024-07-04T12:40:19+05:30 DEBUG [misconf] 40:19.338531614 terraform.parser. Evaluating module...
2024-07-04T12:40:19+05:30 DEBUG [misconf] 40:19.338717241 terraform.parser. Read 6 block(s) and 0 ignore(s) for module 'root' (1 file[s])...
2024-07-04T12:40:19+05:30 DEBUG [misconf] 40:19.338740556 terraform.parser. Added 0 variables from tfvars.
2024-07-04T12:40:19+05:30 DEBUG [misconf] 40:19.338770699 terraform.parser. Working directory for module evaluation is "/data/projects/miraterra/git/miraterrasoil-terraform/temp"
2024-07-04T12:40:19+05:30 DEBUG [misconf] 40:19.338830056 terraform.parser..evaluator Filesystem key is 'e062b1569b2b684dcbe91a1ba43d1adda8e984e21dba2d7009e3654519b54044'
2024-07-04T12:40:19+05:30 DEBUG [misconf] 40:19.338840550 terraform.parser..evaluator Starting module evaluation...
2024-07-04T12:40:19+05:30 DEBUG [misconf] 40:19.339344699 terraform.parser..evaluator Expanded block 'aws_s3_bucket.bucket' into 2 clones via 'for_each' attribute.
2024-07-04T12:40:19+05:30 DEBUG [misconf] 40:19.339558015 terraform.parser..evaluator Expanded block 'aws_s3_bucket_public_access_block.bucket' into 2 clones via 'for_each' attribute.
2024-07-04T12:40:19+05:30 DEBUG [misconf] 40:19.339742688 terraform.parser..evaluator Expanded block 'aws_s3_bucket_server_side_encryption_configuration.bucket' into 2 clones via 'for_each' attribute.
2024-07-04T12:40:19+05:30 DEBUG [misconf] 40:19.339867742 terraform.parser..evaluator Expanded block 'aws_s3_bucket_versioning.bucket' into 1 clones via 'for_each' attribute.
2024-07-04T12:40:19+05:30 DEBUG [misconf] 40:19.339881635 terraform.parser..evaluator Starting submodule evaluation...
2024-07-04T12:40:19+05:30 DEBUG [misconf] 40:19.339887789 terraform.parser..evaluator All submodules are evaluated at i=0
2024-07-04T12:40:19+05:30 DEBUG [misconf] 40:19.339892399 terraform.parser..evaluator Starting post-submodule evaluation...
2024-07-04T12:40:19+05:30 DEBUG [misconf] 40:19.340270576 terraform.parser..evaluator Finished processing 0 submodule(s).
2024-07-04T12:40:19+05:30 DEBUG [misconf] 40:19.340281647 terraform.parser..evaluator Module evaluation complete.
2024-07-04T12:40:19+05:30 DEBUG [misconf] 40:19.340289569 terraform.parser. Finished parsing module 'root'.
2024-07-04T12:40:19+05:30 DEBUG [misconf] 40:19.340296635 terraform.executor Adapting modules...
2024-07-04T12:40:19+05:30 DEBUG [misconf] 40:19.340515715 terraform.executor Adapted 1 module(s) into defsec state data.
2024-07-04T12:40:19+05:30 DEBUG [misconf] 40:19.340527181 terraform.executor Using max routines of 7
2024-07-04T12:40:19+05:30 DEBUG [misconf] 40:19.340639780 terraform.executor Initialized 487 rule(s).
2024-07-04T12:40:19+05:30 DEBUG [misconf] 40:19.340650448 terraform.executor Created pool with 7 worker(s) to apply rules.
2024-07-04T12:40:19+05:30 DEBUG [misconf] 40:19.341625875 terraform.scanner.rego Scanning 1 inputs...
2024-07-04T12:40:19+05:30 DEBUG [misconf] 40:19.353839520 terraform.executor Finished applying rules.
2024-07-04T12:40:19+05:30 DEBUG [misconf] 40:19.353881735 terraform.executor Applying ignores...
2024-07-04T12:40:19+05:30 DEBUG OS is not detected.
2024-07-04T12:40:19+05:30 INFO Detected config files num=2
2024-07-04T12:40:19+05:30 DEBUG Scanned config file path="."
2024-07-04T12:40:19+05:30 DEBUG Scanned config file path="s3_buckets.tf"

--- terraformplan-snapshot scanner: ---
2024-07-04T12:38:54+05:30 DEBUG Parsed severities severities=[HIGH CRITICAL]
2024-07-04T12:38:54+05:30 INFO Misconfiguration scanning is enabled
2024-07-04T12:38:54+05:30 DEBUG Policies successfully loaded from disk
2024-07-04T12:38:54+05:30 DEBUG Enabling misconfiguration scanners scanners=[terraformplan-snapshot]
2024-07-04T12:38:54+05:30 DEBUG Initializing scan cache... type="memory"
2024-07-04T12:38:54+05:30 DEBUG [nuget] The nuget packages directory couldn't be found. License search disabled
2024-07-04T12:38:54+05:30 DEBUG Scanning files for misconfigurations... scanner="Terraform Plan Snapshot"
2024-07-04T12:38:54+05:30 DEBUG [misconf] 38:54.397678216 terraform.scanner Scanning [&{%!s(*memoryfs.dir=&{{{0 0} 0 0 {{} 0} {{} 0}} {. 256 {13950375391399235573 497065044 0x794e200} 2147484096 } map[] map[s3_buckets.tf:0xc0012e1000 terraform-settings.tf:0xc0012e1080]})}] at '.'...
2024-07-04T12:38:54+05:30 DEBUG [misconf] 38:54.400529965 terraform.scanner.rego Overriding filesystem for checks!
2024-07-04T12:38:54+05:30 DEBUG [misconf] 38:54.401930514 terraform.scanner.rego Loaded 3 embedded libraries.
2024-07-04T12:38:54+05:30 DEBUG [misconf] 38:54.464393996 terraform.scanner.rego Loaded 192 embedded policies.
2024-07-04T12:38:54+05:30 DEBUG [misconf] 38:54.530924086 terraform.scanner.rego Loaded 195 checks from disk.
2024-07-04T12:38:54+05:30 DEBUG [misconf] 38:54.531439235 terraform.scanner.rego Overriding filesystem for data!
2024-07-04T12:38:54+05:30 DEBUG [misconf] 38:54.899200674 terraform.parser. Setting project/module root to '.'
2024-07-04T12:38:54+05:30 DEBUG [misconf] 38:54.899235780 terraform.parser. Parsing FS from '.'
2024-07-04T12:38:54+05:30 DEBUG [misconf] 38:54.899253970 terraform.parser. Parsing 's3_buckets.tf'...
2024-07-04T12:38:54+05:30 DEBUG [misconf] 38:54.899525428 terraform.parser. Added file s3_buckets.tf.
2024-07-04T12:38:54+05:30 DEBUG [misconf] 38:54.899538070 terraform.parser. Parsing 'terraform-settings.tf'...
2024-07-04T12:38:54+05:30 DEBUG [misconf] 38:54.899578862 terraform.parser. Added file terraform-settings.tf.
2024-07-04T12:38:54+05:30 DEBUG [misconf] 38:54.899818811 terraform.scanner Scanning root module '.'...
2024-07-04T12:38:54+05:30 DEBUG [misconf] 38:54.899830838 terraform.parser. Setting project/module root to '.'
2024-07-04T12:38:54+05:30 DEBUG [misconf] 38:54.899840669 terraform.parser. Parsing FS from '.'
2024-07-04T12:38:54+05:30 DEBUG [misconf] 38:54.899852663 terraform.parser. Parsing 's3_buckets.tf'...
2024-07-04T12:38:54+05:30 DEBUG [misconf] 38:54.900076989 terraform.parser. Added file s3_buckets.tf.
2024-07-04T12:38:54+05:30 DEBUG [misconf] 38:54.900087366 terraform.parser. Parsing 'terraform-settings.tf'...
2024-07-04T12:38:54+05:30 DEBUG [misconf] 38:54.900132392 terraform.parser. Added file terraform-settings.tf.
2024-07-04T12:38:54+05:30 DEBUG [misconf] 38:54.900140964 terraform.parser. Evaluating module...
2024-07-04T12:38:54+05:30 DEBUG [misconf] 38:54.900343701 terraform.parser. Read 7 block(s) and 0 ignore(s) for module 'root' (2 file[s])...
2024-07-04T12:38:54+05:30 DEBUG [misconf] 38:54.900364125 terraform.parser. Added 0 variables from tfvars.
2024-07-04T12:38:54+05:30 DEBUG [misconf] 38:54.900390507 terraform.parser. Working directory for module evaluation is "/data/projects/miraterra/git/miraterrasoil-terraform/temp"
2024-07-04T12:38:54+05:30 DEBUG [misconf] 38:54.900438509 terraform.parser..evaluator Filesystem key is '52d5ca1283468bd2236fd005e5a64df1b185d6e99d39507227ab3104ca8fed2e'
2024-07-04T12:38:54+05:30 DEBUG [misconf] 38:54.900448585 terraform.parser..evaluator Starting module evaluation...
2024-07-04T12:38:54+05:30 DEBUG [misconf] 38:54.900919903 terraform.parser..evaluator Expanded block 'aws_s3_bucket.bucket' into 2 clones via 'for_each' attribute.
2024-07-04T12:38:54+05:30 DEBUG [misconf] 38:54.901195064 terraform.parser..evaluator Expanded block 'aws_s3_bucket_public_access_block.bucket' into 2 clones via 'for_each' attribute.
2024-07-04T12:38:54+05:30 DEBUG [misconf] 38:54.901366393 terraform.parser..evaluator Expanded block 'aws_s3_bucket_server_side_encryption_configuration.bucket' into 2 clones via 'for_each' attribute.
2024-07-04T12:38:54+05:30 DEBUG [misconf] 38:54.901478994 terraform.parser..evaluator Expanded block 'aws_s3_bucket_versioning.bucket' into 1 clones via 'for_each' attribute.
2024-07-04T12:38:54+05:30 DEBUG [misconf] 38:54.901494082 terraform.parser..evaluator Starting submodule evaluation...
2024-07-04T12:38:54+05:30 DEBUG [misconf] 38:54.901504202 terraform.parser..evaluator All submodules are evaluated at i=0
2024-07-04T12:38:54+05:30 DEBUG [misconf] 38:54.901513225 terraform.parser..evaluator Starting post-submodule evaluation...
2024-07-04T12:38:54+05:30 DEBUG [misconf] 38:54.901954290 terraform.parser..evaluator Finished processing 0 submodule(s).
2024-07-04T12:38:54+05:30 DEBUG [misconf] 38:54.901966854 terraform.parser..evaluator Module evaluation complete.
2024-07-04T12:38:54+05:30 DEBUG [misconf] 38:54.901980634 terraform.parser. Finished parsing module 'root'.
2024-07-04T12:38:54+05:30 DEBUG [misconf] 38:54.901990288 terraform.executor Adapting modules...
2024-07-04T12:38:54+05:30 DEBUG [misconf] 38:54.902212324 terraform.executor Adapted 1 module(s) into defsec state data.
2024-07-04T12:38:54+05:30 DEBUG [misconf] 38:54.902224635 terraform.executor Using max routines of 7
2024-07-04T12:38:54+05:30 DEBUG [misconf] 38:54.902317754 terraform.executor Initialized 487 rule(s).
2024-07-04T12:38:54+05:30 DEBUG [misconf] 38:54.902326706 terraform.executor Created pool with 7 worker(s) to apply rules.
2024-07-04T12:38:54+05:30 DEBUG [misconf] 38:54.903630155 terraform.scanner.rego Scanning 1 inputs...
2024-07-04T12:38:54+05:30 DEBUG [misconf] 38:54.915455203 terraform.executor Finished applying rules.
2024-07-04T12:38:54+05:30 DEBUG [misconf] 38:54.915568045 terraform.executor Applying ignores...
2024-07-04T12:38:54+05:30 DEBUG OS is not detected.
2024-07-04T12:38:54+05:30 INFO Detected config files num=2
2024-07-04T12:38:54+05:30 DEBUG Scanned config file path="."
2024-07-04T12:38:54+05:30 DEBUG Scanned config file path="s3_buckets.tf"

--- terraformplan-json scanner: ---
2024-07-04T12:36:26+05:30 DEBUG Parsed severities severities=[HIGH CRITICAL]
2024-07-04T12:36:26+05:30 INFO Misconfiguration scanning is enabled
2024-07-04T12:36:26+05:30 DEBUG Policies successfully loaded from disk
2024-07-04T12:36:26+05:30 DEBUG Enabling misconfiguration scanners scanners=[terraformplan-json]
2024-07-04T12:36:26+05:30 DEBUG Initializing scan cache... type="memory"
2024-07-04T12:36:26+05:30 DEBUG [nuget] The nuget packages directory couldn't be found. License search disabled
2024-07-04T12:36:26+05:30 DEBUG Scanning files for misconfigurations... scanner="Terraform Plan JSON"
2024-07-04T12:36:26+05:30 DEBUG [misconf] 36:26.905068917 tfplan.scanner Scanning file tfplan.json
2024-07-04T12:36:26+05:30 DEBUG [misconf] 36:26.905884189 terraform.scanner Scanning [&{%!s(*memoryfs.dir=&{{{0 0} 0 0 {{} 0} {{} 0}} {. 256 {13950375232993255809 497810943 0x794e200} 2147484096 } map[] map[main.tf:0xc0014a5980]})}] at '.'...
2024-07-04T12:36:26+05:30 DEBUG [misconf] 36:26.909379694 terraform.scanner.rego Overriding filesystem for checks!
2024-07-04T12:36:26+05:30 DEBUG [misconf] 36:26.910561214 terraform.scanner.rego Loaded 3 embedded libraries.
2024-07-04T12:36:26+05:30 DEBUG [misconf] 36:26.967687028 terraform.scanner.rego Loaded 192 embedded policies.
2024-07-04T12:36:27+05:30 DEBUG [misconf] 36:27.033569307 terraform.scanner.rego Loaded 195 checks from disk.
2024-07-04T12:36:27+05:30 DEBUG [misconf] 36:27.034114826 terraform.scanner.rego Overriding filesystem for data!
2024-07-04T12:36:27+05:30 DEBUG [misconf] 36:27.393550192 terraform.parser. Setting project/module root to '.'
2024-07-04T12:36:27+05:30 DEBUG [misconf] 36:27.393612577 terraform.parser. Parsing FS from '.'
2024-07-04T12:36:27+05:30 DEBUG [misconf] 36:27.393636366 terraform.parser. Parsing 'main.tf'...
2024-07-04T12:36:27+05:30 DEBUG [misconf] 36:27.394233781 terraform.parser. Added file main.tf.
2024-07-04T12:36:27+05:30 DEBUG [misconf] 36:27.394585949 terraform.scanner Scanning root module '.'...
2024-07-04T12:36:27+05:30 DEBUG [misconf] 36:27.394599771 terraform.parser. Setting project/module root to '.'
2024-07-04T12:36:27+05:30 DEBUG [misconf] 36:27.394606136 terraform.parser. Parsing FS from '.'
2024-07-04T12:36:27+05:30 DEBUG [misconf] 36:27.394634795 terraform.parser. Parsing 'main.tf'...
2024-07-04T12:36:27+05:30 DEBUG [misconf] 36:27.394843943 terraform.parser. Added file main.tf.
2024-07-04T12:36:27+05:30 DEBUG [misconf] 36:27.394853505 terraform.parser. Evaluating module...
2024-07-04T12:36:27+05:30 DEBUG [misconf] 36:27.395072562 terraform.parser. Read 7 block(s) and 0 ignore(s) for module 'root' (1 file[s])...
2024-07-04T12:36:27+05:30 DEBUG [misconf] 36:27.395104753 terraform.parser. Added 0 variables from tfvars.
2024-07-04T12:36:27+05:30 DEBUG [misconf] 36:27.395155791 terraform.parser. Working directory for module evaluation is "/data/projects/miraterra/git/miraterrasoil-terraform/temp"
2024-07-04T12:36:27+05:30 DEBUG [misconf] 36:27.395271248 terraform.parser..evaluator Filesystem key is '01d065908fe73d60c92ab3111d701951286f8792ecda263f3f1cb188953756f3'
2024-07-04T12:36:27+05:30 DEBUG [misconf] 36:27.395280463 terraform.parser..evaluator Starting module evaluation...
2024-07-04T12:36:27+05:30 DEBUG [misconf] 36:27.395602434 terraform.parser..evaluator Starting submodule evaluation...
2024-07-04T12:36:27+05:30 DEBUG [misconf] 36:27.395637602 terraform.parser..evaluator All submodules are evaluated at i=0
2024-07-04T12:36:27+05:30 DEBUG [misconf] 36:27.395643493 terraform.parser..evaluator Starting post-submodule evaluation...
2024-07-04T12:36:27+05:30 DEBUG [misconf] 36:27.395960780 terraform.parser..evaluator Finished processing 0 submodule(s).
2024-07-04T12:36:27+05:30 DEBUG [misconf] 36:27.395973506 terraform.parser..evaluator Module evaluation complete.
2024-07-04T12:36:27+05:30 DEBUG [misconf] 36:27.395986945 terraform.parser. Finished parsing module 'root'.
2024-07-04T12:36:27+05:30 DEBUG [misconf] 36:27.395999981 terraform.executor Adapting modules...
2024-07-04T12:36:27+05:30 DEBUG [misconf] 36:27.396183980 terraform.executor Adapted 1 module(s) into defsec state data.
2024-07-04T12:36:27+05:30 DEBUG [misconf] 36:27.396197215 terraform.executor Using max routines of 7
2024-07-04T12:36:27+05:30 DEBUG [misconf] 36:27.396371946 terraform.executor Initialized 487 rule(s).
2024-07-04T12:36:27+05:30 DEBUG [misconf] 36:27.396386039 terraform.executor Created pool with 7 worker(s) to apply rules.
2024-07-04T12:36:27+05:30 DEBUG [misconf] 36:27.397209951 terraform.scanner.rego Scanning 1 inputs...
2024-07-04T12:36:27+05:30 DEBUG [misconf] 36:27.401956852 terraform.executor Finished applying rules.
2024-07-04T12:36:27+05:30 DEBUG [misconf] 36:27.402023298 terraform.executor Applying ignores...
2024-07-04T12:36:27+05:30 DEBUG OS is not detected.
2024-07-04T12:36:27+05:30 INFO Detected config files num=2
2024-07-04T12:36:27+05:30 DEBUG Scanned config file path="."
2024-07-04T12:36:27+05:30 DEBUG Scanned config file path="main.tf"

main.tf (terraformplan)

Tests: 14 (SUCCESSES: 2, FAILURES: 12, EXCEPTIONS: 0)
Failures: 12 (HIGH: 12, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
══════════════════════════════════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.

See https://avd.aquasec.com/misconfig/avd-aws-0086
──────────────────────────────────────────────────────────────────────
 main.tf:5-7
──────────────────────────────────────────────────────────────────────
   5 ┌ resource "aws_s3_bucket" "bucket" {
   6 │   bucket = "temp-b2-bucket"
   7 └ }
──────────────────────────────────────────────────────────────────────

HIGH: No public access block so not blocking public acls
══════════════════════════════════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.

See https://avd.aquasec.com/misconfig/avd-aws-0086
──────────────────────────────────────────────────────────────────────
 main.tf:1-3
──────────────────────────────────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "bucket" {
   2 │   bucket = "temp-b1-bucket"
   3 └ }
──────────────────────────────────────────────────────────────────────

HIGH: No public access block so not blocking public policies
══════════════════════════════════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
──────────────────────────────────────────────────────────────────────
 main.tf:5-7
──────────────────────────────────────────────────────────────────────
   5 ┌ resource "aws_s3_bucket" "bucket" {
   6 │   bucket = "temp-b2-bucket"
   7 └ }
──────────────────────────────────────────────────────────────────────

HIGH: No public access block so not blocking public policies
══════════════════════════════════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
──────────────────────────────────────────────────────────────────────
 main.tf:1-3
──────────────────────────────────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "bucket" {
   2 │   bucket = "temp-b1-bucket"
   3 └ }
──────────────────────────────────────────────────────────────────────

HIGH: Bucket does not have encryption enabled
══════════════════════════════════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
──────────────────────────────────────────────────────────────────────
 main.tf:5-7
──────────────────────────────────────────────────────────────────────
   5 ┌ resource "aws_s3_bucket" "bucket" {
   6 │   bucket = "temp-b2-bucket"
   7 └ }
──────────────────────────────────────────────────────────────────────

HIGH: Bucket does not have encryption enabled
══════════════════════════════════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
──────────────────────────────────────────────────────────────────────
 main.tf:1-3
──────────────────────────────────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "bucket" {
   2 │   bucket = "temp-b1-bucket"
   3 └ }
──────────────────────────────────────────────────────────────────────

HIGH: No public access block so not ignoring public acls
══════════════════════════════════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
──────────────────────────────────────────────────────────────────────
 main.tf:5-7
──────────────────────────────────────────────────────────────────────
   5 ┌ resource "aws_s3_bucket" "bucket" {
   6 │   bucket = "temp-b2-bucket"
   7 └ }
──────────────────────────────────────────────────────────────────────

HIGH: No public access block so not ignoring public acls
══════════════════════════════════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
──────────────────────────────────────────────────────────────────────
 main.tf:1-3
──────────────────────────────────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "bucket" {
   2 │   bucket = "temp-b1-bucket"
   3 └ }
──────────────────────────────────────────────────────────────────────

HIGH: No public access block so not restricting public buckets
══════════════════════════════════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
──────────────────────────────────────────────────────────────────────
 main.tf:5-7
──────────────────────────────────────────────────────────────────────
   5 ┌ resource "aws_s3_bucket" "bucket" {
   6 │   bucket = "temp-b2-bucket"
   7 └ }
──────────────────────────────────────────────────────────────────────

HIGH: No public access block so not restricting public buckets
══════════════════════════════════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
──────────────────────────────────────────────────────────────────────
 main.tf:1-3
──────────────────────────────────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "bucket" {
   2 │   bucket = "temp-b1-bucket"
   3 └ }
──────────────────────────────────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
══════════════════════════════════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
──────────────────────────────────────────────────────────────────────
 main.tf:5-7
──────────────────────────────────────────────────────────────────────
   5 ┌ resource "aws_s3_bucket" "bucket" {
   6 │   bucket = "temp-b2-bucket"
   7 └ }
──────────────────────────────────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
══════════════════════════════════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
──────────────────────────────────────────────────────────────────────
 main.tf:1-3
──────────────────────────────────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "bucket" {
   2 │   bucket = "temp-b1-bucket"
   3 └ }
──────────────────────────────────────────────────────────────────────
```

### Operating System

Ubuntu 20.04

### Version

```bash
Version: 0.53.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-09-11 06:16:57.742189926 +0000 UTC
  NextUpdate: 2023-09-11 12:16:57.742189326 +0000 UTC
  DownloadedAt: 2023-09-11 07:08:10.751619881 +0000 UTC
Check Bundle:
  Digest: sha256:ef2d9ad4fce0f933b20a662004d7e55bf200987c180e7f2cd531af631f408bb3
  DownloadedAt: 2024-07-03 11:55:33.672405891 +0000 UTC
```

### Checklist

- [X] Run `trivy clean --all`
- [X] Read [the troubleshooting](https://aquasecurity.github.io/trivy/latest/docs/references/troubleshooting/)
simar7 commented 5 days ago

@nikpivkin when you are back, can you take a look at it?

nikpivkin commented 2 days ago

The problem is due to the fact that we cannot establish a relationship between resources in the Plan file JSON format when the `each` object is used in an expression. A similar issue already exists in Terraform.
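The relationship the comment above says is lost is still present in the plan JSON, just not in the planned attribute values: the companion resource's `bucket` argument survives under `configuration` as a reference to `aws_s3_bucket.bucket[each.key]`, and each planned instance carries its for_each key in `index`. The script below is an added example written for this page, not trivy code and not a proposed patch. It pairs each `aws_s3_bucket` instance with its public access block, SSE configuration and versioning resource by (referenced bucket address, index), and also counts how many companions could be linked through `values.bucket` alone, which is the flattened view the scanner ends up with. `SAMPLE_PLAN` is constructed by hand to mirror the shape of `terraform show -json tfplan` for the module in the issue, cut down to the keys the script reads; the key names follow the Terraform JSON output format, but the exact contents of the `references` list should be checked against real output from your Terraform version.

```python
"""Link for_each-expanded S3 companion resources to their bucket in a Terraform plan JSON.

Added example for this issue, not trivy code. Matching on (referenced bucket
address, for_each index) ties e.g. aws_s3_bucket_public_access_block.bucket["b1"]
to aws_s3_bucket.bucket["b1"], which the planned `values` alone cannot do.
"""
import json
import re
from typing import Dict, List, Tuple

BUCKET_TYPE = "aws_s3_bucket"
COMPANION_TYPES = {
    "aws_s3_bucket_public_access_block": "public_access_block",
    "aws_s3_bucket_server_side_encryption_configuration": "sse",
    "aws_s3_bucket_versioning": "versioning",
}
# Accepts aws_s3_bucket.x, aws_s3_bucket.x[each.key], aws_s3_bucket.x[each.key].id, aws_s3_bucket.x.id
BUCKET_REF = re.compile(r"^(aws_s3_bucket\.[\w-]+)(\[each\.key\])?(\.\w+)?$")


def _inst(rtype: str, idx: str, **values) -> dict:
    """One entry of planned_values.root_module.resources (constructed sample data)."""
    return {"address": f'{rtype}.bucket["{idx}"]', "mode": "managed", "type": rtype,
            "name": "bucket", "index": idx, "values": values}


def _cfg(rtype: str) -> dict:
    """One entry of configuration.root_module.resources for bucket = aws_s3_bucket.bucket[each.key].id."""
    return {"address": f"{rtype}.bucket", "mode": "managed", "type": rtype, "name": "bucket",
            "expressions": {"bucket": {"references": [
                "aws_s3_bucket.bucket[each.key].id", "aws_s3_bucket.bucket[each.key]",
                "aws_s3_bucket.bucket", "each.key"]}},
            "for_each_expression": {"references": ["var.s3_buckets"]}}


PAB = {"block_public_acls": True, "block_public_policy": True,
       "ignore_public_acls": True, "restrict_public_buckets": True}
SSE = {"rule": [{"apply_server_side_encryption_by_default": [
    {"kms_master_key_id": "arn:::xx::xx-xx-1", "sse_algorithm": "aws:kms"}]}]}

# Constructed stand-in for `terraform show -json tfplan` on the issue's module, abridged to the keys
# read below: b1 and b2 both get a public access block and SSE, only b1 gets versioning. The
# companions' own `bucket` value is computed at apply time, so it is absent from their `values`.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "planned_values": {"root_module": {"resources": [
        _inst(BUCKET_TYPE, "b1", bucket="temp-b1-bucket"),
        _inst(BUCKET_TYPE, "b2", bucket="temp-b2-bucket"),
        _inst("aws_s3_bucket_public_access_block", "b1", **PAB),
        _inst("aws_s3_bucket_public_access_block", "b2", **PAB),
        _inst("aws_s3_bucket_server_side_encryption_configuration", "b1", **SSE),
        _inst("aws_s3_bucket_server_side_encryption_configuration", "b2", **SSE),
        _inst("aws_s3_bucket_versioning", "b1", versioning_configuration=[{"status": "Enabled"}]),
    ]}},
    "configuration": {"root_module": {"resources": [
        {"address": "aws_s3_bucket.bucket", "mode": "managed", "type": BUCKET_TYPE,
         "name": "bucket", "expressions": {"bucket": {"references": ["each.key"]}},
         "for_each_expression": {"references": ["var.s3_buckets"]}},
        _cfg("aws_s3_bucket_public_access_block"),
        _cfg("aws_s3_bucket_server_side_encryption_configuration"),
        _cfg("aws_s3_bucket_versioning"),
    ]}},
}


def companion_targets(plan: dict) -> Dict[str, str]:
    """Map each companion's config address (type.name) to the bucket address its `bucket` references.
    Root module only; child modules would need the same walk over `module_calls`."""
    targets: Dict[str, str] = {}
    for res in plan["configuration"]["root_module"].get("resources", []):
        if res["type"] not in COMPANION_TYPES:
            continue
        for ref in res.get("expressions", {}).get("bucket", {}).get("references", []):
            match = BUCKET_REF.match(ref)
            if match:
                targets[res["address"]] = match.group(1)
                break
    return targets


def match_by_value(plan: dict) -> int:
    """Companions linkable through their planned `bucket` value alone (the flattened view)."""
    instances = plan["planned_values"]["root_module"]["resources"]
    names = {r["values"].get("bucket") for r in instances if r["type"] == BUCKET_TYPE}
    return sum(1 for r in instances
               if r["type"] in COMPANION_TYPES and r["values"].get("bucket") in names)


def missing_controls(plan: dict) -> Dict[str, List[str]]:
    """For each planned bucket instance, the companion controls not attached to it."""
    targets = companion_targets(plan)
    instances = plan["planned_values"]["root_module"]["resources"]
    # (config address, for_each key) -> instance address, e.g. ("aws_s3_bucket.bucket", "b1")
    buckets: Dict[Tuple[str, object], str] = {
        (f'{r["type"]}.{r["name"]}', r.get("index")): r["address"]
        for r in instances if r["type"] == BUCKET_TYPE}
    attached = {addr: set() for addr in buckets.values()}
    for r in instances:
        if r["type"] not in COMPANION_TYPES:
            continue
        target = targets.get(f'{r["type"]}.{r["name"]}')
        bucket_addr = buckets.get((target, r.get("index")))  # same bucket, same each.key
        if bucket_addr is not None:
            attached[bucket_addr].add(COMPANION_TYPES[r["type"]])
    wanted = set(COMPANION_TYPES.values())
    return {addr: sorted(wanted - got) for addr, got in attached.items()}


if __name__ == "__main__":
    print("companions linked by planned value only:", match_by_value(SAMPLE_PLAN))
    print(json.dumps(missing_controls(SAMPLE_PLAN), indent=2))
```

To run it against a real plan, replace `SAMPLE_PLAN` with `json.load(open("tfplan.json"))` produced by `terraform show -json tfplan`. On the sample, `match_by_value` returns 0 while `missing_controls` reports only that `aws_s3_bucket.bucket["b2"]` lacks versioning, which is the whole point: nothing in the planned `values` ties a companion to its bucket, only the configuration reference combined with the instance index does, and a converter that drops the index or the reference has no way to rebuild the link.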

simar7 commented 1 day ago

@nikpivkin this seems like a limitation of the current terraform feature set. Should we document this on our support page for terraform? https://aquasecurity.github.io/trivy/v0.53/docs/coverage/iac/terraform/

nikpivkin commented 1 day ago

@simar7 Yeah, I think it can be done.