bridgecrewio / checkov

Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.
https://www.checkov.io/
Apache License 2.0

CKV2_IBM_6 is requiring a deprecated feature in order to pass #5855

Open ocofaigh opened 7 months ago

ocofaigh commented 7 months ago

Describe the issue
CKV2_IBM_6: "Ensure Databases network access is restricted to a specific IP range" currently fails if not using the allowlist option with the ibm_database resource.

The problem however is that this feature has been deprecated by IBM Cloud in favour of CBRs (Context Based Restrictions). From the official docs: [image]

So I do not think CKV2_IBM_6 should be mandating people to use a deprecated feature. Perhaps update the logic to check for CBRs? For example, our ICD redis module allows you to provision CBR rules to restrict network access -> https://github.com/terraform-ibm-modules/terraform-ibm-icd-redis/blob/bd9f6299366bf2f58a137e04500d4f2102e96cf4/main.tf#L143-L181

Examples
Module -> https://github.com/terraform-ibm-modules/terraform-ibm-icd-redis
Failure:

Check: CKV2_IBM_6: "Ensure Databases network access is restricted to a specific IP range"
    FAILED for resource: module.icd_redis.ibm_database.redis_database
    File: /main.tf:52-141

Version (please complete the following information):

Additional context

Saarett commented 7 months ago

Hi @ocofaigh, thanks for reaching out 😄 That's a good catch 👍 Do you wish to contribute the fix? That would be very helpful 🙂 Otherwise, we could wait for @praveen-panw to introduce the fix. This is the relevant file path - checkov/terraform/checks/graph_checks/ibm/IBM_DatabasesNWaccessRestrictedToSpecificIPrange.yaml

ocofaigh commented 7 months ago

@Saarett What do you propose the fix would be here? CBR creation is handled as completely different terraform resources to ibm_database. You basically use ibm_cbr_zone to create a zone (such as IP address space), and then use ibm_cbr_rule to create the rule. So it won't be as simple as updating the current yaml logic.

stale[bot] commented 1 month ago

Thanks for contributing to Checkov! We've automatically marked this issue as stale to keep our issues list tidy, because it has not had any activity for 6 months. It will be closed in 14 days if no further activity occurs. Commenting on this issue will remove the stale tag. If you want to talk through the issue or help us understand the priority and context, feel free to add a comment or join us in the Checkov slack channel at codifiedsecurity.slack.com Thanks!

ocofaigh commented 1 month ago

Still an issue, so leaving comment to prevent issue from being closed

Saarett commented 3 weeks ago

@ocofaigh I apologize for the delayed response. What if we changed this policy from a YAML-based policy to a Python-based policy? Would that make it easier?

ocofaigh commented 3 weeks ago

@Saarett regardless of whether you go with yaml or python, I guess a decision has to be made on what exactly you plan to check. All that I know is that the rule CKV2_IBM_6 is mandating a feature that is deprecated, so you either need to remove the rule, or update it. If you were to update it, I'm not actually sure what you replace it with since the suggestion is to use CBRs, and CBRs are account-level settings that are created separately from database instances.
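To make the decision point in this thread concrete, here is an added example (not Checkov's code or API, and not from the linked module) of the cross-resource logic a rewritten CKV2_IBM_6 would need: an ibm_database passes if it still carries the deprecated allowlist, or if an enforced ibm_cbr_rule scopes that instance to a network zone. The resource dicts stand in for parsed Terraform, and the CBR attribute names "serviceInstance" and "networkZoneId" and the "enforcement_mode" values are assumptions about the IBM provider schema.

```python
# Illustrative policy logic only; not Checkov's check framework. Resources are
# simplified dicts keyed by Terraform address, values are their parsed bodies.
PASSED, FAILED = "PASSED", "FAILED"


def _rule_targets(rule):
    """Instance references named in a CBR rule's resource attributes (assumed schema)."""
    return {
        attr.get("value")
        for res in rule.get("resources", [])
        for attr in res.get("attributes", [])
        if attr.get("name") == "serviceInstance"
    }


def _rule_has_network_zone(rule):
    """True if the rule's context restricts by a CBR network zone (assumed schema)."""
    return any(
        attr.get("name") == "networkZoneId"
        for ctx in rule.get("contexts", [])
        for attr in ctx.get("attributes", [])
    )


def evaluate_ckv2_ibm_6(resources):
    """Map each ibm_database address to PASSED or FAILED."""
    cbr_protected = set()
    for address, body in resources.items():
        # A rule in "report" or "disabled" mode does not block traffic, so it
        # must not count as protection; "enabled" is assumed to be the default.
        enforced = body.get("enforcement_mode", "enabled") == "enabled"
        if address.startswith("ibm_cbr_rule.") and enforced and _rule_has_network_zone(body):
            cbr_protected |= _rule_targets(body)
    results = {}
    for address, body in resources.items():
        if address.startswith("ibm_database."):
            has_allowlist = bool(body.get("allowlist"))  # deprecated path still accepted
            has_cbr = f"{address}.guid" in cbr_protected  # rule references this instance
            results[address] = PASSED if (has_allowlist or has_cbr) else FAILED
    return results


# Constructed sample plan: a legacy allowlist database, a CBR-scoped Redis
# instance, and an instance with neither control.
SAMPLE = {
    "ibm_cbr_zone.office": {"addresses": [{"type": "ipRange", "value": "192.0.2.0-192.0.2.255"}]},
    "ibm_cbr_rule.redis_office_only": {
        "enforcement_mode": "enabled",
        "contexts": [{"attributes": [{"name": "networkZoneId", "value": "ibm_cbr_zone.office.id"}]}],
        "resources": [{"attributes": [{"name": "serviceName", "value": "databases-for-redis"},
                                      {"name": "serviceInstance", "value": "ibm_database.redis.guid"}]}],
    },
    "ibm_database.legacy": {"allowlist": [{"address": "192.0.2.0/24"}]},
    "ibm_database.redis": {},
    "ibm_database.open": {},
}
```

Running `evaluate_ckv2_ibm_6(SAMPLE)` passes the first two databases and fails `ibm_database.open`; the same rule with `enforcement_mode = "report"` would fail the Redis instance too.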