Originally posted by SujithPS0604 November 29, 2023
Description
defsec does not evaluate the second part of a conditional operator
Example:
```hcl
resource "aws_iam_role_policy" "access_policy" {
  name   = "${local.service_name}_access_role_policy"
  role   = aws_iam_role.access_role.id
  policy = var.dry_run == "false" ? data.aws_iam_policy_document.access_policy_document_prod.json : data.aws_iam_policy_document.access_policy_document.json
}
```
Here, whatever the condition is, defsec is only scanning the configuration of the first part of the condition. Here it is analyzing `data.aws_iam_policy_document.access_policy_document_prod.json`.
Output:
```
trivy config . --severity "HIGH" -d
2023-11-29T18:08:46.173+0530 INFO Misconfiguration scanning is enabled
2023-11-29T18:08:48.058+0530 INFO Detected config files: 35
```
Here there is no failure, as the policy `data.aws_iam_policy_document.access_policy_document_prod.json` is free of issues.
But if I move the second part to the first part, it shows all the issues of `data.aws_iam_policy_document.access_policy_document.json`.
Example:
```hcl
resource "aws_iam_role_policy" "access_policy" {
  name   = "${local.service_name}_access_role_policy"
  role   = aws_iam_role.access_role.id
  policy = var.dry_run == "true" ? data.aws_iam_policy_document.access_policy_document.json : data.aws_iam_policy_document.access_policy_document_prod.json
}
```
Output:
```
trivy config . --severity "HIGH" -d
2023-11-29T18:09:15.574+0530 INFO Misconfiguration scanning is enabled
2023-11-29T18:09:17.464+0530 INFO Detected config files: 36

terraform/custom_role/custom_role.tf (terraform)

Tests: 27 (SUCCESSES: 1, FAILURES: 26, EXCEPTIONS: 0)
Failures: 26 (HIGH: 26)

HIGH: IAM policy document uses sensitive action 'autoscaling:AttachLoadBalancers' on wildcarded resource '*'
```
Here, the number of config files scanned also increased, and it shows issues with the policy.
So, by default, it is always analyzing the first part of the condition only. Even if I switch the condition, it is still analyzing the first part.
Desired Behavior
It should analyze both parts of the condition, irrespective of the position each one is in.
Actual Behavior
It is analyzing only the first part of the condition.
Reproduction Steps
1. In a Terraform file, write a conditional expression which chooses either one data block or the other.
2. Run `trivy config` and observe that it shows the issues from the first part of the expression only.
Target
Filesystem
Scanner
Misconfiguration
Output Format
None
Mode
Standalone
Debug Output
```
2023-11-29T18:09:15.574+0530 INFO Misconfiguration scanning is enabled
2023-11-29T18:09:17.464+0530 INFO Detected config files: 36

terraform/custom_role/custom_role.tf (terraform)

Tests: 27 (SUCCESSES: 1, FAILURES: 26, EXCEPTIONS: 0)
Failures: 26 (HIGH: 26)

HIGH: IAM policy document uses sensitive action 'autoscaling:AttachLoadBalancers' on wildcarded resource '*'
```
Discussed in #5680
Operating System
macOS Sonoma
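Until the scanner evaluates both branches, the practical check is to find out which `aws_iam_policy_document` references sit only in the second branch of a conditional (the branch the issue reports is never evaluated) and to feed the scanner a copy of the file per branch, with the conditional replaced by that branch's expression, so each policy document is evaluated once. The script below is an added example written for this issue; it is not Trivy or defsec code. It uses a deliberately small regex-based reader that understands the single-line `cond ? a : b` form shown above (nested or multi-line conditionals and braces inside strings would need a real HCL parser), and the sample `.tf` text is constructed to mirror the reporter's resource, with two stub policy documents whose contents are assumed.

```python
"""Find policy documents hidden in the second branch of a Terraform conditional
and emit per-branch copies of the file that a one-branch scanner can cover.

Added example for the trivy/defsec issue above; not project code.
Limitations (regex reader, not HCL): one conditional per line, no nesting,
no '{', '}', '?' or ':' inside string literals other than "${...}".
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample mirroring the issue's first example; the two data blocks
# are assumed contents (the issue only shows the role policy resource).
SAMPLE_TF = '''
resource "aws_iam_role_policy" "access_policy" {
  name   = "${local.service_name}_access_role_policy"
  role   = aws_iam_role.access_role.id
  policy = var.dry_run == "false" ? data.aws_iam_policy_document.access_policy_document_prod.json : data.aws_iam_policy_document.access_policy_document.json
}

data "aws_iam_policy_document" "access_policy_document_prod" {
  statement {
    actions   = ["autoscaling:DescribeAutoScalingGroups"]
    resources = ["arn:aws:autoscaling:eu-west-1:111122223333:autoScalingGroup:*:autoScalingGroupName/example"]
  }
}

data "aws_iam_policy_document" "access_policy_document" {
  statement {
    actions   = ["autoscaling:AttachLoadBalancers"]
    resources = ["*"]
  }
}
'''

BLOCK_RE = re.compile(r'^\s*(?P<kind>resource|data)\s+"(?P<type>[^"]+)"\s+"(?P<name>[^"]+)"\s*\{')
# attr = <cond> ? <first> : <second>   (single line, as in the issue)
COND_RE = re.compile(
    r'^\s*(?P<attr>\w+)\s*=\s*(?P<cond>[^?\n]+?)\s*\?\s*(?P<first>[^:\n]+?)\s*:\s*(?P<second>[^\n]+?)\s*$',
    re.MULTILINE,
)
DOC_REF_RE = re.compile(r'data\.aws_iam_policy_document\.(\w+)')


@dataclass
class Conditional:
    block: str       # address of the enclosing block, e.g. resource.aws_iam_role_policy.access_policy
    attr: str        # attribute holding the conditional
    condition: str
    first: str       # expression used when the condition is true
    second: str      # expression used when the condition is false
    line: int        # 1-based line number in the source


def find_conditionals(src: str) -> list[Conditional]:
    """Locate single-line conditional attributes and the block that owns them."""
    found, block, depth = [], None, 0
    for lineno, line in enumerate(src.splitlines(), 1):
        head = BLOCK_RE.match(line)
        if head and depth == 0:
            block = f"{head['kind']}.{head['type']}.{head['name']}"
        cond = COND_RE.match(line)
        if cond and block:
            found.append(Conditional(block, cond["attr"], cond["cond"].strip(),
                                     cond["first"].strip(), cond["second"].strip(), lineno))
        depth += line.count("{") - line.count("}")   # "${...}" is balanced, so it nets to zero
        if depth == 0:
            block = None
    return found


def policy_docs(expr: str) -> set[str]:
    """Names of aws_iam_policy_document data sources referenced in an expression."""
    return set(DOC_REF_RE.findall(expr))


def docs_only_in_second_branch(src: str) -> set[str]:
    """Policy documents reachable only through a conditional's second branch,
    i.e. the ones a scanner that resolves just the first branch never sees."""
    conds = find_conditionals(src)
    cond_lines = {c.line for c in conds}
    covered, second = set(), set()
    for c in conds:
        covered |= policy_docs(c.first)
        second |= policy_docs(c.second)
    for lineno, line in enumerate(src.splitlines(), 1):
        if lineno not in cond_lines:            # plain references elsewhere count as covered
            covered |= policy_docs(line)
    return second - covered


def expand_branches(src: str) -> list[tuple[str, str]]:
    """For each conditional, return (label, source) pairs where the conditional
    is replaced by one branch, so scanning every variant evaluates every branch."""
    lines = src.splitlines(keepends=True)
    variants = []
    for c in find_conditionals(src):
        indent = re.match(r"\s*", lines[c.line - 1]).group(0)
        for label, branch in (("first", c.first), ("second", c.second)):
            copy = list(lines)
            copy[c.line - 1] = f"{indent}{c.attr} = {branch}\n"
            variants.append((f"{c.block}.{c.attr}:{label}", "".join(copy)))
    return variants


if __name__ == "__main__":
    import pathlib
    import sys

    out_dir = pathlib.Path(sys.argv[1] if len(sys.argv) > 1 else "tf_branches")
    for c in find_conditionals(SAMPLE_TF):
        print(f"{c.block}.{c.attr} (line {c.line}): {c.condition} ? {c.first} : {c.second}")
    print("policy documents referenced only from a second branch:",
          sorted(docs_only_in_second_branch(SAMPLE_TF)))
    for label, variant in expand_branches(SAMPLE_TF):
        target = out_dir / re.sub(r"[^\w]+", "_", label)
        target.mkdir(parents=True, exist_ok=True)
        (target / "custom_role.tf").write_text(variant)
        print(f"trivy config --severity HIGH {target}")   # one scan per branch
```

Run it against a directory of your choice and then scan each emitted directory with `trivy config`; the variant that contains `policy = data.aws_iam_policy_document.access_policy_document.json` is the one that surfaces the `autoscaling:AttachLoadBalancers` on `*` finding the issue shows, while the prod variant stays clean. The `docs_only_in_second_branch` result is the list worth gating on in CI: any non-empty set means a policy document exists that a single default scan has not evaluated.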