Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(misconf): Support relative paths in terraform config #3991

Closed
wants to merge 8 commits into from

Conversation

simar7
Copy link
Member

@simar7 simar7 commented Apr 5, 2023

Description

Currently, if a terraform deployment contains modules that are defined with relative file paths, trivy silently ignores them and does not scan them.

This PR also eliminates unnecessary scan for config types that are not found when evaluating.

Related issues

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).

Signed-off-by: Simar [email protected]

Currently, if a terraform deployment contains modules
that are defined with relative file paths, trivy silently
ignores them and does not scan them.

This PR also eliminates unnecessary scan for config types
that are not found when evaluating.

Signed-off-by: Simar <[email protected]>
@simar7 simar7 force-pushed the fix-relative-paths-last-good branch from fb55191 to 6a9e717 Compare April 5, 2023 05:57
@simar7 simar7 force-pushed the fix-relative-paths-last-good branch from 6a9e717 to 0337b65 Compare April 5, 2023 06:00
simar7 added 3 commits April 4, 2023 23:18
Signed-off-by: Simar <[email protected]>
Signed-off-by: Simar <[email protected]>
Signed-off-by: Simar <[email protected]>
@simar7 simar7 force-pushed the fix-relative-paths-last-good branch from 535f19c to 6a435df Compare April 6, 2023 02:18
Signed-off-by: Simar <[email protected]>
@simar7 simar7 force-pushed the fix-relative-paths-last-good branch 2 times, most recently from cbc439e to adeeec3 Compare April 6, 2023 06:22
@@ -50,6 +51,7 @@ func NewScanner(filePatterns []string, opt config.ScannerOption) (Scanner, error
opts := []options.ScannerOption{
options.ScannerWithSkipRequiredCheck(true),
options.ScannerWithEmbeddedPolicies(!opt.DisableEmbeddedPolicies),
options.ScannerWithDebug(os.Stdout),
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

TODO: Remove prior to merge

@simar7 simar7 force-pushed the fix-relative-paths-last-good branch 2 times, most recently from 499a3ac to 1baf04c Compare April 7, 2023 00:03
@simar7 simar7 marked this pull request as ready for review April 7, 2023 00:54
@simar7 simar7 requested a review from knqyf263 as a code owner April 7, 2023 00:54
Comment on lines -418 to -421
ID: "sha256:b3ae72efb468a0e17551fa4067c1f9d9dff9a1e520b9f8191f48829ab6e8356d",
BlobIDs: []string{
"sha256:b3ae72efb468a0e17551fa4067c1f9d9dff9a1e520b9f8191f48829ab6e8356d",
},
Copy link
Member Author

@simar7 simar7 Apr 14, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

note: I've removed these assertions as the key is calculated over everything (including the file paths in the blob), which results in the key being different on different OS's (unix vs windows).

Arguably the content is more important in these tests, which is still asserted.

@simar7
Copy link
Member Author

simar7 commented Apr 14, 2023

hi @knqyf263 could you review these as you are the code owner and your review is needed to merge it in.

@knqyf263
Copy link
Collaborator

Sure. I cut v0.40.0 yesterday and have time to review it now.

rootDir = strings.TrimPrefix(filepath.ToSlash(rootDir), volume+"/")
}

results, err = scanner.ScanFS(ctx, extrafs.OSDir("/"), rootDir)
Copy link
Collaborator

@knqyf263 knqyf263 Apr 18, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

extrafs.OSDir says

Go does not currently support symlinks in io/fs

https://github.com/aquasecurity/defsec/blob/a071f4812c575431b38ce741c2138c40cfccc423/pkg/extrafs/extrafs.go#L9-L12

Is it correct? DirFS seems to follow symlinks. Am I missing something?
https://pkg.go.dev/os#DirFS

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

And it breaks container/VM image scanning since os.DirFS refers to the local filesystem. Putting Terraform files into container/VM images is rare, but we have actually seen it in the past. That is why we use memoryfs instead of the OS filesystem.

IIUC, the problem here is memoryfs and os.DirFS don't allow accessing outside the root directory. I have a plan to replace memoryfs with mapfs. What if allowing mapfs to access the outside file?

I'll raise a PR shortly. We can discuss the solution after that.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

extrafs.OSDir says

Go does not currently support symlinks in io/fs

https://github.com/aquasecurity/defsec/blob/a071f4812c575431b38ce741c2138c40cfcc423/pkg/extrafs/extrafs.go#L9-L12

https://github.com/aquasecurity/defsec/blob/a071f4812c575431b38ce741c2138c40cfccc423/pkg/extrafs/extrafs.go#L9-L12

Is it correct? DirFS seems to follow symlinks. Am I missing something? https://pkg.go.dev/os#DirFS

Hmm... I don't know the origin of that comment but I do see os.DirFS does follow symlinks as you said. Maybe that comment/commit was added pre go 1.16 and isn't relevant anymore? 🤷🏼

And it breaks container/VM image scanning since os.DirFS refers to the local filesystem. Putting Terraform files into container/VM images is rare, but we have actually seen it in the past. That is why we use memoryfs instead of the OS filesystem.

Oh interesting. We should have a test for this. Do we have any integration tests that test out container/VM images? Maybe we can add a symlinked terraform file in there to have this covered.

IIUC, the problem here is memoryfs and os.DirFS don't allow accessing outside the root directory. I have a plan to replace memoryfs with mapfs. What if allowing mapfs to access the outside file?

Yes that's the problem. I assume you are talking this mapfs right? Does it support symlinks today? I only see that it implements these https://github.com/aquasecurity/trivy/blob/main/pkg/mapfs/fs.go#L18-L22 - I assumed you would need to implement something like this: https://github.com/aquasecurity/defsec/blob/a071f4812c575431b38ce741c2138c40cfccc423/pkg/extrafs/extrafs.go#L48-L54?

I'll raise a PR shortly. We can discuss the solution after that.

Sure, add me to the review so I'll take a look at it as well.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we have any integration tests that test out container/VM images?

No, but you're right. We should have it. It was not a common case, so we were lazy 😄 .

@simar7 Can you add a test container image for Terraform here? Also, I assigned you another issue. It would be great if you take care of them.
aquasecurity/trivy-test-images#28
aquasecurity/trivy-test-images#27

Does it support symlinks today?

No, but it would be easy to support. I'll implement it.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does it support symlinks today?

It uses os.Open() under the hood, which follows symlinks. What else do we need?

trivy/pkg/mapfs/file.go

Lines 68 to 69 in cc18f92

default: // Real file
return os.Open(f.path)

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In theory, tthat should be all. The key thing would be to be able to support paths outside the memfs, including relative paths, which is what this PR tries to do with extrafs.

pkg/fanal/handler/misconf/misconf.go Outdated Show resolved Hide resolved
@knqyf263 knqyf263 mentioned this pull request Apr 20, 2023
6 tasks
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Where is this file used? I didn't find the test case.

@simar7
Copy link
Member Author

simar7 commented Apr 24, 2023

Superseeded by #4094

@simar7 simar7 closed this Apr 24, 2023
@knqyf263 knqyf263 deleted the fix-relative-paths-last-good branch June 6, 2023 06:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

trivy config on terraform skips local modules
3 participants