feat: allow root break for mapfs #4094

Merged: 4 commits from mapfs_root_break into aquasecurity:main on May 11, 2023

Conversation

knqyf263 (Collaborator)

Description

In some cases, filesystem scanning needs to access outside of the specified directory.
See this comment.

Related issues

Related PRs

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).
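The PR description says a scan sometimes has to reach files above the directory passed on the command line, as the `../parent_modules/parent_sqs/main.tf` finding in the comments below shows. The following Go block is an added illustration, not code from this PR or from Trivy's mapfs package: it models a filesystem confined to a scan root, with the same "../" protection an ordinary path-traversal check provides, and an opt-in flag that lets paths climb above the root. The type and function names, the flag name, and the directory layout (`/work/terraform-module-sample/...`) are assumptions made for the example; the tool's real API is not shown on this page.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrRootBreak is returned for a path that resolves above the scan root
// while root break is disabled.
var ErrRootBreak = errors.New("path escapes scan root")

// ConfinedFS models a virtual filesystem rooted at Root (assumed here to be
// an absolute POSIX-style path). By default every lookup is confined to Root,
// the usual protection against "../" traversal. Setting AllowRootBreak opts in
// to resolving paths that climb above Root, which is what a Terraform scan
// needs to follow a module reference such as "../parent_modules/parent_sqs".
// Names are hypothetical; this is not Trivy's mapfs API.
type ConfinedFS struct {
	Root           string
	AllowRootBreak bool
}

// Resolve maps a path given relative to Root to (absolute path, display path).
// The display path is what a scanner would print, relative to Root, so a file
// above the root shows up as "../parent_modules/...". It returns ErrRootBreak
// when the result lies outside Root and AllowRootBreak is false.
func (c ConfinedFS) Resolve(rel string) (abs, display string, err error) {
	root := filepath.Clean(c.Root)
	abs = filepath.Join(root, rel) // Join cleans, so "root/../x" collapses to "parent/x"
	display, err = filepath.Rel(root, abs)
	if err != nil {
		return "", "", err
	}
	if escapes(display) && !c.AllowRootBreak {
		return "", "", fmt.Errorf("%w: %s", ErrRootBreak, rel)
	}
	return abs, filepath.ToSlash(display), nil
}

// escapes reports whether a root-relative path climbs above the root.
func escapes(rel string) bool {
	return rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

func main() {
	// Constructed layout mirroring the terraform-module-sample in the PR comments:
	//   /work/terraform-module-sample/root                                   <- scan target
	//   /work/terraform-module-sample/root/child_modules/child_sqs/main.tf
	//   /work/terraform-module-sample/parent_modules/parent_sqs/main.tf
	fsys := ConfinedFS{Root: "/work/terraform-module-sample/root"}
	for _, p := range []string{
		"child_modules/child_sqs/main.tf",
		"../parent_modules/parent_sqs/main.tf",
		"child_modules/../../../../etc/passwd", // traversal attempt: blocked only while confined
	} {
		for _, allow := range []bool{false, true} {
			fsys.AllowRootBreak = allow
			abs, display, err := fsys.Resolve(p)
			fmt.Printf("allowRootBreak=%-5v %-40s -> abs=%q display=%q err=%v\n", allow, p, abs, display, err)
		}
	}
}
```

The third sample path is the caveat: once root break is enabled, a relative reference inside scanned content can resolve to anything the scanning process can read, so the relaxation should stay limited to scanners that genuinely need it rather than becoming the default for every filesystem walk.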

@knqyf263 knqyf263 self-assigned this Apr 20, 2023
@knqyf263 knqyf263 marked this pull request as ready for review April 20, 2023 06:36
knqyf263 (Collaborator, Author)

I confirmed that #4090 and this PR help with relative paths.

$ trivy config /path/to/terraform-module-sample/root
2023-04-20T09:14:57.827+0300    INFO    Misconfiguration scanning is enabled
2023-04-20T09:14:58.115+0300    INFO    Detected config files: 3

../parent_modules/parent_sqs/main.tf (terraform)

Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

HIGH: Queue is not encrypted
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Queues should be encrypted to protect queue contents.

See https://avd.aquasec.com/misconfig/avd-aws-0096
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 ../parent_modules/parent_sqs/main.tf:1-7
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   1 ┌ resource "aws_sqs_queue" "parent_queue" {
   2 │   name                      = "parent_queue"
   3 │   delay_seconds             = 90
   4 │   max_message_size          = 2048
   5 │   message_retention_seconds = 86400
   6 │   receive_wait_time_seconds = 10
   7 └ }
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


child_modules/child_sqs/main.tf (terraform)

Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

HIGH: Queue is not encrypted
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Queues should be encrypted to protect queue contents.

See https://avd.aquasec.com/misconfig/avd-aws-0096
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 child_modules/child_sqs/main.tf:1-7
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   1 ┌ resource "aws_sqs_queue" "child_queue" {
   2 │   name                      = "child_queue"
   3 │   delay_seconds             = 90
   4 │   max_message_size          = 2048
   5 │   message_retention_seconds = 86400
   6 │   receive_wait_time_seconds = 10
   7 └ }
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

@simar7 simar7 self-requested a review April 21, 2023 00:10
simar7 (Member) commented Apr 21, 2023

> I confirmed that #4090 and this PR help with relative paths.

This is cool and the correct functionality but I'm curious as I wasn't able to get it run locally. I cherry picked the commits from this PR onto the #4090 PR and ran locally but wasn't able to see the parent issues.

/Users/simar/repos/trivy/trivy --debug config  /Users/simar/repos/defsec-issues/3575/terraform-module-sample/root
2023-04-20T18:11:28.373-0700    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-04-20T18:11:28.425-0700    DEBUG   cache dir:  /Users/simar/Library/Caches/trivy
2023-04-20T18:11:28.425-0700    INFO    Misconfiguration scanning is enabled
2023-04-20T18:11:28.426-0700    DEBUG   Policies successfully loaded from disk
2023-04-20T18:11:28.457-0700    DEBUG   Walk the file tree rooted at '/Users/simar/repos/defsec-issues/3575/terraform-module-sample/root' in parallel
2023-04-20T18:11:29.286-0700    DEBUG   OS is not detected.
2023-04-20T18:11:29.286-0700    INFO    Detected config files: 2
2023-04-20T18:11:29.286-0700    DEBUG   Scanned config file: .
2023-04-20T18:11:29.286-0700    DEBUG   Scanned config file: child_modules/child_sqs/main.tf

child_modules/child_sqs/main.tf (terraform)

Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

HIGH: Queue is not encrypted
═══════════════════════════════════════════════════════════════════════════════════════════════
Queues should be encrypted to protect queue contents.

See https://avd.aquasec.com/misconfig/avd-aws-0096
───────────────────────────────────────────────────────────────────────────────────────────────
 child_modules/child_sqs/main.tf:1-7
───────────────────────────────────────────────────────────────────────────────────────────────
   1 ┌ resource "aws_sqs_queue" "child_queue" {
   2 │   name                      = "child_queue"
   3 │   delay_seconds             = 90
   4 │   max_message_size          = 2048
   5 │   message_retention_seconds = 86400
   6 │   receive_wait_time_seconds = 10
   7 └ }
───────────────────────────────────────────────────────────────────────────────────────────────

Did I miss doing something?

knqyf263 (Collaborator, Author)

I think you have missed this change.
#4090 (comment)

I've merged the main branch and added the above change. Can you try it again?
97144fc

simar7 (Member) commented Apr 24, 2023

> I think you have missed this change. #4090 (comment)
>
> I've merged the main branch and added the above change. Can you try it again? 97144fc

Ah that might have been it. I can confirm it works now.

@knqyf263 knqyf263 merged commit e859d10 into aquasecurity:main May 11, 2023
@knqyf263 knqyf263 deleted the mapfs_root_break branch May 11, 2023 11:45