Misconfig of AVD-AWS-0057 with format function not detecting

[rangamani54]

IDs

AVD-AWS-0057

Description

In the latest version of trivy 0.49.1. It's not able to detect no policy wildcard for resources s3 bucket when we use format function format("%s/*", aws_s3_bucket.example.arn) AVD-AWS-0057 to the mentioned actions.

resource "aws_iam_role_policy" "test_policy" {
 	name = "test_policy"
 	role = aws_iam_role.test_role.id
       policy = data.aws_iam_policy_document.s3_policy.json
 }
 
 resource "aws_iam_role" "test_role" {
 	name = "test_role"
 	assume_role_policy = jsonencode({
 		Version = "2012-10-17"
 		Statement = [
 		{
 			Action = "sts:AssumeRole"
 			Effect = "Allow"
 			Sid    = ""
 			Principal = {
 			Service = "s3.amazonaws.com"
 			}
 		},
 		]
 	})
 }
 
 data "aws_iam_policy_document" "s3_policy" {
   statement {
     principals {
       type        = "AWS"
       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
     }
     actions   = ["s3:GetObject",
      "s3:PutObject",
      "s3:DeleteObject",
      "s3:ListBucket"]
     resources = [aws_s3_bucket.example.arn,
                         format("%s/*", aws_s3_bucket.example.arn)
]
   }
 }

Reproduction Steps

1. Run 'trivy config a.tf' to the above terraform code in a.tf file.
...

Target

AWS

Scanner

Misconfiguration

Target OS

Ubuntu:22.04

Debug Output

trivy config a.tf --debug
2024-03-05T18:00:30.783+0530    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2024-03-05T18:00:30.786+0530    DEBUG   cache dir:  /home/mani/.cache/trivy
2024-03-05T18:00:30.786+0530    INFO    Misconfiguration scanning is enabled
2024-03-05T18:00:30.786+0530    DEBUG   Policies successfully loaded from disk
2024-03-05T18:00:30.786+0530    DEBUG   Enabling misconfiguration scanners: [azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan]
2024-03-05T18:00:30.790+0530    DEBUG   The nuget packages directory couldn't be found. License search disabled
2024-03-05T18:00:30.799+0530    DEBUG   Walk the file tree rooted at 'a.tf' in series
2024-03-05T18:00:30.799+0530    DEBUG   Scanning Terraform files for misconfigurations...
2024-03-05T18:00:30.799+0530    DEBUG   [misconf] 00:30.799675608 terraform.scanner                Scanning [&{%!s(*mapfs.file=&{ [] {. 256 2147484096 {13939170784198616785 494844156 0xcb94700} <nil>} {{{0 0} {[] {} 0xc001b94110} map[a.tf:0xc001ea8188] 0}}}) }] at '.'...
2024-03-05T18:00:30.801+0530    DEBUG   [misconf] 00:30.801599760 terraform.scanner.rego           Overriding filesystem for policies!
2024-03-05T18:00:30.847+0530    DEBUG   [misconf] 00:30.847325650 terraform.scanner.rego           Loaded 190 policies from disk.
2024-03-05T18:00:30.847+0530    DEBUG   [misconf] 00:30.847815944 terraform.scanner.rego           Overriding filesystem for data!
2024-03-05T18:00:31.205+0530    DEBUG   [misconf] 00:31.205250452 terraform.scanner                Scanning root module '.'...
2024-03-05T18:00:31.205+0530    DEBUG   [misconf] 00:31.205311053 terraform.parser.<root>          Setting project/module root to '.'
2024-03-05T18:00:31.205+0530    DEBUG   [misconf] 00:31.205316677 terraform.parser.<root>          Parsing FS from '.'
2024-03-05T18:00:31.205+0530    DEBUG   [misconf] 00:31.205333758 terraform.parser.<root>          Parsing 'a.tf'...
2024-03-05T18:00:31.205+0530    DEBUG   [misconf] 00:31.205722019 terraform.parser.<root>          Added file a.tf.
2024-03-05T18:00:31.205+0530    DEBUG   [misconf] 00:31.205769380 terraform.parser.<root>          Evaluating module...
2024-03-05T18:00:31.206+0530    DEBUG   [misconf] 00:31.206234343 terraform.parser.<root>          Read 3 block(s) and 0 ignore(s) for module 'root' (1 file[s])...
2024-03-05T18:00:31.206+0530    DEBUG   [misconf] 00:31.206275282 terraform.parser.<root>          Added 0 variables from tfvars.
2024-03-05T18:00:31.206+0530    DEBUG   [misconf] 00:31.206517236 terraform.parser.<root>          Error loading module metadata: open .terraform/modules/modules.json: file does not exist.
2024-03-05T18:00:31.207+0530    DEBUG   [misconf] 00:31.206997528 terraform.parser.<root>          Working directory for module evaluation is '/home/mani'
2024-03-05T18:00:31.207+0530    DEBUG   [misconf] 00:31.207256121 terraform.parser.<root>.evaluator Filesystem key is 'c934b8df889062ab46f419146a406a0c2f61e57389e1e99078b0be2772eaab8d'
2024-03-05T18:00:31.207+0530    DEBUG   [misconf] 00:31.207282125 terraform.parser.<root>.evaluator Starting module evaluation...
2024-03-05T18:00:31.207+0530    DEBUG   [misconf] 00:31.207824866 terraform.parser.<root>.evaluator Starting submodule evaluation...
2024-03-05T18:00:31.207+0530    DEBUG   [misconf] 00:31.207845448 terraform.parser.<root>.evaluator Finished processing 0 submodule(s).
2024-03-05T18:00:31.207+0530    DEBUG   [misconf] 00:31.207855121 terraform.parser.<root>.evaluator Starting post-submodule evaluation...
2024-03-05T18:00:31.208+0530    DEBUG   [misconf] 00:31.208196627 terraform.parser.<root>.evaluator Module evaluation complete.
2024-03-05T18:00:31.208+0530    DEBUG   [misconf] 00:31.208212176 terraform.parser.<root>          Finished parsing module 'root'.
2024-03-05T18:00:31.208+0530    DEBUG   [misconf] 00:31.208231071 terraform.executor               Adapting modules...
2024-03-05T18:00:31.208+0530    DEBUG   [misconf] 00:31.208654545 terraform.executor               Adapted 1 module(s) into defsec state data.
2024-03-05T18:00:31.208+0530    DEBUG   [misconf] 00:31.208701753 terraform.executor               Using max routines of 15
2024-03-05T18:00:31.208+0530    DEBUG   [misconf] 00:31.208719857 terraform.executor               Applying state modifier functions...
2024-03-05T18:00:31.209+0530    DEBUG   [misconf] 00:31.209473942 terraform.executor               Initialised 484 rule(s).
2024-03-05T18:00:31.209+0530    DEBUG   [misconf] 00:31.209545302 terraform.executor               Created pool with 15 worker(s) to apply rules.
2024-03-05T18:00:31.209+0530    DEBUG   [misconf] 00:31.209988939 terraform.scanner.rego           Scanning 1 inputs...
2024-03-05T18:00:31.216+0530    DEBUG   [misconf] 00:31.216072128 terraform.executor               Finished applying rules.
2024-03-05T18:00:31.216+0530    DEBUG   [misconf] 00:31.216117556 terraform.executor               Applying ignores...
2024-03-05T18:00:31.230+0530    DEBUG   OS is not detected.
2024-03-05T18:00:31.230+0530    INFO    Detected config files: 2
2024-03-05T18:00:31.230+0530    DEBUG   Scanned config file: .
2024-03-05T18:00:31.230+0530    DEBUG   Scanned config file: a.tf

Version

Version: 0.49.1
Policy Bundle:
  Digest: sha256:cdff1bc8c97e4f5cd04782b057c00f5ea8cd81147a506ac4be76bef13710f2d3
  DownloadedAt: 2024-03-04 19:11:47.102100345 +0000 UTC

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

[simar7]

@nikpivkin can you take a look?

[rangamani54]

It's detecting in the 0.48.3 version. Later, when we upgrade to 0.49.1 version even without ignore inline comment, it's not able to detect. Is it kind of bug or feature.

[nikpivkin]

Hi @rangamani54 !

The fact that this check worked in previous versions was a bug. Now it is fixed, as wildcard is allowed at object level.

[rangamani54]

Thank you very much @nikpivkin