bug(misconf) Terraform module: "Failed to load module "improper constraint:" #6537

Closed
2 tasks
simar7 opened this issue Apr 22, 2024 Discussed in #6536 · 0 comments · Fixed by #6614
simar7 commented Apr 22, 2024

Introduced in v0.50.0

Discussed in #6536

Originally posted by du228 April 22, 2024

Description

We are replacing tfsec with trivy and it seems trivy can't parse the terraform module version if "version" has a complex expression.
For example, if the terraform configuration has code similar to this one:

module "sql_instance" {
  source           = "GoogleCloudPlatform/sql-db/google//modules/postgresql"
  version          = "~> 15.0"
  <.....>
}

trivy will end up with this in the debug log:

terraform.parser.<root>.evaluator locating non-initialized module 'GoogleCloudPlatform/sql-db/google//modules/postgresql'...
2024-04-22T14:44:40.600+0100	DEBUG	[misconf] 44:40.600037000 terraform.parser.<root>.evaluator.resolver Resolving module 'module.sql_instance' with source: 'GoogleCloudPlatform/sql-db/google//modules/postgresql'...
2024-04-22T14:44:40.600+0100	DEBUG	[misconf] 44:40.600047000 terraform.parser.<root>.evaluator.resolver Trying to resolve: a58e44ba4dc30d9f3d6d01d6a4a35b14
2024-04-22T14:44:40.600+0100	DEBUG	[misconf] 44:40.600054000 terraform.parser.<root>.evaluator.resolver Requesting module versions from registry using 'https://registry.terraform.io/v1/modules/GoogleCloudPlatform/sql-db/google/versions'...
2024-04-22T14:44:40.723+0100	DEBUG	[misconf] 44:40.723667000 terraform.parser.<root>.evaluator Failed to load module "improper constraint: ~> 15.0". Maybe try 'terraform init'?

and no scan will be performed for this module.

Desired Behavior

In tfsec it worked as expected:

51:13.657204000 terraform.parser.<root>.evaluator.resolver Requesting module versions from registry using 'https://registry.terraform.io/v1/modules/GoogleCloudPlatform/sql-db/google/versions'...
51:13.828185000 terraform.parser.<root>.evaluator.resolver Found version '15.0.0' for constraint '~> 15.0'
51:13.828205000 terraform.parser.<root>.evaluator.resolver Requesting module source from registry using 'https://registry.terraform.io/v1/modules/GoogleCloudPlatform/sql-db/google/15.0.0/download'...

If we set a simple expression instead, trivy works as expected (change "~> 15.0" to "> 15.0"):

DEBUG	[misconf] 12:59.156899000 terraform.parser.<root>.evaluator locating non-initialized module 'GoogleCloudPlatform/sql-db/google//modules/postgresql'...
DEBUG	[misconf] 12:59.156903000 terraform.parser.<root>.evaluator.resolver Resolving module 'module.sql_instance' with source: 'GoogleCloudPlatform/sql-db/google//modules/postgresql'...
DEBUG	[misconf] 12:59.156915000 terraform.parser.<root>.evaluator.resolver Trying to resolve: 0a6de5ac8bcd692335b618d0accbd9d8
DEBUG	[misconf] 12:59.156924000 terraform.parser.<root>.evaluator.resolver Requesting module versions from registry using 'https://registry.terraform.io/v1/modules/GoogleCloudPlatform/sql-db/google/versions'...
DEBUG	[misconf] 12:59.374119000 terraform.parser.<root>.evaluator.resolver Found version '20.0.0' for constraint '> 15.0'
DEBUG	[misconf] 12:59.374155000 terraform.parser.<root>.evaluator.resolver Requesting module source from registry using 'https://registry.terraform.io/v1/modules/GoogleCloudPlatform/sql-db/google/20.0.0/download'...
DEBUG	[misconf] 12:59.644712000 terraform.parser.<root>.evaluator.resolver Module 'module.sql_instance' resolved via registry to new source: 'git::https://github.com/terraform-google-modules/terraform-google-sql-db?ref=fc37d6e6a7c37625ea95770d386e4b3033926926'

Actual Behavior

Failed to load module "improper constraint: ~> 15.0"

Reproduction Steps

1. Create a terraform config with a publicly available module and a version of "~> xx.xx"
2. run `trivy fs --scanners misconfig -d .`

Target

Filesystem

Scanner

Misconfiguration

Output Format

None

Mode

Standalone

Debug Output

2024-04-22T14:44:40.600+0100	DEBUG	[misconf] 44:40.600032000 terraform.parser.<root>.evaluator locating non-initialized module 'GoogleCloudPlatform/sql-db/google//modules/postgresql'...
2024-04-22T14:44:40.600+0100	DEBUG	[misconf] 44:40.600037000 terraform.parser.<root>.evaluator.resolver Resolving module 'module.sql_instance' with source: 'GoogleCloudPlatform/sql-db/google//modules/postgresql'...
2024-04-22T14:44:40.600+0100	DEBUG	[misconf] 44:40.600047000 terraform.parser.<root>.evaluator.resolver Trying to resolve: a58e44ba4dc30d9f3d6d01d6a4a35b14
2024-04-22T14:44:40.600+0100	DEBUG	[misconf] 44:40.600054000 terraform.parser.<root>.evaluator.resolver Requesting module versions from registry using 'https://registry.terraform.io/v1/modules/GoogleCloudPlatform/sql-db/google/versions'...
2024-04-22T14:44:40.723+0100	DEBUG	[misconf] 44:40.723667000 terraform.parser.<root>.evaluator Failed to load module "improper constraint: ~> 15.0". Maybe try 'terraform init'?

Operating System

macOS Sonoma

Version

Version: 0.50.0

Checklist
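The two constraints compared in the report, as an added example (not trivy's or tfsec's code): a stdlib-only Go resolver that implements the pessimistic `~>` operator and the plain `>` operator the way Terraform defines them and picks the highest matching version from a constructed registry list, rejecting anything else as an improper constraint. It assumes numeric major.minor.patch versions with each component below 2^20.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// parseVer packs "15.2.1" into major<<40|minor<<20|patch so versions compare as
// integers, and reports the component count: "~> 15.0" and "~> 15.0.0" differ.
func parseVer(s string) (k, n int, err error) {
	parts := strings.Split(strings.TrimSpace(s), ".")
	for i, p := range parts {
		x, e := strconv.Atoi(p)
		if i > 2 || e != nil || x < 0 || x >= 1<<20 {
			return 0, 0, fmt.Errorf("bad version %q", s)
		}
		k |= x << (40 - 20*i)
	}
	return k, len(parts), nil
}

// Resolve returns the highest available version satisfying the constraint (or ""
// if none), as the registry resolver in the debug log does. ">" compares plainly;
// "~>" (pessimistic) is >= base and below the next minor (3-component base) or major.
func Resolve(constraint string, available []string) (string, error) {
	c, op := strings.TrimSpace(constraint), ""
	for _, o := range []string{"~>", ">"} { // longest operator first
		if strings.HasPrefix(c, o) {
			op, c = o, c[len(o):]
		}
	}
	lo, n, err := parseVer(c)
	if op == "" || err != nil {
		return "", fmt.Errorf("improper constraint: %s", constraint)
	}
	shift := 40 // "~> 15.0": >= 15.0.0, < 16.0.0
	if n == 3 {
		shift = 20 // "~> 15.0.0": >= 15.0.0, < 15.1.0
	}
	hi := (lo>>shift + 1) << shift
	found, best := "", -1
	for _, s := range available {
		k, _, err := parseVer(s)
		if err == nil && k > best && (op == ">" && k > lo || op == "~>" && k >= lo && k < hi) {
			found, best = s, k
		}
	}
	return found, nil
}
```

Against a constructed list such as 14.1.0, 15.0.0, 15.2.1, 16.0.0, 20.0.0, "~> 15.0" resolves to 15.2.1 while "> 15.0" resolves to 20.0.0, which is what the report's second log shows. Loosening the constraint as a workaround therefore makes the scanner evaluate a different major version of the module than `terraform init` would deploy.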

@simar7 simar7 added the kind/bug Categorizes issue or PR as related to a bug. label Apr 22, 2024
@nikpivkin nikpivkin added the scan/misconfiguration Issues relating to misconfiguration scanning label May 3, 2024
@nikpivkin nikpivkin self-assigned this May 3, 2024
@simar7 simar7 added this to the v0.52.0 milestone May 4, 2024