Unable to pass tfvars file #4006

Closed
Octogonapus opened this issue Apr 7, 2023 · 13 comments · Fixed by aquasecurity/defsec#1294, #4123 or #5333

@Octogonapus
Contributor

Description

I'm unable to pass in a .tfvars file during misconfiguration scanning using the --tf-vars option because an error occurs when using that option.

touch foo.tfvars
trivy config --tf-vars foo.tfvars .

What did you expect to happen?

The file foo.tfvars should be loaded as described in the documentation https://aquasecurity.github.io/trivy/v0.39/docs/misconfiguration/options/values/#terraform-value-overrides

What happened instead?

2023-04-07T15:27:37.990-0400    INFO    Misconfiguration scanning is enabled
2023-04-07T15:27:39.121-0400    FATAL   filesystem scan error: scan error: scan failed: failed analysis: failed to call hooks: post handler error: misconfiguration scan error: scan config error: failed to load tfvars from foo.tfvars: open foo.tfvars: file does not exist

Output of run with -debug:

2023-04-07T15:29:18.435-0400    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-04-07T15:29:18.449-0400    DEBUG   cache dir:  /home/username/.cache/trivy
2023-04-07T15:29:18.449-0400    INFO    Misconfiguration scanning is enabled
2023-04-07T15:29:18.449-0400    DEBUG   Policies successfully loaded from disk
2023-04-07T15:29:18.452-0400    DEBUG   Walk the file tree rooted at '.' in parallel
2023-04-07T15:29:19.165-0400    FATAL   filesystem scan error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.Run
        github.com/aquasecurity/trivy/pkg/commands/artifact/run.go:431
  - scan error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanArtifact
        github.com/aquasecurity/trivy/pkg/commands/artifact/run.go:266
  - scan failed:
    github.com/aquasecurity/trivy/pkg/commands/artifact.scan
        github.com/aquasecurity/trivy/pkg/commands/artifact/run.go:679
  - failed analysis:
    github.com/aquasecurity/trivy/pkg/scanner.Scanner.ScanArtifact
        github.com/aquasecurity/trivy/pkg/scanner/scan.go:146
  - failed to call hooks:
    github.com/aquasecurity/trivy/pkg/fanal/artifact/local.Artifact.Inspect
        github.com/aquasecurity/trivy/pkg/fanal/artifact/local/fs.go:182
  - post handler error:
    github.com/aquasecurity/trivy/pkg/fanal/handler.Manager.PostHandle
        github.com/aquasecurity/trivy/pkg/fanal/handler/handler.go:75
  - misconfiguration scan error:
    github.com/aquasecurity/trivy/pkg/fanal/handler/misconf.misconfPostHandler.Handle
        github.com/aquasecurity/trivy/pkg/fanal/handler/misconf/misconf.go:45
  - scan config error:
    github.com/aquasecurity/trivy/pkg/misconf.(*Scanner).Scan
        github.com/aquasecurity/trivy/pkg/misconf/scanner.go:227
  - failed to load tfvars from foo.tfvars: open foo.tfvars: file does not exist

Output of trivy -v:

Version: 0.39.0
Policy Bundle:
  Digest: sha256:2f95caeff50df1f00efdf5cb619c3b5488bbbb9bb08ef0890f52352464d35c79
  DownloadedAt: 2023-04-07 19:08:37.283915299 +0000 UTC

Additional details (base image name, container registry info...):

@Octogonapus Octogonapus added the kind/bug Categorizes issue or PR as related to a bug. label Apr 7, 2023
@itaysk itaysk added the scan/misconfiguration Issues relating to misconfiguration scanning label Apr 7, 2023
@simar7
Member

simar7 commented Apr 8, 2023

Thanks for the report, I'm looking into it.

@simar7 simar7 reopened this Apr 27, 2023
simar7 added a commit that referenced this issue Apr 27, 2023
Fixes: #4006

Signed-off-by: Simar <simar@linux.com>
simar7 added a commit that referenced this issue May 10, 2023
Fixes: #4006

Signed-off-by: Simar <simar@linux.com>
@kapilt
Contributor

kapilt commented Aug 19, 2023

This issue still exists; a tfvars outside of the module root is not found.

@itaysk
Contributor

itaysk commented Aug 25, 2023

@simar7 wdyt?

@simar7
Member

simar7 commented Sep 1, 2023

Will take a look again

@nikpivkin
Contributor

@itaysk I confirm this is a problem if .tfvars is located below the scan directory or the path to .tfvars is absolute.
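
The path cases reported in the comments above (a tfvars file outside the scan root, or one passed by absolute path), as an added Go example that is not part of the thread and not Trivy's or defsec's code. It assumes the tfvars file is opened through an `io/fs` filesystem rooted at the scan target, which produces the same `open …: file does not exist` error shape seen in the report; `sampleFS`, `resolveInRoot`, `naiveLoad`, `loadTfvars` and the `/work/...` paths are hypothetical.

```go
package main

import (
	"fmt"
	"io/fs"
	"path/filepath"
	"testing/fstest"
)

// sampleFS is a constructed in-memory tree standing in for the scan root /work/module.
func sampleFS() fs.FS {
	return fstest.MapFS{
		"main.tf":        {Data: []byte(`variable "public" {}`)},
		"env/dev.tfvars": {Data: []byte("public = false\n")},
	}
}

// resolveInRoot maps a --tf-vars argument to the root-relative name a rooted fs.FS accepts.
// ok is false when the file is outside scanRoot: io/fs names cannot be absolute or use "..".
func resolveInRoot(scanRoot, tfvars string) (string, bool) {
	root, err1 := filepath.Abs(scanRoot)
	file, err2 := filepath.Abs(tfvars)
	rel, err3 := filepath.Rel(root, file)
	if err1 != nil || err2 != nil || err3 != nil {
		return "", false
	}
	name := filepath.ToSlash(rel)
	return name, fs.ValidPath(name)
}

// naiveLoad hands the CLI argument to the rooted filesystem unchanged.
func naiveLoad(fsys fs.FS, arg string) ([]byte, error) { return fs.ReadFile(fsys, arg) }

// loadTfvars resolves the argument first and names the real cause when it is unreachable.
func loadTfvars(fsys fs.FS, scanRoot, tfvars string) ([]byte, error) {
	name, ok := resolveInRoot(scanRoot, tfvars)
	if !ok {
		return nil, fmt.Errorf("tfvars %q is outside scan root %q", tfvars, scanRoot)
	}
	return fs.ReadFile(fsys, name)
}

func main() {
	for _, p := range []string{"/work/module/env/dev.tfvars", "/work/shared/prod.tfvars"} {
		_, naive := naiveLoad(sampleFS(), p)
		data, err := loadTfvars(sampleFS(), "/work/module", p)
		fmt.Printf("%s\n  naive: %v\n  resolved: %q %v\n", p, naive, data, err)
	}
}
```

In a CI pipeline the practical consequence is that overrides which never load leave the scan evaluating module defaults, so a failed or skipped tfvars load should fail the job rather than be ignored.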

@darrenhull

Has this been released?

@simar7
Member

simar7 commented Oct 10, 2023

> Has this been released?

Not yet. It will be available in the next release of Trivy.

@kderck
Contributor

kderck commented Oct 17, 2023

Why has the issue been closed if this is still an issue and has not been merged? Please feel free to educate me if this is how it's normally done, as I'm new to the Open Source scene.

@simar7
Member

simar7 commented Oct 17, 2023

> Why has the issue been closed if this is still an issue and has not been merged? Please feel free to educate me if this is how it's normally done, as I'm new to the Open Source scene.

It was released in the latest version of Trivy as mentioned above. Are you still facing this issue?

@kderck
Contributor

kderck commented Oct 17, 2023

@simar7 Yeah, I'm having some issues. Let me get back to you with some more technical information; I'll check the version numbers on my side too.

@kderck
Contributor

kderck commented Oct 17, 2023

Let me know if I'm doing something daft!

MacOS Ventura (Version 13.5.1 (22G90)) on Apple M1
kyle@Gracies-Macbook-Air terraform-aws-waf-private-edge % trivy --version
Version: 0.46.0
Policy Bundle:
  Digest: sha256:1df8ade71efc830877ca3b1130f83e0c6368e3a45b0d4c0f0418955501644054
  DownloadedAt: 2023-10-17 17:07:37.370512 +0000 UTC
trivy config --tf-vars terraform.tfvars .
2023-10-17T19:57:10.044+0100	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-10-17T19:57:10.055+0100	DEBUG	cache dir:  /Users/kyle/Library/Caches/trivy
2023-10-17T19:57:10.055+0100	INFO	Misconfiguration scanning is enabled
2023-10-17T19:57:10.056+0100	DEBUG	Policies successfully loaded from disk
2023-10-17T19:57:10.077+0100	DEBUG	The nuget packages directory couldn't be found. License search disabled
2023-10-17T19:57:10.115+0100	DEBUG	Walk the file tree rooted at '.' in parallel
2023-10-17T19:57:10.117+0100	DEBUG	Scanning Terraform files for misconfigurations...
panic: inconsistent map element types (cty.String then cty.Bool)

goroutine 1 [running]:
github.com/zclconf/go-cty/cty.MapVal(0x14002e88c00)
	github.com/zclconf/go-cty@v1.13.0/cty/value_init.go:220 +0x3a4
github.com/hashicorp/hcl/v2/ext/typeexpr.(*Defaults).apply(0x1400033dc60, {{{0x10d18b358?, 0x14001705040?}}, {0x10c5288e0?, 0x14002e62060?}})
	github.com/hashicorp/hcl/v2@v2.17.0/ext/typeexpr/defaults.go:109 +0x8f8
github.com/hashicorp/hcl/v2/ext/typeexpr.(*Defaults).applyAsSlice(0x10d18b278?, {{{0x10d18b278?, 0x14001bbf668?}}, {0x10c0cc400?, 0x14001bbf680?}})
	github.com/hashicorp/hcl/v2@v2.17.0/ext/typeexpr/defaults.go:123 +0x184
github.com/hashicorp/hcl/v2/ext/typeexpr.(*Defaults).apply(0x1400033dc80, {{{0x10d18b278?, 0x14001bbf668?}}, {0x10c0cc400?, 0x14001bbf680?}})
	github.com/hashicorp/hcl/v2@v2.17.0/ext/typeexpr/defaults.go:65 +0x280
github.com/hashicorp/hcl/v2/ext/typeexpr.(*Defaults).applyAsMap(0x10d18b320?, {{{0x10d18b320?, 0x14001757320?}}, {0x10c5288e0?, 0x14002e7ee70?}})
	github.com/hashicorp/hcl/v2@v2.17.0/ext/typeexpr/defaults.go:136 +0x108
github.com/hashicorp/hcl/v2/ext/typeexpr.(*Defaults).apply(0x14000250840, {{{0x10d18b320?, 0x14001757320?}}, {0x10c5288e0?, 0x14002e7ee70?}})
	github.com/hashicorp/hcl/v2@v2.17.0/ext/typeexpr/defaults.go:88 +0x53c
github.com/hashicorp/hcl/v2/ext/typeexpr.(*Defaults).Apply(...)
	github.com/hashicorp/hcl/v2@v2.17.0/ext/typeexpr/defaults.go:45
github.com/aquasecurity/defsec/pkg/scanners/terraform/parser.(*evaluator).evaluateVariable(0x14000bdf8c0, 0x140016e6fc0)
	github.com/aquasecurity/defsec@v0.93.1/pkg/scanners/terraform/parser/evaluator.go:378 +0x2f4
github.com/aquasecurity/defsec/pkg/scanners/terraform/parser.(*evaluator).getValuesByBlockType(0x14000bdf8c0, {0x10a88c248, 0x8})
	github.com/aquasecurity/defsec@v0.93.1/pkg/scanners/terraform/parser/evaluator.go:414 +0x73c
github.com/aquasecurity/defsec/pkg/scanners/terraform/parser.(*evaluator).evaluateStep(0x14000bdf8c0)
	github.com/aquasecurity/defsec@v0.93.1/pkg/scanners/terraform/parser/evaluator.go:93 +0x30
github.com/aquasecurity/defsec/pkg/scanners/terraform/parser.(*evaluator).EvaluateAll(0x14000bdf8c0, {0x10d18a3e0, 0x14001b910a0})
	github.com/aquasecurity/defsec@v0.93.1/pkg/scanners/terraform/parser/evaluator.go:135 +0x154
github.com/aquasecurity/defsec/pkg/scanners/terraform/parser.(*Parser).EvaluateAll(0x140021417c0, {0x10d18a3e0, 0x14001b910a0})
	github.com/aquasecurity/defsec@v0.93.1/pkg/scanners/terraform/parser/parser.go:305 +0x47c
github.com/aquasecurity/defsec/pkg/scanners/terraform/parser.(*evaluator).EvaluateAll(0x14000b84000, {0x10d18a3e0, 0x14001b910a0})
	github.com/aquasecurity/defsec@v0.93.1/pkg/scanners/terraform/parser/evaluator.go:159 +0x368
github.com/aquasecurity/defsec/pkg/scanners/terraform/parser.(*Parser).EvaluateAll(0x14000e9e780, {0x10d18a3e0, 0x14001b910a0})
	github.com/aquasecurity/defsec@v0.93.1/pkg/scanners/terraform/parser/parser.go:305 +0x47c
github.com/aquasecurity/defsec/pkg/scanners/terraform.(*Scanner).ScanFSWithMetrics(0x14001002a20, {0x10d18a3e0, 0x14001b910a0}, {0x10d0e3900?, 0x140001a01b0}, {0x10bd01c68, 0x1})
	github.com/aquasecurity/defsec@v0.93.1/pkg/scanners/terraform/scanner.go:231 +0x4a0
github.com/aquasecurity/defsec/pkg/scanners/terraform.(*Scanner).ScanFS(0x10a89564e?, {0x10d18a3e0?, 0x14001b910a0?}, {0x10d0e3900?, 0x140001a01b0?}, {0x10bd01c68?, 0x14001261d00?})
	github.com/aquasecurity/defsec@v0.93.1/pkg/scanners/terraform/scanner.go:148 +0x38
github.com/aquasecurity/trivy/pkg/misconf.(*Scanner).Scan(0x14001161c80, {0x10d18a3e0, 0x14001b910a0}, {0x10d0e3900?, 0x14001a8b7d0?})
	github.com/aquasecurity/trivy/pkg/misconf/scanner.go:154 +0x18c
github.com/aquasecurity/trivy/pkg/fanal/analyzer/config.(*Analyzer).PostAnalyze(0x1400024de80, {0x10d18a3e0?, 0x14001b910a0?}, {{0x10d0e3900?, 0x14001a8b7d0?}, {0x9?, 0x0?}})
	github.com/aquasecurity/trivy/pkg/fanal/analyzer/config/config.go:45 +0x38
github.com/aquasecurity/trivy/pkg/fanal/analyzer.AnalyzerGroup.PostAnalyze({{0x140020f1200, 0x3, 0x4}, {0x14000f1c580, 0x7, 0x8}, 0x140010a6150}, {0x10d18a3e0, 0x14001b910a0}, 0x14000fa2280, ...)
	github.com/aquasecurity/trivy/pkg/fanal/analyzer/analyzer.go:491 +0x23c
github.com/aquasecurity/trivy/pkg/fanal/artifact/local.Artifact.Inspect({{0x16aef7950, 0x1}, {0x11a449138, 0x140026d4a70}, {{{0x0, 0x0, 0x0}, {0x1400127ce80, 0x3, 0x4}, ...}, ...}, ...}, ...)
	github.com/aquasecurity/trivy/pkg/fanal/artifact/local/fs.go:171 +0x408
github.com/aquasecurity/trivy/pkg/scanner.Scanner.ScanArtifact({{_, _}, {_, _}}, {_, _}, {{0x0, 0x0, 0x0}, {0x140026d49b0, ...}, ...})
	github.com/aquasecurity/trivy/pkg/scanner/scan.go:145 +0xa0
github.com/aquasecurity/trivy/pkg/commands/artifact.scan({_, _}, {{{0x10a89dca3, 0xa}, 0x0, 0x0, 0x1, 0x0, 0x45d964b800, {0x14000dcb440, ...}, ...}, ...}, ...)
	github.com/aquasecurity/trivy/pkg/commands/artifact/run.go:683 +0x320
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanArtifact(_, {_, _}, {{{0x10a89dca3, 0xa}, 0x0, 0x0, 0x1, 0x0, 0x45d964b800, ...}, ...}, ...)
	github.com/aquasecurity/trivy/pkg/commands/artifact/run.go:266 +0xa0
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanFS(_, {_, _}, {{{0x10a89dca3, 0xa}, 0x0, 0x0, 0x1, 0x0, 0x45d964b800, ...}, ...})
	github.com/aquasecurity/trivy/pkg/commands/artifact/run.go:214 +0xa4
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).ScanFilesystem(_, {_, _}, {{{0x10a89dca3, 0xa}, 0x0, 0x0, 0x1, 0x0, 0x45d964b800, ...}, ...})
	github.com/aquasecurity/trivy/pkg/commands/artifact/run.go:194 +0x1b0
github.com/aquasecurity/trivy/pkg/commands/artifact.Run({_, _}, {{{0x10a89dca3, 0xa}, 0x0, 0x0, 0x1, 0x0, 0x45d964b800, {0x14000dcb440, ...}, ...}, ...}, ...)
	github.com/aquasecurity/trivy/pkg/commands/artifact/run.go:427 +0x3bc
github.com/aquasecurity/trivy/pkg/commands.NewConfigCommand.func2(0x14000f5a900, {0x140020f0e40, 0x1, 0x4})
	github.com/aquasecurity/trivy/pkg/commands/app.go:679 +0x290
github.com/spf13/cobra.(*Command).execute(0x14000f5a900, {0x140020f0e00, 0x4, 0x4})
	github.com/spf13/cobra@v1.7.0/command.go:940 +0x658
github.com/spf13/cobra.(*Command).ExecuteC(0x14000db7200)
	github.com/spf13/cobra@v1.7.0/command.go:1068 +0x320
github.com/spf13/cobra.(*Command).Execute(0x10a90954b?)
	github.com/spf13/cobra@v1.7.0/command.go:992 +0x1c
main.run()
	github.com/aquasecurity/trivy/cmd/trivy/main.go:35 +0x150
main.main()
	github.com/aquasecurity/trivy/cmd/trivy/main.go:17 +0x1c

@simar7
Member

simar7 commented Oct 17, 2023

Can you share your terraform config and tfvars so we can take a look?

@kderck
Contributor

kderck commented Oct 23, 2023

Hi, the problem is with the parsing; I'll open a separate issue.
