
bug(misconf): False positive reporting aws_vpc_security_group_ingress_rule terraform resource as too permissive #7455

Open
2 tasks done
simar7 opened this issue Sep 6, 2024 Discussed in #7425 · 0 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. scan/misconfiguration Issues relating to misconfiguration scanning
Milestone

Comments

simar7 commented Sep 6, 2024

Discussed in #7425

Originally posted by KashifSaadat August 30, 2024

IDs

AVD-AWS-0107

Description

Trivy complains that the security group ingress rule is allowing traffic from the public internet, referring to AVD-AWS-0107: An ingress security group rule allows traffic from /0.

The output is below:

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 telemetry.tf:38
   via telemetry.tf:35-44 (aws_vpc_security_group_ingress_rule.segment_io_to_telemetrydb)
────────────────────────────────────────
  35   resource "aws_vpc_security_group_ingress_rule" "segment_io_to_telemetrydb" {
  36     security_group_id = aws_security_group.telemetrydb.id
  37   
  38 [   cidr_ipv4   = "3.251.148.96/29"
  39     description = "Allow inbound from Segment.io to Telemetry RDS: https://segment.com/docs/connections/storage/warehouses/faq/#which-ips-should-i-allowlist"
  40     from_port   = 5432
  41     ip_protocol = "tcp"
  42     tags        = var.tags
  43     to_port     = 5432
  44   }
────────────────────────────────────────

From the above you can see that cidr_ipv4 = "3.251.148.96/29" (not 0.0.0.0/0). I noticed that if I use a /32 then it doesn't flag up.

Support for the resource was added in: #6764
An existing issue raised around this is: #6760

Reproduction Steps

Create the following:

resource "aws_security_group" "rds" {
  name        = "rds-sg"
  description = "Allow inbound traffic to RDS Instance"
  vpc_id      = var.vpc_id
}

resource "aws_vpc_security_group_ingress_rule" "segment_io_to_rds" {
  security_group_id = aws_security_group.rds.id
  cidr_ipv4         = "3.251.148.96/29"
  description       = "Allow inbound from Segment.io to RDS"
  from_port         = 5432
  ip_protocol       = "tcp"
  tags              = var.tags
  to_port           = 5432
}

Target

AWS

Scanner

Misconfiguration

Target OS

No response

Debug Output

-

Version

https://github.com/aquasecurity/trivy-action/releases/tag/0.24.0
https://github.com/aquasecurity/trivy/releases/tag/v0.53.0

Checklist
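As an added example (not Trivy's own check code, and not part of the issue), the distinction the report turns on, written in Go with net/netip: a zero-length prefix (0.0.0.0/0 or ::/0) is the only source that means "the public internet", while a /29 of public address space is a bounded allowlist and should not be reported under AVD-AWS-0107 regardless of how many hosts it contains. The IngressRule type, the Verdict values and the function names are constructed for illustration; the sample rules are constructed, the first being the /29 from the report.

```go
package main

import (
	"fmt"
	"net/netip"
)

type Verdict string // what an ingress-rule check concludes about one CIDR block

const (
	Unrestricted Verdict = "unrestricted"  // 0.0.0.0/0 or ::/0: any source on the internet
	PublicRange  Verdict = "public-range"  // routable addresses, but a bounded set of them
	PrivateRange Verdict = "private-range" // RFC 1918, ULA, loopback, link-local
	Invalid      Verdict = "invalid"
)

// ClassifyCIDR separates "open to the world" from "public but scoped": only a
// zero-length prefix is the whole internet, however many hosts a /29 holds.
func ClassifyCIDR(s string) Verdict {
	p, err := netip.ParsePrefix(s)
	if err != nil {
		return Invalid
	}
	if p.Bits() == 0 {
		return Unrestricted
	}
	a := p.Masked().Addr() // classify by the prefix's network address
	if a.IsPrivate() || a.IsLoopback() || a.IsLinkLocalUnicast() || a.IsUnspecified() {
		return PrivateRange
	}
	return PublicRange
}

// IngressRule mirrors the CIDR attributes of aws_vpc_security_group_ingress_rule.
type IngressRule struct{ CidrIPv4, CidrIPv6 string }

// AllowsPublicInternet is the check as it should behave: flag only an
// unrestricted source in either address family, never a merely public one.
func AllowsPublicInternet(r IngressRule) bool {
	return (r.CidrIPv4 != "" && ClassifyCIDR(r.CidrIPv4) == Unrestricted) ||
		(r.CidrIPv6 != "" && ClassifyCIDR(r.CidrIPv6) == Unrestricted)
}

func main() {
	// Constructed sample rules; the first is the /29 from the report.
	for _, r := range []IngressRule{{CidrIPv4: "3.251.148.96/29"},
		{CidrIPv4: "3.251.148.96/32"}, {CidrIPv4: "0.0.0.0/0"}, {CidrIPv6: "::/0"}} {
		fmt.Printf("%-18s flagged=%v\n", r.CidrIPv4+r.CidrIPv6, AllowsPublicInternet(r))
	}
}
```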

@simar7 simar7 added kind/bug Categorizes issue or PR as related to a bug. scan/misconfiguration Issues relating to misconfiguration scanning labels Sep 6, 2024
@simar7 simar7 added this to the v0.56.0 milestone Sep 6, 2024