Ansible: variable is detected as invalid

Open markuman opened this issue 3 years ago • 4 comments

Expected Behavior

(Which results are expected from KICS?)

No medium vulnerability detected

Actual Behavior

(Formatted logs and samples helps us to better understand the issue)

CloudWatch Without Retention Period Specified, Severity: MEDIUM, Results: 2
Description: AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events
Platform: Ansible

	[1]: roles/ecs/tasks/prod.yml:118

		117:     log_group_name: "{{ item }}"
		118:     retention: "{{ retention }}"
		119:   with_items: "{{ cwlgroups }}"


	[2]: roles/ecs/tasks/test.yml:147

		146:     log_group_name: "{{ item }}"
		147:     retention: "{{ retention }}"
		148:   with_items: "{{ cwlgroups }}"

Steps to Reproduce the Problem

(Command line arguments and flags used)

Retention value is defined as a variable.

- name: create cloudwatch log groups
  cloudwatchlogs_log_group:
    log_group_name: "{{ item }}"
    retention: "{{ retention }}"
  with_items:
    - some
    - groups

Specifications

(N/A if not applicable)

  • Version: 1.5.0
  • Platform: ansible
  • Subsystem:

markuman avatar Feb 09 '22 12:02 markuman

Hello, @markuman 🙂 Thank you for contacting us.

This query reports a result for your sample because, in addition to having a rule that verifies if retention is undefined, it also has another one to check if retention is set to the valid values (1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, or 3653).

Since the value of retention ("{{ retention }}") is not being interpreted by KICS, it reports "cloudwatchlogs_log_group.retention is set and invalid". You can check the code here.

rafaela-soares avatar Feb 09 '22 15:02 rafaela-soares

Ok, the retention is defined in the same YAML playbook in a set_fact task

- name: set ecs prod variables
  set_fact:
    retention: 14

- name: create cloudwatch log groups
  cloudwatchlogs_log_group:
    log_group_name: "{{ item }}"
    retention: "{{ retention }}"
  with_items:
    - some
    - groups

markuman avatar Feb 09 '22 16:02 markuman

Using a default value also results in a false positive (imo).

    retention: "{{ retention | default(14) }}"

markuman avatar Feb 09 '22 16:02 markuman

At this moment, KICS can not interpret Ansible variables and default values. That's why the query is reporting that FP result in your sample.

We will discuss this topic as soon as possible and I will let you know the verdict 🙂

rafaela-soares avatar Feb 09 '22 17:02 rafaela-soares
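The behaviour discussed in this thread, as an added example that is not part of the issue and not KICS's own code (the real query is a Rego rule over KICS's Ansible parser; this is a Python model of the same logic). The naive check mirrors the two conditions rafaela-soares describes: report when `retention` is undefined, and report when it is set to something outside the allowed day counts. Because an unrendered `"{{ retention }}"` is a string, not a number, the naive check classes it as invalid, which is the false positive markuman hit. The `scan_playbook` helper then shows what a scanner would need in order to avoid it: walk the tasks in order, collect variables from earlier `set_fact` tasks, and honour a `| default(...)` filter before checking the value. The tasks are represented as already-parsed dicts rather than YAML so the block runs without PyYAML; the sample playbook, the function names, the verdict strings and the small template resolver (which handles only a bare variable and `var | default(x)`, far less than real Jinja2) are all this example's own constructions.

```python
import re

# Allowed CloudWatch Logs retention periods in days, as listed in the reply above.
VALID_RETENTION_DAYS = {1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653}

# Whole-value Jinja2 expression, e.g. "{{ retention }}" or "{{ retention | default(14) }}".
_TEMPLATE_RE = re.compile(r"^\s*\{\{\s*(?P<body>.+?)\s*\}\}\s*$")
# Only the "var | default(x)" form is modelled here (assumption: enough for this issue).
_DEFAULT_RE = re.compile(r"^(?P<var>[A-Za-z_][A-Za-z0-9_]*)\s*\|\s*default\(\s*(?P<val>[^)]*)\s*\)$")


def classify_retention(module):
    """Naive check modelled on the rule described in the thread.

    Returns 'undefined' when the module has no retention key, 'invalid' when the
    value is not one of the allowed day counts, else 'ok'. A template string that
    was never rendered is not an int, so it lands in 'invalid': the false positive.
    """
    if "retention" not in module:
        return "undefined"
    value = module["retention"]
    if isinstance(value, str) and value.strip().isdigit():
        value = int(value)  # YAML may carry the number as a quoted string
    if isinstance(value, bool) or not isinstance(value, int):
        return "invalid"
    return "ok" if value in VALID_RETENTION_DAYS else "invalid"


def _coerce(text):
    """Turn a default() argument such as 14 or '14' into an int where possible."""
    text = text.strip().strip("'\"")
    return int(text) if re.fullmatch(r"-?\d+", text) else text


def resolve_value(value, facts):
    """Resolve a scalar that may be a Jinja2 expression against collected facts.

    Supports a bare variable and `var | default(x)`; anything else, including a
    variable that is not known, is returned unchanged so the caller still sees it.
    """
    if not isinstance(value, str):
        return value
    m = _TEMPLATE_RE.match(value)
    if not m:
        return value
    body = m.group("body")
    d = _DEFAULT_RE.match(body)
    if d:
        var, default = d.group("var"), d.group("val")
        return facts[var] if var in facts else _coerce(default)
    return facts.get(body, value)


def scan_playbook(tasks, resolve_templates):
    """Walk tasks in order and return (task name, verdict) for each log-group task.

    With resolve_templates=False this behaves like the naive rule; with True it
    first collects set_fact variables and renders the retention value.
    """
    facts = {}
    findings = []
    for task in tasks:
        if "set_fact" in task:
            facts.update(task["set_fact"])
            continue
        module = task.get("cloudwatchlogs_log_group")
        if module is None:
            continue
        module = dict(module)
        if resolve_templates and "retention" in module:
            module["retention"] = resolve_value(module["retention"], facts)
        findings.append((task.get("name", "<unnamed>"), classify_retention(module)))
    return findings


# Constructed sample mirroring the tasks posted in the issue, plus two extra cases.
SAMPLE_PLAYBOOK = [
    {"name": "set ecs prod variables", "set_fact": {"retention": 14}},
    {"name": "create cloudwatch log groups",
     "cloudwatchlogs_log_group": {"log_group_name": "{{ item }}", "retention": "{{ retention }}"},
     "with_items": ["some", "groups"]},
    {"name": "create groups with default filter",
     "cloudwatchlogs_log_group": {"log_group_name": "{{ item }}",
                                  "retention": "{{ other_retention | default(14) }}"},
     "with_items": ["some", "groups"]},
    {"name": "group with no retention",
     "cloudwatchlogs_log_group": {"log_group_name": "/ecs/app"}},
    {"name": "group with disallowed retention",
     "cloudwatchlogs_log_group": {"log_group_name": "/ecs/app", "retention": 10}},
]

if __name__ == "__main__":
    for label, resolve in (("naive", False), ("resolved", True)):
        print(label)
        for name, verdict in scan_playbook(SAMPLE_PLAYBOOK, resolve_templates=resolve):
            print(f"  {verdict:9s} {name}")
```

Run as-is, the naive pass flags all four log-group tasks (two of them the false positives from the issue), while the resolving pass flags only the task with no retention and the one set to 10 days. The real fix is harder than the resolver here suggests: a variable may come from inventory, `vars_files`, extra-vars or a role default that the scanner never sees, so a static tool that cannot render a template has to decide between reporting it (noisy, as in this issue) and trusting it (silent on a genuinely wrong value).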