
AWS Scan crashes on S3 Bucket Encryption policy check

Open gjkamstra opened this issue 1 year ago • 1 comment

Description

Scanning an AWS account with trivy aws --region eu-west-1 crashes Trivy during S3 scan.

What did you expect to happen?

No crash and a generated report

What happened instead?

Trivy crashed

Output of run with -debug:

2022-12-07T14:13:00.193+0100    DEBUG   [defsec] 13:00.193512000 aws-api.scanner.adapt.aws        Running adapter for s3...
[28/32] Scanning s3...
└╴Discovering buckets... [progress bar]   0% 0/9 ??/s ETA: ??m??s
└╴Discovering buckets... [progress bar]  22% 2/9 33/s ETA: 00m00s
2022-12-07T14:13:00.605+0100    DEBUG   [defsec] 13:00.605490000 aws-api.scanner.adapt.aws        Error getting public access block: operation error S3: GetPublicAccessBlock, https response error StatusCode: 404, RequestID: 53M9DS7MJAW6AGVR, HostID: OH51matBd+MQ7HjnJm2DXNBhfjzd9u22x5ZmMrnI/u71ivmQfstEyyE3BopG1IGNqteC6WG7DK0=, api error NoSuchPublicAccessBlockConfiguration: The public access block configuration was not found
2022-12-07T14:13:00.615+0100    DEBUG   [defsec] 13:00.615063000 aws-api.scanner.adapt.aws        Error getting public access block: operation error S3: GetPublicAccessBlock, https response error StatusCode: 404, RequestID: 53MDZNH1A4DQ3RVB, HostID: C4w207Jq5dZcNVv/PM0JwOEJWNpMXmhT4XelS514UaCFiEDKPnq9T4UllvbxDdeSHGrLuQNQFK0=, api error NoSuchPublicAccessBlockConfiguration: The public access block configuration was not found
2022-12-07T14:13:00.628+0100    DEBUG   [defsec] 13:00.628442000 aws-api.scanner.adapt.aws        Error getting public access block: operation error S3: GetPublicAccessBlock, https response error StatusCode: 404, RequestID: 53MEPHJFKJH4ARZP, HostID: uZSNPrMwbdNiUaaKtIYhyRi4r0tlSOc8qq+PLAfbbll648GeDMp4FR9xg3v4GpjjChogdn7ZZ+0=, api error NoSuchPublicAccessBlockConfiguration: The public access block configuration was not found
2022-12-07T14:13:00.628+0100    DEBUG   [defsec] 13:00.628451000 aws-api.scanner.adapt.aws        Error getting public access block: operation error S3: GetPublicAccessBlock, https response error StatusCode: 404, RequestID: 53MD2X5F6FZ4NDK4, HostID: TQuMTdXs0dqtH0SphUctkZUSPAcKAnQqH9gZQcJliQTUUqebUz9wLbAP8oXVy10ZAz+Xn3tAqzw=, api error NoSuchPublicAccessBlockConfiguration: The public access block configuration was not found
2022-12-07T14:13:00.632+0100    DEBUG   [defsec] 13:00.632591000 aws-api.scanner.adapt.aws        Error getting public access block: operation error S3: GetPublicAccessBlock, https response error StatusCode: 404, RequestID: 53M766WA3DV8T1XW, HostID: 3apI5sPLtUL1lrD9rvwV2IRA3bf8ESHojJ6GgJHxgs2Bf+1GW3R70upVJbuIWu8l9P0WaMgOmdE=, api error NoSuchPublicAccessBlockConfiguration: The public access block configuration was not found
2022-12-07T14:13:00.636+0100    DEBUG   [defsec] 13:00.636072000 aws-api.scanner.adapt.aws        Error getting public access block: operation error S3: GetBucketPolicy, https response error StatusCode: 404, RequestID: 53MEMQCFSKCN23ZV, HostID: CDClRhhcs7e8KzFCxpVEt4dbxZhd1wKnlUFF2dfV+a7wSzT73LUvcNCsUiFUa2Cjk2h/ISyOOVluAhB1g5DCQQ==, api error NoSuchBucketPolicy: The bucket policy does not exist
2022-12-07T14:13:00.636+0100    DEBUG   [defsec] 13:00.636451000 aws-api.scanner.adapt.aws        Error getting public access block: operation error S3: GetBucketPolicy, https response error StatusCode: 404, RequestID: 53MEZ8E11S2C7488, HostID: B+UilYIysuby6qGaNbNUpmoLZDsCRPYo2fSicajOoP9iJaiynKQr47jAq9rUDzu/kXvJPxxvios=, api error NoSuchBucketPolicy: The bucket policy does not exist
2022-12-07T14:13:00.645+0100    DEBUG   [defsec] 13:00.645324000 aws-api.scanner.adapt.aws        Error getting public access block: operation error S3: GetBucketPolicy, https response error StatusCode: 404, RequestID: 53MCD90PAZ1X4NNY, HostID: 0XyIrcD3e9fcIGvaUtRqMWHw2pkMEKdxlPUD98aufU+yE4h0X6rPR0bh0Ri8c1+URTkowGjz7ls=, api error NoSuchBucketPolicy: The bucket policy does not exist
2022-12-07T14:13:00.660+0100    DEBUG   [defsec] 13:00.660463000 aws-api.scanner.adapt.aws        Error getting public access block: operation error S3: GetBucketPolicy, https response error StatusCode: 404, RequestID: 53M5SVR2E5RCNA6E, HostID: YMj9NdUD8TYc2yEnty664vp8tXWxNx/k2/VdfnCikxPdYeuRPhc10Mzripp86Li91AhVKEHood8=, api error NoSuchBucketPolicy: The bucket policy does not exist
2022-12-07T14:13:00.660+0100    DEBUG   [defsec] 13:00.660468000 aws-api.scanner.adapt.aws        Error getting public access block: operation error S3: GetBucketPolicy, https response error StatusCode: 404, RequestID: 53MF880BM29J5K44, HostID: YDFb57zYehmWvbiRSZw0xaxYsDMVTtmSVeP2kmw3B8CsQoUeMosYL7Ugo6WQVhJYJVcG4AomnxU=, api error NoSuchBucketPolicy: The bucket policy does not exist
2022-12-07T14:13:00.663+0100    DEBUG   [defsec] 13:00.663553000 aws-api.scanner.adapt.aws        Error getting public access block: operation error S3: GetBucketPolicy, https response error StatusCode: 404, RequestID: 53M4NZ4BRTJ63QY4, HostID: KRXzr8Go3sh9I8kw6TRGWsvtp3nUPy/SB3IAHWfG7O084RLrOMdTk3TyP6wvkUHVnqqZBqAgxfY=, api error NoSuchBucketPolicy: The bucket policy does not exist
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x431c956]

goroutine 1964 [running]:
github.com/aquasecurity/defsec/internal/adapters/cloud/aws/s3.(*adapter).getBucketEncryption(_, _, {{{0xc002f74100, 0x40}, 0x0, 0x0, {0x7c55651, 0x6}, 0x0, {0x0, ...}, ...}, ...})
        /home/runner/go/pkg/mod/github.com/aquasecurity/[email protected]/internal/adapters/cloud/aws/s3/s3.go:197 +0x716
github.com/aquasecurity/defsec/internal/adapters/cloud/aws/s3.(*adapter).adaptBucket(0xc0003d0810, {0xc0038e53e0?, 0xc00365c380?, {}})
        /home/runner/go/pkg/mod/github.com/aquasecurity/[email protected]/internal/adapters/cloud/aws/s3/s3.go:95 +0x56a
github.com/aquasecurity/defsec/pkg/concurrency.Adapt[...].func1(0x0?)
        /home/runner/go/pkg/mod/github.com/aquasecurity/[email protected]/pkg/concurrency/adapter.go:18 +0x27
github.com/aquasecurity/defsec/pkg/concurrency.AdaptWithState[...].func1()
        /home/runner/go/pkg/mod/github.com/aquasecurity/[email protected]/pkg/concurrency/adapter.go:42 +0xea
created by github.com/aquasecurity/defsec/pkg/concurrency.AdaptWithState[...]
        /home/runner/go/pkg/mod/github.com/aquasecurity/[email protected]/pkg/concurrency/adapter.go:35 +0x1c7

Output of trivy -v:

Version: 0.35.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2022-12-06 12:09:36.838371452 +0000 UTC
  NextUpdate: 2022-12-06 18:09:36.838371152 +0000 UTC
  DownloadedAt: 2022-12-06 14:29:21.199793 +0000 UTC

Additional details (base image name, container registry info...):

gjkamstra avatar Dec 07 '22 13:12 gjkamstra
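The trace above ends in `getBucketEncryption` at `s3.go:197` with a nil pointer dereference, right after a run of 404-class API errors (`NoSuchPublicAccessBlockConfiguration`, `NoSuchBucketPolicy`) that the adapter logs and survives. The page does not show the defsec code at that line, so the exact cause is not established here; the pattern the trace is consistent with is an S3 `GetBucketEncryption` call that returns an error (for a bucket with no encryption configuration, S3 answers with `ServerSideEncryptionConfigurationNotFoundError`) and a nil output that is then dereferenced. The Go block below is an added example, not defsec's or Trivy's code, showing how a cloud adapter can treat a "not configured" API error as a finding rather than a crash, and surface every other error to the caller. The output types, the `apiError` interface (the `ErrorCode`/`ErrorMessage` subset of the AWS SDK for Go v2 `smithy.APIError`) and the `mockAPIError`/`simulatedSDKError` helpers are local stand-ins defined so the example runs offline; the field names follow the SDK's `s3.GetBucketEncryptionOutput` shape.

```go
package main

import (
	"errors"
	"fmt"
)

// Local mirrors of the AWS SDK for Go v2 response types (assumed shape, field
// names follow s3.GetBucketEncryptionOutput). Pointers are nil when the call
// fails, which is exactly what an adapter must not dereference blindly.
type ApplyServerSideEncryptionByDefault struct {
	SSEAlgorithm   string
	KMSMasterKeyID *string
}

type ServerSideEncryptionRule struct {
	ApplyServerSideEncryptionByDefault *ApplyServerSideEncryptionByDefault
	BucketKeyEnabled                   bool
}

type ServerSideEncryptionConfiguration struct {
	Rules []ServerSideEncryptionRule
}

type GetBucketEncryptionOutput struct {
	ServerSideEncryptionConfiguration *ServerSideEncryptionConfiguration
}

// apiError is the subset of smithy.APIError this adapter needs.
type apiError interface {
	error
	ErrorCode() string
	ErrorMessage() string
}

// mockAPIError is a constructed error standing in for the SDK's typed API error.
type mockAPIError struct{ code, msg string }

func (e *mockAPIError) Error() string        { return e.code + ": " + e.msg }
func (e *mockAPIError) ErrorCode() string    { return e.code }
func (e *mockAPIError) ErrorMessage() string { return e.msg }

// simulatedSDKError wraps the API error the way the SDK's OperationError does,
// so errors.As has to unwrap it (constructed for the example).
func simulatedSDKError(code, msg string) error {
	return fmt.Errorf("operation error S3: GetBucketEncryption: %w", &mockAPIError{code: code, msg: msg})
}

// BucketEncryption is the adapter's normalized view of a bucket's default SSE.
type BucketEncryption struct {
	Enabled   bool
	Algorithm string
	KMSKeyID  string
}

// sseNotFound is the S3 error code returned when a bucket has no default
// encryption configuration. It is a finding ("encryption not configured"),
// not a scanner failure.
const sseNotFound = "ServerSideEncryptionConfigurationNotFoundError"

// adaptBucketEncryption turns the raw (output, err) pair of a GetBucketEncryption
// call into BucketEncryption. It never dereferences a nil output, maps the
// not-found code to Enabled=false, and returns every other error unchanged so
// the caller can decide whether AccessDenied or throttling aborts the scan.
func adaptBucketEncryption(out *GetBucketEncryptionOutput, err error) (BucketEncryption, error) {
	var enc BucketEncryption
	if err != nil {
		var apiErr apiError
		if errors.As(err, &apiErr) && apiErr.ErrorCode() == sseNotFound {
			return enc, nil // bucket exists, no SSE config: report as unencrypted
		}
		return enc, fmt.Errorf("get bucket encryption: %w", err)
	}
	if out == nil || out.ServerSideEncryptionConfiguration == nil {
		return enc, nil // defensive: nil output with nil error is still "not configured"
	}
	for _, rule := range out.ServerSideEncryptionConfiguration.Rules {
		def := rule.ApplyServerSideEncryptionByDefault
		if def == nil {
			continue
		}
		enc.Enabled = true
		enc.Algorithm = def.SSEAlgorithm
		if def.KMSMasterKeyID != nil {
			enc.KMSKeyID = *def.KMSMasterKeyID
		}
		break // S3 returns a single rule
	}
	return enc, nil
}

func main() {
	// Constructed inputs: an unconfigured bucket, a permission failure, a KMS bucket.
	fmt.Println(adaptBucketEncryption(nil, simulatedSDKError(sseNotFound, "The server side encryption configuration was not found")))
	fmt.Println(adaptBucketEncryption(nil, simulatedSDKError("AccessDenied", "Access Denied")))
	key := "arn:aws:kms:eu-west-1:111122223333:key/example" // constructed ARN
	out := &GetBucketEncryptionOutput{ServerSideEncryptionConfiguration: &ServerSideEncryptionConfiguration{
		Rules: []ServerSideEncryptionRule{{ApplyServerSideEncryptionByDefault: &ApplyServerSideEncryptionByDefault{SSEAlgorithm: "aws:kms", KMSMasterKeyID: &key}}},
	}}
	fmt.Println(adaptBucketEncryption(out, nil))
}
```

The distinction the adapter draws is the one that matters for a scanner: a 404-style "configuration not found" is data about the target and belongs in the report, while AccessDenied or a throttled request means the scanner could not observe the bucket and must not silently report it as compliant.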

Thanks for the report - could you try with the latest version of Trivy? We've made some changes to the logic this uses and hopefully it isn't tripped again as it did here. Please report if it does with another output along with -debug as you mentioned here.

simar7 avatar Jan 10 '23 23:01 simar7

Please reopen if the issue still persists. Thanks.

simar7 avatar Mar 02 '23 22:03 simar7