trivy
Doesn't detect all config files, particularly CloudFormation templates
Description
Trivy doesn't detect all CloudFormation files existing in a directory when running the following command:
% trivy config ./deploy
What did you expect to happen?
Trivy should detect 4 .yaml files
deploy
├── cf-apigw-lambdas-stack.yaml
├── cf-monitoring.yaml
├── cf-s3-trust-store.yaml
└── cf-s3.yaml
What happened instead?
It detects 0 instead (in some projects where I tested this command it finds one or more files but not all)
Output of run with --debug:
% trivy config --debug ./deploy
2023-01-12T10:53:27.094+0200 DEBUG Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-01-12T10:53:27.135+0200 DEBUG cache dir: /Users/aigzha/Library/Caches/trivy
2023-01-12T10:53:27.135+0200 INFO Misconfiguration scanning is enabled
2023-01-12T10:53:27.135+0200 DEBUG Walk the file tree rooted at 'deploy' in parallel
2023-01-12T10:53:27.425+0200 DEBUG OS is not detected.
2023-01-12T10:53:27.425+0200 INFO Detected config files: 0
Output of trivy -v:
% trivy -v
Version: 0.36.1
I've also tried the command with --file-patterns but it doesn't work either.
% trivy conf --file-patterns "yaml:cf-monitoring" --debug ./deploy
2023-01-12T11:08:36.318+0200 DEBUG Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-01-12T11:08:36.361+0200 DEBUG cache dir: /Users/aigzha/Library/Caches/trivy
2023-01-12T11:08:36.361+0200 INFO Misconfiguration scanning is enabled
2023-01-12T11:08:36.361+0200 DEBUG Walk the file tree rooted at 'deploy' in parallel
2023-01-12T11:08:36.658+0200 DEBUG OS is not detected.
2023-01-12T11:08:36.658+0200 INFO Detected config files: 0
Can you please show a sample for one of the files? CF files are detected as either yaml/json files with the abstract structure of: an object with a "Resources" key which contains an object: https://github.com/aquasecurity/defsec/blob/master/pkg/detection/detect.go#L125
The following is a sample for all our CF templates with .yaml extension:
AWSTemplateFormatVersion: "2010-09-09"
Description: Example CloudFormation template, please provide correct description!
Parameters:
  ### Setup the input parameters of template here ###
Conditions:
  ### Setup the conditions here ###
Resources:
  ### Resources that will be created by this template ###
Outputs:
  ### Setup the values that need to be exported to other CloudFormation stacks here ###
I found that Trivy doesn't detect CF templates that have the following condition:
Conditions:
  ## This cryptic syntax sets SuffixResources = true if EnvName != ""
  SuffixResources: !Not [!Equals [!Ref EnvName, ""]]
@itaysk Do you have any idea why it happens?
Does this YAML pass validation, and does it parse the way you intend it to? Specifically, this value is error prone: !Not [!Equals [!Ref EnvName, ""]]
Can you try to single quote it? '!Not [!Equals [!Ref EnvName, ""]]'
The condition works for all our CF stacks. cfn-lint also doesn't complain about it. When I single quote it like you suggest, cfn-lint throws "Condition SuffixResources has invalid property".
We follow the conditions syntax -> https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-conditions.html#intrinsic-function-reference-conditions-not
@itaysk I found out that trivy can't detect the templates with the condition used in an If clause like here ->
AWSTemplateFormatVersion: "2010-09-09"
Description: some description
Parameters:
  ServiceName:
    Type: String
    Description: The service name
  EnvName:
    Type: String
    Description: Optional environment name to prefix all resources with
    Default: ""
Conditions:
  ## This cryptic syntax sets SuffixResources = true if EnvName != ""
  SuffixResources: !Not [!Equals [!Ref EnvName, ""]]
Resources:
  ErrorTimedOutMetricFilter:
    Type: AWS::Logs::MetricFilter
    Properties:
      FilterPattern: "?ERROR ?error ?Error ?\"timed out\"" # If log contains one of these error words or timed out
      LogGroupName:
        !If [
          SuffixResources,
          !Sub "/aws/lambda/${ServiceName}-${EnvName}",
          !Sub "/aws/lambda/${ServiceName}",
        ]
      MetricTransformations:
        - MetricName: !Sub "${ServiceName}-ErrorLogCount"
          MetricNamespace: market-LogMetrics
          MetricValue: 1
          DefaultValue: 0
When I use the condition directly in the !If like:
      LogGroupName:
        !If [
          !Not [!Equals [!Ref EnvName, ""]],
          !Sub "/aws/lambda/${ServiceName}-${EnvName}",
          !Sub "/aws/lambda/${ServiceName}",
        ]
Trivy detects the template.
@giorod3 I see that issue. As per my understanding it is only showing those files which are misconfigured and showing the issues in those files. I think the message is misleading as it should say "Misconfigured files detected" instead of "Config files detected". So either we need to change the message or we should count all files.
So, what I suggest is that we can change the message like this: detected config files: (total number of files scanned), detected misconfig files: (number of misconfigured files) @itaysk @giorod3
Please ignore my previous message, I thought that the yaml was invalid but it is valid. This looks like a bug in trivy.
@simar7 PTAL?
@itaysk yes, that is a bug in trivy.
@aigerim-zhalgasbekova-paf Khurram has added some comments? What do you think?
@AkhtarAmir where did they add comments?
@itaysk above the @AkhtarAmir comments.
Sorry, I don't follow. Trivy scans configuration files and may find issues in them. The config files counter message shows how many files trivy tried to scan. What's wrong with this message? Also, I don't understand how it's related to this issue?
@itaysk actually the message only shows the count of misconfig files, not all the scanned files. So that's why I mentioned this.
Does that make sense now???
What do you consider "misconfig files" and what "scanned files"? If a directory has one dockerfile and one kubernetes yaml, the message will say that trivy identified 2 config files. If the docker file has issues, then those issues would be reported as findings under that file. Does that make sense? Also, please explain how it is related to the bug discussed in this issue, otherwise we should move the discussion elsewhere.
@itaysk scanned files means the total number of files which we scanned, and misconfig files are those in which issues are reported. So we are only showing the misconfig count, not the number of files scanned. So the bug means they are thinking it is not showing the total number of files which are scanned, but we are only showing the misconfig file count, like issues reported in the file. Does that make sense now??
we are only showing the misconfig count not the number of files scanned
This isn't true as far as I understand. The message "Detected config files: 0" counts what you refer to as "scanned files", meaning configuration files that trivy attempts to scan.
The issue here is that due to a yaml parsing error Trivy didn't detect the file as cloudformation and therefore it was not scanned (which explains the "Detected config files: 0" message).
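The detection rule quoted earlier in the thread (a top-level "Resources" key whose value is an object) and the explanation just above (a parse failure made the file drop out of the count entirely), shown together as an added example that is not Trivy's or defsec's code. It is a stdlib-only Python detector: the JSON path applies the rule literally, the YAML path reads only column-0 keys and treats everything indented, including short-form intrinsic tags such as !If, !Not, !Equals, !Ref and !Sub, as opaque text, so a tag it does not understand cannot make a template vanish. scan_tree reports every file it looked at and names the ones it could not classify, which is the behaviour a scanner needs so that "0 detected" is visible as a skip rather than silent. All file names, contents and function names are constructed for this example.

```python
"""Added example (not Trivy/defsec code): a stdlib-only CloudFormation detector
that applies the rule quoted in this thread, a top-level "Resources" key whose
value is an object, while treating short-form intrinsic tags (!If, !Not,
!Equals, !Ref, !Sub) as opaque text so they cannot make a file vanish from the
count. File names and contents below are constructed samples."""
import json
import re

# A top-level YAML key starts at column 0, e.g. "Resources:" or "Outputs: {}".
_TOP_KEY = re.compile(r"^([A-Za-z][A-Za-z0-9_-]*)\s*:(.*)$")


def yaml_top_level(text):
    """Map each column-0 key to True when its value is a nested block or an
    inline {...} mapping, False when it is a scalar or empty. Indented lines
    are never interpreted, which is what keeps tags like !If harmless here."""
    lines = text.splitlines()
    result = {}
    for i, line in enumerate(lines):
        m = _TOP_KEY.match(line)
        if not m:
            continue
        key, rest = m.group(1), m.group(2).strip()
        if rest.startswith("#"):        # "Resources:  # comment" has no inline value
            rest = ""
        if rest.startswith("{"):
            result[key] = True
        elif rest:
            result[key] = False         # scalar on the same line
        else:
            # Look ahead to the first meaningful line: indented means a block value.
            nested = False
            for nxt in lines[i + 1:]:
                s = nxt.strip()
                if s and not s.startswith("#"):
                    nested = nxt[0] in " \t"
                    break
            result[key] = nested
    return result


def detect_cloudformation(text):
    """Return 'json', 'yaml' or None, using the Resources-is-an-object rule."""
    if text.lstrip().startswith("{"):
        try:
            doc = json.loads(text)
        except ValueError:
            return None
        ok = isinstance(doc, dict) and isinstance(doc.get("Resources"), dict)
        return "json" if ok else None
    return "yaml" if yaml_top_level(text).get("Resources") else None


def scan_tree(files):
    """Report every file looked at and name the ones not classified, so a
    detection failure surfaces as a listed skip rather than a silent zero."""
    detected, skipped = [], []
    for name, text in files.items():
        (detected if detect_cloudformation(text) else skipped).append(name)
    return {"seen": len(files), "detected": sorted(detected), "skipped": sorted(skipped)}


# Constructed samples: a template using the thread's !If form, a JSON template,
# a comment-only skeleton like the one posted above, and a Kubernetes manifest.
SAMPLE_FILES = {
    "cf-monitoring.yaml": """\
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  ServiceName:
    Type: String
  EnvName:
    Type: String
    Default: ""
Conditions:
  SuffixResources: !Not [!Equals [!Ref EnvName, ""]]
Resources:
  ErrorTimedOutMetricFilter:
    Type: AWS::Logs::MetricFilter
    Properties:
      LogGroupName:
        !If [
          SuffixResources,
          !Sub "/aws/lambda/${ServiceName}-${EnvName}",
          !Sub "/aws/lambda/${ServiceName}",
        ]
""",
    "cf-s3.json": '{"AWSTemplateFormatVersion": "2010-09-09", '
                  '"Resources": {"Bucket": {"Type": "AWS::S3::Bucket"}}}',
    "skeleton.yaml": 'AWSTemplateFormatVersion: "2010-09-09"\nResources:\n### none yet ###\nOutputs:\n',
    "deployment.yaml": "apiVersion: apps/v1\nkind: Deployment\nmetadata:\n  name: web\n",
}

if __name__ == "__main__":
    print(scan_tree(SAMPLE_FILES))
```

Running the block prints four files seen, two detected (the !If template and the JSON one) and two named skips: the skeleton is skipped because its Resources section holds only a comment, which matches the "contains an object" half of the rule, and the Kubernetes manifest has no Resources key at all. A real scanner should still parse the YAML fully for the actual checks; the point of the coarse first pass is that a tag the parser rejects becomes a logged skip with a file name attached instead of an unexplained zero.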
@itaysk I checked that trivy is detecting the files and scanning the files but shows only the misconfig files in which issues are detected; we are not showing the total number of files. That is the thing that I am explaining to you, it's a bug in trivy. If we want to show the total files then we need to change the message or we can show the total config files.
@r-khurram: The following are two different things:
Case 1: Scanning the template as is (before rendering the values)
There will not be any vulnerabilities because it is a template, not an actual CloudFormation file.
Case 2: Scanning the template after it is rendered
If there are any vulnerabilities here, it should be flagged. We expect that this is what's happening here. Trivy should be able to scan template files, render them and flag any misconfigurations as such.
Are you saying that the template once rendered (case 2), does not have any misconfigurations?
Please let me know if I have missed something based on your findings.
@simar7 Actually it scans all the templates but shows the flag only on the misconfig files (like the total number of files with issues), not the total number of templates scanned. So in this open issue they are saying trivy is not showing the number of scanned templates, but as per my understanding, as I checked in trivy, it is only showing the misconfig templates, not the total number of templates. So I suggest what I mentioned earlier.
Will be fixed in the next release of Trivy via https://github.com/aquasecurity/defsec/pull/1389