feat(terraform): hyphen and non-ASCII support for domain names in credential extraction

Status: Open. Opened by nikpivkin 1 year ago, 0 comments.

Discussed in https://github.com/aquasecurity/trivy/discussions/6067

Originally posted by adam-carruthers February 5, 2024

Description

Here is the trivy code that finds the token for private terraform registry modules:

envVar := fmt.Sprintf("TF_TOKEN_%s", strings.ReplaceAll(hostname, ".", "_"))

https://github.com/aquasecurity/trivy-iac/blob/3d8e412cf0ab0c8ad0296df8a01363a3ed7efe85/pkg/scanners/terraform/parser/resolvers/registry.go#L58

This correctly changes the '.' characters in hostnames to '_', but that's not the only transformation that needs to be done. It also needs to look for a second env var with the '-' characters encoded as '__'. From the terraform docs:

Hyphens are also valid within host names but usually invalid as variable names and may be encoded as double underscores. For example, you can set a token for the domain name café.fr as TF_TOKEN_xn--caf-dma.fr, TF_TOKEN_xn--caf-dma_fr, or TF_TOKEN_xn____caf__dma_fr. If multiple variables evaluate to the same hostname, Terraform will choose the one defined last in the operating system's variable table.

https://developer.hashicorp.com/terraform/cli/config/config-file

I really need this change, because I pass the token through the TF_TOKEN variable, but the hostname has a - and I am using Ubuntu that doesn't allow - in environment variables, so trivy can't find my

Desired Behavior

When I used my environment variable TF_TOKEN_some__site_with_hash_com trivy recognised it as the terraform private registry token for some-site.with.hash.com

Actual Behavior

Trivy didn't recognise my environment variable and I couldn't connect it to the private registry.

Reproduction Steps

  1. Add terraform code to a folder that uses some imaginary remote repository (doesn't have to be real):

     module "fake" {
       source = "some-site.with.hash.com/something/foobar/aws"
     }

  2. Add the environment variable in your bash terminal:

     export TF_TOKEN_some__site_with_hash_com=abcdef

  3. Run trivy in debug mode:

     trivy config --skip-dirs .terraform -d .

  4. Observe in the debug output that it didn't find the token.

Target

Filesystem

Scanner

Misconfiguration

Output Format

None

Mode

Standalone

Debug Output

2024-02-05T13:59:27.594Z        DEBUG   [misconf] 59:27.594451288 terraform.parser.<root>.evaluator.resolver Resolving module 'module.fake' with source: 'some-site.with.hash.com/something/foobar/aws'...
2024-02-05T13:59:27.594Z        DEBUG   [misconf] 59:27.594463619 terraform.parser.<root>.evaluator.resolver Trying to resolve: 4f54644b2a174fe837cdc15cfeb7b7ba
2024-02-05T13:59:27.594Z        DEBUG   [misconf] 59:27.594532381 terraform.parser.<root>.evaluator.resolver No token was found for the registry at some-site.with.hash.com

Operating System

Ubuntu

Version

Version: 0.49.0
Policy Bundle:
  Digest: sha256:f21e8e92a7b3f6042ef7acfd3b799afc1648536dc4111c4d5458bc16396f8332
  DownloadedAt: 2024-02-05 09:59:15.002900989 +0000 UTC

nikpivkin, Feb 05 '24 14:02
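As an added example, not code from trivy or from Terraform, the Go program below implements the lookup that the Terraform documentation quoted in the report describes. Rather than building a single variable name from the hostname (which is what the quoted trivy line does), it decodes every TF_TOKEN_* name found in the environment back to a hostname ("__" stands for "-", then a single "_" stands for "."), normalises both sides to lowercase Punycode, and keeps the last match, so all three spellings from the docs and the hyphenated hostname from the report resolve without a "-" ever having to appear in a variable name. The function names registryToken, asciiHostname, punycodeLabel and pcAdapt are assumptions made for this example; the Punycode encoder is a direct RFC 3492 implementation written here so the program runs offline (it performs only the Punycode step, not the full IDNA/UTS #46 mapping that a library such as golang.org/x/net/idna applies); and the environment entries passed in by a caller are expected as NAME=value strings in OS order, as os.Environ() returns them.

```go
package main

import "strings"

// Bootstring parameters and digit alphabet from RFC 3492 (Punycode).
const pcBase, pcTMin, pcTMax, pcSkew, pcDamp, pcInitialBias, pcInitialN = 36, 1, 26, 38, 700, 72, 128
const pcAlphabet = "abcdefghijklmnopqrstuvwxyz0123456789"

// pcAdapt is the bias adaptation function of RFC 3492 section 6.1.
func pcAdapt(delta, numPoints int, firstTime bool) int {
	div := 2
	if firstTime {
		div = pcDamp
	}
	delta = delta/div + delta/div/numPoints
	k := 0
	for ; delta > (pcBase-pcTMin)*pcTMax/2; k += pcBase {
		delta /= pcBase - pcTMin
	}
	return k + (pcBase-pcTMin+1)*delta/(delta+pcSkew)
}

// punycodeLabel encodes one hostname label with RFC 3492 Punycode (no "xn--" prefix).
func punycodeLabel(label string) string {
	in := []rune(label)
	var out []byte
	for _, r := range in { // basic (ASCII) code points are copied first
		if r < 0x80 {
			out = append(out, byte(r))
		}
	}
	b, h := len(out), len(out) // h counts the code points handled so far
	if b > 0 {
		out = append(out, '-')
	}
	n, delta, bias := pcInitialN, 0, pcInitialBias
	for h < len(in) {
		m := 1 << 30 // smallest code point >= n that is still unencoded
		for _, r := range in {
			if int(r) >= n && int(r) < m {
				m = int(r)
			}
		}
		delta, n = delta+(m-n)*(h+1), m
		for _, r := range in {
			if int(r) < n {
				delta++
			} else if int(r) == n {
				for k, q := pcBase, delta; ; k += pcBase { // variable-length integer
					t := k - bias
					if t < pcTMin {
						t = pcTMin
					} else if t > pcTMax {
						t = pcTMax
					}
					if q < t {
						out = append(out, pcAlphabet[q])
						break
					}
					out = append(out, pcAlphabet[t+(q-t)%(pcBase-t)])
					q = (q - t) / (pcBase - t)
				}
				bias = pcAdapt(delta, h+1, h == b)
				delta, h = 0, h+1
			}
		}
		delta, n = delta+1, n+1
	}
	return string(out)
}

// asciiHostname lowercases a hostname and Punycode-encodes each non-ASCII label.
func asciiHostname(host string) string {
	labels := strings.Split(strings.ToLower(host), ".")
	for i, l := range labels {
		if strings.IndexFunc(l, func(r rune) bool { return r >= 0x80 }) >= 0 {
			labels[i] = "xn--" + punycodeLabel(l)
		}
	}
	return strings.Join(labels, ".")
}

// registryToken finds the TF_TOKEN_* credential for hostname in environ (NAME=value entries
// in OS order): every name is decoded back to a hostname, and the last definition wins.
func registryToken(hostname string, environ []string) (string, bool) {
	want, token, found := asciiHostname(hostname), "", false
	for _, kv := range environ {
		name, value, ok := strings.Cut(kv, "=")
		if !ok || !strings.HasPrefix(name, "TF_TOKEN_") {
			continue
		}
		// Undo the encoding: "__" stands for "-", then a single "_" stands for ".".
		raw := strings.ReplaceAll(strings.TrimPrefix(name, "TF_TOKEN_"), "__", "-")
		if asciiHostname(strings.ReplaceAll(raw, "_", ".")) == want {
			token, found = value, true
		}
	}
	return token, found
}
```

In a resolver this would be called as registryToken(hostname, os.Environ()); with the environment from the report, registryToken("some-site.with.hash.com", env) returns "abcdef", and for "café.fr" the names TF_TOKEN_xn--caf-dma.fr, TF_TOKEN_xn--caf-dma_fr and TF_TOKEN_xn____caf__dma_fr all decode to the same hostname, the later one overriding the earlier, which is the "defined last" rule from the docs. Decoding in this direction is unambiguous because hyphens cannot start or end a hostname label, so an odd run of underscores never occurs in a valid name; any variable whose decoded form does not match is simply ignored rather than leaking a credential meant for a different registry.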