
[Bug]: Trivy security issue during module-ci code analysis #53

rswrz opened this issue Dec 17, 2024 · 2 comments
Labels: bug (Something isn't working)

Comments


rswrz commented Dec 17, 2024

Bug Description

Using this virtual machine module in https://github.com/cloudeteer/terraform-azurerm-mssql-vm module triggers an error in the code-analysis Mobile CI job (details below).

Expected Behavior

The module should not produce any Trivy security issues.

Terraform-Version

1.9

Relevant log output

Running trivy with options: trivy fs  --format table --exit-code  1 --ignore-unfixed --vuln-type  os,library --scanners  config,secret --severity  CRITICAL,HIGH --skip-dirs examples/ --skip-dirs tests/ .
Global options:  
2024-12-17T09:02:00Z	WARN	'--scanners config' is deprecated. Use '--scanners misconfig' instead. See https://github.com/aquasecurity/trivy/discussions/5586 for the detail.
2024-12-17T09:02:00Z	INFO	Misconfiguration scanning is enabled
2024-12-17T09:02:00Z	INFO	Need to update the built-in policies
2024-12-17T09:02:00Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-12-17T09:02:01Z	INFO	Secret scanning is enabled
2024-12-17T09:02:01Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-17T09:02:01Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-12-17T09:02:04Z	INFO	Detected config files	num=3

git::https:/github.com/cloudeteer/terraform-azurerm-vm?ref=19edd4856dcca0c5128ea5c5116d94d00ec13813/r-vm.tf (terraform)
=======================================================================================================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Linux virtual machine allows password authentication.
════════════════════════════════════════
Access to virtual machines should be authenticated using SSH keys. Removing the option of password authentication enforces more secure methods while removing the risks inherent with passwords.

See https://avd.aquasec.com/misconfig/avd-azu-0039
────────────────────────────────────────
 git::https:/github.com/cloudeteer/terraform-azurerm-vm?ref=19edd4856dcca0c5128ea5c5116d94d00ec13813/r-vm.tf:23
   via git::https:/github.com/cloudeteer/terraform-azurerm-vm?ref=19edd4856dcca0c5128ea5c5116d94d00ec13813/r-vm.tf:8-108 (azurerm_linux_virtual_machine.this[0])
    via main.tf:52-89 (module.azurerm_virtual_machine)
────────────────────────────────────────
   8   resource "azurerm_linux_virtual_machine" "this" {
   .   
  23 [   disable_password_authentication                        = !strcontains(var.authentication_type, "Password")
 ...   
 108   }
────────────────────────────────────────

Relevant Error Messages

HIGH: Linux virtual machine allows password authentication.
════════════════════════════════════════
Access to virtual machines should be authenticated using SSH keys. Removing the option of password authentication enforces more secure methods while removing the risks inherent with passwords.

Additional Information

No response

@rswrz rswrz added the bug Something isn't working label Dec 17, 2024
@rswrz rswrz self-assigned this Dec 17, 2024
@rswrz rswrz changed the title [Bug]: [Bug]: Trivy Security Issues in cloudeteer/terraform-azurerm-mssql-vm Module During Mobile CI Code Analysis Dec 17, 2024
@rswrz rswrz changed the title [Bug]: Trivy Security Issues in cloudeteer/terraform-azurerm-mssql-vm Module During Mobile CI Code Analysis [Bug]: Trivy security issue during module-ci code analysis Dec 17, 2024

rswrz commented Dec 17, 2024

Adding the comment #trivy:ignore:avd-azu-0039 directly to the vm module does not resolve the issue.

However, adding the comment #trivy:ignore:avd-azu-0039 to the mssql-vm module, specifically on the module call for the vm module, resolves the issue.

#trivy:ignore:avd-azu-0039
module "azurerm_virtual_machine" {
  source  = "cloudeteer/vm/azurerm"
  version = "0.0.20"
}

@rswrz rswrz added weekly and removed weekly labels Dec 17, 2024

rswrz commented Dec 17, 2024

Actually, # trivy:ignore:avd-azu-0039 is already added to the code, for the whole resource azurerm_linux_virtual_machine here. But this is not considered during the Trivy scan on the mssql-vm module – which makes sense in terms of security.
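To make the behaviour reported in these comments concrete, here is an added example (not code from this issue, from Trivy or from the cloudeteer modules): a small Python emulation of the AVD-AZU-0039 check and of trivy:ignore scoping, run over constructed stand-ins for the r-vm.tf resource and the main.tf module call. The regex-based HCL reader, the function names and the sample HCL are assumptions made for illustration.

```python
# Constructed example, not Trivy's code: a line-oriented HCL reader emulating AVD-AZU-0039 and trivy:ignore scoping.
import re
RULE = "avd-azu-0039"
BLOCK_RE = re.compile(r'^(resource|module)\s+"([^"]+)"(?:\s+"([^"]+)")?\s*\{$')
IGNORE_RE = re.compile(r'^#\s*trivy:ignore:([\w-]+)$')
ATTR_RE = re.compile(r'^disable_password_authentication\s*=\s*(.+)$')
CHILD_HCL = '''# trivy:ignore:avd-azu-0039
resource "azurerm_linux_virtual_machine" "this" {
  disable_password_authentication = !strcontains(var.authentication_type, "Password")
  os_disk {
    caching = "ReadWrite"
  }
}'''  # constructed stand-in for r-vm.tf in the child (vm) module
PARENT_HCL = 'module "azurerm_virtual_machine" {\n  source = "cloudeteer/vm/azurerm"\n}'
PARENT_HCL_IGNORED = "#trivy:ignore:avd-azu-0039\n" + PARENT_HCL  # main.tf without / with the ignore
def parse_blocks(hcl):
    """Top-level blocks, each tagged with the ignore ids from comments directly above it."""
    blocks, pending, cur, depth = [], set(), None, 0
    for line in (l.strip() for l in hcl.splitlines()):
        if cur is None:
            if m := IGNORE_RE.match(line):
                pending.add(m[1])
            elif m := BLOCK_RE.match(line):
                cur = {"kind": m[1], "type": m[2], "name": m[3], "body": [], "ignores": pending}
                pending, depth = set(), 1
            elif line:  # unrelated content breaks the comment's adjacency to a block
                pending = set()
            continue
        depth += line.count("{") - line.count("}")  # follow nested blocks such as os_disk
        if depth == 0:
            blocks.append(cur); cur = None
        else:
            cur["body"].append(line)
    return blocks

def allows_password_auth(res):
    """Only the literal `true` passes (an expression cannot be proven safe); absent -> provider default true."""
    values = [m[1].strip() for l in res["body"] if (m := ATTR_RE.match(l))]
    return bool(values) and values[0] != "true"

def findings(blocks, honor_resource_ignores=True):
    return [f'{b["type"]}.{b["name"]}' for b in blocks if b["kind"] == "resource"
            and b["type"] == "azurerm_linux_virtual_machine" and allows_password_auth(b)
            and not (honor_resource_ignores and RULE in b["ignores"])]

def scan_via_module(parent_hcl, child_hcl):
    """An ignore on the module call suppresses the finding; the child's own ignore does not (as this issue reports)."""
    return [f'module.{call["type"]}/{f}' for call in parse_blocks(parent_hcl)
            if call["kind"] == "module" and RULE not in call["ignores"]
            for f in findings(parse_blocks(child_hcl), honor_resource_ignores=False)]
```

Trivy's real evaluation is Rego over fully parsed HCL; this only reproduces the observed outcome, so that the two placements of the ignore comment can be compared side by side.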
