Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(misconf): handle of unresolvable values in checks #7764

Closed
nikpivkin opened this issue Oct 18, 2024 Discussed in #7760 · 0 comments
Closed

fix(misconf): handle of unresolvable values in checks #7764

nikpivkin opened this issue Oct 18, 2024 Discussed in #7760 · 0 comments
Assignees
@nikpivkin
Labels
kind/bug Categorizes issue or PR as related to a bug. scan/misconfiguration Issues relating to misconfiguration scanning
Milestone
v0.57.0

Comments

@nikpivkin
Copy link
Contributor

If the value is equal to cty.NilVal (for terraform configurations) or is unknown, it is marked as unresolvable. Methods that check conditions return false if the value is unresolvable. For example, calling the Empty method for an unresolvable empty string will return false, and calling the EqualTo method with an argument of 0 for an unresolvable number 0 will also return false. This helps avoid false positives when the value is unknown. Example of a configuration where the kms_master_key_id attribute is unknown because it references an attribute from a data block:

data "aws_kms_alias" "test" {
  name = "alias/aws/s3"
}

resource "aws_sns_topic" "test" {
  name = "user-updates-topic"
  kms_master_key_id = data.aws_kms_alias.test.target_key_id
}

Rego checks should use functions that take into account handling of unresolvable values instead of directly accessing them.

Discussed in #7760
@nikpivkin nikpivkin added kind/bug Categorizes issue or PR as related to a bug. scan/misconfiguration Issues relating to misconfiguration scanning labels Oct 18, 2024
@nikpivkin nikpivkin self-assigned this Oct 18, 2024
This was referenced Oct 18, 2024
Merged
Merged
@simar7 simar7 added this to the v0.57.0 milestone Oct 21, 2024
@simar7 simar7 closed this as completed Oct 29, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@nikpivkin nikpivkin

Labels
kind/bug Categorizes issue or PR as related to a bug. scan/misconfiguration Issues relating to misconfiguration scanning
Projects
Trivy Roadmap
Status: No status
Milestone
v0.57.0
Development

No branches or pull requests
3 participants
@simar7 @nikpivkin and others