
fix(misconf): resolve unknown values without panic #8603

Closed
2 tasks done
simar7 opened this issue Mar 25, 2025 · Discussed in #8598 · 0 comments · Fixed by #8604


simar7 commented Mar 25, 2025

Discussed in #8598

Originally posted by donkomura March 22, 2025

Description

Hi, Team,

I was scanning Terraform configurations with Trivy 0.59.0, but after updating to 0.60.0, Trivy started to panic and crash.
There are no changes in the Terraform code.

Desired Behavior

Successful scan

Actual Behavior

Runtime error (panic)

Reproduction Steps

$ cat <<EOF > _gcs.tf
resource "google_storage_bucket_iam_binding" "service-a" {
  bucket = google_storage_bucket.service-a.name
  role   = "roles/storage.objectAdmin"

  members = [
    "serviceAccount:[email protected]",
    data.google_storage_transfer_project_service_account.production.member,
  ]
}

data "google_storage_transfer_project_service_account" "production" {
  project = local.project_id
}
EOF
# Mount the working directory into the image and scan the single file with each version;
# 0.59.0 completes, 0.60.0 panics (see Debug Output below).
$ docker run --rm -v $PWD:/root/trivy docker.io/aquasec/trivy:0.59.0 config --format json root/trivy/_gcs.tf --debug
$ docker run --rm -v $PWD:/root/trivy docker.io/aquasec/trivy:0.60.0 config --format json root/trivy/_gcs.tf --debug

Target

None

Scanner

Misconfiguration

Output Format

JSON

Mode

Standalone

Debug Output

❯ docker run --rm -v $PWD:/root/trivy docker.io/aquasec/trivy:0.60.0 config --format json root/trivy/_gcs.tf --debug
2025-03-23T03:17:55Z    DEBUG   No plugins loaded
2025-03-23T03:17:55Z    DEBUG   Default config file "file_path=trivy.yaml" not found, using built in values
2025-03-23T03:17:55Z    DEBUG   Cache dir       dir="/root/.cache/trivy"
2025-03-23T03:17:55Z    DEBUG   Cache dir       dir="/root/.cache/trivy"
2025-03-23T03:17:55Z    DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-03-23T03:17:55Z    INFO    [misconfig] Misconfiguration scanning is enabled
2025-03-23T03:17:55Z    DEBUG   [misconfig] Failed to open the check metadata   err="open /root/.cache/trivy/policy/metadata.json: no such file or directory"
2025-03-23T03:17:55Z    INFO    [misconfig] Need to update the built-in checks
2025-03-23T03:17:55Z    INFO    [misconfig] Downloading the built-in checks...
2025-03-23T03:17:55Z    DEBUG   [misconfig] Loading check bundle        repository="mirror.gcr.io/aquasec/trivy-checks:1"
163.77 KiB / 163.77 KiB [------------------------------------------------------] 100.00% ? p/s 200ms
2025-03-23T03:17:56Z    DEBUG   [misconfig] Digest of the built-in checks   digest="sha256:2bc834fc222789e26b85dc3e92e3333b488e16a9bfa192aa971cca25db884837"
2025-03-23T03:17:56Z    DEBUG   [misconfig] Checks successfully loaded from disk
2025-03-23T03:17:56Z    DEBUG   Enabling misconfiguration scanners      scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2025-03-23T03:17:56Z    DEBUG   Initializing scan cache...      type="memory"
2025-03-23T03:17:56Z    DEBUG   [fs] Analyzing...       root="root/trivy/_gcs.tf"
2025-03-23T03:17:56Z    DEBUG   [fs] Random cache key will be used      err="failed to open git repository: stat /root/trivy/_gcs.tf/.git: not a directory"
2025-03-23T03:17:56Z    DEBUG   [misconfig] Scanning files for misconfigurations...     scanner="Terraform"
2025-03-23T03:17:56Z    DEBUG   [terraform scanner] Scanning directory  file_path="."
2025-03-23T03:17:57Z    DEBUG   [rego] Overriding filesystem for checks
2025-03-23T03:17:57Z    DEBUG   [rego] Embedded libraries are loaded    count=17
2025-03-23T03:17:57Z    DEBUG   [rego] Embedded checks are loaded       count=517
2025-03-23T03:17:57Z    DEBUG   [rego] Checks from disk are loaded      count=534
2025-03-23T03:17:57Z    DEBUG   [rego] Overriding filesystem for data
2025-03-23T03:17:57Z    DEBUG   [terraform parser] Setting project/module root  module="root" file_path="."
2025-03-23T03:17:57Z    DEBUG   [terraform parser] Parsing FS   module="root" file_path="."
2025-03-23T03:17:57Z    DEBUG   [terraform parser] Parsing      module="root" file_path="_gcs.tf"
2025-03-23T03:17:57Z    DEBUG   [terraform parser] Added file   module="root" file_path="_gcs.tf"
2025-03-23T03:17:57Z    INFO    [terraform scanner] Scanning root module        file_path="."
2025-03-23T03:17:57Z    DEBUG   [terraform parser] Setting project/module root  module="root" file_path="."
2025-03-23T03:17:57Z    DEBUG   [terraform parser] Parsing FS   module="root" file_path="."
2025-03-23T03:17:57Z    DEBUG   [terraform parser] Parsing      module="root" file_path="_gcs.tf"
2025-03-23T03:17:57Z    DEBUG   [terraform parser] Added file   module="root" file_path="_gcs.tf"
2025-03-23T03:17:57Z    DEBUG   [terraform parser] Loading module       module="root" module="root"
2025-03-23T03:17:57Z    DEBUG   [terraform parser] Read block(s) and ignore(s)  module="root" blocks=2 ignores=0
2025-03-23T03:17:57Z    DEBUG   [terraform parser] Added input variables from tfvars    module="root" count=0
2025-03-23T03:17:57Z    DEBUG   [terraform parser] Working directory for module evaluation      module="root" file_path="/"
2025-03-23T03:17:57Z    DEBUG   [terraform evaluator] Starting module evaluation...     path="."
2025-03-23T03:17:57Z    DEBUG   [terraform evaluator] Starting iteration        iteration=0
2025-03-23T03:17:57Z    DEBUG   [terraform evaluator] Starting iteration        iteration=1
2025-03-23T03:17:57Z    DEBUG   [terraform evaluator] Context unchanged iteration=1
2025-03-23T03:17:57Z    DEBUG   [terraform evaluator] Starting post-submodules evaluation...
2025-03-23T03:17:57Z    DEBUG   [terraform evaluator] Starting iteration        iteration=0
2025-03-23T03:17:57Z    DEBUG   [terraform evaluator] Starting iteration        iteration=1
2025-03-23T03:17:57Z    DEBUG   [terraform evaluator] Context unchanged iteration=1
2025-03-23T03:17:57Z    DEBUG   [terraform evaluator] Module evaluation complete.
2025-03-23T03:17:57Z    DEBUG   [terraform parser] Finished parsing module      module="root"
2025-03-23T03:17:57Z    DEBUG   [terraform executor] Adapting modules...
2025-03-23T03:17:57Z    DEBUG   [terraform executor] Adapted module(s) into state data. count=1
2025-03-23T03:17:57Z    DEBUG   [rego] Scanning inputs  count=1
2025-03-23T03:17:57Z    DEBUG   [terraform executor] Finished applying rules.
2025-03-23T03:17:57Z    DEBUG   [terraform executor] Applying ignores...
panic: cannot produce tokens for unknown value

goroutine 1 [running]:
github.com/hashicorp/hcl/v2/hclwrite.appendTokensForValue({{{0x62f2be0, 0x93875c0}}, {0x47da660, 0x933ea30}}, {0xc0058c6ec0, 0x5, 0x8})
        /home/runner/go/pkg/mod/github.com/hashicorp/hcl/[email protected]/hclwrite/generate.go:189 +0x1307
github.com/hashicorp/hcl/v2/hclwrite.appendTokensForValue({{{0x62f2ac8, 0xc003d56750}}, {0x4522680, 0xc003d56768}}, {0x0, 0x0, 0x0})
        /home/runner/go/pkg/mod/github.com/hashicorp/hcl/[email protected]/hclwrite/generate.go:251 +0x10d4
github.com/hashicorp/hcl/v2/hclwrite.TokensForValue({{{0x62f2ac8?, 0xc003d56750?}}, {0x4522680?, 0xc003d56768?}})
        /home/runner/go/pkg/mod/github.com/hashicorp/hcl/[email protected]/hclwrite/generate.go:27 +0x2f
github.com/hashicorp/hcl/v2/hclwrite.NewExpressionLiteral({{{0x62f2ac8?, 0xc003d56750?}}, {0x4522680?, 0xc003d56768?}})
        /home/runner/go/pkg/mod/github.com/hashicorp/hcl/[email protected]/hclwrite/ast_expression.go:64 +0x2e
github.com/hashicorp/hcl/v2/hclwrite.(*Body).SetAttributeValue(0xc003d56678, {0xc0021427c0, 0x7}, {{{0x62f2ac8?, 0xc003d56750?}}, {0x4522680?, 0xc003d56768?}})
        /home/runner/go/pkg/mod/github.com/hashicorp/hcl/[email protected]/hclwrite/ast_body.go:170 +0x17d
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/executor.writeBlock(0xc0014d9dc0, 0xc0058c6dc0, {{0xc005519498, 0x7}, 0x5, 0x8, {0x0, 0x0}, 0x0, {0x0, ...}, ...})
        /home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/executor/executor.go:134 +0x3f6
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/executor.(*Executor).renderCause(0xc00324db80, {0xc00507ce00?, 0xe?, 0x10?}, {{0xc005519498, 0x7}, 0x5, 0x8, {0x0, 0x0}, ...})
        /home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/executor/executor.go:102 +0x168
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/executor.(*Executor).Execute(0xc00324db80, {0x62f0568, 0xc001035800}, {0xc00507ce00, 0x1, 0x1}, {0x6274750, 0x1})
        /home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/executor/executor.go:86 +0xcc5
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform.(*Scanner).ScanFS(0xc000ffc7e0, {0x62f0568, 0xc001035800}, {0x6292500, 0xc0014f0180}, {0x6274750, 0x1})
        /home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/scanner.go:148 +0xa34
github.com/aquasecurity/trivy/pkg/misconf.(*Scanner).Scan(0xc000fe17c0, {0x62f0610, 0xc0008e2770}, {0x6292500, 0xc0014f0168})
        /home/runner/work/trivy/trivy/pkg/misconf/scanner.go:151 +0x297
github.com/aquasecurity/trivy/pkg/fanal/analyzer/config.(*Analyzer).PostAnalyze(0xc000365dc0, {0x62f0610?, 0xc0008e2770?}, {{0x6292500?, 0xc0014f0168?}, {0x0?, 0x0?}})
        /home/runner/work/trivy/trivy/pkg/fanal/analyzer/config/config.go:44 +0x45
github.com/aquasecurity/trivy/pkg/fanal/analyzer.AnalyzerGroup.PostAnalyze({0xc00076c660, {0xc00132a140, 0x4, 0x4}, {0xc0014f9700, 0x8, 0x8}, 0xc001149ec0, {0x0, 0x0}}, ...)
        /home/runner/work/trivy/trivy/pkg/fanal/analyzer/analyzer.go:505 +0x2e2
github.com/aquasecurity/trivy/pkg/fanal/artifact/local.Artifact.Inspect({{0x7ffe6a366f65, 0x12}, 0xc0013052a0, {0x7f6f940ff0d8, 0xc00142ea20}, {0x6292420, 0x93875c0}, {0xc00076c660, {0xc00132a140, 0x4, ...}, ...}, ...}, ...)
        /home/runner/work/trivy/trivy/pkg/fanal/artifact/local/fs.go:204 +0x729
github.com/aquasecurity/trivy/pkg/scanner.Scanner.ScanArtifact({{_, _}, {_, _}}, {_, _}, {{0x0, 0x0, 0x0}, {0x0, ...}, ...})
        /home/runner/work/trivy/trivy/pkg/scanner/scan.go:156 +0xff
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scan(_, {_, _}, {{{0x51659ec, 0xa}, 0x0, 0x0, 0x1, 0x0, 0x45d964b800, ...}, ...}, ...)
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:627 +0x377
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanArtifact(_, {_, _}, {{{0x51659ec, 0xa}, 0x0, 0x0, 0x1, 0x0, 0x45d964b800, ...}, ...}, ...)
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:259 +0xb1
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanFS(_, {_, _}, {{{0x51659ec, 0xa}, 0x0, 0x0, 0x1, 0x0, 0x45d964b800, ...}, ...})
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:204 +0xc5
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).ScanFilesystem(_, {_, _}, {{{0x51659ec, 0xa}, 0x0, 0x0, 0x1, 0x0, 0x45d964b800, ...}, ...})
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:184 +0x211
github.com/aquasecurity/trivy/pkg/commands/artifact.Run({_, _}, {{{0x51659ec, 0xa}, 0x0, 0x0, 0x1, 0x0, 0x45d964b800, {0xc000077968, ...}, ...}, ...}, ...)
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:400 +0x8ec
github.com/aquasecurity/trivy/pkg/commands.NewConfigCommand.func2(0xc000cab508, {0xc00140e500, 0x1, 0x4})
        /home/runner/work/trivy/trivy/pkg/commands/app.go:726 +0x2d3
github.com/spf13/cobra.(*Command).execute(0xc000cab508, {0xc00140e4c0, 0x4, 0x4})
        /home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:1015 +0xa94
github.com/spf13/cobra.(*Command).ExecuteC(0xc000c29808)
        /home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:1148 +0x40c
github.com/spf13/cobra.(*Command).Execute(0x51bbeaf?)
        /home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:1071 +0x13
main.run()
        /home/runner/work/trivy/trivy/cmd/trivy/main.go:45 +0x113
main.main()
        /home/runner/work/trivy/trivy/cmd/trivy/main.go:19 +0x1f

Operating System

Ubuntu 24.04

Version

0.60.0

@simar7 simar7 added kind/bug Categorizes issue or PR as related to a bug. scan/misconfiguration Issues relating to misconfiguration scanning labels Mar 25, 2025
@simar7 simar7 added this to the v0.61.0 milestone Mar 25, 2025
@simar7 simar7 self-assigned this Mar 25, 2025
simar7 added a commit to simar7/trivy that referenced this issue Mar 25, 2025
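The trace shows where the crash happens: the Terraform executor's renderCause (from the function names, it renders the offending block for the finding) calls hclwrite's SetAttributeValue, and TokensForValue panics with "cannot produce tokens for unknown value" when handed a cty value the static evaluator could not resolve. Both unresolved references in the report are expected: google_storage_bucket.service-a is not defined in the scanned file, and the data source's member attribute only exists once the provider is queried, so the evaluator yields unknowns for them. The Go program below is an added example, not Trivy's code and not the fix in #8604. It uses a minimal stand-in for cty.Value and for the HCL writer (written for this example, not the real libraries) and shows the two defensive layers a renderer of evaluator output wants: a deep walk that replaces unknown leaves with a placeholder before serialization, and a recover around the cosmetic rendering step so a panic there degrades to an error instead of aborting the whole scan. With the real libraries the corresponding check and substitution would be cty's Value.IsWhollyKnown and cty.UnknownAsNull; the placeholder string, the function names and the sample service account address here are assumptions.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Val is a minimal stand-in for a cty.Value, constructed for this example only
// (not Trivy's or go-cty's type): a string leaf, a list, or an unknown marker.
type Val struct {
	Unknown bool
	Str     *string
	List    []Val
}

func Str(s string) Val   { return Val{Str: &s} }
func List(vs ...Val) Val { return Val{List: vs} }
func Unknown() Val       { return Val{Unknown: true} }

type attr struct {
	Name  string
	Value Val
}

// tokensForValue models the contract visible in the stack trace: the HCL
// writer refuses to serialize an unknown value and panics.
func tokensForValue(v Val) string {
	switch {
	case v.Unknown:
		panic("cannot produce tokens for unknown value")
	case v.Str != nil:
		return strconv.Quote(*v.Str)
	case v.List != nil:
		parts := make([]string, 0, len(v.List))
		for _, e := range v.List {
			parts = append(parts, tokensForValue(e))
		}
		return "[" + strings.Join(parts, ", ") + "]"
	}
	return "null"
}

// placeholder (an assumed literal) stands in for anything the evaluator could not resolve.
const placeholder = "<unknown>"

// resolveUnknown returns a copy of v with every unknown leaf, at any depth,
// replaced by the placeholder, so the result is wholly known and writable.
func resolveUnknown(v Val) Val {
	switch {
	case v.Unknown:
		return Str(placeholder)
	case v.List != nil:
		out := make([]Val, len(v.List))
		for i, e := range v.List {
			out[i] = resolveUnknown(e)
		}
		return Val{List: out}
	}
	return v
}

// writeBlock renders a resource block attribute by attribute, as the executor's
// writeBlock in the trace does, and so inherits the writer's panic.
func writeBlock(kind, name string, attrs []attr) string {
	var b strings.Builder
	fmt.Fprintf(&b, "resource %q %q {\n", kind, name)
	for _, a := range attrs {
		fmt.Fprintf(&b, "  %s = %s\n", a.Name, tokensForValue(a.Value))
	}
	b.WriteString("}\n")
	return b.String()
}

// renderCause is the hardened path: unknowns are resolved before writing, and
// any residual panic in this cosmetic step becomes an error, not a crashed scan.
func renderCause(kind, name string, attrs []attr) (out string, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("rendering cause for %s.%s: %v", kind, name, r)
		}
	}()
	known := make([]attr, len(attrs))
	for i, a := range attrs {
		known[i] = attr{a.Name, resolveUnknown(a.Value)}
	}
	return writeBlock(kind, name, known), nil
}

// bindingFromReport reconstructs the evaluator's view of the IAM binding in the
// report: bucket references a resource that is not in the file, role is a literal,
// and one member comes from a data source. The member address is a constructed sample.
func bindingFromReport() []attr {
	return []attr{
		{"bucket", Unknown()},
		{"role", Str("roles/storage.objectAdmin")},
		{"members", List(Str("serviceAccount:example-sa@example-project.iam.gserviceaccount.com"), Unknown())},
	}
}
```

Calling writeBlock directly on bindingFromReport() reproduces the panic; renderCause on the same input returns the block with both unresolved values written as "<unknown>". The recover never fires in this model because the walk removes every unknown first; it is there for value kinds the walk did not anticipate, which is exactly the situation a scanner cannot rule out when the input is arbitrary user configuration.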