False negative when SecurityGroupIngress is defined at resource level

[danfaizer]

IDs

AVD-AWS-0107

Description

You can define a SecurityGroupIngress in 2 ways:

1. Within the AWS::EC2::SecurityGroup resource
2. At resource level AWS::EC2::SecurityGroupIngress and referring to a SecurityGroup.

In case 1. the security control works and the "too broad" access is reported.
In case 2. the security control does not work and the "too broad" access is NOT reported.

The control should be reported in both definitions.

Reproduction Steps

1. Create a security group with a security group ingress rule referencing the security group.
`security-group.yaml`

AWSTemplateFormatVersion: 2010-09-09
Description: AWS CloudFormation security group template
Resources:
  SecurityGroup:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      VpcId: 'vpc-01234567890abcdef'
      GroupDescription: Enable SSH access to the internet

  SecurityGroupIngress:
    Type: 'AWS::EC2::SecurityGroupIngress'
    Properties:
      GroupId: !Ref SecurityGroup
      IpProtocol: tcp
      FromPort: '22'
      ToPort: '22'
      CidrIp: 0.0.0.0/0

2. Scan with trivy:

trivy config security-group.yaml
2024-05-22T18:04:16+02:00	INFO	Misconfiguration scanning is enabled
2024-05-22T18:04:17+02:00	INFO	Detected config files	num=1

### Target

AWS

### Scanner

Misconfiguration

### Target OS

_No response_

### Debug Output

```bash
trivy config security-group.yaml --debug
2024-05-22T18:04:37+02:00	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-05-22T18:04:37+02:00	DEBUG	Cache dir	dir="/Users/jamiroquake/Library/Caches/trivy"
2024-05-22T18:04:37+02:00	INFO	Misconfiguration scanning is enabled
2024-05-22T18:04:37+02:00	DEBUG	Policies successfully loaded from disk
2024-05-22T18:04:37+02:00	DEBUG	Enabling misconfiguration scanners	scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-05-22T18:04:37+02:00	DEBUG	[nuget] The nuget packages directory couldn't be found. License search disabled
2024-05-22T18:04:37+02:00	DEBUG	Scanning files for misconfigurations...	scanner="CloudFormation"
2024-05-22T18:04:37+02:00	DEBUG	[misconf] 04:37.060370000 cloudformation.scanner.rego      Overriding filesystem for checks!
2024-05-22T18:04:37+02:00	DEBUG	[misconf] 04:37.061434000 cloudformation.scanner.rego      Loaded 3 embedded libraries.
2024-05-22T18:04:37+02:00	DEBUG	[misconf] 04:37.085418000 cloudformation.scanner.rego      Loaded 191 embedded policies.
2024-05-22T18:04:37+02:00	DEBUG	[misconf] 04:37.120571000 cloudformation.scanner.rego      Loaded 194 policies from disk.
2024-05-22T18:04:37+02:00	DEBUG	[misconf] 04:37.120805000 cloudformation.scanner.rego      Overriding filesystem for data!
2024-05-22T18:04:37+02:00	DEBUG	[misconf] 04:37.286846000 cloudformation.scanner           Found 1 results for AVD-AWS-0099
2024-05-22T18:04:37+02:00	DEBUG	[misconf] 04:37.290866000 cloudformation.scanner.rego      Scanning 1 inputs...
2024-05-22T18:04:37+02:00	DEBUG	Scanning files for misconfigurations...	scanner="Helm"
2024-05-22T18:04:37+02:00	DEBUG	[misconf] 04:37.293701000 helm.scanner.rego                Overriding filesystem for checks!
2024-05-22T18:04:37+02:00	DEBUG	[misconf] 04:37.294397000 helm.scanner.rego                Loaded 3 embedded libraries.
2024-05-22T18:04:37+02:00	DEBUG	[misconf] 04:37.319590000 helm.scanner.rego                Loaded 191 embedded policies.
2024-05-22T18:04:37+02:00	DEBUG	[misconf] 04:37.345048000 helm.scanner.rego                Loaded 194 policies from disk.
2024-05-22T18:04:37+02:00	DEBUG	[misconf] 04:37.345294000 helm.scanner.rego                Overriding filesystem for data!
2024-05-22T18:04:37+02:00	DEBUG	OS is not detected.
2024-05-22T18:04:37+02:00	INFO	Detected config files	num=1
2024-05-22T18:04:37+02:00	DEBUG	Scanned config file	path="security-group.yaml"

Version

trivy --version
Version: 0.51.2
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-04-16 06:12:18.601562975 +0000 UTC
  NextUpdate: 2024-04-16 12:12:18.601562704 +0000 UTC
  DownloadedAt: 2024-04-16 11:36:59.614942 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2023-10-27 00:56:52.8927736 +0000 UTC
  NextUpdate: 2023-10-30 00:56:52.8927731 +0000 UTC
  DownloadedAt: 2023-10-27 11:28:08.392459 +0000 UTC
Check Bundle:
  Digest: sha256:6d0771effa53c6cf8130861fc3ac28f5515c35a028edb4bb1e67261b9218c80e
  DownloadedAt: 2024-05-22 09:51:25.538091 +0000 UTC

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

[simar7]

@nikpivkin can you take a look?

[nikpivkin]

Hi @danfaizer !

I created issue #6754