feat(misconf): adapt aws_default_security_group (#8538)

Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
2025-12-05 20:40:16 -08:00 · 2025-03-13 12:42:30 +06:00
parent 8bf6caf98e
commit b57eccb09c
2 changed files with 151 additions and 101 deletions
--- a/pkg/iac/adapters/terraform/aws/ec2/vpc.go
+++ b/pkg/iac/adapters/terraform/aws/ec2/vpc.go
@@ -1,6 +1,8 @@
 package ec2

 import (
+	"strconv"
+
 	"github.com/aquasecurity/trivy/pkg/iac/providers/aws/ec2"
 	"github.com/aquasecurity/trivy/pkg/iac/terraform"
 	iacTypes "github.com/aquasecurity/trivy/pkg/iac/types"
@@ -60,6 +62,15 @@ func (a *sgAdapter) adaptSecurityGroups(modules terraform.Modules) []ec2.Securit
 	for _, resource := range modules.GetResourcesByType("aws_security_group") {
 		securityGroups = append(securityGroups, a.adaptSecurityGroup(resource, modules))
 	}
+
+	for _, resource := range modules.GetResourcesByType("aws_default_security_group") {
+		sg := a.adaptSecurityGroup(resource, modules)
+		sg.IsDefault = iacTypes.Bool(true, sg.Metadata)
+		sg.Description = iacTypes.String("", sg.Metadata)
+		sg.VPCID = iacTypes.String("", sg.Metadata)
+		securityGroups = append(securityGroups, sg)
+	}
+
 	orphanResources := modules.GetResourceByIDs(a.sgRuleIDs.Orphans()...)
 	if len(orphanResources) > 0 {
 		orphanage := ec2.SecurityGroup{
@@ -171,13 +182,19 @@ func adaptSGRule(resource *terraform.Block) ec2.SecurityGroupRule {
 		cidrs = append(cidrs, ipv6cidrBlocks.AsStringValues()...)
 	}

+	protocolAddr := resource.GetAttribute("protocol")
+	protocol := protocolAddr.AsStringValueOrDefault("", resource)
+	if protocolAddr.IsNumber() {
+		protocol = iacTypes.String(strconv.Itoa(int(protocolAddr.AsNumber())), protocolAddr.GetMetadata())
+	}
+
 	return ec2.SecurityGroupRule{
 		Metadata:    resource.GetMetadata(),
 		Description: ruleDescVal,
 		CIDRs:       cidrs,
 		FromPort:    resource.GetAttribute("from_port").AsIntValueOrDefault(-1, resource),
 		ToPort:      resource.GetAttribute("to_port").AsIntValueOrDefault(-1, resource),
-		Protocol:    resource.GetAttribute("protocol").AsStringValueOrDefault("", resource),
+		Protocol:    protocol,
 	}
 }

--- a/pkg/iac/adapters/terraform/aws/ec2/vpc_test.go
+++ b/pkg/iac/adapters/terraform/aws/ec2/vpc_test.go
@@ -20,58 +20,75 @@ func Test_AdaptVPC(t *testing.T) {
 	}{
 		{
 			name: "defined",
-			terraform: `
-			resource "aws_flow_log" "this" {
-				vpc_id = aws_vpc.main.id
-			}
-			resource "aws_default_vpc" "default" {
-				tags = {
-				  Name = "Default VPC"
-				}
-			  }
+			terraform: `resource "aws_flow_log" "this" {
+  vpc_id = aws_vpc.main.id
+}
+resource "aws_default_vpc" "default" {
+  tags = {
+    Name = "Default VPC"
+  }
+}

-			  resource "aws_vpc" "main" {
-				cidr_block = "4.5.6.7/32"
-			  }
+resource "aws_vpc" "main" {
+  cidr_block = "4.5.6.7/32"
+}

-			resource "aws_security_group" "example" {
-				name        = "http"
-				description = "Allow inbound HTTP traffic"
-			  
-				ingress {
-				  description = "Rule #1"
-				  from_port   = 80
-				  to_port     = 80
-				  protocol    = "tcp"
-				  cidr_blocks = [aws_vpc.main.cidr_block]
-				}
+resource "aws_security_group" "example" {
+  name        = "http"
+  description = "Allow inbound HTTP traffic"

-				egress {
-					cidr_blocks = ["1.2.3.4/32"]
-				}
-			  }
+  ingress {
+    description = "Rule #1"
+    from_port   = 80
+    to_port     = 80
+    protocol    = "tcp"
+    cidr_blocks = [aws_vpc.main.cidr_block]
+  }

-			resource "aws_network_acl_rule" "example" {
-				egress         = false
-				protocol       = "tcp"
-				from_port      = 22
-				to_port        = 22
-				rule_action    = "allow"
-				cidr_block     = "10.0.0.0/16"
-			}
+  egress {
+    cidr_blocks = ["1.2.3.4/32"]
+  }
+}

-			resource "aws_security_group_rule" "example" {
-				type              = "ingress"
-				description = "Rule #2"
-				security_group_id = aws_security_group.example.id
-				from_port         = 22
-				to_port           = 22
-				protocol          = "tcp"
-				cidr_blocks = [
-				  "1.2.3.4/32",
-				  "4.5.6.7/32",
-				]
-			  }
+resource "aws_network_acl_rule" "example" {
+  egress      = false
+  protocol    = "tcp"
+  from_port   = 22
+  to_port     = 22
+  rule_action = "allow"
+  cidr_block  = "10.0.0.0/16"
+}
+
+resource "aws_security_group_rule" "example" {
+  type              = "ingress"
+  description       = "Rule #2"
+  security_group_id = aws_security_group.example.id
+  from_port         = 22
+  to_port           = 22
+  protocol          = "tcp"
+  cidr_blocks = [
+    "1.2.3.4/32",
+    "4.5.6.7/32",
+  ]
+}
+
+resource "aws_default_security_group" "default" {
+  vpc_id = aws_vpc.main.id
+
+  ingress {
+    protocol  = -1
+    self      = true
+    from_port = 0
+    to_port   = 0
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+}
 `,
 			expected: ec2.EC2{
 				VPCs: []ec2.VPC{
@@ -132,6 +149,24 @@ func Test_AdaptVPC(t *testing.T) {
 							},
 						},
 					},
+					{
+						IsDefault: iacTypes.BoolTest(true),
+						IngressRules: []ec2.SecurityGroupRule{
+							{
+								Protocol: iacTypes.StringTest("-1"),
+								FromPort: iacTypes.IntTest(0),
+								ToPort:   iacTypes.IntTest(0),
+							},
+						},
+						EgressRules: []ec2.SecurityGroupRule{
+							{
+								Protocol: iacTypes.StringTest("-1"),
+								FromPort: iacTypes.IntTest(0),
+								ToPort:   iacTypes.IntTest(0),
+								CIDRs:    []iacTypes.StringValue{iacTypes.StringTest("0.0.0.0/0")},
+							},
+						},
+					},
 				},
 				NetworkACLs: []ec2.NetworkACL{
 					{
@@ -156,17 +191,16 @@ func Test_AdaptVPC(t *testing.T) {
 		},
 		{
 			name: "defaults",
-			terraform: `
-			resource "aws_security_group" "example" {
-				ingress {
-				}
+			terraform: `resource "aws_security_group" "example" {
+  ingress {
+  }

-				egress {
-				}
-			  }
+  egress {
+  }
+}

-			resource "aws_network_acl_rule" "example" {
-			}
+resource "aws_network_acl_rule" "example" {
+}
 `,
 			expected: ec2.EC2{
 				SecurityGroups: []ec2.SecurityGroup{
@@ -214,8 +248,7 @@ func Test_AdaptVPC(t *testing.T) {
 		},
 		{
 			name: "aws_flow_log refer to locals",
-			terraform: `
-locals {
+			terraform: `locals {
  vpc_id = try(aws_vpc.this.id, "")
 }

@@ -239,8 +272,7 @@ resource "aws_flow_log" "this" {
 		},
 		{
 			name: "ingress and egress rules",
-			terraform: `
-resource "aws_security_group" "example" {
+			terraform: `resource "aws_security_group" "example" {
  name        = "example"
  description = "example"
 }
@@ -300,50 +332,51 @@ resource "aws_vpc_security_group_ingress_rule" "test" {

 func TestVPCLines(t *testing.T) {
 	src := `
-	resource "aws_default_vpc" "default" {
-	  }
+resource "aws_default_vpc" "default" {
+}

-	resource "aws_vpc" "main" {
-		cidr_block = "4.5.6.7/32"
-	  }
+resource "aws_vpc" "main" {
+  cidr_block = "4.5.6.7/32"
+}

-	resource "aws_security_group" "example" {
-		name        = "http"
-		description = "Allow inbound HTTP traffic"
-	  
-		ingress {
-		  description = "HTTP from VPC"
-		  from_port   = 80
-		  to_port     = 80
-		  protocol    = "tcp"
-		  cidr_blocks = [aws_vpc.main.cidr_block]
-		}
+resource "aws_security_group" "example" {
+  name        = "http"
+  description = "Allow inbound HTTP traffic"

-		egress {
-			cidr_blocks = ["1.2.3.4/32"]
-		}
-	  }
+  ingress {
+    description = "HTTP from VPC"
+    from_port   = 80
+    to_port     = 80
+    protocol    = "tcp"
+    cidr_blocks = [aws_vpc.main.cidr_block]
+  }

-	resource "aws_security_group_rule" "example" {
-		type              = "ingress"
-		security_group_id = aws_security_group.example.id
-		from_port         = 22
-		to_port           = 22
-		protocol          = "tcp"
-		cidr_blocks = [
-		  "1.2.3.4/32",
-		  "4.5.6.7/32",
-		]
-	  }
-	  
-	  resource "aws_network_acl_rule" "example" {
-		egress         = false
-		protocol       = "tcp"
-		from_port      = 22
-		to_port        = 22
-		rule_action    = "allow"
-		cidr_block     = "10.0.0.0/16"
-	}`
+  egress {
+    cidr_blocks = ["1.2.3.4/32"]
+  }
+}
+
+resource "aws_security_group_rule" "example" {
+  type              = "ingress"
+  security_group_id = aws_security_group.example.id
+  from_port         = 22
+  to_port           = 22
+  protocol          = "tcp"
+  cidr_blocks = [
+    "1.2.3.4/32",
+    "4.5.6.7/32",
+  ]
+}
+
+resource "aws_network_acl_rule" "example" {
+  egress      = false
+  protocol    = "tcp"
+  from_port   = 22
+  to_port     = 22
+  rule_action = "allow"
+  cidr_block  = "10.0.0.0/16"
+}
+`

 	modules := tftestutil.CreateModulesFromSource(t, src, ".tf")
 	adapted := Adapt(modules)