
bug(terraform): false positive for SQLDatabaseSSLDisabled in google terraform provider >=6.0.1 #7263

@henrythor

Description

Expected Behavior

A google_sql_database_instance with settings.ip_configuration[].ssl_mode set to "TRUSTED_CLIENT_CERTIFICATE_REQUIRED" or "ENCRYPTED_ONLY" should be a negative. settings.ip_configuration[].require_ssl is deprecated and removed from provider as of version 6.0.1.

Actual Behavior

KICS is looking for the deprecated attribute settings.ip_configuration[].require_ssl and returning a false positive in its absence.

Steps to Reproduce the Problem

Use the following file:

resource "google_sql_database_instance" "psql" {
  name             = "test-psql-database"
  region           = "europe-west1"
  database_version = "POSTGRES_15"
  project          = "my-project"

  settings {
    activation_policy = "ALWAYS"
    availability_type = "REGIONAL"
    disk_autoresize   = true

    ip_configuration {
      ipv4_enabled                                  = false
      private_network                               = var.vpc_id
      enable_private_path_for_google_cloud_services = true
      ssl_mode                                      = "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"
    }
    backup_configuration {
      binary_log_enabled             = var.binary_log_enabled
      enabled                        = var.backup_enabled
      location                       = var.region
      point_in_time_recovery_enabled = var.point_in_time_recovery_enabled
      start_time                     = var.backup_start_time
      transaction_log_retention_days = var.transaction_log_retention_days

      backup_retention_settings {
        retained_backups = var.retained_backups
      }
    }
  }
}

Run the following command:

docker run -t -v $PWD:/path checkmarx/kics:latest scan -p /path -o "/path/"

Get the following output:

...
Scanning with Keeping Infrastructure as Code Secure v2.1.2


Preparing Scan Assets: Done                                                                                             
Executing queries: [---------------------------------------------------] 100.00%



SQL DB Instance With SSL Disabled, Severity: HIGH, Results: 1
Description: Cloud SQL Database Instance should have SSL enabled
Platform: Terraform
Learn more about this vulnerability: https://docs.kics.io/latest/queries/terraform-queries/gcp/02474449-71aa-40a1-87ae-e14497747b00

	[1]: ../../path/cloud_sql.tf:13

		012: 
		013:     ip_configuration {
		014:       ipv4_enabled                                  = false



Results Summary:
CRITICAL: 0
HIGH: 1
MEDIUM: 0
LOW: 0
INFO: 0
TOTAL: 1

Generating Reports: Done       

Specifications

N/A
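A hardened version of the check this report describes, written here as an added Python example (not KICS's own Rego query): it accepts either the deprecated require_ssl = true (provider < 6.0.1) or a restrictive ssl_mode (provider >= 6.0.1) as "SSL enforced" and flags everything else. The dict layout and the sample resources are constructed for the example; ALLOW_UNENCRYPTED_AND_ENCRYPTED is the provider's permissive ssl_mode value and is not quoted from the report.

```python
"""Hardened SQLDatabaseSSLDisabled check handling both provider generations.

Nested Terraform blocks are modelled as lists of dicts, mirroring the JSON
form Terraform emits (hence the report's settings.ip_configuration[] path).
"""

# ssl_mode values that enforce TLS: the two named in the report.
SSL_ENFORCING_MODES = {"ENCRYPTED_ONLY", "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"}


def ssl_enforced(ip_config: dict) -> bool:
    """True when this ip_configuration block enforces TLS on connections."""
    mode = ip_config.get("ssl_mode")
    if mode is not None:
        # Design choice for this example: the new attribute wins when both
        # are present; the permissive mode is a finding.
        return mode in SSL_ENFORCING_MODES
    # Fall back to the deprecated attribute for older provider versions.
    return ip_config.get("require_ssl") is True


def find_ssl_disabled(resources: dict) -> list:
    """Names of google_sql_database_instance resources where at least one
    ip_configuration block does not enforce TLS, or no block exists."""
    findings = []
    for name, body in resources.get("google_sql_database_instance", {}).items():
        ip_configs = [c for s in body.get("settings", [])
                      for c in s.get("ip_configuration", [])]
        if not ip_configs or not all(ssl_enforced(c) for c in ip_configs):
            findings.append(name)
    return findings


# Constructed sample: the report's resource plus three variants.
SAMPLE = {
    "google_sql_database_instance": {
        "psql": {"settings": [{"ip_configuration": [
            {"ipv4_enabled": False,
             "ssl_mode": "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"}]}]},
        "legacy_ok": {"settings": [{"ip_configuration": [
            {"require_ssl": True}]}]},
        "permissive": {"settings": [{"ip_configuration": [
            {"ssl_mode": "ALLOW_UNENCRYPTED_AND_ENCRYPTED"}]}]},
        "no_block": {"settings": [{}]},
    }
}

if __name__ == "__main__":
    print(find_ssl_disabled(SAMPLE))  # ['permissive', 'no_block']
```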

Labels: bug (Something isn't working), community (Community contribution), docker (Docker query), gcp (PR related with GCP Cloud), query (New query feature), terraform (Terraform query)