Bug - Modernisation Platform - Terraform Static Analysis Scheduled Nightly Job failing.
Closed this issue · 4 comments
Expected Behavior
The nightly scheduled Terraform Static Analysis job should run successfully and present any rule failures.
Actual Behavior
This job is now failing with a number of issues:
- 1 instance of it not downloading the database:
2024-10-11T07:14:58.7045218Z Running Trivy in terraform/environments
...
2024-10-11T07:14:58.7052764Z 2024-10-11T07:05:17Z ERROR [vulndb] Failed to download artifact repo="ghcr.io/aquasecurity/trivy-db:2" err="oci download error: failed to fetch the layer: GET https://ghcr.io/v2/aquasecurity/trivy-db/blobs/sha256:d5984d994db8053be4c3cb88a0358784726280ff174ad24bb84b92138b8f4acb: TOOMANYREQUESTS: retry-after: 31.143µs, allowed: 44000/minute"
2024-10-11T07:14:58.7057231Z 2024-10-11T07:05:17Z FATAL Fatal error init error: DB error: failed to download vulnerability DB: OCI artifact error: failed to download vulnerability DB: failed to download artifact from any source
2024-10-11T07:14:58.7059255Z trivy_exitcode=1
- ~83 instances of Trivy not liking some for_each blocks:
2024-10-11T07:14:58.7076740Z Running Trivy in terraform/environments/analytical-platform-compute
...
2024-10-11T07:14:58.7097915Z 2024-10-11T07:05:22Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.ram-ec2-retagging[0].data.aws_subnet.host" value="cty.NilVal"
...
2024-10-11T07:14:58.7101841Z trivy_exitcode=2
- A couple of actual failures:
2024-10-11T07:14:58.9104770Z modules/repository/main.tf (terraform)
2024-10-11T07:14:58.9104858Z ======================================
2024-10-11T07:14:58.9105024Z Tests: 14 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 13)
2024-10-11T07:14:58.9105130Z Failures: 1 (HIGH: 1, CRITICAL: 0)
2024-10-11T07:14:58.9105134Z
2024-10-11T07:14:58.9105317Z HIGH: Branch protection does not require signed commits.
2024-10-11T07:14:58.9105523Z ════════════════════════════════════════
2024-10-11T07:14:58.9105753Z GitHub branch protection should be set to require signed commits.
2024-10-11T07:14:58.9105758Z
2024-10-11T07:14:58.9106300Z You can do this by setting the require_signed_commits attribute to 'true'.
2024-10-11T07:14:58.9106306Z
2024-10-11T07:14:58.9106435Z
2024-10-11T07:14:58.9106647Z See https://avd.aquasec.com/misconfig/avd-git-0004
2024-10-11T07:14:58.9106825Z ────────────────────────────────────────
2024-10-11T07:14:58.9107011Z modules/repository/main.tf:62
2024-10-11T07:14:58.9107381Z via modules/repository/main.tf:56-77 (github_branch_protection.default)
2024-10-11T07:14:58.9107707Z via repositories.tf:239-260 (module.modernisation-platform-environments)
2024-10-11T07:14:58.9107868Z ────────────────────────────────────────
2024-10-11T07:14:58.9108035Z 56 resource "github_branch_protection" "default" {
2024-10-11T07:14:58.9108112Z ..
2024-10-11T07:14:58.9108526Z 62 [ require_signed_commits = var.name == "modernisation-platform-environments" ? false : true
2024-10-11T07:14:58.9108604Z ..
2024-10-11T07:14:58.9108681Z 77 }
2024-10-11T07:14:58.9108843Z ────────────────────────────────────────
2024-10-11T07:14:58.9108848Z
2024-10-11T07:14:58.9108864Z
2024-10-11T07:14:58.9108951Z trivy_exitcode=3
Steps to Reproduce the Problem
The nightly scheduled run has been failing all week and the errors are reproducible when run manually.
Version
No response
Modules
No response
Account
No response
Further information from @connormaglynn
That for-each seems like it's a red herring :redherring: since it shows as exitcode=0 on a successful run :white_tick:
2024-10-02T07:42:20.0550349Z Running Trivy in terraform/environments/ccms-ebs
2024-10-02T07:42:20.0550737Z 2024-10-02T07:33:19Z INFO [vuln] Vulnerability scanning is enabled
2024-10-02T07:42:20.0551041Z 2024-10-02T07:33:19Z INFO [misconfig] Misconfiguration scanning is enabled
2024-10-02T07:42:20.0551272Z 2024-10-02T07:33:19Z INFO [secret] Secret scanning is enabled
2024-10-02T07:42:20.0551759Z 2024-10-02T07:33:19Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-02T07:42:20.0552462Z 2024-10-02T07:33:19Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.55/docs/scanner/secret#recommendation for faster secret detection
2024-10-02T07:42:20.0552779Z 2024-10-02T07:33:19Z INFO [terraform scanner] Scanning root module file_path="."
2024-10-02T07:42:20.0553578Z 2024-10-02T07:33:19Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-10-02T07:42:20.0554479Z 2024-10-02T07:33:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.ram-ec2-retagging[0].data.aws_subnet.host" value="cty.NilVal"
2024-10-02T07:42:20.0554866Z 2024-10-02T07:33:19Z INFO Number of language-specific files num=0
2024-10-02T07:42:20.0555061Z 2024-10-02T07:33:19Z INFO Detected config files num=1
2024-10-02T07:42:20.0555153Z trivy_exitcode=0
My guess would be that it's just those new errors that need fixing :spanner:
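The exit-code observation above is the useful triage signal in this log: the same `[terraform evaluator]` for-each error appears in runs that exit 0 and in runs that exit 2, so grepping for the error string alone over-reports. The script below is an added example, not code from the issue or the modernisation-platform repository. It splits a GitHub Actions log into per-directory Trivy runs (each delimited by `Running Trivy in <dir>` and `trivy_exitcode=N`, as the job's log shows) and classifies each run from the exit code plus what was logged inside it. The mapping of exit codes to causes (1 = DB download failed, 2 = evaluator errors, 3 = rule failures, 0 = clean even with evaluator noise) is inferred from the excerpts on this page, not from Trivy's documentation, and the sample log is constructed and condensed from those excerpts.

```python
"""Triage per-directory Trivy runs in a GitHub Actions log (added example)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample, condensed from the log excerpts in the issue.
SAMPLE_LOG = """\
2024-10-11T07:14:58.7045218Z Running Trivy in terraform/environments
2024-10-11T07:14:58.7052764Z 2024-10-11T07:05:17Z ERROR [vulndb] Failed to download artifact repo="ghcr.io/aquasecurity/trivy-db:2" err="oci download error: TOOMANYREQUESTS: retry-after: 31.143µs, allowed: 44000/minute"
2024-10-11T07:14:58.7057231Z 2024-10-11T07:05:17Z FATAL Fatal error init error: DB error: failed to download vulnerability DB
2024-10-11T07:14:58.7059255Z trivy_exitcode=1
2024-10-11T07:14:58.7076740Z Running Trivy in terraform/environments/analytical-platform-compute
2024-10-11T07:14:58.7097915Z 2024-10-11T07:05:22Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.ram-ec2-retagging[0].data.aws_subnet.host" value="cty.NilVal"
2024-10-11T07:14:58.7101841Z trivy_exitcode=2
2024-10-02T07:42:20.0550349Z Running Trivy in terraform/environments/ccms-ebs
2024-10-02T07:42:20.0554479Z 2024-10-02T07:33:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.ram-ec2-retagging[0].data.aws_subnet.host" value="cty.NilVal"
2024-10-02T07:42:20.0555153Z trivy_exitcode=0
2024-10-11T07:14:58.9104770Z Running Trivy in modules/repository
2024-10-11T07:14:58.9105317Z HIGH: Branch protection does not require signed commits.
2024-10-11T07:14:58.9106647Z See https://avd.aquasec.com/misconfig/avd-git-0004
2024-10-11T07:14:58.9108951Z trivy_exitcode=3
"""

# GitHub Actions prefixes every line with an ISO timestamp; strip it first.
_TS_PREFIX = re.compile(r"^\d{4}-\d{2}-\d{2}T[\d:.]+Z ")
_RUN_START = re.compile(r"^Running Trivy in (\S+)$")
_RUN_END = re.compile(r"^trivy_exitcode=(\d+)$")
_FINDING = re.compile(r"^(CRITICAL|HIGH|MEDIUM|LOW): (.+)$")
_AVD_ID = re.compile(r"avd-[a-z0-9]+-\d{4}", re.IGNORECASE)
_FOR_EACH = re.compile(r"ERROR \[terraform evaluator\] Failed to expand block")
_DB_FAIL = re.compile(r"ERROR \[vulndb\] Failed to download|failed to download vulnerability DB")


@dataclass
class TrivyRun:
    directory: str
    exit_code: Optional[int] = None          # None if the log was cut off
    findings: list = field(default_factory=list)   # rule failure headlines
    avd_ids: list = field(default_factory=list)    # e.g. AVD-GIT-0004
    evaluator_errors: int = 0                # for-each expansion errors
    db_download_failed: bool = False


def parse_runs(log: str) -> list:
    """Split the job log into one TrivyRun per 'Running Trivy in' section."""
    runs, current = [], None
    for raw in log.splitlines():
        line = _TS_PREFIX.sub("", raw.rstrip())
        start = _RUN_START.match(line)
        if start:
            current = TrivyRun(directory=start.group(1))
            runs.append(current)
            continue
        if current is None:
            continue  # preamble before the first run
        end = _RUN_END.match(line)
        if end:
            current.exit_code = int(end.group(1))
            current = None
            continue
        finding = _FINDING.match(line)
        if finding:
            current.findings.append(finding.group(2))
        for avd in _AVD_ID.findall(line):
            if avd.upper() not in current.avd_ids:
                current.avd_ids.append(avd.upper())
        if _FOR_EACH.search(line):
            current.evaluator_errors += 1
        if _DB_FAIL.search(line):
            current.db_download_failed = True
    return runs


def classify(run: TrivyRun) -> str:
    """Verdict from exit code plus log content; exit 0 wins even with evaluator noise."""
    if run.db_download_failed or run.exit_code == 1:
        return "db-download-failed"
    if run.exit_code == 0:
        return "ok-with-evaluator-noise" if run.evaluator_errors else "ok"
    if run.findings or run.exit_code == 3:
        return "rule-failures"
    if run.evaluator_errors or run.exit_code == 2:
        return "evaluator-error"
    return "unknown"


def summarise(log: str) -> dict:
    return {run.directory: classify(run) for run in parse_runs(log)}


def needs_attention(log: str) -> list:
    """Directories whose run did not end cleanly, in log order."""
    return [d for d, v in summarise(log).items() if not v.startswith("ok")]


if __name__ == "__main__":
    for directory, verdict in summarise(SAMPLE_LOG).items():
        print(f"{verdict:<24} {directory}")
```

Run it against a full job log piped from `gh run view --log` (or a saved log) by replacing `SAMPLE_LOG` with the file contents; directories that only report `ok-with-evaluator-noise` are the ones the comment above identifies as safe to leave, while `db-download-failed` points at the registry rate limit rather than the Terraform code.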
Added an ignore for AVD-GIT-0004 (#8246) but the for-each errors are still occurring, though all with 0 as the exitcode. See https://github.com/ministryofjustice/modernisation-platform/actions/runs/11291228740/job/31404717096
Another failure of this job - https://github.com/ministryofjustice/modernisation-platform/actions/runs/11434921306/job/31830151972
Closed as using cached Trivy DB.