bug(aws): vpc peering route table with unrestricted cidr false-positive #6973
Comments
Hi @Szakalakamaka, Thank you for your inputs! (APPSEC-2449)

Hi @Szakalakamaka, Our AppSec team is requesting the following: Thank you again.
Judging by the example code you are trying to stop people adding a 0.0.0.0/0 route via a peer connect (which I do not think will work anyway, as the peer connect only routes IPs within the VPC CIDR ranges), but this alert is being triggered if any route in the same route table as a peer connect is for 0.0.0.0/0. This triggers KICS even though the route is not tied to the peer connect.
Hi @Szakalakamaka @tnt-anthony-williams, During my evaluation, I conducted testing across different versions of KICS to assess the presence of false positives (FPs).

KICS Versions Tested:

Test Files:

Testing Results:

Conclusion: Thanks for the information provided so far and for your patience!
This simple file triggers the false positive:

KICS run:
Hi @Szakalakamaka @tnt-anthony-williams, We have merged the PR that addresses the false positive issue you reported. This should resolve the problem as described. However, if you encounter any further issues, please feel free to re-open this issue or create a new one if necessary. Thank you for your contribution and feedback!
It seems that the issue may stem from the query found at this link, which likely scans every AWS route. Consequently, it may flag route tables associated with Internet Gateway (IGW) and NAT Gateway configurations, which are expected to have 0.0.0.0/0 blocks, as instances of "VPC Peering Route Table with Unrestricted CIDR." This leads to false-positive findings across all VPCs by default.
Expected Behavior

Ideally, the vulnerability detection should only occur for route tables specifically designated for VPC peering.

Actual Behavior

Despite not utilizing VPC peering, the detection of "VPC Peering Route Table with Unrestricted CIDR" persists.

Steps to Reproduce the Problem

Specifications
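The per-route check this report asks for, as an added example (Python written for this page, not the KICS query or its Rego code): it walks Terraform resources expressed in Terraform's JSON syntax and contrasts the behaviour described above (any 0.0.0.0/0 route is flagged, so IGW and NAT Gateway defaults trip the rule) with a check that only flags an unrestricted route whose own target is a VPC peering connection. The sample configuration is constructed for the example; resource names and IDs such as `pcx-example` are placeholders, and `load_sample`, `naive_findings` and `peering_findings` are helper names chosen here.

```python
"""Per-route 'VPC peering route with unrestricted CIDR' check.

Added illustration for this issue, not KICS's own query. Input is a
Terraform configuration in JSON syntax (the structure produced by
`terraform show -json` is similar but not identical).
"""
import ipaddress
import json

# Constructed sample: a public route table whose 0.0.0.0/0 route goes to an
# Internet Gateway and whose peering route is restricted, a standalone NAT
# default route, and one genuinely unrestricted peering route.
SAMPLE_TF_JSON = r'''
{
  "resource": {
    "aws_route_table": {
      "public": {
        "vpc_id": "vpc-example",
        "route": [
          {"cidr_block": "0.0.0.0/0", "gateway_id": "igw-example"},
          {"cidr_block": "10.1.0.0/16", "vpc_peering_connection_id": "pcx-example"}
        ]
      }
    },
    "aws_route": {
      "to_nat": {
        "route_table_id": "rtb-example",
        "destination_cidr_block": "0.0.0.0/0",
        "nat_gateway_id": "nat-example"
      },
      "to_peer_open": {
        "route_table_id": "rtb-example",
        "destination_cidr_block": "0.0.0.0/0",
        "vpc_peering_connection_id": "pcx-example"
      }
    }
  }
}
'''


def load_sample() -> dict:
    """Parse the constructed sample configuration."""
    return json.loads(SAMPLE_TF_JSON)


def _is_unrestricted(cidr: str) -> bool:
    """True for a prefix covering every address (0.0.0.0/0 or ::/0)."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False


def iter_routes(tf: dict):
    """Yield (location, cidr, targets_peering) for every route in the config.

    Standalone aws_route resources use destination_cidr_block; inline route
    blocks inside aws_route_table use cidr_block. Both carry the peering
    target as vpc_peering_connection_id.
    """
    resources = tf.get("resource", {})
    for name, body in resources.get("aws_route", {}).items():
        cidr = body.get("destination_cidr_block") or body.get("destination_ipv6_cidr_block")
        yield f"aws_route.{name}", cidr, "vpc_peering_connection_id" in body
    for name, body in resources.get("aws_route_table", {}).items():
        for i, route in enumerate(body.get("route", [])):
            cidr = route.get("cidr_block") or route.get("ipv6_cidr_block")
            yield f"aws_route_table.{name}.route[{i}]", cidr, "vpc_peering_connection_id" in route


def naive_findings(tf: dict) -> list:
    """Flag every unrestricted route regardless of target (the reported false positive)."""
    return [loc for loc, cidr, _ in iter_routes(tf) if cidr and _is_unrestricted(cidr)]


def peering_findings(tf: dict) -> list:
    """Flag only unrestricted routes whose own target is a VPC peering connection."""
    return [loc for loc, cidr, peering in iter_routes(tf)
            if peering and cidr and _is_unrestricted(cidr)]


if __name__ == "__main__":
    cfg = load_sample()
    print("naive  :", naive_findings(cfg))
    print("peering:", peering_findings(cfg))
```

On the sample, the naive check reports the IGW route, the NAT route and the peering route (three findings, two of them the expected defaults the report describes), while the per-route check reports only `aws_route.to_peer_open`. The decision is made on each route's own target rather than on whether a peering route exists anywhere in the same table, which is the distinction the comment about "any route in the same route table as a peer connect" draws.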