
Security policy priority ordering fails when "Malicious Packages" type rule has higher priority than "Vulnerability" type rule. #265

Closed
3 tasks done
EitanJoseph opened this issue Nov 4, 2024 · 3 comments · Fixed by #268
Assignees
Labels
bug Something isn't working

Comments


EitanJoseph commented Nov 4, 2024

Describe the bug
Terraform: 1.9.8
Artifactory: 7.59.9
Xray: 3.74.8

Providers:
jfrog/xray version: 2.13.0
jfrog/artifactory version: 12.3.2

When creating a security policy, the provider fails when there is a "Malicious Packages" type rule with higher priority than a "Vulnerability" type rule for the same policy. See the example below:

resource "xray_security_policy" "security_review" {
  name        = "security-policy"
  description = "Security policy description"
  type        = "security"

  rule {
    name     = "malicious_packages"
    priority = 1

    criteria {
      malicious_package = true
    }

    actions {
      webhooks                           = ["AdoWebhookTest"]
      block_release_bundle_distribution  = false
      block_release_bundle_promotion     = false
      fail_build                         = false
      notify_watch_recipients            = false
      notify_deployer                    = false
      create_ticket_enabled              = false
      build_failure_grace_period_in_days = 0

      block_download {
        unscanned = false
        active    = true
      }
    }
  }

  rule {
    name     = "any_high_and_critical"
    priority = 2

    criteria {
      min_severity = "High"
    }

    actions {
      webhooks                           = ["AdoWebhookTest"]
      block_release_bundle_distribution  = false
      block_release_bundle_promotion     = false
      fail_build                         = false
      notify_watch_recipients            = false
      notify_deployer                    = false
      create_ticket_enabled              = false
      build_failure_grace_period_in_days = 0

      block_download {
        unscanned = false
        active    = true
      }
    }
  }
}

The reason I believe this to be a bug: if you were to swap the priorities, setting the "Vulnerabilities" rule to priority 1 and the "Malicious Packages" rule to priority 2, then the provider will work. The JFrog UI allows either priority ordering, and as such the provider should also handle both.

Requirements for an issue

  • A fully functioning terraform snippet that can be copy&pasted (no outside files or ENV vars unless that's part of the issue)
  • Your version of Artifactory and Xray (you can curl the Artifactory version at $host/artifactory/api/system/version and the Xray version at $host/xray/api/v1/system/version)
  • Your version of terraform

Expected behavior
You should be able to update or create a new policy with any ordering of priorities for rules.

Additional context
N/A
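The "planned set element ... does not correlate with any element in actual" error quoted later in this thread comes from Terraform comparing the planned `rule` set with what the provider reads back after apply. The following is an added illustration (not code from the jfrog/xray provider) of that order-independent set comparison and of a priority sanity check that accepts both orderings from the report; the rule dictionaries are constructed here to mirror the issue's two rules.

```python
"""Order-independent comparison of planned vs. actual Xray security-policy rules.
Added illustration only; the jfrog/xray provider's real read/compare logic differs."""

# Constructed: the two rules from the issue's snippet as the plan sees them
# (fields taken from the quoted error output: malicious rule has a null
# min_severity, vulnerability rule has malicious_package = false).
MALICIOUS = {"name": "malicious_packages", "priority": 1,
             "criteria": {"malicious_package": True, "min_severity": None}}
VULN = {"name": "any_high_and_critical", "priority": 2,
        "criteria": {"malicious_package": False, "min_severity": "High"}}


def canonical(rule):
    """Reduce a rule to a hashable key. Terraform treats `rule` blocks as a
    set, so list position is irrelevant; only field values decide a match."""
    crit = rule["criteria"]
    return (rule["name"], rule["priority"],
            bool(crit.get("malicious_package")), crit.get("min_severity"))


def validate_priorities(rules):
    """Sanity check before apply: priorities must be unique positive integers.
    Which rule type gets priority 1 is deliberately not checked, because the
    JFrog UI accepts either ordering and so should the provider."""
    prios = [r["priority"] for r in rules]
    if any(not isinstance(p, int) or p < 1 for p in prios):
        return False
    return len(prios) == len(set(prios))


def uncorrelated(planned, actual):
    """Return names of planned rules that match no rule in `actual`: exactly the
    elements Terraform reports as 'does not correlate with any element in actual'."""
    actual_keys = {canonical(r) for r in actual}
    return [r["name"] for r in planned if canonical(r) not in actual_keys]


def swap_priorities(a, b):
    """Build the alternative ordering from the report (vulnerability rule first)."""
    return ({**a, "priority": b["priority"]}, {**b, "priority": a["priority"]})


if __name__ == "__main__":
    print(validate_priorities([MALICIOUS, VULN]))          # True
    print(validate_priorities(swap_priorities(MALICIOUS, VULN)))  # True
    print(uncorrelated([MALICIOUS, VULN], [VULN, MALICIOUS]))     # []
    # Constructed drift: the read-back policy is missing the malicious rule.
    print(uncorrelated([MALICIOUS, VULN], [VULN]))         # ['malicious_packages']
```

Running the same comparison against the policy the Xray API actually returns after apply is the quickest way to tell whether the provider's read step or the API response is dropping or altering a rule.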

@EitanJoseph EitanJoseph added the bug Something isn't working label Nov 4, 2024
Member

alexhung commented Nov 4, 2024

@EitanJoseph Thanks for the report! I agree that the ordering shouldn't matter. Let me investigate if this is an API issue.

Member

alexhung commented Nov 6, 2024

@EitanJoseph What's the error message (or logs) when the provider fails? Can you share?

@alexhung alexhung added the question Further information is requested label Nov 6, 2024
Author

EitanJoseph commented Nov 7, 2024

@EitanJoseph What's the error message (or logs) when the provider fails? Can you share?

Using that code snippet the error message I'm getting is:

 Error: Provider produced inconsistent result after apply


 When applying changes to xray_security_policy.security_review, provider "provider[\"registry.terraform.io/jfrog/xray\"]" produced an unexpected new value: .rule: planned set element
 cty.ObjectVal(map[string]cty.Value{"actions":cty.SetVal([]cty.Value{cty.ObjectVal(map[string]cty.Value{"block_download":cty.SetVal([]cty.Value{cty.ObjectVal(map[string]cty.Value{"active":cty.True,
 "unscanned":cty.False})}), "block_release_bundle_distribution":cty.False, "block_release_bundle_promotion":cty.False, "build_failure_grace_period_in_days":cty.NumberIntVal(0),
 "create_ticket_enabled":cty.False, "fail_build":cty.False, "mails":cty.NullVal(cty.Set(cty.String)), "notify_deployer":cty.False, "notify_watch_recipients":cty.False,
 "webhooks":cty.SetVal([]cty.Value{cty.StringVal("AdoWebhookTest")})})}), "criteria":cty.SetVal([]cty.Value{cty.ObjectVal(map[string]cty.Value{"applicable_cves_only":cty.False,
 "cvss_range":cty.ListValEmpty(cty.Object(map[string]cty.Type{"from":cty.Number, "to":cty.Number})), "exposures":cty.ListValEmpty(cty.Object(map[string]cty.Type{"applications":cty.Bool,
 "iac":cty.Bool, "min_severity":cty.String, "secrets":cty.Bool, "services":cty.Bool})), "fix_version_dependant":cty.False, "malicious_package":cty.False, "min_severity":cty.StringVal("High"),  
 "package_name":cty.NullVal(cty.String), "package_type":cty.NullVal(cty.String), "package_versions":cty.NullVal(cty.Set(cty.String)), "vulnerability_ids":cty.NullVal(cty.Set(cty.String))})}),  
 "name":cty.StringVal("any_high_and_critical"), "priority":cty.NumberIntVal(2)}) does not correlate with any element in actual.


 This is a bug in the provider, which should be reported in the provider's own issue tracker.

 Error: Provider produced inconsistent result after apply


 When applying changes to xray_security_policy.security_review, provider "provider[\"registry.terraform.io/jfrog/xray\"]" produced an unexpected new value: .rule: planned set element
 cty.ObjectVal(map[string]cty.Value{"actions":cty.SetVal([]cty.Value{cty.ObjectVal(map[string]cty.Value{"block_download":cty.SetVal([]cty.Value{cty.ObjectVal(map[string]cty.Value{"active":cty.True,
 "unscanned":cty.False})}), "block_release_bundle_distribution":cty.False, "block_release_bundle_promotion":cty.False, "build_failure_grace_period_in_days":cty.NumberIntVal(0),
 "create_ticket_enabled":cty.False, "fail_build":cty.False, "mails":cty.NullVal(cty.Set(cty.String)), "notify_deployer":cty.False, "notify_watch_recipients":cty.False,
 "webhooks":cty.SetVal([]cty.Value{cty.StringVal("AdoWebhookTest")})})}), "criteria":cty.SetVal([]cty.Value{cty.ObjectVal(map[string]cty.Value{"applicable_cves_only":cty.False,
 "cvss_range":cty.ListValEmpty(cty.Object(map[string]cty.Type{"from":cty.Number, "to":cty.Number})), "exposures":cty.ListValEmpty(cty.Object(map[string]cty.Type{"applications":cty.Bool,
 "iac":cty.Bool, "min_severity":cty.String, "secrets":cty.Bool, "services":cty.Bool})), "fix_version_dependant":cty.False, "malicious_package":cty.True, "min_severity":cty.NullVal(cty.String), 
 "package_name":cty.NullVal(cty.String), "package_type":cty.NullVal(cty.String), "package_versions":cty.NullVal(cty.Set(cty.String)), "vulnerability_ids":cty.NullVal(cty.Set(cty.String))})}),  
 "name":cty.StringVal("malicious_packages"), "priority":cty.NumberIntVal(1)}) does not correlate with any element in actual.


 This is a bug in the provider, which should be reported in the provider's own issue tracker.

@alexhung alexhung removed the question Further information is requested label Nov 7, 2024
alexhung added a commit that referenced this issue Nov 11, 2024
Fix unknown value error when creating new security policy