fix(misconf): correctly adapt azure storage account (#9138)

Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
2026-01-31 13:53:14 +08:00 · 2025-07-16 12:20:57 +06:00
parent 263845cfc1
commit 51aa022260
3 changed files with 59 additions and 20 deletions
--- a/pkg/iac/adapters/arm/storage/adapt.go
+++ b/pkg/iac/adapters/arm/storage/adapt.go
@@ -6,6 +6,7 @@ import (
 	"github.com/aquasecurity/trivy/pkg/iac/providers/azure/storage"
 	"github.com/aquasecurity/trivy/pkg/iac/scanners/azure"
 	"github.com/aquasecurity/trivy/pkg/iac/types"
+	xslices "github.com/aquasecurity/trivy/pkg/x/slices"
 )

 func Adapt(deployment azure.Deployment) storage.Storage {
@@ -18,20 +19,6 @@ func adaptAccounts(deployment azure.Deployment) []storage.Account {
 	var accounts []storage.Account
 	for _, resource := range deployment.GetResourcesByType("Microsoft.Storage/storageAccounts") {

-		acl := resource.Properties.GetMapValue("networkAcls")
-
-		var bypasses []types.StringValue
-		bypassProp := acl.GetMapValue("bypass")
-		for bypass := range strings.SplitSeq(bypassProp.AsString(), ",") {
-			bypasses = append(bypasses, types.String(strings.TrimSpace(bypass), bypassProp.GetMetadata()))
-		}
-
-		networkRule := storage.NetworkRule{
-			Metadata:       acl.GetMetadata(),
-			Bypass:         bypasses,
-			AllowByDefault: types.Bool(acl.GetMapValue("defaultAction").EqualTo("Allow"), acl.GetMetadata()),
-		}
-
 		var queues []storage.Queue
 		for _, queueResource := range resource.GetResourcesByType("queueServices/queues") {
 			queues = append(queues, storage.Queue{
@@ -50,15 +37,18 @@ func adaptAccounts(deployment azure.Deployment) []storage.Account {

 		account := storage.Account{
 			Metadata:     resource.Metadata,
-			NetworkRules: []storage.NetworkRule{networkRule},
-			EnforceHTTPS: resource.Properties.GetMapValue("supportsHttpsTrafficOnly").AsBoolValue(false, resource.Properties.GetMetadata()),
+			NetworkRules: xslices.ZeroToNil(adaptNetworkRules(resource)),
+			// The default value is true since API version 2019-04-01.
+			EnforceHTTPS: resource.Properties.GetMapValue("supportsHttpsTrafficOnly").AsBoolValue(true, resource.Properties.GetMetadata()),
 			Containers:   containers,
 			QueueProperties: storage.QueueProperties{
 				Metadata:      resource.Properties.GetMetadata(),
 				EnableLogging: types.BoolDefault(false, resource.Properties.GetMetadata()),
 			},
-			MinimumTLSVersion: resource.Properties.GetMapValue("minimumTlsVersion").AsStringValue("", resource.Properties.GetMetadata()),
-			Queues:            queues,
+			// The default interpretation is TLS 1.0 for this property.
+			MinimumTLSVersion: resource.Properties.GetMapValue("minimumTlsVersion").
+				AsStringValue("TLS1_0", resource.Properties.GetMetadata()),
+			Queues: queues,
 		}

 		publicNetworkAccess := resource.Properties.GetMapValue("publicNetworkAccess")
@@ -70,3 +60,41 @@ func adaptAccounts(deployment azure.Deployment) []storage.Account {
 	}
 	return accounts
 }
+
+func adaptNetworkRules(resource azure.Resource) []storage.NetworkRule {
+	defaultBypasses := []types.StringValue{types.StringDefault("AzureServices", resource.Metadata)}
+	acl := resource.Properties.GetMapValue("networkAcls")
+	if acl.IsNull() {
+		// default network rule
+		return []storage.NetworkRule{{
+			Metadata:       resource.Metadata,
+			Bypass:         defaultBypasses,
+			AllowByDefault: types.BoolDefault(true, resource.Metadata),
+		}}
+	}
+
+	bypassProp := acl.GetMapValue("bypass")
+	bypassVal := bypassProp.AsString()
+
+	var bypasses []types.StringValue
+	if bypassVal != "" {
+		// Possible values are any combination of Logging|Metrics|AzureServices (For example, "Logging, Metrics")
+		// See https://github.com/Azure/azure-resource-manager-schemas/blob/0cb6180c9646c91ca212de0e59568c00ee3a47ec/schemas/2021-01-01/Microsoft.Storage.json#L2379
+		for bypass := range strings.SplitSeq(bypassVal, ",") {
+			bypasses = append(bypasses, types.String(strings.TrimSpace(bypass), bypassProp.GetMetadata()))
+		}
+	} else {
+		bypasses = defaultBypasses
+	}
+
+	allowByDefault := types.Bool(true, acl.GetMetadata())
+	if defaultAction := acl.GetMapValue("defaultAction"); !defaultAction.IsNull() {
+		allowByDefault = types.Bool(defaultAction.EqualTo("Allow"), defaultAction.GetMetadata())
+	}
+
+	return []storage.NetworkRule{{
+		Metadata:       acl.GetMetadata(),
+		Bypass:         bypasses,
+		AllowByDefault: allowByDefault,
+	}}
+}
--- a/pkg/iac/adapters/arm/storage/adapt_test.go
+++ b/pkg/iac/adapters/arm/storage/adapt_test.go
@@ -26,8 +26,11 @@ func TestAdapt(t *testing.T) {
 }`,
 			expected: storage.Storage{
 				Accounts: []storage.Account{{
+					MinimumTLSVersion: types.StringTest("TLS1_0"),
+					EnforceHTTPS:      types.BoolTest(true),
 					NetworkRules: []storage.NetworkRule{{
-						Bypass: []types.StringValue{types.StringTest("")},
+						Bypass:         []types.StringValue{types.StringTest("AzureServices")},
+						AllowByDefault: types.BoolTest(true),
 					}},
 					PublicNetworkAccess: types.BoolTest(true),
 				}},
--- a/pkg/iac/scanners/azure/value.go
+++ b/pkg/iac/scanners/azure/value.go
@@ -288,7 +288,11 @@ func (v Value) GetMapValue(key string) Value {
 	if v.Kind != KindObject {
 		return NullValue
 	}
-	return v.rMap[key]
+	v, exists := v.rMap[key]
+	if !exists {
+		return NullValue
+	}
+	return v
 }

 func (v Value) AsMap() map[string]Value {
@@ -370,3 +374,7 @@ func (v Value) AsStringValuesList(defaultValue string) (stringValues []types.Str

 	return stringValues
 }
+
+func (v Value) IsNull() bool {
+	return v.Kind == KindNull
+}