bridgecrewio / checkov

Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.
https://www.checkov.io/
Apache License 2.0

CKV_AWS_192 raises an error when run it with terraform_plan framework flag #2093

Closed KrasimirNikolovTide closed 2 years ago

KrasimirNikolovTide commented 2 years ago

Describe the bug
When I run checkov with the terraform_plan framework I receive this error:

Traceback (most recent call last):
  File "/usr/bin/checkov", line 9, in <module>
    sys.exit(run())
  File "/usr/lib/python3.9/site-packages/checkov/main.py", line 208, in run
    scan_reports = runner_registry.run(root_folder=root_folder, external_checks_dir=external_checks_dir,
  File "/usr/lib/python3.9/site-packages/checkov/common/runners/runner_registry.py", line 59, in run
    reports = [self.runners[0].run(root_folder, external_checks_dir=external_checks_dir, files=files,
  File "/usr/lib/python3.9/site-packages/checkov/terraform/plan_runner.py", line 67, in run
    self.check_tf_definition(report, runner_filter)
  File "/usr/lib/python3.9/site-packages/checkov/terraform/plan_runner.py", line 93, in check_tf_definition
    self.run_block(definition[block_type], full_file_path, report, scanned_file,
  File "/usr/lib/python3.9/site-packages/checkov/terraform/plan_runner.py", line 109, in run_block
    results = registry.scan(scanned_file, entity, [], runner_filter)
  File "/usr/lib/python3.9/site-packages/checkov/common/checks/base_check_registry.py", line 121, in scan
    result = self.run_check(check, entity_configuration, entity_name, entity_type, scanned_file, skip_info)
  File "/usr/lib/python3.9/site-packages/checkov/common/checks/base_check_registry.py", line 135, in run_check
    result = check.run(
  File "/usr/lib/python3.9/site-packages/checkov/common/checks/base_check.py", line 75, in run
    raise e
  File "/usr/lib/python3.9/site-packages/checkov/common/checks/base_check.py", line 62, in run
    check_result["result"] = self.scan_entity_conf(entity_configuration, entity_type)
  File "/usr/lib/python3.9/site-packages/checkov/terraform/checks/resource/base_resource_check.py", line 27, in scan_entity_conf
    return self.scan_resource_conf(conf)
  File "/usr/lib/python3.9/site-packages/checkov/terraform/checks/resource/aws/WAFACLCVE202144228.py", line 27, in scan_resource_conf
    if managed_group[0].get("name") == ["AWSManagedRulesKnownBadInputsRuleSet"]:
  File "/usr/lib/python3.9/site-packages/checkov/common/parsers/node.py", line 183, in __getattr__
    raise TemplateAttributeError(f'{self.__name__}.{name} is invalid')
checkov.common.parsers.node.TemplateAttributeError: <function ListNode.__name__ at 0x7f295099e1f0>.get is invalid

To Reproduce
You can use this snippet in order to do that:

resource "aws_wafv2_web_acl" "main" {
  name  = "${local.common_vars.environment}-${local.common_vars.country}-main"
  scope = "REGIONAL"
  custom_response_body {
    key          = "main-response-body"
    content      = "BLOCKED BY AWS WAF"
    content_type = "TEXT_PLAIN"
  }
  default_action {
    # Allow traffic unless it is blocked by a rule
    allow {}
  }

  rule {
    name     = "aws-managed-known-bad-inputs"
    priority = 1
    override_action {
      none {}
    }
    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesKnownBadInputsRuleSet"
        vendor_name = "AWS"
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "aws-managed-known-bad-inputs"
      sampled_requests_enabled   = true
    }
  }

  rule {
    name     = "aws-managed-common-rule-set"
    priority = 2
    override_action {
      none {}
    }
    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
        excluded_rule {
          name = "SizeRestrictions_BODY"
        }
        excluded_rule {
          name = "CrossSiteScripting_COOKIE"
        }
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "aws-managed-common-rule-set"
      sampled_requests_enabled   = true
    }
  }

  rule {
    name     = "rate-limit-ip"
    priority = 3

    action {
      block {}
    }

    statement {
      rate_based_statement {
        limit              = 1000
        aggregate_key_type = "IP"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "rate-limit-ip"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "all"
    sampled_requests_enabled   = false
  }

  tags = {
    Name        = "${local.common_vars.environment}-${local.common_vars.country}-main"
    Description = "rules derived from AWSManagedRulesCommonRuleSet"
  }
}

1. terraform plan -out test_output
2. terraform show -json test_output | jq '.' > test_output.json
3. checkov --framework=terraform_plan -d .

Expected behavior
Failed or Passed, not raising a Python error

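The traceback shows why the scan aborts: the check indexes `managed_group[0]` and calls `.get("name")` on it, but under the terraform_plan framework that element is a ListNode rather than a DictNode, so the whole run dies instead of producing a FAILED/PASSED verdict. The example below is an added, self-contained illustration of a shape-tolerant way to write the logic behind CKV_AWS_192 (does the `aws_wafv2_web_acl` attach `AWSManagedRulesKnownBadInputsRuleSet`?). It is not checkov's own code or its eventual fix. The two input shapes it models are an assumption drawn from the traceback: the HCL parser wraps nested blocks and attribute values in one-element lists (hence the original comparison against `["AWSManagedRulesKnownBadInputsRuleSet"]`), while the plan runner handed the check a list of lists. All sample configurations are constructed for the example.

```python
"""
Shape-tolerant model of the CKV_AWS_192 decision (added example, not checkov code).

Assumed input shapes:
  * HCL-style: every nested block is a list of dicts and every attribute value
    is a one-element list, e.g. {"name": ["x"], "rule": [{...}]}.
  * plan-style: like HCL-style, but a block value may arrive wrapped one level
    deeper (a list of lists), which is what the ListNode.get crash above shows.
A check should return a verdict for any of these, never raise.
"""
from typing import Any, Iterator

PASSED = "PASSED"
FAILED = "FAILED"
REQUIRED_RULE_SET = "AWSManagedRulesKnownBadInputsRuleSet"


def _as_blocks(value: Any) -> Iterator[dict]:
    """Yield every dict reachable from value, flattening lists of any depth.

    Scalars, None and unexpected types yield nothing, so a malformed or
    missing block simply contributes no candidates instead of raising."""
    if isinstance(value, dict):
        yield value
    elif isinstance(value, list):
        for item in value:
            yield from _as_blocks(item)


def _scalar(value: Any) -> Any:
    """Unwrap one-element list wrappers so 'x' and ['x'] compare equal."""
    while isinstance(value, list) and len(value) == 1:
        value = value[0]
    return value


def scan_resource_conf(conf: dict) -> str:
    """Return PASSED if any rule attaches the KnownBadInputs managed rule set."""
    for rule in _as_blocks(conf.get("rule")):
        for statement in _as_blocks(rule.get("statement")):
            for managed in _as_blocks(statement.get("managed_rule_group_statement")):
                if _scalar(managed.get("name")) == REQUIRED_RULE_SET:
                    return PASSED
    return FAILED


# --- constructed sample inputs (not real parser output) ---------------------

# HCL-style: one-element lists around blocks and attribute values.
HCL_SHAPE = {
    "name": ["dev-main"],
    "scope": ["REGIONAL"],
    "rule": [{
        "name": ["aws-managed-known-bad-inputs"],
        "statement": [{
            "managed_rule_group_statement": [{
                "name": [REQUIRED_RULE_SET],
                "vendor_name": ["AWS"],
            }],
        }],
    }],
}

# Plan-style: the block that holds the rule set is wrapped one level deeper,
# mirroring the list-of-lists that tripped managed_group[0].get(...).
PLAN_SHAPE = {
    "name": "dev-main",
    "rule": [
        {"name": "rate-limit-ip",
         "statement": [{"rate_based_statement": [[{"limit": 1000}]]}]},
        {"name": "aws-managed-known-bad-inputs",
         "statement": [[{
             "managed_rule_group_statement": [[{
                 "name": REQUIRED_RULE_SET,
                 "vendor_name": "AWS",
             }]],
         }]]},
    ],
}

# Only the Common rule set is attached: a genuine FAILED, not a crash.
COMMON_ONLY = {
    "rule": [{
        "statement": [{
            "managed_rule_group_statement": [{"name": ["AWSManagedRulesCommonRuleSet"]}],
        }],
    }],
}

# Malformed: the block is a bare string; must still yield a verdict.
MALFORMED = {"rule": [{"statement": [{"managed_rule_group_statement": "oops"}]}]}


if __name__ == "__main__":
    for label, conf in [("hcl", HCL_SHAPE), ("plan", PLAN_SHAPE),
                        ("common-only", COMMON_ONLY), ("malformed", MALFORMED)]:
        print(f"{label:12s} -> {scan_resource_conf(conf)}")
```

The defensive point is the one the issue reporter asks for: a resource check runs inside the scan of every file, so any input shape it did not anticipate should turn into a FAILED (or an explicit UNKNOWN) rather than an exception that takes the entire scan, and every other check's findings, down with it.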

gruebel commented 2 years ago

@KrasimirNikolovTide thanks for raising the issue, I'm right now working on a fix.