bridgecrewio / checkov

Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.
https://www.checkov.io/
Apache License 2.0

Crash with policy CKV_AZURE_70 #6492

Open kssantana opened 4 days ago

kssantana commented 4 days ago

Describe the issue

When I try to create a Function App with HTTPS Required enabled, Checkov fails with an error when I try to scan using the plan file in JSON format.

We already tested with the latest version (3.2.122), but the issue persists.

This issue does not appear on the old version (3.2.107) or older.

Examples

resource "azurerm_linux_function_app" "fcnapp" {
  name                       = local.functionapp_name
  location                   = local.location
  resource_group_name        = local.resource_group_name
  storage_account_name       = var.storage_account_name
  https_only                 = true
  storage_account_access_key = data.azurerm_storage_account.storageaccount.primary_access_key
  service_plan_id            = azurerm_app_service_plan.svcpl.id
  app_settings = {
    FUNCTIONS_EXTENSION_VERSION              = var.functions_extension_version
    FUNCTIONS_WORKER_RUNTIME                 = var.functions_worker_runtime
    WEBSITE_CONTENTAZUREFILECONNECTIONSTRING = data.azurerm_storage_account.storageaccount.primary_connection_string
    WEBSITE_CONTENTSHARE                     = lower("functionappcontent-${var.keyword}-001")
  }

  site_config {
    application_insights_connection_string = azurerm_application_insights.application_insights.connection_string
    application_insights_key               = azurerm_application_insights.application_insights.instrumentation_key

    application_stack {
      python_version = var.python_version
    }
  }

  identity {
    type = "SystemAssigned"
  }
}

Exception Trace

2024-06-24 15:54:23,962 [ThreadPoolEx] [DEBUG]  Running check: Ensure Function app is using the latest version of TLS encryption on file /tf.json
2024-06-24 15:54:23,983 [ThreadPoolEx] [DEBUG]  File /tf.json, resource "azurerm_linux_function_app.fcnapp" check "Ensure Function app is using the latest version of TLS encryption" Result: {'result': <CheckResult.PASSED: 'PASSED'>, 'evaluated_keys': ['site_config/[0]/minimum_tls_version']}
2024-06-24 15:54:23,985 [ThreadPoolEx] [DEBUG]  skip_severity = None, explicit_skip = [], regex_match = False, suppressed_policies: []
2024-06-24 15:54:23,987 [ThreadPoolEx] [DEBUG]  bc_check_id = BC_AZR_NETWORKING_64, include_all_checkov_policies = True, is_external = False, explicit_run: []
2024-06-24 15:54:23,990 [ThreadPoolEx] [DEBUG]  should_run_check CKV_AZURE_221: True
2024-06-24 15:54:23,993 [ThreadPoolEx] [DEBUG]  Running check: Ensure that Azure Function App public network access is disabled on file /tf.json
2024-06-24 15:54:24,019 [ThreadPoolEx] [DEBUG]  File /tf.json, resource "azurerm_linux_function_app.fcnapp" check "Ensure that Azure Function App public network access is disabled" Result: {'result': <CheckResult.FAILED: 'FAILED'>, 'evaluated_keys': ['public_network_access_enabled']}
2024-06-24 15:54:24,021 [ThreadPoolEx] [DEBUG]  skip_severity = None, explicit_skip = [], regex_match = False, suppressed_policies: []
2024-06-24 15:54:24,022 [ThreadPoolEx] [DEBUG]  bc_check_id = BC_AZR_NETWORKING_21, include_all_checkov_policies = True, is_external = False, explicit_run: []
2024-06-24 15:54:24,023 [ThreadPoolEx] [DEBUG]  should_run_check CKV_AZURE_70: True
2024-06-24 15:54:24,023 [ThreadPoolEx] [DEBUG]  Running check: Ensure that Function apps is only accessible over HTTPS on file /tf.json
2024-06-24 15:54:24,024 [ThreadPoolEx] [ERROR]  Failed to run check CKV_AZURE_70 on /tf.json:azurerm_linux_function_app.fcnapp
Traceback (most recent call last):
  File "C:\Users\...\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.10_qbz5n2kfra8p0\LocalCache\local-packages\Python310\site-packages\checkov\common\checks\base_check.py", line 68, in run   
    check_result["result"] = self.scan_entity_conf(entity_configuration, entity_type)
  File "C:\Users\...\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.10_qbz5n2kfra8p0\LocalCache\local-packages\Python310\site-packages\checkov\terraform\checks\resource\base_resource_check.py", line 43, in scan_entity_conf
    return self.scan_resource_conf(conf)
  File "C:\Users\...\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.10_qbz5n2kfra8p0\LocalCache\local-packages\Python310\site-packages\checkov\terraform\checks\resource\azure\FunctionAppsAccessibleOverHttps.py", line 34, in scan_resource_conf
    if 'require_https' not in auth_settings_v2.keys():
  File "C:\Users\...\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.10_qbz5n2kfra8p0\LocalCache\local-packages\Python310\site-packages\checkov\common\parsers\node.py", line 192, in __getattr__
    raise TemplateAttributeError(f'{name} is invalid')
checkov.common.parsers.node.TemplateAttributeError: keys is invalid

Desktop (please complete the following information):

matansha commented 2 days ago

Hi @kssantana, thank you for reaching out. Seems like an easy fix, would you like to contribute a fix? 🙂

Hint: check not only whether auth_settings_v2 exists, but also that it is not None and has len > 0
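The guard that the hint above describes, shown as an added example that is not Checkov's own code: a plain-Python model of a CKV_AZURE_70-style check, with the lookup pattern from the traceback (`auth_settings_v2.keys()` on whatever `[0]` returned) beside a version that tolerates a missing, None or empty `auth_settings_v2`. The list-wrapped config shape, the rendering of an unset nested block in plan JSON as an empty list, the CheckResult enum, the function names and the sample configs are all assumptions made for this example; in Checkov itself the failing call raises TemplateAttributeError from the parser's node class rather than a plain AttributeError.

```python
"""Added example, not Checkov's code: defensive handling of a nested block that a
plan file renders as an empty list.

Assumptions (constructed for this example): `conf` follows the Checkov convention
of wrapping every attribute value in a list, so an HCL block `auth_settings_v2 {
require_https = false }` arrives as {"auth_settings_v2": [{"require_https": [False]}]},
and an unset block in plan JSON arrives as {"auth_settings_v2": [[]]}.
"""
from enum import Enum
from typing import Any, Dict


class CheckResult(Enum):  # stand-in for checkov's CheckResult
    PASSED = "PASSED"
    FAILED = "FAILED"


def naive_https_check(conf: Dict[str, Any]) -> CheckResult:
    """Mirrors the pattern in the traceback: assumes auth_settings_v2[0] is a dict."""
    if not conf.get("https_only", [False])[0]:
        return CheckResult.FAILED
    if "auth_settings_v2" in conf:
        auth_settings_v2 = conf["auth_settings_v2"][0]
        # Raises AttributeError when the block is an empty list (plan JSON shape):
        # a list has no .keys(). This is the crash the issue reports.
        if "require_https" not in auth_settings_v2.keys():
            return CheckResult.FAILED
        if not auth_settings_v2["require_https"][0]:
            return CheckResult.FAILED
    return CheckResult.PASSED


def hardened_https_check(conf: Dict[str, Any]) -> CheckResult:
    """Same policy as naive_https_check, but the block lookup cannot raise."""
    if not conf.get("https_only", [False])[0]:
        return CheckResult.FAILED
    auth_blocks = conf.get("auth_settings_v2")
    # Existence alone is not enough: the value may be None or an empty list.
    if not auth_blocks:
        return CheckResult.PASSED
    auth_settings_v2 = auth_blocks[0]
    # An unset block ([] or None) carries nothing to evaluate; https_only decides.
    if not isinstance(auth_settings_v2, dict) or not auth_settings_v2:
        return CheckResult.PASSED
    require_https = auth_settings_v2.get("require_https")
    if not require_https or not require_https[0]:
        return CheckResult.FAILED
    return CheckResult.PASSED


def naive_check_raises(conf: Dict[str, Any]) -> bool:
    """True when the naive check crashes on this config (used to show the bug)."""
    try:
        naive_https_check(conf)
    except AttributeError:
        return True
    return False


# Constructed sample configs in the assumed list-wrapped shape.
HCL_CONF = {"https_only": [True]}                                   # no auth block, as in the issue's HCL
PLAN_CONF = {"https_only": [True], "auth_settings_v2": [[]]}         # unset block from plan JSON
NONE_CONF = {"https_only": [True], "auth_settings_v2": [None]}       # block present but null
AUTH_CONF = {"https_only": [True], "auth_settings_v2": [{"require_https": [False]}]}
NO_HTTPS_CONF = {"https_only": [False]}


def demo() -> Dict[str, str]:
    """Run both checks over the samples; naive results that crash are reported as 'CRASH'."""
    results = {}
    for label, conf in [("hcl", HCL_CONF), ("plan", PLAN_CONF), ("none", NONE_CONF),
                        ("auth", AUTH_CONF), ("no_https", NO_HTTPS_CONF)]:
        results[f"naive/{label}"] = "CRASH" if naive_check_raises(conf) else naive_https_check(conf).value
        results[f"hardened/{label}"] = hardened_https_check(conf).value
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hardened version keeps the original policy (a real `auth_settings_v2` block without `require_https = true` still fails) and only changes how the block is reached, which is the scope of the fix the maintainer suggests.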