bridgecrewio / checkov

Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.
https://www.checkov.io/
Apache License 2.0

Checkov Crashes due to Python Import Errors on Ubuntu and Windows #6540

Open massimiliano96 opened 2 months ago

massimiliano96 commented 2 months ago

Describe the issue

Checkov is failing to run, crashing with issues related to Python imports. This problem is occurring on both Ubuntu and Windows systems, and different error traces are provided for each.

Examples

checkov -d src/static -o junitxml --output-file-path output/ --check CKV_AWS_24

Exception Trace

On Ubuntu:

Traceback (most recent call last):
  File "/usr/local/bin/checkov", line 2, in <module>
    from checkov.main import Checkov
  File "/usr/local/lib/python3.10/dist-packages/checkov/main.py", line 52, in <module>
    from checkov.common.runners.runner_registry import RunnerRegistry
  File "/usr/local/lib/python3.10/dist-packages/checkov/common/runners/runner_registry.py", line 54, in <module>
    from checkov.terraform.context_parsers.registry import parser_registry
  File "/usr/local/lib/python3.10/dist-packages/checkov/terraform/context_parsers/__init__.py", line 1, in <module>
    from checkov.terraform.context_parsers.parsers import *  # noqa
  File "/usr/local/lib/python3.10/dist-packages/checkov/terraform/context_parsers/parsers/data_context_parser.py", line 3, in <module>
    from hcl2 import START_LINE, END_LINE
ImportError: cannot import name 'START_LINE' from 'hcl2' (unknown location)

On Windows:

Traceback (most recent call last):
  File "C:\Users\massi\Desktop\projects\cac-poc\cac-env\Scripts\checkov", line 2, in <module>
    from checkov.main import Checkov
  File "C:\users\massi\desktop\projects\cac-poc\cac-env\lib\site-packages\checkov\main.py", line 52, in <module>
    from checkov.common.runners.runner_registry import RunnerRegistry
  File "C:\users\massi\desktop\projects\cac-poc\cac-env\lib\site-packages\checkov\common\runners\runner_registry.py", line 39, in <module>
    from checkov.common.output.spdx import SPDX
  File "C:\users\massi\desktop\projects\cac-poc\cac-env\lib\site-packages\checkov\common\output\spdx.py", line 11, in <module>
    from spdx_tools.spdx.model.actor import Actor, ActorType
  File "C:\users\massi\desktop\projects\cac-poc\cac-env\lib\site-packages\spdx_tools\spdx\model\__init__.py", line 7, in <module>
    from spdx_tools.spdx.model.actor import Actor, ActorType
  File "C:\users\massi\desktop\projects\cac-poc\cac-env\lib\site-packages\spdx_tools\spdx\model\actor.py", line 6, in <module>
    from beartype.typing import Optional
  File "C:\users\massi\desktop\projects\cac-poc\cac-env\lib\site-packages\beartype\__init__.py", line 58, in <module>
    from beartype._decor.decormain import (
  File "C:\users\massi\desktop\projects\cac-poc\cac-env\lib\site-packages\beartype\_decor\decormain.py", line 26, in <module>
    from beartype._conf.confcls import (
  File "C:\users\massi\desktop\projects\cac-poc\cac-env\lib\site-packages\beartype\_conf\confcls.py", line 46, in <module>
    from beartype._conf.confoverrides import (
  File "C:\users\massi\desktop\projects\cac-poc\cac-env\lib\site-packages\beartype\_conf\confoverrides.py", line 15, in <module>
    from beartype._data.hint.datahinttyping import (
  File "C:\users\massi\desktop\projects\cac-poc\cac-env\lib\site-packages\beartype\_data\hint\datahinttyping.py", line 290, in <module>
    BeartypeReturn = Union[BeartypeableT, BeartypeConfedDecorator]
  File "C:\Python39\lib\typing.py", line 243, in inner
    return func(*args, **kwds)
  File "C:\Python39\lib\typing.py", line 316, in __getitem__
    return self._getitem(self, parameters)
  File "C:\Python39\lib\typing.py", line 421, in Union
    parameters = _remove_dups_flatten(parameters)
  File "C:\Python39\lib\typing.py", line 215, in _remove_dups_flatten
    all_params = set(params)
TypeError: unhashable type: 'list'

Desktop (please complete the following information):

mannycepeda1989 commented 1 month ago

Good afternoon @massimiliano96, would you please be able to share a test file or dir to reproduce this issue?

massimiliano96 commented 1 month ago

main.tf:

provider "aws" {
  region = var.region
}

data "aws_vpc" "selected" {
  filter {
    name   = "tag:Name"
    values = [var.vpc_name]
  }
}

resource "aws_security_group" "not_compliant" {
  name        = "not_compliant"
  description = "Security group to allow custom access"
  vpc_id      = data.aws_vpc.selected.id

  ingress {
    description = "Unlimited SSH access"
    from_port   = var.port
    to_port     = var.port
    protocol    = "tcp"
    cidr_blocks = [var.cidr]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
  tags = {
    name = "security-group"
  }
}

resource "aws_security_group" "compliant" {
  name        = "compliant"
  description = "Security group to allow custom access only from 1.1.1.1"
  vpc_id      = data.aws_vpc.selected.id

  ingress {
    description = "Custom Access"
    from_port   = var.port
    to_port     = var.port
    protocol    = "tcp"
    cidr_blocks = ["1.1.1.1/32"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

variables.tf:

variable "region" {
  description = "The AWS region to create resources in"
  type        = string
  default     = "eu-central-1"
}

variable "vpc_name" {
  description = "The name of the VPC to use"
  type        = string
  default     = "vpc-idp-poc-de-int"
}

variable "cidr" {
  description = "The CIDR block to allow access"
  type        = string
  default     = "0.0.0.0/0"
}

variable "port" {
  description = "The port to allow access"
  type        = number
  default     = 22
}

checkov -d src/static --external-checks-dir src/policies/checkov/custom_tag_check -o junitxml --output-file-path output/ --check CKV_AWS_24

Traceback (most recent call last):
  File "/usr/local/bin/checkov", line 2, in <module>
    from checkov.main import Checkov
  File "/usr/local/lib/python3.10/dist-packages/checkov/main.py", line 52, in <module>
    from checkov.common.runners.runner_registry import RunnerRegistry
  File "/usr/local/lib/python3.10/dist-packages/checkov/common/runners/runner_registry.py", line 54, in <module>
    from checkov.terraform.context_parsers.registry import parser_registry
  File "/usr/local/lib/python3.10/dist-packages/checkov/terraform/context_parsers/__init__.py", line 1, in <module>
    from checkov.terraform.context_parsers.parsers import *  # noqa
  File "/usr/local/lib/python3.10/dist-packages/checkov/terraform/context_parsers/parsers/data_context_parser.py", line 3, in <module>
    from hcl2 import START_LINE, END_LINE
ImportError: cannot import name 'START_LINE' from 'hcl2' (unknown location)

gruebel commented 1 month ago

hey @massimiliano96, this has nothing to do with your scanned files, but rather with your Python environment. You probably also installed other packages, and this messed checkov up. Please check if you have bc-python-hcl2 installed with version 0.4.2; there shouldn't be the package python-hcl2, otherwise you need to delete it.

In general I highly recommend using dedicated venvs for CLI tools; pipx is a great tool for it.
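The reply above points at a package clash: both bc-python-hcl2 (the fork Checkov depends on, which exports START_LINE and END_LINE) and python-hcl2 install a top-level module named hcl2, so whichever one wins shadows the other and Checkov's import fails. The script below is an added diagnostic written for this thread; it is not part of the Checkov project or of any comment here. It lists the installed distributions with importlib.metadata, reports whether python-hcl2 is present alongside bc-python-hcl2 at the 0.4.2 version named above, and checks whether the hcl2 module that actually imports exposes the two markers Checkov needs. The function names and the sample version numbers in the docstrings are assumptions made for the example.

```python
"""Diagnose the hcl2 module clash that breaks `checkov` startup.

Added example for this thread (not Checkov project code).  Run it inside
the same virtualenv in which `checkov` crashes; it prints one line per
problem found and nothing else when the environment looks healthy.
"""
import importlib
import importlib.metadata as md

# Distribution names as published on PyPI (normalised to lower-case, hyphens).
REQUIRED = "bc-python-hcl2"       # the fork Checkov depends on
EXPECTED_VERSION = "0.4.2"        # version named in the maintainer's reply
CONFLICTING = "python-hcl2"       # also installs a top-level `hcl2` module


def _normalise(name: str) -> str:
    """PEP 503 style normalisation so 'BC_Python_HCL2' matches 'bc-python-hcl2'."""
    return name.lower().replace("_", "-")


def installed_distributions() -> dict[str, str]:
    """Return {distribution-name: version} for everything visible to this interpreter."""
    found = {}
    for dist in md.distributions():
        name = dist.metadata["Name"]
        if name:  # some broken .dist-info dirs carry no Name field
            found[_normalise(name)] = dist.version
    return found


def hcl2_exports_markers() -> bool:
    """True if the `hcl2` module that wins the import exposes START_LINE and END_LINE.

    Checkov's data_context_parser imports exactly these two names; python-hcl2
    does not define them, so a False here is the classic symptom of the clash.
    """
    try:
        mod = importlib.import_module("hcl2")
    except ImportError:
        return False
    return hasattr(mod, "START_LINE") and hasattr(mod, "END_LINE")


def diagnose(dists: dict[str, str], markers_present: bool) -> list[str]:
    """Classify an environment and return human-readable problems (empty list = OK).

    `dists` is the mapping returned by installed_distributions(); it is passed in
    so the logic can be exercised against constructed inputs, e.g.
    {"bc-python-hcl2": "0.4.2", "python-hcl2": "4.3.0"} (sample versions).
    """
    problems = []
    if REQUIRED not in dists:
        problems.append(f"{REQUIRED} is not installed")
    elif dists[REQUIRED] != EXPECTED_VERSION:
        problems.append(
            f"{REQUIRED} is {dists[REQUIRED]}, expected {EXPECTED_VERSION}"
        )
    if CONFLICTING in dists:
        problems.append(
            f"{CONFLICTING} {dists[CONFLICTING]} is installed and shadows the hcl2 "
            f"module; uninstall it (pip uninstall {CONFLICTING})"
        )
    if not markers_present:
        problems.append("hcl2 module does not export START_LINE/END_LINE")
    return problems


def main() -> int:
    problems = diagnose(installed_distributions(), hcl2_exports_markers())
    for line in problems:
        print("PROBLEM:", line)
    if not problems:
        print("hcl2 environment looks consistent with what checkov expects")
    return 1 if problems else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

The check is deliberately split in two: the distribution listing tells you what pip thinks is installed, while the import probe tells you which module Python actually resolves, and the two disagree precisely in the shadowing case this thread describes. A non-zero exit code makes the script usable as a guard step in a CI job before `checkov` itself runs.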