kics
kics copied to clipboard
Published
20 hours ago •
Checkmarx
Checkmarx
Kics panics when parsing a dynamic key enclosed within parentheses
When a key containing variables is enclosed within parentheses inside the terraform file, kics panics with an error panic: value is unknown.
sample file content:
~/kics-sample > cat test.tf
variable "abc" {}
data "aws_lb" "frontend" {
tags = {
("kubernetes.io/cluster/${var.abc}") = "owned"
}
}
sample file validation:
~/kics-sample > terraform validate .
Success! The configuration is valid.
Expected Behavior
Successful kics scan with no errors.
Actual Behavior
~/kics-sample > docker run -t -v "$PWD":/path checkmarx/kics scan -p "/path" -o "/path/" --verbose
Scanning with Keeping Infrastructure as Code Secure v1.5.11
6:40AM INF Scanning with Keeping Infrastructure as Code Secure v1.5.11
6:40AM INF Operating system: linux
6:40AM INF Total memory: 5.8G
6:40AM INF CPU: 2.0
Preparing Scan Assets: | 6:40AM INF Total files in the project: 3
Preparing Scan Assets: | 6:40AM INF Loading queries of type: terraform
Preparing Scan Assets: - 6:40AM INF Inspector initialized, number of queries=981
Preparing Scan Assets: | 6:40AM INF Query execution timeout=1m0s
Preparing Scan Assets: Done
panic: value is unknown
goroutine 63 [running]:
github.com/zclconf/go-cty/cty.Value.AsString({{{0x7a2db78?, 0x40003d12e1?}}, {0x5f5adc0?, 0xb8e17c0?}})
/go/pkg/mod/github.com/zclconf/[email protected]/cty/value_ops.go:1262 +0x10c
github.com/Checkmarx/kics/pkg/parser/terraform/converter.(*converter).convertStringPart(0x6f28?, {0x7a2fa70?, 0x40017f8690?})
/app/pkg/parser/terraform/converter/default.go:374 +0x2ec
github.com/Checkmarx/kics/pkg/parser/terraform/converter.(*converter).convertKey(0x4000b77068?, {0x7a2fa30?, 0x40014b7b78?})
/app/pkg/parser/terraform/converter/default.go:311 +0x118
github.com/Checkmarx/kics/pkg/parser/terraform/converter.(*converter).objectConsExpr(0x13?, 0x40004601e0)
/app/pkg/parser/terraform/converter/default.go:279 +0x90
github.com/Checkmarx/kics/pkg/parser/terraform/converter.(*converter).convertExpression(0x5f9cda0?, {0x7a2f9f0?, 0x40004601e0})
/app/pkg/parser/terraform/converter/default.go:245 +0x34c
github.com/Checkmarx/kics/pkg/parser/terraform/converter.(*converter).convertBody(0xa?, 0x40017fc6e0, 0x3)
/app/pkg/parser/terraform/converter/default.go:95 +0x404
github.com/Checkmarx/kics/pkg/parser/terraform/converter.(*converter).convertBlock(0x5f9cda0?, 0x400198bc20, 0x4000dae660, 0xa?)
/app/pkg/parser/terraform/converter/default.go:181 +0x44
github.com/Checkmarx/kics/pkg/parser/terraform/converter.(*converter).convertBody(0x29?, 0x40017fc790, 0x0)
/app/pkg/parser/terraform/converter/default.go:118 +0x2b4
github.com/Checkmarx/kics/pkg/parser/terraform/converter.glob..func1(0x4001cd2980?, 0x72?)
/app/pkg/parser/terraform/converter/default.go:32 +0x90
github.com/Checkmarx/kics/pkg/parser/terraform.(*Parser).Parse(0x400111bb20, {0x40009f9b40, 0xd}, {0x4001cd2980, 0x72, 0x80})
/app/pkg/parser/terraform/terraform.go:125 +0x134
github.com/Checkmarx/kics/pkg/parser.(*Parser).Parse(0x4000d8c690, {0x40009f9b40, 0xd}, {0x4001cd2980, 0x72, 0x80})
/app/pkg/parser/parser.go:128 +0x124
github.com/Checkmarx/kics/pkg/kics.(*Service).sink(0x40006f7ce0, {0x7a2bb18, 0x400012c000}, {0x40009f9b40, 0xd}, {0x6bee617, 0x7}, {0x79a37c8, 0x4000bf9258})
/app/pkg/kics/sink.go:41 +0x120
github.com/Checkmarx/kics/pkg/kics.(*Service).PrepareSources.func1({0x7a2bb18, 0x400012c000}, {0x40009f9b40, 0xd}, {0x7a06740?, 0x4000bf9258})
/app/pkg/kics/service.go:69 +0x84
github.com/Checkmarx/kics/pkg/engine/provider.(*FileSystemSourceProvider).walkDir.func1({0x40009f9b40, 0xd}, {0x7a33370, 0x40000a9140}, {0x0?, 0x0?})
/app/pkg/engine/provider/filesystem.go:163 +0x394
path/filepath.walk({0x40009f9b40, 0xd}, {0x7a33370, 0x40000a9140}, 0x4001315e08)
/usr/local/go/src/path/filepath/path.go:430 +0xd0
path/filepath.walk({0x4001635a66, 0x5}, {0x7a33370, 0x4001cf7980}, 0x4000b77e08)
/usr/local/go/src/path/filepath/path.go:454 +0x1ec
path/filepath.Walk({0x4001635a66, 0x5}, 0x40012df608)
/usr/local/go/src/path/filepath/path.go:517 +0x70
github.com/Checkmarx/kics/pkg/engine/provider.(*FileSystemSourceProvider).walkDir(0x4001635a66?, {0x7a2bb18?, 0x400012c000?}, {0x4001635a66?, 0x0?}, 0x0, 0xffff94b2e5b8?, 0x20?, 0x40000d2800?)
/app/pkg/engine/provider/filesystem.go:128 +0x78
github.com/Checkmarx/kics/pkg/engine/provider.(*FileSystemSourceProvider).GetSources(0x4000606380, {0x7a2bb18, 0x400012c000}, 0x0?, 0x4000743d00, 0x0?)
/app/pkg/engine/provider/filesystem.go:117 +0x150
github.com/Checkmarx/kics/pkg/kics.(*Service).PrepareSources(0x40006f7ce0, {0x7a2bb18, 0x400012c000}, {0x6bee617, 0x7}, 0x0?, 0x0?)
/app/pkg/kics/service.go:65 +0x180
created by github.com/Checkmarx/kics/pkg/scanner.PrepareAndScan
/app/pkg/scanner/scanner.go:24 +0xb8
Error occurs when kics fails to parse ("kubernetes.io/cluster/${var.abc}") expression.
Steps to Reproduce the Problem
console > mkdir kics-sample && cd $_
console > echo 'variable "abc" {}
data "aws_lb" "frontend" {
tags = {
("kubernetes.io/cluster/${var.abc}") = "owned"
}
}' > test.tf
console > docker run -t -v "$PWD":/path checkmarx/kics scan -p "/path" -o "/path/" --verbose
Specifications
- Version:
v1.5.11 - Platform:
Mac OS (darwin/arm64)
Hello, @VishwaBhat!
Thank you so much for using KICS and reporting this bug! We are working on that in PR #5695 😊
