
Crash with policy CKV_AZURE_70

Open kssantana opened this issue 1 year ago • 2 comments

Describe the issue
When I try to create a Function App with HTTPS Required enabled, checkov fails with an error when I scan using the plan file in JSON format.

We have already tested with the latest version (3.2.122), but the issue persists.

This issue does not appear on the older version (3.2.107) or earlier.

Examples

resource "azurerm_linux_function_app" "fcnapp" {
  name                       = local.functionapp_name
  location                   = local.location
  resource_group_name        = local.resource_group_name
  storage_account_name       = var.storage_account_name
  https_only                 = true
  storage_account_access_key = data.azurerm_storage_account.storageaccount.primary_access_key
  service_plan_id            = azurerm_app_service_plan.svcpl.id
  app_settings = {
    FUNCTIONS_EXTENSION_VERSION                 = var.functions_extension_version
    FUNCTIONS_WORKER_RUNTIME                    = var.functions_worker_runtime
    WEBSITE_CONTENTAZUREFILECONNECTIONSTRING    = "${data.azurerm_storage_account.storageaccount.primary_connection_string}"
    WEBSITE_CONTENTSHARE                        = lower("functionappcontent-${var.keyword}-001")
  }

  site_config {
    application_insights_connection_string = azurerm_application_insights.application_insights.connection_string
    application_insights_key               = azurerm_application_insights.application_insights.instrumentation_key

    application_stack {
      python_version = var.python_version
    }
  }

  identity {
    type = "SystemAssigned"
  }
}

Exception Trace

2024-06-24 15:54:23,962 [ThreadPoolEx] [DEBUG]  Running check: Ensure Function app is using the latest version of TLS encryption on file /tf.json
2024-06-24 15:54:23,983 [ThreadPoolEx] [DEBUG]  File /tf.json, resource "azurerm_linux_function_app.fcnapp" check "Ensure Function app is using the latest version of TLS encryption" Result: {'result': <CheckResult.PASSED: 'PASSED'>, 'evaluated_keys': ['site_config/[0]/minimum_tls_version']}
2024-06-24 15:54:23,985 [ThreadPoolEx] [DEBUG]  skip_severity = None, explicit_skip = [], regex_match = False, suppressed_policies: []
2024-06-24 15:54:23,987 [ThreadPoolEx] [DEBUG]  bc_check_id = BC_AZR_NETWORKING_64, include_all_checkov_policies = True, is_external = False, explicit_run: []
2024-06-24 15:54:23,990 [ThreadPoolEx] [DEBUG]  should_run_check CKV_AZURE_221: True
2024-06-24 15:54:23,993 [ThreadPoolEx] [DEBUG]  Running check: Ensure that Azure Function App public network access is disabled on file /tf.json
2024-06-24 15:54:24,019 [ThreadPoolEx] [DEBUG]  File /tf.json, resource "azurerm_linux_function_app.fcnapp" check "Ensure that Azure Function App public network access is disabled" Result: {'result': <CheckResult.FAILED: 'FAILED'>, 'evaluated_keys': ['public_network_access_enabled']}
2024-06-24 15:54:24,021 [ThreadPoolEx] [DEBUG]  skip_severity = None, explicit_skip = [], regex_match = False, suppressed_policies: []
2024-06-24 15:54:24,022 [ThreadPoolEx] [DEBUG]  bc_check_id = BC_AZR_NETWORKING_21, include_all_checkov_policies = True, is_external = False, explicit_run: []
2024-06-24 15:54:24,023 [ThreadPoolEx] [DEBUG]  should_run_check CKV_AZURE_70: True
2024-06-24 15:54:24,023 [ThreadPoolEx] [DEBUG]  Running check: Ensure that Function apps is only accessible over HTTPS on file /tf.json
2024-06-24 15:54:24,024 [ThreadPoolEx] [ERROR]  Failed to run check CKV_AZURE_70 on /tf.json:azurerm_linux_function_app.fcnapp
Traceback (most recent call last):
  File "C:\Users\...\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.10_qbz5n2kfra8p0\LocalCache\local-packages\Python310\site-packages\checkov\common\checks\base_check.py", line 68, in run   
    check_result["result"] = self.scan_entity_conf(entity_configuration, entity_type)
  File "C:\Users\...\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.10_qbz5n2kfra8p0\LocalCache\local-packages\Python310\site-packages\checkov\terraform\checks\resource\base_resource_check.py", line 43, in scan_entity_conf
    return self.scan_resource_conf(conf)
  File "C:\Users\...\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.10_qbz5n2kfra8p0\LocalCache\local-packages\Python310\site-packages\checkov\terraform\checks\resource\azure\FunctionAppsAccessibleOverHttps.py", line 34, in scan_resource_conf
    if 'require_https' not in auth_settings_v2.keys():
  File "C:\Users\...\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.10_qbz5n2kfra8p0\LocalCache\local-packages\Python310\site-packages\checkov\common\parsers\node.py", line 192, in __getattr__
    raise TemplateAttributeError(f'{name} is invalid')
checkov.common.parsers.node.TemplateAttributeError: keys is invalid

Desktop (please complete the following information):

  • OS: Windows 11 and Ubuntu 22.04
  • Checkov Version: 3.2.122

kssantana avatar Jun 24 '24 19:06 kssantana

Hi @kssantana, thank you for reaching out. Seems like an easy fix, would you like to contribute a fix? 🙂

Hint: check not only whether auth_settings_v2 exists, but also that it is not None and has len > 0.

matansha avatar Jun 26 '24 06:06 matansha

Hi,

A very similar issue is also happening for linux web apps:

2024-08-12 03:12:14,939 [MainThread ] [ERROR] Failed to run check CKV_AZURE_13 on /dev.json:azurerm_linux_web_app.web_app
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/dist-packages/checkov/common/checks/base_check.py", line 68, in run
    check_result["result"] = self.scan_entity_conf(entity_configuration, entity_type)
  File "/usr/local/lib/python3.8/dist-packages/checkov/terraform/checks/resource/base_resource_check.py", line 43, in scan_entity_conf
    return self.scan_resource_conf(conf)
  File "/usr/local/lib/python3.8/dist-packages/checkov/terraform/checks/resource/azure/AppServiceAuthentication.py", line 19, in scan_resource_conf
    if auth.get("enabled") and isinstance(auth.get("enabled"), list):
  File "/usr/local/lib/python3.8/dist-packages/checkov/common/parsers/node.py", line 192, in __getattr__
    raise TemplateAttributeError(f'{name} is invalid')
checkov.common.parsers.node.TemplateAttributeError: get is invalid

jakaxd avatar Aug 12 '24 13:08 jakaxd
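Both tracebacks in this thread (CKV_AZURE_70 calling `.keys()` on `auth_settings_v2`, CKV_AZURE_13 calling `.get()` on `auth_settings`) share one root cause: the check dereferences a nested block as if it were a dict, but a plan-file scan can hand it over as something else. The following is an added illustration, not checkov's own code: a normalizing helper in the spirit of matansha's hint (exists, not None, non-empty), a naive variant that reproduces the crash class, and constructed sample configs in the shapes a check may receive (HCL-style list of dicts, bare dict, empty list, None). The check names, their pass/fail semantics and the sample inputs are my assumptions for illustration only; they do not reproduce checkov's real policy logic.

```python
from collections.abc import Mapping
from typing import Any, Optional

PASSED = "PASSED"
FAILED = "FAILED"


def first_block(conf: Mapping[str, Any], key: str) -> Optional[dict]:
    """Return nested block `key` of a resource config as a plain dict, or None.

    HCL parsed into a resource config renders a nested block as a list of dicts
    (`[{...}]`); a plan file in JSON may render the same block as a bare dict,
    an empty list, or None. Anything that is not a non-empty mapping is treated
    as "block not present" instead of being dereferenced (the fix class hinted
    at above: exists, not None, and len > 0).
    """
    value = conf.get(key)
    if isinstance(value, list):
        value = value[0] if value else None
    if not isinstance(value, Mapping) or not value:
        return None
    return dict(value)


def scalar(value: Any) -> Any:
    """Unwrap the single-element list HCL parsing produces for attributes."""
    if isinstance(value, list) and len(value) == 1:
        return value[0]
    return value


def naive_require_https(conf: Mapping[str, Any]) -> str:
    """Fragile pattern from the trace: assumes the block is always a dict."""
    auth_v2 = conf.get("auth_settings_v2")
    return PASSED if "require_https" in auth_v2.keys() else FAILED  # crashes on [] / None


def check_https_only(conf: Mapping[str, Any]) -> str:
    """Illustrative analogue of an HTTPS-only check (assumed semantics)."""
    if scalar(conf.get("https_only")) is True:
        return PASSED
    auth_v2 = first_block(conf, "auth_settings_v2")
    if auth_v2 is None:
        return FAILED
    return PASSED if scalar(auth_v2.get("require_https")) is True else FAILED


def check_auth_enabled(conf: Mapping[str, Any]) -> str:
    """Illustrative analogue of an auth-enabled check (assumed semantics)."""
    auth = first_block(conf, "auth_settings")
    if auth is None:
        return FAILED
    return PASSED if scalar(auth.get("enabled")) is True else FAILED


def outcome(check, conf: Mapping[str, Any]) -> str:
    """Run a check and report its result, or the exception type it raised."""
    try:
        return check(conf)
    except Exception as exc:  # broad on purpose: we are classifying the crash
        return f"ERROR:{type(exc).__name__}"


# Constructed sample inputs (not taken from the issue): one resource in the
# shapes a check may receive it.
HCL_STYLE = {
    "https_only": [True],
    "auth_settings_v2": [{"require_https": [True]}],
    "auth_settings": [{"enabled": [True]}],
}
PLAN_JSON_EMPTY_BLOCK = {
    "https_only": [True],
    "auth_settings_v2": [],  # block absent, rendered as an empty list
    "auth_settings": [],
}
PLAN_JSON_DICT = {
    "https_only": False,
    "auth_settings_v2": {"require_https": True},
    "auth_settings": None,
}
NO_HTTPS = {"https_only": [False], "auth_settings_v2": []}

if __name__ == "__main__":
    for name, conf in [("hcl", HCL_STYLE), ("plan-empty", PLAN_JSON_EMPTY_BLOCK),
                       ("plan-dict", PLAN_JSON_DICT), ("no-https", NO_HTTPS)]:
        print(name, outcome(naive_require_https, conf),
              outcome(check_https_only, conf), outcome(check_auth_enabled, conf))
```

The naive function fails exactly where the thread's traces do, on a block that is not a dict, while the guarded checks return a result for every shape. If you write a custom checkov policy, the same rule applies: never call `.keys()` or `.get()` on a nested block until you have confirmed it is a non-empty mapping.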

Thanks for contributing to Checkov! We've automatically marked this issue as stale to keep our issues list tidy, because it has not had any activity for 6 months. It will be closed in 14 days if no further activity occurs. Commenting on this issue will remove the stale tag. If you want to talk through the issue or help us understand the priority and context, feel free to add a comment or join us in the Checkov slack channel at codifiedsecurity.slack.com Thanks!

stale[bot] avatar Feb 08 '25 21:02 stale[bot]

Closing issue due to inactivity. If you feel this is in error, please re-open, or reach out to the community via slack: codifiedsecurity.slack.com Thanks!

stale[bot] avatar Feb 22 '25 23:02 stale[bot]

Can this be re-opened? I'm also getting this error

samtarplee avatar Mar 04 '25 15:03 samtarplee