gitea-mirror/trivy
1
0
Fork 0
mirror of https://github.com/aquasecurity/trivy.git synced 2025-12-23 15:37:50 -08:00
Code Issues Packages Projects Releases Wiki Activity

fix(misconf): do not erase variable type for child modules (#7941)

Browse Source 
Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
This commit is contained in:
Nikita Pivkin
2024-11-23 01:25:54 +06:00
committed by GitHub
parent 5448ba2a5c
commit de3b7ea24c
3 changed files with 80 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
pkg/iac/scanners/terraform/parser/evaluator.go
View File

@@ -471,7 +471,7 @@ func (e *evaluator) evaluateVariable(b *terraform.Block) (cty.Value, error) {
var val cty.Value var val cty.Value
if override, exists := e.inputVars[b.Label()]; exists { if override, exists := e.inputVars[b.Label()]; exists && override.Type() != cty.NilType {
val = override val = override
} else if def, exists := attributes["default"]; exists { } else if def, exists := attributes["default"]; exists {
val = def.NullableValue() val = def.NullableValue()

77
pkg/iac/scanners/terraform/parser/parser_test.go
View File

@@ -3,6 +3,7 @@ package parser
import ( import (
"bytes" "bytes"
"context" "context"
"io/fs"
"log/slog" "log/slog"
"os" "os"
"path/filepath" "path/filepath"
@@ -2008,3 +2009,79 @@ variable "baz" {}
assert.Contains(t, buf.String(), "Variable values was not found in the environment or variable files.") assert.Contains(t, buf.String(), "Variable values was not found in the environment or variable files.")
assert.Contains(t, buf.String(), "variables=\"foo\"") assert.Contains(t, buf.String(), "variables=\"foo\"")
} }
func Test_PassingNullToChildModule_DoesNotEraseType(t *testing.T) {
tests := []struct {
name string
fsys fs.FS
}{
{
name: "typed variable",
fsys: fstest.MapFS{
"main.tf": &fstest.MapFile{Data: []byte(`module "test" {
source = "./modules/test"
test_var = null
}`)},
"modules/test/main.tf": &fstest.MapFile{Data: []byte(`variable "test_var" {
type = number
}
resource "foo" "this" {
bar = var.test_var != null ? 1 : 2
}`)},
},
},
{
name: "typed variable with default",
fsys: fstest.MapFS{
"main.tf": &fstest.MapFile{Data: []byte(`module "test" {
source = "./modules/test"
test_var = null
}`)},
"modules/test/main.tf": &fstest.MapFile{Data: []byte(`variable "test_var" {
type = number
default = null
}
resource "foo" "this" {
bar = var.test_var != null ? 1 : 2
}`)},
},
},
{
name: "empty variable",
fsys: fstest.MapFS{
"main.tf": &fstest.MapFile{Data: []byte(`module "test" {
source = "./modules/test"
test_var = null
}`)},
"modules/test/main.tf": &fstest.MapFile{Data: []byte(`variable "test_var" {}
resource "foo" "this" {
bar = var.test_var != null ? 1 : 2
}`)},
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
parser := New(
tt.fsys, "",
OptionStopOnHCLError(true),
)
require.NoError(t, parser.ParseFS(context.TODO(), "."))
_, err := parser.Load(context.TODO())
require.NoError(t, err)
modules, _, err := parser.EvaluateAll(context.TODO())
require.NoError(t, err)
res := modules.GetResourcesByType("foo")[0]
attr := res.GetAttribute("bar")
val, _ := attr.Value().AsBigFloat().Int64()
assert.Equal(t, int64(2), val)
})
}
}

4
pkg/iac/terraform/block.go
View File

@@ -585,7 +585,7 @@ func (b *Block) Values() cty.Value {
if attribute.Name() == "for_each" { if attribute.Name() == "for_each" {
continue continue
} }
values[attribute.Name()] = attribute.Value() values[attribute.Name()] = attribute.NullableValue()
} }
return cty.ObjectVal(postProcessValues(b, values)) return cty.ObjectVal(postProcessValues(b, values))
} }
@@ -643,7 +643,7 @@ func (b *Block) expandDynamic() ([]*Block, error) {
) )
forEachVal.ForEachElement(func(key, val cty.Value) (stop bool) { forEachVal.ForEachElement(func(key, val cty.Value) (stop bool) {
if val.IsNull() { if val.IsNull() || !val.IsKnown() {
return return
} }