bump to 5.0.0rc1

Pipfile

@@ -70,7 +70,7 @@ policyuniverse = "*"
 typing-extensions = ">=4.1.0"
 importlib-metadata = ">=0.12"
 cachetools = "*"
-cyclonedx-python-lib = ">=4.0.0"
+cyclonedx-python-lib = "==5.0.0rc1"  # TODO: adjust when GA https://github.com/CycloneDX/cyclonedx-python-lib/pull/440
 packageurl-python = "*"
 click = ">=8.0.0"
 aiohttp = "*"

checkov/cloudformation/checks/resource/aws/LambdaEnvironmentEncryptionSettings.py

@@ -1,4 +1,6 @@
-from typing import List
+from __future__ import annotations
+
+from typing import Any
 
 from checkov.common.models.enums import CheckResult, CheckCategories
 from checkov.cloudformation.checks.resource.base_resource_check import BaseResourceCheck
@@ -8,23 +10,23 @@ class LambdaEnvironmentEncryptionSettings(BaseResourceCheck):
     def __init__(self):
         name = "Check encryption settings for Lambda environmental variable"
         id = "CKV_AWS_173"
-        supported_resources = ['AWS::Lambda::Function', "AWS::Serverless::Function"]
-        categories = [CheckCategories.ENCRYPTION]
+        supported_resources = ("AWS::Lambda::Function", "AWS::Serverless::Function")
+        categories = (CheckCategories.ENCRYPTION,)
         super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
 
-    def scan_resource_conf(self, conf):
-        properties = conf.get('Properties')
+    def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
+        properties = conf.get("Properties")
         if properties is not None:
-            env = properties.get('Environment')
+            env = properties.get("Environment")
             if env is not None:
                 if not isinstance(env, dict):
                     return CheckResult.UNKNOWN
-                elif env.get('Variables') and not properties.get('KmsKeyArn'):
+                elif env.get("Variables") and not properties.get("KmsKeyArn"):
                     return CheckResult.FAILED
         return CheckResult.PASSED
 
-    def get_evaluated_keys(self) -> List[str]:
-        return ['Properties/Environment/Variables', 'Properties/KmsKeyArn']
+    def get_evaluated_keys(self) -> list[str]:
+        return ["Properties/KmsKeyArn"]
 
 
 check = LambdaEnvironmentEncryptionSettings()

checkov/common/output/cyclonedx.py

@@ -3,7 +3,6 @@
 import itertools
 import logging
 import os
-import sys
 from datetime import datetime
 from importlib.metadata import version as meta_version
 from pathlib import Path
@@ -16,13 +15,12 @@
     sha1sum,
     HashAlgorithm,
     HashType,
-    LicenseChoice,
-    License,
     Property,
     Tool,
 )
 from cyclonedx.model.bom import Bom
 from cyclonedx.model.component import Component, ComponentType
+from cyclonedx.model.license import DisjunctiveLicense
 from cyclonedx.model.vulnerability import (
     Vulnerability,
     VulnerabilityAdvisory,
@@ -229,12 +227,12 @@ def create_library_component(self, resource: Record | ExtraResource, check_type:
                 package_name = resource.vulnerability_details["package_name"]
 
         # add licenses, if exists
-        license_choices = None
+        disjunctive_licenses = None
         licenses = resource.vulnerability_details.get("licenses")
 
         if licenses:
-            license_choices = [
-                LicenseChoice(license=License(name=license)) for license in format_string_to_licenses(licenses)
+            disjunctive_licenses = [
+                DisjunctiveLicense(name=license) for license in format_string_to_licenses(licenses)
             ]
 
         purl = PackageURL(
@@ -257,7 +255,7 @@ def create_library_component(self, resource: Record | ExtraResource, check_type:
             name=package_name,
             version=package_version,
             type=ComponentType.LIBRARY,
-            licenses=license_choices,
+            licenses=disjunctive_licenses,
             purl=purl,
             properties=properties
         )

checkov/terraform/checks/resource/aws/LambdaEnvironmentEncryptionSettings.py

@@ -18,23 +18,19 @@ def scan_resource_conf(self, conf: dict[str, list[Any]]) -> CheckResult:
         # check that if I have env vars I have a KMS key
         if len(conf.get("environment", [])):
             if "kms_key_arn" in conf:
-                if conf["kms_key_arn"] == [""]:
-                    self.evaluated_keys = ["environment/kms_key_arn"]
+                if conf.get("kms_key_arn") == [""]:
                     return CheckResult.FAILED
                 return CheckResult.PASSED
-            self.evaluated_keys = ["environment"]
             return CheckResult.FAILED
 
         # no env vars so should be no key as that causes state mismatch
-        if "kms_key_arn" in conf:
-            if not len(conf["kms_key_arn"]):
-                return CheckResult.PASSED
+        if "kms_key_arn" in conf and len(conf["kms_key_arn"]):
             return CheckResult.FAILED
         # neither env vars nor kms key
         return CheckResult.UNKNOWN
 
     def get_evaluated_keys(self) -> list[str]:
-        return ["environment/[0]/variables"]
+        return ["kms_key_arn"]
 
 
 check = LambdaEnvironmentEncryptionSettings()

tests/common/output/test_cyclonedx_report.py

@@ -114,7 +114,7 @@ def test_valid_cyclonedx_image_bom():
     assert package_component.type == ComponentType.LIBRARY
     assert package_component.version == "7.74.0-1.3+deb11u1"
     assert len(package_component.licenses) == 1
-    assert next(iter(package_component.licenses)).license.name == "BSD-3-Clause"
+    assert next(iter(package_component.licenses)).name == "BSD-3-Clause"
 
     assert len(cyclonedx.bom.vulnerabilities) == 1
     assert next(iter(next(iter(cyclonedx.bom.vulnerabilities)).ratings)).severity == VulnerabilitySeverity.CRITICAL