Merge branch 'main' into patch-1

bridgecrewio · Oct 17, 2023 · 9996b1d · 9996b1d
2 parents 760f6f2 + f20abfc
commit 9996b1d
Show file tree

Hide file tree

Showing 5 changed files with 67 additions and 44 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,6 +1,16 @@
 # CHANGELOG
 
-## [Unreleased](https://github.com/bridgecrewio/checkov/compare/2.5.9...HEAD)
+## [Unreleased](https://github.com/bridgecrewio/checkov/compare/2.5.10...HEAD)
+
+## [2.5.10](https://github.com/bridgecrewio/checkov/compare/2.5.9...2.5.10) - 2023-10-16
+
+### Feature
+
+- **terraform:** support scanning of Terraform managed modules instead of downloading them - [#5635](https://github.com/bridgecrewio/checkov/pull/5635)
+
+### Bug Fix
+
+- **terraform:** Fixing issues with checks CKV_AZURE_226 & CKV_AZURE_227 - [#5638](https://github.com/bridgecrewio/checkov/pull/5638)
 
 ## [2.5.9](https://github.com/bridgecrewio/checkov/compare/2.5.8...2.5.9) - 2023-10-15
 

diff --git a/checkov/sca_package_2/runner.py b/checkov/sca_package_2/runner.py
@@ -140,6 +140,13 @@ def run(
 
         return report
 
+    def _persist_file_if_required(self, package_files_to_persist: List[FileToPersist],
+                                  file_path: Path, root_path: Path | None) -> None:
+        if file_path.name in SCANNABLE_PACKAGE_FILES or file_path.suffix in SCANNABLE_PACKAGE_FILES_EXTENSIONS:
+            file_path_str = str(file_path)
+            # in case of root_path is None, we will get the path in related to the current work dir
+            package_files_to_persist.append(FileToPersist(file_path_str, os.path.relpath(file_path_str, root_path)))
+
     def upload_package_files(
             self,
             root_path: Path | None,
@@ -154,21 +161,18 @@ def upload_package_files(
         try:
             if root_path:
                 for file_path in root_path.glob("**/*"):
-                    if (file_path.name in SCANNABLE_PACKAGE_FILES or file_path.suffix in SCANNABLE_PACKAGE_FILES_EXTENSIONS) and not any(
-                            p in file_path.parts for p in excluded_paths) and file_path.name not in excluded_file_names:
-                        file_path_str = str(file_path)
-                        package_files_to_persist.append(
-                            FileToPersist(file_path_str, os.path.relpath(file_path_str, root_path)))
+                    if any(p in file_path.parts for p in excluded_paths) or file_path.name in excluded_file_names:
+                        logging.debug(f"[sca_package:runner](upload_package_files) - File {file_path} was excluded")
+                        continue
+                    self._persist_file_if_required(package_files_to_persist, file_path, root_path)
 
             if files:
-                root_folder = os.path.split(os.path.commonprefix(files))[0]
                 for file in files:
                     file_path = Path(file)
                     if not file_path.exists():
-                        logging.warning(f"File {file_path} doesn't exist")
+                        logging.warning(f"[sca_package:runner](upload_package_files) - File {file_path} doesn't exist")
                         continue
-                    if file_path.name in SCANNABLE_PACKAGE_FILES or file_path.suffix in SCANNABLE_PACKAGE_FILES_EXTENSIONS:
-                        package_files_to_persist.append(FileToPersist(file, os.path.relpath(file, root_folder)))
+                    self._persist_file_if_required(package_files_to_persist, file_path, root_path)
 
             logging.info(f"{len(package_files_to_persist)} sca package files found.")
             bc_integration.persist_files(package_files_to_persist)

diff --git a/checkov/version.py b/checkov/version.py
@@ -1 +1 @@
-version = '2.5.10'
+version = '2.5.11'
diff --git a/kubernetes/requirements.txt b/kubernetes/requirements.txt
@@ -1 +1 @@
-checkov==2.5.10
+checkov==2.5.11
diff --git a/tests/sca_package_2/test_runner.py b/tests/sca_package_2/test_runner.py
@@ -1,3 +1,4 @@
+import os
 from pathlib import Path
 from mock.mock import MagicMock
 
@@ -74,40 +75,48 @@ def test_upload_scannable_files_exclude_go_and_requirements():
 
 
 def test_upload_scannable_files_file_config():
-    # when
-    input_output_paths = Runner().upload_package_files(
-        root_path=None,
-        files=[
-            str(EXAMPLES_DIR / 'requirements.txt'),
-            str(EXAMPLES_DIR / 'go.sum'),
-            str(EXAMPLES_DIR / 'package-lock.json'),
-            str(EXAMPLES_DIR / 'package.json'),
-            str(EXAMPLES_DIR / 'go.mod'),
-            str(EXAMPLES_DIR / 'Microsoft.NET.Sdk.csproj')
-        ],
-        excluded_paths=set(),
-        excluded_file_names=set()
-    )
-    # expected
-    expected_output = {
-        FileToPersist(full_file_path=str(EXAMPLES_DIR / 'requirements.txt'),
-                      s3_file_key='requirements.txt'),
-        FileToPersist(full_file_path=str(EXAMPLES_DIR / 'go.sum'),
-                      s3_file_key='go.sum'),
-        FileToPersist(full_file_path=str(EXAMPLES_DIR / 'package-lock.json'),
-                      s3_file_key='package-lock.json'),
-        FileToPersist(full_file_path=str(EXAMPLES_DIR / 'package.json'),
-                      s3_file_key='package.json'),
-        FileToPersist(full_file_path=str(EXAMPLES_DIR / 'go.mod'),
-                      s3_file_key='go.mod'),
-        FileToPersist(full_file_path=str(EXAMPLES_DIR / 'Microsoft.NET.Sdk.csproj'),
-                      s3_file_key='Microsoft.NET.Sdk.csproj')
-    }
+    origin_cwd = os.getcwd()
+    try:
+        # setup
+        os.chdir(str(Path(__file__).parent))
+
+        # when
+        input_output_paths = Runner().upload_package_files(
+            root_path=None,
+            files=[
+                str(EXAMPLES_DIR / 'requirements.txt'),
+                str(EXAMPLES_DIR / 'go.sum'),
+                str(EXAMPLES_DIR / 'package-lock.json'),
+                str(EXAMPLES_DIR / 'package.json'),
+                str(EXAMPLES_DIR / 'go.mod'),
+                str(EXAMPLES_DIR / 'Microsoft.NET.Sdk.csproj')
+            ],
+            excluded_paths=set(),
+            excluded_file_names=set()
+        )
+        # expected (paths are in related to the test-working-dir)
+        expected_output = {
+            FileToPersist(full_file_path=str(EXAMPLES_DIR / 'requirements.txt'),
+                          s3_file_key='examples/requirements.txt'),
+            FileToPersist(full_file_path=str(EXAMPLES_DIR / 'go.sum'),
+                          s3_file_key='examples/go.sum'),
+            FileToPersist(full_file_path=str(EXAMPLES_DIR / 'package-lock.json'),
+                          s3_file_key='examples/package-lock.json'),
+            FileToPersist(full_file_path=str(EXAMPLES_DIR / 'package.json'),
+                          s3_file_key='examples/package.json'),
+            FileToPersist(full_file_path=str(EXAMPLES_DIR / 'go.mod'),
+                          s3_file_key='examples/go.mod'),
+            FileToPersist(full_file_path=str(EXAMPLES_DIR / 'Microsoft.NET.Sdk.csproj'),
+                          s3_file_key='examples/Microsoft.NET.Sdk.csproj')
+        }
 
-    # then
-    assert len(input_output_paths) == 6
+        # then
+        assert len(input_output_paths) == 6
 
-    assert set(input_output_paths) == expected_output
+        assert set(input_output_paths) == expected_output
+    finally:
+        # teardown
+        os.chdir(origin_cwd)
 
 
 def test_run(sca_package_2_report):