fix(general): fix inline suppression collection inside lists (#5370)

fix inline suppression collection inside lists
bridgecrewio · Jul 23, 2023 · ead2048 · ead2048
1 parent fe5d976
commit ead2048
Show file tree

Hide file tree

Showing 3 changed files with 35 additions and 5 deletions.
diff --git a/checkov/yaml_doc/base_registry.py b/checkov/yaml_doc/base_registry.py
@@ -53,10 +53,7 @@ def _scan_yaml_array(
                     if isinstance(item, str):
                         item = self.set_lines_for_item(item)
                     if STARTLINE_MARK != item and ENDLINE_MARK != item:
-                        skip_info: "_SkippedCheck" = {}
-                        if skip_infos and skip_infos[0]:
-                            # multiple items could be found, so we need to skip the correct one(s)
-                            skip_info = ([skip for skip in skip_infos if item[STARTLINE_MARK] <= skip["line_number"] <= item[ENDLINE_MARK]] or [{}])[0]
+                        skip_info = self._collect_inline_suppression_in_array(item=item, skip_infos=skip_infos)
 
                         self.update_result(
                             check,
@@ -347,3 +344,27 @@ def set_lines_for_item(self, item: str) -> dict[int | str, str | int] | str:
                 break
 
         return item_dict
+
+    def _collect_inline_suppression_in_array(self, item: Any, skip_infos: list[_SkippedCheck]) -> _SkippedCheck:
+        if skip_infos and skip_infos[0]:
+            if isinstance(item, dict):
+                # multiple items could be found, so we need to skip the correct one(s)
+                skip_info = [
+                    skip for skip in skip_infos if item[STARTLINE_MARK] <= skip["line_number"] <= item[ENDLINE_MARK]
+                ]
+                if skip_info:
+                    return skip_info[0]
+            elif isinstance(item, list):
+                # depending on the check a list of uncomplaint items can be found and need to be correctly matched
+                for sub_item in item:
+                    if isinstance(sub_item, dict):
+                        # only one of the list items need to be matched
+                        skip_info = [
+                            skip
+                            for skip in skip_infos
+                            if sub_item[STARTLINE_MARK] <= skip["line_number"] <= sub_item[ENDLINE_MARK]
+                        ]
+                        if skip_info:
+                            return skip_info[0]
+
+        return {}  # nothing found
diff --git a/tests/gitlab_ci/resources/rules/.gitlab-ci.yml b/tests/gitlab_ci/resources/rules/.gitlab-ci.yml
@@ -14,3 +14,12 @@ planOnlySubset:
     - if: $CI_PIPELINE_SOURCE != "merge_request_event" && $CI_PIPELINE_SOURCE != "schedule"
       when: manual
       allow_failure: true
+
+jobSkip:
+  script: echo "This job creates double pipelines!"
+  rules:
+    - changes:
+        - $DOCKERFILES_DIR/*
+      # checkov:skip=CKV_GITLABCI_2: Ignore
+    - if: $CI_PIPELINE_SOURCE == "push"
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
diff --git a/tests/gitlab_ci/test_runner.py b/tests/gitlab_ci/test_runner.py
@@ -22,7 +22,7 @@ def test_runner(self):
         self.assertEqual(len(report.failed_checks), 5)
         self.assertEqual(report.parsing_errors, [])
         self.assertEqual(len(report.passed_checks), 9)
-        self.assertEqual(report.skipped_checks, [])
+        self.assertEqual(len(report.skipped_checks), 1)
         report.print_console()
 
     def test_runner_honors_enforcement_rules(self):