
Checkov crashes due to missing null checks in CKV_K8S_49 #4473

Closed
jsojourner11 opened this issue Feb 10, 2023 · 4 comments · Fixed by #5589
Labels
checks Check additions or changes crash good first issue Good for newcomers terraform plan terraform


jsojourner11 commented Feb 10, 2023

Describe the issue
When running checkov over a terraform plan file which contained kubernetes_cluster_role resources that had null values for the api_groups and/or resources and/or verbs, checkov could not finish evaluating and instead crashed.
I would expect Checkov to do a null check, and complete evaluation.

Examples
This is the relevant sample from our plan.json file.

{
            "address": "module.kubernetes-fluent-bit-for-eks.kubernetes_cluster_role.fluent_bit[0]",
            "module_address": "module.kubernetes-fluent-bit-for-eks",
            "mode": "managed",
            "type": "kubernetes_cluster_role",
            "name": "fluent_bit",
            "index": 0,
            "provider_name": "registry.terraform.io/hashicorp/kubernetes",
            "change": {
                "actions": [
                    "create"
                ],
                "before": null,
                "after": {
                    "aggregation_rule": [],
                    "metadata": [
                        {
                            "annotations": null,
                            "generate_name": null,
                            "labels": null,
                            "name": "fluent-bit-role"
                        }
                    ],
                    "rule": [
                        {
                            "api_groups": null,
                            "non_resource_urls": [
                                "/metrics"
                            ],
                            "resource_names": null,
                            "resources": null,
                            "verbs": [
                                "get"
                            ]
                        },
                        {
                            "api_groups": [
                                ""
                            ],
                            "non_resource_urls": null,
                            "resource_names": null,
                            "resources": [
                                "pods",
                                "namespaces",
                                "pods/logs",
                                "configmaps"
                            ],
                            "verbs": [
                                "get",
                                "list",
                                "watch"
                            ]
                        },
                        {
                            "api_groups": [
                                ""
                            ],
                            "non_resource_urls": null,
                            "resource_names": null,
                            "resources": [
                                "configmaps"
                            ],
                            "verbs": [
                                "create",
                                "update"
                            ]
                        }
                    ]
                },
                "after_unknown": {
                    "aggregation_rule": [],
                    "id": true,
                    "metadata": [
                        {
                            "generation": true,
                            "resource_version": true,
                            "uid": true
                        }
                    ],
                    "rule": [
                        {
                            "non_resource_urls": [
                                false
                            ],
                            "verbs": [
                                false
                            ]
                        },
                        {
                            "api_groups": [
                                false
                            ],
                            "resources": [
                                false,
                                false,
                                false,
                                false
                            ],
                            "verbs": [
                                false,
                                false,
                                false
                            ]
                        },
                        {
                            "api_groups": [
                                false
                            ],
                            "resources": [
                                false
                            ],
                            "verbs": [
                                false,
                                false
                            ]
                        }
                    ]
                },
                "before_sensitive": false,
                "after_sensitive": {
                    "aggregation_rule": [],
                    "metadata": [
                        {}
                    ],
                    "rule": [
                        {
                            "non_resource_urls": [
                                false
                            ],
                            "verbs": [
                                false
                            ]
                        },
                        {
                            "api_groups": [
                                false
                            ],
                            "resources": [
                                false,
                                false,
                                false,
                                false
                            ],
                            "verbs": [
                                false,
                                false,
                                false
                            ]
                        },
                        {
                            "api_groups": [
                                false
                            ],
                            "resources": [
                                false
                            ],
                            "verbs": [
                                false,
                                false
                            ]
                        }
                    ]
                }
            }
        }

Exception Trace

[MainThread  ] [ERROR]  Failed to run check: Minimize wildcard use in Roles and ClusterRoles for configuration: {'aggregation_rule': [[]], 'metadata': [{'annotations': [None], 'generate_name': [None], 'labels': [None], 'name': ['fluent-bit-role'], '__startline__': [1], '__endline__': [1], 'start_line': [0], 'end_line': [0]}], 'rule': [{'api_groups': [None], 'non_resource_urls': [['/metrics']], 'resource_names': [None], 'resources': [None], 'verbs': [['get']], '__startline__': [1], '__endline__': [1], 'start_line': [0], 'end_line': [0]}, {'api_groups': [['']], 'non_resource_urls': [None], 'resource_names': [None], 'resources': [['pods', 'namespaces', 'pods/logs', 'configmaps']], 'verbs': [['get', 'list', 'watch']], '__startline__': [1], '__endline__': [1], 'start_line': [0], 'end_line': [0]}, {'api_groups': [['']], 'non_resource_urls': [None], 'resource_names': [None], 'resources': [['configmaps']], 'verbs': [['create', 'update']], '__startline__': [1], '__endline__': [1], 'start_line': [0], 'end_line': [0]}], '__startline__': [1], '__endline__': [1], 'start_line': [0], 'end_line': [0], '__address__': 'module.kuberntes-fluent-bit-for-eks.kubernetes_cluster_role.fluent_bit[0]', '__change_actions__': ['create']} at file: /../terraform/plan.json
Traceback (most recent call last):
  File "/usr/local/bin/checkov", line 9, in <module>
    sys.exit(run())
  File "/usr/local/lib/python3.9/site-packages/checkov/main.py", line 342, in run
    scan_reports = runner_registry.run(external_checks_dir=external_checks_dir, files=config.file,
  File "/usr/local/lib/python3.9/site-packages/checkov/common/runners/runner_registry.py", line 79, in run
    self.runners[0].run(root_folder, external_checks_dir=external_checks_dir, files=files,
  File "/usr/local/lib/python3.9/site-packages/checkov/terraform/plan_runner.py", line 81, in run
    self.check_tf_definition(report, root_folder, runner_filter)
  File "/usr/local/lib/python3.9/site-packages/checkov/terraform/plan_runner.py", line 100, in check_tf_definition
    self.run_block(definition[block_type], None, full_file_path, root_folder, report, scanned_file,
  File "/usr/local/lib/python3.9/site-packages/checkov/terraform/plan_runner.py", line 120, in run_block
    results = registry.scan(scanned_file, entity, [], runner_filter, report_type=CheckType.TERRAFORM_PLAN)
  File "/usr/local/lib/python3.9/site-packages/checkov/common/checks/base_check_registry.py", line 126, in scan
    result = self.run_check(check, entity_configuration, entity_name, entity_type, scanned_file, skip_info)
  File "/usr/local/lib/python3.9/site-packages/checkov/common/checks/base_check_registry.py", line 140, in run_check
    result = check.run(
  File "/usr/local/lib/python3.9/site-packages/checkov/common/checks/base_check.py", line 70, in run
    check_result["result"] = self.scan_entity_conf(entity_configuration, entity_type)
  File "/usr/local/lib/python3.9/site-packages/checkov/terraform/checks/resource/base_resource_check.py", line 43, in scan_entity_conf
    return self.scan_resource_conf(conf)
  File "/usr/local/lib/python3.9/site-packages/checkov/terraform/checks/resource/kubernetes/WildcardRoles.py", line 21, in scan_resource_conf
    if "*" in rule["api_groups"][0]:
TypeError: argument of type 'NoneType' is not iterable

Desktop (please complete the following information):

  • OS: Centos 7.9
  • Checkov Version 2.2.335

Additional context
The problem seems to be on these lines where we attempt to access the first element of null:
@gruebel gruebel added checks Check additions or changes terraform labels Feb 10, 2023

gruebel commented Feb 10, 2023

hey @jsojourner11 thanks for reaching out.

Yeah, this kind of error pops up from time to time, because TF plan resources add null values for attributes which would normally not be added in a template file. I'm actually curious about the crashing. Is it really terminating the run or just logging it and continuing?

Since you already found the problematic code parts, are you interested in contributing the needed changes?

@gruebel gruebel added the good first issue Good for newcomers label Feb 10, 2023
@jsojourner11 (Author) commented

It is terminating the run and does not continue after that point.
I don't think I can commit to contributing to the fix at this point, but if I get a moment, I can submit a pull request


stale bot commented Sep 5, 2023

Thanks for contributing to Checkov! We've automatically marked this issue as stale to keep our issues list tidy, because it has not had any activity for 6 months. It will be closed in 14 days if no further activity occurs. Commenting on this issue will remove the stale tag. If you want to talk through the issue or help us understand the priority and context, feel free to add a comment or join us in the Checkov slack channel at https://slack.bridgecrew.io
Thanks!

@stale stale bot added the stale label Sep 5, 2023

ArjunMenon-bit commented Sep 23, 2023

@jsojourner11 @gruebel I would like to contribute to fix this issue. This would be my first contribution to this project, so would be great if I could get some guidance as well.
So if I understood the issue right, we would just need to add a check to ensure the value is not 'None' before executing the if statement.
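
The null check described in this comment, applied to the crash shown in the issue's exception trace, as an added example. This is not Checkov's own WildcardRoles.py; it is a stand-alone re-implementation of the CKV_K8S_49 logic ("does any rule grant `*` in api_groups, resources or verbs?") that tolerates the `[None]` values the Terraform-plan runner produces. The resource dict below is constructed from the fluent-bit block in the trace (Checkov wraps every plan attribute in a one-element list, so `api_groups: null` arrives as `'api_groups': [None]`); the function and field names are assumptions, not the project's API.

```python
# Added example, not Checkov project code: a null-safe version of the
# wildcard-rule check that CKV_K8S_49 performs, plus the naive form that
# raises TypeError on plan-derived configs with null attributes.
from __future__ import annotations

from typing import Any

WILDCARD = "*"
# The three rule attributes the check inspects (assumption mirroring the issue).
RULE_FIELDS = ("api_groups", "resources", "verbs")


def _first(conf: dict[str, Any], key: str) -> Any:
    """Unwrap a plan-runner value, returning None when absent or null.

    Plan-derived configs look like {'api_groups': [None]} for a null
    attribute and {'api_groups': [['']]} for a set one, so conf[key][0]
    is either None or the real list.
    """
    value = conf.get(key)
    if not isinstance(value, list) or not value:
        return None
    return value[0]


def rule_uses_wildcard(rule: dict[str, Any]) -> bool:
    """True if api_groups, resources or verbs of one rule contains '*'."""
    for field in RULE_FIELDS:
        values = _first(rule, field)
        if values is None:          # null in the plan: nothing to inspect
            continue
        if isinstance(values, str):  # tolerate a bare string instead of a list
            values = [values]
        if WILDCARD in values:
            return True
    return False


def scan_resource_conf(conf: dict[str, Any]) -> str:
    """Return 'FAILED' if any rule grants a wildcard, otherwise 'PASSED'."""
    rules = conf.get("rule")
    if not isinstance(rules, list):
        return "PASSED"
    for rule in rules:
        if isinstance(rule, dict) and rule_uses_wildcard(rule):
            return "FAILED"
    return "PASSED"


def naive_scan_resource_conf(conf: dict[str, Any]) -> str:
    """The pre-fix shape of the check: indexes [0] without a null check."""
    for rule in conf["rule"]:
        if "*" in rule["api_groups"][0]:   # TypeError when [0] is None
            return "FAILED"
        if "*" in rule["resources"][0]:
            return "FAILED"
        if "*" in rule["verbs"][0]:
            return "FAILED"
    return "PASSED"


def naive_crashes(conf: dict[str, Any]) -> bool:
    """Report whether the naive check raises the TypeError from the issue."""
    try:
        naive_scan_resource_conf(conf)
    except TypeError:
        return True
    return False


# Constructed from the fluent-bit resource in the issue, in plan-runner shape.
FLUENT_BIT_CONF: dict[str, Any] = {
    "metadata": [{"name": ["fluent-bit-role"]}],
    "rule": [
        {"api_groups": [None], "non_resource_urls": [["/metrics"]],
         "resource_names": [None], "resources": [None], "verbs": [["get"]]},
        {"api_groups": [[""]], "non_resource_urls": [None], "resource_names": [None],
         "resources": [["pods", "namespaces", "pods/logs", "configmaps"]],
         "verbs": [["get", "list", "watch"]]},
        {"api_groups": [[""]], "non_resource_urls": [None], "resource_names": [None],
         "resources": [["configmaps"]], "verbs": [["create", "update"]]},
    ],
}

# Constructed: a cluster-admin style rule the check must still flag.
WILDCARD_CONF: dict[str, Any] = {
    "rule": [{"api_groups": [["*"]], "resources": [["*"]], "verbs": [["*"]]}],
}

# Constructed: nulls alongside a wildcard; the null must not mask the '*'.
MIXED_CONF: dict[str, Any] = {
    "rule": [{"api_groups": [None], "resources": [None], "verbs": [["*"]]}],
}

if __name__ == "__main__":
    print("fluent-bit:", scan_resource_conf(FLUENT_BIT_CONF))
    print("wildcard:  ", scan_resource_conf(WILDCARD_CONF))
    print("naive crashes on fluent-bit:", naive_crashes(FLUENT_BIT_CONF))
```

The point of keeping `naive_scan_resource_conf` beside the fixed version is that the crash is a false negative, not just noise: an uncaught exception ends the whole scan, so a wildcard ClusterRole later in the same plan would never be evaluated. The safe version skips null fields and keeps scanning the remaining fields and rules.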

@stale stale bot removed the stale label Sep 23, 2023
@gruebel gruebel linked a pull request Sep 24, 2023 that will close this issue