Merge branch 'master' into broken_symlink

liorj-orca · Aug 29, 2023 · 904ce3f · 904ce3f
2 parents 4c96ad4 + 954212d
commit 904ce3f
Show file tree

Hide file tree

Showing 3 changed files with 87 additions and 5 deletions.
diff --git a/docs/integrations_ghactions.md b/docs/integrations_ghactions.md
@@ -6,7 +6,7 @@ This provides you the ability to run KICS scans in your Github repositories and
 
 #### Important note
 If you use a version from **v1.2 to v1.5 of the kics-github-action** it means you will be scanning your IaC files with **KICS version 1.5.15**.</br></br>
-In order to use **KICS version 1.6.x** to scan your files, you should use the **v1.6 of the kics-github-action**.
+In order to use **KICS version 1.7.x** to scan your files, you should use the **v1.7.0 of the kics-github-action**.
 
 #### Tutorial
 
@@ -16,7 +16,7 @@ In order to use **KICS version 1.6.x** to scan your files, you should use the **
 
 ```yaml
 - name: KICS Github Action
-  uses: Checkmarx/kics-github-action@v1.6
+  uses: Checkmarx/kics-github-action@v1.7.0
   with:
     # path to file or directory to scan
     path:
@@ -45,7 +45,7 @@ steps:
     # make sure results dir is created
     run: mkdir -p results-dir
   - name: run kics Scan
-    uses: Checkmarx/kics-github-action@v1.6
+    uses: Checkmarx/kics-github-action@v1.7.0
     with:
       path: 'terraform'
       output_path: results-dir

diff --git a/pkg/parser/terraform/converter/default.go b/pkg/parser/terraform/converter/default.go
@@ -260,13 +260,27 @@ func (c *converter) convertExpression(expr hclsyntax.Expression) (interface{}, e
 			Variables: inputVarMap,
 			Functions: functions.TerraformFuncs,
 		})
-		if !valueConverted.Type().HasDynamicTypes() && valueConverted.IsKnown() {
+		if !checkDynamicKnownTypes(valueConverted) {
 			return ctyjson.SimpleJSONValue{Value: valueConverted}, nil
 		}
 		return c.wrapExpr(expr)
 	}
 }
 
+func checkDynamicKnownTypes(valueConverted cty.Value) bool {
+	if !valueConverted.Type().HasDynamicTypes() && valueConverted.IsKnown() {
+		if valueConverted.Type().FriendlyName() == "tuple" {
+			for _, val := range valueConverted.AsValueSlice() {
+				if val.Type().HasDynamicTypes() || !val.IsKnown() {
+					return true
+				}
+			}
+		}
+		return false
+	}
+	return true
+}
+
 func (c *converter) objectConsExpr(value *hclsyntax.ObjectConsExpr) (model.Document, error) {
 	m := make(model.Document)
 	for _, item := range value.Items {

diff --git a/pkg/parser/terraform/converter/default_test.go b/pkg/parser/terraform/converter/default_test.go
@@ -308,7 +308,7 @@ func TestEvalFunction(t *testing.T) { //nolint
 	}
 	tests := []funcTest{
 		{
-			name: "should evaluate without problems",
+			name: "should evaluate without problems (1)",
 			input: `
 block "label_one" {
 	policy = jsonencode({
@@ -387,6 +387,74 @@ block "label_one" {
 			  `,
 			wantErr: false,
 		},
+		{
+			name: "should evaluate without problems (2)",
+			input: `data "aws_iam_policy_document" "blabla" {
+	statement {
+	  actions = [
+		"secretsmanager:GetSecretValue",
+	  ]
+	  resources = [
+		for s in [
+		  "DATABASE_READONLY_PASSWORD",
+		  "DATABASE_DATA_PASSWORD",
+		] : "arn:aws:secretsmanager:eu-west-1:${data.aws_caller_identity.this.account_id}:secret:/${var.env}/*/${s}-*"
+	  ]
+	}
+  }
+`,
+			want: `
+			{
+				"data": {
+				  "aws_iam_policy_document": {
+					"blabla": {
+					  "statement": {
+						"resources": "${[\n\t\tfor s in [\n\t\t  \"DATABASE_READONLY_PASSWORD\",\n\t\t  \"DATABASE_DATA_PASSWORD\",\n\t\t] : \"arn:aws:secretsmanager:eu-west-1:${data.aws_caller_identity.this.account_id}:secret:/${var.env}/*/${s}-*\"\n\t  ]}",
+						"actions": [
+						  "secretsmanager:GetSecretValue"
+						],
+						"_kics_lines": {
+						  "_kics__default": {
+							"_kics_line": 2
+						  },
+						  "_kics_actions": {
+							"_kics_line": 3,
+							"_kics_arr": [
+							  {
+								"_kics__default": {
+								  "_kics_line": 4
+								}
+							  }
+							]
+						  },
+						  "_kics_resources": {
+							"_kics_line": 6
+						  }
+						}
+					  },
+					  "_kics_lines": {
+						"_kics__default": {
+						  "_kics_line": 1
+						},
+						"_kics_statement": {
+						  "_kics_line": 2
+						}
+					  }
+					}
+				  }
+				},
+				"_kics_lines": {
+				  "_kics__default": {
+					"_kics_line": 0
+				  },
+				  "_kics_data": {
+					"_kics_line": 1
+				  }
+				}
+			  }
+`,
+			wantErr: false,
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {