fix block access by index

Signed-off-by: nikpivkin <[email protected]>
aquasecurity · Aug 9, 2024 · d71e6ac · d71e6ac
1 parent 86e8b29
commit d71e6ac
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 1 deletion.
diff --git a/pkg/iac/scanners/terraform/ignore_test.go b/pkg/iac/scanners/terraform/ignore_test.go
@@ -442,6 +442,21 @@ resource "bad" "my-rule" {
     }
   }
 }
+`,
+			assertLength: 0,
+		},
+		{
+			name: "ignore by indexed dynamic block value",
+			inputOptions: `
+// trivy:ignore:*[secure_settings.0.enabled=false]
+resource "bad" "my-rule" {
+  dynamic "secure_settings" {
+    for_each = ["false", "true"]
+    content {
+      enabled = secure_settings.value
+    }
+  }
+}
 `,
 			assertLength: 0,
 		},

diff --git a/pkg/iac/terraform/block.go b/pkg/iac/terraform/block.go
@@ -353,7 +353,7 @@ func (b *Block) getAttributeByPath(path string) (*Attribute, []string) {
 	for currentBlock := b; currentBlock != nil && stepIndex < len(steps); {
 		blocks := currentBlock.GetBlocks(steps[stepIndex])
 		var nextBlock *Block
-		if !hasIndex(steps, stepIndex) && len(blocks) > 0 {
+		if !hasIndex(steps, stepIndex+1) && len(blocks) > 0 {
 			// if index is not provided then return the first block for backwards compatibility
 			nextBlock = blocks[0]
 		} else if len(blocks) > 1 && stepIndex < len(steps)-2 {