Warnings being sent to stdout even with quiet=true after version 3.2.296 - Cloudformation #6855

Open
andresionek91 opened this issue Nov 19, 2024 · 4 comments

@andresionek91

Describe the issue
Please explain the use case that leads to this noise being generated.
Version 3.2.296 introduces noise in the output even with quiet: true. After upgrading to this version I started getting a bunch of warnings in the stdout.

Examples
Please share an example code sample (in the IaC of your choice) + the expected outcomes.
My config file:

---
directory:
  - cdk.out
download-external-modules: false
evaluate-variables: true
external-modules-download-path: .external_modules
compact: true
quiet: true
framework:
  - cloudformation
skip-check:
  - CKV_AWS_158  # Ensure that CloudWatch Log Group is encrypted by KMS
  - CKV_AWS_116  # Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)
  - CKV_AWS_149  # Ensure that Secrets Manager secret is encrypted using KMS CMK
soft-fail-on:
  - CKV_AWS_109  # Ensure IAM policies does not allow permissions management without constraints
  - CKV_AWS_111  # Ensure IAM policies does not allow write access without constraints
  - CKV_AWS_157  # Ensure that RDS instances have Multi-AZ enabled

On the previous version 3.2.293 all checks run clean and there is nothing in the output. On the next release 3.2.296 I started getting those:

poetry run checkov --config-file .checkov --baseline .checkov.baseline
2024-11-19 17:10:34,176 [MainThread  ] [WARNI]  [Cloudformation_evaluate_non_rendered_values]- Inner_value - 123459789012.dkr.ecr.us-east-1.${AWS::URLSuffix}/cdk-hnb659fds-container-assets-123459789012-us-east-1:bb36d2badbc2c05adbfe8efcbbbcc4b20fd238aa46177f731bc13d2310ab3e9f is not a valid json. Full exception - Extra data: line 1 column 13 (char 12)
2024-11-19 17:10:34,177 [MainThread  ] [WARNI]  [Cloudformation_evaluate_non_rendered_values]- Inner_value - 123459789012.dkr.ecr.us-east-1.${AWS::URLSuffix}/cdk-hnb659fds-container-assets-123459789012-us-east-1:2b25844ee07f2972a46b1f5e05b4192e687f0b5f64d4c097128fb1d37a48dbe0 is not a valid json. Full exception - Extra data: line 1 column 13 (char 12)

Version (please complete the following information):

  • Checkov Version [e.g. 22]
    3.2.296

Additional context
Add any other context about the problem here.
On 3.2.303 it gets even worse, and I start getting those warnings as well:

2024-11-19 17:15:54,089 [MainThread ] [WARNI] Failed updating attribute for key: LoggingConfiguration.DestinationBucketName.Fn::Select.1 and value {'Fn::Split ...REDACTED..., 'Value': 'backend', '__startline__': 3873, '__endline__': 3876}, 'Tags.1.Key': 'owner', 'Tags.1.Value': 'backend', 'Tags.1.__startline__': 3873, 'Tags.1.__endline__': 3876, 'Tags.2': {'Key': 'repo', 'Value': 'adhoc-processing', '__startline__': 3877, '__endline__': 3880}, 'Tags.2.Key': 'repo', 'Tags.2.Value': 'adhoc-processing', 'Tags.2.__startline__': 3877, 'Tags.2.__endline__': 3880, 'VersioningConfiguration.Status': 'Enabled', 'VersioningConfiguration.__startline__': 3882, 'VersioningConfiguration.__endline__': 3884}. Falling back to explicitly setting it.Exception - Parse error at 1:54 near token Fn::Select (ID)

@andresionek91
Author

Note the Cloudformation template is being generated by AWS CDK. It synths and deploys successfully.

@mithun

mithun commented Nov 21, 2024

A workaround for now seems to be LOG_LEVEL=ERROR checkov ...

@teyhouse

Any updates on this? I had to roll back to Version 3.2.301 since this completely breaks a lot of Terraform Projects with Dynamics.

@andresionek91
Author

Version 3.2.322 is still throwing a few warnings, but it's much cleaner than before.

2024-11-29 09:42:17,817 [MainThread  ] [WARNI]  [Cloudformation_evaluate_non_rendered_values]- Inner_value - arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole is not a valid json. Full exception - Expecting value: line 1 column 1 (char 0)
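
The two "is not a valid json" messages quoted in this thread have the exact wording Python's standard `json` module produces for such strings. The following is an added example, not part of the thread and not Checkov's code, showing where each message comes from. The function names and the pre-check are hypothetical, and the ECR value is a constructed sample with the same shape as the logged one.

```python
import json

# Constructed sample: same shape as the logged ECR image URI (12-digit account ID first).
ECR_URI = "123459789012.dkr.ecr.us-east-1.${AWS::URLSuffix}/example-repo:example-tag"
# Value quoted in the 3.2.322 log line on this page.
POLICY_ARN = "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
# Constructed sample of a value that really is JSON.
INTRINSIC = '{"Fn::Sub": "arn:${AWS::Partition}:s3:::bucket"}'


def json_error_for(value: str):
    """Return the JSONDecodeError text for value, or None if it parses."""
    try:
        json.loads(value)
    except json.JSONDecodeError as exc:
        return str(exc)
    return None


def looks_like_json_container(value: str) -> bool:
    """Hypothetical pre-check: only strings opening an object or array
    are worth handing to a JSON parser; plain URIs and ARNs are not."""
    return value.strip()[:1] in ("{", "[")


def triage(values):
    """For each value, report whether a parse attempt is warranted and
    what json.loads would say if it were attempted anyway."""
    return {v: (looks_like_json_container(v), json_error_for(v)) for v in values}


if __name__ == "__main__":
    for value, (attempt, error) in triage([ECR_URI, POLICY_ARN, INTRINSIC]).items():
        print(f"attempt={attempt!s:5} error={error!r:50} value={value[:40]}...")
```

The account ID parses as a complete JSON number, so the parser stops at character 12 and reports the rest as "Extra data"; the ARN fails at character 0 because `a` cannot start any JSON value.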
