refactor(misconf): improve error handling in the Rego scanner (aquasecurity#6527)

nikpivkin · web-flow · commit aa822c260fb1 · 2024-04-22T15:46:10.000Z
diff --git a/pkg/iac/rego/scanner.go b/pkg/iac/rego/scanner.go
@@ -241,7 +241,10 @@ func (s *Scanner) ScanInput(ctx context.Context, inputs ...Input) (scan.Results,
 
 		staticMeta, err := s.retriever.RetrieveMetadata(ctx, module, GetInputsContents(inputs)...)
 		if err != nil {
-			return nil, err
+			s.debug.Log(
+				"Error occurred while retrieving metadata from check %q: %s",
+				module.Package.Location.File, err)
+			continue
 		}
 
 		if isPolicyWithSubtype(s.sourceType) {
@@ -267,7 +270,10 @@ func (s *Scanner) ScanInput(ctx context.Context, inputs ...Input) (scan.Results,
 			if isEnforcedRule(ruleName) {
 				ruleResults, err := s.applyRule(ctx, namespace, ruleName, inputs, staticMeta.InputOptions.Combined)
 				if err != nil {
-					return nil, err
+					s.debug.Log(
+						"Error occurred while applying rule %q from check %q: %s",
+						ruleName, module.Package.Location.File, err)
+					continue
 				}
 				results = append(results, s.embellishResultsWithRuleMetadata(ruleResults, *staticMeta)...)
 			}
diff --git a/pkg/iac/rego/scanner_test.go b/pkg/iac/rego/scanner_test.go
@@ -8,6 +8,7 @@ import (
 	"path/filepath"
 	"strings"
 	"testing"
+	"testing/fstest"
 
 	"github.com/aquasecurity/trivy/pkg/iac/severity"
 	"github.com/aquasecurity/trivy/pkg/iac/types"
@@ -976,3 +977,37 @@ deny {
 	assert.Equal(t, 0, len(results.GetPassed()))
 	assert.Equal(t, 0, len(results.GetIgnored()))
 }
+
+func Test_NoErrorsWhenUsingBadRegoCheck(t *testing.T) {
+
+	// this check cause eval_conflict_error
+	// https://www.openpolicyagent.org/docs/latest/policy-language/#functions
+	fsys := fstest.MapFS{
+		"checks/bad.rego": {
+			Data: []byte(`package defsec.test
+
+p(x) = y {
+    y := x[_]
+}
+
+deny {
+	p([1, 2, 3])
+}
+`),
+		},
+	}
+
+	var buf bytes.Buffer
+	scanner := NewScanner(
+		types.SourceYAML,
+		options.ScannerWithDebug(&buf),
+	)
+	require.NoError(
+		t,
+		scanner.LoadPolicies(false, false, fsys, []string{"checks"}, nil),
+	)
+	_, err := scanner.ScanInput(context.TODO(), Input{})
+	assert.NoError(t, err)
+	assert.Contains(t, buf.String(),
+		`Error occurred while applying rule "deny" from check "checks/bad.rego"`)
+}
