fix(allowlist): Handle empty exceptions (#3266)

2026-02-10 06:45:08 +00:00 · 2024-01-12 09:54:03 +01:00
parent 9a1c034a51
commit 73780682a1
2 changed files with 63 additions and 0 deletions
--- a/prowler/providers/aws/lib/allowlist/allowlist.py
+++ b/prowler/providers/aws/lib/allowlist/allowlist.py
@@ -304,6 +304,13 @@ def is_excepted(
            is_tag_excepted = __is_item_matched__(excepted_tags, finding_tags)

            if (
+                not is_account_excepted
+                and not is_region_excepted
+                and not is_resource_excepted
+                and not is_tag_excepted
+            ):
+                excepted = False
+            elif (
                (is_account_excepted or not excepted_accounts)
                and (is_region_excepted or not excepted_regions)
                and (is_resource_excepted or not excepted_resources)
--- a/tests/providers/aws/lib/allowlist/allowlist_test.py
+++ b/tests/providers/aws/lib/allowlist/allowlist_test.py
@@ -167,6 +167,46 @@ class Test_Allowlist:
        assert len(allowlisted_findings) == 1
        assert allowlisted_findings[0].status == "WARNING"

+    def test_allowlist_all_exceptions_empty(self):
+        # Allowlist example
+        allowlist = {
+            "Accounts": {
+                "*": {
+                    "Checks": {
+                        "*": {
+                            "Tags": ["*"],
+                            "Regions": [AWS_REGION_US_EAST_1],
+                            "Resources": ["*"],
+                            "Exceptions": {
+                                "Tags": [],
+                                "Regions": [],
+                                "Accounts": [],
+                                "Resources": [],
+                            },
+                        }
+                    }
+                }
+            }
+        }
+
+        # Check Findings
+        check_findings = []
+        finding_1 = MagicMock
+        finding_1.check_metadata = MagicMock
+        finding_1.check_metadata.CheckID = "check_test"
+        finding_1.status = "FAIL"
+        finding_1.region = AWS_REGION_US_EAST_1
+        finding_1.resource_id = "prowler"
+        finding_1.resource_tags = []
+
+        check_findings.append(finding_1)
+
+        allowlisted_findings = allowlist_findings(
+            allowlist, AWS_ACCOUNT_NUMBER, check_findings
+        )
+        assert len(allowlisted_findings) == 1
+        assert allowlisted_findings[0].status == "WARNING"
+
    def test_is_allowlisted_with_everything_excepted(self):
        allowlist = {
            "Accounts": {
@@ -1187,6 +1227,22 @@ class Test_Allowlist:
            "environment=pro",
        )

+    def test_is_excepted_all_empty(self):
+        exceptions = {
+            "Accounts": [],
+            "Regions": [],
+            "Resources": [],
+            "Tags": [],
+        }
+
+        assert not is_excepted(
+            exceptions,
+            AWS_ACCOUNT_NUMBER,
+            "eu-south-2",
+            "test",
+            "environment=test",
+        )
+
    def test_is_allowlisted_in_resource(self):
        allowlist_resources = ["prowler", "^test", "prowler-pro"]