fix(misconf): check if metadata is not nil

nikpivkin · nikpivkin · commit 6666881507e3 · 2025-03-21T17:05:21.000+06:00
Signed-off-by: nikpivkin &lt;nikita.pivkin@smartforce.io&gt;
diff --git a/pkg/iac/rego/load.go b/pkg/iac/rego/load.go
@@ -197,13 +197,13 @@ func (s *Scanner) findMatchedEmbeddedCheck(badPolicy *ast.Module) *ast.Module {
 	}
 
 	badPolicyMeta, err := MetadataFromAnnotations(badPolicy)
-	if err != nil {
+	if err != nil || badPolicyMeta == nil {
 		return nil
 	}
 
 	for _, embeddedCheck := range s.embeddedChecks {
 		meta, err := MetadataFromAnnotations(embeddedCheck)
-		if err != nil {
+		if err != nil || meta == nil {
 			continue
 		}
 		if badPolicyMeta.AVDID != "" && badPolicyMeta.AVDID == meta.AVDID {
diff --git a/pkg/iac/rego/load_test.go b/pkg/iac/rego/load_test.go
@@ -253,3 +253,18 @@ deny {
 	err := scanner.LoadPolicies(fsys)
 	require.Error(t, err)
 }
+
+func TestFallback_CheckWithoutAnnotation(t *testing.T) {
+	fsys := fstest.MapFS{
+		"check.rego": &fstest.MapFile{Data: []byte(`package builtin.test
+import data.func
+deny := func(input)
+`)},
+	}
+	scanner := rego.NewScanner(
+		rego.WithPolicyDirs("."),
+		rego.WithEmbeddedLibraries(false),
+	)
+	err := scanner.LoadPolicies(fsys)
+	require.NoError(t, err)
+}

Original file line number	Diff line number	Diff line change
`@@ -197,13 +197,13 @@ func (s Scanner) findMatchedEmbeddedCheck(badPolicy ast.Module) *ast.Module {`
`197`	`197`	`}`
`198`	`198`
`199`	`199`	`badPolicyMeta, err := MetadataFromAnnotations(badPolicy)`
`200`		`- if err != nil {`
	`200`	`+ if err != nil \|\| badPolicyMeta == nil {`
`201`	`201`	`return nil`
`202`	`202`	`}`
`203`	`203`
`204`	`204`	`for _, embeddedCheck := range s.embeddedChecks {`
`205`	`205`	`meta, err := MetadataFromAnnotations(embeddedCheck)`
`206`		`- if err != nil {`
	`206`	`+ if err != nil \|\| meta == nil {`
`207`	`207`	`continue`
`208`	`208`	`}`
`209`	`209`	`if badPolicyMeta.AVDID != "" && badPolicyMeta.AVDID == meta.AVDID {`