fix(kustomize): handle kustomize file with empty resources section (#7109)

* fix error when resources section is empty

* add tests

---------

Co-authored-by: oshimko <[email protected]>

Author: OfekShimko

checkov/kustomize/runner.py

@@ -408,7 +408,7 @@ def _parseKustomization(self, kustomize_dir: str) -> dict[str, Any]:
             if not isinstance(file_content, dict):
                 return {}
 
-            if 'resources' in file_content:
+            if 'resources' in file_content and file_content['resources'] is not None:
                 resources = file_content['resources']
 
                 # We can differentiate between "overlays" and "bases" based on if the `resources` refers to a directory,

tests/kustomize/graph/resources/empty_resources/graph_check.yaml

@@ -0,0 +1,139 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: internal-proxy-deployment
+  labels:
+    app: internal-proxy
+spec:
+  selector:
+    matchLabels:
+      app: internal-proxy
+  template:
+    metadata:
+      labels:
+        app: internal-proxy
+    spec:
+      containers:
+      - name: internal-api
+        image: madhuakula/k8s-goat-internal-api
+        resources:
+          limits:
+            cpu: 30m
+            memory: 40Mi
+          requests:
+            cpu: 30m
+            memory: 40Mi
+        ports:
+        - containerPort: 3000
+      - name: info-app
+        image: madhuakula/k8s-goat-info-app
+        resources:
+          limits:
+            cpu: 30m
+            memory: 40Mi
+          requests:
+            cpu: 30m
+            memory: 40Mi
+        ports:
+        - containerPort: 5000
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: external-proxy-deployment
+  labels:
+    app: external-proxy
+spec:
+  selector:
+    matchLabels:
+      app: external-proxy
+  template:
+    metadata:
+      labels:
+        app: external-proxy
+    spec:
+      containers:
+      - name: internal-api
+        image: madhuakula/k8s-goat-internal-api
+        resources:
+          limits:
+            cpu: 30m
+            memory: 40Mi
+          requests:
+            cpu: 30m
+            memory: 40Mi
+        ports:
+        - containerPort: 3000
+      - name: info-app
+        image: madhuakula/k8s-goat-info-app
+        resources:
+          limits:
+            cpu: 30m
+            memory: 40Mi
+          requests:
+            cpu: 30m
+            memory: 40Mi
+        ports:
+        - containerPort: 5000
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: test-network-policy
+  namespace: default
+spec:
+  podSelector:
+    matchLabels:
+      app: internal-proxy
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+    - from:
+        - ipBlock:
+            cidr: 172.17.0.0/16
+            except:
+              - 172.17.1.0/24
+        - podSelector:
+            matchLabels:
+              app: internal-proxy
+      ports:
+        - protocol: TCP
+          port: 6379
+  egress:
+    - to:
+        - ipBlock:
+            cidr: 10.0.0.0/24
+      ports:
+        - protocol: TCP
+          port: 5978
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: skipdeployment
+  annotations:
+    "checkov.io/skip": "CKV2_K8S_6=skip it"
+  labels:
+    app: skip
+spec:
+  selector:
+    matchLabels:
+      app: skip
+  template:
+    metadata:
+      labels:
+        app: skip
+    spec:
+      containers:
+      - name: info-app
+        image: madhuakula/k8s-goat-info-app
+        resources:
+          limits:
+            cpu: 30m
+            memory: 40Mi
+          requests:
+            cpu: 30m
+            memory: 40Mi
+        ports:
+        - containerPort: 5000

tests/kustomize/graph/resources/empty_resources/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+#  - graph_check.yaml

tests/kustomize/graph/test_running_graph_checks.py

@@ -10,10 +10,7 @@
 from tests.kustomize.utils import kustomize_exists
 
 
-@pytest.mark.skipif(not kustomize_exists(), reason="kustomize not installed")
-@pytest.mark.parametrize("graph_framework", GRAPH_FRAMEWORKS)
-def test_runner(mocker: MockerFixture, graph_framework):
-    scan_dir_path = Path(__file__).parent / "resources" / "example_checks"
+def get_kustomize_summary(mocker: MockerFixture, graph_framework, scan_dir_path):
     dir_rel_path = os.path.realpath(scan_dir_path).replace('\\', '/')
 
     runner_filter = RunnerFilter(framework=["kustomize"], checks=["CKV2_K8S_6"])
@@ -28,7 +25,29 @@ def test_runner(mocker: MockerFixture, graph_framework):
 
     summary = report.get_summary()
 
+    return summary
+
+
+@pytest.mark.skipif(not kustomize_exists(), reason="kustomize not installed")
+@pytest.mark.parametrize("graph_framework", GRAPH_FRAMEWORKS)
+def test_runner(mocker: MockerFixture, graph_framework):
+    scan_dir_path = Path(__file__).parent / "resources" / "example_checks"
+    summary = get_kustomize_summary(mocker=mocker, graph_framework=graph_framework, scan_dir_path=scan_dir_path)
+
     assert summary["passed"] == 1
     assert summary["failed"] == 1
     assert summary["skipped"] == 1
     assert summary["parsing_errors"] == 0
+
+
+@pytest.mark.skipif(not kustomize_exists(), reason="kustomize not installed")
+@pytest.mark.parametrize("graph_framework", GRAPH_FRAMEWORKS)
+def test_empty_resources(mocker: MockerFixture, graph_framework):
+    scan_dir_path = Path(__file__).parent / "resources" / "empty_resources"
+
+    summary = get_kustomize_summary(mocker=mocker, graph_framework=graph_framework, scan_dir_path=scan_dir_path)
+
+    assert summary["passed"] == 0
+    assert summary["failed"] == 0
+    assert summary["skipped"] == 0
+    assert summary["parsing_errors"] == 0