fix(terraform): fix index out of range in load module #7314

checkov/terraform/module_loading/module_finder.py

@@ -83,8 +83,14 @@ def find_modules(path: str, loaded_files_cache: Optional[Dict[str, Any]] = None,
                 for module_name, module_data in module.items():
                     md = ModuleDownload(os.path.dirname(file_path))
                     md.module_name = module_name
-                    md.module_link = module_data.get("source", [None])[0]
-                    md.version = module_data.get("version", [None])[0]
+                    try:
+                        md.module_link = module_data.get("source", [None])[0]
+                    except IndexError:
+                        md.module_link = None
+                    try:
+                        md.version = module_data.get("version", [None])[0]
+                    except IndexError:
+                        md.version = None
                     if md.module_link:
                         md.address = f"{md.module_link}:{md.version}" if md.version else md.module_link
                     modules_found.append(md)
@@ -148,7 +154,7 @@ def _download_module(ml_registry: ModuleLoaderRegistry, module_download: ModuleD
                 logging.warning(log_message)
             return False
     except Exception as e:
-        logging.warning(f"Unable to load module ({module_download.address}): {e}")
+        logging.warning(f"Unable to load module in module_finder ({module_download.address}): {e}")
         return False
 
     return True

checkov/terraform/module_loading/registry.py

@@ -118,18 +118,28 @@ def load(
                     self.module_content_cache[module_address] = ModuleContent(None)
                     continue
                 else:
-                    v = module_address.rsplit(':', 1)
-                    if v[0] not in self.module_latest or self.module_latest[v[0]] < v[1]:
-                        self.module_latest[v[0]] = v[1]
+                    # safely derive module key/version even when module_address lacks ':' (e.g., github ?ref=... case)
+                    if ':' in module_address:
+                        key, ver = module_address.rsplit(':', 1)
+                        ver = ver or (source_version or 'HEAD')
+                    else:
+                        key, ver = module_address, (source_version or 'HEAD')
+                    if key not in self.module_latest or self.module_latest.get(key, '') < ver:
+                        self.module_latest[key] = ver
                     self.module_content_cache[module_address] = content
                     return content
 
         if last_exception is not None:
             raise last_exception
 
-        v = module_address.rsplit(':', 1)
-        if v[0] not in self.module_latest or self.module_latest[v[0]] < v[1]:
-            self.module_latest[v[0]] = v[1]
+        # safely derive module key/version even when module_address lacks ':' (e.g., github ?ref=... case)
+        if ':' in module_address:
+            key, ver = module_address.rsplit(':', 1)
+            ver = ver or (source_version or 'HEAD')
+        else:
+            key, ver = module_address, (source_version or 'HEAD')
+        if key not in self.module_latest or self.module_latest.get(key, '') < ver:
+            self.module_latest[key] = ver
         self.module_content_cache[module_address] = content
         return content
 

tests/terraform/module_loading/test_module_finder_index_error.py

@@ -0,0 +1,37 @@
+import logging
+
+import pytest
+
+from checkov.terraform.module_loading.module_finder import ModuleDownload, _download_module
+from checkov.terraform.module_loading.registry import module_loader_registry
+
+
+@pytest.mark.parametrize(
+    "module_link",
+    [
+        "github.com/someorg/terraform-aws-mcaf-role?ref=v0.3.3",
+        "terraform-aws-modules/kms/aws",
+    ],
+    ids=[
+        "github_ref",
+        "registry",
+    ],
+)
+def test_download_module_logs_index_error(caplog, module_link):
+    """
+    Validate that ModuleFinder not logs a warning with the address and the IndexError
+    ('list index out of range').
+    """
+    caplog.set_level(logging.WARNING)
+
+    md = ModuleDownload(source_dir=".")
+    md.module_link = module_link
+    md.version = None  # version is embedded in module_link for github_ref cases
+    md.address = module_link
+    md.tf_managed = False
+
+    success = _download_module(module_loader_registry, md)
+
+    assert success is False
+    assert "Unable to load module in module_finder" not in caplog.text
+    assert "list index out of range" not in caplog.text