fix P-rules to avoid reporting registered vars as undefined (ansible#199

) Signed-off-by: hirokuni-kitahara <[email protected]>
justjais · Jun 3, 2024 · ecf1765 · ecf1765
1 parent 22438da
commit ecf1765
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 1 deletion.
diff --git a/ansible_risk_insight/rules/P003_module_argument_value_validation.py b/ansible_risk_insight/rules/P003_module_argument_value_validation.py
@@ -66,6 +66,13 @@ def process(self, ctx: AnsibleRunContext):
             wrong_values = []
             undefined_values = []
             unknown_type_values = []
+
+            registered_vars = []
+            for v_name in task.variable_set:
+                v = task.variable_set[v_name]
+                if v and v[-1].type == VariableType.RegisteredVars:
+                    registered_vars.append(v_name)
+
             if task.args.type == ArgumentsType.DICT:
                 for key in task.args.raw:
                     raw_value = task.args.raw[key]
@@ -133,7 +140,16 @@ def process(self, ctx: AnsibleRunContext):
 
                     sub_args = task.args.get(key)
                     if sub_args:
-                        undefined_vars = [v.name for v in sub_args.vars if v and v.type == VariableType.Unknown]
+                        undefined_vars = []
+                        for v in sub_args.vars:
+                            first_v_name = v.name.split(".")[0]
+                            # skip registered vars
+                            if first_v_name in registered_vars:
+                                continue
+
+                            if v and v.type == VariableType.Unknown:
+                                undefined_vars.append(v.name)
+
                         if undefined_vars:
                             undefined_values.append({"key": key, "value": raw_value, "undefined_variables": undefined_vars})
 

diff --git a/ansible_risk_insight/rules/P004_variable_validation.py b/ansible_risk_insight/rules/P004_variable_validation.py
@@ -66,7 +66,19 @@ def process(self, ctx: AnsibleRunContext):
         task_arg_keys = []
         if task.args.type == ArgumentsType.DICT:
             task_arg_keys = list(task.args.raw.keys())
+
+        registered_vars = []
+        for v_name in task.variable_set:
+            v = task.variable_set[v_name]
+            if v and v[-1].type == VariableType.RegisteredVars:
+                registered_vars.append(v_name)
+
         for v_name in task.variable_use:
+            first_v_name = v_name.split(".")[0]
+            # skip registered vars
+            if first_v_name in registered_vars:
+                continue
+
             v = task.variable_use[v_name]
             if v and v[-1].type == VariableType.Unknown:
                 if v_name not in undefined_variables: