fix: add warning log for exception in update_check_metadata

Co-authored-by: jfagoagas <16007882+jfagoagas@users.noreply.github.com>
fix: remove return statements from finally blocks to avoid swallowing exceptions
2026-03-24 04:28:02 +00:00 · 2026-02-14 08:48:08 +00:00 · 2026-02-14 08:47:18 +00:00 · 2026-02-14 08:39:45 +00:00
3 changed files with 31 additions and 43 deletions
--- a/prowler/lib/check/custom_checks_metadata.py
+++ b/prowler/lib/check/custom_checks_metadata.py
@@ -128,8 +128,11 @@ def update_check_metadata(check_metadata, custom_metadata):
                        setattr(check_metadata, attribute, custom_metadata[attribute])
                    except ValueError:
                        pass
-    finally:
-        return check_metadata
+    except Exception:
+        logger.warning(
+            "Failed to update custom checks metadata, returning original metadata"
+        )
+    return check_metadata


 def update_check_metadata_remediation(
--- a/prowler/providers/aws/services/iam/iam_service.py
+++ b/prowler/providers/aws/services/iam/iam_service.py
@@ -112,8 +112,8 @@ class IAM(AWSService):

    def _get_roles(self):
        logger.info("IAM - List Roles...")
+        roles = []
        try:
-            roles = []
            get_roles_paginator = self.client.get_paginator("list_roles")
            for page in get_roles_paginator.paginate():
                for role in page["Roles"]:
@@ -142,8 +142,7 @@ class IAM(AWSService):
            logger.error(
                f"{self.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
            )
-        finally:
-            return roles
+        return roles

    def _get_credential_report(self):
        logger.info("IAM - Get Credential Report...")
@@ -175,13 +174,12 @@ class IAM(AWSService):
            logger.error(
                f"{self.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
            )
-        finally:
-            return credential_list
+        return credential_list

    def _get_groups(self):
        logger.info("IAM - Get Groups...")
+        groups = []
        try:
-            groups = []
            get_groups_paginator = self.client.get_paginator("list_groups")
            for page in get_groups_paginator.paginate():
                for group in page["Groups"]:
@@ -194,20 +192,18 @@ class IAM(AWSService):
            logger.error(
                f"{self.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
            )
-        finally:
-            return groups
+        return groups

    def _get_account_summary(self):
        logger.info("IAM - Get Account Summary...")
+        account_summary = None
        try:
            account_summary = self.client.get_account_summary()
        except Exception as error:
            logger.error(
                f"{self.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
            )
-            account_summary = None
-        finally:
-            return account_summary
+        return account_summary

    def _get_password_policy(self):
        logger.info("IAM - Get Password Policy...")
@@ -274,14 +270,13 @@ class IAM(AWSService):
                f"{self.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
            )

-        finally:
-            return stored_password_policy
+        return stored_password_policy

    def _get_users(self):
        logger.info("IAM - Get Users...")
+        users = []
        try:
            get_users_paginator = self.client.get_paginator("list_users")
-            users = []
            for page in get_users_paginator.paginate():
                for user in page["Users"]:
                    if not self.audit_resources or (
@@ -311,13 +306,12 @@ class IAM(AWSService):
            logger.error(
                f"{self.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
            )
-        finally:
-            return users
+        return users

    def _list_virtual_mfa_devices(self):
        logger.info("IAM - List Virtual MFA Devices...")
+        mfa_devices = []
        try:
-            mfa_devices = []
            list_virtual_mfa_devices_paginator = self.client.get_paginator(
                "list_virtual_mfa_devices"
            )
@@ -329,8 +323,7 @@ class IAM(AWSService):
            logger.error(
                f"{self.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
            )
-        finally:
-            return mfa_devices
+        return mfa_devices

    def _list_attached_group_policies(self):
        logger.info("IAM - List Attached Group Policies...")
@@ -677,12 +670,11 @@ class IAM(AWSService):

    def _list_entities_role_for_policy(self, policy_arn):
        logger.info("IAM - List Entities Role For Policy...")
+        roles = []
        try:
-            roles = []
            roles = self.client.list_entities_for_policy(
                PolicyArn=policy_arn, EntityFilter="Role"
            )["PolicyRoles"]
-            return roles
        except ClientError as error:
            if error.response["Error"]["Code"] == "AccessDenied":
                logger.error(
@@ -697,18 +689,16 @@ class IAM(AWSService):
            logger.error(
                f"{self.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
            )
-        finally:
-            return roles
+        return roles

    def _list_entities_for_policy(self, policy_arn):
        logger.info("IAM - List Entities For Policy...")
+        entities = {
+            "Users": [],
+            "Groups": [],
+            "Roles": [],
+        }
        try:
-            entities = {
-                "Users": [],
-                "Groups": [],
-                "Roles": [],
-            }
-
            paginator = self.client.get_paginator("list_entities_for_policy")
            for response in paginator.paginate(PolicyArn=policy_arn):
                entities["Users"].extend(
@@ -720,7 +710,6 @@ class IAM(AWSService):
                entities["Roles"].extend(
                    role["RoleName"] for role in response.get("PolicyRoles", [])
                )
-            return entities
        except ClientError as error:
            if error.response["Error"]["Code"] == "AccessDenied":
                logger.error(
@@ -735,13 +724,12 @@ class IAM(AWSService):
            logger.error(
                f"{self.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
            )
-        finally:
-            return entities
+        return entities

    def _list_policies(self, scope):
        logger.info("IAM - List Policies...")
+        policies = {}
        try:
-            policies = {}
            list_policies_paginator = self.client.get_paginator("list_policies")
            for page in list_policies_paginator.paginate(
                Scope=scope, OnlyAttached=False if scope == "Local" else True
@@ -762,8 +750,7 @@ class IAM(AWSService):
            logger.error(
                f"{self.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
            )
-        finally:
-            return policies
+        return policies

    def _list_policies_version(self, policies):
        logger.info("IAM - List Policies Version...")
@@ -817,8 +804,8 @@ class IAM(AWSService):

    def _list_server_certificates(self) -> list:
        logger.info("IAM - List Server Certificates...")
+        server_certificates = []
        try:
-            server_certificates = []
            for certificate in self.client.list_server_certificates()[
                "ServerCertificateMetadataList"
            ]:
@@ -837,8 +824,7 @@ class IAM(AWSService):
            logger.error(
                f"{self.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
            )
-        finally:
-            return server_certificates
+        return server_certificates

    def _list_tags(self, resource: any):
        logger.info("IAM - List Tags...")
--- a/prowler/providers/aws/services/iam/iam_user_two_active_access_key/iam_user_two_active_access_key.py
+++ b/prowler/providers/aws/services/iam/iam_user_two_active_access_key/iam_user_two_active_access_key.py
@@ -5,8 +5,8 @@ from prowler.providers.aws.services.iam.iam_client import iam_client

 class iam_user_two_active_access_key(Check):
    def execute(self) -> Check_Report_AWS:
+        findings = []
        try:
-            findings = []
            response = iam_client.credential_report
            for user in response:
                report = Check_Report_AWS(metadata=self.metadata(), resource=user)
@@ -34,5 +34,4 @@ class iam_user_two_active_access_key(Check):
                findings.append(report)
        except Exception as error:
            logger.error(f"{error.__class__.__name__} -- {error}")
-        finally:
-            return findings
+        return findings
Author	SHA1	Message	Date
copilot-swe-agent[bot]	cebe6cf8e2	fix: add warning log for exception in update_check_metadata Co-authored-by: jfagoagas <16007882+jfagoagas@users.noreply.github.com>	2026-02-14 08:48:08 +00:00
copilot-swe-agent[bot]	eaa746f7b9	fix: remove return statements from finally blocks to avoid swallowing exceptions Co-authored-by: jfagoagas <16007882+jfagoagas@users.noreply.github.com>	2026-02-14 08:47:18 +00:00
copilot-swe-agent[bot]	57222f6e0b	Initial plan	2026-02-14 08:39:45 +00:00