From a1b3997d376c37c1001ba8e25c2dd7051f013d48 Mon Sep 17 00:00:00 2001
From: Oleksandr Sanin
Date: Tue, 19 May 2026 09:18:25 +0000
Subject: [PATCH] fix(terraform): guard against unhashable dict in CKV_AZURE_80

When the HCL parser receives a non-string value for dotnet_version or dotnet_framework_version (e.g. an empty object `{}`), the refactored set membership test `version in supported_versions` throws `TypeError: unhashable type: 'dict'`. Add an explicit isinstance(version, str) guard before each membership check and return CheckResult.UNKNOWN when the version value is not a string, matching the check's existing convention for indeterminate configurations.

Closes #7523
Signed-off-by: Oleksandr Sanin
---
.../azure/AppServiceDotnetFrameworkVersion.py | 4 +++
.../main.tf | 27 +++++++++++++++++++
2 files changed, 31 insertions(+)

diff --git a/checkov/terraform/checks/resource/azure/AppServiceDotnetFrameworkVersion.py b/checkov/terraform/checks/resource/azure/AppServiceDotnetFrameworkVersion.py
index 53ad57bd43..07cbfd31b9 100644
--- a/checkov/terraform/checks/resource/azure/AppServiceDotnetFrameworkVersion.py
+++ b/checkov/terraform/checks/resource/azure/AppServiceDotnetFrameworkVersion.py
@@ -23,6 +23,8 @@ def scan_resource_conf(self, conf) -> CheckResult:
 site_config = conf.get('site_config')[0]
 if site_config.get('dotnet_framework_version') and isinstance(site_config.get('dotnet_framework_version'), list):
 version = site_config.get('dotnet_framework_version')[0]
+ if not isinstance(version, str):
+ return CheckResult.UNKNOWN
 if version in supported_versions:
 return CheckResult.PASSED
 self.evaluated_keys = ['site_config/[0]/dotnet_framework_version']
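Review bot: The new `if not isinstance(version, str): return CheckResult.UNKNOWN` guard is wider than the crash it fixes: the `TypeError` only arises for unhashable values such as the `{}` in the commit message, but the guard also catches hashable non-strings (`None` if the parser maps a `null` attribute that way, an int, a bool), which before this change missed the set and fell through past the `self.evaluated_keys` line, presumably to the failing return that follows outside the hunk. Those resources now silently leave the findings as UNKNOWN instead of being reported as unsupported, which is a security-relevant downgrade rather than a pure crash fix. If the downgrade is intended, record it at the guard, e.g. `# Non-string values (null, numbers, objects) are indeterminate, not failing`; if only the crash is the target, `if isinstance(version, (dict, list)): return CheckResult.UNKNOWN` preserves the old verdict for everything else. A fixture with `dotnet_framework_version = null` would pin whichever behaviour is chosen; note also that the UNKNOWN path returns before `self.evaluated_keys` is set, so the result carries no pointer to the offending attribute. scan_resource_conf starts before and continues after this hunk.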
@@ -31,6 +33,8 @@ def scan_resource_conf(self, conf) -> CheckResult:
 stack = site_config.get('application_stack')[0]
 if stack.get('dotnet_version') and isinstance(stack.get('dotnet_version'), list):
 version = stack.get('dotnet_version')[0]
+ if not isinstance(version, str):
+ return CheckResult.UNKNOWN
 if version in supported_versions:
 return CheckResult.PASSED
 self.evaluated_keys = ['site_config/[0]/application_stack/[0]/dotnet_version']
diff --git a/tests/terraform/checks/resource/azure/example_AppServiceDotnetFrameworkVersion/main.tf b/tests/terraform/checks/resource/azure/example_AppServiceDotnetFrameworkVersion/main.tf
index 074a274eba..71f34b5dc7 100644
--- a/tests/terraform/checks/resource/azure/example_AppServiceDotnetFrameworkVersion/main.tf
+++ b/tests/terraform/checks/resource/azure/example_AppServiceDotnetFrameworkVersion/main.tf
@@ -334,6 +334,33 @@ resource "azurerm_windows_web_app" "fail2" {
 }
 }
+# UNKNOWN - dotnet_version is a non-string value (triggers CKV_AZURE_80 crash guard)
+resource "azurerm_windows_web_app" "unknown" {
+ #checkov:skip=CKV_AZURE_16: AD might not be required
+ name = var.name
+ location = var.location
+ resource_group_name = var.rg_name
+ service_plan_id = var.service_plan_id
+
+ https_only = true
+
+ site_config {
+ application_stack {
+ dotnet_version = {}
+ }
+ }
+
+ client_certificate_enabled = true
+
+ auth_settings {
+ enabled = true
+ }
+
+ identity {
+ type = "SystemAssigned"
+ }
+}
+
+# IGNORE - no dotnet version specified
 resource "azurerm_windows_web_app" "ignore" {
 #checkov:skip=CKV_AZURE_16: AD might not be required
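Review bot: The guard added here for `dotnet_version` is character-for-character the one added for `dotnet_framework_version` in the previous hunk, and it sits in front of an identical `version in supported_versions` / `return CheckResult.PASSED` pair, so the check now carries the same type-to-verdict policy twice; the next tweak to that policy (say, narrowing it to unhashable types, or accepting a version list) has to be made in both places or the two attributes drift. A small helper that takes the value and the supported set and returns UNKNOWN, PASSED or None keeps one copy of the rule; `supported_versions` is passed in because its scope is not visible in the hunk. scan_resource_conf starts before and continues after this hunk, so the FAILED path that follows `self.evaluated_keys` is assumed, not shown.
```python
    # … unchanged: dotnet_framework_version branch, same replacement applies there …
    stack = site_config.get('application_stack')[0]
    if stack.get('dotnet_version') and isinstance(stack.get('dotnet_version'), list):
        version = stack.get('dotnet_version')[0]
        verdict = self._version_verdict(version, supported_versions)
        if verdict is not None:
            return verdict
        self.evaluated_keys = ['site_config/[0]/application_stack/[0]/dotnet_version']
    # … unchanged: remainder of scan_resource_conf …

    @staticmethod
    def _version_verdict(version, supported_versions):
        """UNKNOWN for a non-string value, PASSED when it is a supported version, else None."""
        if not isinstance(version, str):
            return CheckResult.UNKNOWN
        return CheckResult.PASSED if version in supported_versions else None
```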
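Review bot: The `unknown` fixture is the only test-side change in the diffstat (2 files changed), so the pytest module that scans this directory, which lies outside this diff, receives a new `azurerm_windows_web_app.unknown` resource without any update to its expected resource sets or counts; if it asserts a resource count it will now differ, and if it does not, nothing in the suite asserts that this resource actually yields UNKNOWN rather than raising. An explicit assertion in that module for the UNKNOWN outcome would make the regression test real. The fixture comment could also state the expectation it encodes, e.g. `# UNKNOWN - dotnet_version is an object, not a string; CKV_AZURE_80 must return UNKNOWN instead of raising TypeError`. The hunk's trailing context runs into the `ignore` resource, which continues outside the hunk.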