From 9fc4f33a889bd8900216d3b4e868a7f56efcb3ef Mon Sep 17 00:00:00 2001 From: Artur Ribeiro Date: Fri, 17 May 2024 11:47:55 +0100 Subject: [PATCH 01/14] fix(query): apt-get Missing '-y' To Avoid Manual Input --- .../query.rego | 28 +++++++++---------- .../test/negative3.dockerfile | 3 ++ .../test/negative4.dockerfile | 3 ++ .../test/negative5.dockerfile | 3 ++ .../test/negative6.dockerfile | 3 ++ .../test/positive4.dockerfile | 3 ++ .../test/positive5.dockerfile | 3 ++ .../test/positive_expected_result.json | 24 ++++++++++++++++ 8 files changed, 56 insertions(+), 14 deletions(-) create mode 100644 assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/negative3.dockerfile create mode 100644 assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/negative4.dockerfile create mode 100644 assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/negative5.dockerfile create mode 100644 assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/negative6.dockerfile create mode 100644 assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/positive4.dockerfile create mode 100644 assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/positive5.dockerfile diff --git a/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/query.rego b/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/query.rego index 59e376a0799..3d300482219 100644 --- a/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/query.rego +++ b/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/query.rego 
@@ -18,7 +18,7 @@ CxPolicy[result] {
 "documentId": input.document[i].id,
 "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]),
 "issueType": "IncorrectValue",
- "keyExpectedValue": sprintf("{{%s}} sould avoid manual input", [resource.Original]),
+ "keyExpectedValue": sprintf("{{%s}} should avoid manual input", [resource.Original]),
 "keyActualValue": sprintf("{{%s}} doesn't avoid manual input", [resource.Original]),
 }
 }
@@ -32,14 +32,14 @@ CxPolicy[result] {
 dockerLib.arrayContains(resource.Value, {"apt-get", "install"})
 not avoidManualInputInList(resource.Value)
-
- result := {
- "documentId": input.document[i].id,
- "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]),
- "issueType": "IncorrectValue",
- "keyExpectedValue": sprintf("{{%s}} should avoid manual input", [resource.Original]),
- "keyActualValue": sprintf("{{%s}} doesn't avoid manual input", [resource.Original]),
- }
+
+ result := {
+ "documentId": input.document[i].id,
+ "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("{{%s}} should avoid manual input", [resource.Original]),
+ "keyActualValue": sprintf("{{%s}} doesn't avoid manual input", [resource.Original]),
+ }
 }
 isAptGet(command) {
@@ -47,19 +47,19 @@ isAptGet(command) {
 }
 avoidManualInputInList(command) {
- flags := ["-y", "yes", "--assumeyes", "-qy"]
-
+ flags := ["-y", "--yes", "--assume-yes", "-qy", "-q=2", "-qq"]
+
 contains(command[j], flags[x])
 }
 avoidManualInput(command) {
- regex.match("apt-get (-(-)?[a-zA-Z]+ *)*(-([A-Za-z])*y|-yes|--assumeyes) (-(-)?[a-zA-Z]+ *)*install", command)
+ regex.match("apt-get (-(-)?[a-zA-Z]+ *)*(-([A-Za-z])*y|--yes|-qq|-q=2|--assume-yes|(-q|--quiet)(.*(-q|--quiet)){1}) (-(-)?[a-zA-Z]+ *)*install", command)
 }
 avoidManualInput(command) {
- regex.match("apt-get (-(-)?[a-zA-Z]+ *)*install (-(-)?[a-zA-Z]+ *)*(-([A-Za-z])*y|-yes|--assumeyes)", command)
+ regex.match("apt-get (-(-)?[a-zA-Z]+ *)*install (-(-)?[a-zA-Z]+ *)*(-([A-Za-z])*y|--yes|-qq|-q=2|--assume-yes|(-q|--quiet)(.*(-q|--quiet)){1})", command)
 }
 avoidManualInput(command) {
- regex.match("apt-get (-(-)?[a-zA-Z]+ *)*install ([A-Za-z0-9\\W]+ *)*(-([A-Za-z])*y|-yes|--assumeyes)", command)
+ regex.match("apt-get (-(-)?[a-zA-Z]+ *)*install ([A-Za-z0-9\\W]+ *)*(-([A-Za-z])*y|--yes|-qq|-q=2|--assume-yes|(-q|--quiet)(.*(-q|--quiet)){1})", command)
 }
diff --git a/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/negative3.dockerfile b/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/negative3.dockerfile
new file mode 100644
index 00000000000..ee3affcd7d3
--- /dev/null
+++ b/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/negative3.dockerfile
@@ -0,0 +1,3 @@
+FROM node:12
+RUN apt-get --yes install apt-utils
+RUN ["sudo", "apt-get", "--yes" ,"install", "apt-utils"]
diff --git a/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/negative4.dockerfile b/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/negative4.dockerfile
new file mode 100644
index 00000000000..23f54b2d5f9
--- /dev/null
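Review bot: The widened `flags` list is still applied with the substring test `contains(command[j], flags[x])`, and the three `regex.match` patterns are unanchored, so an option-less `apt-get install python3-yaml` (exec or shell form) passes as non-interactive because the package name contains `-y`; restricting the exec-form check to option tokens, `startswith(command[j], "-")` followed by `contains(command[j], flags[x])`, closes that gap, and the regexes would need the same restriction to a `-`-prefixed token. Accepting `-qq` and `-q=2` as equivalent to `-y` agrees with the apt-get manual as I recall it (quiet level 2 implies `--assume-yes`), but that manual also warns against `-qq` without a no-action modifier such as `-s` or `-d`, so a comment on the `flags` line such as `# -qq / -q=2 set quiet level 2, which apt-get treats as --assume-yes` would tell the next reader why a quiet flag satisfies a prompt check. If apt-get accepts the long form `--quiet=2` as it does `-q=2`, that spelling is matched by neither the list nor the regexes and would still be reported.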
+++ b/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/negative4.dockerfile @@ -0,0 +1,3 @@ +FROM node:12 +RUN sudo apt-get -qq install apt-utils +RUN ["apt-get", "-qq", "install", "apt-utils"] diff --git a/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/negative5.dockerfile b/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/negative5.dockerfile new file mode 100644 index 00000000000..cd1c3445323 --- /dev/null +++ b/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/negative5.dockerfile @@ -0,0 +1,3 @@ +FROM node:12 +RUN apt-get --assume-yes install apt-utils +RUN ["sudo", "apt-get", "--assume-yes", "install", "apt-utils"] diff --git a/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/negative6.dockerfile b/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/negative6.dockerfile new file mode 100644 index 00000000000..052d18320f6 --- /dev/null +++ b/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/negative6.dockerfile @@ -0,0 +1,3 @@ +FROM node:12 +RUN sudo apt-get -q=2 install apt-utils +RUN ["apt-get", "-q=2", "install", "apt-utils"] \ No newline at end of file diff --git a/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/positive4.dockerfile b/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/positive4.dockerfile new file mode 100644 index 00000000000..ce8ce3d9425 --- /dev/null +++ b/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/positive4.dockerfile @@ -0,0 +1,3 @@ +FROM node:12 +RUN ["sudo", "apt-get", "-q" ,"install", "apt-utils"] +RUN sudo apt-get -q install apt-utils 
diff --git a/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/positive5.dockerfile b/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/positive5.dockerfile new file mode 100644 index 00000000000..1a53e550c5d --- /dev/null +++ b/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/positive5.dockerfile @@ -0,0 +1,3 @@ +FROM node:12 +RUN ["sudo", "apt-get", "--quiet", "install", "apt-utils"] +RUN sudo apt-get --quiet install apt-utils \ No newline at end of file diff --git a/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/positive_expected_result.json b/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/positive_expected_result.json index 4ea58870642..bb21050cf2b 100644 --- a/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/positive_expected_result.json +++ b/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/positive_expected_result.json @@ -40,5 +40,29 @@ "severity": "LOW", "line": 2, "filename": "positive3.dockerfile" + }, + { + "queryName": "APT-GET Missing '-y' To Avoid Manual Input", + "severity": "LOW", + "line": 2, + "filename": "positive4.dockerfile" + }, + { + "queryName": "APT-GET Missing '-y' To Avoid Manual Input", + "severity": "LOW", + "line": 3, + "filename": "positive4.dockerfile" + }, + { + "queryName": "APT-GET Missing '-y' To Avoid Manual Input", + "severity": "LOW", + "line": 3, + "filename": "positive5.dockerfile" + }, + { + "queryName": "APT-GET Missing '-y' To Avoid Manual Input", + "severity": "LOW", + "line": 2, + "filename": "positive5.dockerfile" } ] \ No newline at end of file From a198481d45cf5b355f24b0b59bd6a986f6f2425d Mon Sep 17 00:00:00 2001 
From: Artur Ribeiro Date: Fri, 17 May 2024 12:11:46 +0100 Subject: [PATCH 02/14] -q & --quiet positive test addition and positive expected results update --- .../test/positive6.dockerfile | 3 +++ .../test/positive7.dockerfile | 3 +++ .../test/positive_expected_result.json | 24 +++++++++++++++++++ 3 files changed, 30 insertions(+) create mode 100644 assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/positive6.dockerfile create mode 100644 assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/positive7.dockerfile diff --git a/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/positive6.dockerfile b/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/positive6.dockerfile new file mode 100644 index 00000000000..71265e1afdb --- /dev/null +++ b/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/positive6.dockerfile @@ -0,0 +1,3 @@ +FROM node:12 +RUN sudo apt-get --quiet install sl +RUN ["apt-get", "--quiet" ,"install", "apt-utils"] \ No newline at end of file diff --git a/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/positive7.dockerfile b/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/positive7.dockerfile new file mode 100644 index 00000000000..31a8b223f13 --- /dev/null +++ b/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/positive7.dockerfile @@ -0,0 +1,3 @@ +FROM node:12 +RUN sudo apt-get -q install sl +RUN ["apt-get", "-q", "install", "apt-utils"] \ No newline at end of file diff --git a/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/positive_expected_result.json b/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/positive_expected_result.json index bb21050cf2b..8942f32a2f5 100644 
--- a/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/positive_expected_result.json +++ b/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/positive_expected_result.json @@ -64,5 +64,29 @@ "severity": "LOW", "line": 2, "filename": "positive5.dockerfile" + }, + { + "queryName": "APT-GET Missing '-y' To Avoid Manual Input", + "severity": "LOW", + "line": 3, + "filename": "positive6.dockerfile" + }, + { + "queryName": "APT-GET Missing '-y' To Avoid Manual Input", + "severity": "LOW", + "line": 2, + "filename": "positive6.dockerfile" + }, + { + "queryName": "APT-GET Missing '-y' To Avoid Manual Input", + "severity": "LOW", + "line": 3, + "filename": "positive7.dockerfile" + }, + { + "queryName": "APT-GET Missing '-y' To Avoid Manual Input", + "severity": "LOW", + "line": 2, + "filename": "positive7.dockerfile" } ] \ No newline at end of file From af00f77698af46b0ac484f658dd0c0e135ced20a Mon Sep 17 00:00:00 2001 From: Artur Ribeiro Date: Fri, 17 May 2024 12:31:05 +0100 Subject: [PATCH 03/14] update main_test with bicepParser --- test/main_test.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/test/main_test.go b/test/main_test.go index 9cdebacd972..aeb5f05c69a 100644 --- a/test/main_test.go +++ b/test/main_test.go 
@@ -16,9 +16,9 @@ import (
 "github.com/Checkmarx/kics/v2/pkg/parser"
 ansibleConfigParser "github.com/Checkmarx/kics/v2/pkg/parser/ansible/ini/config"
 ansibleHostsParser "github.com/Checkmarx/kics/v2/pkg/parser/ansible/ini/hosts"
+ bicepParser "github.com/Checkmarx/kics/v2/pkg/parser/bicep"
 buildahParser "github.com/Checkmarx/kics/v2/pkg/parser/buildah"
- bicepParser "github.com/Checkmarx/kics/v2/pkg/parser/bicep"
- dockerParser "github.com/Checkmarx/kics/v2/pkg/parser/docker"
+ dockerParser "github.com/Checkmarx/kics/v2/pkg/parser/docker"
 protoParser "github.com/Checkmarx/kics/v2/pkg/parser/grpc"
 jsonParser "github.com/Checkmarx/kics/v2/pkg/parser/json"
 terraformParser "github.com/Checkmarx/kics/v2/pkg/parser/terraform"
From dfd15b171df35e047117e6af4bc405f798a3c203 Mon Sep 17 00:00:00 2001
From: Artur Ribeiro
Date: Fri, 17 May 2024 12:41:14 +0100
Subject: [PATCH 04/14] fix order issue
---
 test/main_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/test/main_test.go b/test/main_test.go
index aeb5f05c69a..18471cbe9c4 100644
--- a/test/main_test.go
+++ b/test/main_test.go
@@ -16,8 +16,8 @@ import (
 "github.com/Checkmarx/kics/v2/pkg/parser"
 ansibleConfigParser "github.com/Checkmarx/kics/v2/pkg/parser/ansible/ini/config"
 ansibleHostsParser "github.com/Checkmarx/kics/v2/pkg/parser/ansible/ini/hosts"
- bicepParser "github.com/Checkmarx/kics/v2/pkg/parser/bicep"
 buildahParser "github.com/Checkmarx/kics/v2/pkg/parser/buildah"
+ bicepParser "github.com/Checkmarx/kics/v2/pkg/parser/bicep"
 dockerParser "github.com/Checkmarx/kics/v2/pkg/parser/docker"
 protoParser "github.com/Checkmarx/kics/v2/pkg/parser/grpc"
 jsonParser "github.com/Checkmarx/kics/v2/pkg/parser/json"
From 91e698a409dcf0367b1a94d23ab53f859b3f2de8 Mon Sep 17 00:00:00 2001
From: Artur Ribeiro <153724638+ArturRibeiro-CX@users.noreply.github.com>
Date: Fri, 17 May 2024 13:27:11 +0100
Subject: [PATCH 05/14] Update main_test.go
From a0997b35f946bb99d166c5e73dd1e6f08446a74e Mon Sep 17 00:00:00 2001 From: Artur Ribeiro Date: Fri, 17 May 2024 17:05:21 +0100 Subject: [PATCH 06/14] update query name and description for better understanding --- .../metadata.json | 4 +-- .../test/positive_expected_result.json | 30 +++++++++---------- docs/queries/all-queries.md | 2 +- docs/queries/dockerfile-queries.md | 2 +- .../77783205-c4ca-4f80-bb80-c777f267c547.md | 4 +-- test/main_test.go | 6 ++-- 6 files changed, 24 insertions(+), 24 deletions(-) diff --git a/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/metadata.json b/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/metadata.json index cafea4d8aaf..3c51dab82b4 100644 --- a/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/metadata.json +++ b/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/metadata.json @@ -1,9 +1,9 @@ { "id": "77783205-c4ca-4f80-bb80-c777f267c547", - "queryName": "APT-GET Missing '-y' To Avoid Manual Input", + "queryName": "APT-GET Missing Flag To Avoid Manual Input", "severity": "LOW", "category": "Supply-Chain", - "descriptionText": "Check if apt-get calls use the flag -y to avoid user manual input.", + "descriptionText": "Check if apt-get calls use flags to avoid user manual input.", "descriptionUrl": "https://docs.docker.com/engine/reference/builder/#run", "platform": "Dockerfile", "descriptionID": "2064113b", diff --git a/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/positive_expected_result.json b/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/positive_expected_result.json index 8942f32a2f5..ead525e37e0 100644 --- a/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/positive_expected_result.json +++ b/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/positive_expected_result.json 
@@ -1,90 +1,90 @@ [ { - "queryName": "APT-GET Missing '-y' To Avoid Manual Input", + "queryName": "APT-GET Missing Flag To Avoid Manual Input", "severity": "LOW", "line": 2, "filename": "positive1.dockerfile" }, { - "queryName": "APT-GET Missing '-y' To Avoid Manual Input", + "queryName": "APT-GET Missing Flag To Avoid Manual Input", "severity": "LOW", "line": 3, "filename": "positive1.dockerfile" }, { - "queryName": "APT-GET Missing '-y' To Avoid Manual Input", + "queryName": "APT-GET Missing Flag To Avoid Manual Input", "severity": "LOW", "line": 4, "filename": "positive1.dockerfile" }, { - "queryName": "APT-GET Missing '-y' To Avoid Manual Input", + "queryName": "APT-GET Missing Flag To Avoid Manual Input", "severity": "LOW", "line": 2, "filename": "positive2.dockerfile" }, { - "queryName": "APT-GET Missing '-y' To Avoid Manual Input", + "queryName": "APT-GET Missing Flag To Avoid Manual Input", "severity": "LOW", "line": 3, "filename": "positive2.dockerfile" }, { - "queryName": "APT-GET Missing '-y' To Avoid Manual Input", + "queryName": "APT-GET Missing Flag To Avoid Manual Input", "severity": "LOW", "line": 4, "filename": "positive2.dockerfile" }, { - "queryName": "APT-GET Missing '-y' To Avoid Manual Input", + "queryName": "APT-GET Missing Flag To Avoid Manual Input", "severity": "LOW", "line": 2, "filename": "positive3.dockerfile" }, { - "queryName": "APT-GET Missing '-y' To Avoid Manual Input", + "queryName": "APT-GET Missing Flag To Avoid Manual Input", "severity": "LOW", "line": 2, "filename": "positive4.dockerfile" }, { - "queryName": "APT-GET Missing '-y' To Avoid Manual Input", + "queryName": "APT-GET Missing Flag To Avoid Manual Input", "severity": "LOW", "line": 3, "filename": "positive4.dockerfile" }, { - "queryName": "APT-GET Missing '-y' To Avoid Manual Input", + "queryName": "APT-GET Missing Flag To Avoid Manual Input", "severity": "LOW", "line": 3, "filename": "positive5.dockerfile" }, { - "queryName": "APT-GET Missing '-y' To Avoid Manual 
Input", + "queryName": "APT-GET Missing Flag To Avoid Manual Input", "severity": "LOW", "line": 2, "filename": "positive5.dockerfile" }, { - "queryName": "APT-GET Missing '-y' To Avoid Manual Input", + "queryName": "APT-GET Missing Flag To Avoid Manual Input", "severity": "LOW", "line": 3, "filename": "positive6.dockerfile" }, { - "queryName": "APT-GET Missing '-y' To Avoid Manual Input", + "queryName": "APT-GET Missing Flag To Avoid Manual Input", "severity": "LOW", "line": 2, "filename": "positive6.dockerfile" }, { - "queryName": "APT-GET Missing '-y' To Avoid Manual Input", + "queryName": "APT-GET Missing Flag To Avoid Manual Input", "severity": "LOW", "line": 3, "filename": "positive7.dockerfile" }, { - "queryName": "APT-GET Missing '-y' To Avoid Manual Input", + "queryName": "APT-GET Missing Flag To Avoid Manual Input", "severity": "LOW", "line": 2, "filename": "positive7.dockerfile" diff --git a/docs/queries/all-queries.md b/docs/queries/all-queries.md index 5b62f34a322..c3a2ee103eb 100644 --- a/docs/queries/all-queries.md +++ b/docs/queries/all-queries.md @@ -621,7 +621,7 @@ This page contains all queries. |WORKDIR Path Not Absolute
6b376af8-cfe8-49ab-a08d-f32de23661a4|Dockerfile|Low|Build Process|Query details
Documentation
| |Healthcheck Instruction Missing
b03a748a-542d-44f4-bb86-9199ab4fd2d5|Dockerfile|Low|Insecure Configurations|Query details
Documentation
| |Shell Running A Pipe Without Pipefail Flag
efbf148a-67e9-42d2-ac47-02fa1c0d0b22|Dockerfile|Low|Insecure Defaults|Query details
Documentation
| -|APT-GET Missing '-y' To Avoid Manual Input
77783205-c4ca-4f80-bb80-c777f267c547|Dockerfile|Low|Supply-Chain|Query details
Documentation
| +|APT-GET Missing Flag To Avoid Manual Input
77783205-c4ca-4f80-bb80-c777f267c547|Dockerfile|Low|Supply-Chain|Query details
Documentation
| |Missing Flag From Dnf Install
7ebd323c-31b7-4e5b-b26f-de5e9e477af8|Dockerfile|Low|Supply-Chain|Query details
Documentation
| |Run Using 'wget' and 'curl'
fc775e75-fcfb-4c98-b2f2-910c5858b359|Dockerfile|Low|Supply-Chain|Query details
Documentation
| |Run Using apt
b84a0b47-2e99-4c9f-8933-98bcabe2b94d|Dockerfile|Low|Supply-Chain|Query details
Documentation
| diff --git a/docs/queries/dockerfile-queries.md b/docs/queries/dockerfile-queries.md index 4afff5ac246..00cb05fe7ec 100644 --- a/docs/queries/dockerfile-queries.md +++ b/docs/queries/dockerfile-queries.md @@ -40,7 +40,7 @@ This page contains all queries from Dockerfile. |WORKDIR Path Not Absolute
6b376af8-cfe8-49ab-a08d-f32de23661a4|Low|Build Process|Query details
Documentation
| |Healthcheck Instruction Missing
b03a748a-542d-44f4-bb86-9199ab4fd2d5|Low|Insecure Configurations|Query details
Documentation
| |Shell Running A Pipe Without Pipefail Flag
efbf148a-67e9-42d2-ac47-02fa1c0d0b22|Low|Insecure Defaults|Query details
Documentation
| -|APT-GET Missing '-y' To Avoid Manual Input
77783205-c4ca-4f80-bb80-c777f267c547|Low|Supply-Chain|Query details
Documentation
| +|APT-GET Missing Flag To Avoid Manual Input
77783205-c4ca-4f80-bb80-c777f267c547|Low|Supply-Chain|Query details
Documentation
| |Missing Flag From Dnf Install
7ebd323c-31b7-4e5b-b26f-de5e9e477af8|Low|Supply-Chain|Query details
Documentation
| |Run Using 'wget' and 'curl'
fc775e75-fcfb-4c98-b2f2-910c5858b359|Low|Supply-Chain|Query details
Documentation
| |Run Using apt
b84a0b47-2e99-4c9f-8933-98bcabe2b94d|Low|Supply-Chain|Query details
Documentation
| diff --git a/docs/queries/dockerfile-queries/77783205-c4ca-4f80-bb80-c777f267c547.md b/docs/queries/dockerfile-queries/77783205-c4ca-4f80-bb80-c777f267c547.md index 7803cabb1da..cb2f258c8f1 100644 --- a/docs/queries/dockerfile-queries/77783205-c4ca-4f80-bb80-c777f267c547.md +++ b/docs/queries/dockerfile-queries/77783205-c4ca-4f80-bb80-c777f267c547.md @@ -1,5 +1,5 @@ --- -title: APT-GET Missing '-y' To Avoid Manual Input +title: APT-GET Missing Flag To Avoid Manual Input hide: toc: true navigation: true @@ -16,7 +16,7 @@ hide: - **Query id:** 77783205-c4ca-4f80-bb80-c777f267c547 -- **Query name:** APT-GET Missing '-y' To Avoid Manual Input +- **Query name:** APT-GET Missing Flag To Avoid Manual Input - **Platform:** Dockerfile - **Severity:** Low - **Category:** Supply-Chain diff --git a/test/main_test.go b/test/main_test.go index 18471cbe9c4..628d91a61bc 100644 --- a/test/main_test.go +++ b/test/main_test.go @@ -17,8 +17,8 @@ import ( ansibleConfigParser "github.com/Checkmarx/kics/v2/pkg/parser/ansible/ini/config" ansibleHostsParser "github.com/Checkmarx/kics/v2/pkg/parser/ansible/ini/hosts" buildahParser "github.com/Checkmarx/kics/v2/pkg/parser/buildah" - bicepParser "github.com/Checkmarx/kics/v2/pkg/parser/bicep" - dockerParser "github.com/Checkmarx/kics/v2/pkg/parser/docker" + bicepParser "github.com/Checkmarx/kics/v2/pkg/parser/bicep" + dockerParser "github.com/Checkmarx/kics/v2/pkg/parser/docker" protoParser "github.com/Checkmarx/kics/v2/pkg/parser/grpc" jsonParser "github.com/Checkmarx/kics/v2/pkg/parser/json" terraformParser "github.com/Checkmarx/kics/v2/pkg/parser/terraform" @@ -303,4 +303,4 @@ func getQueryFilter() *source.QueryInspectorParameters { ExcludeQueries: source.ExcludeQueries{ByIDs: []string{}, ByCategories: []string{}}, InputDataPath: "", } -} +} \ No newline at end of file From 13f106ef86fc9049bc988ce6087e8244c13edb00 Mon Sep 17 00:00:00 2001 
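Review bot: The new side of the `@@ -303,4 +303,4 @@` hunk in test/main_test.go drops the file's final newline (`\ No newline at end of file`), which `gofmt` will put straight back, and the import block in the `@@ -17,8 +17,8 @@` hunk above it keeps `buildahParser` ahead of `bicepParser` even though `goimports` sorts `.../parser/bicep` before `.../parser/buildah` (the order PATCH 03 had and PATCH 04 reverted). Running `gofmt`/`goimports` on the file once would settle both and end the whitespace churn across patches 03, 04 and 06; the `import (` block and `getQueryFilter` both start outside their hunks.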
From: Artur Ribeiro Date: Fri, 17 May 2024 17:26:31 +0100 Subject: [PATCH 07/14] addition of cloudProvider common as it is a required property of metadata.json --- .../apt_get_missing_yes_flag_to_avoid_manual_input/metadata.json | 1 + 1 file changed, 1 insertion(+) diff --git a/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/metadata.json b/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/metadata.json index 3c51dab82b4..b86b5c7418c 100644 --- a/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/metadata.json +++ b/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/metadata.json @@ -7,6 +7,7 @@ "descriptionUrl": "https://docs.docker.com/engine/reference/builder/#run", "platform": "Dockerfile", "descriptionID": "2064113b", + "cloudProvider": "common", "cwe": "710", "oldSeverity": "MEDIUM" } \ No newline at end of file From 9659e6a454afef52d79cfd53a10f84cf37f99b38 Mon Sep 17 00:00:00 2001 
From: Artur Ribeiro Date: Mon, 20 May 2024 09:45:07 +0100 Subject: [PATCH 08/14] change directory name and documentation to reflect query name change --- .../metadata.json | 0 .../query.rego | 29 ++++++++++++++----- .../test/negative1.dockerfile | 0 .../test/negative2.dockerfile | 0 .../test/negative3.dockerfile | 0 .../test/negative4.dockerfile | 0 .../test/negative5.dockerfile | 0 .../test/negative6.dockerfile | 0 .../test/positive1.dockerfile | 0 .../test/positive2.dockerfile | 0 .../test/positive3.dockerfile | 0 .../test/positive4.dockerfile | 0 .../test/positive5.dockerfile | 0 .../test/positive6.dockerfile | 0 .../test/positive7.dockerfile | 0 .../test/positive_expected_result.json | 0 .../77783205-c4ca-4f80-bb80-c777f267c547.md | 2 +- 17 files changed, 22 insertions(+), 9 deletions(-) rename assets/queries/dockerfile/{apt_get_missing_yes_flag_to_avoid_manual_input => apt_get_missing_flags_to_avoid_manual_input}/metadata.json (100%) rename assets/queries/dockerfile/{apt_get_missing_yes_flag_to_avoid_manual_input => apt_get_missing_flags_to_avoid_manual_input}/query.rego (71%) rename assets/queries/dockerfile/{apt_get_missing_yes_flag_to_avoid_manual_input => apt_get_missing_flags_to_avoid_manual_input}/test/negative1.dockerfile (100%) rename assets/queries/dockerfile/{apt_get_missing_yes_flag_to_avoid_manual_input => apt_get_missing_flags_to_avoid_manual_input}/test/negative2.dockerfile (100%) rename assets/queries/dockerfile/{apt_get_missing_yes_flag_to_avoid_manual_input => apt_get_missing_flags_to_avoid_manual_input}/test/negative3.dockerfile (100%) rename assets/queries/dockerfile/{apt_get_missing_yes_flag_to_avoid_manual_input => apt_get_missing_flags_to_avoid_manual_input}/test/negative4.dockerfile (100%) rename assets/queries/dockerfile/{apt_get_missing_yes_flag_to_avoid_manual_input => apt_get_missing_flags_to_avoid_manual_input}/test/negative5.dockerfile (100%) rename assets/queries/dockerfile/{apt_get_missing_yes_flag_to_avoid_manual_input => 
apt_get_missing_flags_to_avoid_manual_input}/test/negative6.dockerfile (100%) rename assets/queries/dockerfile/{apt_get_missing_yes_flag_to_avoid_manual_input => apt_get_missing_flags_to_avoid_manual_input}/test/positive1.dockerfile (100%) rename assets/queries/dockerfile/{apt_get_missing_yes_flag_to_avoid_manual_input => apt_get_missing_flags_to_avoid_manual_input}/test/positive2.dockerfile (100%) rename assets/queries/dockerfile/{apt_get_missing_yes_flag_to_avoid_manual_input => apt_get_missing_flags_to_avoid_manual_input}/test/positive3.dockerfile (100%) rename assets/queries/dockerfile/{apt_get_missing_yes_flag_to_avoid_manual_input => apt_get_missing_flags_to_avoid_manual_input}/test/positive4.dockerfile (100%) rename assets/queries/dockerfile/{apt_get_missing_yes_flag_to_avoid_manual_input => apt_get_missing_flags_to_avoid_manual_input}/test/positive5.dockerfile (100%) rename assets/queries/dockerfile/{apt_get_missing_yes_flag_to_avoid_manual_input => apt_get_missing_flags_to_avoid_manual_input}/test/positive6.dockerfile (100%) rename assets/queries/dockerfile/{apt_get_missing_yes_flag_to_avoid_manual_input => apt_get_missing_flags_to_avoid_manual_input}/test/positive7.dockerfile (100%) rename assets/queries/dockerfile/{apt_get_missing_yes_flag_to_avoid_manual_input => apt_get_missing_flags_to_avoid_manual_input}/test/positive_expected_result.json (100%) diff --git a/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/metadata.json b/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/metadata.json similarity index 100% rename from assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/metadata.json rename to assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/metadata.json 
diff --git a/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/query.rego b/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/query.rego
similarity index 71%
rename from assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/query.rego
rename to assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/query.rego
index 3d300482219..df195c6d518 100644
--- a/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/query.rego
+++ b/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/query.rego
@@ -1,6 +1,7 @@
 package Cx
 import data.generic.dockerfile as dockerLib
+import future.keywords
 CxPolicy[result] {
 resource := input.document[i].command[name][_]
@@ -24,15 +25,15 @@ CxPolicy[result] {
- resource := input.document[i].command[name][_]
- resource.Cmd == "run"
+ resource := input.document[i].command[name][_]
+ resource.Cmd == "run"
- count(resource.Value) > 1
+ count(resource.Value) > 1
- dockerLib.arrayContains(resource.Value, {"apt-get", "install"})
+ dockerLib.arrayContains(resource.Value, {"apt-get", "install"})
- not avoidManualInputInList(resource.Value)
-
+ not avoidManualInputInList(resource.Value)
+
 result := {
 "documentId": input.document[i].id,
 "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]),
@@ -47,9 +48,21 @@ isAptGet(command) {
 }
 avoidManualInputInList(command) {
- flags := ["-y", "--yes", "--assume-yes", "-qy", "-q=2", "-qq"]
+ flags := ["-y", "--yes", "--assume-yes", "-qy", "-q=2", "-qq"]
+ flagq := ["-q"]
+ flagquiet := ["--quiet"]
+ numberquiet := 1
+
+ flagfound := contains(command[_], flags[_])
+ quiet_count := count([1 | i := numbers.range(0, count(command) - 1); command[i] == flagquiet])
+ quietflag := quiet_count >= numberquiet
- contains(command[j], flags[x])
+ checkBoolean(flagfound, quietflag)
+}
+
+checkBoolean(flag1, flag2) {
+ flag1
+ not flag2
 }
 avoidManualInput(command) {
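Review bot: The quiet-level logic added to `avoidManualInputInList` is dead code: `command[i] == flagquiet` compares a string token with the one-element array `["--quiet"]`, and `i := numbers.range(0, count(command) - 1)` binds `i` to the whole range array instead of iterating it, so as far as I can tell `quiet_count` is always 0, `quietflag` is always false, and `checkBoolean(flagfound, quietflag)` reduces to the original `contains` check (`flagq` is unused, and nothing in these hunks uses the `in`/`every`/`if` keywords that the new `import future.keywords` enables). Even with the comparison fixed, `not flag2` would reject a correct `apt-get --yes --quiet install ...`, the opposite of what this query is for. I would drop the counting and instead stop the substring match from finding `-y` inside package names such as `python3-yaml`, as sketched below; `avoidManualInput`, whose header closes the hunk, continues outside it. In the same patch but a different file, the docs page now links `.../apt_get_missing_flag_to_avoid_manual_input` while the directory is renamed to `apt_get_missing_flags_to_avoid_manual_input`, and its description still reads "use the flag -y" although metadata.json was changed to "use flags" in PATCH 06.
```rego
avoidManualInputInList(command) {
	# Only option tokens count: a package name such as "python3-yaml" must not satisfy "-y".
	flags := ["-y", "--yes", "--assume-yes", "-qy", "-q=2", "-qq"]
	token := command[_]
	startswith(token, "-")
	contains(token, flags[_])
}
# … checkBoolean removed: an assume-yes flag is sufficient whether or not --quiet is present …
```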
diff --git a/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/negative1.dockerfile b/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/negative1.dockerfile similarity index 100% rename from assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/negative1.dockerfile rename to assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/negative1.dockerfile diff --git a/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/negative2.dockerfile b/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/negative2.dockerfile similarity index 100% rename from assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/negative2.dockerfile rename to assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/negative2.dockerfile diff --git a/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/negative3.dockerfile b/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/negative3.dockerfile similarity index 100% rename from assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/negative3.dockerfile rename to assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/negative3.dockerfile diff --git a/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/negative4.dockerfile b/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/negative4.dockerfile similarity index 100% rename from assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/negative4.dockerfile rename to assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/negative4.dockerfile 
diff --git a/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/negative5.dockerfile b/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/negative5.dockerfile similarity index 100% rename from assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/negative5.dockerfile rename to assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/negative5.dockerfile diff --git a/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/negative6.dockerfile b/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/negative6.dockerfile similarity index 100% rename from assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/negative6.dockerfile rename to assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/negative6.dockerfile diff --git a/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/positive1.dockerfile b/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/positive1.dockerfile similarity index 100% rename from assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/positive1.dockerfile rename to assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/positive1.dockerfile diff --git a/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/positive2.dockerfile b/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/positive2.dockerfile similarity index 100% rename from assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/positive2.dockerfile rename to assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/positive2.dockerfile 
diff --git a/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/positive3.dockerfile b/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/positive3.dockerfile
similarity index 100%
rename from assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/positive3.dockerfile
rename to assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/positive3.dockerfile
diff --git a/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/positive4.dockerfile b/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/positive4.dockerfile
similarity index 100%
rename from assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/positive4.dockerfile
rename to assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/positive4.dockerfile
diff --git a/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/positive5.dockerfile b/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/positive5.dockerfile
similarity index 100%
rename from assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/positive5.dockerfile
rename to assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/positive5.dockerfile
diff --git a/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/positive6.dockerfile b/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/positive6.dockerfile
similarity index 100%
rename from assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/positive6.dockerfile
rename to assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/positive6.dockerfile
diff --git a/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/positive7.dockerfile b/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/positive7.dockerfile
similarity index 100%
rename from assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/positive7.dockerfile
rename to assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/positive7.dockerfile
diff --git a/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/positive_expected_result.json b/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/positive_expected_result.json
rename to assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/positive_expected_result.json
diff --git a/docs/queries/dockerfile-queries/77783205-c4ca-4f80-bb80-c777f267c547.md b/docs/queries/dockerfile-queries/77783205-c4ca-4f80-bb80-c777f267c547.md
index cb2f258c8f1..72a9417c0a8 100644
--- a/docs/queries/dockerfile-queries/77783205-c4ca-4f80-bb80-c777f267c547.md
+++ b/docs/queries/dockerfile-queries/77783205-c4ca-4f80-bb80-c777f267c547.md
@@ -20,7 +20,7 @@ hide:
 - **Platform:** Dockerfile
 - **Severity:** Low
 - **Category:** Supply-Chain
-- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input)
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/dockerfile/apt_get_missing_flag_to_avoid_manual_input)
 
 ### Description
 Check if apt-get calls use the flag -y to avoid user manual input.
From b5f416355e57f64058b329f4de64a2fc64c744a4 Mon Sep 17 00:00:00 2001 
From: Artur Ribeiro Date: Mon, 20 May 2024 09:46:10 +0100 Subject: [PATCH 09/14] change directory name and documentation to reflect query name change --- .../metadata.json | 0 .../test/negative1.dockerfile | 0 .../test/negative2.dockerfile | 0 .../test/negative3.dockerfile | 0 .../test/negative4.dockerfile | 0 .../test/negative5.dockerfile | 0 .../test/negative6.dockerfile | 0 .../test/positive1.dockerfile | 0 .../test/positive2.dockerfile | 0 .../test/positive3.dockerfile | 0 .../test/positive4.dockerfile | 0 .../test/positive5.dockerfile | 0 .../test/positive6.dockerfile | 0 .../test/positive7.dockerfile | 0 .../test/positive_expected_result.json | 0 .../query.rego | 65 ------------------- .../77783205-c4ca-4f80-bb80-c777f267c547.md | 2 +- 17 files changed, 1 insertion(+), 66 deletions(-) rename assets/queries/dockerfile/{apt_get_missing_yes_flag_to_avoid_manual_input => apt_get_missing_flags_to_avoid_manual_input}/metadata.json (100%) rename assets/queries/dockerfile/{apt_get_missing_yes_flag_to_avoid_manual_input => apt_get_missing_flags_to_avoid_manual_input}/test/negative1.dockerfile (100%) rename assets/queries/dockerfile/{apt_get_missing_yes_flag_to_avoid_manual_input => apt_get_missing_flags_to_avoid_manual_input}/test/negative2.dockerfile (100%) rename assets/queries/dockerfile/{apt_get_missing_yes_flag_to_avoid_manual_input => apt_get_missing_flags_to_avoid_manual_input}/test/negative3.dockerfile (100%) rename assets/queries/dockerfile/{apt_get_missing_yes_flag_to_avoid_manual_input => apt_get_missing_flags_to_avoid_manual_input}/test/negative4.dockerfile (100%) rename assets/queries/dockerfile/{apt_get_missing_yes_flag_to_avoid_manual_input => apt_get_missing_flags_to_avoid_manual_input}/test/negative5.dockerfile (100%) rename assets/queries/dockerfile/{apt_get_missing_yes_flag_to_avoid_manual_input => apt_get_missing_flags_to_avoid_manual_input}/test/negative6.dockerfile (100%) rename 
assets/queries/dockerfile/{apt_get_missing_yes_flag_to_avoid_manual_input => apt_get_missing_flags_to_avoid_manual_input}/test/positive1.dockerfile (100%) rename assets/queries/dockerfile/{apt_get_missing_yes_flag_to_avoid_manual_input => apt_get_missing_flags_to_avoid_manual_input}/test/positive2.dockerfile (100%) rename assets/queries/dockerfile/{apt_get_missing_yes_flag_to_avoid_manual_input => apt_get_missing_flags_to_avoid_manual_input}/test/positive3.dockerfile (100%) rename assets/queries/dockerfile/{apt_get_missing_yes_flag_to_avoid_manual_input => apt_get_missing_flags_to_avoid_manual_input}/test/positive4.dockerfile (100%) rename assets/queries/dockerfile/{apt_get_missing_yes_flag_to_avoid_manual_input => apt_get_missing_flags_to_avoid_manual_input}/test/positive5.dockerfile (100%) rename assets/queries/dockerfile/{apt_get_missing_yes_flag_to_avoid_manual_input => apt_get_missing_flags_to_avoid_manual_input}/test/positive6.dockerfile (100%) rename assets/queries/dockerfile/{apt_get_missing_yes_flag_to_avoid_manual_input => apt_get_missing_flags_to_avoid_manual_input}/test/positive7.dockerfile (100%) rename assets/queries/dockerfile/{apt_get_missing_yes_flag_to_avoid_manual_input => apt_get_missing_flags_to_avoid_manual_input}/test/positive_expected_result.json (100%) delete mode 100644 assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/query.rego diff --git a/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/metadata.json b/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/metadata.json similarity index 100% rename from assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/metadata.json rename to assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/metadata.json 
diff --git a/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/negative1.dockerfile b/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/negative1.dockerfile
similarity index 100%
rename from assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/negative1.dockerfile
rename to assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/negative1.dockerfile
diff --git a/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/negative2.dockerfile b/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/negative2.dockerfile
similarity index 100%
rename from assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/negative2.dockerfile
rename to assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/negative2.dockerfile
diff --git a/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/negative3.dockerfile b/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/negative3.dockerfile
similarity index 100%
rename from assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/negative3.dockerfile
rename to assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/negative3.dockerfile
diff --git a/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/negative4.dockerfile b/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/negative4.dockerfile
similarity index 100%
rename from assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/negative4.dockerfile
rename to assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/negative4.dockerfile
diff --git a/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/negative5.dockerfile b/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/negative5.dockerfile
similarity index 100%
rename from assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/negative5.dockerfile
rename to assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/negative5.dockerfile
diff --git a/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/negative6.dockerfile b/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/negative6.dockerfile
similarity index 100%
rename from assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/negative6.dockerfile
rename to assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/negative6.dockerfile
diff --git a/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/positive1.dockerfile b/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/positive1.dockerfile
similarity index 100%
rename from assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/positive1.dockerfile
rename to assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/positive1.dockerfile
diff --git a/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/positive2.dockerfile b/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/positive2.dockerfile
similarity index 100%
rename from assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/positive2.dockerfile
rename to assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/positive2.dockerfile
diff --git a/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/positive3.dockerfile b/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/positive3.dockerfile
similarity index 100%
rename from assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/positive3.dockerfile
rename to assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/positive3.dockerfile
diff --git a/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/positive4.dockerfile b/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/positive4.dockerfile
similarity index 100%
rename from assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/positive4.dockerfile
rename to assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/positive4.dockerfile
diff --git a/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/positive5.dockerfile b/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/positive5.dockerfile
similarity index 100%
rename from assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/positive5.dockerfile
rename to assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/positive5.dockerfile
diff --git a/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/positive6.dockerfile b/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/positive6.dockerfile
similarity index 100%
rename from assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/positive6.dockerfile
rename to assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/positive6.dockerfile
diff --git a/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/positive7.dockerfile b/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/positive7.dockerfile
similarity index 100%
rename from assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/positive7.dockerfile
rename to assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/positive7.dockerfile
diff --git a/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/positive_expected_result.json b/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/test/positive_expected_result.json
rename to assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/positive_expected_result.json
diff --git a/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/query.rego b/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/query.rego
deleted file mode 100644
index 3d300482219..00000000000
--- a/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input/query.rego
+++ /dev/null
@@ -1,65 +0,0 @@
-package Cx
-
-import data.generic.dockerfile as dockerLib
-
-CxPolicy[result] {
- resource := input.document[i].command[name][_]
- resource.Cmd == "run"
-
- count(resource.Value) == 1
-
- commands := resource.Value[j]
- command := dockerLib.getCommands(commands)[_]
- isAptGet(command)
-
- not avoidManualInput(command)
-
- result := {
- "documentId": input.document[i].id,
- "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]),
- "issueType": "IncorrectValue",
- "keyExpectedValue": sprintf("{{%s}} should avoid manual input", [resource.Original]),
- "keyActualValue": sprintf("{{%s}} doesn't avoid manual input", [resource.Original]),
- }
-}
-
-CxPolicy[result] {
- resource := input.document[i].command[name][_]
- resource.Cmd == "run"
-
- count(resource.Value) > 1
-
- dockerLib.arrayContains(resource.Value, {"apt-get", "install"})
-
- not avoidManualInputInList(resource.Value)
-
- result := {
- "documentId": input.document[i].id,
- "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]),
- "issueType": "IncorrectValue",
- "keyExpectedValue": sprintf("{{%s}} should avoid manual input", [resource.Original]),
- "keyActualValue": sprintf("{{%s}} doesn't avoid manual input", [resource.Original]),
- }
-}
-
-isAptGet(command) {
- regex.match("apt-get (-(-)?[a-zA-Z]+ *)*install", command)
-}
-
-avoidManualInputInList(command) {
- flags := ["-y", "--yes", "--assume-yes", "-qy", "-q=2", "-qq"]
-
- contains(command[j], flags[x])
-}
-
-avoidManualInput(command) {
- regex.match("apt-get (-(-)?[a-zA-Z]+ *)*(-([A-Za-z])*y|--yes|-qq|-q=2|--assume-yes|(-q|--quiet)(.*(-q|--quiet)){1}) (-(-)?[a-zA-Z]+ *)*install", command)
-}
-
-avoidManualInput(command) {
- regex.match("apt-get (-(-)?[a-zA-Z]+ *)*install (-(-)?[a-zA-Z]+ *)*(-([A-Za-z])*y|--yes|-qq|-q=2|--assume-yes|(-q|--quiet)(.*(-q|--quiet)){1})", command)
-}
-
-avoidManualInput(command) {
- regex.match("apt-get (-(-)?[a-zA-Z]+ *)*install ([A-Za-z0-9\\W]+ 
*)*(-([A-Za-z])*y|--yes|-qq|-q=2|--assume-yes|(-q|--quiet)(.*(-q|--quiet)){1})", command)
-}
diff --git a/docs/queries/dockerfile-queries/77783205-c4ca-4f80-bb80-c777f267c547.md b/docs/queries/dockerfile-queries/77783205-c4ca-4f80-bb80-c777f267c547.md
index cb2f258c8f1..72a9417c0a8 100644
--- a/docs/queries/dockerfile-queries/77783205-c4ca-4f80-bb80-c777f267c547.md
+++ b/docs/queries/dockerfile-queries/77783205-c4ca-4f80-bb80-c777f267c547.md
@@ -20,7 +20,7 @@ hide:
 - **Platform:** Dockerfile
 - **Severity:** Low
 - **Category:** Supply-Chain
-- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input)
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/dockerfile/apt_get_missing_flag_to_avoid_manual_input)
 
 ### Description
 Check if apt-get calls use the flag -y to avoid user manual input.
From b73e4c4e028d0c1dda8603d7db49b8a86d1407b5 Mon Sep 17 00:00:00 2001
From: Artur Ribeiro
Date: Mon, 20 May 2024 09:50:48 +0100
Subject: [PATCH 10/14] fix rego query changes
---
.../query.rego | 66 +++++++++++++++++++
1 file changed, 66 insertions(+)
create mode 100644 assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/query.rego
diff --git a/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/query.rego b/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/query.rego
new file mode 100644
index 00000000000..b9b247396d4
--- /dev/null
+++ b/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/query.rego
@@ -0,0 +1,66 @@
+package Cx
+
+import data.generic.dockerfile as dockerLib
+import future.keywords
+
+CxPolicy[result] {
+ resource := input.document[i].command[name][_]
+ resource.Cmd == "run"
+
+ count(resource.Value) == 1
+
+ commands := resource.Value[j]
+ command := dockerLib.getCommands(commands)[_]
+ isAptGet(command)
+
+ not avoidManualInput(command)
+
+ result := {
+ "documentId": input.document[i].id,
+ "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("{{%s}} should avoid manual input", [resource.Original]),
+ "keyActualValue": sprintf("{{%s}} doesn't avoid manual input", [resource.Original]),
+ }
+}
+
+CxPolicy[result] {
+ resource := input.document[i].command[name][_]
+ resource.Cmd == "run"
+
+ count(resource.Value) > 1
+
+ dockerLib.arrayContains(resource.Value, {"apt-get", "install"})
+
+ not avoidManualInputInList(resource.Value)
+
+ result := {
+ "documentId": input.document[i].id,
+ "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("{{%s}} should avoid manual input", [resource.Original]),
+ "keyActualValue": sprintf("{{%s}} doesn't avoid manual input", [resource.Original]),
+ }
+}
+
+isAptGet(command) {
+ regex.match("apt-get (-(-)?[a-zA-Z]+ *)*install", command)
+}
+
+avoidManualInputInList(command) {
+ flags := ["-y", "yes", "--assumeyes", "-qy"]
+
+ contains(command[j], flags[x])
+}
+
+avoidManualInput(command) {
+ regex.match("apt-get (-(-)?[a-zA-Z]+ *)*(-([A-Za-z])*y|--yes|-qq|-q=2|--assume-yes|(-q|--quiet)(.*(-q|--quiet)){1}) (-(-)?[a-zA-Z]+ *)*install", command)
+}
+
+avoidManualInput(command) {
+ regex.match("apt-get (-(-)?[a-zA-Z]+ *)*install (-(-)?[a-zA-Z]+ *)*(-([A-Za-z])*y|--yes|-qq|-q=2|--assume-yes|(-q|--quiet)(.*(-q|--quiet)){1})", command)
+}
+
+avoidManualInput(command) {
+ regex.match("apt-get (-(-)?[a-zA-Z]+ *)*install ([A-Za-z0-9\\W]+ 
*)*(-([A-Za-z])*y|--yes|-qq|-q=2|--assume-yes|(-q|--quiet)(.*(-q|--quiet)){1})", command)
+}
From a5dec38c9471b89105844521fc4a79844aa8b8a1 Mon Sep 17 00:00:00 2001
From: Artur Ribeiro
Date: Mon, 20 May 2024 09:58:35 +0100
Subject: [PATCH 11/14] query name change from flag to flags
---
.../metadata.json | 2 +-
.../test/positive_expected_result.json | 30 +++++++++----------
docs/queries/all-queries.md | 2 +-
docs/queries/dockerfile-queries.md | 2 +-
.../77783205-c4ca-4f80-bb80-c777f267c547.md | 4 +--
5 files changed, 20 insertions(+), 20 deletions(-)
diff --git a/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/metadata.json b/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/metadata.json
index b86b5c7418c..f27b58060d7 100644
--- a/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/metadata.json
+++ b/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/metadata.json
@@ -1,6 +1,6 @@
 {
 "id": "77783205-c4ca-4f80-bb80-c777f267c547",
- "queryName": "APT-GET Missing Flag To Avoid Manual Input",
+ "queryName": "APT-GET Missing Flags To Avoid Manual Input",
 "severity": "LOW",
 "category": "Supply-Chain",
 "descriptionText": "Check if apt-get calls use flags to avoid user manual input.",
diff --git a/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/positive_expected_result.json b/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/positive_expected_result.json
index ead525e37e0..eb501cf7739 100644
--- a/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/positive_expected_result.json
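Review bot: `avoidManualInputInList` in the new file relies on substring matching, so `contains(command[j], flags[x])` accepts any exec-form token that merely contains `-y` — a token like the package name `python3-yaml` would satisfy it — and the bare `"yes"` entry accepts any token containing that string; the effect is a missed finding rather than a false positive. Comparing tokens exactly, `command[_] == flags[_]`, or at least requiring the match to begin at a leading `-`, would close that gap. The flag list also regressed against the file deleted in PATCH 09: `--yes`, `--assume-yes`, `-q=2` and `-qq` are gone and `--assumeyes` is not an apt-get spelling (apt-get uses `--assume-yes`); PATCH 12 in this series restores the longer list but keeps the substring match. The regex rules `isAptGet` and the three `avoidManualInput` bodies carry no comment saying which flag spellings they accept; a one-line comment above each listing the accepted forms (`-y`, `--yes`, `--assume-yes`, `-qq`, `-q=2`, or two `-q`/`--quiet`) would make list changes like the one above easier to review.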
@@ -1,90 +1,90 @@ [ { - "queryName": "APT-GET Missing Flag To Avoid Manual Input", + "queryName": "APT-GET Missing Flags To Avoid Manual Input", "severity": "LOW", "line": 2, "filename": "positive1.dockerfile" }, { - "queryName": "APT-GET Missing Flag To Avoid Manual Input", + "queryName": "APT-GET Missing Flags To Avoid Manual Input", "severity": "LOW", "line": 3, "filename": "positive1.dockerfile" }, { - "queryName": "APT-GET Missing Flag To Avoid Manual Input", + "queryName": "APT-GET Missing Flags To Avoid Manual Input", "severity": "LOW", "line": 4, "filename": "positive1.dockerfile" }, { - "queryName": "APT-GET Missing Flag To Avoid Manual Input", + "queryName": "APT-GET Missing Flags To Avoid Manual Input", "severity": "LOW", "line": 2, "filename": "positive2.dockerfile" }, { - "queryName": "APT-GET Missing Flag To Avoid Manual Input", + "queryName": "APT-GET Missing Flags To Avoid Manual Input", "severity": "LOW", "line": 3, "filename": "positive2.dockerfile" }, { - "queryName": "APT-GET Missing Flag To Avoid Manual Input", + "queryName": "APT-GET Missing Flags To Avoid Manual Input", "severity": "LOW", "line": 4, "filename": "positive2.dockerfile" }, { - "queryName": "APT-GET Missing Flag To Avoid Manual Input", + "queryName": "APT-GET Missing Flags To Avoid Manual Input", "severity": "LOW", "line": 2, "filename": "positive3.dockerfile" }, { - "queryName": "APT-GET Missing Flag To Avoid Manual Input", + "queryName": "APT-GET Missing Flags To Avoid Manual Input", "severity": "LOW", "line": 2, "filename": "positive4.dockerfile" }, { - "queryName": "APT-GET Missing Flag To Avoid Manual Input", + "queryName": "APT-GET Missing Flags To Avoid Manual Input", "severity": "LOW", "line": 3, "filename": "positive4.dockerfile" }, { - "queryName": "APT-GET Missing Flag To Avoid Manual Input", + "queryName": "APT-GET Missing Flags To Avoid Manual Input", "severity": "LOW", "line": 3, "filename": "positive5.dockerfile" }, { - "queryName": "APT-GET Missing Flag To Avoid 
Manual Input", + "queryName": "APT-GET Missing Flags To Avoid Manual Input", "severity": "LOW", "line": 2, "filename": "positive5.dockerfile" }, { - "queryName": "APT-GET Missing Flag To Avoid Manual Input", + "queryName": "APT-GET Missing Flags To Avoid Manual Input", "severity": "LOW", "line": 3, "filename": "positive6.dockerfile" }, { - "queryName": "APT-GET Missing Flag To Avoid Manual Input", + "queryName": "APT-GET Missing Flags To Avoid Manual Input", "severity": "LOW", "line": 2, "filename": "positive6.dockerfile" }, { - "queryName": "APT-GET Missing Flag To Avoid Manual Input", + "queryName": "APT-GET Missing Flags To Avoid Manual Input", "severity": "LOW", "line": 3, "filename": "positive7.dockerfile" }, { - "queryName": "APT-GET Missing Flag To Avoid Manual Input", + "queryName": "APT-GET Missing Flags To Avoid Manual Input", "severity": "LOW", "line": 2, "filename": "positive7.dockerfile" diff --git a/docs/queries/all-queries.md b/docs/queries/all-queries.md index c3a2ee103eb..c790ed7bdc2 100644 --- a/docs/queries/all-queries.md +++ b/docs/queries/all-queries.md @@ -621,7 +621,7 @@ This page contains all queries. |WORKDIR Path Not Absolute
6b376af8-cfe8-49ab-a08d-f32de23661a4|Dockerfile|Low|Build Process|Query details
Documentation
| |Healthcheck Instruction Missing
b03a748a-542d-44f4-bb86-9199ab4fd2d5|Dockerfile|Low|Insecure Configurations|Query details
Documentation
| |Shell Running A Pipe Without Pipefail Flag
efbf148a-67e9-42d2-ac47-02fa1c0d0b22|Dockerfile|Low|Insecure Defaults|Query details
Documentation
| -|APT-GET Missing Flag To Avoid Manual Input
77783205-c4ca-4f80-bb80-c777f267c547|Dockerfile|Low|Supply-Chain|Query details
Documentation
| +|APT-GET Missing Flags To Avoid Manual Input
77783205-c4ca-4f80-bb80-c777f267c547|Dockerfile|Low|Supply-Chain|Query details
Documentation
| |Missing Flag From Dnf Install
7ebd323c-31b7-4e5b-b26f-de5e9e477af8|Dockerfile|Low|Supply-Chain|Query details
Documentation
| |Run Using 'wget' and 'curl'
fc775e75-fcfb-4c98-b2f2-910c5858b359|Dockerfile|Low|Supply-Chain|Query details
Documentation
| |Run Using apt
b84a0b47-2e99-4c9f-8933-98bcabe2b94d|Dockerfile|Low|Supply-Chain|Query details
Documentation
| diff --git a/docs/queries/dockerfile-queries.md b/docs/queries/dockerfile-queries.md index 00cb05fe7ec..3dd267be650 100644 --- a/docs/queries/dockerfile-queries.md +++ b/docs/queries/dockerfile-queries.md @@ -40,7 +40,7 @@ This page contains all queries from Dockerfile. |WORKDIR Path Not Absolute
6b376af8-cfe8-49ab-a08d-f32de23661a4|Low|Build Process|Query details
Documentation
| |Healthcheck Instruction Missing
b03a748a-542d-44f4-bb86-9199ab4fd2d5|Low|Insecure Configurations|Query details
Documentation
| |Shell Running A Pipe Without Pipefail Flag
efbf148a-67e9-42d2-ac47-02fa1c0d0b22|Low|Insecure Defaults|Query details
Documentation
| -|APT-GET Missing Flag To Avoid Manual Input
77783205-c4ca-4f80-bb80-c777f267c547|Low|Supply-Chain|Query details
Documentation
| +|APT-GET Missing Flags To Avoid Manual Input
77783205-c4ca-4f80-bb80-c777f267c547|Low|Supply-Chain|Query details
Documentation
| |Missing Flag From Dnf Install
7ebd323c-31b7-4e5b-b26f-de5e9e477af8|Low|Supply-Chain|Query details
Documentation
| |Run Using 'wget' and 'curl'
fc775e75-fcfb-4c98-b2f2-910c5858b359|Low|Supply-Chain|Query details
Documentation
| |Run Using apt
b84a0b47-2e99-4c9f-8933-98bcabe2b94d|Low|Supply-Chain|Query details
Documentation
| diff --git a/docs/queries/dockerfile-queries/77783205-c4ca-4f80-bb80-c777f267c547.md b/docs/queries/dockerfile-queries/77783205-c4ca-4f80-bb80-c777f267c547.md index 72a9417c0a8..2fe23796c42 100644 --- a/docs/queries/dockerfile-queries/77783205-c4ca-4f80-bb80-c777f267c547.md +++ b/docs/queries/dockerfile-queries/77783205-c4ca-4f80-bb80-c777f267c547.md @@ -16,11 +16,11 @@ hide: - **Query id:** 77783205-c4ca-4f80-bb80-c777f267c547 -- **Query name:** APT-GET Missing Flag To Avoid Manual Input +- **Query name:** APT-GET Missing Flags To Avoid Manual Input - **Platform:** Dockerfile - **Severity:** Low - **Category:** Supply-Chain -- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/dockerfile/apt_get_missing_flag_to_avoid_manual_input) +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input) ### Description Check if apt-get calls use the flag -y to avoid user manual input.
From e1712f909a47bcdc59dba17a89708ceea2ace3b0 Mon Sep 17 00:00:00 2001
From: Artur Ribeiro
Date: Mon, 20 May 2024 12:27:58 +0100
Subject: [PATCH 12/14] fix false positive for --quiet or -q flags for manual input
---
.../query.rego | 10 +++++++---
teste/negative7.dockerfile | 3 +++
teste/negative8.dockerfile | 3 +++
3 files changed, 13 insertions(+), 3 deletions(-)
create mode 100644 teste/negative7.dockerfile
create mode 100644 teste/negative8.dockerfile
diff --git a/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/query.rego b/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/query.rego
index b9b247396d4..67b04ea572b 100644
--- a/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/query.rego
+++ b/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/query.rego
@@ -48,9 +48,13 @@ isAptGet(command) {
 }
 
 avoidManualInputInList(command) {
- flags := ["-y", "yes", "--assumeyes", "-qy"]
-
- contains(command[j], flags[x])
+ flags := ["-y", "--yes", "--assume-yes", "-qy", "-q=2", "-qq"]
+ flagfound := contains(command[_], flags[_])
+ flagfound
+} else {
+ flagsquiet := ["-q","--quiet"]
+ quietflag := {z | command[y] == flagsquiet[_]; z := y}
+ count(quietflag) == 2
 }
 
 avoidManualInput(command) {
diff --git a/teste/negative7.dockerfile b/teste/negative7.dockerfile
new file mode 100644
index 00000000000..ccb7da39998
--- /dev/null
+++ b/teste/negative7.dockerfile
@@ -0,0 +1,3 @@
+FROM node:12
+RUN sudo apt-get --quiet --quiet install sl
+RUN ["apt-get", "--quiet", "--quiet" ,"install", "apt-utils"]
diff --git a/teste/negative8.dockerfile b/teste/negative8.dockerfile
new file mode 100644
index 00000000000..26d49daec49
--- /dev/null
+++ b/teste/negative8.dockerfile
@@ -0,0 +1,3 @@
+FROM node:12
+RUN sudo apt-get -q -q install sl
+RUN ["apt-get", "-q", "-q", "apt-utils"]
From 2dbfb07f84831aa12b5c82fa6109527f3d40224c Mon Sep 17 00:00:00 2001
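Review bot: `count(quietflag) == 2` in the new `else` branch accepts exactly two quiet tokens, so an exec-form command carrying three `-q`/`--quiet` entries is reported as missing the flag although two already suppress the prompt; `count(quietflag) >= 2` matches the stated intent. The pair `flagfound := contains(command[_], flags[_])` / `flagfound` binds a boolean and then asserts it, which is the same as the single body expression `contains(command[_], flags[_])`, and that substring check still lets any token merely containing `-y` or `-qq` (a package name, for instance) count as the flag, so a missed finding remains possible — an exact comparison `command[_] == flags[_]` would be tighter. apt-get documents `-q=#` and appears to accept the long spelling `--quiet=2` as well, but only `-q=2` is in `flags`, so that form would still be flagged.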
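Review bot: Line 3 of the new `teste/negative8.dockerfile`, `RUN ["apt-get", "-q", "-q", "apt-utils"]`, has no `install` token, so the multi-element rule's `dockerLib.arrayContains(resource.Value, {"apt-get", "install"})` precondition never holds for it and the line is negative regardless of the new quiet-flag branch; the exec-form `-q -q` path this commit adds is therefore not exercised. `RUN ["apt-get", "-q", "-q", "install", "apt-utils"]` would exercise it, the way the exec-form line in `negative7.dockerfile` already does for `--quiet`. PATCH 13 moves the file under the query's `test/` directory but keeps the same line.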
From: Artur Ribeiro
Date: Mon, 20 May 2024 14:16:17 +0100
Subject: [PATCH 13/14] fix unit tests error
---
.../test}/negative7.dockerfile | 2 +-
.../test}/negative8.dockerfile | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
rename {teste => assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test}/negative7.dockerfile (63%)
rename {teste => assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test}/negative8.dockerfile (61%)
diff --git a/teste/negative7.dockerfile b/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/negative7.dockerfile
similarity index 63%
rename from teste/negative7.dockerfile
rename to assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/negative7.dockerfile
index ccb7da39998..a706b837420 100644
--- a/teste/negative7.dockerfile
+++ b/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/negative7.dockerfile
@@ -1,3 +1,3 @@
 FROM node:12
-RUN sudo apt-get --quiet --quiet install sl
+RUN apt-get --quiet --quiet install sl
 RUN ["apt-get", "--quiet", "--quiet" ,"install", "apt-utils"]
diff --git a/teste/negative8.dockerfile b/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/negative8.dockerfile
similarity index 61%
rename from teste/negative8.dockerfile
rename to assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/negative8.dockerfile
index 26d49daec49..822716e0fe6 100644
--- a/teste/negative8.dockerfile
+++ b/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/negative8.dockerfile
@@ -1,3 +1,3 @@
 FROM node:12
-RUN sudo apt-get -q -q install sl
+RUN apt-get -q -q install sl
 RUN ["apt-get", "-q", "-q", "apt-utils"]
From 63e9665ba1bd0b6d803b51a335cdad3abb3a9125 Mon Sep 17 00:00:00 2001
From: Artur Ribeiro
Date: Fri, 7 Jun 2024 11:12:43 +0100
Subject: [PATCH 14/14] update import statement to only import contains
---
.../apt_get_missing_flags_to_avoid_manual_input/query.rego | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/query.rego b/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/query.rego
index 67b04ea572b..251c8de4840 100644
--- a/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/query.rego
+++ b/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/query.rego
@@ -1,7 +1,7 @@
 package Cx
 
 import data.generic.dockerfile as dockerLib
-import future.keywords
+import future.keywords.contains
 
 CxPolicy[result] {
 resource := input.document[i].command[name][_]
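Review bot: The narrowed `import future.keywords.contains` still looks unused: as far as this file is visible in the series, `contains` occurs only as the built-in string function `contains(command[_], flags[_])` in `avoidManualInputInList`, which needs no keyword import, whereas `future.keywords.contains` exists to enable the `rule contains value if { ... }` set-rule syntax and no such rule appears in the PATCH 10 or PATCH 12 hunks. Unless a `contains` rule sits in a part of the file not shown, the line can be dropped; if it is kept deliberately, a comment such as `# enables the 'contains' rule keyword (OPA future.keywords)` would record why. The hunk shows only the first seven lines of the file, so the rest of `CxPolicy` lies outside it.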