Checkmarx · cx-andrep · Jun 7, 2024 · May 17, 2024 · May 17, 2024 · May 17, 2024
@@ -1,12 +1,13 @@
 {
   "id": "77783205-c4ca-4f80-bb80-c777f267c547",
-  "queryName": "APT-GET Missing '-y' To Avoid Manual Input",
+  "queryName": "APT-GET Missing Flags To Avoid Manual Input",
   "severity": "LOW",
   "category": "Supply-Chain",
-  "descriptionText": "Check if apt-get calls use the flag -y to avoid user manual input.",
+  "descriptionText": "Check if apt-get calls use flags to avoid user manual input.",
   "descriptionUrl": "https://docs.docker.com/engine/reference/builder/#run",
   "platform": "Dockerfile",
   "descriptionID": "2064113b",
+  "cloudProvider": "common",
   "cwe": "710",
   "oldSeverity": "MEDIUM"
 }
@@ -0,0 +1,70 @@
+package Cx
+
+import data.generic.dockerfile as dockerLib
+import future.keywords.contains
+
+CxPolicy[result] {
+	resource := input.document[i].command[name][_]
+	resource.Cmd == "run"
+
+	count(resource.Value) == 1
+
+	commands := resource.Value[j]
+	command := dockerLib.getCommands(commands)[_]
+	isAptGet(command)
+
+	not avoidManualInput(command)
+
+	result := {
+		"documentId": input.document[i].id,
+		"searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": sprintf("{{%s}} should avoid manual input", [resource.Original]),
+		"keyActualValue": sprintf("{{%s}} doesn't avoid manual input", [resource.Original]),
+	}
+}
+
+CxPolicy[result] {
+    resource := input.document[i].command[name][_]
+    resource.Cmd == "run"
+
+    count(resource.Value) > 1
+
+    dockerLib.arrayContains(resource.Value, {"apt-get", "install"})
+
+    not avoidManualInputInList(resource.Value)
+
+    result := {
+        "documentId": input.document[i].id,
+        "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]),
+        "issueType": "IncorrectValue",
+        "keyExpectedValue": sprintf("{{%s}} should avoid manual input", [resource.Original]),
+        "keyActualValue": sprintf("{{%s}} doesn't avoid manual input", [resource.Original]),
+    }
+}
+
+isAptGet(command) {
+	regex.match("apt-get (-(-)?[a-zA-Z]+ *)*install", command)
+}
+
+avoidManualInputInList(command) {
+    flags := ["-y", "--yes", "--assume-yes", "-qy", "-q=2", "-qq"]
+    flagfound := contains(command[_], flags[_])
+    flagfound
+} else {
+    flagsquiet := ["-q","--quiet"]
+    quietflag := {z | command[y] == flagsquiet[_]; z := y}
+    count(quietflag) == 2
+}
+
+avoidManualInput(command) {
+	regex.match("apt-get (-(-)?[a-zA-Z]+ *)*(-([A-Za-z])*y|--yes|-qq|-q=2|--assume-yes|(-q|--quiet)(.*(-q|--quiet)){1}) (-(-)?[a-zA-Z]+ *)*install", command)
+}
+
+avoidManualInput(command) {
+	regex.match("apt-get (-(-)?[a-zA-Z]+ *)*install (-(-)?[a-zA-Z]+ *)*(-([A-Za-z])*y|--yes|-qq|-q=2|--assume-yes|(-q|--quiet)(.*(-q|--quiet)){1})", command)
+}
+
+avoidManualInput(command) {
+	regex.match("apt-get (-(-)?[a-zA-Z]+ *)*install ([A-Za-z0-9\\W]+ *)*(-([A-Za-z])*y|--yes|-qq|-q=2|--assume-yes|(-q|--quiet)(.*(-q|--quiet)){1})", command)
+}
@@ -0,0 +1,3 @@
+FROM node:12
+RUN apt-get --yes install apt-utils
+RUN ["sudo", "apt-get", "--yes" ,"install", "apt-utils"]
@@ -0,0 +1,3 @@
+FROM node:12
+RUN sudo apt-get -qq install apt-utils
+RUN ["apt-get", "-qq", "install", "apt-utils"] 
@@ -0,0 +1,3 @@
+FROM node:12
+RUN apt-get --assume-yes install apt-utils
+RUN ["sudo", "apt-get", "--assume-yes", "install", "apt-utils"] 
@@ -0,0 +1,3 @@
+FROM node:12
+RUN sudo apt-get -q=2 install apt-utils
+RUN ["apt-get", "-q=2", "install", "apt-utils"]
@@ -0,0 +1,3 @@
+FROM node:12
+RUN apt-get --quiet --quiet install sl
+RUN ["apt-get", "--quiet", "--quiet" ,"install", "apt-utils"] 
@@ -0,0 +1,3 @@
+FROM node:12
+RUN apt-get -q -q install sl
+RUN ["apt-get", "-q", "-q", "apt-utils"]
@@ -0,0 +1,3 @@
+FROM node:12
+RUN ["sudo", "apt-get", "-q" ,"install", "apt-utils"]
+RUN sudo apt-get -q install apt-utils
@@ -0,0 +1,3 @@
+FROM node:12
+RUN ["sudo", "apt-get", "--quiet", "install", "apt-utils"] 
+RUN sudo apt-get --quiet install apt-utils
@@ -0,0 +1,3 @@
+FROM node:12
+RUN sudo apt-get --quiet install sl
+RUN ["apt-get", "--quiet" ,"install", "apt-utils"] 
@@ -0,0 +1,3 @@
+FROM node:12
+RUN sudo apt-get -q install sl
+RUN ["apt-get", "-q", "install", "apt-utils"] 
@@ -0,0 +1,92 @@
+[
+  {
+    "queryName": "APT-GET Missing Flags To Avoid Manual Input",
+    "severity": "LOW",
+    "line": 2,
+    "filename": "positive1.dockerfile"
+  },
+  {
+    "queryName": "APT-GET Missing Flags To Avoid Manual Input",
+    "severity": "LOW",
+    "line": 3,
+    "filename": "positive1.dockerfile"
+  },
+  {
+    "queryName": "APT-GET Missing Flags To Avoid Manual Input",
+    "severity": "LOW",
+    "line": 4,
+    "filename": "positive1.dockerfile"
+  },
+  {
+    "queryName": "APT-GET Missing Flags To Avoid Manual Input",
+    "severity": "LOW",
+    "line": 2,
+    "filename": "positive2.dockerfile"
+  },
+  {
+    "queryName": "APT-GET Missing Flags To Avoid Manual Input",
+    "severity": "LOW",
+    "line": 3,
+    "filename": "positive2.dockerfile"
+  },
+  {
+    "queryName": "APT-GET Missing Flags To Avoid Manual Input",
+    "severity": "LOW",
+    "line": 4,
+    "filename": "positive2.dockerfile"
+  },
+  {
+    "queryName": "APT-GET Missing Flags To Avoid Manual Input",
+    "severity": "LOW",
+    "line": 2,
+    "filename": "positive3.dockerfile"
+  },
+  {
+    "queryName": "APT-GET Missing Flags To Avoid Manual Input",
+    "severity": "LOW",
+    "line": 2,
+    "filename": "positive4.dockerfile"  
+  },
+  {
+    "queryName": "APT-GET Missing Flags To Avoid Manual Input",
+    "severity": "LOW",
+    "line": 3,
+    "filename": "positive4.dockerfile"    
+  },
+  {
+    "queryName": "APT-GET Missing Flags To Avoid Manual Input",
+    "severity": "LOW",
+    "line": 3,
+    "filename": "positive5.dockerfile"  
+  }, 
+  {
+    "queryName": "APT-GET Missing Flags To Avoid Manual Input",
+    "severity": "LOW",
+    "line": 2,
+    "filename": "positive5.dockerfile"
+  },
+  {
+    "queryName": "APT-GET Missing Flags To Avoid Manual Input",
+    "severity": "LOW",
+    "line": 3,
+    "filename": "positive6.dockerfile"  
+  }, 
+  {
+    "queryName": "APT-GET Missing Flags To Avoid Manual Input",
+    "severity": "LOW",
+    "line": 2,
+    "filename": "positive6.dockerfile"
+  },
+  {
+    "queryName": "APT-GET Missing Flags To Avoid Manual Input",
+    "severity": "LOW",
+    "line": 3,
+    "filename": "positive7.dockerfile"  
+  }, 
+  {
+    "queryName": "APT-GET Missing Flags To Avoid Manual Input",
+    "severity": "LOW",
+    "line": 2,
+    "filename": "positive7.dockerfile"
+  }
+]
@@ -621,7 +621,7 @@ This page contains all queries.
 |WORKDIR Path Not Absolute<br/><sup><sub>6b376af8-cfe8-49ab-a08d-f32de23661a4</sub></sup>|Dockerfile|<span style="color:#edd57e">Low</span>|Build Process|<a href="../dockerfile-queries/6b376af8-cfe8-49ab-a08d-f32de23661a4" target="_blank">Query details</a><br><a href="https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#workdir">Documentation</a><br/>|
 |Healthcheck Instruction Missing<br/><sup><sub>b03a748a-542d-44f4-bb86-9199ab4fd2d5</sub></sup>|Dockerfile|<span style="color:#edd57e">Low</span>|Insecure Configurations|<a href="../dockerfile-queries/b03a748a-542d-44f4-bb86-9199ab4fd2d5" target="_blank">Query details</a><br><a href="https://docs.docker.com/engine/reference/builder/#healthcheck">Documentation</a><br/>|
 |Shell Running A Pipe Without Pipefail Flag<br/><sup><sub>efbf148a-67e9-42d2-ac47-02fa1c0d0b22</sub></sup>|Dockerfile|<span style="color:#edd57e">Low</span>|Insecure Defaults|<a href="../dockerfile-queries/efbf148a-67e9-42d2-ac47-02fa1c0d0b22" target="_blank">Query details</a><br><a href="https://docs.docker.com/engine/reference/builder/#run">Documentation</a><br/>|
-|APT-GET Missing '-y' To Avoid Manual Input<br/><sup><sub>77783205-c4ca-4f80-bb80-c777f267c547</sub></sup>|Dockerfile|<span style="color:#edd57e">Low</span>|Supply-Chain|<a href="../dockerfile-queries/77783205-c4ca-4f80-bb80-c777f267c547" target="_blank">Query details</a><br><a href="https://docs.docker.com/engine/reference/builder/#run">Documentation</a><br/>|
+|APT-GET Missing Flags To Avoid Manual Input<br/><sup><sub>77783205-c4ca-4f80-bb80-c777f267c547</sub></sup>|Dockerfile|<span style="color:#edd57e">Low</span>|Supply-Chain|<a href="../dockerfile-queries/77783205-c4ca-4f80-bb80-c777f267c547" target="_blank">Query details</a><br><a href="https://docs.docker.com/engine/reference/builder/#run">Documentation</a><br/>|
 |Missing Flag From Dnf Install<br/><sup><sub>7ebd323c-31b7-4e5b-b26f-de5e9e477af8</sub></sup>|Dockerfile|<span style="color:#edd57e">Low</span>|Supply-Chain|<a href="../dockerfile-queries/7ebd323c-31b7-4e5b-b26f-de5e9e477af8" target="_blank">Query details</a><br><a href="https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run">Documentation</a><br/>|
 |Run Using 'wget' and 'curl'<br/><sup><sub>fc775e75-fcfb-4c98-b2f2-910c5858b359</sub></sup>|Dockerfile|<span style="color:#edd57e">Low</span>|Supply-Chain|<a href="../dockerfile-queries/fc775e75-fcfb-4c98-b2f2-910c5858b359" target="_blank">Query details</a><br><a href="https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run">Documentation</a><br/>|
 |Run Using apt<br/><sup><sub>b84a0b47-2e99-4c9f-8933-98bcabe2b94d</sub></sup>|Dockerfile|<span style="color:#edd57e">Low</span>|Supply-Chain|<a href="../dockerfile-queries/b84a0b47-2e99-4c9f-8933-98bcabe2b94d" target="_blank">Query details</a><br><a href="https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run">Documentation</a><br/>|

@@ -40,7 +40,7 @@ This page contains all queries from Dockerfile.
 |WORKDIR Path Not Absolute<br/><sup><sub>6b376af8-cfe8-49ab-a08d-f32de23661a4</sub></sup>|<span style="color:#edd57e">Low</span>|Build Process|<a href="../dockerfile-queries/6b376af8-cfe8-49ab-a08d-f32de23661a4" target="_blank">Query details</a><br><a href="https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#workdir">Documentation</a><br/>|
 |Healthcheck Instruction Missing<br/><sup><sub>b03a748a-542d-44f4-bb86-9199ab4fd2d5</sub></sup>|<span style="color:#edd57e">Low</span>|Insecure Configurations|<a href="../dockerfile-queries/b03a748a-542d-44f4-bb86-9199ab4fd2d5" target="_blank">Query details</a><br><a href="https://docs.docker.com/engine/reference/builder/#healthcheck">Documentation</a><br/>|
 |Shell Running A Pipe Without Pipefail Flag<br/><sup><sub>efbf148a-67e9-42d2-ac47-02fa1c0d0b22</sub></sup>|<span style="color:#edd57e">Low</span>|Insecure Defaults|<a href="../dockerfile-queries/efbf148a-67e9-42d2-ac47-02fa1c0d0b22" target="_blank">Query details</a><br><a href="https://docs.docker.com/engine/reference/builder/#run">Documentation</a><br/>|
-|APT-GET Missing '-y' To Avoid Manual Input<br/><sup><sub>77783205-c4ca-4f80-bb80-c777f267c547</sub></sup>|<span style="color:#edd57e">Low</span>|Supply-Chain|<a href="../dockerfile-queries/77783205-c4ca-4f80-bb80-c777f267c547" target="_blank">Query details</a><br><a href="https://docs.docker.com/engine/reference/builder/#run">Documentation</a><br/>|
+|APT-GET Missing Flags To Avoid Manual Input<br/><sup><sub>77783205-c4ca-4f80-bb80-c777f267c547</sub></sup>|<span style="color:#edd57e">Low</span>|Supply-Chain|<a href="../dockerfile-queries/77783205-c4ca-4f80-bb80-c777f267c547" target="_blank">Query details</a><br><a href="https://docs.docker.com/engine/reference/builder/#run">Documentation</a><br/>|
 |Missing Flag From Dnf Install<br/><sup><sub>7ebd323c-31b7-4e5b-b26f-de5e9e477af8</sub></sup>|<span style="color:#edd57e">Low</span>|Supply-Chain|<a href="../dockerfile-queries/7ebd323c-31b7-4e5b-b26f-de5e9e477af8" target="_blank">Query details</a><br><a href="https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run">Documentation</a><br/>|
 |Run Using 'wget' and 'curl'<br/><sup><sub>fc775e75-fcfb-4c98-b2f2-910c5858b359</sub></sup>|<span style="color:#edd57e">Low</span>|Supply-Chain|<a href="../dockerfile-queries/fc775e75-fcfb-4c98-b2f2-910c5858b359" target="_blank">Query details</a><br><a href="https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run">Documentation</a><br/>|
 |Run Using apt<br/><sup><sub>b84a0b47-2e99-4c9f-8933-98bcabe2b94d</sub></sup>|<span style="color:#edd57e">Low</span>|Supply-Chain|<a href="../dockerfile-queries/b84a0b47-2e99-4c9f-8933-98bcabe2b94d" target="_blank">Query details</a><br><a href="https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run">Documentation</a><br/>|

@@ -1,5 +1,5 @@
 ---
-title: APT-GET Missing '-y' To Avoid Manual Input
+title: APT-GET Missing Flag To Avoid Manual Input
 hide:
   toc: true
   navigation: true
@@ -16,11 +16,11 @@ hide:
 </style>
 
 -   **Query id:** 77783205-c4ca-4f80-bb80-c777f267c547
--   **Query name:** APT-GET Missing '-y' To Avoid Manual Input
+-   **Query name:** APT-GET Missing Flags To Avoid Manual Input
 -   **Platform:** Dockerfile
 -   **Severity:** <span style="color:#edd57e">Low</span>
 -   **Category:** Supply-Chain
--   **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input)
+-   **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input)
 
 ### Description
 Check if apt-get calls use the flag -y to avoid user manual input.<br>

@@ -303,4 +303,4 @@ func getQueryFilter() *source.QueryInspectorParameters {
 		ExcludeQueries: source.ExcludeQueries{ByIDs: []string{}, ByCategories: []string{}},
 		InputDataPath:  "",
 	}
-}
+}
-Original file line number
+Diff line change
@@ Expand Up / @@ -303,4 +303,4 @@ func getQueryFilter() *source.QueryInspectorParameters { @@
     		ExcludeQueries: source.ExcludeQueries{ByIDs: []string{}, ByCategories: []string{}},
     		InputDataPath:  "",
     	}
-    }
+    }