update(query): Unpinned Package Version in Apk Add (#5181)

* fix issue * add suport for -t
Checkmarx · May 2, 2022 · 2e35f77 · 2e35f77
1 parent f3a0103
commit 2e35f77
Show file tree

Hide file tree

Showing 2 changed files with 78 additions and 1 deletion.
diff --git a/assets/queries/dockerfile/unpinned_package_version_in_apk_add/query.rego b/assets/queries/dockerfile/unpinned_package_version_in_apk_add/query.rego
@@ -9,6 +9,63 @@ CxPolicy[result] {
 	count(resource.Value) == 1
 	commands := resource.Value[0]
 
+	virtual := regex.find_n("\\-\\-virtual\\s.?[a-zA-Z\\-]+\\s", commands, -1)
+	commands_trim = replace(commands, virtual[0],"")
+	apk := regex.find_n("apk (-(-)?[a-zA-Z]+ *)*add", commands_trim, -1)
+	apk != null
+
+	packages = dockerLib.getPackages(commands_trim, apk)
+
+	length := count(packages)
+
+	some j
+	analyzePackages(j, packages[j], packages, length)
+
+	result := {
+		"documentId": input.document[i].id,
+		"searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": "RUN instruction with 'apk add <package>' should use package pinning form 'apk add <package>=<version>'",
+		"keyActualValue": sprintf("RUN instruction %s does not use package pinning form", [resource.Value[0]]),
+	}
+}
+
+CxPolicy[result] {
+	resource := input.document[i].command[name][_]
+	resource.Cmd == "run"
+
+	count(resource.Value) == 1
+	commands := resource.Value[0]
+
+	virtual := regex.find_n("\\-t\\s.?[a-zA-Z\\-]+\\s", commands, -1)
+	commands_trim = replace(commands, virtual[0],"")
+	apk := regex.find_n("apk (-(-)?[a-zA-Z]+ *)*add", commands_trim, -1)
+	apk != null
+
+	packages = dockerLib.getPackages(commands_trim, apk)
+
+	length := count(packages)
+
+	some j
+	analyzePackages(j, packages[j], packages, length)
+
+	result := {
+		"documentId": input.document[i].id,
+		"searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": "RUN instruction with 'apk add <package>' should use package pinning form 'apk add <package>=<version>'",
+		"keyActualValue": sprintf("RUN instruction %s does not use package pinning form", [resource.Value[0]]),
+	}
+}
+
+CxPolicy[result] {
+	resource := input.document[i].command[name][_]
+	resource.Cmd == "run"
+
+	count(resource.Value) == 1
+	commands := resource.Value[0]
+	not regex.match("\\-\\-virtual\\s.?[a-zA-Z\\-]+\\s", commands)
+	not regex.match("\\-t\\s.?[a-zA-Z\\-]+\\s", commands)
 	apk := regex.find_n("apk (-(-)?[a-zA-Z]+ *)*add", commands, -1)
 	apk != null
 
@@ -32,7 +89,7 @@ CxPolicy[result] {
 	resource := input.document[i].command[name][_]
 	resource.Cmd == "run"
 
-	count(resource.Value) > 1
+	count(resource.Value) > 1 
 
     dockerLib.arrayContains(resource.Value, {"apk", "add"})
 

diff --git a/assets/queries/dockerfile/unpinned_package_version_in_apk_add/test/negative2.dockerfile b/assets/queries/dockerfile/unpinned_package_version_in_apk_add/test/negative2.dockerfile
@@ -0,0 +1,20 @@
+FROM alpine:3.4
+RUN apk add --update py-pip=7.1.2-r0
+RUN sudo pip install --upgrade pip
+COPY requirements.txt /usr/src/app/
+RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
+COPY app.py /usr/src/app/
+COPY templates/index.html /usr/src/app/templates/
+EXPOSE 5000
+CMD ["python", "/usr/src/app/app.py"]
+
+FROM alpine:3.1
+RUN apk add --virtual .test py-pip=7.1.2-r0
+RUN ["apk", "add", "--virtual .test", "py-pip=7.1.2-r0"]
+RUN sudo pip install --upgrade pip
+COPY requirements.txt /usr/src/app/
+RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
+COPY app.py /usr/src/app/
+COPY templates/index.html /usr/src/app/templates/
+EXPOSE 5000
+CMD ["python", "/usr/src/app/app.py"]