From a8e99424ecad966caad4338dfd392fa5db8ba6a6 Mon Sep 17 00:00:00 2001 
From: rafaela-soares Date: Fri, 28 Oct 2022 15:44:06 +0100 Subject: [PATCH] added vulnerable_openssl_version --- .../vulnerable_openssl_version/metadata.json | 10 +++++ .../vulnerable_openssl_version/query.rego | 44 +++++++++++++++++++ .../test/negative1.dockerfile | 4 ++ .../test/negative2.dockerfile | 7 +++ .../test/negative3.dockerfile | 7 +++ .../test/negative4.dockerfile | 13 ++++++ .../test/negative5.dockerfile | 13 ++++++ .../test/negative6.dockerfile | 5 +++ .../test/negative7.dockerfile | 7 +++ .../test/positive1.dockerfile | 4 ++ .../test/positive2.dockerfile | 7 +++ .../test/positive3.dockerfile | 7 +++ .../test/positive4.dockerfile | 13 ++++++ .../test/positive5.dockerfile | 13 ++++++ .../test/positive6.dockerfile | 5 +++ .../test/positive7.dockerfile | 7 +++ .../test/positive_expected_result.json | 44 +++++++++++++++++++ pkg/parser/docker/parser.go | 24 ++++++++-- 18 files changed, 230 insertions(+), 4 deletions(-) create mode 100644 assets/queries/dockerfile/vulnerable_openssl_version/metadata.json create mode 100644 assets/queries/dockerfile/vulnerable_openssl_version/query.rego create mode 100644 assets/queries/dockerfile/vulnerable_openssl_version/test/negative1.dockerfile create mode 100644 assets/queries/dockerfile/vulnerable_openssl_version/test/negative2.dockerfile create mode 100644 assets/queries/dockerfile/vulnerable_openssl_version/test/negative3.dockerfile create mode 100644 assets/queries/dockerfile/vulnerable_openssl_version/test/negative4.dockerfile create mode 100644 assets/queries/dockerfile/vulnerable_openssl_version/test/negative5.dockerfile create mode 100644 assets/queries/dockerfile/vulnerable_openssl_version/test/negative6.dockerfile create mode 100644 assets/queries/dockerfile/vulnerable_openssl_version/test/negative7.dockerfile create mode 100644 assets/queries/dockerfile/vulnerable_openssl_version/test/positive1.dockerfile create mode 100644 assets/queries/dockerfile/vulnerable_openssl_version/test/positive2.dockerfile create 
mode 100644 assets/queries/dockerfile/vulnerable_openssl_version/test/positive3.dockerfile create mode 100644 assets/queries/dockerfile/vulnerable_openssl_version/test/positive4.dockerfile create mode 100644 assets/queries/dockerfile/vulnerable_openssl_version/test/positive5.dockerfile create mode 100644 assets/queries/dockerfile/vulnerable_openssl_version/test/positive6.dockerfile create mode 100644 assets/queries/dockerfile/vulnerable_openssl_version/test/positive7.dockerfile create mode 100644 assets/queries/dockerfile/vulnerable_openssl_version/test/positive_expected_result.json
diff --git a/assets/queries/dockerfile/vulnerable_openssl_version/metadata.json b/assets/queries/dockerfile/vulnerable_openssl_version/metadata.json
new file mode 100644
index 00000000000..ecbeb04582d
--- /dev/null
+++ b/assets/queries/dockerfile/vulnerable_openssl_version/metadata.json
@@ -0,0 +1,10 @@
+{
+ "id": "5fa731ea-e844-47a6-a1e8-abc25e95847e",
+ "queryName": "Vulnerable OpenSSL Version",
+ "severity": "HIGH",
+ "category": "Supply-Chain",
+ "descriptionText": "OpenSSL versions from 3.0.0 to 3.0.5 are affected by a critical vulnerability",
+ "descriptionUrl": "https://mta.openssl.org/pipermail/openssl-announce/2022-October/000238.html",
+ "platform": "Dockerfile",
+ "descriptionID": "e0d6ef5e"
+}
diff --git a/assets/queries/dockerfile/vulnerable_openssl_version/query.rego b/assets/queries/dockerfile/vulnerable_openssl_version/query.rego
new file mode 100644
index 00000000000..67516005b36
--- /dev/null
+++ b/assets/queries/dockerfile/vulnerable_openssl_version/query.rego
@@ -0,0 +1,44 @@
+package Cx
+
+CxPolicy[result] {
+ resource := input.document[i].command[name][_]
+ resource.Cmd == "run"
+
+ count(resource.Value) == 1
+ commands := resource.Value[0]
+
+ match := regex.match("(curl|wget)( )*(-(-)?[a-zA-Z-]+ *)*(\")?https://www.openssl.org/source/openssl-3.0.[0-5].tar.gz( )*(\")?", commands)
+ match == true
+
+ result := {
+ "documentId": input.document[i].id,
+ "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": "OpenSSL version should not be vulnerable",
+ "keyActualValue": "OpenSSL version is vulnerable",
+ }
+}
+
+CxPolicy[result] {
+ resource := input.document[i].command[name][_]
+ resource.Cmd == "run"
+
+ count(resource.Value) > 1
+
+ targets := {"wget", "curl"}
+ contains(resource.Value[j], targets[_])
+
+ match := regex.match("( )*(\")?https://www.openssl.org/source/openssl-3.0.[0-5].tar.gz( )*(\")?", resource.Value[z])
+ match == true
+
+ j < z
+
+ result := {
+ "documentId": input.document[i].id,
+ "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": "OpenSSL version should not be vulnerable",
+ "keyActualValue": "OpenSSL version is vulnerable",
+ }
+}
+
diff --git a/assets/queries/dockerfile/vulnerable_openssl_version/test/negative1.dockerfile b/assets/queries/dockerfile/vulnerable_openssl_version/test/negative1.dockerfile
new file mode 100644
index 00000000000..ff9a004ac9c
--- /dev/null
+++ b/assets/queries/dockerfile/vulnerable_openssl_version/test/negative1.dockerfile
@@ -0,0 +1,4 @@
+# basic example
+
+FROM ubuntu
+RUN wget -O- https://www.openssl.org/source/openssl-1.1.1h.tar.gz
diff --git a/assets/queries/dockerfile/vulnerable_openssl_version/test/negative2.dockerfile b/assets/queries/dockerfile/vulnerable_openssl_version/test/negative2.dockerfile
new file mode 100644
index 00000000000..58ceb9089c4
--- /dev/null
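Review bot: Both rules only recognise a source tarball fetched by `curl`/`wget` from the exact `https://www.openssl.org/source/openssl-3.0.[0-5].tar.gz` URL, so an image that obtains the same versions through a mirror, an `http://` URL, a release asset on another host, `git clone`, or a package manager is not flagged, and the first rule also misses shell forms where an option takes a value before the URL (for example `curl -o openssl.tar.gz https://…`), because `(-(-)?[a-zA-Z-]+ *)*` only consumes bare flags. That false-negative scope is worth stating in the query's description text so a clean result is not read as "no vulnerable OpenSSL in this image". The dots in the version and suffix are also unescaped, so `3.0.[0-5].tar.gz` accepts any character in those positions; writing the pattern as `openssl-3\\.0\\.[0-5]\\.tar\\.gz` inside the double-quoted string keeps the match exact.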
+++ b/assets/queries/dockerfile/vulnerable_openssl_version/test/negative2.dockerfile
@@ -0,0 +1,7 @@
+# example with args usage
+
+FROM ubuntu
+
+ARG OPENSSL_VERSION=1.1.1h
+
+RUN curl https://www.openssl.org/source/openssl-${OPENSSL_VERSION}.tar.gz
diff --git a/assets/queries/dockerfile/vulnerable_openssl_version/test/negative3.dockerfile b/assets/queries/dockerfile/vulnerable_openssl_version/test/negative3.dockerfile
new file mode 100644
index 00000000000..42a19ae976d
--- /dev/null
+++ b/assets/queries/dockerfile/vulnerable_openssl_version/test/negative3.dockerfile
@@ -0,0 +1,7 @@
+# example with args usage
+
+FROM ubuntu
+
+ARG OPENSSL_SRC=https://www.openssl.org/source/openssl-1.1.1h.tar.gz
+
+RUN curl ${OPENSSL_SRC}
diff --git a/assets/queries/dockerfile/vulnerable_openssl_version/test/negative4.dockerfile b/assets/queries/dockerfile/vulnerable_openssl_version/test/negative4.dockerfile
new file mode 100644
index 00000000000..f3afbff7d0b
--- /dev/null
+++ b/assets/queries/dockerfile/vulnerable_openssl_version/test/negative4.dockerfile
@@ -0,0 +1,13 @@
+# example with envs usage
+
+FROM ubuntu
+
+ENV OPENSSL3_URL "https://www.openssl.org/source/openssl-1.1.1h.tar.gz"
+
+RUN apk update \
+ && apk upgrade \
+ && apk add make gcc
+
+RUN yum -y install \
+ && yum clean all \
+ && wget ${OPENSSL3_URL}
diff --git a/assets/queries/dockerfile/vulnerable_openssl_version/test/negative5.dockerfile b/assets/queries/dockerfile/vulnerable_openssl_version/test/negative5.dockerfile
new file mode 100644
index 00000000000..0dcd19b44a9
--- /dev/null
+++ b/assets/queries/dockerfile/vulnerable_openssl_version/test/negative5.dockerfile
@@ -0,0 +1,13 @@
+# example with envs usage
+
+FROM ubuntu
+
+ENV OPENSSL3_URL="https://www.openssl.org/source/openssl-1.1.1h.tar.gz"
+
+RUN apk update \
+ && apk upgrade \
+ && apk add make gcc
+
+RUN yum -y install \
+ && yum clean all \
+ && wget ${OPENSSL3_URL}
diff --git a/assets/queries/dockerfile/vulnerable_openssl_version/test/negative6.dockerfile b/assets/queries/dockerfile/vulnerable_openssl_version/test/negative6.dockerfile
new file mode 100644
index 00000000000..0738c1a46b6
--- /dev/null
+++ b/assets/queries/dockerfile/vulnerable_openssl_version/test/negative6.dockerfile
@@ -0,0 +1,5 @@
+# simple usage
+
+FROM ubuntu
+
+RUN ["curl", "https://www.openssl.org/source/openssl-1.1.1h.tar.gz"]
diff --git a/assets/queries/dockerfile/vulnerable_openssl_version/test/negative7.dockerfile b/assets/queries/dockerfile/vulnerable_openssl_version/test/negative7.dockerfile
new file mode 100644
index 00000000000..59cf93af195
--- /dev/null
+++ b/assets/queries/dockerfile/vulnerable_openssl_version/test/negative7.dockerfile
@@ -0,0 +1,7 @@
+# example with envs usage
+
+FROM ubuntu
+
+ENV OPENSSL3_URL="https://www.openssl.org/source/openssl-1.1.1h.tar.gz"
+
+RUN ["curl", "${OPENSSL3_URL}"]
diff --git a/assets/queries/dockerfile/vulnerable_openssl_version/test/positive1.dockerfile b/assets/queries/dockerfile/vulnerable_openssl_version/test/positive1.dockerfile
new file mode 100644
index 00000000000..eb40810a3ef
--- /dev/null
+++ b/assets/queries/dockerfile/vulnerable_openssl_version/test/positive1.dockerfile
@@ -0,0 +1,4 @@
+# basic example
+
+FROM ubuntu
+RUN wget -O- https://www.openssl.org/source/openssl-3.0.0.tar.gz
diff --git a/assets/queries/dockerfile/vulnerable_openssl_version/test/positive2.dockerfile b/assets/queries/dockerfile/vulnerable_openssl_version/test/positive2.dockerfile
new file mode 100644
index 00000000000..8b29de95399
--- /dev/null
+++ b/assets/queries/dockerfile/vulnerable_openssl_version/test/positive2.dockerfile
@@ -0,0 +1,7 @@
+# example with args usage
+
+FROM ubuntu
+
+ARG OPENSSL_VERSION=3.0.5
+
+RUN curl https://www.openssl.org/source/openssl-${OPENSSL_VERSION}.tar.gz
diff --git a/assets/queries/dockerfile/vulnerable_openssl_version/test/positive3.dockerfile b/assets/queries/dockerfile/vulnerable_openssl_version/test/positive3.dockerfile
new file mode 100644
index 00000000000..f4d4a88a971
--- /dev/null
+++ b/assets/queries/dockerfile/vulnerable_openssl_version/test/positive3.dockerfile
@@ -0,0 +1,7 @@
+# example with args usage
+
+FROM ubuntu
+
+ARG OPENSSL_SRC=https://www.openssl.org/source/openssl-3.0.4.tar.gz
+
+RUN curl ${OPENSSL_SRC}
diff --git a/assets/queries/dockerfile/vulnerable_openssl_version/test/positive4.dockerfile b/assets/queries/dockerfile/vulnerable_openssl_version/test/positive4.dockerfile
new file mode 100644
index 00000000000..152625bf893
--- /dev/null
+++ b/assets/queries/dockerfile/vulnerable_openssl_version/test/positive4.dockerfile
@@ -0,0 +1,13 @@
+# example with envs usage
+
+FROM ubuntu
+
+ENV OPENSSL3_URL "https://www.openssl.org/source/openssl-3.0.3.tar.gz"
+
+RUN apk update \
+ && apk upgrade \
+ && apk add make gcc
+
+RUN yum -y install \
+ && yum clean all \
+ && wget ${OPENSSL3_URL}
diff --git a/assets/queries/dockerfile/vulnerable_openssl_version/test/positive5.dockerfile b/assets/queries/dockerfile/vulnerable_openssl_version/test/positive5.dockerfile
new file mode 100644
index 00000000000..6f0fcc85b7c
--- /dev/null
+++ b/assets/queries/dockerfile/vulnerable_openssl_version/test/positive5.dockerfile
@@ -0,0 +1,13 @@
+# example with envs usage
+
+FROM ubuntu
+
+ENV OPENSSL3_URL=https://www.openssl.org/source/openssl-3.0.2.tar.gz
+
+RUN apk update \
+ && apk upgrade \
+ && apk add make gcc
+
+RUN yum -y install \
+ && yum clean all \
+ && wget $OPENSSL3_URL
diff --git a/assets/queries/dockerfile/vulnerable_openssl_version/test/positive6.dockerfile b/assets/queries/dockerfile/vulnerable_openssl_version/test/positive6.dockerfile
new file mode 100644
index 00000000000..6535286f07a
--- /dev/null
+++ b/assets/queries/dockerfile/vulnerable_openssl_version/test/positive6.dockerfile
@@ -0,0 +1,5 @@
+# simple usage
+
+FROM ubuntu
+
+RUN ["curl", "https://www.openssl.org/source/openssl-3.0.2.tar.gz"]
diff --git a/assets/queries/dockerfile/vulnerable_openssl_version/test/positive7.dockerfile b/assets/queries/dockerfile/vulnerable_openssl_version/test/positive7.dockerfile
new file mode 100644
index 00000000000..39ca43deb35
--- /dev/null
+++ b/assets/queries/dockerfile/vulnerable_openssl_version/test/positive7.dockerfile
@@ -0,0 +1,7 @@
+# example with envs usage
+
+FROM ubuntu
+
+ENV OPENSSL3_URL="https://www.openssl.org/source/openssl-3.0.2.tar.gz"
+
+RUN ["wget", "-O-", "${OPENSSL3_URL}"]
diff --git a/assets/queries/dockerfile/vulnerable_openssl_version/test/positive_expected_result.json b/assets/queries/dockerfile/vulnerable_openssl_version/test/positive_expected_result.json
new file mode 100644
index 00000000000..ea7e5f50ab4
--- /dev/null
+++ b/assets/queries/dockerfile/vulnerable_openssl_version/test/positive_expected_result.json
@@ -0,0 +1,44 @@
+[
+ {
+ "queryName": "Vulnerable OpenSSL Version",
+ "severity": "HIGH",
+ "line": 4,
+ "fileName": "positive1.dockerfile"
+ },
+ {
+ "queryName": "Vulnerable OpenSSL Version",
+ "severity": "HIGH",
+ "line": 7,
+ "fileName": "positive2.dockerfile"
+ },
+ {
+ "queryName": "Vulnerable OpenSSL Version",
+ "severity": "HIGH",
+ "line": 7,
+ "fileName": "positive3.dockerfile"
+ },
+ {
+ "queryName": "Vulnerable OpenSSL Version",
+ "severity": "HIGH",
+ "line": 11,
+ "fileName": "positive4.dockerfile"
+ },
+ {
+ "queryName": "Vulnerable OpenSSL Version",
+ "severity": "HIGH",
+ "line": 11,
+ "fileName": "positive5.dockerfile"
+ },
+ {
+ "queryName": "Vulnerable OpenSSL Version",
+ "severity": "HIGH",
+ "line": 5,
+ "fileName": "positive6.dockerfile"
+ },
+ {
+ "queryName": "Vulnerable OpenSSL Version",
+ "severity": "HIGH",
+ "line": 7,
+ "fileName": "positive7.dockerfile"
+ }
+]
diff --git a/pkg/parser/docker/parser.go b/pkg/parser/docker/parser.go
index dd18d33d941..4515393a597 100644
--- a/pkg/parser/docker/parser.go +++ b/pkg/parser/docker/parser.go @@ -54,6 +54,7 @@ func (p *Parser) Parse(_ string, fileContent []byte) ([]model.Document, []int, e ignoreStruct := newIgnore() args := make(map[string]string, 0) + envs := make(map[string]string, 0) for _, child := range parsed.AST.Children { child.Value = strings.ToLower(child.Value) @@ -86,11 +87,17 @@ func (p *Parser) Parse(_ string, fileContent []byte) ([]model.Document, []int, e } if child.Value != "arg" { - cmd.Value = resolveArgs(cmd.Value, args) + cmd.Value = resolveArgsAndEnvs(cmd.Value, args) } else { args = saveArgs(args, cmd.Value[0]) } + if child.Value != "env" { + cmd.Value = resolveArgsAndEnvs(cmd.Value, envs) + } else { + envs = saveEnvs(envs, cmd.Value) + } + if fromValue == "" { arguments = append(arguments, cmd) } else { @@ -149,11 +156,13 @@ func (p *Parser) GetResolvedFiles() map[string]model.ResolvedFile { return make(map[string]model.ResolvedFile) } -func resolveArgs(values []string, args map[string]string) []string { +func resolveArgsAndEnvs(values []string, args map[string]string) []string { for i := range values { for arg := range args { - ref := fmt.Sprintf("${%s}", arg) - values[i] = strings.Replace(values[i], ref, args[arg], 1) + ref1 := fmt.Sprintf("${%s}", arg) + values[i] = strings.Replace(values[i], ref1, args[arg], 1) + ref2 := fmt.Sprintf("$%s", arg) + values[i] = strings.Replace(values[i], ref2, args[arg], 1) } } @@ -172,3 +181,10 @@ func saveArgs(args map[string]string, argValue string) map[string]string { return args } + +func saveEnvs(envs map[string]string, envValues []string) map[string]string { + if len(envValues) == 2 { + envs[envValues[0]] = envValues[1] + } + return envs +}
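Review bot: The new `$NAME` substitution in resolveArgsAndEnvs is a plain prefix match, so when one name is a prefix of another (say `URL` and `URL_BASE`) the reference `$URL_BASE` can be rewritten as the value of `URL` followed by `_BASE`, and because Go map iteration order is random the outcome differs from run to run. The resolved command is what the new OpenSSL query inspects, so on such Dockerfiles whether the finding is reported becomes nondeterministic. Substituting over a key list sorted longest-first keeps the loop deterministic and stops the partial match; `${NAME}` is delimited and unaffected, and the change needs `sort` in the file's import block. The function's `return values` lies outside this hunk.
```go
func resolveArgsAndEnvs(values []string, args map[string]string) []string {
	// Longest names first so "$URL_BASE" is never consumed by the "$URL"
	// pattern, and a fixed order so results do not depend on map iteration.
	keys := make([]string, 0, len(args))
	for k := range args {
		keys = append(keys, k)
	}
	sort.Slice(keys, func(a, b int) bool { return len(keys[a]) > len(keys[b]) })
	for i := range values {
		for _, arg := range keys {
			values[i] = strings.Replace(values[i], "${"+arg+"}", args[arg], 1)
			values[i] = strings.Replace(values[i], "$"+arg, args[arg], 1)
		}
	}
	// … unchanged: return values …
```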
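Review bot: saveEnvs records an `ENV` only when it carries exactly two values, so a multi-pair form such as `ENV A=1 B=2` is silently dropped and any later `$A`/`${A}` reference stays unresolved, which means the OpenSSL query cannot fire on it; presumably the parser flattens pairs into a key/value list, which the `== 2` case already relies on — worth confirming. Walking the slice in pairs covers both shapes: `for i := 0; i+1 < len(envValues); i += 2 {` / `envs[envValues[i]] = envValues[i+1]` / `}`. A doc comment would also help, e.g. `// saveEnvs records the key/value pairs of an ENV instruction so later instructions can resolve references to them.`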