Checkmarx · gabriel-cx · Oct 31, 2022 · Oct 28, 2022
@@ -0,0 +1,10 @@
+{
+  "id": "5fa731ea-e844-47a6-a1e8-abc25e95847e",
+  "queryName": "Vulnerable OpenSSL Version",
+  "severity": "HIGH",
+  "category": "Supply-Chain",
+  "descriptionText": "OpenSSL versions from 3.0.0 to 3.0.5 are affected by a critical vulnerability",
+  "descriptionUrl": "https://mta.openssl.org/pipermail/openssl-announce/2022-October/000238.html",
+  "platform": "Dockerfile",
+  "descriptionID": "e0d6ef5e"
+}
@@ -0,0 +1,44 @@
+package Cx
+
+CxPolicy[result] {
+	resource := input.document[i].command[name][_]
+	resource.Cmd == "run"
+
+	count(resource.Value) == 1
+	commands := resource.Value[0]
+
+	match := regex.match("(curl|wget)( )*(-(-)?[a-zA-Z-]+ *)*(\")?https://www.openssl.org/source/openssl-3.0.[0-5].tar.gz( )*(\")?", commands)
+	match == true
+
+	result := {
+		"documentId": input.document[i].id,
+		"searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": "OpenSSL version should not be vulnerable",
+		"keyActualValue": "OpenSSL version is vulnerable",
+	}
+}
+
+CxPolicy[result] {
+	resource := input.document[i].command[name][_]
+	resource.Cmd == "run"
+
+	count(resource.Value) > 1
+
+	targets := {"wget", "curl"}
+    contains(resource.Value[j], targets[_])
+
+	match := regex.match("( )*(\")?https://www.openssl.org/source/openssl-3.0.[0-5].tar.gz( )*(\")?", resource.Value[z])
+    match == true
+
+	j < z
+
+	result := {
+		"documentId": input.document[i].id,
+		"searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": "OpenSSL version should not be vulnerable",
+		"keyActualValue": "OpenSSL version is vulnerable",
+	}
+}
+
@@ -0,0 +1,4 @@
+# basic example
+
+FROM ubuntu
+RUN wget -O- https://www.openssl.org/source/openssl-1.1.1h.tar.gz
@@ -0,0 +1,7 @@
+# example with args usage
+
+FROM ubuntu
+
+ARG OPENSSL_VERSION=1.1.1h
+
+RUN curl https://www.openssl.org/source/openssl-${OPENSSL_VERSION}.tar.gz
@@ -0,0 +1,7 @@
+# example with args usage
+
+FROM ubuntu
+
+ARG OPENSSL_SRC=https://www.openssl.org/source/openssl-1.1.1h.tar.gz
+
+RUN curl ${OPENSSL_SRC}
@@ -0,0 +1,13 @@
+# example with envs usage
+
+FROM ubuntu
+
+ENV OPENSSL3_URL  "https://www.openssl.org/source/openssl-1.1.1h.tar.gz"
+
+RUN apk update \
+    && apk upgrade \
+    && apk add make gcc
+
+RUN yum -y install \
+    && yum clean all \
+    && wget ${OPENSSL3_URL}
@@ -0,0 +1,13 @@
+# example with envs usage
+
+FROM ubuntu
+
+ENV OPENSSL3_URL="https://www.openssl.org/source/openssl-1.1.1h.tar.gz"
+
+RUN apk update \
+    && apk upgrade \
+    && apk add make gcc
+
+RUN yum -y install \
+    && yum clean all \
+    && wget ${OPENSSL3_URL}
@@ -0,0 +1,5 @@
+# simple usage
+
+FROM ubuntu
+
+RUN ["curl", "https://www.openssl.org/source/openssl-1.1.1h.tar.gz"]
@@ -0,0 +1,7 @@
+# example with envs usage
+
+FROM ubuntu
+
+ENV OPENSSL3_URL="https://www.openssl.org/source/openssl-1.1.1h.tar.gz"
+
+RUN ["curl", "${OPENSSL3_URL}"]
@@ -0,0 +1,4 @@
+# basic example
+
+FROM ubuntu
+RUN wget -O- https://www.openssl.org/source/openssl-3.0.0.tar.gz
@@ -0,0 +1,7 @@
+# example with args usage
+
+FROM ubuntu
+
+ARG OPENSSL_VERSION=3.0.5
+
+RUN curl https://www.openssl.org/source/openssl-${OPENSSL_VERSION}.tar.gz
@@ -0,0 +1,7 @@
+# example with args usage
+
+FROM ubuntu
+
+ARG OPENSSL_SRC=https://www.openssl.org/source/openssl-3.0.4.tar.gz
+
+RUN curl ${OPENSSL_SRC}
@@ -0,0 +1,13 @@
+# example with envs usage
+
+FROM ubuntu
+
+ENV OPENSSL3_URL "https://www.openssl.org/source/openssl-3.0.3.tar.gz"
+
+RUN apk update \
+    && apk upgrade \
+    && apk add make gcc
+
+RUN yum -y install \
+    && yum clean all \
+    && wget ${OPENSSL3_URL}
@@ -0,0 +1,13 @@
+# example with envs usage
+
+FROM ubuntu
+
+ENV OPENSSL3_URL=https://www.openssl.org/source/openssl-3.0.2.tar.gz
+
+RUN apk update \
+    && apk upgrade \
+    && apk add make gcc
+
+RUN yum -y install \
+    && yum clean all \
+    && wget $OPENSSL3_URL
@@ -0,0 +1,5 @@
+# simple usage
+
+FROM ubuntu
+
+RUN ["curl", "https://www.openssl.org/source/openssl-3.0.2.tar.gz"]
@@ -0,0 +1,7 @@
+# example with envs usage
+
+FROM ubuntu
+
+ENV OPENSSL3_URL="https://www.openssl.org/source/openssl-3.0.2.tar.gz"
+
+RUN ["wget", "-O-", "${OPENSSL3_URL}"]
@@ -0,0 +1,44 @@
+[
+  {
+    "queryName": "Vulnerable OpenSSL Version",
+    "severity": "HIGH",
+    "line": 4,
+    "fileName": "positive1.dockerfile"
+  },
+  {
+    "queryName": "Vulnerable OpenSSL Version",
+    "severity": "HIGH",
+    "line": 7,
+    "fileName": "positive2.dockerfile"
+  },
+  {
+    "queryName": "Vulnerable OpenSSL Version",
+    "severity": "HIGH",
+    "line": 7,
+    "fileName": "positive3.dockerfile"
+  },
+  {
+    "queryName": "Vulnerable OpenSSL Version",
+    "severity": "HIGH",
+    "line": 11,
+    "fileName": "positive4.dockerfile"
+  },
+  {
+    "queryName": "Vulnerable OpenSSL Version",
+    "severity": "HIGH",
+    "line": 11,
+    "fileName": "positive5.dockerfile"
+  },
+  {
+    "queryName": "Vulnerable OpenSSL Version",
+    "severity": "HIGH",
+    "line": 5,
+    "fileName": "positive6.dockerfile"
+  },
+  {
+    "queryName": "Vulnerable OpenSSL Version",
+    "severity": "HIGH",
+    "line": 7,
+    "fileName": "positive7.dockerfile"
+  }
+]
@@ -54,6 +54,7 @@ func (p *Parser) Parse(_ string, fileContent []byte) ([]model.Document, []int, e
 	ignoreStruct := newIgnore()
 
 	args := make(map[string]string, 0)
+	envs := make(map[string]string, 0)
 
 	for _, child := range parsed.AST.Children {
 		child.Value = strings.ToLower(child.Value)
@@ -86,11 +87,17 @@ func (p *Parser) Parse(_ string, fileContent []byte) ([]model.Document, []int, e
 		}
 
 		if child.Value != "arg" {
-			cmd.Value = resolveArgs(cmd.Value, args)
+			cmd.Value = resolveArgsAndEnvs(cmd.Value, args)
 		} else {
 			args = saveArgs(args, cmd.Value[0])
 		}
 
+		if child.Value != "env" {
+			cmd.Value = resolveArgsAndEnvs(cmd.Value, envs)
+		} else {
+			envs = saveEnvs(envs, cmd.Value)
+		}
+
 		if fromValue == "" {
 			arguments = append(arguments, cmd)
 		} else {
@@ -149,11 +156,13 @@ func (p *Parser) GetResolvedFiles() map[string]model.ResolvedFile {
 	return make(map[string]model.ResolvedFile)
 }
 
-func resolveArgs(values []string, args map[string]string) []string {
+func resolveArgsAndEnvs(values []string, args map[string]string) []string {
 	for i := range values {
 		for arg := range args {
-			ref := fmt.Sprintf("${%s}", arg)
-			values[i] = strings.Replace(values[i], ref, args[arg], 1)
+			ref1 := fmt.Sprintf("${%s}", arg)
+			values[i] = strings.Replace(values[i], ref1, args[arg], 1)
+			ref2 := fmt.Sprintf("$%s", arg)
+			values[i] = strings.Replace(values[i], ref2, args[arg], 1)
 		}
 	}
 
@@ -172,3 +181,10 @@ func saveArgs(args map[string]string, argValue string) map[string]string {
 
 	return args
 }
+
+func saveEnvs(envs map[string]string, envValues []string) map[string]string {
+	if len(envValues) == 2 {
+		envs[envValues[0]] = envValues[1]
+	}
+	return envs
+}