Checkmarx · cx-andrep · Jun 12, 2024 · Jun 11, 2024 · Jun 11, 2024 · Jun 11, 2024
@@ -1,9 +1,9 @@
 {
   "id": "b16e8501-ef3c-44e1-a543-a093238099c9",
   "queryName": "Using Platform Flag with FROM Command",
-  "severity": "LOW",
+  "severity": "INFO",
   "category": "Best Practices",
-  "descriptionText": "'FROM' instruction should use the flag '--platform'",
+  "descriptionText": "'FROM' instruction should not use the flag '--platform'",
   "descriptionUrl": "https://docs.docker.com/engine/reference/builder/#from",
   "platform": "Dockerfile",
   "descriptionID": "5bd0baab",

@@ -5,15 +5,14 @@ import data.generic.common as common_lib
 CxPolicy[result] {
 	resource := input.document[i].command[name][_]
 
-	common_lib.contains_element(resource.Value, "as")
-    contains(resource.Cmd, "from")
-	not common_lib.contains_with_size(resource.Flags, "--platform")
+	contains(resource.Flags[j], "--platform")
+	contains(resource.Cmd, "from")
 
 	result := {
 		"documentId": input.document[i].id,
 		"searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]),
 		"issueType": "IncorrectValue",
-		"keyExpectedValue": sprintf("FROM={{%s}}.{{%s}} should use the flag '--platform'", [name, resource.Original]),
-		"keyActualValue": sprintf("FROM={{%s}}.{{%s}} not use the flag '--platform'", [name, resource.Original]),
+		"keyExpectedValue": sprintf("FROM={{%s}}.{{%s}} should not use the '--platform' flag", [name, resource.Original]),
+		"keyActualValue": sprintf("FROM={{%s}}.{{%s}} is using the '--platform' flag", [name, resource.Original]),
 	}
 }
@@ -3,4 +3,4 @@ RUN apk add --update py2-pip
 RUN pip install --upgrade pip
 LABEL maintainer="[email protected]"
 COPY requirements.txt /usr/src/app/
-FROM --platform=arm64 baseimage as baseimage-build
+FROM baseimage as baseimage-build
@@ -3,4 +3,4 @@ RUN apk add --update py2-pip
 RUN pip install --upgrade pip
 LABEL maintainer="[email protected]"
 COPY requirements.txt /usr/src/app/
-FROM baseimage as baseimage-build
+FROM --platform=arm64 baseimage as baseimage-build