forked from semgrep/semgrep-rules
Fixed the dockerfile.security.missing-user rule
- The previous version of this rule would have false positives on

  ```
  HEALTHCHECK ... \
      CMD ...
  ENTRYPOINT ...
  ```

  There will still be false positives if CMD is not indented on the newline.
- There was a separate rule for ENTRYPOINT, which doesn't really make sense, since CMD and ENTRYPOINT can be used in the same Dockerfile, as per https://docs.docker.com/reference/dockerfile/#exec-form-entrypoint-example ; therefore, the rule was removed.
- There is still a bug that will create two findings for a Dockerfile like this:

  ```
  FROM busybox
  ENTRYPOINT ["some-command"]
  CMD ["--some-arg"]
  ```

- The autofix arguments have changed because technically it doesn't matter where in the Dockerfile the USER directive is specified, insofar as the last specified USER is non-root. Previously, the autofix would attempt to add the USER directive above the CMD or ENTRYPOINT directives. However, since either or both of these can appear, we're not going to specify the CMD or ENTRYPOINT directive in the fix.
- Cleaned up some of the test files to remove invalid syntax like calling CMD twice.
- Partially fixes semgrep#3436
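The edge cases the commit message lists (the `CMD` sub-instruction of `HEALTHCHECK` on a continuation line, commented-out `USER` lines, only the last `USER` mattering, and one image producing two findings) are easier to reason about with a direct parser than with a pattern rule. The following is an added example written for this page; it is not code from the semgrep-rules commit or from the semgrep project, and every function name in it is hypothetical. It parses the Dockerfile text itself rather than using semgrep patterns, which lets it go slightly beyond the rule as described: continuations are joined before matching, so the `HEALTHCHECK` false positive is avoided whether or not the `CMD` line is indented, and an image with both `ENTRYPOINT` and `CMD` yields a single finding.

```python
"""Added example, not code from the semgrep-rules commit or the semgrep project:
a standalone Dockerfile check that mirrors what the fixed missing-user rule is
meant to express. It parses the Dockerfile text directly instead of using
semgrep patterns, so it can join backslash continuations (and thus ignore the
CMD sub-instruction of HEALTHCHECK whether or not it is indented), skip
commented-out USER lines, honour only the LAST USER, and emit a single finding
for an image that has both ENTRYPOINT and CMD. All names are hypothetical."""

from typing import List, Optional, Tuple

ROOT_IDS = {"root", "0"}  # user names / uids that still run as uid 0


def logical_lines(dockerfile: str) -> List[str]:
    """Collapse backslash continuations and drop blank/comment lines, so each
    returned string is one complete instruction."""
    out: List[str] = []
    buf: List[str] = []
    for raw in dockerfile.splitlines():
        stripped = raw.strip()
        # Blank and comment lines never terminate a continuation and are never
        # instructions, so a commented-out '#USER notroot' does not satisfy the check.
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.endswith("\\"):
            buf.append(stripped[:-1].rstrip())
            continue
        buf.append(stripped)
        out.append(" ".join(buf))
        buf = []
    if buf:  # dangling continuation at end of file: treat it as complete
        out.append(" ".join(buf))
    return out


def keyword_and_args(instruction: str) -> Tuple[str, str]:
    """Split one logical instruction into its upper-cased keyword and the rest."""
    parts = instruction.split(None, 1)
    return parts[0].upper(), (parts[1] if len(parts) > 1 else "")


def effective_user(dockerfile: str) -> Optional[str]:
    """The user the final image runs as: the argument of the LAST USER
    instruction, or None when there is none. Where it sits relative to
    CMD/ENTRYPOINT does not matter."""
    user = None
    for inst in logical_lines(dockerfile):
        kw, args = keyword_and_args(inst)
        if kw == "USER":
            user = args.strip()
    return user


def is_root(user: Optional[str]) -> bool:
    """'root', '0', 'root:root' and '0:0' all mean uid 0; no USER at all is root."""
    if user is None:
        return True
    return user.split(":", 1)[0].strip().lower() in ROOT_IDS


def defines_runtime_command(dockerfile: str) -> bool:
    """True if there is a top-level CMD or ENTRYPOINT. Because continuations
    were joined first, 'HEALTHCHECK ... \\' followed by 'CMD [...]' is a single
    HEALTHCHECK instruction and does not count."""
    return any(keyword_and_args(inst)[0] in ("CMD", "ENTRYPOINT")
               for inst in logical_lines(dockerfile))


def check_missing_user(dockerfile: str) -> Optional[str]:
    """Return one finding for the whole Dockerfile, or None if it is fine."""
    if not defines_runtime_command(dockerfile):
        return None
    user = effective_user(dockerfile)
    if is_root(user):
        return f"missing-user: image runs as root (last USER = {user!r})"
    return None


# Constructed sample Dockerfiles (not the repository's test fixtures).
HEALTHCHECK_ONLY = """\
FROM busybox
# uncomment for ok
#USER notroot
HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 \\
CMD [ "curl" ]
"""

ENTRYPOINT_AND_CMD_AS_ROOT = """\
FROM busybox
ENTRYPOINT ["some-command"]
CMD ["--some-arg"]
"""

USER_AFTER_ENTRYPOINT = """\
FROM busybox
ENTRYPOINT ["semgrep", "--version"]
USER notroot
"""

if __name__ == "__main__":
    for name, text in [("HEALTHCHECK_ONLY", HEALTHCHECK_ONLY),
                       ("ENTRYPOINT_AND_CMD_AS_ROOT", ENTRYPOINT_AND_CMD_AS_ROOT),
                       ("USER_AFTER_ENTRYPOINT", USER_AFTER_ENTRYPOINT)]:
        print(f"{name}: {check_missing_user(text)}")
```

Joining continuations before classifying instructions is the design decision that matters: once `HEALTHCHECK ... \` and the next line are one string, the leading keyword is `HEALTHCHECK`, and the indentation of `CMD` becomes irrelevant. Checking the last `USER` only, and reporting once per file rather than once per `CMD`/`ENTRYPOINT`, matches the behaviour the commit message says the rule and its autofix are aiming for.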
Showing 6 changed files with 33 additions and 65 deletions.
@@ -1,14 +1,14 @@ | ||
FROM busybox | ||
|
||
# uncomment for ok | ||
# Leave this hear to test that the missing-user rule doesn't think that commented out lines satisfy the rule | ||
#USER notroot | ||
|
||
RUN git clone https://github.com/returntocorp/semgrep | ||
RUN pip3 install semgrep | ||
|
||
# ruleid: missing-user-entrypoint | ||
ENTRYPOINT semgrep -f p/xss | ||
HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 \ | ||
CMD [ "curl" ] | ||
|
||
# TODO: metavar bug | ||
# ok: missing-user-entrypoint | ||
ENTRYPOINT ["semgrep", "--config", "localfile", "targets"] | ||
# ruleid: missing-user | ||
ENTRYPOINT semgrep -f p/xss | ||
CMD "--oss-only" |
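Review bot: both `# ruleid: missing-user-entrypoint` (above the first `ENTRYPOINT semgrep -f p/xss`) and `# ok: missing-user-entrypoint` (above the exec-form `ENTRYPOINT ["semgrep", "--config", "localfile", "targets"]`) are still present in this hunk, and the rendered view has dropped the +/- markers, so it is not visible whether they are removed or kept; since this commit deletes the separate entrypoint rule, any of those annotations that survive on the new side name a rule id that `semgrep --test` can no longer match and should become `# ruleid: missing-user` / `# ok: missing-user`. The `# ok` on the exec-form ENTRYPOINT is only "ok" because of the `# TODO: metavar bug` noted above it; with no `USER` anywhere in the file it is a real missed finding, and `# todoruleid: missing-user` records that known false negative instead of asserting the line is fine. Minor: `Leave this hear` should read `Leave this here`.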
12 changes: 6 additions & 6 deletions
dockerfile/security/missing-user-entrypoint.fixed.dockerfile
@@ -1,15 +1,15 @@ | ||
FROM busybox | ||
|
||
# uncomment for ok | ||
# Leave this hear to test that the missing-user rule doesn't think that commented out lines satisfy the rule | ||
#USER notroot | ||
|
||
RUN git clone https://github.com/returntocorp/semgrep | ||
RUN pip3 install semgrep | ||
|
||
# ruleid: missing-user-entrypoint | ||
HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 \ | ||
CMD [ "curl" ] | ||
|
||
# ok: missing-user | ||
USER non-root | ||
ENTRYPOINT semgrep -f p/xss | ||
|
||
# TODO: metavar bug | ||
# ok: missing-user-entrypoint | ||
ENTRYPOINT ["semgrep", "--config", "localfile", "targets"] | ||
CMD "--oss-only" |
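Review bot: the file name `dockerfile/security/missing-user-entrypoint.fixed.dockerfile` and the `# ruleid: missing-user-entrypoint` / `# ok: missing-user-entrypoint` annotations still bind this fixture to the rule the commit removes, so it is unclear which rule's autofix this `.fixed` file verifies; either rename it to pair with the surviving `missing-user` test or delete it together with the rule. The expected output also inserts `USER non-root` directly above `ENTRYPOINT semgrep -f p/xss`, whereas the commit message says the autofix no longer anchors on CMD or ENTRYPOINT; regenerate this file from the new fix so the test checks the autofix that actually ships. Minor: the commented `#USER notroot` and the inserted `USER non-root` use different placeholder names for the same non-root user.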
This file was deleted.
@@ -1,17 +1,19 @@ | ||
FROM busybox | ||
|
||
# uncomment for ok | ||
# Leave this hear to test that the missing-user rule doesn't think that commented out lines satisfy the rule | ||
#USER notroot | ||
|
||
RUN git clone https://github.com/returntocorp/semgrep | ||
RUN pip3 install semgrep | ||
|
||
# ruleid: missing-user | ||
CMD semgrep -f p/xss | ||
# NOTE: The CMD subdirective should not trigger a false positive | ||
HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 \ | ||
CMD [ "curl" ] | ||
|
||
# ruleid: missing-user | ||
CMD semgrep --config localfile targets | ||
# TODO: Have the rule exclude HEALTHCHECK where CMD on the newline does not follow convention and is not indented | ||
# NOTE: The CMD subdirective should not trigger a false positive | ||
# HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 \ | ||
# CMD [ "curl" ] | ||
|
||
# TODO: metavar ellipses bug | ||
# ok: missing-user | ||
CMD ["semgrep", "--version"] | ||
# ruleid: missing-user | ||
CMD semgrep --config localfile targets |
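Review bot: `CMD semgrep --config localfile targets` appears twice as a `# ruleid: missing-user` case (once above the commented-out HEALTHCHECK block and again on the last line), which contradicts the commit message's cleanup of "calling CMD twice" and only adds a duplicate finding; one instance is enough. `CMD ["semgrep", "--version"]` is marked `# ok: missing-user` while the comment above it says `# TODO: metavar ellipses bug`: the file sets no `USER`, so that exec-form CMD is a genuine finding, and `# todoruleid: missing-user` documents the known false negative instead of asserting it is fine. The commented-out HEALTHCHECK block with the unindented `CMD [ "curl" ]` could likewise be kept live under `# todook: missing-user`, so the TODO about unindented continuation lines is enforced by the test rather than hidden in a comment.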