Merge branch 'master' into hotfix/6961-GCS-not-GSC

Checkmarx · Mar 20, 2024 · 81cfd10 · 81cfd10
2 parents 72d616e + 812327b
commit 81cfd10
Show file tree

Hide file tree

Showing 6 changed files with 25 additions and 11 deletions.
diff --git a/assets/libraries/common.rego b/assets/libraries/common.rego
@@ -726,6 +726,16 @@ get_version(name) = version {
 	version := concat(".", [splited[0],splited[1]])
 }
 
+contains_element(arr, element) {
+    element == arr[_]
+}
+
+contains_with_size(arr, element){
+	count(arr)>0
+    test := arr[j]
+	contains(test, element)
+}
+
 valid_non_empty_key(field, key) = output {
 	not valid_key(field, key)
 	output = ""

diff --git a/assets/queries/dockerfile/using_platform_with_from/metadata.json b/assets/queries/dockerfile/using_platform_with_from/metadata.json
@@ -1,11 +1,11 @@
 {
   "id": "b16e8501-ef3c-44e1-a543-a093238099c9",
   "queryName": "Using Platform Flag with FROM Command",
-  "severity": "MEDIUM",
-  "category": "Supply-Chain",
-  "descriptionText": "Don't use '--platform' flag with FROM",
+  "severity": "INFO",
+  "category": "Best Practices",
+  "descriptionText": "Dockerfile must use '--platform' flag with FROM, with multi-stage build",
   "descriptionUrl": "https://docs.docker.com/engine/reference/builder/#from",
   "platform": "Dockerfile",
   "descriptionID": "5bd0baab",
   "cwe": "695"
-}
+}
diff --git a/assets/queries/dockerfile/using_platform_with_from/query.rego b/assets/queries/dockerfile/using_platform_with_from/query.rego
@@ -1,15 +1,19 @@
 package Cx
 
+import data.generic.common as common_lib
+
 CxPolicy[result] {
 	resource := input.document[i].command[name][_]
-	contains(resource.Flags[j], "--platform")
-	contains(resource.Cmd, "from")
+
+	common_lib.contains_element(resource.Value, "as")
+    contains(resource.Cmd, "from")
+	not common_lib.contains_with_size(resource.Flags, "--platform")
 
 	result := {
 		"documentId": input.document[i].id,
 		"searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]),
 		"issueType": "IncorrectValue",
-		"keyExpectedValue": sprintf("FROM={{%s}}.{{%s}} shouldn't use the flag '--platform'", [name, resource.Original]),
-		"keyActualValue": sprintf("FROM={{%s}}.{{%s}} uses the flag '--platform'", [name, resource.Original]),
+		"keyExpectedValue": sprintf("FROM={{%s}}.{{%s}} should use the flag '--platform'", [name, resource.Original]),
+		"keyActualValue": sprintf("FROM={{%s}}.{{%s}} not use the flag '--platform'", [name, resource.Original]),
 	}
 }
diff --git a/assets/queries/dockerfile/using_platform_with_from/test/negative.dockerfile b/assets/queries/dockerfile/using_platform_with_from/test/negative.dockerfile
@@ -3,4 +3,4 @@ RUN apk add --update py2-pip
 RUN pip install --upgrade pip
 LABEL maintainer="[email protected]"
 COPY requirements.txt /usr/src/app/
-FROM baseimage
+FROM --platform=arm64 baseimage as baseimage-build
diff --git a/assets/queries/dockerfile/using_platform_with_from/test/positive.dockerfile b/assets/queries/dockerfile/using_platform_with_from/test/positive.dockerfile
@@ -3,4 +3,4 @@ RUN apk add --update py2-pip
 RUN pip install --upgrade pip
 LABEL maintainer="[email protected]"
 COPY requirements.txt /usr/src/app/
-FROM --platform=arm64 baseimage
+FROM baseimage as baseimage-build
diff --git a/assets/queries/dockerfile/using_platform_with_from/test/positive_expected_result.json b/assets/queries/dockerfile/using_platform_with_from/test/positive_expected_result.json
@@ -1,7 +1,7 @@
 [
 	{
 		"queryName": "Using Platform Flag with FROM Command",
-		"severity": "MEDIUM",
+		"severity": "INFO",
 		"line": 6
 	}
 ]