Merge branch 'master' into hotfix/6961-GCS-not-GSC
Showing
6 changed files
with
25 additions
and
11 deletions.
8 changes: 4 additions & 4 deletions
8
assets/queries/dockerfile/using_platform_with_from/metadata.json
@@ -1,11 +1,11 @@ | ||
{ | ||
"id": "b16e8501-ef3c-44e1-a543-a093238099c9", | ||
"queryName": "Using Platform Flag with FROM Command", | ||
"severity": "MEDIUM", | ||
"category": "Supply-Chain", | ||
"descriptionText": "Don't use '--platform' flag with FROM", | ||
"severity": "INFO", | ||
"category": "Best Practices", | ||
"descriptionText": "Dockerfile must use '--platform' flag with FROM, with multi-stage build", | ||
"descriptionUrl": "https://docs.docker.com/engine/reference/builder/#from", | ||
"platform": "Dockerfile", | ||
"descriptionID": "5bd0baab", | ||
"cwe": "695" | ||
} | ||
} |
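Review bot: The new-side `descriptionText`, "Dockerfile must use '--platform' flag with FROM, with multi-stage build", is awkward and does not state the condition the finding actually reports; something like `"descriptionText": "Multi-stage builds should use the '--platform' flag with FROM"` says the same thing more directly. The `cwe` value `695` and the `descriptionID` are carried over unchanged even though the query now reports the opposite condition (a FROM lacking `--platform` rather than one using it), so it is worth confirming the CWE mapping still fits the inverted check. Which printed lines are the new side is inferred from the commit title and the updated test fixtures, since the rendered page lost its markers.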
12 changes: 8 additions & 4 deletions
12
assets/queries/dockerfile/using_platform_with_from/query.rego
@@ -1,15 +1,19 @@ | ||
package Cx | ||
|
||
import data.generic.common as common_lib | ||
|
||
CxPolicy[result] { | ||
resource := input.document[i].command[name][_] | ||
contains(resource.Flags[j], "--platform") | ||
contains(resource.Cmd, "from") | ||
|
||
common_lib.contains_element(resource.Value, "as") | ||
contains(resource.Cmd, "from") | ||
not common_lib.contains_with_size(resource.Flags, "--platform") | ||
|
||
result := { | ||
"documentId": input.document[i].id, | ||
"searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]), | ||
"issueType": "IncorrectValue", | ||
"keyExpectedValue": sprintf("FROM={{%s}}.{{%s}} shouldn't use the flag '--platform'", [name, resource.Original]), | ||
"keyActualValue": sprintf("FROM={{%s}}.{{%s}} uses the flag '--platform'", [name, resource.Original]), | ||
"keyExpectedValue": sprintf("FROM={{%s}}.{{%s}} should use the flag '--platform'", [name, resource.Original]), | ||
"keyActualValue": sprintf("FROM={{%s}}.{{%s}} not use the flag '--platform'", [name, resource.Original]), | ||
} | ||
} |
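Review bot: The new-side `keyActualValue` message `FROM={{%s}}.{{%s}} not use the flag '--platform'` is ungrammatical in the reported finding; `"keyActualValue": sprintf("FROM={{%s}}.{{%s}} does not use the flag '--platform'", [name, resource.Original]),` reads as intended. The multi-stage check `common_lib.contains_element(resource.Value, "as")` looks like an exact element comparison, so a stage declared with upper-case `AS` (Dockerfile keywords are case-insensitive) would presumably not be recognised unless the parser lower-cases values — worth confirming against common_lib, because a miss there silently drops findings rather than producing a false positive. Which printed version is the new side is inferred from the commit title and the updated positive/negative fixtures, as the rendered page lost its `+`/`-` markers.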
|
@@ -3,4 +3,4 @@ RUN apk add --update py2-pip | |
RUN pip install --upgrade pip | ||
LABEL maintainer="[email protected]" | ||
COPY requirements.txt /usr/src/app/ | ||
FROM baseimage | ||
FROM --platform=arm64 baseimage as baseimage-build |
|
@@ -3,4 +3,4 @@ RUN apk add --update py2-pip | |
RUN pip install --upgrade pip | ||
LABEL maintainer="[email protected]" | ||
COPY requirements.txt /usr/src/app/ | ||
FROM --platform=arm64 baseimage | ||
FROM baseimage as baseimage-build |
2 changes: 1 addition & 1 deletion
2
assets/queries/dockerfile/using_platform_with_from/test/positive_expected_result.json
@@ -1,7 +1,7 @@ | ||
[ | ||
{ | ||
"queryName": "Using Platform Flag with FROM Command", | ||
"severity": "MEDIUM", | ||
"severity": "INFO", | ||
"line": 6 | ||
} | ||
] |