fix(detector): Fixed bug with dectector getting the wrong line #2010

Signed-off-by: João Reigota <[email protected]>
Checkmarx · May 28, 2021 · 89e356b · 89e356b
1 parent f2438a0
commit 89e356b
Show file tree

Hide file tree

Showing 5 changed files with 10 additions and 7 deletions.
diff --git a/assets/queries/cloudFormation/ecs_task_definition_invalid_cpu_or_memory/query.rego b/assets/queries/cloudFormation/ecs_task_definition_invalid_cpu_or_memory/query.rego
@@ -77,5 +77,5 @@ createSearchKey(a, b) = search {
 
 createSearchKey(a, b) = search {
 	b.Name.Ref
-	search := sprintf("Resources.%s.Properties.ContainerDefinitions.Name=%s", [a, b.Name.Ref])
+	search := sprintf("Resources.%s.Properties.ContainerDefinitions.Name.Ref=%s", [a, b.Name.Ref])
 }
diff --git a/assets/queries/dockerfile/pip_install_keeping_cached_packages/query.rego b/assets/queries/dockerfile/pip_install_keeping_cached_packages/query.rego
@@ -11,7 +11,7 @@ CxPolicy[result] {
 
 	result := {
 		"documentId": input.document[i].id,
-		"searchKey": sprintf("FROM={{%s}}.RUN={{%s}}", [name, values]),
+		"searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, values]),
 		"issueType": "IncorrectValue",
 		"keyExpectedValue": "The '--no-cache-dir' flag is set when running 'pip/pip3 install'",
 		"keyActualValue": "The '--no-cache-dir' flag isn't set when running 'pip/pip3 install'",
@@ -30,7 +30,7 @@ CxPolicy[result] {
 
 	result := {
 		"documentId": input.document[i].id,
-		"searchKey": sprintf("FROM={{%s}}.RUN={{%s}}", [name, resource.Original]),
+		"searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]),
 		"issueType": "IncorrectValue",
 		"keyExpectedValue": "The '--no-cache-dir' flag is set when running 'pip/pip3 install'",
 		"keyActualValue": "The '--no-cache-dir' flag isn't set when running 'pip/pip3 install'",

diff --git a/assets/queries/dockerfile/run_using_wget_and_curl/query.rego b/assets/queries/dockerfile/run_using_wget_and_curl/query.rego
@@ -11,7 +11,7 @@ CxPolicy[result] {
 
 	result := {
 		"documentId": input.document[i].id,
-		"searchKey": sprintf("FROM={{%s}}.RUN={{%s}}", [name, curl[0]]),
+		"searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, curl[0]]),
 		"issueType": "RedundantAttribute",
 		"keyExpectedValue": "Exclusively using 'wget' or 'curl'",
 		"keyActualValue": "Using both 'wget' and 'curl'",

diff --git a/assets/queries/dockerfile/run_utilities_and_posix_commands/query.rego b/assets/queries/dockerfile/run_utilities_and_posix_commands/query.rego
@@ -8,7 +8,7 @@ CxPolicy[result] {
 
 	result := {
 		"documentId": input.document[i].id,
-		"searchKey": sprintf("FROM={{%s}}.RUN={{%s}}", [name, resource.Original]),
+		"searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]),
 		"issueType": "IncorrectValue",
 		"keyExpectedValue": "There are no dangerous commands or utilities being executed",
 		"keyActualValue": sprintf("Run instruction is executing the %s command", [resource.Value[0]]),

diff --git a/pkg/detector/helper.go b/pkg/detector/helper.go
@@ -220,8 +220,11 @@ func DetectCurrentLine(lines []string, str1, str2 string,
 	distances := make(map[int]int)
 	for i := curLine; i < len(lines); i++ {
 		if str1 != "" && str2 != "" {
-			if strings.Contains(lines[i], str1) && strings.Contains(lines[i], str2) {
-				distances[i] = levenshtein.ComputeDistance(ExtractLineFragment(lines[i], str2, false), str2)
+			if strings.Contains(lines[i], str1) {
+				restLine := lines[i][strings.Index(lines[i], str1)+len(str1):]
+				if strings.Contains(restLine, str2) {
+					distances[i] = levenshtein.ComputeDistance(ExtractLineFragment(restLine, str2, false), str2)
+				}
 			}
 		} else if str1 != "" {
 			if strings.Contains(lines[i], str1) {