fix(query): generate different similarity id for each unpinned package (

#3673)
Checkmarx · Jun 16, 2021 · a0f3d8d · a0f3d8d
1 parent 38b6890
commit a0f3d8d
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 8 deletions.
diff --git a/assets/queries/dockerfile/apt_get_install_pin_version_not_defined/query.rego b/assets/queries/dockerfile/apt_get_install_pin_version_not_defined/query.rego
@@ -15,15 +15,16 @@ CxPolicy[result] {
 	packages = dockerLib.getPackages(commands, aptGet)
 	length := count(packages)
 
-	some j
-	analyzePackages(j, packages[j], packages, length)
+	packageName := packages[j]
+	analyzePackages(j, packageName, packages, length)
 
 	result := {
 		"documentId": input.document[i].id,
 		"searchKey": sprintf("FROM={{%s}}.RUN={{%s}}", [name, commands]),
+		"searchValue": packageName,
 		"issueType": "MissingAttribute",
-		"keyExpectedValue": sprintf("Package '%s' has version defined", [packages[j]]),
-		"keyActualValue": sprintf("Package '%s' does not have version defined", [packages[j]]),
+		"keyExpectedValue": sprintf("Package '%s' has version defined", [packageName]),
+		"keyActualValue": sprintf("Package '%s' does not have version defined", [packageName]),
 	}
 }
 
@@ -37,15 +38,19 @@ CxPolicy[result] {
 
 	resource.Value[j] != "install"
 	resource.Value[j] != "apt-get"
-	regex.match("^[a-zA-Z]", resource.Value[j]) == true
-	not dockerLib.withVersion(resource.Value[j])
+
+	packageName := resource.Value[j]
+
+	regex.match("^[a-zA-Z]", packageName) == true
+	not dockerLib.withVersion(packageName)
 
 	result := {
 		"documentId": input.document[i].id,
 		"searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]),
+		"searchValue": packageName,
 		"issueType": "IncorrectValue",
-		"keyExpectedValue": sprintf("Package '%s' has version defined", [resource.Value[j]]),
-		"keyActualValue": sprintf("Package '%s' does not have version defined", [resource.Value[j]]),
+		"keyExpectedValue": sprintf("Package '%s' has version defined", [packageName]),
+		"keyActualValue": sprintf("Package '%s' does not have version defined", [packageName]),
 	}
 }
 

diff --git a/test/queries_content_test.go b/test/queries_content_test.go
@@ -45,6 +45,7 @@ var (
 		"../assets/queries/terraform/aws/sensitive_port_is_exposed_to_small_public_network",
 		"../assets/queries/terraform/azure/sensitive_port_is_exposed_to_entire_network",
 		"../assets/queries/terraform/azure/sensitive_port_is_exposed_to_small_public_network",
+		"../assets/queries/dockerfile/apt_get_install_pin_version_not_defined",
 	}
 
 	// query category -> TODO categories ID