Merge pull request #6637 from Checkmarx/kics-998

fix(query): dockerfile unpinned_package_version_in_pip_install
Checkmarx · Oct 9, 2023 · bd72231 · bd72231
2 parents 898fa35 + 5d06ab3
commit bd72231
Show file tree

Hide file tree

Showing 6 changed files with 34 additions and 7 deletions.
diff --git a/assets/queries/dockerfile/unpinned_package_version_in_pip_install/query.rego b/assets/queries/dockerfile/unpinned_package_version_in_pip_install/query.rego
@@ -2,6 +2,8 @@ package Cx
 
 import data.generic.dockerfile as dockerLib
 
+flags = ["-r", "-c"]
+
 CxPolicy[result] {
 	resource := input.document[i].command[name][_]
 	resource.Cmd == "run"
@@ -13,10 +15,13 @@ CxPolicy[result] {
 	yum != null
 
 	packages = dockerLib.getPackages(commands, yum)
-	length := count(packages)
+    refactorPackages = [ x | x := packages[_]; x != ""]
+    length := count(refactorPackages)
+
+	count({x | x := refactorPackages[_]; x == flags[_]}) == 0
 
 	some j
-	analyzePackages(j, packages[j], packages, length)
+	analyzePackages(j, refactorPackages[j], packages, length)
 
 	result := {
 		"documentId": input.document[i].id,
@@ -57,7 +62,7 @@ isPip(command) {
 	contains(command[j], "install")
 }
 
-analyzePackages(j, currentPackage, packages, length) {
+analyzePackages(j, currentPackage, _, length) {
 	j == length - 1
 	regex.match("^[a-zA-Z]", currentPackage) == true
 	not dockerLib.withVersion(currentPackage)

diff --git a/...n_in_pip_install/test/negative.dockerfile → ..._in_pip_install/test/negative1.dockerfile b/...n_in_pip_install/test/negative.dockerfile → ..._in_pip_install/test/negative1.dockerfile
diff --git a/assets/queries/dockerfile/unpinned_package_version_in_pip_install/test/negative2.dockerfile b/assets/queries/dockerfile/unpinned_package_version_in_pip_install/test/negative2.dockerfile
@@ -0,0 +1,9 @@
+FROM alpine:3.4
+RUN apk add --update py-pip=7.1.2-r0
+RUN pip3 install -r pip_requirements.txt
+COPY requirements.txt /usr/src/app/
+RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
+COPY app.py /usr/src/app/
+COPY templates/index.html /usr/src/app/templates/
+EXPOSE 5000
+CMD ["python", "/usr/src/app/app.py"]
diff --git a/assets/queries/dockerfile/unpinned_package_version_in_pip_install/test/negative3.dockerfile b/assets/queries/dockerfile/unpinned_package_version_in_pip_install/test/negative3.dockerfile
@@ -0,0 +1,9 @@
+FROM alpine:3.4
+RUN apk add --update py-pip=7.1.2-r0
+RUN pip3 install -c constraints.txt
+COPY requirements.txt /usr/src/app/
+RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
+COPY app.py /usr/src/app/
+COPY templates/index.html /usr/src/app/templates/
+EXPOSE 5000
+CMD ["python", "/usr/src/app/app.py"]
diff --git a/...n_in_pip_install/test/positive.dockerfile → ..._in_pip_install/test/positive1.dockerfile b/...n_in_pip_install/test/positive.dockerfile → ..._in_pip_install/test/positive1.dockerfile
diff --git a/...ies/dockerfile/unpinned_package_version_in_pip_install/test/positive_expected_result.json b/...ies/dockerfile/unpinned_package_version_in_pip_install/test/positive_expected_result.json
@@ -2,21 +2,25 @@
   {
     "queryName": "Unpinned Package Version in Pip Install",
     "severity": "MEDIUM",
-    "line": 3
+    "line": 3,
+    "filename": "positive1.dockerfile"
   },
   {
     "queryName": "Unpinned Package Version in Pip Install",
     "severity": "MEDIUM",
-    "line": 4
+    "line": 4,
+    "filename": "positive1.dockerfile"
   },
   {
     "queryName": "Unpinned Package Version in Pip Install",
     "severity": "MEDIUM",
-    "line": 15
+    "line": 15,
+    "filename": "positive1.dockerfile"
   },
   {
     "queryName": "Unpinned Package Version in Pip Install",
     "severity": "MEDIUM",
-    "line": 18
+    "line": 18,
+    "filename": "positive1.dockerfile"
   }
 ]