From da6768ee1fbf136d5525f86d46ceb60b31b566c2 Mon Sep 17 00:00:00 2001
From: cx-henriqueAlvelos
Date: Fri, 11 Aug 2023 17:59:36 +0100
Subject: [PATCH 1/5] fix(query): dockerfile unpinned_package_version_in_pip_install
---
 .../query.rego | 11 ++++++++---
 .../{negative.dockerfile => negative1.dockerfile} | 0
 .../test/negative2.dockerfile | 9 +++++++++
 .../test/negative3.dockerfile | 9 +++++++++
 .../{positive.dockerfile => positive1.dockerfile} | 0
 .../test/positive_expected_result.json | 12 ++++++++----
 6 files changed, 34 insertions(+), 7 deletions(-)
 rename assets/queries/dockerfile/unpinned_package_version_in_pip_install/test/{negative.dockerfile => negative1.dockerfile} (100%)
 create mode 100644 assets/queries/dockerfile/unpinned_package_version_in_pip_install/test/negative2.dockerfile
 create mode 100644 assets/queries/dockerfile/unpinned_package_version_in_pip_install/test/negative3.dockerfile
 rename assets/queries/dockerfile/unpinned_package_version_in_pip_install/test/{positive.dockerfile => positive1.dockerfile} (100%)
diff --git a/assets/queries/dockerfile/unpinned_package_version_in_pip_install/query.rego b/assets/queries/dockerfile/unpinned_package_version_in_pip_install/query.rego
index f2cb65d48a5..bbb12fc672b 100644
--- a/assets/queries/dockerfile/unpinned_package_version_in_pip_install/query.rego
+++ b/assets/queries/dockerfile/unpinned_package_version_in_pip_install/query.rego
@@ -2,6 +2,8 @@ package Cx
 import data.generic.dockerfile as dockerLib
+flags = ["-r", "-c"]
+
 CxPolicy[result] {
 resource := input.document[i].command[name][_]
 resource.Cmd == "run"
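Review bot: `flags` carries only the short spellings, so a `pip install --requirement req.txt` or `--constraint c.txt` is not exempted by the check that consumes this list further down in CxPolicy; the file name then reaches analyzePackages as if it were a package, and since it starts with a letter and has no version marker it is most likely reported as unpinned (the rule bodies are outside this hunk, so this is inferred from the `^[a-zA-Z]` test visible in a later hunk). The list should also cover the long forms: `flags = ["-r", "--requirement", "-c", "--constraint"]`. A one-line comment above it would help the next reader: `# pip install options whose next token is a file path, not a package spec`.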
@@ -12,11 +14,14 @@ CxPolicy[result] {
 yum := regex.find_n("pip(3)? (-(-)?[a-zA-Z]+ *)*install", commands, -1)
 yum != null
- packages = dockerLib.getPackages(commands, yum)
- length := count(packages)
+ packages = getPackages(commands, yum)
+ refactorPackages = [ x | x := packages[_]; x != ""]
+ length := count(refactorPackages)
+
+ count({x | x := packages[_]; x != flags[_]}) == length
 some j
- analyzePackages(j, packages[j], packages, length)
+ analyzePackages(j, refactorPackages[j], packages, length)
 result := {
 "documentId": input.document[i].id,
diff --git a/assets/queries/dockerfile/unpinned_package_version_in_pip_install/test/negative.dockerfile b/assets/queries/dockerfile/unpinned_package_version_in_pip_install/test/negative1.dockerfile
similarity index 100%
rename from assets/queries/dockerfile/unpinned_package_version_in_pip_install/test/negative.dockerfile
rename to assets/queries/dockerfile/unpinned_package_version_in_pip_install/test/negative1.dockerfile
diff --git a/assets/queries/dockerfile/unpinned_package_version_in_pip_install/test/negative2.dockerfile b/assets/queries/dockerfile/unpinned_package_version_in_pip_install/test/negative2.dockerfile
new file mode 100644
index 00000000000..9cccff38e1a
--- /dev/null
+++ b/assets/queries/dockerfile/unpinned_package_version_in_pip_install/test/negative2.dockerfile
@@ -0,0 +1,9 @@
+FROM alpine:3.4
+RUN apk add --update py-pip=7.1.2-r0
+RUN pip3 install -r pip_requirements.txt
+COPY requirements.txt /usr/src/app/
+RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
+COPY app.py /usr/src/app/
+COPY templates/index.html /usr/src/app/templates/
+EXPOSE 5000
+CMD ["python", "/usr/src/app/app.py"]
diff --git a/assets/queries/dockerfile/unpinned_package_version_in_pip_install/test/negative3.dockerfile b/assets/queries/dockerfile/unpinned_package_version_in_pip_install/test/negative3.dockerfile
new file mode 100644
index 00000000000..45b7b963e50
--- /dev/null
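Review bot: The rewritten call `analyzePackages(j, refactorPackages[j], packages, length)` mixes the two lists: `j` and `length` are computed over `refactorPackages` (empty tokens removed) while the third argument is still the unfiltered `packages`, so any rule that indexes that argument by `j` (the second analyzePackages rule, whose head appears in a later hunk and whose body is outside this series) sees positions shifted by the number of empty tokens that were dropped. Handing the same list throughout avoids the drift: `analyzePackages(j, refactorPackages[j], refactorPackages, length)`. This line is carried unchanged as context through patches 3 and 5, so the fix belongs at the end of the series. CxPolicy's body continues outside the hunk.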
+++ b/assets/queries/dockerfile/unpinned_package_version_in_pip_install/test/negative3.dockerfile
@@ -0,0 +1,9 @@
+FROM alpine:3.4
+RUN apk add --update py-pip=7.1.2-r0
+RUN pip3 install -c constraints.txt
+COPY requirements.txt /usr/src/app/
+RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
+COPY app.py /usr/src/app/
+COPY templates/index.html /usr/src/app/templates/
+EXPOSE 5000
+CMD ["python", "/usr/src/app/app.py"]
\ No newline at end of file
diff --git a/assets/queries/dockerfile/unpinned_package_version_in_pip_install/test/positive.dockerfile b/assets/queries/dockerfile/unpinned_package_version_in_pip_install/test/positive1.dockerfile
similarity index 100%
rename from assets/queries/dockerfile/unpinned_package_version_in_pip_install/test/positive.dockerfile
rename to assets/queries/dockerfile/unpinned_package_version_in_pip_install/test/positive1.dockerfile
diff --git a/assets/queries/dockerfile/unpinned_package_version_in_pip_install/test/positive_expected_result.json b/assets/queries/dockerfile/unpinned_package_version_in_pip_install/test/positive_expected_result.json
index ab2bb5198d3..4ffe50570bf 100644
--- a/assets/queries/dockerfile/unpinned_package_version_in_pip_install/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/unpinned_package_version_in_pip_install/test/positive_expected_result.json
@@ -2,21 +2,25 @@
 {
 "queryName": "Unpinned Package Version in Pip Install",
 "severity": "MEDIUM",
- "line": 3
+ "line": 3,
+ "filename": "positive1.dockerfile"
 },
 {
 "queryName": "Unpinned Package Version in Pip Install",
 "severity": "MEDIUM",
- "line": 4
+ "line": 4,
+ "filename": "positive1.dockerfile"
 },
 {
 "queryName": "Unpinned Package Version in Pip Install",
 "severity": "MEDIUM",
- "line": 15
+ "line": 15,
+ "filename": "positive1.dockerfile"
 },
 {
 "queryName": "Unpinned Package Version in Pip Install",
 "severity": "MEDIUM",
- "line": 18
+ "line": 18,
+ "filename": "positive1.dockerfile"
 }
 ]
From a0a14b5145a8bb8a091039e7aec00a7ba3412bb2 Mon Sep 17 00:00:00 2001
From: cx-henriqueAlvelos
Date: Fri, 11 Aug 2023 18:25:24 +0100
Subject: [PATCH 2/5] fix getPackages
---
 .../unpinned_package_version_in_pip_install/query.rego | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/assets/queries/dockerfile/unpinned_package_version_in_pip_install/query.rego b/assets/queries/dockerfile/unpinned_package_version_in_pip_install/query.rego
index bbb12fc672b..6de3331d518 100644
--- a/assets/queries/dockerfile/unpinned_package_version_in_pip_install/query.rego
+++ b/assets/queries/dockerfile/unpinned_package_version_in_pip_install/query.rego
@@ -14,7 +14,7 @@ CxPolicy[result] {
 yum := regex.find_n("pip(3)? (-(-)?[a-zA-Z]+ *)*install", commands, -1)
 yum != null
- packages = getPackages(commands, yum)
+ packages = dockerLib.getPackages(commands, yum)
 refactorPackages = [ x | x := packages[_]; x != ""]
 length := count(refactorPackages)
From 46dc062f0b81ceb8541f7b93001c803c31ee11e0 Mon Sep 17 00:00:00 2001
From: cx-henriqueAlvelos
Date: Sat, 12 Aug 2023 08:57:24 +0100
Subject: [PATCH 3/5] fixed counter and args
---
 .../unpinned_package_version_in_pip_install/query.rego | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/assets/queries/dockerfile/unpinned_package_version_in_pip_install/query.rego b/assets/queries/dockerfile/unpinned_package_version_in_pip_install/query.rego
index 6de3331d518..96738e52487 100644
--- a/assets/queries/dockerfile/unpinned_package_version_in_pip_install/query.rego
+++ b/assets/queries/dockerfile/unpinned_package_version_in_pip_install/query.rego
@@ -18,7 +18,7 @@ CxPolicy[result] {
 refactorPackages = [ x | x := packages[_]; x != ""]
 length := count(refactorPackages)
- count({x | x := packages[_]; x != flags[_]}) == length
+ count({x | x := refactorPackages[_]; x != flags[_]}) == length
 some j
 analyzePackages(j, refactorPackages[j], packages, length)
@@ -62,10 +62,10 @@ isPip(command) {
 contains(command[j], "install")
 }
-analyzePackages(j, currentPackage, packages, length) {
+analyzePackages(j, currentPackage, _, length) {
 j == length - 1
 regex.match("^[a-zA-Z]", currentPackage) == true
- not dockerLib.withVersion(currentPackage)
+ not withVersion(currentPackage)
 }
 analyzePackages(j, currentPackage, packages, length) {
From 5e7e34334bea4201d73bf2575e2c2a3441055129 Mon Sep 17 00:00:00 2001
From: cx-henriqueAlvelos
Date: Sat, 12 Aug 2023 08:58:43 +0100
Subject: [PATCH 4/5] fixed function
---
 .../unpinned_package_version_in_pip_install/query.rego | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/assets/queries/dockerfile/unpinned_package_version_in_pip_install/query.rego b/assets/queries/dockerfile/unpinned_package_version_in_pip_install/query.rego
index 96738e52487..1a211dd6cb8 100644
--- a/assets/queries/dockerfile/unpinned_package_version_in_pip_install/query.rego
+++ b/assets/queries/dockerfile/unpinned_package_version_in_pip_install/query.rego
@@ -65,7 +65,7 @@ isPip(command) {
 analyzePackages(j, currentPackage, _, length) {
 j == length - 1
 regex.match("^[a-zA-Z]", currentPackage) == true
- not withVersion(currentPackage)
+ not dockerLib.withVersion(currentPackage)
 }
 analyzePackages(j, currentPackage, packages, length) {
From bbfd0fcef75fcafc767d8cb20effa394e90eec1b Mon Sep 17 00:00:00 2001
From: cx-henriqueAlvelos
Date: Sat, 12 Aug 2023 09:52:36 +0100
Subject: [PATCH 5/5] fixed count
---
 .../unpinned_package_version_in_pip_install/query.rego | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/assets/queries/dockerfile/unpinned_package_version_in_pip_install/query.rego b/assets/queries/dockerfile/unpinned_package_version_in_pip_install/query.rego
index 1a211dd6cb8..268199179fb 100644
--- a/assets/queries/dockerfile/unpinned_package_version_in_pip_install/query.rego
+++ b/assets/queries/dockerfile/unpinned_package_version_in_pip_install/query.rego
@@ -18,7 +18,7 @@ CxPolicy[result] {
 refactorPackages = [ x | x := packages[_]; x != ""]
 length := count(refactorPackages)
- count({x | x := refactorPackages[_]; x != flags[_]}) == length
+ count({x | x := refactorPackages[_]; x == flags[_]}) == 0
 some j
 analyzePackages(j, refactorPackages[j], packages, length)
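Review bot: `count({x | x := refactorPackages[_]; x == flags[_]}) == 0` turns any `-r`/`-c` on the command into a blanket exemption for the whole `pip install`, so a line such as `RUN pip install -r requirements.txt requests` (valid pip: a file plus an extra positional package) is no longer analysed at all and the unpinned `requests` goes unreported; none of the fixtures added in patch 1 covers that mixed case, so a positive fixture for it would pin the intended behaviour. The narrower fix is to drop the file-taking flag together with the token that follows it and keep analysing the rest, as sketched below (assuming analyzePackages relies only on adjacency within the list it is handed; its bodies are outside this hunk). Either way the query deserves a comment stating that the referenced requirements/constraints file is not inspected here, so pins inside it are trusted rather than checked. CxPolicy's body starts and ends outside the hunk.
```rego
	# … unchanged: packages = dockerLib.getPackages(commands, yum) …
	cleaned := [x | x := packages[_]; x != ""]
	# a file-taking flag (-r/-c) and the path right after it are not package specs;
	# the referenced file itself is not inspected by this query
	fileFlagIdx := {k | some k; cleaned[k] == flags[_]}
	refactorPackages := [p |
		some k
		p := cleaned[k]
		not fileFlagIdx[k]
		prev := k - 1
		not fileFlagIdx[prev]
	]
	length := count(refactorPackages)
	# … unchanged: some j / analyzePackages call …
```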