refactor(query): containers_run_with_low_uid rewrite #3430
Conversation
Other than one comment, LGTM
"documentId": id, | ||
"searchKey": sprintf("metadata.name={{%s}}.%sspec.securityContext.runAsUser", [metadata.name, path]), | ||
"documentId": doc.id, | ||
"searchKey": sprintf("%s.securityContext.runAsUser=%d", [common_lib.concat_path(path), securityContext.runAsUser]), |
Since on line 11 we use to_number, I assume the security context can be something other than an integer; maybe use to_number in the search key as well so it doesn't conflict with %d.
"searchKey": sprintf("%s.securityContext.runAsUser=%d", [common_lib.concat_path(path), securityContext.runAsUser]), | |
"searchKey": sprintf("%s.securityContext.runAsUser=%d", [common_lib.concat_path(path), to_number(securityContext.runAsUser)]), |
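Review bot: the suggested `to_number(securityContext.runAsUser)` wrapper on this line is worth keeping. OPA's `to_number` also accepts numeric strings, so a `runAsUser` written as a quoted YAML string (for example `"1000"`) would pass an earlier `to_number` check and still reach this `sprintf`, where the `%d` verb expects an integer and would otherwise render a malformed search key. Alternatively, reuse the value already converted by that earlier check rather than converting twice.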
I don't think we need to add to_number here, since it will only execute this line if runAsUser is a number; otherwise, it will fail on the first to_number, no?
I think @felipe-avelar is right @joaoReigota1
LGTM
I submit this contribution under the Apache-2.0 license.