fix(rego): improve AVD-DS-0015

.gitignore

@@ -1,3 +1,5 @@
-.idea
 bundle.tar.gz
 opa
+
+.idea
+.vscode

checks/docker/update_instruction_alone.rego

@@ -56,22 +56,10 @@ deny[res] {
 }
 
 has_update(cmds, package_manager) = indexes {
-	indexes := contains_cmd_with_package_manager(cmds, update_cmds, package_manager)
+	indexes := docker.command_indexes(cmds, update_cmds, package_manager)
 }
 
 update_followed_by_install(cmds, package_manager, update_indexes) {
-	install_index := contains_cmd_with_package_manager(cmds, install_cmds, package_manager)
+	install_index := docker.command_indexes(cmds, install_cmds, package_manager)
 	update_indexes[_] < install_index[_]
 }
-
-contains_cmd_with_package_manager(cmds, cmds_to_check, package_manager) = cmd_indexes {
-	cmd_indexes = [idx |
-		cmd_parts := cmds[idx]
-		some i, j
-		i != j
-		cmd_parts[i] == package_manager[_]
-		cmd_parts[j] == cmds_to_check[_]
-		i < j
-	]
-	count(cmd_indexes) != 0
-}

checks/docker/yum_clean_all_missing.rego

@@ -17,29 +17,29 @@
 #     - type: dockerfile
 package builtin.dockerfile.DS015
 
+import future.keywords.in
+
 import data.lib.docker
 
-get_yum[output] {
+deny[res] {
 	run := docker.run[_]
-	arg := run.Value[0]
+	run_cmd := concat(" ", run.Value)
+	cmds := sh.parse_commands(run_cmd)
 
-	regex.match("yum (-[a-zA-Z]+ *)*install", arg)
+	install_indexes := has_install(cmds, {"yum"})
+	not install_followed_by_clean(cmds, {"yum"}, install_indexes)
 
-	not contains_clean_after_yum(arg)
-	output := {
-		"cmd": run,
-		"arg": arg,
-	}
+	msg := sprintf("'yum clean all' is missed: %s", [run_cmd])
+	res := result.new(msg, run)
 }
 
-deny[res] {
-	output := get_yum[_]
-	msg := sprintf("'yum clean all' is missed: %s", [output.arg])
-	res := result.new(msg, output.cmd)
+has_install(cmds, package_manager) = indexes {
+	indexes := docker.command_indexes(cmds, ["install"], package_manager)
 }
 
-contains_clean_after_yum(cmd) {
-	yum_commands := regex.find_n("(yum (-[a-zA-Z]+ *)*install)|(yum clean all)", cmd, -1)
-
-	yum_commands[count(yum_commands) - 1] == "yum clean all"
+install_followed_by_clean(cmds, package_manager, install_indexes) {
+	clean_indexes := docker.command_indexes(cmds, ["clean"], package_manager)
+	clean_all_indexes = [idx | cmd := cmds[idx]; "all" in cmd]
+	count(clean_all_indexes) > 0
+	install_indexes[count(install_indexes) - 1] < clean_all_indexes[count(clean_all_indexes) - 1]
 }

checks/docker/yum_clean_all_missing_test.rego

@@ -123,3 +123,49 @@ test_basic_allowed {
 
 	count(r) == 0
 }
+
+test_allow_clean_with_flags {
+	r := deny with input as {"Stages": [{"Name": "alpine:3.5", "Commands": [
+		{
+			"Cmd": "from",
+			"Value": ["alpine:3.5"],
+		},
+		{
+			"Cmd": "run",
+			"Value": [`if [ "$TBB" == "default" ]; then  yum -y install tbb tbb-devel && yum clean -y all; fi`],
+		},
+	]}]}
+
+	count(r) == 0
+}
+
+test_denied_clean_not_all {
+	r := deny with input as {"Stages": [{"Name": "alpine:3.5", "Commands": [
+		{
+			"Cmd": "from",
+			"Value": ["alpine:3.5"],
+		},
+		{
+			"Cmd": "run",
+			"Value": ["yum -y install bash && yum clean metadata"],
+		},
+	]}]}
+
+	count(r) == 1
+	r[_].msg == "'yum clean all' is missed: yum -y install bash && yum clean metadata"
+}
+
+test_allow_only_clean {
+	r := deny with input as {"Stages": [{"Name": "alpine:3.5", "Commands": [
+		{
+			"Cmd": "from",
+			"Value": ["alpine:3.5"],
+		},
+		{
+			"Cmd": "run",
+			"Value": ["yum clean all"],
+		},
+	]}]}
+
+	count(r) == 0
+}

lib/docker/docker.rego

@@ -74,3 +74,15 @@ healthcheck[instruction] {
 	instruction := input.Stages[_].Commands[_]
 	instruction.Cmd == "healthcheck"
 }
+
+command_indexes(cmds, cmds_to_check, package_manager) = cmd_indexes {
+	cmd_indexes = [idx |
+		cmd_parts := cmds[idx]
+		some i, j
+		i != j
+		cmd_parts[i] == package_manager[_]
+		cmd_parts[j] == cmds_to_check[_]
+		i < j
+	]
+	count(cmd_indexes) != 0
+}