Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Create rule S5849: Setting capabilities is security-sensitive #4374

Merged
merged 3 commits into from
Oct 8, 2024
Merged

Create rule S5849: Setting capabilities is security-sensitive #4374

merged 3 commits into from
Oct 8, 2024

Conversation

github-actions[bot]
Copy link
Contributor

@github-actions github-actions bot commented Oct 7, 2024

You can preview this rule here (updated a few minutes after each push).

Review

A dedicated reviewer checked the rule description successfully for:

  • logical errors and incorrect information
  • information gaps and missing content
  • text style and tone
  • PR summary and labels follow the guidelines

@github-actions github-actions bot added the iac label Oct 7, 2024
pierre-loup-tristant-sonarsource
pierre-loup-tristant-sonarsource requested changes Oct 8, 2024
View reviewed changes
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The compliant code example is missing.
The content that is common to Kubernetes, Cfamilly and Ansible rules should be extracted to separate adoc files to avoid duplication.

rules/S5849/ansible/rule.adoc
Comment on lines +25 to +32
[source,yaml]
----
- name: Set cap_sys_chroot+ep on /usr/bin/example
community.general.capabilities:
path: /usr/bin/example
capability: cap_sys_admin+ep # Sensitive
state: present
----
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The compliant code example is missing.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I left it away on purpose because the only compliant solution here would be not to use the module at all.

@hendrik-buchwald-sonarsource hendrik-buchwald-sonarsource changed the title Create rule S5849 Create rule S5849: Setting capabilities is security-sensitive Oct 8, 2024
@hendrik-buchwald-sonarsource hendrik-buchwald-sonarsource marked this pull request as ready for review October 8, 2024 09:11
@sonarqube-next SonarQube-Next
Copy link

sonarqube-next bot commented Oct 8, 2024

Quality Gate passed Quality Gate passed for 'rspec-tools'

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarQube

@sonarqube-next SonarQube-Next
Copy link

sonarqube-next bot commented Oct 8, 2024

Quality Gate passed Quality Gate passed for 'rspec-frontend'

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarQube

pierre-loup-tristant-sonarsource
pierre-loup-tristant-sonarsource approved these changes Oct 8, 2024
View reviewed changes
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@hendrik-buchwald-sonarsource hendrik-buchwald-sonarsource merged commit dddd173 into master Oct 8, 2024
9 of 10 checks passed
@hendrik-buchwald-sonarsource hendrik-buchwald-sonarsource deleted the rule/S5849-add-ansible branch October 8, 2024 14:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@hendrik-buchwald-sonarsource hendrik-buchwald-sonarsource hendrik-buchwald-sonarsource left review comments

@pierre-loup-tristant-sonarsource pierre-loup-tristant-sonarsource pierre-loup-tristant-sonarsource approved these changes

Assignees

@hendrik-buchwald-sonarsource hendrik-buchwald-sonarsource

Labels
iac
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@pierre-loup-tristant-sonarsource @hendrik-buchwald-sonarsource