diff --git a/rules/S6869/kubernetes/metadata.json b/rules/S6869/kubernetes/metadata.json
index 71145c2488f..5c536161f3d 100644
--- a/rules/S6869/kubernetes/metadata.json
+++ b/rules/S6869/kubernetes/metadata.json
@@ -8,7 +8,7 @@
 },
 "tags": [
 ],
- "defaultSeverity": "Major",
+ "defaultSeverity": "Minor",
 "ruleSpecification": "RSPEC-6869",
 "sqKey": "S6869",
 "scope": "All",
diff --git a/rules/S7018/docker/metadata.json b/rules/S7018/docker/metadata.json
index 5bc765f9727..f009c1fe577 100644
--- a/rules/S7018/docker/metadata.json
+++ b/rules/S7018/docker/metadata.json
@@ -16,9 +16,7 @@
 "quickfix": "unknown",
 "code": {
 "impacts": {
- "MAINTAINABILITY": "MEDIUM",
- "RELIABILITY": "LOW",
- "SECURITY": "LOW"
+ "MAINTAINABILITY": "LOW"
 },
 "attribute": "CONVENTIONAL"
 }
diff --git a/rules/S7019/docker/metadata.json b/rules/S7019/docker/metadata.json
index 1d9e68151b0..a9d6d4a998f 100644
--- a/rules/S7019/docker/metadata.json
+++ b/rules/S7019/docker/metadata.json
@@ -17,7 +17,7 @@
 "code": {
 "impacts": {
 "MAINTAINABILITY": "MEDIUM",
- "RELIABILITY": "HIGH"
+ "RELIABILITY": "MEDIUM"
 },
 "attribute": "CONVENTIONAL"
 }
diff --git a/rules/S7019/docker/rule.adoc b/rules/S7019/docker/rule.adoc
index 79152084ec6..b58061fac80 100644
--- a/rules/S7019/docker/rule.adoc
+++ b/rules/S7019/docker/rule.adoc
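Review bot: The S7018 hunk removes the `RELIABILITY` and `SECURITY` entries from `code.impacts` outright instead of lowering them, so the rule presumably stops being reported under those software qualities at all; worth confirming that is intended rather than a slip made while reducing levels, since the S7023 hunk later in this diff keeps its `SECURITY` entry while lowering `RELIABILITY`. Separately, S7020 and S7031 adjust `defaultSeverity` and `code.impacts` together, but S6869 here and S7030 change only `defaultSeverity`, while S7018, S7021 and S7026 change only `code.impacts`; if the legacy severity is expected to track the highest impact level, those files may now disagree, and S7030's raise from `Major` to `Critical` with no impact change stands out in particular. No commit message is visible here, so a one-line rationale per re-rated rule in the PR description would make the intent reviewable.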
@@ -1,8 +1,14 @@
-In Dockerfiles, it is recommended to use the exec form for `CMD` and `ENTRYPOINT` instructions. The exec form, which is represented as a JSON array, ensures that the process runs directly without being wrapped in a shell. This allows OS signals like SIGTERM and SIGINT to be received by the process. This practice enhances the reliability and control of your Docker containers.
+In Dockerfiles, it is recommended to use the exec form for `CMD` and `ENTRYPOINT` instructions.
+The exec form, which is represented as a JSON array, ensures that the process runs directly without being wrapped in a shell.
+This allows OS signals like SIGTERM and SIGINT to be received by the process. This practice enhances the reliability and control of your Docker containers.
 == Why is this an issue?
-Using the shell form instead of the exec form for CMD and ENTRYPOINT instructions in Dockerfiles can lead to several issues. When you use the shell form, the executable runs as a child process to a shell, which does not pass OS signals. This can cause problems when trying to gracefully stop containers because the main process will not receive the signal intended to terminate it. Moreover, the exec form provides more control and predictability over the execution of the command. It does not invoke a command shell, which means it does not have the potential side effects of shell processing.
+Using the shell form instead of the exec form for CMD and ENTRYPOINT instructions in Dockerfiles can lead to several issues.
+When you use the shell form, the executable runs as a child process to a shell, which does not pass OS signals.
+This can cause problems when trying to gracefully stop containers because the main process will not receive the signal intended to terminate it.
+Moreover, the exec form provides more control and predictability over the execution of the command.
+It does not invoke a command shell, which means it does not have the potential side effects of shell processing.
 == How to fix it
diff --git a/rules/S7020/docker/metadata.json b/rules/S7020/docker/metadata.json
index 62292bbcb69..8f40622e68d 100644
--- a/rules/S7020/docker/metadata.json
+++ b/rules/S7020/docker/metadata.json
@@ -8,7 +8,7 @@
 },
 "tags": [
 ],
- "defaultSeverity": "Major",
+ "defaultSeverity": "Minor",
 "ruleSpecification": "RSPEC-7020",
 "sqKey": "S7020",
 "scope": "All",
@@ -16,7 +16,7 @@
 "quickfix": "unknown",
 "code": {
 "impacts": {
- "MAINTAINABILITY": "HIGH"
+ "MAINTAINABILITY": "LOW"
 },
 "attribute": "CONVENTIONAL"
 }
diff --git a/rules/S7021/docker/metadata.json b/rules/S7021/docker/metadata.json
index 7c12987c1cb..1fa351169f1 100644
--- a/rules/S7021/docker/metadata.json
+++ b/rules/S7021/docker/metadata.json
@@ -16,7 +16,7 @@
 "quickfix": "unknown",
 "code": {
 "impacts": {
- "RELIABILITY": "HIGH"
+ "RELIABILITY": "MEDIUM"
 },
 "attribute": "CONVENTIONAL"
 }
diff --git a/rules/S7023/docker/metadata.json b/rules/S7023/docker/metadata.json
index 7b193e8ebaa..a528370c661 100644
--- a/rules/S7023/docker/metadata.json
+++ b/rules/S7023/docker/metadata.json
@@ -17,7 +17,7 @@
 "code": {
 "impacts": {
 "MAINTAINABILITY": "MEDIUM",
- "RELIABILITY": "HIGH",
+ "RELIABILITY": "MEDIUM",
 "SECURITY": "MEDIUM"
 },
 "attribute": "CONVENTIONAL"
diff --git a/rules/S7026/docker/metadata.json b/rules/S7026/docker/metadata.json
index ad5dcccf5a3..0ec2a048309 100644
--- a/rules/S7026/docker/metadata.json
+++ b/rules/S7026/docker/metadata.json
@@ -16,7 +16,7 @@
 "quickfix": "unknown",
 "code": {
 "impacts": {
- "MAINTAINABILITY": "MEDIUM"
+ "MAINTAINABILITY": "LOW"
 },
 "attribute": "CONVENTIONAL"
 }
diff --git a/rules/S7030/docker/metadata.json b/rules/S7030/docker/metadata.json
index b98d3cffc47..1d35df87ea8 100644
--- a/rules/S7030/docker/metadata.json
+++ b/rules/S7030/docker/metadata.json
@@ -8,7 +8,7 @@
 },
 "tags": [
 ],
- "defaultSeverity": "Major",
+ "defaultSeverity": "Critical",
 "ruleSpecification": "RSPEC-7030",
 "sqKey": "S7030",
 "scope": "All",
diff --git a/rules/S7031/docker/metadata.json b/rules/S7031/docker/metadata.json
index 664fcabba17..d8dc207f3b0 100644
--- a/rules/S7031/docker/metadata.json
+++ b/rules/S7031/docker/metadata.json
@@ -8,7 +8,7 @@
 },
 "tags": [
 ],
- "defaultSeverity": "Major",
+ "defaultSeverity": "Minor",
 "ruleSpecification": "RSPEC-7031",
 "sqKey": "S7031",
 "scope": "All",
@@ -16,7 +16,7 @@
 "quickfix": "unknown",
 "code": {
 "impacts": {
- "MAINTAINABILITY": "HIGH"
+ "MAINTAINABILITY": "LOW"
 },
 "attribute": "CONVENTIONAL"
 }