From e8917147d74dbc2fbfe5672dd9f3bb7de8ca1193 Mon Sep 17 00:00:00 2001
From: Jonas Wielage
Date: Tue, 12 Nov 2024 10:36:55 +0100
Subject: [PATCH 1/2] Update impact and severities

---
 rules/S6869/kubernetes/metadata.json | 2 +-
 rules/S7018/docker/metadata.json | 2 +-
 rules/S7019/docker/metadata.json | 2 +-
 rules/S7019/docker/rule.adoc | 10 ++++++++--
 rules/S7020/docker/metadata.json | 2 +-
 rules/S7021/docker/metadata.json | 2 +-
 rules/S7023/docker/metadata.json | 2 +-
 rules/S7026/docker/metadata.json | 2 +-
 rules/S7030/docker/metadata.json | 2 +-
 rules/S7031/docker/metadata.json | 2 +-
 10 files changed, 17 insertions(+), 11 deletions(-)

diff --git a/rules/S6869/kubernetes/metadata.json b/rules/S6869/kubernetes/metadata.json
index 71145c2488f..5c536161f3d 100644
--- a/rules/S6869/kubernetes/metadata.json
+++ b/rules/S6869/kubernetes/metadata.json
@@ -8,7 +8,7 @@
 },
 "tags": [
 ],
- "defaultSeverity": "Major",
+ "defaultSeverity": "Minor",
 "ruleSpecification": "RSPEC-6869",
 "sqKey": "S6869",
 "scope": "All",
diff --git a/rules/S7018/docker/metadata.json b/rules/S7018/docker/metadata.json
index 5bc765f9727..9bf90cb879e 100644
--- a/rules/S7018/docker/metadata.json
+++ b/rules/S7018/docker/metadata.json
@@ -16,7 +16,7 @@
 "quickfix": "unknown",
 "code": {
 "impacts": {
- "MAINTAINABILITY": "MEDIUM",
+ "MAINTAINABILITY": "LOW",
 "RELIABILITY": "LOW",
 "SECURITY": "LOW"
 },
diff --git a/rules/S7019/docker/metadata.json b/rules/S7019/docker/metadata.json
index 1d9e68151b0..a9d6d4a998f 100644
--- a/rules/S7019/docker/metadata.json
+++ b/rules/S7019/docker/metadata.json
@@ -17,7 +17,7 @@
 "code": {
 "impacts": {
 "MAINTAINABILITY": "MEDIUM",
- "RELIABILITY": "HIGH"
+ "RELIABILITY": "MEDIUM"
 },
 "attribute": "CONVENTIONAL"
 }
diff --git a/rules/S7019/docker/rule.adoc b/rules/S7019/docker/rule.adoc
index 79152084ec6..b58061fac80 100644
--- a/rules/S7019/docker/rule.adoc
+++ b/rules/S7019/docker/rule.adoc
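Review bot: The S6869 hunk lowers `"defaultSeverity"` from Major to Minor without touching the rule's `code.impacts` block, and the S7030 hunk raises `"defaultSeverity"` to Critical with the same omission; those impacts blocks are outside the hunks, so please confirm they still agree with the new legacy severity. The second patch moves both fields together for S7020 and S7031 (`"defaultSeverity": "Minor"` paired with `"MAINTAINABILITY": "LOW"`), which suggests the two are meant to stay in step. The reverse check applies to the S7018, S7021, S7023 and S7026 hunks here and to the S7018 hunk of the second patch, which adjust only the impacts while their `"defaultSeverity"` is not shown; a one-line note in the commit description stating the intended mapping would make future review of these files easier.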
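Review bot: After the S7019 hunk downgrades `"RELIABILITY": "HIGH"` to `"RELIABILITY": "MEDIUM"`, the rule's impacts list only MAINTAINABILITY and RELIABILITY, yet the rule.adoc hunk in this same patch argues that the exec form avoids "the potential side effects of shell processing", which reads as a security property as much as a reliability one. Consider whether a `"SECURITY": "LOW"` entry, as S7018 and S7023 carry, belongs alongside the two existing impacts. If the omission is deliberate and the rule is scoped to signal handling only, a short sentence to that effect in the "Why is this an issue?" section would make the MEDIUM rating easier to defend.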
@@ -1,8 +1,14 @@
-In Dockerfiles, it is recommended to use the exec form for `CMD` and `ENTRYPOINT` instructions. The exec form, which is represented as a JSON array, ensures that the process runs directly without being wrapped in a shell. This allows OS signals like SIGTERM and SIGINT to be received by the process. This practice enhances the reliability and control of your Docker containers.
+In Dockerfiles, it is recommended to use the exec form for `CMD` and `ENTRYPOINT` instructions.
+The exec form, which is represented as a JSON array, ensures that the process runs directly without being wrapped in a shell.
+This allows OS signals like SIGTERM and SIGINT to be received by the process. This practice enhances the reliability and control of your Docker containers.
 
 == Why is this an issue?
 
-Using the shell form instead of the exec form for CMD and ENTRYPOINT instructions in Dockerfiles can lead to several issues. When you use the shell form, the executable runs as a child process to a shell, which does not pass OS signals. This can cause problems when trying to gracefully stop containers because the main process will not receive the signal intended to terminate it. Moreover, the exec form provides more control and predictability over the execution of the command. It does not invoke a command shell, which means it does not have the potential side effects of shell processing.
+Using the shell form instead of the exec form for CMD and ENTRYPOINT instructions in Dockerfiles can lead to several issues.
+When you use the shell form, the executable runs as a child process to a shell, which does not pass OS signals.
+This can cause problems when trying to gracefully stop containers because the main process will not receive the signal intended to terminate it.
+Moreover, the exec form provides more control and predictability over the execution of the command.
+It does not invoke a command shell, which means it does not have the potential side effects of shell processing.
 
 == How to fix it
 
diff --git a/rules/S7020/docker/metadata.json b/rules/S7020/docker/metadata.json
index 62292bbcb69..271f03f1b2f 100644
--- a/rules/S7020/docker/metadata.json
+++ b/rules/S7020/docker/metadata.json
@@ -16,7 +16,7 @@
 "quickfix": "unknown",
 "code": {
 "impacts": {
- "MAINTAINABILITY": "HIGH"
+ "MAINTAINABILITY": "MEDIUM"
 },
 "attribute": "CONVENTIONAL"
 }
diff --git a/rules/S7021/docker/metadata.json b/rules/S7021/docker/metadata.json
index 7c12987c1cb..1fa351169f1 100644
--- a/rules/S7021/docker/metadata.json
+++ b/rules/S7021/docker/metadata.json
@@ -16,7 +16,7 @@
 "quickfix": "unknown",
 "code": {
 "impacts": {
- "RELIABILITY": "HIGH"
+ "RELIABILITY": "MEDIUM"
 },
 "attribute": "CONVENTIONAL"
 }
diff --git a/rules/S7023/docker/metadata.json b/rules/S7023/docker/metadata.json
index 7b193e8ebaa..a528370c661 100644
--- a/rules/S7023/docker/metadata.json
+++ b/rules/S7023/docker/metadata.json
@@ -17,7 +17,7 @@
 "code": {
 "impacts": {
 "MAINTAINABILITY": "MEDIUM",
- "RELIABILITY": "HIGH",
+ "RELIABILITY": "MEDIUM",
 "SECURITY": "MEDIUM"
 },
 "attribute": "CONVENTIONAL"
diff --git a/rules/S7026/docker/metadata.json b/rules/S7026/docker/metadata.json
index ad5dcccf5a3..0ec2a048309 100644
--- a/rules/S7026/docker/metadata.json
+++ b/rules/S7026/docker/metadata.json
@@ -16,7 +16,7 @@
 "quickfix": "unknown",
 "code": {
 "impacts": {
- "MAINTAINABILITY": "MEDIUM"
+ "MAINTAINABILITY": "LOW"
 },
 "attribute": "CONVENTIONAL"
 }
diff --git a/rules/S7030/docker/metadata.json b/rules/S7030/docker/metadata.json
index b98d3cffc47..1d35df87ea8 100644
--- a/rules/S7030/docker/metadata.json
+++ b/rules/S7030/docker/metadata.json
@@ -8,7 +8,7 @@
 },
 "tags": [
 ],
- "defaultSeverity": "Major",
+ "defaultSeverity": "Critical",
 "ruleSpecification": "RSPEC-7030",
 "sqKey": "S7030",
 "scope": "All",
diff --git a/rules/S7031/docker/metadata.json b/rules/S7031/docker/metadata.json
index 664fcabba17..7e3232a3fdb 100644
--- a/rules/S7031/docker/metadata.json
+++ b/rules/S7031/docker/metadata.json
@@ -16,7 +16,7 @@
 "quickfix": "unknown",
 "code": {
 "impacts": {
- "MAINTAINABILITY": "HIGH"
+ "MAINTAINABILITY": "MEDIUM"
 },
 "attribute": "CONVENTIONAL"
 }

From 6d33541ffd6ce1495a1804f52bab14b930fa8dba Mon Sep 17 00:00:00 2001
From: Jonas Wielage
Date: Tue, 12 Nov 2024 11:43:00 +0100
Subject: [PATCH 2/2] Review notes

---
 rules/S7018/docker/metadata.json | 4 +---
 rules/S7020/docker/metadata.json | 4 ++--
 rules/S7031/docker/metadata.json | 4 ++--
 3 files changed, 5 insertions(+), 7 deletions(-)

diff --git a/rules/S7018/docker/metadata.json b/rules/S7018/docker/metadata.json
index 9bf90cb879e..f009c1fe577 100644
--- a/rules/S7018/docker/metadata.json
+++ b/rules/S7018/docker/metadata.json
@@ -16,9 +16,7 @@
 "quickfix": "unknown",
 "code": {
 "impacts": {
- "MAINTAINABILITY": "LOW",
- "RELIABILITY": "LOW",
- "SECURITY": "LOW"
+ "MAINTAINABILITY": "LOW"
 },
 "attribute": "CONVENTIONAL"
 }
diff --git a/rules/S7020/docker/metadata.json b/rules/S7020/docker/metadata.json
index 271f03f1b2f..8f40622e68d 100644
--- a/rules/S7020/docker/metadata.json
+++ b/rules/S7020/docker/metadata.json
@@ -8,7 +8,7 @@
 },
 "tags": [
 ],
- "defaultSeverity": "Major",
+ "defaultSeverity": "Minor",
 "ruleSpecification": "RSPEC-7020",
 "sqKey": "S7020",
 "scope": "All",
@@ -16,7 +16,7 @@
 "quickfix": "unknown",
 "code": {
 "impacts": {
- "MAINTAINABILITY": "MEDIUM"
+ "MAINTAINABILITY": "LOW"
 },
 "attribute": "CONVENTIONAL"
 }
diff --git a/rules/S7031/docker/metadata.json b/rules/S7031/docker/metadata.json
index 7e3232a3fdb..d8dc207f3b0 100644
--- a/rules/S7031/docker/metadata.json
+++ b/rules/S7031/docker/metadata.json
@@ -8,7 +8,7 @@
 },
 "tags": [
 ],
- "defaultSeverity": "Major",
+ "defaultSeverity": "Minor",
 "ruleSpecification": "RSPEC-7031",
 "sqKey": "S7031",
 "scope": "All",
@@ -16,7 +16,7 @@
 "quickfix": "unknown",
 "code": {
 "impacts": {
- "MAINTAINABILITY": "MEDIUM"
+ "MAINTAINABILITY": "LOW"
 },
 "attribute": "CONVENTIONAL"
 }