fix(docker): Support stages with dupe names (#1327)

* fix(docker): Support stages with dupe names

Fixes: aquasecurity/trivy#2394

Signed-off-by: Simar <[email protected]>

* revert opa back

Signed-off-by: Simar <[email protected]>

* update messaging

Signed-off-by: Simar <[email protected]>

---------

Signed-off-by: Simar <[email protected]>

go.mod

@@ -64,7 +64,7 @@ require (
 	github.com/owenrumney/go-sarif/v2 v2.1.2
 	github.com/owenrumney/squealer v1.1.1
 	github.com/sirupsen/logrus v1.9.0
-	github.com/spf13/cobra v1.6.1
+	github.com/spf13/cobra v1.7.0
 	github.com/stretchr/testify v1.8.2
 	github.com/zclconf/go-cty v1.10.0
 	github.com/zclconf/go-cty-yaml v1.0.2
@@ -82,8 +82,8 @@ require (
 )
 
 require (
-	cloud.google.com/go v0.105.0 // indirect
-	cloud.google.com/go/compute v1.14.0 // indirect
+	cloud.google.com/go v0.107.0 // indirect
+	cloud.google.com/go/compute v1.15.1 // indirect
 	cloud.google.com/go/compute/metadata v0.2.3 // indirect
 	cloud.google.com/go/iam v0.8.0 // indirect
 	cloud.google.com/go/storage v1.27.0 // indirect
@@ -116,7 +116,7 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.14.4 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect
-	github.com/cespare/xxhash/v2 v2.1.2 // indirect
+	github.com/cespare/xxhash/v2 v2.2.0 // indirect
 	github.com/chai2010/gettext-go v1.0.2 // indirect
 	github.com/cloudflare/circl v1.1.0 // indirect
 	github.com/containerd/containerd v1.6.19 // indirect
@@ -143,14 +143,14 @@ require (
 	github.com/go-git/go-billy/v5 v5.4.0 // indirect
 	github.com/go-git/go-git/v5 v5.5.2 // indirect
 	github.com/go-gorp/gorp/v3 v3.0.2 // indirect
-	github.com/go-logr/logr v1.2.3 // indirect
+	github.com/go-logr/logr v1.2.4 // indirect
 	github.com/go-openapi/jsonpointer v0.19.5 // indirect
 	github.com/go-openapi/jsonreference v0.20.0 // indirect
 	github.com/go-openapi/swag v0.22.3 // indirect
 	github.com/gobwas/glob v0.2.3 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
-	github.com/golang/protobuf v1.5.2 // indirect
+	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/google/btree v1.0.1 // indirect
 	github.com/google/gnostic v0.5.7-v3refs // indirect
 	github.com/google/go-cmp v0.5.9 // indirect
@@ -166,7 +166,7 @@ require (
 	github.com/hashicorp/go-version v1.6.0 // indirect
 	github.com/huandu/xstrings v1.3.3 // indirect
 	github.com/imdario/mergo v0.3.13 // indirect
-	github.com/inconshreveable/mousetrap v1.0.1 // indirect
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/jmoiron/sqlx v1.3.5 // indirect
@@ -201,10 +201,10 @@ require (
 	github.com/pjbgf/sha1cd v0.2.3 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/prometheus/client_golang v1.14.0 // indirect
+	github.com/prometheus/client_golang v1.15.0 // indirect
 	github.com/prometheus/client_model v0.3.0 // indirect
-	github.com/prometheus/common v0.37.0 // indirect
-	github.com/prometheus/procfs v0.8.0 // indirect
+	github.com/prometheus/common v0.42.0 // indirect
+	github.com/prometheus/procfs v0.9.0 // indirect
 	github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0 // indirect
 	github.com/rivo/uniseg v0.2.0 // indirect
 	github.com/rubenv/sql-migrate v1.2.0 // indirect
@@ -226,17 +226,17 @@ require (
 	go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 // indirect
 	golang.org/x/mod v0.10.0 // indirect
 	golang.org/x/net v0.9.0 // indirect
-	golang.org/x/oauth2 v0.1.0 // indirect
+	golang.org/x/oauth2 v0.5.0 // indirect
 	golang.org/x/sync v0.1.0 // indirect
 	golang.org/x/sys v0.7.0 // indirect
 	golang.org/x/term v0.7.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
 	golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect
 	google.golang.org/api v0.107.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/genproto v0.0.0-20221227171554-f9683d7f8bef // indirect
-	google.golang.org/grpc v1.52.0 // indirect
-	google.golang.org/protobuf v1.28.1 // indirect
+	google.golang.org/genproto v0.0.0-20230110181048-76db0878b65f // indirect
+	google.golang.org/grpc v1.54.0 // indirect
+	google.golang.org/protobuf v1.30.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect

rules/docker/lib/docker.rego

@@ -35,27 +35,23 @@ entrypoint[instruction] {
 	instruction.Cmd == "entrypoint"
 }
 
-stage_entrypoints[stage_name] = entrypoints {
+stage_entrypoints[stage] = entrypoints {
 	stage := input.Stages[_]
-	stage_name := stage.Name
 	entrypoints := [entrypoint | entrypoint := stage.Commands[_]; entrypoint.Cmd == "entrypoint"]
 }
 
-stage_cmd[stage_name] = cmds {
+stage_cmd[stage] = cmds {
 	stage := input.Stages[_]
-	stage_name := stage.Name
 	cmds := [cmd | cmd := stage.Commands[_]; cmd.Cmd == "cmd"]
 }
 
-stage_healthcheck[stage_name] = hlthchecks {
+stage_healthcheck[stage] = hlthchecks {
 	stage := input.Stages[_]
-	stage_name := stage.Name
 	hlthchecks := [hlthcheck | hlthcheck := stage.Commands[_]; hlthcheck.Cmd == "healthcheck"]
 }
 
-stage_user[stage_name] = users {
+stage_user[stage] = users {
 	stage := input.Stages[_]
-	stage_name := stage.Name
 	users := [cmd | cmd := stage.Commands[_]; cmd.Cmd == "user"]
 }
 

rules/docker/policies/multiple_cmd_instructions_listed.rego

@@ -23,6 +23,6 @@ deny[res] {
 	cmds := docker.stage_cmd[name]
 	cnt := count(cmds)
 	cnt > 1
-	msg := sprintf("There are %d duplicate CMD instructions for stage '%s'", [cnt, name])
+	msg := sprintf("There are %d duplicate CMD instructions", [cnt])
 	res := result.new(msg, cmds[1])
 }

rules/docker/policies/multiple_cmd_instructions_listed_test.rego

@@ -29,7 +29,7 @@ test_denied {
 	]}
 
 	count(r) == 1
-	r[_].msg == "There are 2 duplicate CMD instructions for stage 'golang:1.7.3'"
+	r[_].msg == "There are 2 duplicate CMD instructions"
 }
 
 test_allowed {

rules/docker/policies/multiple_entrypoint_instructions_listed.rego

@@ -20,8 +20,8 @@ package builtin.dockerfile.DS007
 import data.lib.docker
 
 deny[res] {
-	entrypoints := docker.stage_entrypoints[name]
+	entrypoints := docker.stage_entrypoints[stage]
 	count(entrypoints) > 1
-	msg := sprintf("There are %d duplicate ENTRYPOINT instructions for stage '%s'", [count(entrypoints), name])
+	msg := sprintf("There are %d duplicate ENTRYPOINT instructions", [count(entrypoints)])
 	res := result.new(msg, entrypoints[1])
 }

rules/docker/policies/multiple_entrypoint_instructions_listed_test.rego

@@ -41,7 +41,7 @@ test_denied {
 	]}
 
 	count(r) == 1
-	r[_].msg == "There are 2 duplicate ENTRYPOINT instructions for stage 'golang'"
+	r[_].msg == "There are 2 duplicate ENTRYPOINT instructions"
 }
 
 test_allowed {

rules/docker/policies/multiple_healthcheck_instructions.rego

@@ -23,6 +23,6 @@ deny[res] {
 	healthchecks := docker.stage_healthcheck[name]
 	cnt := count(healthchecks)
 	cnt > 1
-	msg := sprintf("There are %d duplicate HEALTHCHECK instructions in the stage '%s'", [cnt, name])
+	msg := sprintf("There are %d duplicate HEALTHCHECK instructions in the stage", [cnt])
 	res := result.new(msg, healthchecks[1])
 }

rules/docker/policies/multiple_healthcheck_instructions_test.rego

@@ -42,7 +42,7 @@ test_denied {
 	]}
 
 	count(r) == 1
-	r[_].msg == "There are 2 duplicate HEALTHCHECK instructions in the stage 'golang:1.7.3'"
+	r[_].msg == "There are 2 duplicate HEALTHCHECK instructions in the stage"
 }
 
 test_allowed {