Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

add check if there is actually a package manager in the run command #55

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions CONTRIBUTING.md
Original file line number Diff line number Diff line change
Expand Up @@ -90,6 +90,8 @@ In the example above, you'll notice properties are being accessed from the `inpu

You should also write a test for your rule(s). There are many examples of these in the `checks/cloud` directory.

This repository formats all rules with the `opa fmt -w <path>` option, so make sure to run it on your files before you commit.

Finally, you'll want to generate documentation for your newly added rule. Please run `make docs` to generate the documentation for your new policy and submit a PR for us to take a look at.

You can see a full example PR for a new rule being added here: [https://github.com/aquasecurity/defsec/pull/1000](https://github.com/aquasecurity/defsec/pull/1000).
15 changes: 8 additions & 7 deletions checks/docker/update_instruction_alone.rego
Original file line number Diff line number Diff line change
Expand Up @@ -24,23 +24,24 @@ deny[res] {

command = concat(" ", run.Value)

is_package_manager(command)
is_valid_update(command)
not update_followed_by_install(command)

msg := "The instruction 'RUN <package-manager> update' should always be followed by '<package-manager> install' in the same RUN statement."
res := result.new(msg, run)
}

is_valid_update(command) {
chained_parts := regex.split(`\s*&&\s*`, command)

array_split := split(chained_parts[_], " ")
package_manager_regex := `(apk)|(apt-get)|(yum)`

len = count(array_split)
is_package_manager(command) {
regex.match(package_manager_regex, command)
}

update := {"update", "--update"}
update_regex := `( update)|( check-update)`

array_split[len - 1] == update[_]
is_valid_update(command) {
regex.match(update_regex, command)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When using regex, we will not be able to establish that the update command refers to the package manager. Example of a command that causes a false positive:apt-get build-dep && /bin/sh /scripts/someScript.sh update. Maybe we should split the command by && and check each part?

}

update_followed_by_install(command) {
Expand Down
8 changes: 6 additions & 2 deletions checks/docker/update_instruction_alone_test.rego
Original file line number Diff line number Diff line change
Expand Up @@ -77,16 +77,20 @@ test_allowed {
},
{
"Cmd": "run",
"Value": ["apt-get update && apt-get install -y --no-install-recommends mysql-client && rm -rf /var/lib/apt/lists/*"],
"Value": ["apt-get update && apt-get install -y --no-install-recommends mysql-client && rm -rf /var/lib/apt/lists/*"],
},
{
"Cmd": "run",
"Value": ["apk update && apk add --no-cache git ca-certificates"],
"Value": ["apk update && apk add --no-cache git ca-certificates"],
},
{
"Cmd": "run",
"Value": ["apk --update add easy-rsa"],
},
{
"Cmd": "run",
"Value": ["/bin/sh /scripts/someScript.sh update"],
},
{
"Cmd": "entrypoint",
"Value": ["mysql"],
Expand Down