-
Notifications
You must be signed in to change notification settings - Fork 32
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(checks): handle file:
and multi:
in AVD-DS-005
#60
Conversation
@simar7 can you please help me progress this MR? I'm very eager to eliminate this false positive. |
@nikpivkin could you take a look? |
cnt := count(copy.Value) | ||
not (cnt == 3 && startswith(add.Value[0], "file:") || startswith(add.Value[0], "multi:") && add.Value[1] == "in") | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't have permissions to make changes to this branch.
Rego does not have the &&
and ||
operators. All expressions in a rule are evaluated sequentially, which is equivalent to conjunction.
Here is the implementation of your expression in Rego:
cnt := count(copy.Value) | |
not (cnt == 3 && startswith(add.Value[0], "file:") || startswith(add.Value[0], "multi:") && add.Value[1] == "in") | |
not is_command_with_hash(add.Value, "file:") | |
not is_command_with_hash(add.Value, "multi:") |
is_command_with_hash(cmd, prefix) {
count(cmd) == 3
startswith(cmd[0], prefix)
cmd[1] == "in"
}
You can also merge main into your branch to run tests.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you for providing the ability to run tests, that's very helpful!
I've updated this MR with your suggestion.
The reverse engineered `Dockerfile` of an image doesn't exactly match the original `Dockerfile`. For example, it doesn't have the original source files names. Instead, it uses `file:<hash> in`: `ADD file:8b8864b3e02a33a579dc216fd51b28a6047bc8eeaa03045b258980fe0cf7fcb3 in /__cacert_entrypoint.sh` Such commands should not trigger AVD-DS-005.
cf10630
to
be21df0
Compare
The reverse engineered
Dockerfile
of an image doesn't exactly match the originalDockerfile
. For example, it doesn't have the original source files names. Instead, it usesfile:<hash> in
:ADD file:8b8864b3e02a33a579dc216fd51b28a6047bc8eeaa03045b258980fe0cf7fcb3 in /__cacert_entrypoint.sh
Such commands should not trigger AVD-DS-005.