Skip to content

Commit

Permalink
Merge pull request #112 from nikpivkin/fix-ds017
Browse files Browse the repository at this point in the history
fix(rego): handle multiple install cmds in DS017
  • Loading branch information
simar7 authored Apr 17, 2024
2 parents d673b86 + f3c26e4 commit f36a5b7
Show file tree
Hide file tree
Showing 2 changed files with 59 additions and 16 deletions.
34 changes: 18 additions & 16 deletions checks/docker/update_instruction_alone.rego
Original file line number Diff line number Diff line change
Expand Up @@ -47,29 +47,31 @@ deny[res] {
run_cmd := concat(" ", run.Value)
cmds := regex.split(`\s*&&\s*`, run_cmd)

update_res = has_update(cmds)
not update_followed_by_install(cmds, update_res)
some package_manager
update_indexes := has_update(cmds, package_managers[package_manager])
not update_followed_by_install(cmds, package_manager, update_indexes)

msg := "The instruction 'RUN <package-manager> update' should always be followed by '<package-manager> install' in the same RUN statement."
res := result.new(msg, run)
}

has_update(cmds) = {
"package_manager": package_manager,
"cmd_index": index,
} {
index := contains_cmd_with_package_manager(cmds, update_cmds, package_managers[package_manager])
has_update(cmds, package_manager) = indexes {
indexes := contains_cmd_with_package_manager(cmds, update_cmds, package_manager)
}

update_followed_by_install(cmds, update_res) {
install_index := contains_cmd_with_package_manager(cmds, install_cmds, update_res.package_manager)
update_res.cmd_index < install_index
update_followed_by_install(cmds, package_manager, update_indexes) {
install_index := contains_cmd_with_package_manager(cmds, install_cmds, package_manager)
update_indexes[_] < install_index[_]
}

contains_cmd_with_package_manager(cmds, cmds_to_check, package_manager) = cmd_index {
cmd_parts := split(cmds[cmd_index], " ")
some i, j
cmd_parts[i] == package_manager[_]
cmd_parts[j] == cmds_to_check[_]
i < j
contains_cmd_with_package_manager(cmds, cmds_to_check, package_manager) = cmd_indexes {
cmd_indexes = [idx |
cmd_parts := split(cmds[idx], " ")
some i, j
i != j
cmd_parts[i] == package_manager[_]
cmd_parts[j] == cmds_to_check[_]
i < j
]
count(cmd_indexes) != 0
}
41 changes: 41 additions & 0 deletions checks/docker/update_instruction_alone_test.rego
Original file line number Diff line number Diff line change
Expand Up @@ -68,6 +68,28 @@ test_chained_denied {
r[_].msg == "The instruction 'RUN <package-manager> update' should always be followed by '<package-manager> install' in the same RUN statement."
}

test_multiple_package_managers {
r := deny with input as {"Stages": [{
"Name": "ubuntu:18.04",
"Commands": [
{
"Cmd": "from",
"Value": ["ubuntu:18.04"],
},
{
"Cmd": "run",
"Value": ["apt-get update -y && apt-get upgrade -y && apt-get install -y curl && apk-update"],
},
{
"Cmd": "entrypoint",
"Value": ["mysql"],
},
],
}]}

count(r) == 0
}

test_allowed {
r := deny with input as {"Stages": [{"Name": "ubuntu:18.04", "Commands": [
{
Expand Down Expand Up @@ -103,6 +125,25 @@ test_allowed {
count(r) == 0
}

test_allowed_multiple_install_cmds {
r := deny with input as {"Stages": [{"Name": "ubuntu:18.04", "Commands": [
{
"Cmd": "from",
"Value": ["ubuntu:18.04"],
},
{
"Cmd": "run",
"Value": ["apt-get update -y && apt-get upgrade -y && apt-get install -y curl"],
},
{
"Cmd": "entrypoint",
"Value": ["mysql"],
},
]}]}

count(r) == 0
}

test_allow_upgrade {
r := deny with input as {"Stages": [{"Name": "ubuntu:18.04", "Commands": [
{
Expand Down

0 comments on commit f36a5b7

Please sign in to comment.