-
Notifications
You must be signed in to change notification settings - Fork 30
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
add check if there is actually a package manager in the run command #55
base: main
Are you sure you want to change the base?
Conversation
|
The CLA checker does not seem to be aware, that I am a member of the https://github.com/dbsystel organization, and that our organization has signed a CLA. |
Thanks could you format the rego check with |
add check if there is actually a package manager in the run command
Done I have added a line about that to the |
|
||
array_split[len - 1] == update[_] | ||
is_valid_update(command) { | ||
regex.match(update_regex, command) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
When using regex, we will not be able to establish that the update command refers to the package manager. Example of a command that causes a false positive:apt-get build-dep && /bin/sh /scripts/someScript.sh update
. Maybe we should split the command by && and check each part?
@simar7 I think we should also check the package manager along with the install command. |
True, that is the other side of the original issue, that we could fix here as well. I will rework the code to also cover this false negative. |
Sounds good to me. |
Simplify rule to use regex instead of splitting
closes https://github.com/aquasecurity/defsec/issues/1256