fix(dockerfile): flag unpinned dnf packages followed by a flag#8064
arpitjain099 wants to merge 1 commit into
The missing_version_specification_in_dnf_install query treated a package token as version-pinned whenever the next token was '-v', via the clause packages[plus(j, 1)] != "-v". In dnf, '-v' means verbose, not a version, so 'RUN dnf install zip -v' (zip is not pinned) wrongly passed the check, a false negative. Drop the '-v' special case and decide solely on whether the package itself carries a version (dockerLib.withVersion). Pinned packages such as 'dnf install zip-3.0 -v' still pass, so no new false positive is introduced.

Adds positive and negative test cases covering a flag that follows the package name.

Closes Checkmarx#7306

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
Closes #7306
Reason for Proposed Changes
The `missing_version_specification_in_dnf_install` query has a package-parsing rule that special-cases the token `-v`. The second `analyzePackages` clause requires `packages[plus(j, 1)] != "-v"`, which treats a package as version-pinned whenever the next token happens to be `-v`. In `dnf`, `-v` is the verbose flag, not a version marker, so this is a false negative: an unpinned package followed by `-v` silently passes the check.

On `master`, `RUN dnf install zip -v` is not flagged even though `zip` has no pinned version, because `zip` is followed by `-v` and the clause skips it. `RUN dnf install -y zip -v` has the same problem.

Proposed Changes

- Dropped the `-v` special case from `analyzePackages`. A package is now decided solely on whether it carries a version (`dockerLib.withVersion`), regardless of the next token. The two former clauses (`j == length - 1` and `j != length - 1`) collapse into one, since the only difference between them was the bogus `-v` check.
- Added `RUN dnf install zip -v` (the unpinned-package-before-a-flag form the old rule missed) to `test/positive.dockerfile` and its expected finding to `test/positive_expected_result.json`.
- Added `RUN dnf install -v zip-3.0` to `test/negative.dockerfile` to confirm a genuinely pinned package followed by `-v` still passes, so the fix does not introduce a false positive.
- `go test ./test/ -run 'TestQueries$/dockerfile/missing_version_specification_in_dnf_install'` passes for both positive and negative, and the content/metadata tests stay green (Rego coverage is now 100% for this query since the dead branch is gone).

I submit this contribution under the Apache-2.0 license.
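To make the false negative concrete, the following is an added example (not code from KICS or from this PR) that re-implements the pinning check in Python and runs both the old rule, with the `-v` special case, and the fixed rule over the Dockerfile lines the PR uses as test cases. The tokenizer, the function names and the `VERSION_RE` pattern are this example's own; `VERSION_RE` only approximates what `dockerLib.withVersion` accepts, and the shell splitting handles plain `&&`/`;` chains but not line continuations or subshells.

```python
"""Toy model of the dnf version-pinning check: legacy '-v' rule vs. the fix.

This is an illustrative re-implementation, not the KICS Rego query.
"""
import re
import shlex

# Assumption: a simplified stand-in for dockerLib.withVersion.
# Accepts "name-<digits>..." such as zip-3.0 or python3-devel-2.1; the real
# KICS pattern may differ in detail.
VERSION_RE = re.compile(r"^[\w.+-]+-\d+[.\w-]*$")

# Shell operators that end one command and start the next inside a RUN line.
SEPARATORS = {"&&", "||", ";", "|"}


def split_commands(run_line):
    """Split a Dockerfile RUN instruction into a list of token lists."""
    body = run_line.strip()
    if body[:4].upper() == "RUN ":
        body = body[4:]
    commands, current = [], []
    for tok in shlex.split(body):
        if tok in SEPARATORS:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def install_args(cmd):
    """Return the tokens after 'dnf [opts] install', or None for other commands."""
    if not cmd or cmd[0] != "dnf":
        return None
    for i, tok in enumerate(cmd[1:], start=1):
        if tok == "install":
            return cmd[i + 1:]
        if not tok.startswith("-"):
            return None  # a different subcommand, e.g. 'dnf clean all'
    return None


def unpinned_packages(run_line, legacy_v_special_case=False):
    """Return package tokens installed without a version.

    legacy_v_special_case=True reproduces the old behaviour described in the
    PR: a package whose *next* token is '-v' was wrongly treated as pinned.
    """
    findings = []
    for cmd in split_commands(run_line):
        args = install_args(cmd)
        if args is None:
            continue
        for j, tok in enumerate(args):
            if tok.startswith("-"):
                continue  # an option such as -y or -v, never a package
            if VERSION_RE.match(tok):
                continue  # genuinely pinned, e.g. zip-3.0
            if legacy_v_special_case and j + 1 < len(args) and args[j + 1] == "-v":
                continue  # the bogus clause: packages[j+1] != "-v" fails, so no finding
            findings.append(tok)
    return findings


# Constructed sample lines, modelled on the PR's positive/negative test cases.
DOCKERFILE_LINES = [
    "RUN dnf install zip -v",
    "RUN dnf install -y zip -v",
    "RUN dnf install -v zip-3.0",
    "RUN dnf install zip-3.0 -v",
    "RUN dnf install -y curl && dnf clean all",
]


def compare_rules(lines):
    """Map each line to (legacy findings, fixed findings)."""
    return {
        line: (unpinned_packages(line, legacy_v_special_case=True),
               unpinned_packages(line))
        for line in lines
    }


if __name__ == "__main__":
    for line, (old, new) in compare_rules(DOCKERFILE_LINES).items():
        print(f"{line!r:45} legacy={old} fixed={new}")
```

The first two lines are the ones the old clause let through (`legacy=[]`, `fixed=['zip']`); the two `zip-3.0` lines produce no finding under either rule, which is the no-new-false-positive property the negative test case guards.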