
Query "Update Instruction Alone" false detection for multiple update/install commands #5703

Closed
malte-laukoetter opened this issue Aug 16, 2022 · 1 comment · Fixed by #5707
Labels: bug (Something isn't working), community (Community contribution)

Comments

malte-laukoetter commented Aug 16, 2022

Expected Behavior

Multiple apt-get update and apt-get install commands can be used in a single RUN instruction.

Actual Behavior

For the following two Dockerfiles the query "Update Instruction Alone" reports a problem. There is no update command that is not followed by an install command in these Dockerfiles.

```dockerfile
FROM alpine

RUN if ! which gpg ; then \
      (apt-get update ;apt-get install --no-install-recommends gnupg=2.2.19 -y ) ; \
    fi ; \
    if ! gpg --version | grep -q '^gpg (GnuPG) 1\.' ; then \
      (apt-get update ;apt-get install --no-install-recommends dirmngr=2.2.19 -y ) ; \
    fi ; \
    rm -rf /var/lib/apt/lists/*
```

```dockerfile
FROM node:19.7.0
RUN npm install sqlite3; apt-get update ;apt-get install --no-install-recommends g++;
```

Specifications

  • Version: snapshot-34973e9d
  • Platform: Docker
  • Subsystem: Dockerfiles
  • Query: 9bae49be-0aa3-4de5-bab2-4c3a069e40cd
malte-laukoetter added the bug (Something isn't working) and community (Community contribution) labels on Aug 16, 2022
malte-laukoetter changed the title from: Query "Update Instruction Alone" false positive for multiple update statements in a single RUN instruction, to: Query "Update Instruction Alone" false detection for multiple update/install commands, on Aug 16, 2022
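The check this report is about, as an added example that is not KICS's own implementation of the query: a small Python checker that splits each RUN instruction into simple commands (looking inside subshells and respecting quotes), classifies each as an apt update or install, and flags the instruction only when some update has no later install in the same RUN, so several update/install pairs are accepted. All function and constant names are my own.

```python
import itertools, re, shlex
SEPARATORS = {";", "&&", "||", "|", "&", "(", ")"}   # tokens that end a simple command
SHELL_WORDS = {"if", "then", "else", "elif", "fi", "do", "done", "!", "sudo"}

def run_instructions(dockerfile):
    """Yield the shell text of each RUN instruction, with line continuations joined."""
    for line in re.sub(r"\\\s*\n", " ", dockerfile).splitlines():
        if line.strip().upper().startswith("RUN "):
            yield line.strip()[4:].strip()

def simple_commands(shell):
    """Split on ; && || | & ( ) with quotes respected, so subshell contents are seen too."""
    lexer = shlex.shlex(shell, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands, current = [], []
    for tok in lexer:
        if tok not in SEPARATORS:
            current.append(tok)
        elif current:
            commands.append(current)
            current = []
    return commands + [current] if current else commands

def apt_action(command):
    """Return 'update', 'install' or None, skipping leading words such as if/then/!."""
    words = list(itertools.dropwhile(lambda w: w in SHELL_WORDS, command))
    if len(words) > 1 and words[0] in ("apt-get", "apt") and words[1] in ("update", "install"):
        return words[1]

def lone_updates(dockerfile):
    """RUN instructions in which an apt update appears after the last apt install (or none exists)."""
    findings = []
    for run in run_instructions(dockerfile):
        actions = [apt_action(c) for c in simple_commands(run)]
        last_install = max((i for i, a in enumerate(actions) if a == "install"), default=-1)
        if "update" in actions[last_install + 1:]:
            findings.append(run)
    return findings

# Constructed inputs: the first Dockerfile from the report (no finding) and a flagged one.
REPORTED = r"""FROM alpine
RUN if ! which gpg ; then \
      (apt-get update ;apt-get install --no-install-recommends gnupg=2.2.19 -y ) ; \
    fi ; \
    if ! gpg --version | grep -q '^gpg (GnuPG) 1\.' ; then \
      (apt-get update ;apt-get install --no-install-recommends dirmngr=2.2.19 -y ) ; \
    fi ; \
    rm -rf /var/lib/apt/lists/*
"""
FLAGGED = "RUN apt-get update && apt-get install -y curl && apt-get update\n"
```

`lone_updates(REPORTED)` returns an empty list for the reported Dockerfile, while `lone_updates(FLAGGED)` returns the RUN whose second update is never followed by an install.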
cxMiguelSilva (Collaborator) commented

Hi @Lergin, I hope you are doing Great!!
I am happy to tell you that there is already a PR to improve the checks for update and install keywords in this Security Query.
