Checkmarx · rafaela-soares · Sep 28, 2022 · May 2, 2022 · May 6, 2022 · May 19, 2022
@@ -0,0 +1,10 @@
+{
+  "id": "8a301064-c291-4b20-adcb-403fe7fd95fd",
+  "queryName": "Changing Default Shell Using RUN Command",
+  "severity": "MEDIUM",
+  "category": "Best Practices",
+  "descriptionText": "Using the command RUN to override the default shell instead of the SHELL command leads to inefficiencies. It also does not make sense since Docker provides the SHELL command for this exact purpose.",
+  "descriptionUrl": "https://docs.docker.com/engine/reference/builder/#shell",
+  "platform": "Dockerfile",
+  "descriptionID": "d859b2eb"
+}
@@ -0,0 +1,56 @@
+package Cx
+
+import data.generic.common as common_lib
+
+shell_possibilities := {
+	"/bin/bash",
+	"/bin/tcsh",
+	"/bin/ksh",
+	"/bin/csh",
+	"/bin/dash",
+	"etc/shells",
+	"/bin/zsh",
+	"/bin/fish",
+	"/bin/tmux",
+	"/bin/rbash",
+	"/bin/sh",
+	"/usr/bin/zsh",
+}
+
+CxPolicy[result] {
+	resource := input.document[i].command[name][_]
+	resource.Cmd == "run"
+    value := resource.Value
+
+	contains(value[v], shell_possibilities[p])
+	run_values := split(value[v], " ")
+	command := run_values[0]
+	command_possibilities := {"mv", "chsh", "usermod", "ln"}
+	command == command_possibilities[cp] 
+
+	result := {
+    	"debug": sprintf("%s", [value[v]]),
+		"documentId": input.document[i].id,
+		"searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": sprintf("FROM={{%s}}.{{%s}} should use the SHELL command to change the default shell", [name, resource.Original]),
+		"keyActualValue": sprintf("FROM={{%s}}.{{%s}} uses the RUN command to change the default shell", [name, resource.Original]),
+	}
+}
+
+CxPolicy[result] {
+	resource := input.document[i].command[name][_]
+	resource.Cmd == "run"
+    value := resource.Value
+	run_values := split(value[v], " ")
+	command := run_values[0]
+	contains(command, "powershell")
+
+	result := {
+		"documentId": input.document[i].id,
+		"searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": sprintf("FROM={{%s}}.{{%s}} should use the SHELL command to change the default shell", [name, resource.Original]),
+		"keyActualValue": sprintf("FROM={{%s}}.{{%s}} uses the RUN command to change the default shell", [name, resource.Original]),
+	}
+}
@@ -2,7 +2,7 @@ FROM alpine:3.5
 RUN apk add --update py2-pip
 RUN sudo yum install -y bundler
 RUN yum install
-RUN ["powershell", "-command", "Execute-MyCmdlet", "-param1 "c:\foo.txt""]
+SHELL ["/bin/bash", "-c"]
 COPY requirements.txt /usr/src/app/
 RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
 COPY app.py /usr/src/app/

@@ -0,0 +1,11 @@
+FROM alpine:3.5
+RUN apk add --update py2-pip
+RUN sudo yum install -y bundler
+RUN yum install
+SHELL ["cmd", "/S", "/C"]
+COPY requirements.txt /usr/src/app/
+RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
+COPY app.py /usr/src/app/
+COPY templates/index.html /usr/src/app/templates/
+EXPOSE 5000
+CMD ["python", "/usr/src/app/app.py"]
@@ -0,0 +1,11 @@
+FROM alpine:3.5
+RUN apk add --update py2-pip
+RUN sudo yum install -y bundler
+RUN yum install
+SHELL ["/bin/sh", "-c"]
+COPY requirements.txt /usr/src/app/
+RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
+COPY app.py /usr/src/app/
+COPY templates/index.html /usr/src/app/templates/
+EXPOSE 5000
+CMD ["python", "/usr/src/app/app.py"]
@@ -0,0 +1,11 @@
+FROM alpine:3.5
+RUN apk add --update py2-pip
+RUN sudo yum install -y bundler
+RUN yum install
+RUN ln -sfv /bin/bash /bin/sh
+COPY requirements.txt /usr/src/app/
+RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
+COPY app.py /usr/src/app/
+COPY templates/index.html /usr/src/app/templates/
+EXPOSE 5000
+CMD ["python", "/usr/src/app/app.py"]
@@ -0,0 +1,11 @@
+FROM alpine:3.5
+RUN apk add --update py2-pip
+RUN sudo yum install -y bundler
+RUN yum install
+RUN powershell -command
+COPY requirements.txt /usr/src/app/
+RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
+COPY app.py /usr/src/app/
+COPY templates/index.html /usr/src/app/templates/
+EXPOSE 5000
+CMD ["python", "/usr/src/app/app.py"]
@@ -0,0 +1,14 @@
+[
+	{
+		"queryName": "Changing Default Shell Using RUN Command",
+		"severity": "MEDIUM",
+		"line": 5,
+		"filename": "positive1.dockerfile"
+	},
+	{
+		"queryName": "Changing Default Shell Using RUN Command",
+		"severity": "MEDIUM",
+		"line": 5,
+		"filename": "positive2.dockerfile"
+	}
+]
@@ -3,7 +3,7 @@
   "queryName": "RUN Instruction Using 'cd' Instead of WORKDIR",
   "severity": "MEDIUM",
   "category": "Build Process",
-  "descriptionText": "Use WORKDIR instead of proliferating instructions like RUN cd \u2026 && do-something, which are hard to read, troubleshoot, and maintain.",
+  "descriptionText": "When using RUN command 'cd' should only be used for full path. For relative path make use of WORKDIR command instead.",
   "descriptionUrl": "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#workdir",
   "platform": "Dockerfile",
   "descriptionID": "edd9f7d3"

@@ -3,13 +3,25 @@ package Cx
 CxPolicy[result] {
 	resource := input.document[i].command[name][_]
 	resource.Cmd == "run"
-	contains(resource.Value[_], "cd ")
+	run_command := resource.Value[_]
+	values := split(run_command, " ")
+	trim_space(values[index]) == "cd"
+    path := trim_space(values[index+1])
+    not is_full_path(path)
+
 
 	result := {
 		"documentId": input.document[i].id,
 		"searchKey": sprintf("FROM={{%s}}.RUN={{%s}}", [name, resource.Value[0]]),
-		"issueType": "IncorrectValue", #"MissingAttribute" / "RedundantAttribute"
+		"issueType": "IncorrectValue",
 		"keyExpectedValue": "Using WORKDIR to change directory",
 		"keyActualValue": sprintf("RUN %s'", [resource.Value[0]]),
 	}
 }
+
+is_full_path(path){
+	regex.match("^[a-zA-Z]:[\\\/]", path)	
+}else {
+	startswith( path,"/")
+    not contains(path, "/.")
+}
@@ -0,0 +1,5 @@
+FROM nginx
+ENV AUTHOR=Docker
+RUN cd /usr/share/nginx/html
+COPY Hello_docker.html /usr/share/nginx/html
+CMD cd /usr/share/nginx/html && sed -e s/Docker/"$AUTHOR"/ Hello_docker.html > index.html ; nginx -g 'daemon off;'
@@ -1,5 +1,17 @@
 FROM nginx
 ENV AUTHOR=Docker
-RUN cd /usr/share/nginx/html
+RUN cd /../share/nginx/html
 COPY Hello_docker.html /usr/share/nginx/html
-CMD cd /usr/share/nginx/html && sed -e s/Docker/"$AUTHOR"/ Hello_docker.html > index.html ; nginx -g 'daemon off;'
+CMD cd /usr/share/nginx/html && sed -e s/Docker/"$AUTHOR"/ Hello_docker.html > index.html ; nginx -g 'daemon off;'
+
+FROM nginx
+ENV AUTHOR=Docker
+RUN cd ../share/nginx/html
+COPY Hello_docker.html /usr/share/nginx/html
+CMD cd /usr/share/nginx/html && sed -e s/Docker/"$AUTHOR"/ Hello_docker.html > index.html ; nginx -g 'daemon off;'
+
+FROM nginx
+ENV AUTHOR=Docker
+RUN cd /usr/../share/nginx/html
+COPY Hello_docker.html /usr/share/nginx/html
+CMD cd /usr/share/nginx/html && sed -e s/Docker/"$AUTHOR"/ Hello_docker.html > index.html ; nginx -g 'daemon off;'
@@ -2,6 +2,19 @@
 	{
 		"queryName": "RUN Instruction Using 'cd' Instead of WORKDIR",
 		"severity": "MEDIUM",
-		"line": 3
+		"line": 3,
+		"fileName": "positive.dockerfile"
+	},
+	{
+		"queryName": "RUN Instruction Using 'cd' Instead of WORKDIR",
+		"severity": "MEDIUM",
+		"line": 9,
+		"fileName": "positive.dockerfile"
+	},
+	{
+		"queryName": "RUN Instruction Using 'cd' Instead of WORKDIR",
+		"severity": "MEDIUM",
+		"line": 15,
+		"fileName": "positive.dockerfile"
 	}
 ]
@@ -0,0 +1,10 @@
+{
+  "id": "68a51e22-ae5a-4d48-8e87-b01a323605c9",
+  "queryName": "Using Unnamed Build Stages",
+  "severity": "LOW",
+  "category": "Build Process",
+  "descriptionText": " This query is used to ensure that build stages are named. This way even if the Dockerfile is re-ordered, the COPY instruction doesn’t break.",
+  "descriptionUrl": "https://docs.docker.com/develop/develop-images/multistage-build/",
+  "platform": "Dockerfile",
+  "descriptionID": "dea09829"
+}
@@ -0,0 +1,21 @@
+package Cx
+
+CxPolicy[result] {
+
+	commands := input.document[i].command[name][_]
+
+	commands.Cmd == "copy"
+    flags := commands.Flags
+    contains(flags[f], "--from=")
+    flag_split := split(flags[f], "=")
+    to_number(flag_split[1]) > -1
+
+
+	result := {
+		"documentId": input.document[i].id,
+		"searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, commands.Original]),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": "COPY '--from' should reference a previously defined FROM alias",
+		"keyActualValue": "COPY '--from' does not reference a previously defined FROM alias",
+	}
+}
@@ -0,0 +1,11 @@
+FROM golang:1.16
+WORKDIR /go/src/github.com/alexellis/href-counter/
+RUN go get -d -v golang.org/x/net/html  
+COPY app.go ./
+RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
+
+FROM alpine:latest  
+RUN apk --no-cache add ca-certificates
+WORKDIR /root/
+COPY --from=0 /go/src/github.com/alexellis/href-counter/app ./
+CMD ["./app"] 
@@ -0,0 +1,8 @@
+[
+	{
+		"queryName": "Using Unnamed Build Stages",
+		"severity": "LOW",
+		"line": 10,
+		"filename": "positive1.dockerfile"
+	}
+]