From 7a68a9e96c1843efe2b8db83e315173ff2b763c8 Mon Sep 17 00:00:00 2001 From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Wed, 11 Mar 2026 22:11:34 +0000 Subject: [PATCH 01/84] Changed identification of docker files to be case insensitive on files named 'dockerfile' --- pkg/analyzer/analyzer.go | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/pkg/analyzer/analyzer.go b/pkg/analyzer/analyzer.go index ee4c9984b37..88c55eeaea7 100644 --- a/pkg/analyzer/analyzer.go +++ b/pkg/analyzer/analyzer.go @@ -433,9 +433,11 @@ func (a *analyzerInfo) worker( //nolint: gocyclo if errExt == nil { linesCount, _ := utils.LineCounter(a.filePath, a.fallbackMinifiedFileLOC) + ext := strings.ToLower(ext) + switch ext { // Dockerfile (direct identification) - case ".dockerfile", "Dockerfile": + case ".dockerfile", "dockerfile": if a.isAvailableType(dockerfile) { results <- dockerfile locCount <- linesCount From b835b6cb8ed2452439bf2f9bab4f81e451f208a8 Mon Sep 17 00:00:00 2001 From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Wed, 11 Mar 2026 22:11:35 +0000 Subject: [PATCH 02/84] removed legacy redundant function 'isDockerfile' from analyzer --- pkg/analyzer/analyzer.go | 28 ++-------------------------- 1 file changed, 2 insertions(+), 26 deletions(-) diff --git a/pkg/analyzer/analyzer.go b/pkg/analyzer/analyzer.go index 88c55eeaea7..e0d4d5f617e 100644 --- a/pkg/analyzer/analyzer.go +++ b/pkg/analyzer/analyzer.go @@ -434,7 +434,7 @@ func (a *analyzerInfo) worker( //nolint: gocyclo linesCount, _ := utils.LineCounter(a.filePath, a.fallbackMinifiedFileLOC) ext := strings.ToLower(ext) - + switch ext { // Dockerfile (direct identification) case ".dockerfile", "dockerfile": 
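Review bot: `ext := strings.ToLower(ext)` declares a new `ext` that shadows the one returned by `utils.GetExtension` just above the hunk; a plain assignment `ext = strings.ToLower(ext)` does the same job without tripping `go vet`'s shadow analyzer. Lowercasing also reaches the later label `case "possibleDockerfile", ".ubi8", ".debian":` in the same switch (outside this hunk), which can no longer match the mixed-case value `GetExtension` still produces for extension-less files, so this commit silently disables the indirect Dockerfile path. The enclosing `worker` function starts and ends outside the hunk.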
@@ -445,7 +445,7 @@ func (a *analyzerInfo) worker( //nolint: gocyclo } // Dockerfile (indirect identification) case "possibleDockerfile", ".ubi8", ".debian": - if a.isAvailableType(dockerfile) && isDockerfile(a.filePath) { + if a.isAvailableType(dockerfile) { results <- dockerfile locCount <- linesCount fileInfo <- fileTypeInfo{filePath: a.filePath, fileType: dockerfile, locCount: linesCount} @@ -489,30 +489,6 @@ func (a *analyzerInfo) worker( //nolint: gocyclo } } -func isDockerfile(path string) bool { - content, err := os.ReadFile(filepath.Clean(path)) - if err != nil { - log.Error().Msgf("failed to analyze file: %s", err) - return false - } - - regexes := []*regexp.Regexp{ - regexp.MustCompile(`\s*FROM\s*`), - regexp.MustCompile(`\s*RUN\s*`), - } - - check := true - - for _, regex := range regexes { - if !regex.Match(content) { - check = false - break - } - } - - return check -} - // overrides k8s match when all regexes pass for azureresourcemanager key and extension is set to json func needsOverride(check bool, returnType, key, ext string) bool { if check && returnType == kubernetes && key == arm && ext == json { From da487cd1cd4ca5188d2ff523a20717e40f404d84 Mon Sep 17 00:00:00 2001 From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Wed, 11 Mar 2026 22:11:35 +0000 Subject: [PATCH 03/84] Improved dockerfile identification to account for relevant folder names and all files with prefix 'dockerfile.' as well as all files with the '.dockerfile' extension type in a case insensitive matter (improvement on first commit) --- pkg/analyzer/analyzer.go | 13 +------------ pkg/utils/get_extension.go | 29 +++++++++++++++++++---------- 2 files changed, 20 insertions(+), 22 deletions(-) diff --git a/pkg/analyzer/analyzer.go b/pkg/analyzer/analyzer.go index e0d4d5f617e..4bd0f28753d 100644 --- a/pkg/analyzer/analyzer.go +++ b/pkg/analyzer/analyzer.go 
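Review bot: Dropping `isDockerfile(a.filePath)` removes the only content check on this path: `GetExtension` at this point returns `.ubi8`/`.debian` straight from `filepath.Ext` without looking at the file, so every file with those extensions is now handed to the Dockerfile parser regardless of content (a content gate for those extensions only arrives in a later commit of this series). The removed regexes also demanded a `RUN` instruction, which rejected valid Dockerfiles, so a replacement gate should key on the first instruction being `FROM`/`ARG` rather than on `RUN`. If `os`, `filepath`, `regexp` or `log` were used only by the deleted function, the import block (not shown) needs pruning or the package will not build. `worker` begins and ends outside the hunk.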
@@ -433,25 +433,14 @@ func (a *analyzerInfo) worker( //nolint: gocyclo if errExt == nil { linesCount, _ := utils.LineCounter(a.filePath, a.fallbackMinifiedFileLOC) - ext := strings.ToLower(ext) - switch ext { - // Dockerfile (direct identification) + // Dockerfile case ".dockerfile", "dockerfile": if a.isAvailableType(dockerfile) { results <- dockerfile locCount <- linesCount fileInfo <- fileTypeInfo{filePath: a.filePath, fileType: dockerfile, locCount: linesCount} } - // Dockerfile (indirect identification) - case "possibleDockerfile", ".ubi8", ".debian": - if a.isAvailableType(dockerfile) { - results <- dockerfile - locCount <- linesCount - fileInfo <- fileTypeInfo{filePath: a.filePath, fileType: dockerfile, locCount: linesCount} - } else { - unwanted <- a.filePath - } // Terraform case ".tf", "tfvars": if a.isAvailableType(terraform) { diff --git a/pkg/utils/get_extension.go b/pkg/utils/get_extension.go index cfc9bc48861..5b35f50e204 100644 --- a/pkg/utils/get_extension.go +++ b/pkg/utils/get_extension.go @@ -14,7 +14,6 @@ import ( // GetExtension gets the extension of a file path func GetExtension(path string) (string, error) { - targets := []string{"Dockerfile", "tfvars"} // Get file information fileInfo, err := os.Stat(path) @@ -26,12 +25,24 @@ func GetExtension(path string) (string, error) { return "", fmt.Errorf("the path %s is a directory", path) } + base := filepath.Base(path) + if strings.HasPrefix(strings.ToLower(base), "dockerfile.") { + return ".dockerfile", nil + } + ext := filepath.Ext(path) - if ext == "" { - base := filepath.Base(path) + if strings.ToLower(ext) == ".dockerfile" { + return ".dockerfile", nil + } - if Contains(base, targets) { - ext = base + dir := strings.ToLower(filepath.Base(filepath.Dir(path))) + if (dir == "docker" || dir == "dockerfile" || dir == "dockerfiles") && readPossibleDockerFile(path) { + return ".dockerfile", nil + } + + if ext == "" { + if base == "tfvars" { + ext = ".tfvars" } else { isText, err := isTextFile(path) 
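Review bot: Removing the `.ubi8`/`.debian` case here while `GetExtension` in this same commit still returns those extensions literally (only `""` is content-checked) means such files are no longer routed anywhere, a regression against the previous indirect identification. The `"dockerfile"` label in `case ".dockerfile", "dockerfile":` is now unreachable, because the new `GetExtension` maps every recognised Dockerfile name to `.dockerfile` and never returns the bare base name. Likewise `GetExtension` now returns `.tfvars` for a file named `tfvars`, but the visible `case ".tf", "tfvars":` still expects the bare name; unless `.tfvars` is handled by a case outside the hunk, that file stops matching. `worker` starts and ends outside the hunk.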
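Review bot: The `dockerfile.` name-prefix rule returns `.dockerfile` without looking at the file, so a `Dockerfile.md`, `dockerfile.png` or `Dockerfile.bak` archive in a scanned repository is handed to the Dockerfile parser; the directory rule and the `ext == ""` branch at least call `readPossibleDockerFile`, and this branch should do the same, or at minimum run `isTextFile` first as the `ext == ""` branch does. The directory rule and the `ext == ""` branch can both call `readPossibleDockerFile` on the same file, reading it twice; keeping the first result in a local avoids the second open. `GetExtension` ends outside the hunk; its doc comment should now say that any recognised Dockerfile variant is reported as `.dockerfile` and a file named `tfvars` as `.tfvars`, since callers switch on exactly those strings, e.g. `// GetExtension returns the file's extension, normalised to ".dockerfile" for any recognised Dockerfile variant and ".tfvars" for a file named tfvars.`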
@@ -39,10 +50,8 @@ func GetExtension(path string) (string, error) { return "", err } - if isText { - if readPossibleDockerFile(path) { - ext = "possibleDockerfile" - } + if isText && readPossibleDockerFile(path) { + return ".dockerfile", nil } } } @@ -70,7 +79,7 @@ func readPossibleDockerFile(path string) bool { for scanner.Scan() { if strings.HasPrefix(scanner.Text(), "FROM") { return true - } else if strings.HasPrefix(scanner.Text(), "#") { + } else if strings.HasPrefix(scanner.Text(), "#") || strings.HasPrefix(scanner.Text(), "ARG") || scanner.Text() == "" { continue } else { return false From 8e17353348cd3c6b69111eab52924250f2cc8eed Mon Sep 17 00:00:00 2001 From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Thu, 12 Mar 2026 14:02:31 +0000 Subject: [PATCH 04/84] Fixed 'dockerfile' keyword not being recognized as a valid file extension, added support for all ubi8/debian files in case of valid dockerfile structure, added support for lower case dockerfile commands - most queries will have issues with this but relevant text files are properly detected as a 'dockerfile' as intended --- .../missing_user_instruction/query.rego | 3 +- pkg/analyzer/analyzer.go | 32 +++++++++---------- pkg/parser/docker/parser.go | 6 ++-- pkg/utils/get_extension.go | 24 ++++++++------ 4 files changed, 37 insertions(+), 28 deletions(-) diff --git a/assets/queries/dockerfile/missing_user_instruction/query.rego b/assets/queries/dockerfile/missing_user_instruction/query.rego index 51913455708..b4019390ca0 100644 --- a/assets/queries/dockerfile/missing_user_instruction/query.rego +++ b/assets/queries/dockerfile/missing_user_instruction/query.rego @@ -1,6 +1,7 @@ package Cx import data.generic.dockerfile as dockerLib +import data.generic.common as common_lib CxPolicy[result] { resource := input.document[i].command[name] 
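Review bot: The blank-line test `scanner.Text() == ""` rejects whitespace-only lines, and the bare `FROM`/`ARG` prefix tests accept any line starting with those letters (`FROMAGE=`, `ARGS=` in a shell script) while rejecting an indented `  FROM`, which Docker permits. Normalising once and comparing the first field is tighter in both directions: `line := strings.TrimSpace(scanner.Text())`, `fields := strings.Fields(line)`, then skip on `len(fields) == 0 || strings.HasPrefix(line, "#") || fields[0] == "ARG"` and accept on `fields[0] == "FROM"`. A backslash-continued `ARG` line is still misclassified by this shape, which deserves a comment on the function. `readPossibleDockerFile` starts outside the hunk, and whether `scanner.Err()` is checked after the loop is not visible.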
@@ -14,7 +15,7 @@ CxPolicy[result] { "searchKey": sprintf("FROM={{%s}}", [name]), "issueType": "MissingAttribute", "keyExpectedValue": "The 'Dockerfile' should contain the 'USER' instruction", - "keyActualValue": "The 'Dockerfile' does not contain any 'USER' instruction", + "keyActualValue": "The 'Dockerfile' does not contain any 'USER' instruction" } } diff --git a/pkg/analyzer/analyzer.go b/pkg/analyzer/analyzer.go index 4bd0f28753d..8b658d4e8cb 100644 --- a/pkg/analyzer/analyzer.go +++ b/pkg/analyzer/analyzer.go @@ -98,22 +98,21 @@ var ( listKeywordsGoogleDeployment = []string{"resources"} armRegexTypes = []string{"blueprint", "templateArtifact", "roleAssignmentArtifact", "policyAssignmentArtifact"} possibleFileTypes = map[string]bool{ - ".yml": true, - ".yaml": true, - ".json": true, - ".dockerfile": true, - "Dockerfile": true, - "possibleDockerfile": true, - ".debian": true, - ".ubi8": true, - ".tf": true, - "tfvars": true, - ".proto": true, - ".sh": true, - ".cfg": true, - ".conf": true, - ".ini": true, - ".bicep": true, + ".yml": true, + ".yaml": true, + ".json": true, + ".dockerfile": true, + "dockerfile": true, + ".debian": true, + ".ubi8": true, + ".tf": true, + "tfvars": true, + ".proto": true, + ".sh": true, + ".cfg": true, + ".conf": true, + ".ini": true, + ".bicep": true, } supportedRegexes = map[string][]string{ "azureresourcemanager": append(armRegexTypes, arm), @@ -430,6 +429,7 @@ func (a *analyzerInfo) worker( //nolint: gocyclo }() ext, errExt := utils.GetExtension(a.filePath) + if errExt == nil { linesCount, _ := utils.LineCounter(a.filePath, a.fallbackMinifiedFileLOC) diff --git a/pkg/parser/docker/parser.go b/pkg/parser/docker/parser.go index 7f97835b07e..43c7e7aa473 100644 --- a/pkg/parser/docker/parser.go +++ b/pkg/parser/docker/parser.go 
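Review bot: The keys `"dockerfile"` and `"tfvars"` in `possibleFileTypes` can no longer be produced: after the `GetExtension` changes in this series every recognised Dockerfile is reported as `.dockerfile` and a file named `tfvars` as `.tfvars`, and `.tfvars` is absent from the map. If this map decides which files are dispatched to `worker` (its use is outside the hunk), plain `tfvars` files are now dropped before analysis; adding `".tfvars": true` and removing the two dead keys keeps the map in step with the helper. Realigning the whole literal also hides the one real change in a wall of whitespace edits; a comment such as `// keys must match the values utils.GetExtension returns` would help the next edit stay consistent.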
@@ -59,7 +59,9 @@ func (p *Parser) Parse(_ string, fileContent []byte) ([]model.Document, []int, e for _, child := range parsed.AST.Children { child.Value = strings.ToLower(child.Value) if child.Value == "from" { - fromValue = strings.TrimPrefix(child.Original, "FROM ") + if strings.HasPrefix(strings.ToUpper(child.Original), "FROM ") { + fromValue = child.Original[5:] + } } if ignoreStruct.getIgnoreComments(child) { @@ -133,7 +135,7 @@ func (p *Parser) GetKind() model.FileKind { // SupportedExtensions returns Dockerfile extensions func (p *Parser) SupportedExtensions() []string { - return []string{"Dockerfile", ".dockerfile", ".ubi8", ".debian", "possibleDockerfile"} + return []string{"Dockerfile", ".dockerfile", "dockerfile", ".ubi8", ".debian", "possibleDockerfile"} } // SupportedTypes returns types supported by this parser, which are dockerfile diff --git a/pkg/utils/get_extension.go b/pkg/utils/get_extension.go index 5b35f50e204..61701654d78 100644 --- a/pkg/utils/get_extension.go +++ b/pkg/utils/get_extension.go @@ -14,9 +14,9 @@ import ( // GetExtension gets the extension of a file path func GetExtension(path string) (string, error) { - // Get file information fileInfo, err := os.Stat(path) + extDockerfile := ".dockerfile" if err != nil { return "", fmt.Errorf("file %s not found", path) } 
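Review bot: `child.Original[5:]` is only reached when the upper-cased line starts with `FROM `, so the slice is safe for ASCII input, but a tab after the instruction (`FROM\tubuntu`) is still not recognised and `fromValue` stays empty, exactly as with the old `TrimPrefix`. Checking the keyword and taking the remainder independently of the separator is more robust: `if len(child.Original) >= 4 && strings.EqualFold(child.Original[:4], "FROM") { fromValue = strings.TrimSpace(child.Original[4:]) }`. Whether downstream relies on the untrimmed value is not visible here; if it does, keep the `[5:]` slice and only widen the separator check. `Parse` starts and ends outside the hunk.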
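Review bot: `extDockerfile := ".dockerfile"` is declared between `os.Stat` and the check of its `err`, separating a call from its error handling; a package-level `const dockerfileExt = ".dockerfile"` is the idiomatic home for a value the analyzer and parser also hard-code, and keeps `if err != nil` adjacent to the call. The removed `// Get file information` was the only comment in the function, so a one-line note on what `GetExtension` normalises and why would replace it usefully. `GetExtension` ends outside the hunk.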
@@ -27,20 +27,25 @@ func GetExtension(path string) (string, error) { base := filepath.Base(path) if strings.HasPrefix(strings.ToLower(base), "dockerfile.") { - return ".dockerfile", nil + return extDockerfile, nil } ext := filepath.Ext(path) - if strings.ToLower(ext) == ".dockerfile" { - return ".dockerfile", nil + if strings.EqualFold(ext, ".dockerfile") { + return extDockerfile, nil } dir := strings.ToLower(filepath.Base(filepath.Dir(path))) if (dir == "docker" || dir == "dockerfile" || dir == "dockerfiles") && readPossibleDockerFile(path) { - return ".dockerfile", nil + return extDockerfile, nil } - if ext == "" { + switch ext { + case ".ubi8", ".debian": + if readPossibleDockerFile(path) { + return extDockerfile, nil + } + case "": if base == "tfvars" { ext = ".tfvars" } else { @@ -51,9 +56,10 @@ func GetExtension(path string) (string, error) { } if isText && readPossibleDockerFile(path) { - return ".dockerfile", nil + return extDockerfile, nil } } + } return ext, nil @@ -77,9 +83,9 @@ func readPossibleDockerFile(path string) bool { scanner := bufio.NewScanner(file) // Read lines from the file for scanner.Scan() { - if strings.HasPrefix(scanner.Text(), "FROM") { + if strings.HasPrefix(strings.ToLower(scanner.Text()), "from") { return true - } else if strings.HasPrefix(scanner.Text(), "#") || strings.HasPrefix(scanner.Text(), "ARG") || scanner.Text() == "" { + } else if strings.HasPrefix(scanner.Text(), "#") || strings.HasPrefix(strings.ToLower(scanner.Text()), "arg") || scanner.Text() == "" { continue } else { return false From 17d6b14ed142af4a722fc17dd3d1f022a28fe820 Mon Sep 17 00:00:00 2001 From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Thu, 12 Mar 2026 14:36:56 +0000 Subject: [PATCH 05/84] Minor optimization --- pkg/utils/get_extension.go | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/pkg/utils/get_extension.go b/pkg/utils/get_extension.go index 61701654d78..f23f544a313 100644 
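Review bot: `readPossibleDockerFile` is now run on `.ubi8`/`.debian` files and on anything inside a `docker*` directory without the `isTextFile` gate that the `ext == ""` branch keeps, so binary files on those paths are opened and scanned line by line; a long line makes `bufio.Scanner` stop with `ErrTooLong`, which the helper treats as "not a Dockerfile" only because `Scan` happens to return false. Running the `isTextFile` check once before every heuristic branch makes the behaviour uniform and cheap to reason about. A `.ubi8`/`.debian` file that fails the content check is still returned literally while `possibleFileTypes` keeps listing those extensions, so either the entries should go or a comment should say what still consumes them. `GetExtension` starts outside the hunk.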
--- a/pkg/utils/get_extension.go +++ b/pkg/utils/get_extension.go @@ -83,12 +83,14 @@ func readPossibleDockerFile(path string) bool { scanner := bufio.NewScanner(file) // Read lines from the file for scanner.Scan() { - if strings.HasPrefix(strings.ToLower(scanner.Text()), "from") { - return true - } else if strings.HasPrefix(scanner.Text(), "#") || strings.HasPrefix(strings.ToLower(scanner.Text()), "arg") || scanner.Text() == "" { + if strings.HasPrefix(scanner.Text(), "#") || strings.HasPrefix(strings.ToLower(scanner.Text()), "arg") || scanner.Text() == "" { continue } else { - return false + if strings.HasPrefix(strings.ToLower(scanner.Text()), "from") { + return true + } else { + return false + } } } return false From 087df77b58be62db1f5c18d87fa17b23dcbae6ef Mon Sep 17 00:00:00 2001 
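Review bot: The restructuring is not an optimisation: the `from` test now sits in an `else { if … } else { … }` ladder and `strings.ToLower(scanner.Text())` is still evaluated up to twice per line. Computing the normalised line once, `line := strings.ToLower(strings.TrimSpace(scanner.Text()))`, and switching on it (`case line == "" || strings.HasPrefix(line, "#") || strings.HasPrefix(line, "arg"): continue`, `case strings.HasPrefix(line, "from"): return true`, `default: return false`) is flatter and lowercases each line once; `TrimSpace` additionally accepts indented instructions, which Docker permits, so note that in the function comment if adopted. `readPossibleDockerFile` starts outside the hunk, and `scanner.Err()` handling after the loop is not visible.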
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Thu, 12 Mar 2026 16:31:06 +0000 Subject: [PATCH 06/84] Initial test files/cases plus minor changes to supported dockerfile formats for consistency --- pkg/parser/docker/parser.go | 2 +- pkg/parser/docker/parser_test.go | 2 +- pkg/parser/parser_test.go | 1 + pkg/remediation/scan.go | 2 +- pkg/utils/get_extension_test.go | 120 +++++++++++++++++- test/fixtures/dockerfile/DOCKERfile.txt | 17 +++ test/fixtures/dockerfile/Dockerfile.something | 8 ++ test/fixtures/dockerfile/any_name.debian | 8 ++ test/fixtures/dockerfile/any_name.ubi8 | 8 ++ test/fixtures/dockerfile/dockerFILE | 7 + test/fixtures/dockerfile/file.Dockerfile | 7 + test/fixtures/dockerfile/file_2.DOCKERfile | 7 + test/fixtures/dockerfile/random_name | 7 + .../test_folder_names/docker/any_file.txt | 5 + .../test_folder_names/dockerfile/any_file.txt | 5 + .../dockerfiles/any_file.txt | 5 + .../Docker/any_file.txt | 5 + .../Dockerfile/any_file.txt | 5 + .../Dockerfiles/any_file.txt | 5 + .../negative_dockerfile/not_dockerfile.debian | 7 + .../negative_dockerfile/not_dockerfile.txt | 3 + .../negative_dockerfile/not_dockerfile.ubi8 | 5 + 22 files changed, 234 insertions(+), 7 deletions(-) create mode 100644 test/fixtures/dockerfile/DOCKERfile.txt create mode 100644 test/fixtures/dockerfile/Dockerfile.something create mode 100644 test/fixtures/dockerfile/any_name.debian create mode 100644 test/fixtures/dockerfile/any_name.ubi8 create mode 100644 test/fixtures/dockerfile/dockerFILE create mode 100644 test/fixtures/dockerfile/file.Dockerfile create mode 100644 test/fixtures/dockerfile/file_2.DOCKERfile create mode 100644 test/fixtures/dockerfile/random_name create mode 100644 test/fixtures/dockerfile/test_folder_names/docker/any_file.txt create mode 100644 test/fixtures/dockerfile/test_folder_names/dockerfile/any_file.txt create mode 100644 test/fixtures/dockerfile/test_folder_names/dockerfiles/any_file.txt create mode 100644 
test/fixtures/dockerfile/test_folder_names_case/Docker/any_file.txt create mode 100644 test/fixtures/dockerfile/test_folder_names_case/Dockerfile/any_file.txt create mode 100644 test/fixtures/dockerfile/test_folder_names_case/Dockerfiles/any_file.txt create mode 100644 test/fixtures/negative_dockerfile/not_dockerfile.debian create mode 100644 test/fixtures/negative_dockerfile/not_dockerfile.txt create mode 100644 test/fixtures/negative_dockerfile/not_dockerfile.ubi8 diff --git a/pkg/parser/docker/parser.go b/pkg/parser/docker/parser.go index 43c7e7aa473..fc507ef3d88 100644 --- a/pkg/parser/docker/parser.go +++ b/pkg/parser/docker/parser.go @@ -135,7 +135,7 @@ func (p *Parser) GetKind() model.FileKind { // SupportedExtensions returns Dockerfile extensions func (p *Parser) SupportedExtensions() []string { - return []string{"Dockerfile", ".dockerfile", "dockerfile", ".ubi8", ".debian", "possibleDockerfile"} + return []string{"Dockerfile", ".dockerfile", "dockerfile", ".ubi8", ".debian"} } // SupportedTypes returns types supported by this parser, which are dockerfile diff --git a/pkg/parser/docker/parser_test.go b/pkg/parser/docker/parser_test.go index 3f6d6076ba9..5ca430dbbc1 100644 --- a/pkg/parser/docker/parser_test.go +++ b/pkg/parser/docker/parser_test.go @@ -17,7 +17,7 @@ func TestParser_GetKind(t *testing.T) { // TestParser_SupportedExtensions tests the functions [SupportedExtensions()] and all the methods called by them func TestParser_SupportedExtensions(t *testing.T) { p := &Parser{} - require.Equal(t, []string{"Dockerfile", ".dockerfile", ".ubi8", ".debian", "possibleDockerfile"}, p.SupportedExtensions()) + require.Equal(t, []string{"Dockerfile", ".dockerfile", "dockerfile", ".ubi8", ".debian"}, p.SupportedExtensions()) } // TestParser_SupportedExtensions tests the functions [SupportedTypes()] and all the methods called by them diff --git a/pkg/parser/parser_test.go b/pkg/parser/parser_test.go index 73d1f4d44b7..bbc45a089c5 100644 
--- a/pkg/parser/parser_test.go +++ b/pkg/parser/parser_test.go @@ -94,6 +94,7 @@ func TestParser_SupportedExtensions(t *testing.T) { require.Contains(t, extensions, ".tf") require.Contains(t, extensions, ".yaml") require.Contains(t, extensions, ".dockerfile") + require.Contains(t, extensions, "dockerfile") require.Contains(t, extensions, "Dockerfile") } diff --git a/pkg/remediation/scan.go b/pkg/remediation/scan.go index e48f5648ee0..aa67dda52a9 100644 --- a/pkg/remediation/scan.go +++ b/pkg/remediation/scan.go @@ -95,7 +95,7 @@ func getPayload(filePath string, content []byte, openAPIResolveReferences bool, var err error switch ext { - case ".dockerfile", "Dockerfile", "possibleDockerfile", ".ubi8", ".debian": + case ".dockerfile", "Dockerfile", ".ubi8", ".debian": p, err = parser.NewBuilder().Add(&dockerParser.Parser{}).Build([]string{""}, []string{""}) case terraformExtension: diff --git a/pkg/utils/get_extension_test.go b/pkg/utils/get_extension_test.go index 73f5955effa..442e08c2641 100644 --- a/pkg/utils/get_extension_test.go +++ b/pkg/utils/get_extension_test.go 
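Review bot: `case ".dockerfile", "Dockerfile", ".ubi8", ".debian":` was not given the lower-case `"dockerfile"` entry that the parser's `SupportedExtensions` receives in the same commit, and if `ext` here comes from `utils.GetExtension` (not visible), `"Dockerfile"` is dead while `.ubi8`/`.debian` are reached only by files that failed the Dockerfile content check, because the ones that passed arrive as `.dockerfile`. That leaves the remediation path as the one place where non-Dockerfile `.ubi8`/`.debian` content is still fed to the Dockerfile parser; reducing the case to `".dockerfile"` plus whatever raw names callers genuinely pass keeps it consistent with the analyzer. `getPayload` starts and ends outside the hunk.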
@@ -18,15 +18,106 @@ func TestGetExtension(t *testing.T) { }{ { name: "Get extension from a file named as Dockerfile and without extension defined ('Dockerfile')", - want: "Dockerfile", + want: ".dockerfile", filePath: "../../Dockerfile", toCreate: false, err: nil, }, { - name: "Get extension from a file not named as Dockerfile and without extension defined ('Dockerfile-example')", - want: "possibleDockerfile", - filePath: "../../test/fixtures/dockerfile/Dockerfile-example", + name: "Get extension from a file named as dockerFILE and without extension defined ('dockerFILE')", + want: ".dockerfile", + filePath: "../../test/fixtures/dockerfile/dockerFILE", + toCreate: false, + err: nil, + }, + { + name: "Get extension from a file not named 'dockerfile' with extension defined as Dockerfile ('file.Dockerfile')", + want: ".dockerfile", + filePath: "../../test/fixtures/dockerfile/file.Dockerfile", + toCreate: false, + err: nil, + }, + { + name: "Get extension from a file not named 'dockerfile' with extension defined as DOCKERfile ('file_2.DOCKERfile')", + want: ".dockerfile", + filePath: "../../test/fixtures/dockerfile/file_2.DOCKERfile", + toCreate: false, + err: nil, + }, + { + name: "Get extension from a file named 'Dockerfile' with any extension defined ('Dockerfile.something')", + want: ".dockerfile", + filePath: "../../test/fixtures/dockerfile/Dockerfile.something", + toCreate: false, + err: nil, + }, + { + name: "Get extension from a file named 'DOCKERfile' with any extension defined ('DOCKERfile.txt')", + want: ".dockerfile", + filePath: "../../test/fixtures/dockerfile/DOCKERfile.txt", + toCreate: false, + err: nil, + }, + { + name: "Get extension from a file not named as Dockerfile and without a relevant extension defined ('any_file.txt'), should detect due to parent folder 'docker'", + want: ".dockerfile", + filePath: "../../test/fixtures/dockerfile/test_folder_names/docker/any_file.txt", + toCreate: false, + err: nil, + }, + { + name: "Get extension from a file 
not named as Dockerfile and without a relevant extension defined ('any_file.txt'), should detect due to parent folder 'Docker'", + want: ".dockerfile", + filePath: "../../test/fixtures/dockerfile/test_folder_names_case/Docker/any_file.txt", + toCreate: false, + err: nil, + }, + { + name: "Get extension from a file not named as Dockerfile and without a relevant extension defined ('any_file.txt'), should detect due to parent folder 'dockerfile'", + want: ".dockerfile", + filePath: "../../test/fixtures/dockerfile/test_folder_names/dockerfile/any_file.txt", + toCreate: false, + err: nil, + }, + { + name: "Get extension from a file not named as Dockerfile and without a relevant extension defined ('any_file.txt'), should detect due to parent folder 'Dockerfile'", + want: ".dockerfile", + filePath: "../../test/fixtures/dockerfile/test_folder_names_case/Dockerfile/any_file.txt", + toCreate: false, + err: nil, + }, + { + name: "Get extension from a file not named as Dockerfile and without a relevant extension defined ('any_file.txt'), should detect due to parent folder 'dockerfiles'", + want: ".dockerfile", + filePath: "../../test/fixtures/dockerfile/test_folder_names/dockerfiles/any_file.txt", + toCreate: false, + err: nil, + }, + { + name: "Get extension from a file not named as Dockerfile and without a relevant extension defined ('any_file.txt'), should detect due to parent folder 'Dockerfiles'", + want: ".dockerfile", + filePath: "../../test/fixtures/dockerfile/test_folder_names_case/Dockerfiles/any_file.txt", + toCreate: false, + err: nil, + }, + { + name: "Get extension from a file not named as Dockerfile and without extension defined ('random_name'), due to parent folder scan will identify dockerfile syntax regardless", + want: ".dockerfile", + filePath: "../../test/fixtures/dockerfile/random_name", + toCreate: false, + err: nil, + }, + { + name: "Get extension from a valid text file with dockerfile syntax and '.ubi8' extension ('any_name.ubi8')", + want: 
".dockerfile", + filePath: "../../test/fixtures/dockerfile/any_name.ubi8", + toCreate: false, + err: nil, + }, + { + name: "Get extension from a valid text file with dockerfile syntax and '.debian' extension ('any_name.debian')", + want: ".dockerfile", + filePath: "../../test/fixtures/dockerfile/any_name.debian", toCreate: false, err: nil, }, @@ -44,6 +135,27 @@ func TestGetExtension(t *testing.T) { toCreate: false, err: nil, }, + { + name: "Get literal extension from a file not named as Dockerfile and with extension that is not .dockerfile,.ubi8 or .debian, regardless of text syntax", + want: ".txt", + filePath: "../../test/fixtures/negative_dockerfile/not_dockerfile.txt", + toCreate: false, + err: nil, + }, + { + name: "Get literal extension from a valid text file with '.ubi8' extension that lacks relevant dockerfile syntax('any_name.ubi8')", + want: ".ubi8", + filePath: "../../test/fixtures/negative_dockerfile/not_dockerfile.ubi8", + toCreate: false, + err: nil, + }, + { + name: "Get literal extension from a valid text file with '.debian' extension that lacks relevant dockerfile syntax('any_name.debian')", + want: ".debian", + filePath: "../../test/fixtures/negative_dockerfile/not_dockerfile.debian", + toCreate: false, + err: nil, + }, { name: "Get error when analyze a folder", want: "", diff --git a/test/fixtures/dockerfile/DOCKERfile.txt b/test/fixtures/dockerfile/DOCKERfile.txt new file mode 100644 index 00000000000..6ff5c5c2694 --- /dev/null +++ b/test/fixtures/dockerfile/DOCKERfile.txt @@ -0,0 +1,17 @@ + + + + + + + + + + + + +FROM alpine:3.19 AS builder + +COPY . . + +HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ "executable" ] \ No newline at end of file diff --git a/test/fixtures/dockerfile/Dockerfile.something b/test/fixtures/dockerfile/Dockerfile.something new file mode 100644 index 00000000000..9b120bfb8ab --- /dev/null +++ b/test/fixtures/dockerfile/Dockerfile.something 
@@ -0,0 +1,8 @@ +ARG VERSION=1.0 +ARG BASE_IMAGE=ubuntu:22.04 + +FROM alpine:3.19 AS builder + +COPY . . + +HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ "executable" ] \ No newline at end of file diff --git a/test/fixtures/dockerfile/any_name.debian b/test/fixtures/dockerfile/any_name.debian new file mode 100644 index 00000000000..9b120bfb8ab --- /dev/null +++ b/test/fixtures/dockerfile/any_name.debian @@ -0,0 +1,8 @@ +ARG VERSION=1.0 +ARG BASE_IMAGE=ubuntu:22.04 + +FROM alpine:3.19 AS builder + +COPY . . + +HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ "executable" ] \ No newline at end of file diff --git a/test/fixtures/dockerfile/any_name.ubi8 b/test/fixtures/dockerfile/any_name.ubi8 new file mode 100644 index 00000000000..9b120bfb8ab --- /dev/null +++ b/test/fixtures/dockerfile/any_name.ubi8 @@ -0,0 +1,8 @@ +ARG VERSION=1.0 +ARG BASE_IMAGE=ubuntu:22.04 + +FROM alpine:3.19 AS builder + +COPY . . + +HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ "executable" ] \ No newline at end of file diff --git a/test/fixtures/dockerfile/dockerFILE b/test/fixtures/dockerfile/dockerFILE new file mode 100644 index 00000000000..ca2ebdfb132 --- /dev/null +++ b/test/fixtures/dockerfile/dockerFILE @@ -0,0 +1,7 @@ +ARG BASE_IMAGE=ubuntu:22.04 + +FROM alpine:3.19 AS builder + +COPY . . + +HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ "executable" ] \ No newline at end of file diff --git a/test/fixtures/dockerfile/file.Dockerfile b/test/fixtures/dockerfile/file.Dockerfile new file mode 100644 index 00000000000..ca2ebdfb132 --- /dev/null +++ b/test/fixtures/dockerfile/file.Dockerfile @@ -0,0 +1,7 @@ +ARG BASE_IMAGE=ubuntu:22.04 + +FROM alpine:3.19 AS builder + +COPY . . + +HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ "executable" ] \ No newline at end of file 
diff --git a/test/fixtures/dockerfile/file_2.DOCKERfile b/test/fixtures/dockerfile/file_2.DOCKERfile new file mode 100644 index 00000000000..ca2ebdfb132 --- /dev/null +++ b/test/fixtures/dockerfile/file_2.DOCKERfile @@ -0,0 +1,7 @@ +ARG BASE_IMAGE=ubuntu:22.04 + +FROM alpine:3.19 AS builder + +COPY . . + +HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ "executable" ] \ No newline at end of file diff --git a/test/fixtures/dockerfile/random_name b/test/fixtures/dockerfile/random_name new file mode 100644 index 00000000000..28b863ff8de --- /dev/null +++ b/test/fixtures/dockerfile/random_name @@ -0,0 +1,7 @@ +ARG BASE_IMAGE=ubuntu:22.04 + +FROM alpine:3.19 AS builder + +COPY . . + +HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ "executable" ]C:\Users\AndrePer\OneDrive - Checkmarx\Documents\kics\test\fixtures\dockerfile\dockerfile.3 \ No newline at end of file diff --git a/test/fixtures/dockerfile/test_folder_names/docker/any_file.txt b/test/fixtures/dockerfile/test_folder_names/docker/any_file.txt new file mode 100644 index 00000000000..83acf398c06 --- /dev/null +++ b/test/fixtures/dockerfile/test_folder_names/docker/any_file.txt @@ -0,0 +1,5 @@ +FROM alpine:3.19 AS builder + +COPY . . + +HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ "executable" ] \ No newline at end of file diff --git a/test/fixtures/dockerfile/test_folder_names/dockerfile/any_file.txt b/test/fixtures/dockerfile/test_folder_names/dockerfile/any_file.txt new file mode 100644 index 00000000000..83acf398c06 --- /dev/null +++ b/test/fixtures/dockerfile/test_folder_names/dockerfile/any_file.txt @@ -0,0 +1,5 @@ +FROM alpine:3.19 AS builder + +COPY . . + +HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ "executable" ] \ No newline at end of file 
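Review bot: `test/fixtures/dockerfile/random_name` ends with a stray Windows path, `C:\Users\AndrePer\OneDrive - Checkmarx\Documents\kics\test\fixtures\dockerfile\dockerfile.3`, pasted onto the `HEALTHCHECK … CMD [ "executable" ]` line; it leaks a developer's local username and folder layout into the repository and leaves the fixture's last instruction malformed. The test only looks at the first instruction, so it passes anyway, which is exactly why the junk went unnoticed; the line should end at `CMD [ "executable" ]` like the sibling fixtures.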
diff --git a/test/fixtures/dockerfile/test_folder_names/dockerfiles/any_file.txt b/test/fixtures/dockerfile/test_folder_names/dockerfiles/any_file.txt new file mode 100644 index 00000000000..83acf398c06 --- /dev/null +++ b/test/fixtures/dockerfile/test_folder_names/dockerfiles/any_file.txt @@ -0,0 +1,5 @@ +FROM alpine:3.19 AS builder + +COPY . . + +HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ "executable" ] \ No newline at end of file diff --git a/test/fixtures/dockerfile/test_folder_names_case/Docker/any_file.txt b/test/fixtures/dockerfile/test_folder_names_case/Docker/any_file.txt new file mode 100644 index 00000000000..83acf398c06 --- /dev/null +++ b/test/fixtures/dockerfile/test_folder_names_case/Docker/any_file.txt @@ -0,0 +1,5 @@ +FROM alpine:3.19 AS builder + +COPY . . + +HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ "executable" ] \ No newline at end of file diff --git a/test/fixtures/dockerfile/test_folder_names_case/Dockerfile/any_file.txt b/test/fixtures/dockerfile/test_folder_names_case/Dockerfile/any_file.txt new file mode 100644 index 00000000000..83acf398c06 --- /dev/null +++ b/test/fixtures/dockerfile/test_folder_names_case/Dockerfile/any_file.txt @@ -0,0 +1,5 @@ +FROM alpine:3.19 AS builder + +COPY . . + +HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ "executable" ] \ No newline at end of file diff --git a/test/fixtures/dockerfile/test_folder_names_case/Dockerfiles/any_file.txt b/test/fixtures/dockerfile/test_folder_names_case/Dockerfiles/any_file.txt new file mode 100644 index 00000000000..83acf398c06 --- /dev/null +++ b/test/fixtures/dockerfile/test_folder_names_case/Dockerfiles/any_file.txt @@ -0,0 +1,5 @@ +FROM alpine:3.19 AS builder + +COPY . . + +HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ "executable" ] \ No newline at end of file 
diff --git a/test/fixtures/negative_dockerfile/not_dockerfile.debian b/test/fixtures/negative_dockerfile/not_dockerfile.debian new file mode 100644 index 00000000000..d9e8b4e17a4 --- /dev/null +++ b/test/fixtures/negative_dockerfile/not_dockerfile.debian @@ -0,0 +1,7 @@ +package main + +import "fmt" + +func main() { + fmt.Println("Hello, World!") +} \ No newline at end of file diff --git a/test/fixtures/negative_dockerfile/not_dockerfile.txt b/test/fixtures/negative_dockerfile/not_dockerfile.txt new file mode 100644 index 00000000000..847945a42b0 --- /dev/null +++ b/test/fixtures/negative_dockerfile/not_dockerfile.txt @@ -0,0 +1,3 @@ +# should not flag since name is not "dockerfile" and extension is not .dockerfile, .ubi8 or .debian (.txt) + +FROM alpine:3.19 AS builder \ No newline at end of file diff --git a/test/fixtures/negative_dockerfile/not_dockerfile.ubi8 b/test/fixtures/negative_dockerfile/not_dockerfile.ubi8 new file mode 100644 index 00000000000..3d781ec4ba6 --- /dev/null +++ b/test/fixtures/negative_dockerfile/not_dockerfile.ubi8 @@ -0,0 +1,5 @@ +public class HelloWorld { + public static void main(String[] args) { + System.out.println("Hello, World!"); + } +} \ No newline at end of file From 11ca94219ef164793c67218a7f5b271772979ca3 Mon Sep 17 00:00:00 2001 From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Thu, 12 Mar 2026 17:00:28 +0000 Subject: [PATCH 07/84] Added new helper function 'isDockerfileExtension' to get_extension utility to lower cyclomatic complexity --- pkg/utils/get_extension.go | 57 ++++++++++++++++++++------------------ 1 file changed, 30 insertions(+), 27 deletions(-) diff --git a/pkg/utils/get_extension.go b/pkg/utils/get_extension.go index f23f544a313..480f9affd45 100644 --- a/pkg/utils/get_extension.go +++ b/pkg/utils/get_extension.go 
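Review bot: The comment in `not_dockerfile.txt` gives an incomplete reason for the negative result: its content (`#` line, blank line, `FROM alpine…`) would pass `readPossibleDockerFile`, so it stays `.txt` only because it also sits outside a `docker`/`dockerfile`/`dockerfiles` directory and its name has no `dockerfile.` prefix. Saying so, e.g. `# negative only because the parent folder is not docker/dockerfile/dockerfiles and the name has no dockerfile. prefix; the content alone would pass the FROM check`, keeps the fixture from being moved under the positive tree by mistake.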
@@ -14,9 +14,7 @@ import ( // GetExtension gets the extension of a file path func GetExtension(path string) (string, error) { - // Get file information fileInfo, err := os.Stat(path) - extDockerfile := ".dockerfile" if err != nil { return "", fmt.Errorf("file %s not found", path) } 
@@ -25,44 +23,49 @@ func GetExtension(path string) (string, error) { return "", fmt.Errorf("the path %s is a directory", path) } - base := filepath.Base(path) - if strings.HasPrefix(strings.ToLower(base), "dockerfile.") { - return extDockerfile, nil + if ext, ok := isDockerfileExtension(path); ok { + return ext, nil } ext := filepath.Ext(path) - if strings.EqualFold(ext, ".dockerfile") { - return extDockerfile, nil - } - - dir := strings.ToLower(filepath.Base(filepath.Dir(path))) - if (dir == "docker" || dir == "dockerfile" || dir == "dockerfiles") && readPossibleDockerFile(path) { - return extDockerfile, nil - } - switch ext { case ".ubi8", ".debian": if readPossibleDockerFile(path) { - return extDockerfile, nil + return ".dockerfile", nil } case "": - if base == "tfvars" { - ext = ".tfvars" - } else { - isText, err := isTextFile(path) + if filepath.Base(path) == "tfvars" { + return ".tfvars", nil + } + isText, err := isTextFile(path) + if err != nil { + return "", err + } + if isText && readPossibleDockerFile(path) { + return ".dockerfile", nil + } + } + return ext, nil +} - if err != nil { - return "", err - } +func isDockerfileExtension(path string) (string, bool) { + extDockerfile := ".dockerfile" + base := filepath.Base(path) - if isText && readPossibleDockerFile(path) { - return extDockerfile, nil - } - } + if strings.HasPrefix(strings.ToLower(base), "dockerfile.") { + return extDockerfile, true + } + if strings.EqualFold(filepath.Ext(path), ".dockerfile") { + return extDockerfile, true } - return ext, nil + dir := strings.ToLower(filepath.Base(filepath.Dir(path))) + if (dir == "docker" || dir == "dockerfile" || dir == "dockerfiles") && readPossibleDockerFile(path) { + return extDockerfile, true + } + + return "", false } func readPossibleDockerFile(path string) bool { From 8d4adfbcea84e6194c7d19da7a3a68fcd04fdcb5 Mon Sep 17 00:00:00 2001 
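Review bot: isDockerfileExtension, added at the end of this hunk, can only ever return extDockerfile or "", so the (string, bool) signature carries nothing the bool does not; `func isDockerfileExtension(path string) bool` with `return ".dockerfile", nil` at the call site in GetExtension would be simpler. The helper also has no doc comment; something like `// isDockerfileExtension reports whether path is treated as a Dockerfile by name alone (basename "dockerfile.*" or a ".dockerfile" extension, case-insensitively) or, inside a docker/dockerfile/dockerfiles directory, by its content.` would state the three rules in one place. The new `filepath.Base(path) == "tfvars"` comparison stays case-sensitive while every Dockerfile check around it lower-cases first; if that asymmetry is deliberate, a one-line comment on it would save the next reader a question.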
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Thu, 12 Mar 2026 17:51:54 +0000 Subject: [PATCH 08/84] reverted accidental query change, fixed linting errors, fixed test errors, fixed 'gitignore' files exclusion, docker parser will handle said case like before but with explicit 'gitignore' extension rather than 'possibleDockerfile' like before --- .../dockerfile/missing_user_instruction/query.rego | 3 +-- pkg/analyzer/analyzer.go | 5 +++++ pkg/remediation/scan.go | 2 +- pkg/utils/get_extension.go | 8 ++++---- 4 files changed, 11 insertions(+), 7 deletions(-) diff --git a/assets/queries/dockerfile/missing_user_instruction/query.rego b/assets/queries/dockerfile/missing_user_instruction/query.rego index b4019390ca0..51913455708 100644 --- a/assets/queries/dockerfile/missing_user_instruction/query.rego +++ b/assets/queries/dockerfile/missing_user_instruction/query.rego @@ -1,7 +1,6 @@ package Cx import data.generic.dockerfile as dockerLib -import data.generic.common as common_lib CxPolicy[result] { resource := input.document[i].command[name] @@ -15,7 +14,7 @@ CxPolicy[result] { "searchKey": sprintf("FROM={{%s}}", [name]), "issueType": "MissingAttribute", "keyExpectedValue": "The 'Dockerfile' should contain the 'USER' instruction", - "keyActualValue": "The 'Dockerfile' does not contain any 'USER' instruction" + "keyActualValue": "The 'Dockerfile' does not contain any 'USER' instruction", } } diff --git a/pkg/analyzer/analyzer.go b/pkg/analyzer/analyzer.go index 8b658d4e8cb..43230a973bf 100644 --- a/pkg/analyzer/analyzer.go +++ b/pkg/analyzer/analyzer.go @@ -113,6 +113,7 @@ var ( ".conf": true, ".ini": true, ".bicep": true, + "gitignore": true, } supportedRegexes = map[string][]string{ "azureresourcemanager": append(armRegexTypes, arm), 
@@ -434,6 +435,10 @@ func (a *analyzerInfo) worker( //nolint: gocyclo linesCount, _ := utils.LineCounter(a.filePath, a.fallbackMinifiedFileLOC) switch ext { + case "gitignore": + { + unwanted <- a.filePath + } // Dockerfile case ".dockerfile", "dockerfile": if a.isAvailableType(dockerfile) { diff --git a/pkg/remediation/scan.go b/pkg/remediation/scan.go index aa67dda52a9..112295cd2c6 100644 --- a/pkg/remediation/scan.go +++ b/pkg/remediation/scan.go @@ -95,7 +95,7 @@ func getPayload(filePath string, content []byte, openAPIResolveReferences bool, var err error switch ext { - case ".dockerfile", "Dockerfile", ".ubi8", ".debian": + case ".dockerfile", "Dockerfile", "gitignore", ".ubi8", ".debian": p, err = parser.NewBuilder().Add(&dockerParser.Parser{}).Build([]string{""}, []string{""}) case terraformExtension: diff --git a/pkg/utils/get_extension.go b/pkg/utils/get_extension.go index 480f9affd45..5d7bb20db1e 100644 --- a/pkg/utils/get_extension.go +++ b/pkg/utils/get_extension.go @@ -23,6 +23,10 @@ func GetExtension(path string) (string, error) { return "", fmt.Errorf("the path %s is a directory", path) } + if strings.HasSuffix(filepath.Clean(path), "gitignore") { + return "gitignore", nil + } + if ext, ok := isDockerfileExtension(path); ok { return ext, nil } @@ -69,10 +73,6 @@ func isDockerfileExtension(path string) (string, bool) { } func readPossibleDockerFile(path string) bool { - path = filepath.Clean(path) - if strings.HasSuffix(path, "gitignore") { - return true - } file, err := os.Open(path) if err != nil { return false From bb88ff3a450da8f37c1c951d760c9b2139902fee Mon Sep 17 00:00:00 2001 
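Review bot: The new gitignore check in GetExtension, `strings.HasSuffix(filepath.Clean(path), "gitignore")`, matches any basename that merely ends in "gitignore" rather than exactly `.gitignore`/`gitignore`, and because it now runs before isDockerfileExtension it takes precedence over every Dockerfile rule; comparing the lower-cased basename, `base := strings.ToLower(filepath.Base(path))` and `if base == ".gitignore" || base == "gitignore" {`, would pin the intent. The test itself is the one moved out of readPossibleDockerFile, so only the precedence is new, which appears to be what the commit wants. In scan.go, routing "gitignore" to the Dockerfile parser while analyzer.go sends the same extension to `unwanted` reads as a contradiction without context; a comment on that case such as `// gitignore is routed to the Dockerfile parser to keep the pre-existing behaviour` would help.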
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Thu, 12 Mar 2026 18:40:46 +0000 Subject: [PATCH 09/84] linting fix and optimized case of file named dockerfile without extension so that it 1- gets detected regardless of syntax inside 2- gets detected withouth checking syntax inside through the code optimizing detection speed for said files --- pkg/analyzer/analyzer.go | 4 +--- pkg/utils/get_extension.go | 14 ++++++++------ 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/pkg/analyzer/analyzer.go b/pkg/analyzer/analyzer.go index 43230a973bf..dafa3b11551 100644 --- a/pkg/analyzer/analyzer.go +++ b/pkg/analyzer/analyzer.go @@ -436,9 +436,7 @@ func (a *analyzerInfo) worker( //nolint: gocyclo switch ext { case "gitignore": - { - unwanted <- a.filePath - } + unwanted <- a.filePath // Dockerfile case ".dockerfile", "dockerfile": if a.isAvailableType(dockerfile) { diff --git a/pkg/utils/get_extension.go b/pkg/utils/get_extension.go index 5d7bb20db1e..1a194e8c395 100644 --- a/pkg/utils/get_extension.go +++ b/pkg/utils/get_extension.go @@ -14,6 +14,7 @@ import ( // GetExtension gets the extension of a file path func GetExtension(path string) (string, error) { + extDockerfile := ".dockerfile" fileInfo, err := os.Stat(path) if err != nil { return "", fmt.Errorf("file %s not found", path) @@ -27,7 +28,7 @@ func GetExtension(path string) (string, error) { return "gitignore", nil } - if ext, ok := isDockerfileExtension(path); ok { + if ext, ok := isDockerfileExtension(path, extDockerfile); ok { return ext, nil } @@ -35,7 +36,7 @@ func GetExtension(path string) (string, error) { switch ext { case ".ubi8", ".debian": if readPossibleDockerFile(path) { - return ".dockerfile", nil + return extDockerfile, nil } case "": if filepath.Base(path) == "tfvars" { 
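Review bot: Declaring `extDockerfile := ".dockerfile"` as a local in GetExtension and then threading it through the isDockerfileExtension signature (the @@ -46 hunk on the next line, and again in the PATCH 10 hunk where `d := "dockerfile"` is introduced) is a roundabout way to satisfy a duplicate-string lint; a package-level `const extDockerfile = ".dockerfile"` in get_extension.go keeps the helper at `isDockerfileExtension(path string)` and removes the repetition in one place. The same applies to `d`: a `const dockerfileName = "dockerfile"` would also cover the `"dockerfile."` prefix, which the PATCH 10 hunk still leaves as a literal (`strings.HasPrefix(lower, dockerfileName+".")`). GetExtension's body continues outside these hunks.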
@@ -46,17 +47,17 @@ func GetExtension(path string) (string, error) { return "", err } if isText && readPossibleDockerFile(path) { - return ".dockerfile", nil + return extDockerfile, nil } } return ext, nil } -func isDockerfileExtension(path string) (string, bool) { - extDockerfile := ".dockerfile" +func isDockerfileExtension(path string, extDockerfile string) (string, bool) { base := filepath.Base(path) - if strings.HasPrefix(strings.ToLower(base), "dockerfile.") { + lower := strings.ToLower(base) + if lower == "dockerfile" || strings.HasPrefix(lower, "dockerfile.") { return extDockerfile, true } @@ -73,6 +74,7 @@ func isDockerfileExtension(path string) (string, bool) { } func readPossibleDockerFile(path string) bool { + path = filepath.Clean(path) file, err := os.Open(path) if err != nil { return false From 813c9f6193073b2a6ade7c6ef0ee7976547f3933 Mon Sep 17 00:00:00 2001 From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Thu, 12 Mar 2026 21:47:45 +0000 Subject: [PATCH 10/84] More changes to fix go lint, d variable so 'dockerfile' is not used twice and minor simplificaton of query arguments --- pkg/utils/get_extension.go | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/pkg/utils/get_extension.go b/pkg/utils/get_extension.go index 1a194e8c395..b496cd7c31f 100644 --- a/pkg/utils/get_extension.go +++ b/pkg/utils/get_extension.go 
@@ -53,20 +53,21 @@ func GetExtension(path string) (string, error) { return ext, nil } -func isDockerfileExtension(path string, extDockerfile string) (string, bool) { +func isDockerfileExtension(path, extDockerfile string) (string, bool) { base := filepath.Base(path) + d := "dockerfile" lower := strings.ToLower(base) - if lower == "dockerfile" || strings.HasPrefix(lower, "dockerfile.") { + if lower == d || strings.HasPrefix(lower, "dockerfile.") { return extDockerfile, true } - if strings.EqualFold(filepath.Ext(path), ".dockerfile") { + if strings.EqualFold(filepath.Ext(path), extDockerfile) { return extDockerfile, true } dir := strings.ToLower(filepath.Base(filepath.Dir(path))) - if (dir == "docker" || dir == "dockerfile" || dir == "dockerfiles") && readPossibleDockerFile(path) { + if (dir == "docker" || dir == d || dir == "dockerfiles") && readPossibleDockerFile(path) { return extDockerfile, true } From f1147e38f902f77e7a9336554e9f27e368934de3 Mon Sep 17 00:00:00 2001 
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Fri, 13 Mar 2026 16:41:36 +0000 Subject: [PATCH 11/84] Added samples for case insensitive testing on dockerfiles, added E2E test 105, improved uni tests to include new case insensitive samples --- e2e/fixtures/E2E_CLI_105_PAYLOAD.json | 1896 +++++++++++++++++ e2e/fixtures/E2E_CLI_105_RESULT.json | 492 +++++ .../e2e-cli-075_ansible_host_detected.go | 2 +- .../e2e-cli-105_valid_dockerfile_detected.go | 31 + pkg/utils/get_extension_test.go | 86 +- test/fixtures/dockerfile/Dockerfile-example | 14 +- .../dockerfile/{ => any_name}/DOCKERfile.txt | 0 .../{ => any_name}/Dockerfile.something | 0 .../dockerfile/{ => any_name}/any_name.debian | 0 .../dockerfile/{ => any_name}/any_name.ubi8 | 0 .../{file.Dockerfile => any_name/dockerFILE} | 3 + .../dockerfile/any_name/file.Dockerfile | 10 + .../{ => any_name}/file_2.DOCKERfile | 5 +- .../{dockerFILE => any_name/random_name} | 0 .../case_insensitive_tests/DOCKERfile.txt | 17 + .../Dockerfile.something | 8 + .../case_insensitive_tests/any_name.debian | 8 + .../case_insensitive_tests/any_name.ubi8 | 8 + .../case_insensitive_tests/dockerFILE | 10 + .../case_insensitive_tests/file.Dockerfile | 10 + .../case_insensitive_tests/file_2.DOCKERfile | 8 + .../case_insensitive_tests/random_name | 7 + test/fixtures/dockerfile/random_name | 7 - 23 files changed, 2590 insertions(+), 32 deletions(-) create mode 100644 e2e/fixtures/E2E_CLI_105_PAYLOAD.json create mode 100644 e2e/fixtures/E2E_CLI_105_RESULT.json create mode 100644 e2e/testcases/e2e-cli-105_valid_dockerfile_detected.go rename test/fixtures/dockerfile/{ => any_name}/DOCKERfile.txt (100%) rename test/fixtures/dockerfile/{ => any_name}/Dockerfile.something (100%) rename test/fixtures/dockerfile/{ => any_name}/any_name.debian (100%) rename test/fixtures/dockerfile/{ => any_name}/any_name.ubi8 (100%) rename test/fixtures/dockerfile/{file.Dockerfile => any_name/dockerFILE} (80%) create mode 100644 
test/fixtures/dockerfile/any_name/file.Dockerfile rename test/fixtures/dockerfile/{ => any_name}/file_2.DOCKERfile (66%) rename test/fixtures/dockerfile/{dockerFILE => any_name/random_name} (100%) create mode 100644 test/fixtures/dockerfile/case_insensitive_tests/DOCKERfile.txt create mode 100644 test/fixtures/dockerfile/case_insensitive_tests/Dockerfile.something create mode 100644 test/fixtures/dockerfile/case_insensitive_tests/any_name.debian create mode 100644 test/fixtures/dockerfile/case_insensitive_tests/any_name.ubi8 create mode 100644 test/fixtures/dockerfile/case_insensitive_tests/dockerFILE create mode 100644 test/fixtures/dockerfile/case_insensitive_tests/file.Dockerfile create mode 100644 test/fixtures/dockerfile/case_insensitive_tests/file_2.DOCKERfile create mode 100644 test/fixtures/dockerfile/case_insensitive_tests/random_name delete mode 100644 test/fixtures/dockerfile/random_name diff --git a/e2e/fixtures/E2E_CLI_105_PAYLOAD.json b/e2e/fixtures/E2E_CLI_105_PAYLOAD.json new file mode 100644 index 00000000000..d0a6488b123 --- /dev/null +++ b/e2e/fixtures/E2E_CLI_105_PAYLOAD.json 
@@ -0,0 +1,1896 @@ +{ + "document": [ + { + "args": [], + "command": { + "alpine:3.19 AS builder": [ + { + "Cmd": "from", + "EndLine": 13, + "Flags": [], + "JSON": false, + "Original": "FROM alpine:3.19 AS builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "AS", + "builder" + ], + "_kics_line": 13 + }, + { + "Cmd": "copy", + "EndLine": 15, + "Flags": [], + "JSON": false, + "Original": "COPY . .", + "SubCmd": "", + "Value": [ + ".", + "." + ], + "_kics_line": 15 + }, + { + "Cmd": "healthcheck", + "EndLine": 17, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "CMD", + "executable" + ], + "_kics_line": 17 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [], + "command": { + "openjdk:10-jdk": [ + { + "Cmd": "from", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "FROM openjdk:10-jdk", + "SubCmd": "", + "Value": [ + "openjdk:10-jdk" + ], + "_kics_line": 1 + }, + { + "Cmd": "volume", + "EndLine": 2, + "Flags": [], + "JSON": false, + "Original": "VOLUME /tmp", + "SubCmd": "", + "Value": [ + "/tmp" + ], + "_kics_line": 2 + }, + { + "Cmd": "add", + "EndLine": 3, + "Flags": [], + "JSON": false, + "Original": "ADD http://source.file/package.file.tar.gz /temp", + "SubCmd": "", + "Value": [ + "http://source.file/package.file.tar.gz", + "/temp" + ], + "_kics_line": 3 + }, + { + "Cmd": "run", + "EndLine": 4, + "Flags": [], + "JSON": false, + "Original": "RUN tar -xjf /temp/package.file.tar.gz ", + "SubCmd": "", + "Value": [ + "tar -xjf /temp/package.file.tar.gz" + ], + "_kics_line": 4 + }, + { + "Cmd": "arg", + "EndLine": 5, + "Flags": [], + "JSON": false, + "Original": "ARG JAR_FILE", + "SubCmd": "", + "Value": [ + "JAR_FILE" + ], + "_kics_line": 5 + }, + { + "Cmd": "add", + "EndLine": 6, + "Flags": [], + "JSON": false, + "Original": "ADD 
${JAR_FILE} app.jar", + "SubCmd": "", + "Value": [ + "${JAR_FILE}", + "app.jar" + ], + "_kics_line": 6 + }, + { + "Cmd": "entrypoint", + "EndLine": 7, + "Flags": [], + "JSON": true, + "Original": "ENTRYPOINT [\"java\",\"-Djava.security.egd=file:/dev/./urandom\",\"-jar\",\"/app.jar\"]", + "SubCmd": "", + "Value": [ + "java", + "-Djava.security.egd=file:/dev/./urandom", + "-jar", + "/app.jar" + ], + "_kics_line": 7 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [ + { + "Cmd": "arg", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "ARG VERSION=1.0", + "SubCmd": "", + "Value": [ + "VERSION=1.0" + ], + "_kics_line": 1 + }, + { + "Cmd": "arg", + "EndLine": 2, + "Flags": [], + "JSON": false, + "Original": "ARG BASE_IMAGE=ubuntu:22.04", + "SubCmd": "", + "Value": [ + "BASE_IMAGE=ubuntu:22.04" + ], + "_kics_line": 2 + } + ], + "command": { + "alpine:3.19 AS builder": [ + { + "Cmd": "from", + "EndLine": 4, + "Flags": [], + "JSON": false, + "Original": "FROM alpine:3.19 AS builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "AS", + "builder" + ], + "_kics_line": 4 + }, + { + "Cmd": "copy", + "EndLine": 6, + "Flags": [], + "JSON": false, + "Original": "COPY . .", + "SubCmd": "", + "Value": [ + ".", + "." 
+ ], + "_kics_line": 6 + }, + { + "Cmd": "healthcheck", + "EndLine": 8, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "CMD", + "executable" + ], + "_kics_line": 8 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [ + { + "Cmd": "arg", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "ARG VERSION=1.0", + "SubCmd": "", + "Value": [ + "VERSION=1.0" + ], + "_kics_line": 1 + }, + { + "Cmd": "arg", + "EndLine": 2, + "Flags": [], + "JSON": false, + "Original": "ARG BASE_IMAGE=ubuntu:22.04", + "SubCmd": "", + "Value": [ + "BASE_IMAGE=ubuntu:22.04" + ], + "_kics_line": 2 + } + ], + "command": { + "alpine:3.19 AS builder": [ + { + "Cmd": "from", + "EndLine": 4, + "Flags": [], + "JSON": false, + "Original": "FROM alpine:3.19 AS builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "AS", + "builder" + ], + "_kics_line": 4 + }, + { + "Cmd": "copy", + "EndLine": 6, + "Flags": [], + "JSON": false, + "Original": "COPY . .", + "SubCmd": "", + "Value": [ + ".", + "." 
+ ], + "_kics_line": 6 + }, + { + "Cmd": "healthcheck", + "EndLine": 8, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "CMD", + "executable" + ], + "_kics_line": 8 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [ + { + "Cmd": "arg", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "ARG VERSION=1.0", + "SubCmd": "", + "Value": [ + "VERSION=1.0" + ], + "_kics_line": 1 + }, + { + "Cmd": "arg", + "EndLine": 2, + "Flags": [], + "JSON": false, + "Original": "ARG BASE_IMAGE=ubuntu:22.04", + "SubCmd": "", + "Value": [ + "BASE_IMAGE=ubuntu:22.04" + ], + "_kics_line": 2 + } + ], + "command": { + "alpine:3.19 AS builder": [ + { + "Cmd": "from", + "EndLine": 4, + "Flags": [], + "JSON": false, + "Original": "FROM alpine:3.19 AS builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "AS", + "builder" + ], + "_kics_line": 4 + }, + { + "Cmd": "copy", + "EndLine": 6, + "Flags": [], + "JSON": false, + "Original": "COPY . .", + "SubCmd": "", + "Value": [ + ".", + "." 
+ ], + "_kics_line": 6 + }, + { + "Cmd": "healthcheck", + "EndLine": 8, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "CMD", + "executable" + ], + "_kics_line": 8 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [], + "command": { + "alpine:latest": [ + { + "Cmd": "from", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "FROM alpine:latest", + "SubCmd": "", + "Value": [ + "alpine:latest" + ], + "_kics_line": 1 + }, + { + "Cmd": "copy", + "EndLine": 3, + "Flags": [], + "JSON": false, + "Original": "COPY {{ file_path }} /test", + "SubCmd": "", + "Value": [ + "{{", + "file_path", + "}}", + "/test" + ], + "_kics_line": 3 + }, + { + "Cmd": "run", + "EndLine": 5, + "Flags": [], + "JSON": false, + "Original": "RUN echo \"failure\"", + "SubCmd": "", + "Value": [ + "echo \"failure\"" + ], + "_kics_line": 5 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [ + { + "Cmd": "arg", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "ARG BASE_IMAGE=ubuntu:22.04", + "SubCmd": "", + "Value": [ + "BASE_IMAGE=ubuntu:22.04" + ], + "_kics_line": 1 + }, + { + "Cmd": "arg", + "EndLine": 4, + "Flags": [], + "JSON": false, + "Original": "ARG JAR_FILE", + "SubCmd": "", + "Value": [ + "JAR_FILE" + ], + "_kics_line": 4 + } + ], + "command": { + "alpine:3.19 AS builder": [ + { + "Cmd": "from", + "EndLine": 6, + "Flags": [], + "JSON": false, + "Original": "FROM alpine:3.19 AS builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "AS", + "builder" + ], + "_kics_line": 6 + }, + { + "Cmd": "copy", + "EndLine": 8, + "Flags": [], + "JSON": false, + "Original": "COPY . .", + "SubCmd": "", + "Value": [ + ".", + "." 
+ ], + "_kics_line": 8 + }, + { + "Cmd": "healthcheck", + "EndLine": 10, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "CMD", + "executable" + ], + "_kics_line": 10 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [ + { + "Cmd": "arg", + "EndLine": 2, + "Flags": [], + "JSON": false, + "Original": "ARG BASE_IMAGE=ubuntu:22.04", + "SubCmd": "", + "Value": [ + "BASE_IMAGE=ubuntu:22.04" + ], + "_kics_line": 2 + } + ], + "command": { + "alpine:3.19 AS builder": [ + { + "Cmd": "from", + "EndLine": 6, + "Flags": [], + "JSON": false, + "Original": "FROM alpine:3.19 AS builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "AS", + "builder" + ], + "_kics_line": 6 + }, + { + "Cmd": "copy", + "EndLine": 8, + "Flags": [], + "JSON": false, + "Original": "COPY .. .", + "SubCmd": "", + "Value": [ + "..", + "." 
+ ], + "_kics_line": 8 + }, + { + "Cmd": "healthcheck", + "EndLine": 10, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "CMD", + "executable" + ], + "_kics_line": 10 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [ + { + "Cmd": "arg", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "ARG BASE_IMAGE=ubuntu:22.04", + "SubCmd": "", + "Value": [ + "BASE_IMAGE=ubuntu:22.04" + ], + "_kics_line": 1 + } + ], + "command": { + "alpine:3.19 AS builder": [ + { + "Cmd": "from", + "EndLine": 4, + "Flags": [], + "JSON": false, + "Original": "FROM alpine:3.19 AS builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "AS", + "builder" + ], + "_kics_line": 4 + }, + { + "Cmd": "copy", + "EndLine": 6, + "Flags": [], + "JSON": false, + "Original": "COPY .. .", + "SubCmd": "", + "Value": [ + "..", + "." 
+ ], + "_kics_line": 6 + }, + { + "Cmd": "healthcheck", + "EndLine": 8, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "CMD", + "executable" + ], + "_kics_line": 8 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [ + { + "Cmd": "arg", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "ARG BASE_IMAGE=ubuntu:22.04", + "SubCmd": "", + "Value": [ + "BASE_IMAGE=ubuntu:22.04" + ], + "_kics_line": 1 + } + ], + "command": { + "alpine:3.19 AS builder": [ + { + "Cmd": "from", + "EndLine": 3, + "Flags": [], + "JSON": false, + "Original": "FROM alpine:3.19 AS builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "AS", + "builder" + ], + "_kics_line": 3 + }, + { + "Cmd": "copy", + "EndLine": 5, + "Flags": [], + "JSON": false, + "Original": "COPY . .", + "SubCmd": "", + "Value": [ + ".", + "." + ], + "_kics_line": 5 + }, + { + "Cmd": "healthcheck", + "EndLine": 7, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "CMD", + "executable" + ], + "_kics_line": 7 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [], + "command": { + "alpine:3.19 as builder": [ + { + "Cmd": "from", + "EndLine": 13, + "Flags": [], + "JSON": false, + "Original": "from alpine:3.19 as builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "as", + "builder" + ], + "_kics_line": 13 + }, + { + "Cmd": "copy", + "EndLine": 15, + "Flags": [], + "JSON": false, + "Original": "copy . .", + "SubCmd": "", + "Value": [ + ".", + "." 
+ ], + "_kics_line": 15 + }, + { + "Cmd": "healthcheck", + "EndLine": 17, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "healthcheck --interval=30s --timeout=30s --start-period=5s --retries=3 cmd [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "cmd", + "executable" + ], + "_kics_line": 17 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [], + "command": { + "openjdk:10-jdk": [ + { + "Cmd": "from", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "from openjdk:10-jdk", + "SubCmd": "", + "Value": [ + "openjdk:10-jdk" + ], + "_kics_line": 1 + }, + { + "Cmd": "volume", + "EndLine": 2, + "Flags": [], + "JSON": false, + "Original": "volume /tmp", + "SubCmd": "", + "Value": [ + "/tmp" + ], + "_kics_line": 2 + }, + { + "Cmd": "add", + "EndLine": 3, + "Flags": [], + "JSON": false, + "Original": "add http://source.file/package.file.tar.gz /temp", + "SubCmd": "", + "Value": [ + "http://source.file/package.file.tar.gz", + "/temp" + ], + "_kics_line": 3 + }, + { + "Cmd": "run", + "EndLine": 4, + "Flags": [], + "JSON": false, + "Original": "run tar -xjf /temp/package.file.tar.gz ", + "SubCmd": "", + "Value": [ + "tar -xjf /temp/package.file.tar.gz" + ], + "_kics_line": 4 + }, + { + "Cmd": "arg", + "EndLine": 5, + "Flags": [], + "JSON": false, + "Original": "arg JAR_FILE", + "SubCmd": "", + "Value": [ + "JAR_FILE" + ], + "_kics_line": 5 + }, + { + "Cmd": "add", + "EndLine": 6, + "Flags": [], + "JSON": false, + "Original": "add ${JAR_FILE} app.jar", + "SubCmd": "", + "Value": [ + "${JAR_FILE}", + "app.jar" + ], + "_kics_line": 6 + }, + { + "Cmd": "entrypoint", + "EndLine": 7, + "Flags": [], + "JSON": true, + "Original": "entrypoint [\"java\",\"-Djava.security.egd=file:/dev/./urandom\",\"-jar\",\"/app.jar\"]", + "SubCmd": "", + "Value": [ + "java", + "-Djava.security.egd=file:/dev/./urandom", + "-jar", + "/app.jar" + ], + "_kics_line": 7 + } + ] + }, + "file": "file", + 
"id": "0" + }, + { + "args": [ + { + "Cmd": "arg", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "arg VERSION=1.0", + "SubCmd": "", + "Value": [ + "VERSION=1.0" + ], + "_kics_line": 1 + }, + { + "Cmd": "arg", + "EndLine": 2, + "Flags": [], + "JSON": false, + "Original": "arg BASE_IMAGE=ubuntu:22.04", + "SubCmd": "", + "Value": [ + "BASE_IMAGE=ubuntu:22.04" + ], + "_kics_line": 2 + } + ], + "command": { + "alpine:3.19 as builder": [ + { + "Cmd": "from", + "EndLine": 4, + "Flags": [], + "JSON": false, + "Original": "from alpine:3.19 as builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "as", + "builder" + ], + "_kics_line": 4 + }, + { + "Cmd": "copy", + "EndLine": 6, + "Flags": [], + "JSON": false, + "Original": "copy . .", + "SubCmd": "", + "Value": [ + ".", + "." + ], + "_kics_line": 6 + }, + { + "Cmd": "healthcheck", + "EndLine": 8, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "healthcheck --interval=30s --timeout=30s --start-period=5s --retries=3 cmd [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "cmd", + "executable" + ], + "_kics_line": 8 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [ + { + "Cmd": "arg", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "arg VERSION=1.0", + "SubCmd": "", + "Value": [ + "VERSION=1.0" + ], + "_kics_line": 1 + }, + { + "Cmd": "arg", + "EndLine": 2, + "Flags": [], + "JSON": false, + "Original": "arg BASE_IMAGE=ubuntu:22.04", + "SubCmd": "", + "Value": [ + "BASE_IMAGE=ubuntu:22.04" + ], + "_kics_line": 2 + } + ], + "command": { + "alpine:3.19 as builder": [ + { + "Cmd": "from", + "EndLine": 4, + "Flags": [], + "JSON": false, + "Original": "from alpine:3.19 as builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "as", + "builder" + ], + "_kics_line": 4 + }, + { + "Cmd": "copy", + "EndLine": 6, + "Flags": [], + "JSON": false, + "Original": "copy . .", + "SubCmd": "", + "Value": [ + ".", + "." 
+ ], + "_kics_line": 6 + }, + { + "Cmd": "healthcheck", + "EndLine": 8, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "healthcheck --interval=30s --timeout=30s --start-period=5s --retries=3 cmd [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "cmd", + "executable" + ], + "_kics_line": 8 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [ + { + "Cmd": "arg", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "arg VERSION=1.0", + "SubCmd": "", + "Value": [ + "VERSION=1.0" + ], + "_kics_line": 1 + }, + { + "Cmd": "arg", + "EndLine": 2, + "Flags": [], + "JSON": false, + "Original": "arg BASE_IMAGE=ubuntu:22.04", + "SubCmd": "", + "Value": [ + "BASE_IMAGE=ubuntu:22.04" + ], + "_kics_line": 2 + } + ], + "command": { + "alpine:3.19 as builder": [ + { + "Cmd": "from", + "EndLine": 4, + "Flags": [], + "JSON": false, + "Original": "from alpine:3.19 as builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "as", + "builder" + ], + "_kics_line": 4 + }, + { + "Cmd": "copy", + "EndLine": 6, + "Flags": [], + "JSON": false, + "Original": "copy . .", + "SubCmd": "", + "Value": [ + ".", + "." 
+ ], + "_kics_line": 6 + }, + { + "Cmd": "healthcheck", + "EndLine": 8, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "healthcheck --interval=30s --timeout=30s --start-period=5s --retries=3 cmd [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "cmd", + "executable" + ], + "_kics_line": 8 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [], + "command": { + "alpine:latest": [ + { + "Cmd": "from", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "from alpine:latest", + "SubCmd": "", + "Value": [ + "alpine:latest" + ], + "_kics_line": 1 + }, + { + "Cmd": "copy", + "EndLine": 3, + "Flags": [], + "JSON": false, + "Original": "copy {{ file_path }} /test", + "SubCmd": "", + "Value": [ + "{{", + "file_path", + "}}", + "/test" + ], + "_kics_line": 3 + }, + { + "Cmd": "run", + "EndLine": 5, + "Flags": [], + "JSON": false, + "Original": "run echo \"failure\"", + "SubCmd": "", + "Value": [ + "echo \"failure\"" + ], + "_kics_line": 5 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [ + { + "Cmd": "arg", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "arg BASE_IMAGE=ubuntu:22.04", + "SubCmd": "", + "Value": [ + "BASE_IMAGE=ubuntu:22.04" + ], + "_kics_line": 1 + }, + { + "Cmd": "arg", + "EndLine": 4, + "Flags": [], + "JSON": false, + "Original": "arg JAR_FILE", + "SubCmd": "", + "Value": [ + "JAR_FILE" + ], + "_kics_line": 4 + } + ], + "command": { + "alpine:3.19 as builder": [ + { + "Cmd": "from", + "EndLine": 6, + "Flags": [], + "JSON": false, + "Original": "from alpine:3.19 as builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "as", + "builder" + ], + "_kics_line": 6 + }, + { + "Cmd": "copy", + "EndLine": 8, + "Flags": [], + "JSON": false, + "Original": "copy . .", + "SubCmd": "", + "Value": [ + ".", + "." 
+ ], + "_kics_line": 8 + }, + { + "Cmd": "healthcheck", + "EndLine": 10, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "healthcheck --interval=30s --timeout=30s --start-period=5s --retries=3 cmd [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "cmd", + "executable" + ], + "_kics_line": 10 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [ + { + "Cmd": "arg", + "EndLine": 2, + "Flags": [], + "JSON": false, + "Original": "arg BASE_IMAGE=ubuntu:22.04", + "SubCmd": "", + "Value": [ + "BASE_IMAGE=ubuntu:22.04" + ], + "_kics_line": 2 + } + ], + "command": { + "alpine:3.19 as builder": [ + { + "Cmd": "from", + "EndLine": 6, + "Flags": [], + "JSON": false, + "Original": "from alpine:3.19 as builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "as", + "builder" + ], + "_kics_line": 6 + }, + { + "Cmd": "copy", + "EndLine": 8, + "Flags": [], + "JSON": false, + "Original": "copy . .", + "SubCmd": "", + "Value": [ + ".", + "." 
+ ], + "_kics_line": 8 + }, + { + "Cmd": "healthcheck", + "EndLine": 10, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "healthcheck --interval=30s --timeout=30s --start-period=5s --retries=3 cmd [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "cmd", + "executable" + ], + "_kics_line": 10 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [ + { + "Cmd": "arg", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "arg BASE_IMAGE=ubuntu:22.04", + "SubCmd": "", + "Value": [ + "BASE_IMAGE=ubuntu:22.04" + ], + "_kics_line": 1 + } + ], + "command": { + "alpine:3.19 AS builder": [ + { + "Cmd": "from", + "EndLine": 4, + "Flags": [], + "JSON": false, + "Original": "from alpine:3.19 AS builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "AS", + "builder" + ], + "_kics_line": 4 + }, + { + "Cmd": "copy", + "EndLine": 6, + "Flags": [], + "JSON": false, + "Original": "copy .. .", + "SubCmd": "", + "Value": [ + "..", + "." 
+ ], + "_kics_line": 6 + }, + { + "Cmd": "healthcheck", + "EndLine": 8, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "healthcheck --interval=30s --timeout=30s --start-period=5s --retries=3 cmd [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "cmd", + "executable" + ], + "_kics_line": 8 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [ + { + "Cmd": "arg", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "arg BASE_IMAGE=ubuntu:22.04", + "SubCmd": "", + "Value": [ + "BASE_IMAGE=ubuntu:22.04" + ], + "_kics_line": 1 + } + ], + "command": { + "alpine:3.19 as builder": [ + { + "Cmd": "from", + "EndLine": 3, + "Flags": [], + "JSON": false, + "Original": "from alpine:3.19 as builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "as", + "builder" + ], + "_kics_line": 3 + }, + { + "Cmd": "copy", + "EndLine": 5, + "Flags": [], + "JSON": false, + "Original": "copy . .", + "SubCmd": "", + "Value": [ + ".", + "." + ], + "_kics_line": 5 + }, + { + "Cmd": "healthcheck", + "EndLine": 7, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "healthcheck --interval=30s --timeout=30s --start-period=5s --retries=3 cmd [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "cmd", + "executable" + ], + "_kics_line": 7 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [], + "command": { + "alpine:3.19 AS builder": [ + { + "Cmd": "from", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "FROM alpine:3.19 AS builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "AS", + "builder" + ], + "_kics_line": 1 + }, + { + "Cmd": "copy", + "EndLine": 3, + "Flags": [], + "JSON": false, + "Original": "COPY . .", + "SubCmd": "", + "Value": [ + ".", + "." 
+ ], + "_kics_line": 3 + }, + { + "Cmd": "healthcheck", + "EndLine": 5, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "CMD", + "executable" + ], + "_kics_line": 5 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [], + "command": { + "alpine:3.19 AS builder": [ + { + "Cmd": "from", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "FROM alpine:3.19 AS builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "AS", + "builder" + ], + "_kics_line": 1 + }, + { + "Cmd": "copy", + "EndLine": 3, + "Flags": [], + "JSON": false, + "Original": "COPY . .", + "SubCmd": "", + "Value": [ + ".", + "." + ], + "_kics_line": 3 + }, + { + "Cmd": "healthcheck", + "EndLine": 5, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "CMD", + "executable" + ], + "_kics_line": 5 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [], + "command": { + "alpine:3.19 AS builder": [ + { + "Cmd": "from", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "FROM alpine:3.19 AS builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "AS", + "builder" + ], + "_kics_line": 1 + }, + { + "Cmd": "copy", + "EndLine": 3, + "Flags": [], + "JSON": false, + "Original": "COPY . .", + "SubCmd": "", + "Value": [ + ".", + "." 
+ ], + "_kics_line": 3 + }, + { + "Cmd": "healthcheck", + "EndLine": 5, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "CMD", + "executable" + ], + "_kics_line": 5 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [], + "command": { + "alpine:3.19 AS builder": [ + { + "Cmd": "from", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "FROM alpine:3.19 AS builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "AS", + "builder" + ], + "_kics_line": 1 + }, + { + "Cmd": "copy", + "EndLine": 3, + "Flags": [], + "JSON": false, + "Original": "COPY . .", + "SubCmd": "", + "Value": [ + ".", + "." + ], + "_kics_line": 3 + }, + { + "Cmd": "healthcheck", + "EndLine": 5, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "CMD", + "executable" + ], + "_kics_line": 5 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [], + "command": { + "alpine:3.19 AS builder": [ + { + "Cmd": "from", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "FROM alpine:3.19 AS builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "AS", + "builder" + ], + "_kics_line": 1 + }, + { + "Cmd": "copy", + "EndLine": 3, + "Flags": [], + "JSON": false, + "Original": "COPY . .", + "SubCmd": "", + "Value": [ + ".", + "." 
+ ], + "_kics_line": 3 + }, + { + "Cmd": "healthcheck", + "EndLine": 5, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "CMD", + "executable" + ], + "_kics_line": 5 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [], + "command": { + "alpine:3.19 AS builder": [ + { + "Cmd": "from", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "FROM alpine:3.19 AS builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "AS", + "builder" + ], + "_kics_line": 1 + }, + { + "Cmd": "copy", + "EndLine": 3, + "Flags": [], + "JSON": false, + "Original": "COPY . .", + "SubCmd": "", + "Value": [ + ".", + "." + ], + "_kics_line": 3 + }, + { + "Cmd": "healthcheck", + "EndLine": 5, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "CMD", + "executable" + ], + "_kics_line": 5 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [ + { + "Cmd": "package", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "package main", + "SubCmd": "", + "Value": [ + "" + ], + "_kics_line": 1 + }, + { + "Cmd": "import", + "EndLine": 3, + "Flags": [], + "JSON": false, + "Original": "import \"fmt\"", + "SubCmd": "", + "Value": [ + "" + ], + "_kics_line": 3 + }, + { + "Cmd": "func", + "EndLine": 5, + "Flags": [], + "JSON": false, + "Original": "func main() {", + "SubCmd": "", + "Value": [ + "" + ], + "_kics_line": 5 + }, + { + "Cmd": "fmt.println(\"hello,", + "EndLine": 6, + "Flags": [], + "JSON": false, + "Original": "fmt.Println(\"Hello, World!\")", + "SubCmd": "", + "Value": [ + "" + ], + "_kics_line": 6 + }, + { + "Cmd": "}", + "EndLine": 7, + "Flags": null, 
+ "JSON": false, + "Original": "}", + "SubCmd": "", + "Value": [ + "" + ], + "_kics_line": 7 + } + ], + "command": {}, + "file": "file", + "id": "0" + }, + { + "args": [ + { + "Cmd": "public", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "public class HelloWorld {", + "SubCmd": "", + "Value": [ + "" + ], + "_kics_line": 1 + }, + { + "Cmd": "public", + "EndLine": 2, + "Flags": [], + "JSON": false, + "Original": "public static void main(String[] args) {", + "SubCmd": "", + "Value": [ + "" + ], + "_kics_line": 2 + }, + { + "Cmd": "system.out.println(\"hello,", + "EndLine": 3, + "Flags": [], + "JSON": false, + "Original": "System.out.println(\"Hello, World!\");", + "SubCmd": "", + "Value": [ + "" + ], + "_kics_line": 3 + }, + { + "Cmd": "}", + "EndLine": 4, + "Flags": null, + "JSON": false, + "Original": "}", + "SubCmd": "", + "Value": [ + "" + ], + "_kics_line": 4 + }, + { + "Cmd": "}", + "EndLine": 5, + "Flags": null, + "JSON": false, + "Original": "}", + "SubCmd": "", + "Value": [ + "" + ], + "_kics_line": 5 + } + ], + "command": {}, + "file": "file", + "id": "0" + } + ] +} diff --git a/e2e/fixtures/E2E_CLI_105_RESULT.json b/e2e/fixtures/E2E_CLI_105_RESULT.json new file mode 100644 index 00000000000..15bba606139 --- /dev/null +++ b/e2e/fixtures/E2E_CLI_105_RESULT.json 
@@ -0,0 +1,492 @@ +{ + "kics_version": "development", + "files_scanned": 28, + "lines_scanned": 226, + "files_parsed": 28, + "lines_parsed": 218, + "lines_ignored": 8, + "files_failed_to_scan": 0, + "queries_total": 48, + "queries_failed_to_execute": 1, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 25, + "INFO": 0, + "LOW": 6, + "MEDIUM": 4, + "TRACE": 0 + }, + "total_counter": 35, + "total_bom_resources": 0, + "start": "2026-03-13T15:59:29.4211175Z", + "end": "2026-03-13T15:59:30.4080105Z", + "paths": [ + "/path/test/fixtures/dockerfile", + "/path/test/fixtures/negative_dockerfile" + ], + "queries": [ + { + "query_name": "Missing User Instruction", + "query_id": "fd54f200-402c-4333-a5a4-36ef6709af2f", + "query_url": "https://docs.docker.com/engine/reference/builder/#user", + "severity": "HIGH", + "platform": "Dockerfile", + "cwe": "250", + "risk_score": "7.7", + "cloud_provider": "COMMON", + "category": "Build Process", + "experimental": false, + "description": "Always set a user in the runtime stage of your Dockerfile. 
Without it, the container defaults to root, even if earlier build stages define a user.", + "description_id": "eb49caf6", + "files": [ + { + "file_name": "/path/test/fixtures/dockerfile/any_name/DOCKERfile.txt", + "similarity_id": "5663f110b46dbc0378ff0540fc4a54700c80197a1ced862564f987d4f2e7116d", + "line": 13, + "issue_type": "MissingAttribute", + "search_key": "FROM={{alpine:3.19 AS builder}}", + "search_line": -1, + "search_value": "", + "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", + "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" + }, + { + "file_name": "/path/test/fixtures/dockerfile/any_name/file_2.DOCKERfile", + "similarity_id": "29858cfa69a98973cc1ae10f84e66267240bd630126eba2ba15e58a7aa2dd54d", + "line": 4, + "issue_type": "MissingAttribute", + "search_key": "FROM={{alpine:3.19 AS builder}}", + "search_line": -1, + "search_value": "", + "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", + "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" + }, + { + "file_name": "/path/test/fixtures/dockerfile/case_insensitive_tests/corrupted_dockerfile", + "similarity_id": "c5df5bbf63b3ba015d5e7a528f1c1159545d6b6cd7df31aea7411935822bd295", + "line": 1, + "issue_type": "MissingAttribute", + "search_key": "FROM={{alpine:latest}}", + "search_line": -1, + "search_value": "", + "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", + "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" + }, + { + "file_name": "/path/test/fixtures/dockerfile/case_insensitive_tests/dockerFILE", + "similarity_id": "9977ed3614740afd406ca0a86f0df4da5e8680efbb6e9e66ff71ae1dc2d9025f", + "line": 1, + "issue_type": "MissingAttribute", + "search_key": "FROM={{alpine:3.19 as builder}}", + "search_line": -1, + "search_value": "", + "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", + "actual_value": "The 'Dockerfile' does not contain 
any 'USER' instruction" + }, + { + "file_name": "/path/test/fixtures/dockerfile/any_name/file.Dockerfile", + "similarity_id": "1d972910b640dfb968ab630847182b4a19f44b78aeeaa0ef93c96c7e27aa8b6a", + "line": 6, + "issue_type": "MissingAttribute", + "search_key": "FROM={{alpine:3.19 AS builder}}", + "search_line": -1, + "search_value": "", + "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", + "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" + }, + { + "file_name": "/path/test/fixtures/dockerfile/test_folder_names_case/Dockerfile/any_file.txt", + "similarity_id": "47d6f707c904f56fe3ca1cc7bce1d2e0ae41d421da983110a5c15fc7e48105df", + "line": 1, + "issue_type": "MissingAttribute", + "search_key": "FROM={{alpine:3.19 AS builder}}", + "search_line": -1, + "search_value": "", + "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", + "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" + }, + { + "file_name": "/path/test/fixtures/dockerfile/any_name/dockerFILE", + "similarity_id": "e97a5ec241eb063c5757aed13a666c8126e4375ac9aed300cdc72d4ae883dfdc", + "line": 6, + "issue_type": "MissingAttribute", + "search_key": "FROM={{alpine:3.19 AS builder}}", + "search_line": -1, + "search_value": "", + "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", + "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" + }, + { + "file_name": "/path/test/fixtures/dockerfile/case_insensitive_tests/random_name", + "similarity_id": "4df62f3dddaa0fe84e53c387514ff1ffb2405fb47a80011271dfc6742078a0e8", + "line": 1, + "issue_type": "MissingAttribute", + "search_key": "FROM={{alpine:3.19 as builder}}", + "search_line": -1, + "search_value": "", + "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", + "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" + }, + { + "file_name": 
"/path/test/fixtures/dockerfile/any_name/random_name", + "similarity_id": "ee3531797486eec98e3dd28ec8cc5f7f6f00743d1cf79cd47f6859df87026f59", + "line": 3, + "issue_type": "MissingAttribute", + "search_key": "FROM={{alpine:3.19 AS builder}}", + "search_line": -1, + "search_value": "", + "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", + "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" + }, + { + "file_name": "/path/test/fixtures/dockerfile/test_folder_names/dockerfile/any_file.txt", + "similarity_id": "c2e7f0c0c566a723ff253f4a95e837749faba964ec008551c1f87a7faa476110", + "line": 1, + "issue_type": "MissingAttribute", + "search_key": "FROM={{alpine:3.19 AS builder}}", + "search_line": -1, + "search_value": "", + "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", + "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" + }, + { + "file_name": "/path/test/fixtures/dockerfile/test_folder_names_case/Docker/any_file.txt", + "similarity_id": "6da391b0e3e24d85f72b3ace5db0569be32ef11e6f9a433b138ae4e0b004df58", + "line": 1, + "issue_type": "MissingAttribute", + "search_key": "FROM={{alpine:3.19 AS builder}}", + "search_line": -1, + "search_value": "", + "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", + "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" + }, + { + "file_name": "/path/test/fixtures/dockerfile/test_folder_names/dockerfiles/any_file.txt", + "similarity_id": "e150676345e87674484ea970ca810125007b743069646ac448feaba242b7211f", + "line": 1, + "issue_type": "MissingAttribute", + "search_key": "FROM={{alpine:3.19 AS builder}}", + "search_line": -1, + "search_value": "", + "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", + "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" + }, + { + "file_name": "/path/test/fixtures/dockerfile/case_insensitive_tests/Dockerfile-example", + 
"similarity_id": "4f6a063f2127071c0ee7f63c2fc28f663297e9fa775f1e894789aa97b3d76363", + "line": 1, + "issue_type": "MissingAttribute", + "search_key": "FROM={{openjdk:10-jdk}}", + "search_line": -1, + "search_value": "", + "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", + "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" + }, + { + "file_name": "/path/test/fixtures/dockerfile/case_insensitive_tests/DOCKERfile.txt", + "similarity_id": "f9caf5d57d5872073bc7b7a555a3283708f72c9990689c8d4e6b3ce1957b496a", + "line": 1, + "issue_type": "MissingAttribute", + "search_key": "FROM={{alpine:3.19 as builder}}", + "search_line": -1, + "search_value": "", + "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", + "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" + }, + { + "file_name": "/path/test/fixtures/dockerfile/any_name/any_name.ubi8", + "similarity_id": "4d64348b27180d867de9cf04a51db582786ea6622adb94fb54fdbac03b284769", + "line": 4, + "issue_type": "MissingAttribute", + "search_key": "FROM={{alpine:3.19 AS builder}}", + "search_line": -1, + "search_value": "", + "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", + "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" + }, + { + "file_name": "/path/test/fixtures/dockerfile/case_insensitive_tests/any_name.debian", + "similarity_id": "c949a1c23fe7c61dea7daac22ce6a13ffb8dec65b4bcbeacc76bf295518e72ef", + "line": 1, + "issue_type": "MissingAttribute", + "search_key": "FROM={{alpine:3.19 as builder}}", + "search_line": -1, + "search_value": "", + "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", + "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" + }, + { + "file_name": "/path/test/fixtures/dockerfile/any_name/Dockerfile-example", + "similarity_id": "e2ce59bd4b3af78da6c5d27b85a6a82131e24d4efbdd7182f03951a17d57e614", + "line": 1, + 
"issue_type": "MissingAttribute", + "search_key": "FROM={{openjdk:10-jdk}}", + "search_line": -1, + "search_value": "", + "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", + "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" + }, + { + "file_name": "/path/test/fixtures/dockerfile/any_name/Dockerfile.something", + "similarity_id": "b41a39fe06c21fc69fbd6e8f7b3e2c44e8d0d7a8e2b0e0c251f5d6a174e031ee", + "line": 4, + "issue_type": "MissingAttribute", + "search_key": "FROM={{alpine:3.19 AS builder}}", + "search_line": -1, + "search_value": "", + "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", + "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" + }, + { + "file_name": "/path/test/fixtures/dockerfile/test_folder_names_case/Dockerfiles/any_file.txt", + "similarity_id": "b58c4c4ed6c88b82fdf62608154342a31a2de95eaae39716ff4f6ccf1a5bcdda", + "line": 1, + "issue_type": "MissingAttribute", + "search_key": "FROM={{alpine:3.19 AS builder}}", + "search_line": -1, + "search_value": "", + "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", + "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" + }, + { + "file_name": "/path/test/fixtures/dockerfile/case_insensitive_tests/any_name.ubi8", + "similarity_id": "ce95928798897e3f22c2677202d38812030cc2dfb5cf0470d397d7baaf8c1de1", + "line": 1, + "issue_type": "MissingAttribute", + "search_key": "FROM={{alpine:3.19 as builder}}", + "search_line": -1, + "search_value": "", + "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", + "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" + }, + { + "file_name": "/path/test/fixtures/dockerfile/case_insensitive_tests/Dockerfile.something", + "similarity_id": "2b1d191f474528c93b66c1f5f891efd3763834725ed4008cbd216702f576ef20", + "line": 1, + "issue_type": "MissingAttribute", + "search_key": "FROM={{alpine:3.19 as 
builder}}", + "search_line": -1, + "search_value": "", + "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", + "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" + }, + { + "file_name": "/path/test/fixtures/dockerfile/test_folder_names/docker/any_file.txt", + "similarity_id": "9d78b93c92fe63c29dec006a12993b74dc6c6fbf29ae295ff7c6e19136657e2d", + "line": 1, + "issue_type": "MissingAttribute", + "search_key": "FROM={{alpine:3.19 AS builder}}", + "search_line": -1, + "search_value": "", + "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", + "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" + }, + { + "file_name": "/path/test/fixtures/dockerfile/any_name/corrupted_dockerfile", + "similarity_id": "3b246c7fab3ccd04b8a768ed5ad49fe749bb5b10d8ec9793744b3b7342c8cb43", + "line": 1, + "issue_type": "MissingAttribute", + "search_key": "FROM={{alpine:latest}}", + "search_line": -1, + "search_value": "", + "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", + "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" + }, + { + "file_name": "/path/test/fixtures/dockerfile/case_insensitive_tests/file_2.DOCKERfile", + "similarity_id": "b0694a2913d293ea034d0fe62bd549aed2dd316a81fb82b611a7ab901e32b1b6", + "line": 1, + "issue_type": "MissingAttribute", + "search_key": "FROM={{alpine:3.19 AS builder}}", + "search_line": -1, + "search_value": "", + "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", + "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" + }, + { + "file_name": "/path/test/fixtures/dockerfile/any_name/any_name.debian", + "similarity_id": "ef335c394fbaebc802c99ba59b1b3ec830043ac020b711efc7cf497752b73429", + "line": 4, + "issue_type": "MissingAttribute", + "search_key": "FROM={{alpine:3.19 AS builder}}", + "search_line": -1, + "search_value": "", + "expected_value": "The 'Dockerfile' should 
contain the 'USER' instruction", + "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" + } + ] + }, + { + "query_name": "Add Instead of Copy", + "query_id": "9513a694-aa0d-41d8-be61-3271e056f36b", + "query_url": "https://docs.docker.com/engine/reference/builder/#add", + "severity": "MEDIUM", + "platform": "Dockerfile", + "cwe": "610", + "risk_score": "5.2", + "category": "Supply-Chain", + "experimental": false, + "description": "Using ADD to load external installation scripts could lead to an evil web server leveraging this and loading a malicious script.", + "description_id": "0aedd324", + "files": [ + { + "file_name": "/path/test/fixtures/dockerfile/any_name/Dockerfile-example", + "similarity_id": "3f6df15f029bab62aac046654e04f787ff09b8c61bc6ccb8abdf11b8a9162886", + "line": 6, + "issue_type": "IncorrectValue", + "search_key": "FROM={{openjdk:10-jdk}}.{{ADD ${JAR_FILE} app.jar}}", + "search_line": -1, + "search_value": "", + "expected_value": "'COPY' ${JAR_FILE}", + "actual_value": "'ADD' ${JAR_FILE}" + }, + { + "file_name": "/path/test/fixtures/dockerfile/case_insensitive_tests/Dockerfile-example", + "similarity_id": "86a9e39633f72e3a93a6412eb11153740c5eba8edac285ce8046b8e6a1655506", + "line": 1, + "issue_type": "IncorrectValue", + "search_key": "FROM={{openjdk:10-jdk}}.{{add ${JAR_FILE} app.jar}}", + "search_line": -1, + "search_value": "", + "expected_value": "'COPY' ${JAR_FILE}", + "actual_value": "'ADD' ${JAR_FILE}" + } + ] + }, + { + "query_name": "Image Version Using 'latest'", + "query_id": "f45ea400-6bbe-4501-9fc7-1c3d75c32067", + "query_url": "https://docs.docker.com/develop/dev-best-practices/", + "severity": "MEDIUM", + "platform": "Dockerfile", + "cwe": "1357", + "risk_score": "5.1", + "category": "Best Practices", + "experimental": false, + "description": "When building images, always tag them with useful tags which codify version information, intended destination (prod or test, for instance), stability, or other information 
that is useful when deploying the application in different environments. Do not rely on the automatically-created latest tag", + "description_id": "22f535ec", + "files": [ + { + "file_name": "/path/test/fixtures/dockerfile/case_insensitive_tests/corrupted_dockerfile", + "similarity_id": "549bf684768e813a7c47c93394adccb913fa19227c01b72a30e1e3628fdff75d", + "line": 1, + "issue_type": "IncorrectValue", + "search_key": "FROM={{alpine:latest}}", + "search_line": -1, + "search_value": "", + "expected_value": "FROM alpine:latest:'version' where version should not be 'latest'", + "actual_value": "FROM alpine:latest'" + }, + { + "file_name": "/path/test/fixtures/dockerfile/any_name/corrupted_dockerfile", + "similarity_id": "5ce04edae6af79859372aa1df8ac452d212b1f9086d023a8929cc4813c4cc8da", + "line": 1, + "issue_type": "IncorrectValue", + "search_key": "FROM={{alpine:latest}}", + "search_line": -1, + "search_value": "", + "expected_value": "FROM alpine:latest:'version' where version should not be 'latest'", + "actual_value": "FROM alpine:latest'" + } + ] + }, + { + "query_name": "Curl or Wget Instead of Add", + "query_id": "4b410d24-1cbe-4430-a632-62c9a931cf1c", + "query_url": "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", + "severity": "LOW", + "platform": "Dockerfile", + "cwe": "610", + "risk_score": "2.8", + "category": "Best Practices", + "experimental": false, + "description": "Use of Curl or Wget should be done instead of Add to fetch packages from remote URLs due to the use of Add being strongly discouraged", + "description_id": "29e8216b", + "files": [ + { + "file_name": "/path/test/fixtures/dockerfile/any_name/Dockerfile-example", + "similarity_id": "ead0530c4a2e4acfaa1e4f7146582e526720d6fd1bf423297f0e068017c9868f", + "line": 3, + "issue_type": "IncorrectValue", + "search_key": "FROM={{openjdk:10-jdk}}.{{ADD http://source.file/package.file.tar.gz /temp}}", + "search_line": -1, + "search_value": "", + "expected_value": "Should use 'curl' 
or 'wget' to download http://source.file/package.file.tar.gz", + "actual_value": "'ADD' http://source.file/package.file.tar.gz" + }, + { + "file_name": "/path/test/fixtures/dockerfile/case_insensitive_tests/Dockerfile-example", + "similarity_id": "4a41ea8cb8093e0852046f5b11a4c5705e4973525319c92f05ce3935fe7594a8", + "line": 1, + "issue_type": "IncorrectValue", + "search_key": "FROM={{openjdk:10-jdk}}.{{add http://source.file/package.file.tar.gz /temp}}", + "search_line": -1, + "search_value": "", + "expected_value": "Should use 'curl' or 'wget' to download http://source.file/package.file.tar.gz", + "actual_value": "'ADD' http://source.file/package.file.tar.gz" + } + ] + }, + { + "query_name": "Healthcheck Instruction Missing", + "query_id": "b03a748a-542d-44f4-bb86-9199ab4fd2d5", + "query_url": "https://docs.docker.com/engine/reference/builder/#healthcheck", + "severity": "LOW", + "platform": "Dockerfile", + "cwe": "710", + "risk_score": "3.6", + "category": "Insecure Configurations", + "experimental": false, + "description": "Ensure that HEALTHCHECK is being used. 
The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working", + "description_id": "426121ee", + "files": [ + { + "file_name": "/path/test/fixtures/dockerfile/any_name/Dockerfile-example", + "similarity_id": "2cc23de86e69dec07197cfc0e7266f07f7d6bd6c9e7065f785583d8788a23abb", + "line": 1, + "issue_type": "MissingAttribute", + "search_key": "FROM={{openjdk:10-jdk}}", + "search_line": -1, + "search_value": "", + "expected_value": "Dockerfile should contain instruction 'HEALTHCHECK'", + "actual_value": "Dockerfile doesn't contain instruction 'HEALTHCHECK'" + }, + { + "file_name": "/path/test/fixtures/dockerfile/any_name/corrupted_dockerfile", + "similarity_id": "df38a06e4359d643206a6e67240cbbf070130c75ffeb461f44cca8495ce05014", + "line": 1, + "issue_type": "MissingAttribute", + "search_key": "FROM={{alpine:latest}}", + "search_line": -1, + "search_value": "", + "expected_value": "Dockerfile should contain instruction 'HEALTHCHECK'", + "actual_value": "Dockerfile doesn't contain instruction 'HEALTHCHECK'" + }, + { + "file_name": "/path/test/fixtures/dockerfile/case_insensitive_tests/Dockerfile-example", + "similarity_id": "4b896966a01b1dcd6cccce6a2be286296754da04726aa658062e940ad22ad174", + "line": 1, + "issue_type": "MissingAttribute", + "search_key": "FROM={{openjdk:10-jdk}}", + "search_line": -1, + "search_value": "", + "expected_value": "Dockerfile should contain instruction 'HEALTHCHECK'", + "actual_value": "Dockerfile doesn't contain instruction 'HEALTHCHECK'" + }, + { + "file_name": "/path/test/fixtures/dockerfile/case_insensitive_tests/corrupted_dockerfile", + "similarity_id": "5144da2a31e3d6a7d59ceae76bb30685fc147794929785906b3d748413409506", + "line": 1, + "issue_type": "MissingAttribute", + "search_key": "FROM={{alpine:latest}}", + "search_line": -1, + "search_value": "", + "expected_value": "Dockerfile should contain instruction 'HEALTHCHECK'", + "actual_value": "Dockerfile doesn't contain instruction 'HEALTHCHECK'" + } 
+ ]
+ }
+ ]
+}
diff --git a/e2e/testcases/e2e-cli-075_ansible_host_detected.go b/e2e/testcases/e2e-cli-075_ansible_host_detected.go
index 241bf3a7d21..b261a1d32ea 100644
--- a/e2e/testcases/e2e-cli-075_ansible_host_detected.go
+++ b/e2e/testcases/e2e-cli-075_ansible_host_detected.go
@@ -4,7 +4,7 @@ package testcases
 // should perform the scan successfully detect ansible and return result 40
 func init() { //nolint
 testSample := TestCase{
- Name: "should perform a valid scan and and detect ansible [E2E-CLI-075]",
+ Name: "should perform a valid scan and detect ansible [E2E-CLI-075]",
 Args: args{
 Args: []cmdArgs{
 []string{"scan", "-o", "/path/e2e/output",
diff --git a/e2e/testcases/e2e-cli-105_valid_dockerfile_detected.go b/e2e/testcases/e2e-cli-105_valid_dockerfile_detected.go
new file mode 100644
index 00000000000..c58e47a07f5
--- /dev/null
+++ b/e2e/testcases/e2e-cli-105_valid_dockerfile_detected.go
@@ -0,0 +1,31 @@
+package testcases
+
+// E2E-CLI-105 - KICS scan
+// should perform the scan successfully detect all valid dockerfile documents and return result 50
+func init() { //nolint
+ testSample := TestCase{
+ Name: "should perform a valid scan with all dockerfile documents parsed [E2E-CLI-105]",
+ Args: args{
+ Args: []cmdArgs{
+ []string{"scan", "-o", "/path/e2e/output",
+ "--output-name", "E2E_CLI_105_RESULT",
+ "-p", "\"/path/test/fixtures/dockerfile\"",
+ "-p", "\"/path/test/fixtures/negative_dockerfile\"",
+ "--payload-path", "/path/e2e/output/E2E_CLI_105_PAYLOAD.json",
+ },
+ },
+ ExpectedResult: []ResultsValidation{
+ {
+ ResultsFile: "E2E_CLI_105_RESULT",
+ ResultsFormats: []string{"json"},
+ },
+ },
+ ExpectedPayload: []string{
+ "E2E_CLI_105_PAYLOAD.json",
+ },
+ },
+ WantStatus: []int{50},
+ }
+
+ Tests = append(Tests, testSample)
+}
diff --git a/pkg/utils/get_extension_test.go b/pkg/utils/get_extension_test.go
index 442e08c2641..37df89de556 100644
--- a/pkg/utils/get_extension_test.go
+++ b/pkg/utils/get_extension_test.go
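Review bot: `"queries_failed_to_execute": 1` near the top of the hunk bakes a query execution failure into the golden result, so a later fix to that query will fail this e2e test instead of being caught by it; the failing query should be named in the test's header comment, or the counter brought to 0 before the fixture is committed. Also, `"files_parsed": 28` equals `"files_scanned": 28` even though `paths` includes `/path/test/fixtures/negative_dockerfile`, and the payload fixture earlier in this patch shows Go (`package main`, `func main() {`) and Java (`public class HelloWorld {`) sources tokenized as Dockerfile instructions with an empty `command` map. That suggests the classifier now hands non-Dockerfile content to the Dockerfile parser for anything under those fixture folders, and this fixture would lock that behaviour in; I'd confirm it is intended before merging the golden file.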
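Review bot: The header comment `// should perform the scan successfully detect all valid dockerfile documents and return result 50` does not say what is expected of the second `-p` path, `/path/test/fixtures/negative_dockerfile`, so the negative half of this test is documented nowhere but the golden JSON. I'd reword it to something like `// should parse every Dockerfile under test/fixtures/dockerfile, treat the files under negative_dockerfile as non-Dockerfile input, and exit with status 50 (HIGH findings present)`, adjusting the middle clause to whatever the fixture actually asserts. The `Name` string on the seventh line makes the same claim ("all dockerfile documents parsed") without mentioning the negatives.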
@@ -26,35 +26,35 @@ func TestGetExtension(t *testing.T) {
 {
 name: "Get extension from a file named as dockerFILE and without extension defined ('dockerFILE')",
 want: ".dockerfile",
- filePath: "../../test/fixtures/dockerfile/dockerFILE",
+ filePath: "../../test/fixtures/dockerfile/any_name/dockerFILE",
 toCreate: false,
 err: nil,
 },
 {
 name: "Get extension from a file not named 'dockerfile' with extension defined as Dockerfile ('file.Dockerfile')",
 want: ".dockerfile",
- filePath: "../../test/fixtures/dockerfile/file.Dockerfile",
+ filePath: "../../test/fixtures/dockerfile/any_name/file.Dockerfile",
 toCreate: false,
 err: nil,
 },
 {
 name: "Get extension from a file not named 'dockerfile' with extension defined as DOCKERfile ('file_2.DOCKERfile')",
 want: ".dockerfile",
- filePath: "../../test/fixtures/dockerfile/file_2.DOCKERfile",
+ filePath: "../../test/fixtures/dockerfile/any_name/file_2.DOCKERfile",
 toCreate: false,
 err: nil,
 },
 {
 name: "Get extension from a file named 'Dockerfile' with any extension defined ('Dockerfile.something')",
 want: ".dockerfile",
- filePath: "../../test/fixtures/dockerfile/Dockerfile.something",
+ filePath: "../../test/fixtures/dockerfile/any_name/Dockerfile.something",
 toCreate: false,
 err: nil,
 },
 {
 name: "Get extension from a file named 'DOCKERfile' with any extension defined ('DOCKERfile.txt')",
 want: ".dockerfile",
- filePath: "../../test/fixtures/dockerfile/DOCKERfile.txt",
+ filePath: "../../test/fixtures/dockerfile/any_name/DOCKERfile.txt",
 toCreate: false,
 err: nil,
 },
@@ -103,28 +103,21 @@ func TestGetExtension(t *testing.T) {
 {
 name: "Get extension from a file not named as Dockerfile and without extension defined ('random_name'), due to parent folder scan will identify dockerfile syntax regardless",
 want: ".dockerfile",
- filePath: "../../test/fixtures/dockerfile/random_name",
+ filePath: "../../test/fixtures/dockerfile/any_name/random_name",
 toCreate: false,
 err: nil,
 },
 {
 name: "Get extension from a valid text file with dockerfile syntax and '.ubi8' extension ('any_name.ubi8')",
 want: ".dockerfile",
- filePath: "../../test/fixtures/dockerfile/any_name.ubi8",
+ filePath: "../../test/fixtures/dockerfile/any_name/any_name.ubi8",
 toCreate: false,
 err: nil,
 },
 {
 name: "Get extension from a valid text file with dockerfile syntax and '.debian' extension ('any_name.debian')",
 want: ".dockerfile",
- filePath: "../../test/fixtures/dockerfile/any_name.debian",
- toCreate: false,
- err: nil,
- },
- {
- name: "Get extension from a file with extension defined ('positive.tf')",
- want: ".tf",
- filePath: "../../test/fixtures/all_auth_users_get_read_access/test/positive.tf",
+ filePath: "../../test/fixtures/dockerfile/any_name/any_name.debian",
 toCreate: false,
 err: nil,
 },
@@ -163,6 +156,69 @@ func TestGetExtension(t *testing.T) {
 toCreate: true,
 err: fmt.Errorf("the path %s is a directory", "../../test/fixtures/for_test_folder"),
 },
+ {
+ name: "Get extension from a file with extension defined ('positive.tf')",
+ want: ".tf",
+ filePath: "../../test/fixtures/all_auth_users_get_read_access/test/positive.tf",
+ toCreate: false,
+ err: nil,
+ },
+ {
+ name: "(Case_insensitive_tests) -- Get extension from a file named as dockerFILE and without extension defined ('dockerFILE')",
+ want: ".dockerfile",
+ filePath: "../../test/fixtures/dockerfile/case_insensitive_tests/dockerFILE",
+ toCreate: false,
+ err: nil,
+ },
+ {
+ name: "(Case_insensitive_tests) -- Get extension from a file not named 'dockerfile' with extension defined as Dockerfile ('file.Dockerfile')",
+ want: ".dockerfile",
+ filePath: "../../test/fixtures/dockerfile/case_insensitive_tests/file.Dockerfile",
+ toCreate: false,
+ err: nil,
+ },
+ {
+ name: "(Case_insensitive_tests) -- Get extension from a file not named 'dockerfile' with extension defined as DOCKERfile ('file_2.DOCKERfile')",
+ want: ".dockerfile",
+ filePath: "../../test/fixtures/dockerfile/case_insensitive_tests/file_2.DOCKERfile",
+ toCreate: false,
+ err: nil,
+ },
+ {
+ name: "(Case_insensitive_tests) -- Get extension from a file named 'Dockerfile' with any extension defined ('Dockerfile.something')",
+ want: ".dockerfile",
+ filePath: "../../test/fixtures/dockerfile/case_insensitive_tests/Dockerfile.something",
+ toCreate: false,
+ err: nil,
+ },
+ {
+ name: "(Case_insensitive_tests) -- Get extension from a file named 'DOCKERfile' with any extension defined ('DOCKERfile.txt')",
+ want: ".dockerfile",
+ filePath: "../../test/fixtures/dockerfile/case_insensitive_tests/DOCKERfile.txt",
+ toCreate: false,
+ err: nil,
+ },
+ {
+ name: "(Case_insensitive_tests) -- Get extension from a file not named as Dockerfile and without extension defined ('random_name'), due to parent folder scan will identify dockerfile 
syntax regardless",
+ want: ".dockerfile",
+ filePath: "../../test/fixtures/dockerfile/case_insensitive_tests/random_name",
+ toCreate: false,
+ err: nil,
+ },
+ {
+ name: "(Case_insensitive_tests) -- Get extension from a valid text file with dockerfile syntax and '.ubi8' extension ('any_name.ubi8')",
+ want: ".dockerfile",
+ filePath: "../../test/fixtures/dockerfile/case_insensitive_tests/any_name.ubi8",
+ toCreate: false,
+ err: nil,
+ },
+ {
+ name: "(Case_insensitive_tests) -- Get extension from a valid text file with dockerfile syntax and '.debian' extension ('any_name.debian')",
+ want: ".dockerfile",
+ filePath: "../../test/fixtures/dockerfile/case_insensitive_tests/any_name.debian",
+ toCreate: false,
+ err: nil,
+ },
 }
 for _, test := range tests {
diff --git a/test/fixtures/dockerfile/Dockerfile-example b/test/fixtures/dockerfile/Dockerfile-example
index 4bd67e4f18f..e41733e34fe 100644
--- a/test/fixtures/dockerfile/Dockerfile-example
+++ b/test/fixtures/dockerfile/Dockerfile-example
@@ -1,7 +1,7 @@
-FROM openjdk:10-jdk
-VOLUME /tmp
-ADD http://source.file/package.file.tar.gz /temp
-RUN tar -xjf /temp/package.file.tar.gz
-ARG JAR_FILE
-ADD ${JAR_FILE} app.jar
-ENTRYPOINT ["java","-Djava.security.egd=file:/dev/./urandom","-jar","/app.jar"]
+from openjdk:10-jdk
+volume /tmp
+add http://source.file/package.file.tar.gz /temp
+run tar -xjf /temp/package.file.tar.gz
+arg JAR_FILE
+add ${JAR_FILE} app.jar
+entrypoint ["java","-Djava.security.egd=file:/dev/./urandom","-jar","/app.jar"]
diff --git a/test/fixtures/dockerfile/DOCKERfile.txt b/test/fixtures/dockerfile/any_name/DOCKERfile.txt
similarity index 100%
rename from test/fixtures/dockerfile/DOCKERfile.txt
rename to test/fixtures/dockerfile/any_name/DOCKERfile.txt
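Review bot: The nine cases added in this hunk are all positive — every entry expects `.dockerfile` or `.tf` — and the `random_name` entries state in their names that a file under a folder named `dockerfile` is classified by its parent folder regardless of content, yet nothing pins the other side of that boundary: the same bare name or a `.ubi8`/`.debian` file outside such a folder, or a non-Dockerfile file inside one. If no such case exists elsewhere in the table (TestGetExtension's head and tail are outside this hunk), one negative entry per heuristic, with `want` set to whatever GetExtension returns for an unrecognised file, would keep the folder-name rule from widening unnoticed. The `any_name/` block (the two previous hunks) and the `case_insensitive_tests/` block here differ only in the directory and expect identical results, so iterating the two directories over one shared list of file names would halve the table and make the case-insensitivity intent explicit.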
diff --git a/test/fixtures/dockerfile/Dockerfile.something b/test/fixtures/dockerfile/any_name/Dockerfile.something
similarity index 100%
rename from test/fixtures/dockerfile/Dockerfile.something
rename to test/fixtures/dockerfile/any_name/Dockerfile.something
diff --git a/test/fixtures/dockerfile/any_name.debian b/test/fixtures/dockerfile/any_name/any_name.debian
similarity index 100%
rename from test/fixtures/dockerfile/any_name.debian
rename to test/fixtures/dockerfile/any_name/any_name.debian
diff --git a/test/fixtures/dockerfile/any_name.ubi8 b/test/fixtures/dockerfile/any_name/any_name.ubi8
similarity index 100%
rename from test/fixtures/dockerfile/any_name.ubi8
rename to test/fixtures/dockerfile/any_name/any_name.ubi8
diff --git a/test/fixtures/dockerfile/file.Dockerfile b/test/fixtures/dockerfile/any_name/dockerFILE
similarity index 80%
rename from test/fixtures/dockerfile/file.Dockerfile
rename to test/fixtures/dockerfile/any_name/dockerFILE
index ca2ebdfb132..151a7d85c3b 100644
--- a/test/fixtures/dockerfile/file.Dockerfile
+++ b/test/fixtures/dockerfile/any_name/dockerFILE
@@ -1,5 +1,8 @@
 ARG BASE_IMAGE=ubuntu:22.04
+# Comments between arg
+ARG JAR_FILE
+
 FROM alpine:3.19 AS builder
 COPY . .
diff --git a/test/fixtures/dockerfile/any_name/file.Dockerfile b/test/fixtures/dockerfile/any_name/file.Dockerfile
new file mode 100644
index 00000000000..3a7f648d220
--- /dev/null
+++ b/test/fixtures/dockerfile/any_name/file.Dockerfile
@@ -0,0 +1,10 @@
+# Comments before arg
+ARG BASE_IMAGE=ubuntu:22.04
+
+# Comments after arg
+
+FROM alpine:3.19 AS builder
+
+COPY .. .
+
+HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ "executable" ]
diff --git a/test/fixtures/dockerfile/file_2.DOCKERfile b/test/fixtures/dockerfile/any_name/file_2.DOCKERfile
similarity index 66%
rename from test/fixtures/dockerfile/file_2.DOCKERfile
rename to test/fixtures/dockerfile/any_name/file_2.DOCKERfile
index ca2ebdfb132..589ac77f479 100644
--- a/test/fixtures/dockerfile/file_2.DOCKERfile
+++ b/test/fixtures/dockerfile/any_name/file_2.DOCKERfile
@@ -1,7 +1,8 @@
 ARG BASE_IMAGE=ubuntu:22.04
+# Comments before FROM
 FROM alpine:3.19 AS builder
-COPY . .
+COPY .. .
-HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ "executable" ]
\ No newline at end of file
+HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ "executable" ]
diff --git a/test/fixtures/dockerfile/dockerFILE b/test/fixtures/dockerfile/any_name/random_name
similarity index 100%
rename from test/fixtures/dockerfile/dockerFILE
rename to test/fixtures/dockerfile/any_name/random_name
diff --git a/test/fixtures/dockerfile/case_insensitive_tests/DOCKERfile.txt b/test/fixtures/dockerfile/case_insensitive_tests/DOCKERfile.txt
new file mode 100644
index 00000000000..453f5147d38
--- /dev/null
+++ b/test/fixtures/dockerfile/case_insensitive_tests/DOCKERfile.txt
@@ -0,0 +1,17 @@
+
+
+
+
+
+
+
+
+
+
+
+
+from alpine:3.19 as builder
+
+copy . .
+
+healthcheck --interval=30s --timeout=30s --start-period=5s --retries=3 cmd [ "executable" ]
\ No newline at end of file
diff --git a/test/fixtures/dockerfile/case_insensitive_tests/Dockerfile.something b/test/fixtures/dockerfile/case_insensitive_tests/Dockerfile.something
new file mode 100644
index 00000000000..104b1d85e89
--- /dev/null
+++ b/test/fixtures/dockerfile/case_insensitive_tests/Dockerfile.something
@@ -0,0 +1,8 @@
+arg VERSION=1.0
+arg BASE_IMAGE=ubuntu:22.04
+
+from alpine:3.19 as builder
+
+copy . .
+
+healthcheck --interval=30s --timeout=30s --start-period=5s --retries=3 cmd [ "executable" ]
\ No newline at end of file
diff --git a/test/fixtures/dockerfile/case_insensitive_tests/any_name.debian b/test/fixtures/dockerfile/case_insensitive_tests/any_name.debian
new file mode 100644
index 00000000000..104b1d85e89
--- /dev/null
+++ b/test/fixtures/dockerfile/case_insensitive_tests/any_name.debian
@@ -0,0 +1,8 @@
+arg VERSION=1.0
+arg BASE_IMAGE=ubuntu:22.04
+
+from alpine:3.19 as builder
+
+copy . .
+
+healthcheck --interval=30s --timeout=30s --start-period=5s --retries=3 cmd [ "executable" ]
\ No newline at end of file
diff --git a/test/fixtures/dockerfile/case_insensitive_tests/any_name.ubi8 b/test/fixtures/dockerfile/case_insensitive_tests/any_name.ubi8
new file mode 100644
index 00000000000..104b1d85e89
--- /dev/null
+++ b/test/fixtures/dockerfile/case_insensitive_tests/any_name.ubi8
@@ -0,0 +1,8 @@
+arg VERSION=1.0
+arg BASE_IMAGE=ubuntu:22.04
+
+from alpine:3.19 as builder
+
+copy . .
+
+healthcheck --interval=30s --timeout=30s --start-period=5s --retries=3 cmd [ "executable" ]
\ No newline at end of file
diff --git a/test/fixtures/dockerfile/case_insensitive_tests/dockerFILE b/test/fixtures/dockerfile/case_insensitive_tests/dockerFILE
new file mode 100644
index 00000000000..a9b4c423e2c
--- /dev/null
+++ b/test/fixtures/dockerfile/case_insensitive_tests/dockerFILE
@@ -0,0 +1,10 @@
+arg BASE_IMAGE=ubuntu:22.04
+
+# Comments between arg
+arg JAR_FILE
+
+from alpine:3.19 as builder
+
+copy . .
+
+healthcheck --interval=30s --timeout=30s --start-period=5s --retries=3 cmd [ "executable" ]
\ No newline at end of file
diff --git a/test/fixtures/dockerfile/case_insensitive_tests/file.Dockerfile b/test/fixtures/dockerfile/case_insensitive_tests/file.Dockerfile
new file mode 100644
index 00000000000..66464c06378
--- /dev/null
+++ b/test/fixtures/dockerfile/case_insensitive_tests/file.Dockerfile
@@ -0,0 +1,10 @@
+# Comments before arg
+arg BASE_IMAGE=ubuntu:22.04
+
+# Comments after arg
+
+from alpine:3.19 as builder
+
+copy . .
+
+healthcheck --interval=30s --timeout=30s --start-period=5s --retries=3 cmd [ "executable" ]
diff --git a/test/fixtures/dockerfile/case_insensitive_tests/file_2.DOCKERfile b/test/fixtures/dockerfile/case_insensitive_tests/file_2.DOCKERfile
new file mode 100644
index 00000000000..b09209f5e55
--- /dev/null
+++ b/test/fixtures/dockerfile/case_insensitive_tests/file_2.DOCKERfile
@@ -0,0 +1,8 @@
+arg BASE_IMAGE=ubuntu:22.04
+# Comments before from
+
+from alpine:3.19 AS builder
+
+copy .. .
+
+healthcheck --interval=30s --timeout=30s --start-period=5s --retries=3 cmd [ "executable" ]
diff --git a/test/fixtures/dockerfile/case_insensitive_tests/random_name b/test/fixtures/dockerfile/case_insensitive_tests/random_name
new file mode 100644
index 00000000000..424b06c294c
--- /dev/null
+++ b/test/fixtures/dockerfile/case_insensitive_tests/random_name
@@ -0,0 +1,7 @@
+arg BASE_IMAGE=ubuntu:22.04
+
+from alpine:3.19 as builder
+
+copy . .
+
+healthcheck --interval=30s --timeout=30s --start-period=5s --retries=3 cmd [ "executable" ]
\ No newline at end of file
diff --git a/test/fixtures/dockerfile/random_name b/test/fixtures/dockerfile/random_name
deleted file mode 100644
index 28b863ff8de..00000000000
--- a/test/fixtures/dockerfile/random_name
+++ /dev/null
@@ -1,7 +0,0 @@
-ARG BASE_IMAGE=ubuntu:22.04
-
-FROM alpine:3.19 AS builder
-
-COPY . .
-
-HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ "executable" ]C:\Users\AndrePer\OneDrive - Checkmarx\Documents\kics\test\fixtures\dockerfile\dockerfile.3
\ No newline at end of file
From f47018c61fced8cebeea3714af68bd08ef096b80 Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Fri, 13 Mar 2026 17:58:14 +0000
Subject: [PATCH 12/84] fix for E2E
---
 e2e/fixtures/E2E_CLI_105_PAYLOAD.json | 3642 ++++++++---------
 e2e/fixtures/E2E_CLI_105_RESULT.json | 903 ++--
 .../e2e-cli-105_valid_dockerfile_detected.go | 4 +-
 test/fixtures/dockerfile/Dockerfile-example | 14 +-
 4 files changed, 2170 insertions(+), 2393 deletions(-)
diff --git a/e2e/fixtures/E2E_CLI_105_PAYLOAD.json b/e2e/fixtures/E2E_CLI_105_PAYLOAD.json
index d0a6488b123..d48c034cde2 100644
--- a/e2e/fixtures/E2E_CLI_105_PAYLOAD.json
+++ b/e2e/fixtures/E2E_CLI_105_PAYLOAD.json
@@ -1,1896 +1,1750 @@ { - "document": [ - { - "args": [], - "command": { - "alpine:3.19 AS builder": [ - { - "Cmd": "from", - "EndLine": 13, - "Flags": [], - "JSON": false, - "Original": "FROM alpine:3.19 AS builder", - "SubCmd": "", - "Value": [ - "alpine:3.19", - "AS", - "builder" - ], - "_kics_line": 13 - }, - { - "Cmd": "copy", - "EndLine": 15, - "Flags": [], - "JSON": false, - "Original": "COPY . .", - "SubCmd": "", - "Value": [ - ".", - "." - ], - "_kics_line": 15 - }, - { - "Cmd": "healthcheck", - "EndLine": 17, - "Flags": [ - "--interval=30s", - "--timeout=30s", - "--start-period=5s", - "--retries=3" - ], - "JSON": true, - "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", - "SubCmd": "", - "Value": [ - "CMD", - "executable" - ], - "_kics_line": 17 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [], - "command": { - "openjdk:10-jdk": [ - { - "Cmd": "from", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "FROM openjdk:10-jdk", - "SubCmd": "", - "Value": [ - "openjdk:10-jdk" - ], - "_kics_line": 1 - }, - { - "Cmd": "volume", - "EndLine": 2, - "Flags": [], - "JSON": false, - "Original": "VOLUME /tmp", - "SubCmd": "", - "Value": [ - "/tmp" - ], - "_kics_line": 2 - }, - { - "Cmd": "add", - "EndLine": 3, - "Flags": [], - "JSON": false, - "Original": "ADD http://source.file/package.file.tar.gz /temp", - "SubCmd": "", - "Value": [ - "http://source.file/package.file.tar.gz", - "/temp" - ], - "_kics_line": 3 - }, - { - "Cmd": "run", - "EndLine": 4, - "Flags": [], - "JSON": false, - "Original": "RUN tar -xjf /temp/package.file.tar.gz ", - "SubCmd": "", - "Value": [ - "tar -xjf /temp/package.file.tar.gz" - ], - "_kics_line": 4 - }, - { - "Cmd": "arg", - "EndLine": 5, - "Flags": [], - "JSON": false, - "Original": "ARG JAR_FILE", - "SubCmd": "", - "Value": [ - "JAR_FILE" - ], - "_kics_line": 5 - }, - { - "Cmd": "add", - "EndLine": 6, - "Flags": [], - "JSON": false, - "Original": "ADD 
${JAR_FILE} app.jar", - "SubCmd": "", - "Value": [ - "${JAR_FILE}", - "app.jar" - ], - "_kics_line": 6 - }, - { - "Cmd": "entrypoint", - "EndLine": 7, - "Flags": [], - "JSON": true, - "Original": "ENTRYPOINT [\"java\",\"-Djava.security.egd=file:/dev/./urandom\",\"-jar\",\"/app.jar\"]", - "SubCmd": "", - "Value": [ - "java", - "-Djava.security.egd=file:/dev/./urandom", - "-jar", - "/app.jar" - ], - "_kics_line": 7 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [ - { - "Cmd": "arg", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "ARG VERSION=1.0", - "SubCmd": "", - "Value": [ - "VERSION=1.0" - ], - "_kics_line": 1 - }, - { - "Cmd": "arg", - "EndLine": 2, - "Flags": [], - "JSON": false, - "Original": "ARG BASE_IMAGE=ubuntu:22.04", - "SubCmd": "", - "Value": [ - "BASE_IMAGE=ubuntu:22.04" - ], - "_kics_line": 2 - } - ], - "command": { - "alpine:3.19 AS builder": [ - { - "Cmd": "from", - "EndLine": 4, - "Flags": [], - "JSON": false, - "Original": "FROM alpine:3.19 AS builder", - "SubCmd": "", - "Value": [ - "alpine:3.19", - "AS", - "builder" - ], - "_kics_line": 4 - }, - { - "Cmd": "copy", - "EndLine": 6, - "Flags": [], - "JSON": false, - "Original": "COPY . .", - "SubCmd": "", - "Value": [ - ".", - "." 
- ], - "_kics_line": 6 - }, - { - "Cmd": "healthcheck", - "EndLine": 8, - "Flags": [ - "--interval=30s", - "--timeout=30s", - "--start-period=5s", - "--retries=3" - ], - "JSON": true, - "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", - "SubCmd": "", - "Value": [ - "CMD", - "executable" - ], - "_kics_line": 8 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [ - { - "Cmd": "arg", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "ARG VERSION=1.0", - "SubCmd": "", - "Value": [ - "VERSION=1.0" - ], - "_kics_line": 1 - }, - { - "Cmd": "arg", - "EndLine": 2, - "Flags": [], - "JSON": false, - "Original": "ARG BASE_IMAGE=ubuntu:22.04", - "SubCmd": "", - "Value": [ - "BASE_IMAGE=ubuntu:22.04" - ], - "_kics_line": 2 - } - ], - "command": { - "alpine:3.19 AS builder": [ - { - "Cmd": "from", - "EndLine": 4, - "Flags": [], - "JSON": false, - "Original": "FROM alpine:3.19 AS builder", - "SubCmd": "", - "Value": [ - "alpine:3.19", - "AS", - "builder" - ], - "_kics_line": 4 - }, - { - "Cmd": "copy", - "EndLine": 6, - "Flags": [], - "JSON": false, - "Original": "COPY . .", - "SubCmd": "", - "Value": [ - ".", - "." 
- ], - "_kics_line": 6 - }, - { - "Cmd": "healthcheck", - "EndLine": 8, - "Flags": [ - "--interval=30s", - "--timeout=30s", - "--start-period=5s", - "--retries=3" - ], - "JSON": true, - "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", - "SubCmd": "", - "Value": [ - "CMD", - "executable" - ], - "_kics_line": 8 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [ - { - "Cmd": "arg", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "ARG VERSION=1.0", - "SubCmd": "", - "Value": [ - "VERSION=1.0" - ], - "_kics_line": 1 - }, - { - "Cmd": "arg", - "EndLine": 2, - "Flags": [], - "JSON": false, - "Original": "ARG BASE_IMAGE=ubuntu:22.04", - "SubCmd": "", - "Value": [ - "BASE_IMAGE=ubuntu:22.04" - ], - "_kics_line": 2 - } - ], - "command": { - "alpine:3.19 AS builder": [ - { - "Cmd": "from", - "EndLine": 4, - "Flags": [], - "JSON": false, - "Original": "FROM alpine:3.19 AS builder", - "SubCmd": "", - "Value": [ - "alpine:3.19", - "AS", - "builder" - ], - "_kics_line": 4 - }, - { - "Cmd": "copy", - "EndLine": 6, - "Flags": [], - "JSON": false, - "Original": "COPY . .", - "SubCmd": "", - "Value": [ - ".", - "." 
- ], - "_kics_line": 6 - }, - { - "Cmd": "healthcheck", - "EndLine": 8, - "Flags": [ - "--interval=30s", - "--timeout=30s", - "--start-period=5s", - "--retries=3" - ], - "JSON": true, - "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", - "SubCmd": "", - "Value": [ - "CMD", - "executable" - ], - "_kics_line": 8 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [], - "command": { - "alpine:latest": [ - { - "Cmd": "from", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "FROM alpine:latest", - "SubCmd": "", - "Value": [ - "alpine:latest" - ], - "_kics_line": 1 - }, - { - "Cmd": "copy", - "EndLine": 3, - "Flags": [], - "JSON": false, - "Original": "COPY {{ file_path }} /test", - "SubCmd": "", - "Value": [ - "{{", - "file_path", - "}}", - "/test" - ], - "_kics_line": 3 - }, - { - "Cmd": "run", - "EndLine": 5, - "Flags": [], - "JSON": false, - "Original": "RUN echo \"failure\"", - "SubCmd": "", - "Value": [ - "echo \"failure\"" - ], - "_kics_line": 5 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [ - { - "Cmd": "arg", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "ARG BASE_IMAGE=ubuntu:22.04", - "SubCmd": "", - "Value": [ - "BASE_IMAGE=ubuntu:22.04" - ], - "_kics_line": 1 - }, - { - "Cmd": "arg", - "EndLine": 4, - "Flags": [], - "JSON": false, - "Original": "ARG JAR_FILE", - "SubCmd": "", - "Value": [ - "JAR_FILE" - ], - "_kics_line": 4 - } - ], - "command": { - "alpine:3.19 AS builder": [ - { - "Cmd": "from", - "EndLine": 6, - "Flags": [], - "JSON": false, - "Original": "FROM alpine:3.19 AS builder", - "SubCmd": "", - "Value": [ - "alpine:3.19", - "AS", - "builder" - ], - "_kics_line": 6 - }, - { - "Cmd": "copy", - "EndLine": 8, - "Flags": [], - "JSON": false, - "Original": "COPY . .", - "SubCmd": "", - "Value": [ - ".", - "." 
- ], - "_kics_line": 8 - }, - { - "Cmd": "healthcheck", - "EndLine": 10, - "Flags": [ - "--interval=30s", - "--timeout=30s", - "--start-period=5s", - "--retries=3" - ], - "JSON": true, - "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", - "SubCmd": "", - "Value": [ - "CMD", - "executable" - ], - "_kics_line": 10 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [ - { - "Cmd": "arg", - "EndLine": 2, - "Flags": [], - "JSON": false, - "Original": "ARG BASE_IMAGE=ubuntu:22.04", - "SubCmd": "", - "Value": [ - "BASE_IMAGE=ubuntu:22.04" - ], - "_kics_line": 2 - } - ], - "command": { - "alpine:3.19 AS builder": [ - { - "Cmd": "from", - "EndLine": 6, - "Flags": [], - "JSON": false, - "Original": "FROM alpine:3.19 AS builder", - "SubCmd": "", - "Value": [ - "alpine:3.19", - "AS", - "builder" - ], - "_kics_line": 6 - }, - { - "Cmd": "copy", - "EndLine": 8, - "Flags": [], - "JSON": false, - "Original": "COPY .. .", - "SubCmd": "", - "Value": [ - "..", - "." 
- ], - "_kics_line": 8 - }, - { - "Cmd": "healthcheck", - "EndLine": 10, - "Flags": [ - "--interval=30s", - "--timeout=30s", - "--start-period=5s", - "--retries=3" - ], - "JSON": true, - "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", - "SubCmd": "", - "Value": [ - "CMD", - "executable" - ], - "_kics_line": 10 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [ - { - "Cmd": "arg", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "ARG BASE_IMAGE=ubuntu:22.04", - "SubCmd": "", - "Value": [ - "BASE_IMAGE=ubuntu:22.04" - ], - "_kics_line": 1 - } - ], - "command": { - "alpine:3.19 AS builder": [ - { - "Cmd": "from", - "EndLine": 4, - "Flags": [], - "JSON": false, - "Original": "FROM alpine:3.19 AS builder", - "SubCmd": "", - "Value": [ - "alpine:3.19", - "AS", - "builder" - ], - "_kics_line": 4 - }, - { - "Cmd": "copy", - "EndLine": 6, - "Flags": [], - "JSON": false, - "Original": "COPY .. .", - "SubCmd": "", - "Value": [ - "..", - "." 
- ], - "_kics_line": 6 - }, - { - "Cmd": "healthcheck", - "EndLine": 8, - "Flags": [ - "--interval=30s", - "--timeout=30s", - "--start-period=5s", - "--retries=3" - ], - "JSON": true, - "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", - "SubCmd": "", - "Value": [ - "CMD", - "executable" - ], - "_kics_line": 8 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [ - { - "Cmd": "arg", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "ARG BASE_IMAGE=ubuntu:22.04", - "SubCmd": "", - "Value": [ - "BASE_IMAGE=ubuntu:22.04" - ], - "_kics_line": 1 - } - ], - "command": { - "alpine:3.19 AS builder": [ - { - "Cmd": "from", - "EndLine": 3, - "Flags": [], - "JSON": false, - "Original": "FROM alpine:3.19 AS builder", - "SubCmd": "", - "Value": [ - "alpine:3.19", - "AS", - "builder" - ], - "_kics_line": 3 - }, - { - "Cmd": "copy", - "EndLine": 5, - "Flags": [], - "JSON": false, - "Original": "COPY . .", - "SubCmd": "", - "Value": [ - ".", - "." - ], - "_kics_line": 5 - }, - { - "Cmd": "healthcheck", - "EndLine": 7, - "Flags": [ - "--interval=30s", - "--timeout=30s", - "--start-period=5s", - "--retries=3" - ], - "JSON": true, - "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", - "SubCmd": "", - "Value": [ - "CMD", - "executable" - ], - "_kics_line": 7 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [], - "command": { - "alpine:3.19 as builder": [ - { - "Cmd": "from", - "EndLine": 13, - "Flags": [], - "JSON": false, - "Original": "from alpine:3.19 as builder", - "SubCmd": "", - "Value": [ - "alpine:3.19", - "as", - "builder" - ], - "_kics_line": 13 - }, - { - "Cmd": "copy", - "EndLine": 15, - "Flags": [], - "JSON": false, - "Original": "copy . .", - "SubCmd": "", - "Value": [ - ".", - "." 
- ], - "_kics_line": 15 - }, - { - "Cmd": "healthcheck", - "EndLine": 17, - "Flags": [ - "--interval=30s", - "--timeout=30s", - "--start-period=5s", - "--retries=3" - ], - "JSON": true, - "Original": "healthcheck --interval=30s --timeout=30s --start-period=5s --retries=3 cmd [ \"executable\" ]", - "SubCmd": "", - "Value": [ - "cmd", - "executable" - ], - "_kics_line": 17 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [], - "command": { - "openjdk:10-jdk": [ - { - "Cmd": "from", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "from openjdk:10-jdk", - "SubCmd": "", - "Value": [ - "openjdk:10-jdk" - ], - "_kics_line": 1 - }, - { - "Cmd": "volume", - "EndLine": 2, - "Flags": [], - "JSON": false, - "Original": "volume /tmp", - "SubCmd": "", - "Value": [ - "/tmp" - ], - "_kics_line": 2 - }, - { - "Cmd": "add", - "EndLine": 3, - "Flags": [], - "JSON": false, - "Original": "add http://source.file/package.file.tar.gz /temp", - "SubCmd": "", - "Value": [ - "http://source.file/package.file.tar.gz", - "/temp" - ], - "_kics_line": 3 - }, - { - "Cmd": "run", - "EndLine": 4, - "Flags": [], - "JSON": false, - "Original": "run tar -xjf /temp/package.file.tar.gz ", - "SubCmd": "", - "Value": [ - "tar -xjf /temp/package.file.tar.gz" - ], - "_kics_line": 4 - }, - { - "Cmd": "arg", - "EndLine": 5, - "Flags": [], - "JSON": false, - "Original": "arg JAR_FILE", - "SubCmd": "", - "Value": [ - "JAR_FILE" - ], - "_kics_line": 5 - }, - { - "Cmd": "add", - "EndLine": 6, - "Flags": [], - "JSON": false, - "Original": "add ${JAR_FILE} app.jar", - "SubCmd": "", - "Value": [ - "${JAR_FILE}", - "app.jar" - ], - "_kics_line": 6 - }, - { - "Cmd": "entrypoint", - "EndLine": 7, - "Flags": [], - "JSON": true, - "Original": "entrypoint [\"java\",\"-Djava.security.egd=file:/dev/./urandom\",\"-jar\",\"/app.jar\"]", - "SubCmd": "", - "Value": [ - "java", - "-Djava.security.egd=file:/dev/./urandom", - "-jar", - "/app.jar" - ], - "_kics_line": 7 - } - ] - }, - "file": "file", - 
"id": "0" - }, - { - "args": [ - { - "Cmd": "arg", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "arg VERSION=1.0", - "SubCmd": "", - "Value": [ - "VERSION=1.0" - ], - "_kics_line": 1 - }, - { - "Cmd": "arg", - "EndLine": 2, - "Flags": [], - "JSON": false, - "Original": "arg BASE_IMAGE=ubuntu:22.04", - "SubCmd": "", - "Value": [ - "BASE_IMAGE=ubuntu:22.04" - ], - "_kics_line": 2 - } - ], - "command": { - "alpine:3.19 as builder": [ - { - "Cmd": "from", - "EndLine": 4, - "Flags": [], - "JSON": false, - "Original": "from alpine:3.19 as builder", - "SubCmd": "", - "Value": [ - "alpine:3.19", - "as", - "builder" - ], - "_kics_line": 4 - }, - { - "Cmd": "copy", - "EndLine": 6, - "Flags": [], - "JSON": false, - "Original": "copy . .", - "SubCmd": "", - "Value": [ - ".", - "." - ], - "_kics_line": 6 - }, - { - "Cmd": "healthcheck", - "EndLine": 8, - "Flags": [ - "--interval=30s", - "--timeout=30s", - "--start-period=5s", - "--retries=3" - ], - "JSON": true, - "Original": "healthcheck --interval=30s --timeout=30s --start-period=5s --retries=3 cmd [ \"executable\" ]", - "SubCmd": "", - "Value": [ - "cmd", - "executable" - ], - "_kics_line": 8 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [ - { - "Cmd": "arg", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "arg VERSION=1.0", - "SubCmd": "", - "Value": [ - "VERSION=1.0" - ], - "_kics_line": 1 - }, - { - "Cmd": "arg", - "EndLine": 2, - "Flags": [], - "JSON": false, - "Original": "arg BASE_IMAGE=ubuntu:22.04", - "SubCmd": "", - "Value": [ - "BASE_IMAGE=ubuntu:22.04" - ], - "_kics_line": 2 - } - ], - "command": { - "alpine:3.19 as builder": [ - { - "Cmd": "from", - "EndLine": 4, - "Flags": [], - "JSON": false, - "Original": "from alpine:3.19 as builder", - "SubCmd": "", - "Value": [ - "alpine:3.19", - "as", - "builder" - ], - "_kics_line": 4 - }, - { - "Cmd": "copy", - "EndLine": 6, - "Flags": [], - "JSON": false, - "Original": "copy . .", - "SubCmd": "", - "Value": [ - ".", - "." 
- ], - "_kics_line": 6 - }, - { - "Cmd": "healthcheck", - "EndLine": 8, - "Flags": [ - "--interval=30s", - "--timeout=30s", - "--start-period=5s", - "--retries=3" - ], - "JSON": true, - "Original": "healthcheck --interval=30s --timeout=30s --start-period=5s --retries=3 cmd [ \"executable\" ]", - "SubCmd": "", - "Value": [ - "cmd", - "executable" - ], - "_kics_line": 8 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [ - { - "Cmd": "arg", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "arg VERSION=1.0", - "SubCmd": "", - "Value": [ - "VERSION=1.0" - ], - "_kics_line": 1 - }, - { - "Cmd": "arg", - "EndLine": 2, - "Flags": [], - "JSON": false, - "Original": "arg BASE_IMAGE=ubuntu:22.04", - "SubCmd": "", - "Value": [ - "BASE_IMAGE=ubuntu:22.04" - ], - "_kics_line": 2 - } - ], - "command": { - "alpine:3.19 as builder": [ - { - "Cmd": "from", - "EndLine": 4, - "Flags": [], - "JSON": false, - "Original": "from alpine:3.19 as builder", - "SubCmd": "", - "Value": [ - "alpine:3.19", - "as", - "builder" - ], - "_kics_line": 4 - }, - { - "Cmd": "copy", - "EndLine": 6, - "Flags": [], - "JSON": false, - "Original": "copy . .", - "SubCmd": "", - "Value": [ - ".", - "." 
- ], - "_kics_line": 6 - }, - { - "Cmd": "healthcheck", - "EndLine": 8, - "Flags": [ - "--interval=30s", - "--timeout=30s", - "--start-period=5s", - "--retries=3" - ], - "JSON": true, - "Original": "healthcheck --interval=30s --timeout=30s --start-period=5s --retries=3 cmd [ \"executable\" ]", - "SubCmd": "", - "Value": [ - "cmd", - "executable" - ], - "_kics_line": 8 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [], - "command": { - "alpine:latest": [ - { - "Cmd": "from", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "from alpine:latest", - "SubCmd": "", - "Value": [ - "alpine:latest" - ], - "_kics_line": 1 - }, - { - "Cmd": "copy", - "EndLine": 3, - "Flags": [], - "JSON": false, - "Original": "copy {{ file_path }} /test", - "SubCmd": "", - "Value": [ - "{{", - "file_path", - "}}", - "/test" - ], - "_kics_line": 3 - }, - { - "Cmd": "run", - "EndLine": 5, - "Flags": [], - "JSON": false, - "Original": "run echo \"failure\"", - "SubCmd": "", - "Value": [ - "echo \"failure\"" - ], - "_kics_line": 5 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [ - { - "Cmd": "arg", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "arg BASE_IMAGE=ubuntu:22.04", - "SubCmd": "", - "Value": [ - "BASE_IMAGE=ubuntu:22.04" - ], - "_kics_line": 1 - }, - { - "Cmd": "arg", - "EndLine": 4, - "Flags": [], - "JSON": false, - "Original": "arg JAR_FILE", - "SubCmd": "", - "Value": [ - "JAR_FILE" - ], - "_kics_line": 4 - } - ], - "command": { - "alpine:3.19 as builder": [ - { - "Cmd": "from", - "EndLine": 6, - "Flags": [], - "JSON": false, - "Original": "from alpine:3.19 as builder", - "SubCmd": "", - "Value": [ - "alpine:3.19", - "as", - "builder" - ], - "_kics_line": 6 - }, - { - "Cmd": "copy", - "EndLine": 8, - "Flags": [], - "JSON": false, - "Original": "copy . .", - "SubCmd": "", - "Value": [ - ".", - "." 
- ], - "_kics_line": 8 - }, - { - "Cmd": "healthcheck", - "EndLine": 10, - "Flags": [ - "--interval=30s", - "--timeout=30s", - "--start-period=5s", - "--retries=3" - ], - "JSON": true, - "Original": "healthcheck --interval=30s --timeout=30s --start-period=5s --retries=3 cmd [ \"executable\" ]", - "SubCmd": "", - "Value": [ - "cmd", - "executable" - ], - "_kics_line": 10 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [ - { - "Cmd": "arg", - "EndLine": 2, - "Flags": [], - "JSON": false, - "Original": "arg BASE_IMAGE=ubuntu:22.04", - "SubCmd": "", - "Value": [ - "BASE_IMAGE=ubuntu:22.04" - ], - "_kics_line": 2 - } - ], - "command": { - "alpine:3.19 as builder": [ - { - "Cmd": "from", - "EndLine": 6, - "Flags": [], - "JSON": false, - "Original": "from alpine:3.19 as builder", - "SubCmd": "", - "Value": [ - "alpine:3.19", - "as", - "builder" - ], - "_kics_line": 6 - }, - { - "Cmd": "copy", - "EndLine": 8, - "Flags": [], - "JSON": false, - "Original": "copy . .", - "SubCmd": "", - "Value": [ - ".", - "." 
- ], - "_kics_line": 8 - }, - { - "Cmd": "healthcheck", - "EndLine": 10, - "Flags": [ - "--interval=30s", - "--timeout=30s", - "--start-period=5s", - "--retries=3" - ], - "JSON": true, - "Original": "healthcheck --interval=30s --timeout=30s --start-period=5s --retries=3 cmd [ \"executable\" ]", - "SubCmd": "", - "Value": [ - "cmd", - "executable" - ], - "_kics_line": 10 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [ - { - "Cmd": "arg", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "arg BASE_IMAGE=ubuntu:22.04", - "SubCmd": "", - "Value": [ - "BASE_IMAGE=ubuntu:22.04" - ], - "_kics_line": 1 - } - ], - "command": { - "alpine:3.19 AS builder": [ - { - "Cmd": "from", - "EndLine": 4, - "Flags": [], - "JSON": false, - "Original": "from alpine:3.19 AS builder", - "SubCmd": "", - "Value": [ - "alpine:3.19", - "AS", - "builder" - ], - "_kics_line": 4 - }, - { - "Cmd": "copy", - "EndLine": 6, - "Flags": [], - "JSON": false, - "Original": "copy .. .", - "SubCmd": "", - "Value": [ - "..", - "." 
- ], - "_kics_line": 6 - }, - { - "Cmd": "healthcheck", - "EndLine": 8, - "Flags": [ - "--interval=30s", - "--timeout=30s", - "--start-period=5s", - "--retries=3" - ], - "JSON": true, - "Original": "healthcheck --interval=30s --timeout=30s --start-period=5s --retries=3 cmd [ \"executable\" ]", - "SubCmd": "", - "Value": [ - "cmd", - "executable" - ], - "_kics_line": 8 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [ - { - "Cmd": "arg", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "arg BASE_IMAGE=ubuntu:22.04", - "SubCmd": "", - "Value": [ - "BASE_IMAGE=ubuntu:22.04" - ], - "_kics_line": 1 - } - ], - "command": { - "alpine:3.19 as builder": [ - { - "Cmd": "from", - "EndLine": 3, - "Flags": [], - "JSON": false, - "Original": "from alpine:3.19 as builder", - "SubCmd": "", - "Value": [ - "alpine:3.19", - "as", - "builder" - ], - "_kics_line": 3 - }, - { - "Cmd": "copy", - "EndLine": 5, - "Flags": [], - "JSON": false, - "Original": "copy . .", - "SubCmd": "", - "Value": [ - ".", - "." - ], - "_kics_line": 5 - }, - { - "Cmd": "healthcheck", - "EndLine": 7, - "Flags": [ - "--interval=30s", - "--timeout=30s", - "--start-period=5s", - "--retries=3" - ], - "JSON": true, - "Original": "healthcheck --interval=30s --timeout=30s --start-period=5s --retries=3 cmd [ \"executable\" ]", - "SubCmd": "", - "Value": [ - "cmd", - "executable" - ], - "_kics_line": 7 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [], - "command": { - "alpine:3.19 AS builder": [ - { - "Cmd": "from", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "FROM alpine:3.19 AS builder", - "SubCmd": "", - "Value": [ - "alpine:3.19", - "AS", - "builder" - ], - "_kics_line": 1 - }, - { - "Cmd": "copy", - "EndLine": 3, - "Flags": [], - "JSON": false, - "Original": "COPY . .", - "SubCmd": "", - "Value": [ - ".", - "." 
- ], - "_kics_line": 3 - }, - { - "Cmd": "healthcheck", - "EndLine": 5, - "Flags": [ - "--interval=30s", - "--timeout=30s", - "--start-period=5s", - "--retries=3" - ], - "JSON": true, - "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", - "SubCmd": "", - "Value": [ - "CMD", - "executable" - ], - "_kics_line": 5 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [], - "command": { - "alpine:3.19 AS builder": [ - { - "Cmd": "from", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "FROM alpine:3.19 AS builder", - "SubCmd": "", - "Value": [ - "alpine:3.19", - "AS", - "builder" - ], - "_kics_line": 1 - }, - { - "Cmd": "copy", - "EndLine": 3, - "Flags": [], - "JSON": false, - "Original": "COPY . .", - "SubCmd": "", - "Value": [ - ".", - "." - ], - "_kics_line": 3 - }, - { - "Cmd": "healthcheck", - "EndLine": 5, - "Flags": [ - "--interval=30s", - "--timeout=30s", - "--start-period=5s", - "--retries=3" - ], - "JSON": true, - "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", - "SubCmd": "", - "Value": [ - "CMD", - "executable" - ], - "_kics_line": 5 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [], - "command": { - "alpine:3.19 AS builder": [ - { - "Cmd": "from", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "FROM alpine:3.19 AS builder", - "SubCmd": "", - "Value": [ - "alpine:3.19", - "AS", - "builder" - ], - "_kics_line": 1 - }, - { - "Cmd": "copy", - "EndLine": 3, - "Flags": [], - "JSON": false, - "Original": "COPY . .", - "SubCmd": "", - "Value": [ - ".", - "." 
- ], - "_kics_line": 3 - }, - { - "Cmd": "healthcheck", - "EndLine": 5, - "Flags": [ - "--interval=30s", - "--timeout=30s", - "--start-period=5s", - "--retries=3" - ], - "JSON": true, - "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", - "SubCmd": "", - "Value": [ - "CMD", - "executable" - ], - "_kics_line": 5 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [], - "command": { - "alpine:3.19 AS builder": [ - { - "Cmd": "from", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "FROM alpine:3.19 AS builder", - "SubCmd": "", - "Value": [ - "alpine:3.19", - "AS", - "builder" - ], - "_kics_line": 1 - }, - { - "Cmd": "copy", - "EndLine": 3, - "Flags": [], - "JSON": false, - "Original": "COPY . .", - "SubCmd": "", - "Value": [ - ".", - "." - ], - "_kics_line": 3 - }, - { - "Cmd": "healthcheck", - "EndLine": 5, - "Flags": [ - "--interval=30s", - "--timeout=30s", - "--start-period=5s", - "--retries=3" - ], - "JSON": true, - "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", - "SubCmd": "", - "Value": [ - "CMD", - "executable" - ], - "_kics_line": 5 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [], - "command": { - "alpine:3.19 AS builder": [ - { - "Cmd": "from", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "FROM alpine:3.19 AS builder", - "SubCmd": "", - "Value": [ - "alpine:3.19", - "AS", - "builder" - ], - "_kics_line": 1 - }, - { - "Cmd": "copy", - "EndLine": 3, - "Flags": [], - "JSON": false, - "Original": "COPY . .", - "SubCmd": "", - "Value": [ - ".", - "." 
- ], - "_kics_line": 3 - }, - { - "Cmd": "healthcheck", - "EndLine": 5, - "Flags": [ - "--interval=30s", - "--timeout=30s", - "--start-period=5s", - "--retries=3" - ], - "JSON": true, - "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", - "SubCmd": "", - "Value": [ - "CMD", - "executable" - ], - "_kics_line": 5 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [], - "command": { - "alpine:3.19 AS builder": [ - { - "Cmd": "from", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "FROM alpine:3.19 AS builder", - "SubCmd": "", - "Value": [ - "alpine:3.19", - "AS", - "builder" - ], - "_kics_line": 1 - }, - { - "Cmd": "copy", - "EndLine": 3, - "Flags": [], - "JSON": false, - "Original": "COPY . .", - "SubCmd": "", - "Value": [ - ".", - "." - ], - "_kics_line": 3 - }, - { - "Cmd": "healthcheck", - "EndLine": 5, - "Flags": [ - "--interval=30s", - "--timeout=30s", - "--start-period=5s", - "--retries=3" - ], - "JSON": true, - "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", - "SubCmd": "", - "Value": [ - "CMD", - "executable" - ], - "_kics_line": 5 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [ - { - "Cmd": "package", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "package main", - "SubCmd": "", - "Value": [ - "" - ], - "_kics_line": 1 - }, - { - "Cmd": "import", - "EndLine": 3, - "Flags": [], - "JSON": false, - "Original": "import \"fmt\"", - "SubCmd": "", - "Value": [ - "" - ], - "_kics_line": 3 - }, - { - "Cmd": "func", - "EndLine": 5, - "Flags": [], - "JSON": false, - "Original": "func main() {", - "SubCmd": "", - "Value": [ - "" - ], - "_kics_line": 5 - }, - { - "Cmd": "fmt.println(\"hello,", - "EndLine": 6, - "Flags": [], - "JSON": false, - "Original": "fmt.Println(\"Hello, World!\")", - "SubCmd": "", - "Value": [ - "" - ], - "_kics_line": 6 - }, - { - "Cmd": "}", - "EndLine": 7, - "Flags": null, 
- "JSON": false, - "Original": "}", - "SubCmd": "", - "Value": [ - "" - ], - "_kics_line": 7 - } - ], - "command": {}, - "file": "file", - "id": "0" - }, - { - "args": [ - { - "Cmd": "public", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "public class HelloWorld {", - "SubCmd": "", - "Value": [ - "" - ], - "_kics_line": 1 - }, - { - "Cmd": "public", - "EndLine": 2, - "Flags": [], - "JSON": false, - "Original": "public static void main(String[] args) {", - "SubCmd": "", - "Value": [ - "" - ], - "_kics_line": 2 - }, - { - "Cmd": "system.out.println(\"hello,", - "EndLine": 3, - "Flags": [], - "JSON": false, - "Original": "System.out.println(\"Hello, World!\");", - "SubCmd": "", - "Value": [ - "" - ], - "_kics_line": 3 - }, - { - "Cmd": "}", - "EndLine": 4, - "Flags": null, - "JSON": false, - "Original": "}", - "SubCmd": "", - "Value": [ - "" - ], - "_kics_line": 4 - }, - { - "Cmd": "}", - "EndLine": 5, - "Flags": null, - "JSON": false, - "Original": "}", - "SubCmd": "", - "Value": [ - "" - ], - "_kics_line": 5 - } - ], - "command": {}, - "file": "file", - "id": "0" - } - ] + "document": [ + { + "args": [], + "command": { + "openjdk:10-jdk": [ + { + "Cmd": "from", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "FROM openjdk:10-jdk", + "SubCmd": "", + "Value": [ + "openjdk:10-jdk" + ], + "_kics_line": 1 + }, + { + "Cmd": "volume", + "EndLine": 2, + "Flags": [], + "JSON": false, + "Original": "VOLUME /tmp", + "SubCmd": "", + "Value": [ + "/tmp" + ], + "_kics_line": 2 + }, + { + "Cmd": "add", + "EndLine": 3, + "Flags": [], + "JSON": false, + "Original": "ADD http://source.file/package.file.tar.gz /temp", + "SubCmd": "", + "Value": [ + "http://source.file/package.file.tar.gz", + "/temp" + ], + "_kics_line": 3 + }, + { + "Cmd": "run", + "EndLine": 4, + "Flags": [], + "JSON": false, + "Original": "RUN tar -xjf /temp/package.file.tar.gz", + "SubCmd": "", + "Value": [ + "tar -xjf /temp/package.file.tar.gz" + ], + "_kics_line": 4 + }, + { + 
"Cmd": "arg", + "EndLine": 5, + "Flags": [], + "JSON": false, + "Original": "ARG JAR_FILE", + "SubCmd": "", + "Value": [ + "JAR_FILE" + ], + "_kics_line": 5 + }, + { + "Cmd": "add", + "EndLine": 6, + "Flags": [], + "JSON": false, + "Original": "ADD ${JAR_FILE} app.jar", + "SubCmd": "", + "Value": [ + "${JAR_FILE}", + "app.jar" + ], + "_kics_line": 6 + }, + { + "Cmd": "entrypoint", + "EndLine": 7, + "Flags": [], + "JSON": true, + "Original": "ENTRYPOINT [\"java\",\"-Djava.security.egd=file:/dev/./urandom\",\"-jar\",\"/app.jar\"]", + "SubCmd": "", + "Value": [ + "java", + "-Djava.security.egd=file:/dev/./urandom", + "-jar", + "/app.jar" + ], + "_kics_line": 7 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [], + "command": { + "alpine:3.19 AS builder": [ + { + "Cmd": "from", + "EndLine": 13, + "Flags": [], + "JSON": false, + "Original": "FROM alpine:3.19 AS builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "AS", + "builder" + ], + "_kics_line": 13 + }, + { + "Cmd": "copy", + "EndLine": 15, + "Flags": [], + "JSON": false, + "Original": "COPY . .", + "SubCmd": "", + "Value": [ + ".", + "." 
+ ], + "_kics_line": 15 + }, + { + "Cmd": "healthcheck", + "EndLine": 17, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "CMD", + "executable" + ], + "_kics_line": 17 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [ + { + "Cmd": "arg", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "ARG VERSION=1.0", + "SubCmd": "", + "Value": [ + "VERSION=1.0" + ], + "_kics_line": 1 + }, + { + "Cmd": "arg", + "EndLine": 2, + "Flags": [], + "JSON": false, + "Original": "ARG BASE_IMAGE=ubuntu:22.04", + "SubCmd": "", + "Value": [ + "BASE_IMAGE=ubuntu:22.04" + ], + "_kics_line": 2 + } + ], + "command": { + "alpine:3.19 AS builder": [ + { + "Cmd": "from", + "EndLine": 4, + "Flags": [], + "JSON": false, + "Original": "FROM alpine:3.19 AS builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "AS", + "builder" + ], + "_kics_line": 4 + }, + { + "Cmd": "copy", + "EndLine": 6, + "Flags": [], + "JSON": false, + "Original": "COPY . .", + "SubCmd": "", + "Value": [ + ".", + "." 
+ ], + "_kics_line": 6 + }, + { + "Cmd": "healthcheck", + "EndLine": 8, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "CMD", + "executable" + ], + "_kics_line": 8 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [ + { + "Cmd": "arg", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "ARG VERSION=1.0", + "SubCmd": "", + "Value": [ + "VERSION=1.0" + ], + "_kics_line": 1 + }, + { + "Cmd": "arg", + "EndLine": 2, + "Flags": [], + "JSON": false, + "Original": "ARG BASE_IMAGE=ubuntu:22.04", + "SubCmd": "", + "Value": [ + "BASE_IMAGE=ubuntu:22.04" + ], + "_kics_line": 2 + } + ], + "command": { + "alpine:3.19 AS builder": [ + { + "Cmd": "from", + "EndLine": 4, + "Flags": [], + "JSON": false, + "Original": "FROM alpine:3.19 AS builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "AS", + "builder" + ], + "_kics_line": 4 + }, + { + "Cmd": "copy", + "EndLine": 6, + "Flags": [], + "JSON": false, + "Original": "COPY . .", + "SubCmd": "", + "Value": [ + ".", + "." 
+ ], + "_kics_line": 6 + }, + { + "Cmd": "healthcheck", + "EndLine": 8, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "CMD", + "executable" + ], + "_kics_line": 8 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [ + { + "Cmd": "arg", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "ARG VERSION=1.0", + "SubCmd": "", + "Value": [ + "VERSION=1.0" + ], + "_kics_line": 1 + }, + { + "Cmd": "arg", + "EndLine": 2, + "Flags": [], + "JSON": false, + "Original": "ARG BASE_IMAGE=ubuntu:22.04", + "SubCmd": "", + "Value": [ + "BASE_IMAGE=ubuntu:22.04" + ], + "_kics_line": 2 + } + ], + "command": { + "alpine:3.19 AS builder": [ + { + "Cmd": "from", + "EndLine": 4, + "Flags": [], + "JSON": false, + "Original": "FROM alpine:3.19 AS builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "AS", + "builder" + ], + "_kics_line": 4 + }, + { + "Cmd": "copy", + "EndLine": 6, + "Flags": [], + "JSON": false, + "Original": "COPY . .", + "SubCmd": "", + "Value": [ + ".", + "." 
+ ], + "_kics_line": 6 + }, + { + "Cmd": "healthcheck", + "EndLine": 8, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "CMD", + "executable" + ], + "_kics_line": 8 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [ + { + "Cmd": "arg", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "ARG BASE_IMAGE=ubuntu:22.04", + "SubCmd": "", + "Value": [ + "BASE_IMAGE=ubuntu:22.04" + ], + "_kics_line": 1 + }, + { + "Cmd": "arg", + "EndLine": 4, + "Flags": [], + "JSON": false, + "Original": "ARG JAR_FILE", + "SubCmd": "", + "Value": [ + "JAR_FILE" + ], + "_kics_line": 4 + } + ], + "command": { + "alpine:3.19 AS builder": [ + { + "Cmd": "from", + "EndLine": 6, + "Flags": [], + "JSON": false, + "Original": "FROM alpine:3.19 AS builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "AS", + "builder" + ], + "_kics_line": 6 + }, + { + "Cmd": "copy", + "EndLine": 8, + "Flags": [], + "JSON": false, + "Original": "COPY . .", + "SubCmd": "", + "Value": [ + ".", + "." 
+ ], + "_kics_line": 8 + }, + { + "Cmd": "healthcheck", + "EndLine": 10, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "CMD", + "executable" + ], + "_kics_line": 10 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [ + { + "Cmd": "arg", + "EndLine": 2, + "Flags": [], + "JSON": false, + "Original": "ARG BASE_IMAGE=ubuntu:22.04", + "SubCmd": "", + "Value": [ + "BASE_IMAGE=ubuntu:22.04" + ], + "_kics_line": 2 + } + ], + "command": { + "alpine:3.19 AS builder": [ + { + "Cmd": "from", + "EndLine": 6, + "Flags": [], + "JSON": false, + "Original": "FROM alpine:3.19 AS builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "AS", + "builder" + ], + "_kics_line": 6 + }, + { + "Cmd": "copy", + "EndLine": 8, + "Flags": [], + "JSON": false, + "Original": "COPY .. .", + "SubCmd": "", + "Value": [ + "..", + "." 
+ ], + "_kics_line": 8 + }, + { + "Cmd": "healthcheck", + "EndLine": 10, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "CMD", + "executable" + ], + "_kics_line": 10 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [ + { + "Cmd": "arg", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "ARG BASE_IMAGE=ubuntu:22.04", + "SubCmd": "", + "Value": [ + "BASE_IMAGE=ubuntu:22.04" + ], + "_kics_line": 1 + } + ], + "command": { + "alpine:3.19 AS builder": [ + { + "Cmd": "from", + "EndLine": 4, + "Flags": [], + "JSON": false, + "Original": "FROM alpine:3.19 AS builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "AS", + "builder" + ], + "_kics_line": 4 + }, + { + "Cmd": "copy", + "EndLine": 6, + "Flags": [], + "JSON": false, + "Original": "COPY .. .", + "SubCmd": "", + "Value": [ + "..", + "." 
+ ], + "_kics_line": 6 + }, + { + "Cmd": "healthcheck", + "EndLine": 8, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "CMD", + "executable" + ], + "_kics_line": 8 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [ + { + "Cmd": "arg", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "ARG BASE_IMAGE=ubuntu:22.04", + "SubCmd": "", + "Value": [ + "BASE_IMAGE=ubuntu:22.04" + ], + "_kics_line": 1 + } + ], + "command": { + "alpine:3.19 AS builder": [ + { + "Cmd": "from", + "EndLine": 3, + "Flags": [], + "JSON": false, + "Original": "FROM alpine:3.19 AS builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "AS", + "builder" + ], + "_kics_line": 3 + }, + { + "Cmd": "copy", + "EndLine": 5, + "Flags": [], + "JSON": false, + "Original": "COPY . .", + "SubCmd": "", + "Value": [ + ".", + "." + ], + "_kics_line": 5 + }, + { + "Cmd": "healthcheck", + "EndLine": 7, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "CMD", + "executable" + ], + "_kics_line": 7 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [], + "command": { + "alpine:3.19 as builder": [ + { + "Cmd": "from", + "EndLine": 13, + "Flags": [], + "JSON": false, + "Original": "from alpine:3.19 as builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "as", + "builder" + ], + "_kics_line": 13 + }, + { + "Cmd": "copy", + "EndLine": 15, + "Flags": [], + "JSON": false, + "Original": "copy . .", + "SubCmd": "", + "Value": [ + ".", + "." 
+ ], + "_kics_line": 15 + }, + { + "Cmd": "healthcheck", + "EndLine": 17, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "healthcheck --interval=30s --timeout=30s --start-period=5s --retries=3 cmd [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "cmd", + "executable" + ], + "_kics_line": 17 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [ + { + "Cmd": "arg", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "arg VERSION=1.0", + "SubCmd": "", + "Value": [ + "VERSION=1.0" + ], + "_kics_line": 1 + }, + { + "Cmd": "arg", + "EndLine": 2, + "Flags": [], + "JSON": false, + "Original": "arg BASE_IMAGE=ubuntu:22.04", + "SubCmd": "", + "Value": [ + "BASE_IMAGE=ubuntu:22.04" + ], + "_kics_line": 2 + } + ], + "command": { + "alpine:3.19 as builder": [ + { + "Cmd": "from", + "EndLine": 4, + "Flags": [], + "JSON": false, + "Original": "from alpine:3.19 as builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "as", + "builder" + ], + "_kics_line": 4 + }, + { + "Cmd": "copy", + "EndLine": 6, + "Flags": [], + "JSON": false, + "Original": "copy . .", + "SubCmd": "", + "Value": [ + ".", + "." 
+ ], + "_kics_line": 6 + }, + { + "Cmd": "healthcheck", + "EndLine": 8, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "healthcheck --interval=30s --timeout=30s --start-period=5s --retries=3 cmd [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "cmd", + "executable" + ], + "_kics_line": 8 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [ + { + "Cmd": "arg", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "arg VERSION=1.0", + "SubCmd": "", + "Value": [ + "VERSION=1.0" + ], + "_kics_line": 1 + }, + { + "Cmd": "arg", + "EndLine": 2, + "Flags": [], + "JSON": false, + "Original": "arg BASE_IMAGE=ubuntu:22.04", + "SubCmd": "", + "Value": [ + "BASE_IMAGE=ubuntu:22.04" + ], + "_kics_line": 2 + } + ], + "command": { + "alpine:3.19 as builder": [ + { + "Cmd": "from", + "EndLine": 4, + "Flags": [], + "JSON": false, + "Original": "from alpine:3.19 as builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "as", + "builder" + ], + "_kics_line": 4 + }, + { + "Cmd": "copy", + "EndLine": 6, + "Flags": [], + "JSON": false, + "Original": "copy . .", + "SubCmd": "", + "Value": [ + ".", + "." 
+ ], + "_kics_line": 6 + }, + { + "Cmd": "healthcheck", + "EndLine": 8, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "healthcheck --interval=30s --timeout=30s --start-period=5s --retries=3 cmd [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "cmd", + "executable" + ], + "_kics_line": 8 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [ + { + "Cmd": "arg", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "arg VERSION=1.0", + "SubCmd": "", + "Value": [ + "VERSION=1.0" + ], + "_kics_line": 1 + }, + { + "Cmd": "arg", + "EndLine": 2, + "Flags": [], + "JSON": false, + "Original": "arg BASE_IMAGE=ubuntu:22.04", + "SubCmd": "", + "Value": [ + "BASE_IMAGE=ubuntu:22.04" + ], + "_kics_line": 2 + } + ], + "command": { + "alpine:3.19 as builder": [ + { + "Cmd": "from", + "EndLine": 4, + "Flags": [], + "JSON": false, + "Original": "from alpine:3.19 as builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "as", + "builder" + ], + "_kics_line": 4 + }, + { + "Cmd": "copy", + "EndLine": 6, + "Flags": [], + "JSON": false, + "Original": "copy . .", + "SubCmd": "", + "Value": [ + ".", + "." 
+ ], + "_kics_line": 6 + }, + { + "Cmd": "healthcheck", + "EndLine": 8, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "healthcheck --interval=30s --timeout=30s --start-period=5s --retries=3 cmd [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "cmd", + "executable" + ], + "_kics_line": 8 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [ + { + "Cmd": "arg", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "arg BASE_IMAGE=ubuntu:22.04", + "SubCmd": "", + "Value": [ + "BASE_IMAGE=ubuntu:22.04" + ], + "_kics_line": 1 + }, + { + "Cmd": "arg", + "EndLine": 4, + "Flags": [], + "JSON": false, + "Original": "arg JAR_FILE", + "SubCmd": "", + "Value": [ + "JAR_FILE" + ], + "_kics_line": 4 + } + ], + "command": { + "alpine:3.19 as builder": [ + { + "Cmd": "from", + "EndLine": 6, + "Flags": [], + "JSON": false, + "Original": "from alpine:3.19 as builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "as", + "builder" + ], + "_kics_line": 6 + }, + { + "Cmd": "copy", + "EndLine": 8, + "Flags": [], + "JSON": false, + "Original": "copy . .", + "SubCmd": "", + "Value": [ + ".", + "." 
+ ], + "_kics_line": 8 + }, + { + "Cmd": "healthcheck", + "EndLine": 10, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "healthcheck --interval=30s --timeout=30s --start-period=5s --retries=3 cmd [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "cmd", + "executable" + ], + "_kics_line": 10 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [ + { + "Cmd": "arg", + "EndLine": 2, + "Flags": [], + "JSON": false, + "Original": "arg BASE_IMAGE=ubuntu:22.04", + "SubCmd": "", + "Value": [ + "BASE_IMAGE=ubuntu:22.04" + ], + "_kics_line": 2 + } + ], + "command": { + "alpine:3.19 as builder": [ + { + "Cmd": "from", + "EndLine": 6, + "Flags": [], + "JSON": false, + "Original": "from alpine:3.19 as builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "as", + "builder" + ], + "_kics_line": 6 + }, + { + "Cmd": "copy", + "EndLine": 8, + "Flags": [], + "JSON": false, + "Original": "copy . .", + "SubCmd": "", + "Value": [ + ".", + "." 
+ ], + "_kics_line": 8 + }, + { + "Cmd": "healthcheck", + "EndLine": 10, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "healthcheck --interval=30s --timeout=30s --start-period=5s --retries=3 cmd [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "cmd", + "executable" + ], + "_kics_line": 10 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [ + { + "Cmd": "arg", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "arg BASE_IMAGE=ubuntu:22.04", + "SubCmd": "", + "Value": [ + "BASE_IMAGE=ubuntu:22.04" + ], + "_kics_line": 1 + } + ], + "command": { + "alpine:3.19 AS builder": [ + { + "Cmd": "from", + "EndLine": 4, + "Flags": [], + "JSON": false, + "Original": "from alpine:3.19 AS builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "AS", + "builder" + ], + "_kics_line": 4 + }, + { + "Cmd": "copy", + "EndLine": 6, + "Flags": [], + "JSON": false, + "Original": "copy .. .", + "SubCmd": "", + "Value": [ + "..", + "." 
+ ], + "_kics_line": 6 + }, + { + "Cmd": "healthcheck", + "EndLine": 8, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "healthcheck --interval=30s --timeout=30s --start-period=5s --retries=3 cmd [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "cmd", + "executable" + ], + "_kics_line": 8 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [ + { + "Cmd": "arg", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "arg BASE_IMAGE=ubuntu:22.04", + "SubCmd": "", + "Value": [ + "BASE_IMAGE=ubuntu:22.04" + ], + "_kics_line": 1 + } + ], + "command": { + "alpine:3.19 as builder": [ + { + "Cmd": "from", + "EndLine": 3, + "Flags": [], + "JSON": false, + "Original": "from alpine:3.19 as builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "as", + "builder" + ], + "_kics_line": 3 + }, + { + "Cmd": "copy", + "EndLine": 5, + "Flags": [], + "JSON": false, + "Original": "copy . .", + "SubCmd": "", + "Value": [ + ".", + "." 
+ ], + "_kics_line": 5 + }, + { + "Cmd": "healthcheck", + "EndLine": 7, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "healthcheck --interval=30s --timeout=30s --start-period=5s --retries=3 cmd [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "cmd", + "executable" + ], + "_kics_line": 7 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [], + "command": { + "alpine:latest": [ + { + "Cmd": "from", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "FROM alpine:latest", + "SubCmd": "", + "Value": [ + "alpine:latest" + ], + "_kics_line": 1 + }, + { + "Cmd": "copy", + "EndLine": 3, + "Flags": [], + "JSON": false, + "Original": "COPY {{ file_path }} /test", + "SubCmd": "", + "Value": [ + "{{", + "file_path", + "}}", + "/test" + ], + "_kics_line": 3 + }, + { + "Cmd": "run", + "EndLine": 5, + "Flags": [], + "JSON": false, + "Original": "RUN echo \"failure\"", + "SubCmd": "", + "Value": [ + "echo \"failure\"" + ], + "_kics_line": 5 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [], + "command": { + "alpine:3.19 AS builder": [ + { + "Cmd": "from", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "FROM alpine:3.19 AS builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "AS", + "builder" + ], + "_kics_line": 1 + }, + { + "Cmd": "copy", + "EndLine": 3, + "Flags": [], + "JSON": false, + "Original": "COPY . .", + "SubCmd": "", + "Value": [ + ".", + "." 
+ ], + "_kics_line": 3 + }, + { + "Cmd": "healthcheck", + "EndLine": 5, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "CMD", + "executable" + ], + "_kics_line": 5 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [], + "command": { + "alpine:3.19 AS builder": [ + { + "Cmd": "from", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "FROM alpine:3.19 AS builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "AS", + "builder" + ], + "_kics_line": 1 + }, + { + "Cmd": "copy", + "EndLine": 3, + "Flags": [], + "JSON": false, + "Original": "COPY . .", + "SubCmd": "", + "Value": [ + ".", + "." + ], + "_kics_line": 3 + }, + { + "Cmd": "healthcheck", + "EndLine": 5, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "CMD", + "executable" + ], + "_kics_line": 5 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [], + "command": { + "alpine:3.19 AS builder": [ + { + "Cmd": "from", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "FROM alpine:3.19 AS builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "AS", + "builder" + ], + "_kics_line": 1 + }, + { + "Cmd": "copy", + "EndLine": 3, + "Flags": [], + "JSON": false, + "Original": "COPY . .", + "SubCmd": "", + "Value": [ + ".", + "." 
+ ], + "_kics_line": 3 + }, + { + "Cmd": "healthcheck", + "EndLine": 5, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "CMD", + "executable" + ], + "_kics_line": 5 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [], + "command": { + "alpine:3.19 AS builder": [ + { + "Cmd": "from", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "FROM alpine:3.19 AS builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "AS", + "builder" + ], + "_kics_line": 1 + }, + { + "Cmd": "copy", + "EndLine": 3, + "Flags": [], + "JSON": false, + "Original": "COPY . .", + "SubCmd": "", + "Value": [ + ".", + "." + ], + "_kics_line": 3 + }, + { + "Cmd": "healthcheck", + "EndLine": 5, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "CMD", + "executable" + ], + "_kics_line": 5 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [], + "command": { + "alpine:3.19 AS builder": [ + { + "Cmd": "from", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "FROM alpine:3.19 AS builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "AS", + "builder" + ], + "_kics_line": 1 + }, + { + "Cmd": "copy", + "EndLine": 3, + "Flags": [], + "JSON": false, + "Original": "COPY . .", + "SubCmd": "", + "Value": [ + ".", + "." 
+ ], + "_kics_line": 3 + }, + { + "Cmd": "healthcheck", + "EndLine": 5, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "CMD", + "executable" + ], + "_kics_line": 5 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [], + "command": { + "alpine:3.19 AS builder": [ + { + "Cmd": "from", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "FROM alpine:3.19 AS builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "AS", + "builder" + ], + "_kics_line": 1 + }, + { + "Cmd": "copy", + "EndLine": 3, + "Flags": [], + "JSON": false, + "Original": "COPY . .", + "SubCmd": "", + "Value": [ + ".", + "." + ], + "_kics_line": 3 + }, + { + "Cmd": "healthcheck", + "EndLine": 5, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "CMD", + "executable" + ], + "_kics_line": 5 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [ + { + "Cmd": "package", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "package main", + "SubCmd": "", + "Value": [ + "" + ], + "_kics_line": 1 + }, + { + "Cmd": "import", + "EndLine": 3, + "Flags": [], + "JSON": false, + "Original": "import \"fmt\"", + "SubCmd": "", + "Value": [ + "" + ], + "_kics_line": 3 + }, + { + "Cmd": "func", + "EndLine": 5, + "Flags": [], + "JSON": false, + "Original": "func main() {", + "SubCmd": "", + "Value": [ + "" + ], + "_kics_line": 5 + }, + { + "Cmd": "fmt.println(\"hello,", + "EndLine": 6, + "Flags": [], + "JSON": false, + "Original": "fmt.Println(\"Hello, World!\")", + "SubCmd": "", + "Value": [ + "" + ], + "_kics_line": 6 + }, + { + "Cmd": "}", + "EndLine": 7, + "Flags": null, 
+ "JSON": false, + "Original": "}", + "SubCmd": "", + "Value": [ + "" + ], + "_kics_line": 7 + } + ], + "command": {}, + "file": "file", + "id": "0" + }, + { + "args": [ + { + "Cmd": "public", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "public class HelloWorld {", + "SubCmd": "", + "Value": [ + "" + ], + "_kics_line": 1 + }, + { + "Cmd": "public", + "EndLine": 2, + "Flags": [], + "JSON": false, + "Original": "public static void main(String[] args) {", + "SubCmd": "", + "Value": [ + "" + ], + "_kics_line": 2 + }, + { + "Cmd": "system.out.println(\"hello,", + "EndLine": 3, + "Flags": [], + "JSON": false, + "Original": "System.out.println(\"Hello, World!\");", + "SubCmd": "", + "Value": [ + "" + ], + "_kics_line": 3 + }, + { + "Cmd": "}", + "EndLine": 4, + "Flags": null, + "JSON": false, + "Original": "}", + "SubCmd": "", + "Value": [ + "" + ], + "_kics_line": 4 + }, + { + "Cmd": "}", + "EndLine": 5, + "Flags": null, + "JSON": false, + "Original": "}", + "SubCmd": "", + "Value": [ + "" + ], + "_kics_line": 5 + } + ], + "command": {}, + "file": "file", + "id": "0" + } + ] } diff --git a/e2e/fixtures/E2E_CLI_105_RESULT.json b/e2e/fixtures/E2E_CLI_105_RESULT.json index 15bba606139..5c4c55498d8 100644 --- a/e2e/fixtures/E2E_CLI_105_RESULT.json +++ b/e2e/fixtures/E2E_CLI_105_RESULT.json 
@@ -1,492 +1,415 @@ { - "kics_version": "development", - "files_scanned": 28, - "lines_scanned": 226, - "files_parsed": 28, - "lines_parsed": 218, - "lines_ignored": 8, - "files_failed_to_scan": 0, - "queries_total": 48, - "queries_failed_to_execute": 1, - "queries_failed_to_compute_similarity_id": 0, - "scan_id": "console", - "severity_counters": { - "CRITICAL": 0, - "HIGH": 25, - "INFO": 0, - "LOW": 6, - "MEDIUM": 4, - "TRACE": 0 - }, - "total_counter": 35, - "total_bom_resources": 0, - "start": "2026-03-13T15:59:29.4211175Z", - "end": "2026-03-13T15:59:30.4080105Z", - "paths": [ - "/path/test/fixtures/dockerfile", - "/path/test/fixtures/negative_dockerfile" - ], - "queries": [ - { - "query_name": "Missing User Instruction", - "query_id": "fd54f200-402c-4333-a5a4-36ef6709af2f", - "query_url": "https://docs.docker.com/engine/reference/builder/#user", - "severity": "HIGH", - "platform": "Dockerfile", - "cwe": "250", - "risk_score": "7.7", - "cloud_provider": "COMMON", - "category": "Build Process", - "experimental": false, - "description": "Always set a user in the runtime stage of your Dockerfile. 
Without it, the container defaults to root, even if earlier build stages define a user.", - "description_id": "eb49caf6", - "files": [ - { - "file_name": "/path/test/fixtures/dockerfile/any_name/DOCKERfile.txt", - "similarity_id": "5663f110b46dbc0378ff0540fc4a54700c80197a1ced862564f987d4f2e7116d", - "line": 13, - "issue_type": "MissingAttribute", - "search_key": "FROM={{alpine:3.19 AS builder}}", - "search_line": -1, - "search_value": "", - "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", - "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" - }, - { - "file_name": "/path/test/fixtures/dockerfile/any_name/file_2.DOCKERfile", - "similarity_id": "29858cfa69a98973cc1ae10f84e66267240bd630126eba2ba15e58a7aa2dd54d", - "line": 4, - "issue_type": "MissingAttribute", - "search_key": "FROM={{alpine:3.19 AS builder}}", - "search_line": -1, - "search_value": "", - "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", - "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" - }, - { - "file_name": "/path/test/fixtures/dockerfile/case_insensitive_tests/corrupted_dockerfile", - "similarity_id": "c5df5bbf63b3ba015d5e7a528f1c1159545d6b6cd7df31aea7411935822bd295", - "line": 1, - "issue_type": "MissingAttribute", - "search_key": "FROM={{alpine:latest}}", - "search_line": -1, - "search_value": "", - "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", - "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" - }, - { - "file_name": "/path/test/fixtures/dockerfile/case_insensitive_tests/dockerFILE", - "similarity_id": "9977ed3614740afd406ca0a86f0df4da5e8680efbb6e9e66ff71ae1dc2d9025f", - "line": 1, - "issue_type": "MissingAttribute", - "search_key": "FROM={{alpine:3.19 as builder}}", - "search_line": -1, - "search_value": "", - "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", - "actual_value": "The 'Dockerfile' does not contain 
any 'USER' instruction" - }, - { - "file_name": "/path/test/fixtures/dockerfile/any_name/file.Dockerfile", - "similarity_id": "1d972910b640dfb968ab630847182b4a19f44b78aeeaa0ef93c96c7e27aa8b6a", - "line": 6, - "issue_type": "MissingAttribute", - "search_key": "FROM={{alpine:3.19 AS builder}}", - "search_line": -1, - "search_value": "", - "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", - "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" - }, - { - "file_name": "/path/test/fixtures/dockerfile/test_folder_names_case/Dockerfile/any_file.txt", - "similarity_id": "47d6f707c904f56fe3ca1cc7bce1d2e0ae41d421da983110a5c15fc7e48105df", - "line": 1, - "issue_type": "MissingAttribute", - "search_key": "FROM={{alpine:3.19 AS builder}}", - "search_line": -1, - "search_value": "", - "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", - "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" - }, - { - "file_name": "/path/test/fixtures/dockerfile/any_name/dockerFILE", - "similarity_id": "e97a5ec241eb063c5757aed13a666c8126e4375ac9aed300cdc72d4ae883dfdc", - "line": 6, - "issue_type": "MissingAttribute", - "search_key": "FROM={{alpine:3.19 AS builder}}", - "search_line": -1, - "search_value": "", - "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", - "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" - }, - { - "file_name": "/path/test/fixtures/dockerfile/case_insensitive_tests/random_name", - "similarity_id": "4df62f3dddaa0fe84e53c387514ff1ffb2405fb47a80011271dfc6742078a0e8", - "line": 1, - "issue_type": "MissingAttribute", - "search_key": "FROM={{alpine:3.19 as builder}}", - "search_line": -1, - "search_value": "", - "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", - "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" - }, - { - "file_name": 
"/path/test/fixtures/dockerfile/any_name/random_name", - "similarity_id": "ee3531797486eec98e3dd28ec8cc5f7f6f00743d1cf79cd47f6859df87026f59", - "line": 3, - "issue_type": "MissingAttribute", - "search_key": "FROM={{alpine:3.19 AS builder}}", - "search_line": -1, - "search_value": "", - "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", - "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" - }, - { - "file_name": "/path/test/fixtures/dockerfile/test_folder_names/dockerfile/any_file.txt", - "similarity_id": "c2e7f0c0c566a723ff253f4a95e837749faba964ec008551c1f87a7faa476110", - "line": 1, - "issue_type": "MissingAttribute", - "search_key": "FROM={{alpine:3.19 AS builder}}", - "search_line": -1, - "search_value": "", - "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", - "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" - }, - { - "file_name": "/path/test/fixtures/dockerfile/test_folder_names_case/Docker/any_file.txt", - "similarity_id": "6da391b0e3e24d85f72b3ace5db0569be32ef11e6f9a433b138ae4e0b004df58", - "line": 1, - "issue_type": "MissingAttribute", - "search_key": "FROM={{alpine:3.19 AS builder}}", - "search_line": -1, - "search_value": "", - "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", - "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" - }, - { - "file_name": "/path/test/fixtures/dockerfile/test_folder_names/dockerfiles/any_file.txt", - "similarity_id": "e150676345e87674484ea970ca810125007b743069646ac448feaba242b7211f", - "line": 1, - "issue_type": "MissingAttribute", - "search_key": "FROM={{alpine:3.19 AS builder}}", - "search_line": -1, - "search_value": "", - "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", - "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" - }, - { - "file_name": "/path/test/fixtures/dockerfile/case_insensitive_tests/Dockerfile-example", - 
"similarity_id": "4f6a063f2127071c0ee7f63c2fc28f663297e9fa775f1e894789aa97b3d76363", - "line": 1, - "issue_type": "MissingAttribute", - "search_key": "FROM={{openjdk:10-jdk}}", - "search_line": -1, - "search_value": "", - "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", - "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" - }, - { - "file_name": "/path/test/fixtures/dockerfile/case_insensitive_tests/DOCKERfile.txt", - "similarity_id": "f9caf5d57d5872073bc7b7a555a3283708f72c9990689c8d4e6b3ce1957b496a", - "line": 1, - "issue_type": "MissingAttribute", - "search_key": "FROM={{alpine:3.19 as builder}}", - "search_line": -1, - "search_value": "", - "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", - "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" - }, - { - "file_name": "/path/test/fixtures/dockerfile/any_name/any_name.ubi8", - "similarity_id": "4d64348b27180d867de9cf04a51db582786ea6622adb94fb54fdbac03b284769", - "line": 4, - "issue_type": "MissingAttribute", - "search_key": "FROM={{alpine:3.19 AS builder}}", - "search_line": -1, - "search_value": "", - "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", - "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" - }, - { - "file_name": "/path/test/fixtures/dockerfile/case_insensitive_tests/any_name.debian", - "similarity_id": "c949a1c23fe7c61dea7daac22ce6a13ffb8dec65b4bcbeacc76bf295518e72ef", - "line": 1, - "issue_type": "MissingAttribute", - "search_key": "FROM={{alpine:3.19 as builder}}", - "search_line": -1, - "search_value": "", - "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", - "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" - }, - { - "file_name": "/path/test/fixtures/dockerfile/any_name/Dockerfile-example", - "similarity_id": "e2ce59bd4b3af78da6c5d27b85a6a82131e24d4efbdd7182f03951a17d57e614", - "line": 1, - 
"issue_type": "MissingAttribute", - "search_key": "FROM={{openjdk:10-jdk}}", - "search_line": -1, - "search_value": "", - "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", - "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" - }, - { - "file_name": "/path/test/fixtures/dockerfile/any_name/Dockerfile.something", - "similarity_id": "b41a39fe06c21fc69fbd6e8f7b3e2c44e8d0d7a8e2b0e0c251f5d6a174e031ee", - "line": 4, - "issue_type": "MissingAttribute", - "search_key": "FROM={{alpine:3.19 AS builder}}", - "search_line": -1, - "search_value": "", - "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", - "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" - }, - { - "file_name": "/path/test/fixtures/dockerfile/test_folder_names_case/Dockerfiles/any_file.txt", - "similarity_id": "b58c4c4ed6c88b82fdf62608154342a31a2de95eaae39716ff4f6ccf1a5bcdda", - "line": 1, - "issue_type": "MissingAttribute", - "search_key": "FROM={{alpine:3.19 AS builder}}", - "search_line": -1, - "search_value": "", - "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", - "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" - }, - { - "file_name": "/path/test/fixtures/dockerfile/case_insensitive_tests/any_name.ubi8", - "similarity_id": "ce95928798897e3f22c2677202d38812030cc2dfb5cf0470d397d7baaf8c1de1", - "line": 1, - "issue_type": "MissingAttribute", - "search_key": "FROM={{alpine:3.19 as builder}}", - "search_line": -1, - "search_value": "", - "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", - "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" - }, - { - "file_name": "/path/test/fixtures/dockerfile/case_insensitive_tests/Dockerfile.something", - "similarity_id": "2b1d191f474528c93b66c1f5f891efd3763834725ed4008cbd216702f576ef20", - "line": 1, - "issue_type": "MissingAttribute", - "search_key": "FROM={{alpine:3.19 as 
builder}}", - "search_line": -1, - "search_value": "", - "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", - "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" - }, - { - "file_name": "/path/test/fixtures/dockerfile/test_folder_names/docker/any_file.txt", - "similarity_id": "9d78b93c92fe63c29dec006a12993b74dc6c6fbf29ae295ff7c6e19136657e2d", - "line": 1, - "issue_type": "MissingAttribute", - "search_key": "FROM={{alpine:3.19 AS builder}}", - "search_line": -1, - "search_value": "", - "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", - "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" - }, - { - "file_name": "/path/test/fixtures/dockerfile/any_name/corrupted_dockerfile", - "similarity_id": "3b246c7fab3ccd04b8a768ed5ad49fe749bb5b10d8ec9793744b3b7342c8cb43", - "line": 1, - "issue_type": "MissingAttribute", - "search_key": "FROM={{alpine:latest}}", - "search_line": -1, - "search_value": "", - "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", - "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" - }, - { - "file_name": "/path/test/fixtures/dockerfile/case_insensitive_tests/file_2.DOCKERfile", - "similarity_id": "b0694a2913d293ea034d0fe62bd549aed2dd316a81fb82b611a7ab901e32b1b6", - "line": 1, - "issue_type": "MissingAttribute", - "search_key": "FROM={{alpine:3.19 AS builder}}", - "search_line": -1, - "search_value": "", - "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", - "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" - }, - { - "file_name": "/path/test/fixtures/dockerfile/any_name/any_name.debian", - "similarity_id": "ef335c394fbaebc802c99ba59b1b3ec830043ac020b711efc7cf497752b73429", - "line": 4, - "issue_type": "MissingAttribute", - "search_key": "FROM={{alpine:3.19 AS builder}}", - "search_line": -1, - "search_value": "", - "expected_value": "The 'Dockerfile' should 
contain the 'USER' instruction", - "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" - } - ] - }, - { - "query_name": "Add Instead of Copy", - "query_id": "9513a694-aa0d-41d8-be61-3271e056f36b", - "query_url": "https://docs.docker.com/engine/reference/builder/#add", - "severity": "MEDIUM", - "platform": "Dockerfile", - "cwe": "610", - "risk_score": "5.2", - "category": "Supply-Chain", - "experimental": false, - "description": "Using ADD to load external installation scripts could lead to an evil web server leveraging this and loading a malicious script.", - "description_id": "0aedd324", - "files": [ - { - "file_name": "/path/test/fixtures/dockerfile/any_name/Dockerfile-example", - "similarity_id": "3f6df15f029bab62aac046654e04f787ff09b8c61bc6ccb8abdf11b8a9162886", - "line": 6, - "issue_type": "IncorrectValue", - "search_key": "FROM={{openjdk:10-jdk}}.{{ADD ${JAR_FILE} app.jar}}", - "search_line": -1, - "search_value": "", - "expected_value": "'COPY' ${JAR_FILE}", - "actual_value": "'ADD' ${JAR_FILE}" - }, - { - "file_name": "/path/test/fixtures/dockerfile/case_insensitive_tests/Dockerfile-example", - "similarity_id": "86a9e39633f72e3a93a6412eb11153740c5eba8edac285ce8046b8e6a1655506", - "line": 1, - "issue_type": "IncorrectValue", - "search_key": "FROM={{openjdk:10-jdk}}.{{add ${JAR_FILE} app.jar}}", - "search_line": -1, - "search_value": "", - "expected_value": "'COPY' ${JAR_FILE}", - "actual_value": "'ADD' ${JAR_FILE}" - } - ] - }, - { - "query_name": "Image Version Using 'latest'", - "query_id": "f45ea400-6bbe-4501-9fc7-1c3d75c32067", - "query_url": "https://docs.docker.com/develop/dev-best-practices/", - "severity": "MEDIUM", - "platform": "Dockerfile", - "cwe": "1357", - "risk_score": "5.1", - "category": "Best Practices", - "experimental": false, - "description": "When building images, always tag them with useful tags which codify version information, intended destination (prod or test, for instance), stability, or other information 
that is useful when deploying the application in different environments. Do not rely on the automatically-created latest tag", - "description_id": "22f535ec", - "files": [ - { - "file_name": "/path/test/fixtures/dockerfile/case_insensitive_tests/corrupted_dockerfile", - "similarity_id": "549bf684768e813a7c47c93394adccb913fa19227c01b72a30e1e3628fdff75d", - "line": 1, - "issue_type": "IncorrectValue", - "search_key": "FROM={{alpine:latest}}", - "search_line": -1, - "search_value": "", - "expected_value": "FROM alpine:latest:'version' where version should not be 'latest'", - "actual_value": "FROM alpine:latest'" - }, - { - "file_name": "/path/test/fixtures/dockerfile/any_name/corrupted_dockerfile", - "similarity_id": "5ce04edae6af79859372aa1df8ac452d212b1f9086d023a8929cc4813c4cc8da", - "line": 1, - "issue_type": "IncorrectValue", - "search_key": "FROM={{alpine:latest}}", - "search_line": -1, - "search_value": "", - "expected_value": "FROM alpine:latest:'version' where version should not be 'latest'", - "actual_value": "FROM alpine:latest'" - } - ] - }, - { - "query_name": "Curl or Wget Instead of Add", - "query_id": "4b410d24-1cbe-4430-a632-62c9a931cf1c", - "query_url": "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", - "severity": "LOW", - "platform": "Dockerfile", - "cwe": "610", - "risk_score": "2.8", - "category": "Best Practices", - "experimental": false, - "description": "Use of Curl or Wget should be done instead of Add to fetch packages from remote URLs due to the use of Add being strongly discouraged", - "description_id": "29e8216b", - "files": [ - { - "file_name": "/path/test/fixtures/dockerfile/any_name/Dockerfile-example", - "similarity_id": "ead0530c4a2e4acfaa1e4f7146582e526720d6fd1bf423297f0e068017c9868f", - "line": 3, - "issue_type": "IncorrectValue", - "search_key": "FROM={{openjdk:10-jdk}}.{{ADD http://source.file/package.file.tar.gz /temp}}", - "search_line": -1, - "search_value": "", - "expected_value": "Should use 'curl' 
or 'wget' to download http://source.file/package.file.tar.gz", - "actual_value": "'ADD' http://source.file/package.file.tar.gz" - }, - { - "file_name": "/path/test/fixtures/dockerfile/case_insensitive_tests/Dockerfile-example", - "similarity_id": "4a41ea8cb8093e0852046f5b11a4c5705e4973525319c92f05ce3935fe7594a8", - "line": 1, - "issue_type": "IncorrectValue", - "search_key": "FROM={{openjdk:10-jdk}}.{{add http://source.file/package.file.tar.gz /temp}}", - "search_line": -1, - "search_value": "", - "expected_value": "Should use 'curl' or 'wget' to download http://source.file/package.file.tar.gz", - "actual_value": "'ADD' http://source.file/package.file.tar.gz" - } - ] - }, - { - "query_name": "Healthcheck Instruction Missing", - "query_id": "b03a748a-542d-44f4-bb86-9199ab4fd2d5", - "query_url": "https://docs.docker.com/engine/reference/builder/#healthcheck", - "severity": "LOW", - "platform": "Dockerfile", - "cwe": "710", - "risk_score": "3.6", - "category": "Insecure Configurations", - "experimental": false, - "description": "Ensure that HEALTHCHECK is being used. 
The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working", - "description_id": "426121ee", - "files": [ - { - "file_name": "/path/test/fixtures/dockerfile/any_name/Dockerfile-example", - "similarity_id": "2cc23de86e69dec07197cfc0e7266f07f7d6bd6c9e7065f785583d8788a23abb", - "line": 1, - "issue_type": "MissingAttribute", - "search_key": "FROM={{openjdk:10-jdk}}", - "search_line": -1, - "search_value": "", - "expected_value": "Dockerfile should contain instruction 'HEALTHCHECK'", - "actual_value": "Dockerfile doesn't contain instruction 'HEALTHCHECK'" - }, - { - "file_name": "/path/test/fixtures/dockerfile/any_name/corrupted_dockerfile", - "similarity_id": "df38a06e4359d643206a6e67240cbbf070130c75ffeb461f44cca8495ce05014", - "line": 1, - "issue_type": "MissingAttribute", - "search_key": "FROM={{alpine:latest}}", - "search_line": -1, - "search_value": "", - "expected_value": "Dockerfile should contain instruction 'HEALTHCHECK'", - "actual_value": "Dockerfile doesn't contain instruction 'HEALTHCHECK'" - }, - { - "file_name": "/path/test/fixtures/dockerfile/case_insensitive_tests/Dockerfile-example", - "similarity_id": "4b896966a01b1dcd6cccce6a2be286296754da04726aa658062e940ad22ad174", - "line": 1, - "issue_type": "MissingAttribute", - "search_key": "FROM={{openjdk:10-jdk}}", - "search_line": -1, - "search_value": "", - "expected_value": "Dockerfile should contain instruction 'HEALTHCHECK'", - "actual_value": "Dockerfile doesn't contain instruction 'HEALTHCHECK'" - }, - { - "file_name": "/path/test/fixtures/dockerfile/case_insensitive_tests/corrupted_dockerfile", - "similarity_id": "5144da2a31e3d6a7d59ceae76bb30685fc147794929785906b3d748413409506", - "line": 1, - "issue_type": "MissingAttribute", - "search_key": "FROM={{alpine:latest}}", - "search_line": -1, - "search_value": "", - "expected_value": "Dockerfile should contain instruction 'HEALTHCHECK'", - "actual_value": "Dockerfile doesn't contain instruction 'HEALTHCHECK'" - } 
- ] - } - ] + "kics_version": "development", + "files_scanned": 26, + "lines_scanned": 212, + "files_parsed": 26, + "lines_parsed": 204, + "lines_ignored": 8, + "files_failed_to_scan": 0, + "queries_total": 48, + "queries_failed_to_execute": 1, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 23, + "INFO": 0, + "LOW": 3, + "MEDIUM": 2, + "TRACE": 0 + }, + "total_counter": 28, + "total_bom_resources": 0, + "start": "2026-03-13T16:37:29.4562916Z", + "end": "2026-03-13T16:37:30.3687083Z", + "paths": [ + "/path/test/fixtures/dockerfile", + "/path/test/fixtures/negative_dockerfile" + ], + "queries": [ + { + "query_name": "Missing User Instruction", + "query_id": "fd54f200-402c-4333-a5a4-36ef6709af2f", + "query_url": "https://docs.docker.com/engine/reference/builder/#user", + "severity": "HIGH", + "platform": "Dockerfile", + "cwe": "250", + "risk_score": "7.7", + "cloud_provider": "COMMON", + "category": "Build Process", + "experimental": false, + "description": "Always set a user in the runtime stage of your Dockerfile. 
Without it, the container defaults to root, even if earlier build stages define a user.", + "description_id": "eb49caf6", + "files": [ + { + "file_name": "path/test/fixtures/dockerfile/any_name/file.Dockerfile", + "similarity_id": "1d972910b640dfb968ab630847182b4a19f44b78aeeaa0ef93c96c7e27aa8b6a", + "line": 6, + "issue_type": "MissingAttribute", + "search_key": "FROM={{alpine:3.19 AS builder}}", + "search_line": -1, + "search_value": "", + "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", + "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" + }, + { + "file_name": "path/test/fixtures/dockerfile/test_folder_names_case/Docker/any_file.txt", + "similarity_id": "6da391b0e3e24d85f72b3ace5db0569be32ef11e6f9a433b138ae4e0b004df58", + "line": 1, + "issue_type": "MissingAttribute", + "search_key": "FROM={{alpine:3.19 AS builder}}", + "search_line": -1, + "search_value": "", + "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", + "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" + }, + { + "file_name": "path/test/fixtures/dockerfile/corrupted_dockerfile", + "similarity_id": "558c83370b9fc9e230035e00ff7b5302cd64c16f700e73c830579947e250a381", + "line": 1, + "issue_type": "MissingAttribute", + "search_key": "FROM={{alpine:latest}}", + "search_line": -1, + "search_value": "", + "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", + "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" + }, + { + "file_name": "path/test/fixtures/dockerfile/case_insensitive_tests/random_name", + "similarity_id": "4df62f3dddaa0fe84e53c387514ff1ffb2405fb47a80011271dfc6742078a0e8", + "line": 1, + "issue_type": "MissingAttribute", + "search_key": "FROM={{alpine:3.19 as builder}}", + "search_line": -1, + "search_value": "", + "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", + "actual_value": "The 'Dockerfile' does not contain any 'USER' 
instruction" + }, + { + "file_name": "path/test/fixtures/dockerfile/test_folder_names/dockerfiles/any_file.txt", + "similarity_id": "e150676345e87674484ea970ca810125007b743069646ac448feaba242b7211f", + "line": 1, + "issue_type": "MissingAttribute", + "search_key": "FROM={{alpine:3.19 AS builder}}", + "search_line": -1, + "search_value": "", + "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", + "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" + }, + { + "file_name": "path/test/fixtures/dockerfile/case_insensitive_tests/DOCKERfile.txt", + "similarity_id": "f9caf5d57d5872073bc7b7a555a3283708f72c9990689c8d4e6b3ce1957b496a", + "line": 1, + "issue_type": "MissingAttribute", + "search_key": "FROM={{alpine:3.19 as builder}}", + "search_line": -1, + "search_value": "", + "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", + "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" + }, + { + "file_name": "path/test/fixtures/dockerfile/test_folder_names/dockerfile/any_file.txt", + "similarity_id": "c2e7f0c0c566a723ff253f4a95e837749faba964ec008551c1f87a7faa476110", + "line": 1, + "issue_type": "MissingAttribute", + "search_key": "FROM={{alpine:3.19 AS builder}}", + "search_line": -1, + "search_value": "", + "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", + "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" + }, + { + "file_name": "path/test/fixtures/dockerfile/any_name/random_name", + "similarity_id": "ee3531797486eec98e3dd28ec8cc5f7f6f00743d1cf79cd47f6859df87026f59", + "line": 3, + "issue_type": "MissingAttribute", + "search_key": "FROM={{alpine:3.19 AS builder}}", + "search_line": -1, + "search_value": "", + "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", + "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" + }, + { + "file_name": 
"path/test/fixtures/dockerfile/test_folder_names_case/Dockerfile/any_file.txt", + "similarity_id": "47d6f707c904f56fe3ca1cc7bce1d2e0ae41d421da983110a5c15fc7e48105df", + "line": 1, + "issue_type": "MissingAttribute", + "search_key": "FROM={{alpine:3.19 AS builder}}", + "search_line": -1, + "search_value": "", + "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", + "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" + }, + { + "file_name": "path/test/fixtures/dockerfile/case_insensitive_tests/any_name.ubi8", + "similarity_id": "ce95928798897e3f22c2677202d38812030cc2dfb5cf0470d397d7baaf8c1de1", + "line": 1, + "issue_type": "MissingAttribute", + "search_key": "FROM={{alpine:3.19 as builder}}", + "search_line": -1, + "search_value": "", + "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", + "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" + }, + { + "file_name": "path/test/fixtures/dockerfile/case_insensitive_tests/dockerFILE", + "similarity_id": "9977ed3614740afd406ca0a86f0df4da5e8680efbb6e9e66ff71ae1dc2d9025f", + "line": 1, + "issue_type": "MissingAttribute", + "search_key": "FROM={{alpine:3.19 as builder}}", + "search_line": -1, + "search_value": "", + "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", + "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" + }, + { + "file_name": "path/test/fixtures/dockerfile/case_insensitive_tests/any_name.debian", + "similarity_id": "c949a1c23fe7c61dea7daac22ce6a13ffb8dec65b4bcbeacc76bf295518e72ef", + "line": 1, + "issue_type": "MissingAttribute", + "search_key": "FROM={{alpine:3.19 as builder}}", + "search_line": -1, + "search_value": "", + "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", + "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" + }, + { + "file_name": "path/test/fixtures/dockerfile/any_name/file_2.DOCKERfile", + 
"similarity_id": "29858cfa69a98973cc1ae10f84e66267240bd630126eba2ba15e58a7aa2dd54d", + "line": 4, + "issue_type": "MissingAttribute", + "search_key": "FROM={{alpine:3.19 AS builder}}", + "search_line": -1, + "search_value": "", + "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", + "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" + }, + { + "file_name": "path/test/fixtures/dockerfile/case_insensitive_tests/Dockerfile.something", + "similarity_id": "2b1d191f474528c93b66c1f5f891efd3763834725ed4008cbd216702f576ef20", + "line": 1, + "issue_type": "MissingAttribute", + "search_key": "FROM={{alpine:3.19 as builder}}", + "search_line": -1, + "search_value": "", + "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", + "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" + }, + { + "file_name": "path/test/fixtures/dockerfile/any_name/any_name.debian", + "similarity_id": "ef335c394fbaebc802c99ba59b1b3ec830043ac020b711efc7cf497752b73429", + "line": 4, + "issue_type": "MissingAttribute", + "search_key": "FROM={{alpine:3.19 AS builder}}", + "search_line": -1, + "search_value": "", + "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", + "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" + }, + { + "file_name": "path/test/fixtures/dockerfile/Dockerfile-example", + "similarity_id": "aeaf42752011d846797cea09ce1a0eb5457673c67b0fb16914a0c639a253e5c7", + "line": 1, + "issue_type": "MissingAttribute", + "search_key": "FROM={{openjdk:10-jdk}}", + "search_line": -1, + "search_value": "", + "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", + "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" + }, + { + "file_name": "path/test/fixtures/dockerfile/case_insensitive_tests/file_2.DOCKERfile", + "similarity_id": "b0694a2913d293ea034d0fe62bd549aed2dd316a81fb82b611a7ab901e32b1b6", + "line": 1, + 
"issue_type": "MissingAttribute", + "search_key": "FROM={{alpine:3.19 AS builder}}", + "search_line": -1, + "search_value": "", + "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", + "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" + }, + { + "file_name": "path/test/fixtures/dockerfile/any_name/Dockerfile.something", + "similarity_id": "b41a39fe06c21fc69fbd6e8f7b3e2c44e8d0d7a8e2b0e0c251f5d6a174e031ee", + "line": 4, + "issue_type": "MissingAttribute", + "search_key": "FROM={{alpine:3.19 AS builder}}", + "search_line": -1, + "search_value": "", + "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", + "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" + }, + { + "file_name": "path/test/fixtures/dockerfile/any_name/dockerFILE", + "similarity_id": "e97a5ec241eb063c5757aed13a666c8126e4375ac9aed300cdc72d4ae883dfdc", + "line": 6, + "issue_type": "MissingAttribute", + "search_key": "FROM={{alpine:3.19 AS builder}}", + "search_line": -1, + "search_value": "", + "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", + "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" + }, + { + "file_name": "path/test/fixtures/dockerfile/test_folder_names/docker/any_file.txt", + "similarity_id": "9d78b93c92fe63c29dec006a12993b74dc6c6fbf29ae295ff7c6e19136657e2d", + "line": 1, + "issue_type": "MissingAttribute", + "search_key": "FROM={{alpine:3.19 AS builder}}", + "search_line": -1, + "search_value": "", + "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", + "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" + }, + { + "file_name": "path/test/fixtures/dockerfile/test_folder_names_case/Dockerfiles/any_file.txt", + "similarity_id": "b58c4c4ed6c88b82fdf62608154342a31a2de95eaae39716ff4f6ccf1a5bcdda", + "line": 1, + "issue_type": "MissingAttribute", + "search_key": "FROM={{alpine:3.19 AS builder}}", + 
"search_line": -1, + "search_value": "", + "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", + "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" + }, + { + "file_name": "path/test/fixtures/dockerfile/any_name/DOCKERfile.txt", + "similarity_id": "5663f110b46dbc0378ff0540fc4a54700c80197a1ced862564f987d4f2e7116d", + "line": 13, + "issue_type": "MissingAttribute", + "search_key": "FROM={{alpine:3.19 AS builder}}", + "search_line": -1, + "search_value": "", + "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", + "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" + }, + { + "file_name": "path/test/fixtures/dockerfile/any_name/any_name.ubi8", + "similarity_id": "4d64348b27180d867de9cf04a51db582786ea6622adb94fb54fdbac03b284769", + "line": 4, + "issue_type": "MissingAttribute", + "search_key": "FROM={{alpine:3.19 AS builder}}", + "search_line": -1, + "search_value": "", + "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", + "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" + } + ] + }, + { + "query_name": "Add Instead of Copy", + "query_id": "9513a694-aa0d-41d8-be61-3271e056f36b", + "query_url": "https://docs.docker.com/engine/reference/builder/#add", + "severity": "MEDIUM", + "platform": "Dockerfile", + "cwe": "610", + "risk_score": "5.2", + "category": "Supply-Chain", + "experimental": false, + "description": "Using ADD to load external installation scripts could lead to an evil web server leveraging this and loading a malicious script.", + "description_id": "0aedd324", + "files": [ + { + "file_name": "path/test/fixtures/dockerfile/Dockerfile-example", + "similarity_id": "9d6bb1f4ca1093d79890b1b24b00dbb2e8fa60ca0df6b2ba391db348256eec6f", + "line": 6, + "issue_type": "IncorrectValue", + "search_key": "FROM={{openjdk:10-jdk}}.{{ADD ${JAR_FILE} app.jar}}", + "search_line": -1, + "search_value": "", + "expected_value": "'COPY' 
${JAR_FILE}", + "actual_value": "'ADD' ${JAR_FILE}" + } + ] + }, + { + "query_name": "Image Version Using 'latest'", + "query_id": "f45ea400-6bbe-4501-9fc7-1c3d75c32067", + "query_url": "https://docs.docker.com/develop/dev-best-practices/", + "severity": "MEDIUM", + "platform": "Dockerfile", + "cwe": "1357", + "risk_score": "5.1", + "category": "Best Practices", + "experimental": false, + "description": "When building images, always tag them with useful tags which codify version information, intended destination (prod or test, for instance), stability, or other information that is useful when deploying the application in different environments. Do not rely on the automatically-created latest tag", + "description_id": "22f535ec", + "files": [ + { + "file_name": "path/test/fixtures/dockerfile/corrupted_dockerfile", + "similarity_id": "b8c6f58c6b52c4155b70475008be34bcf7ca39a15378ca1828e657a75ba907f3", + "line": 1, + "issue_type": "IncorrectValue", + "search_key": "FROM={{alpine:latest}}", + "search_line": -1, + "search_value": "", + "expected_value": "FROM alpine:latest:'version' where version should not be 'latest'", + "actual_value": "FROM alpine:latest'" + } + ] + }, + { + "query_name": "Curl or Wget Instead of Add", + "query_id": "4b410d24-1cbe-4430-a632-62c9a931cf1c", + "query_url": "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", + "severity": "LOW", + "platform": "Dockerfile", + "cwe": "610", + "risk_score": "2.8", + "category": "Best Practices", + "experimental": false, + "description": "Use of Curl or Wget should be done instead of Add to fetch packages from remote URLs due to the use of Add being strongly discouraged", + "description_id": "29e8216b", + "files": [ + { + "file_name": "path/test/fixtures/dockerfile/Dockerfile-example", + "similarity_id": "37ebb20d72a17217823809f4bbf670db1167d627157c42c0b4dd9b063e30b5bd", + "line": 3, + "issue_type": "IncorrectValue", + "search_key": "FROM={{openjdk:10-jdk}}.{{ADD 
http://source.file/package.file.tar.gz /temp}}", + "search_line": -1, + "search_value": "", + "expected_value": "Should use 'curl' or 'wget' to download http://source.file/package.file.tar.gz", + "actual_value": "'ADD' http://source.file/package.file.tar.gz" + } + ] + }, + { + "query_name": "Healthcheck Instruction Missing", + "query_id": "b03a748a-542d-44f4-bb86-9199ab4fd2d5", + "query_url": "https://docs.docker.com/engine/reference/builder/#healthcheck", + "severity": "LOW", + "platform": "Dockerfile", + "cwe": "710", + "risk_score": "3.6", + "category": "Insecure Configurations", + "experimental": false, + "description": "Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working", + "description_id": "426121ee", + "files": [ + { + "file_name": "path/test/fixtures/dockerfile/Dockerfile-example", + "similarity_id": "4d0420e48f4c7d991ed6694980266d5b7313da8abb2e29b2dd777ce7c6f6251d", + "line": 1, + "issue_type": "MissingAttribute", + "search_key": "FROM={{openjdk:10-jdk}}", + "search_line": -1, + "search_value": "", + "expected_value": "Dockerfile should contain instruction 'HEALTHCHECK'", + "actual_value": "Dockerfile doesn't contain instruction 'HEALTHCHECK'" + }, + { + "file_name": "path/test/fixtures/dockerfile/corrupted_dockerfile", + "similarity_id": "ae470ca681b82da606c6080acf7ea93906066db785bf47e2372ef7b342f43f7e", + "line": 1, + "issue_type": "MissingAttribute", + "search_key": "FROM={{alpine:latest}}", + "search_line": -1, + "search_value": "", + "expected_value": "Dockerfile should contain instruction 'HEALTHCHECK'", + "actual_value": "Dockerfile doesn't contain instruction 'HEALTHCHECK'" + } + ] + } + ] } diff --git a/e2e/testcases/e2e-cli-105_valid_dockerfile_detected.go b/e2e/testcases/e2e-cli-105_valid_dockerfile_detected.go index c58e47a07f5..fdc5b87ecbb 100644 --- a/e2e/testcases/e2e-cli-105_valid_dockerfile_detected.go 
+++ b/e2e/testcases/e2e-cli-105_valid_dockerfile_detected.go @@ -9,8 +9,8 @@ func init() { //nolint Args: []cmdArgs{ []string{"scan", "-o", "/path/e2e/output", "--output-name", "E2E_CLI_105_RESULT", - "-p", "\"/path/test/fixtures/dockerfile\"", - "-p", "\"/path/test/fixtures/negative_dockerfile\"", + "-p", "/path/test/fixtures/dockerfile", + "-p", "/path/test/fixtures/negative_dockerfile", "--payload-path", "/path/e2e/output/E2E_CLI_105_PAYLOAD.json", }, }, diff --git a/test/fixtures/dockerfile/Dockerfile-example b/test/fixtures/dockerfile/Dockerfile-example index e41733e34fe..d7d7935b60b 100644 --- a/test/fixtures/dockerfile/Dockerfile-example +++ b/test/fixtures/dockerfile/Dockerfile-example @@ -1,7 +1,7 @@ -from openjdk:10-jdk -volume /tmp -add http://source.file/package.file.tar.gz /temp -run tar -xjf /temp/package.file.tar.gz -arg JAR_FILE -add ${JAR_FILE} app.jar -entrypoint ["java","-Djava.security.egd=file:/dev/./urandom","-jar","/app.jar"] +FROM openjdk:10-jdk +VOLUME /tmp +ADD http://source.file/package.file.tar.gz /temp +RUN tar -xjf /temp/package.file.tar.gz +ARG JAR_FILE +ADD ${JAR_FILE} app.jar +ENTRYPOINT ["java","-Djava.security.egd=file:/dev/./urandom","-jar","/app.jar"] From 1c599741c2bb22b1914df5b57b837ab401eb9b8d Mon Sep 17 00:00:00 2001 From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Sun, 15 Mar 2026 12:06:06 +0000 Subject: [PATCH 13/84] Changed relevant functions to always treat/set the extension of valid dockerfiles as '.dockerfile' --- pkg/analyzer/analyzer.go | 1 - pkg/parser/docker/parser.go | 2 +- pkg/parser/docker/parser_test.go | 2 +- pkg/parser/parser_test.go | 2 -- pkg/remediation/scan.go | 2 +- 5 files changed, 3 insertions(+), 6 deletions(-) diff --git a/pkg/analyzer/analyzer.go b/pkg/analyzer/analyzer.go index dafa3b11551..c3e4da6373a 100644 --- a/pkg/analyzer/analyzer.go +++ b/pkg/analyzer/analyzer.go 
@@ -102,7 +102,6 @@ var (
 ".yaml": true,
 ".json": true,
 ".dockerfile": true,
- "dockerfile": true,
 ".debian": true,
 ".ubi8": true,
 ".tf": true,
diff --git a/pkg/parser/docker/parser.go b/pkg/parser/docker/parser.go
index fc507ef3d88..8d36af3e9fa 100644
--- a/pkg/parser/docker/parser.go
+++ b/pkg/parser/docker/parser.go
@@ -135,7 +135,7 @@ func (p *Parser) GetKind() model.FileKind {
 
 // SupportedExtensions returns Dockerfile extensions
 func (p *Parser) SupportedExtensions() []string {
- return []string{"Dockerfile", ".dockerfile", "dockerfile", ".ubi8", ".debian"}
+ return []string{".dockerfile", ".ubi8", ".debian"}
 }
 
 // SupportedTypes returns types supported by this parser, which are dockerfile
diff --git a/pkg/parser/docker/parser_test.go b/pkg/parser/docker/parser_test.go
index 5ca430dbbc1..2ba37077bdb 100644
--- a/pkg/parser/docker/parser_test.go
+++ b/pkg/parser/docker/parser_test.go
@@ -17,7 +17,7 @@ func TestParser_GetKind(t *testing.T) {
 // TestParser_SupportedExtensions tests the functions [SupportedExtensions()] and all the methods called by them
 func TestParser_SupportedExtensions(t *testing.T) {
 p := &Parser{}
- require.Equal(t, []string{"Dockerfile", ".dockerfile", "dockerfile", ".ubi8", ".debian"}, p.SupportedExtensions())
+ require.Equal(t, []string{".dockerfile", ".ubi8", ".debian"}, p.SupportedExtensions())
 }
 
 // TestParser_SupportedExtensions tests the functions [SupportedTypes()] and all the methods called by them
diff --git a/pkg/parser/parser_test.go b/pkg/parser/parser_test.go
index bbc45a089c5..0eff1ce94ea 100644
--- a/pkg/parser/parser_test.go
+++ b/pkg/parser/parser_test.go
@@ -94,8 +94,6 @@ func TestParser_SupportedExtensions(t *testing.T) {
 require.Contains(t, extensions, ".tf")
 require.Contains(t, extensions, ".yaml")
 require.Contains(t, extensions, ".dockerfile")
- require.Contains(t, extensions, "dockerfile")
- require.Contains(t, extensions, "Dockerfile")
 }
 
 func initilizeBuilder() []*Parser {
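Review bot: `SupportedExtensions` now lists only dot-prefixed extensions, so a bare `Dockerfile` is recognised only if every caller normalises the name to `.dockerfile` before consulting this list; a caller that passes `filepath.Ext` (which returns `""` for `Dockerfile`) would silently stop matching, and that contract is not stated anywhere in the hunk. Suggest recording it on the method: `// SupportedExtensions returns the normalised extensions this parser accepts; file names such as "Dockerfile" must already have been mapped to ".dockerfile" by the caller (see utils.GetExtension).` The analyzer.go hunk of this patch that drops the `"dockerfile"` key rests on the same assumption.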
diff --git a/pkg/remediation/scan.go b/pkg/remediation/scan.go
index 112295cd2c6..a9adddf0ee7 100644
--- a/pkg/remediation/scan.go
+++ b/pkg/remediation/scan.go
@@ -95,7 +95,7 @@ func getPayload(filePath string, content []byte, openAPIResolveReferences bool, var err error switch ext {
- case ".dockerfile", "Dockerfile", "gitignore", ".ubi8", ".debian":
+ case ".dockerfile", "gitignore", ".ubi8", ".debian":
 p, err = parser.NewBuilder().Add(&dockerParser.Parser{}).Build([]string{""}, []string{""}) case terraformExtension:
From 51b5a521ce816c9baddf6a99d49acec502ca6344 Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Mon, 16 Mar 2026 10:55:15 +0000
Subject: [PATCH 14/84] Removed last mention of 'dockerfile' without dot notation
---
 pkg/analyzer/analyzer.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/analyzer/analyzer.go b/pkg/analyzer/analyzer.go
index c3e4da6373a..b968805dc01 100644
--- a/pkg/analyzer/analyzer.go
+++ b/pkg/analyzer/analyzer.go
@@ -437,7 +437,7 @@ func (a *analyzerInfo) worker( //nolint: gocyclo
 case "gitignore":
 unwanted <- a.filePath
 // Dockerfile
- case ".dockerfile", "dockerfile":
+ case ".dockerfile":
 if a.isAvailableType(dockerfile) {
 results <- dockerfile
 locCount <- linesCount
From 122bd04146082742254e281030a0efe653d22b8e Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Mon, 16 Mar 2026 11:18:20 +0000
Subject: [PATCH 15/84] Changed 'gitignore' check for better check order in 'GetExtension' function
---
 pkg/utils/get_extension.go | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/pkg/utils/get_extension.go b/pkg/utils/get_extension.go
index b496cd7c31f..9c7c6a9862e 100644
--- a/pkg/utils/get_extension.go
+++ b/pkg/utils/get_extension.go
@@ -24,10 +24,6 @@ func GetExtension(path string) (string, error) {
 return "", fmt.Errorf("the path %s is a directory", path)
 }
 
- if strings.HasSuffix(filepath.Clean(path), "gitignore") {
- return "gitignore", nil
- }
-
 if ext, ok := isDockerfileExtension(path, extDockerfile); ok {
 return ext, nil
 }
@@ -39,6 +35,9 @@ func GetExtension(path string) (string, error) {
 return extDockerfile, nil
 }
 case "":
+ if strings.HasSuffix(filepath.Clean(path), "gitignore") {
+ return "gitignore", nil
+ }
 if filepath.Base(path) == "tfvars" {
 return ".tfvars", nil
 }
From 2da32f613f2fc7e5664c64275655eafbfcf46240 Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Mon, 16 Mar 2026 12:15:39 +0000
Subject: [PATCH 16/84] Slightly more restrictive check to FROM command to ensure it has a trailing whitespace
---
 pkg/utils/get_extension.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/utils/get_extension.go b/pkg/utils/get_extension.go
index 9c7c6a9862e..7e9994c3f62 100644
--- a/pkg/utils/get_extension.go
+++ b/pkg/utils/get_extension.go
@@ -91,7 +91,7 @@ func readPossibleDockerFile(path string) bool {
 if strings.HasPrefix(scanner.Text(), "#") || strings.HasPrefix(strings.ToLower(scanner.Text()), "arg") || scanner.Text() == "" {
 continue
 } else {
- if strings.HasPrefix(strings.ToLower(scanner.Text()), "from") {
+ if strings.HasPrefix(strings.ToLower(scanner.Text()), "from ") {
 return true
 } else {
 return false
From 1bfe1264d25b5006fba5f389e6c0c680259a3354 Mon Sep 17 00:00:00 2001
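Review bot: The `"from "` check on the changed line only accepts a single space after the keyword, so a Dockerfile written as `FROM\timage` (tabs are valid instruction separators) is reported as not-a-Dockerfile, and because `scanner.Text()` is never trimmed an indented `# comment` or indented `FROM` also ends the loop with `false`; the `arg` prefix test likewise skips any line that merely begins with those three letters. Since this function appears to be the gate that decides whether an extension-less file is analysed as a Dockerfile at all, each false negative silently drops a file from the scan instead of producing an error. The same shape is kept by the PATCH 18 hunk of this function (PATCH 17's `TrimSpace` rewrite fixed the indentation part but not the separator), so the remark applies there too. A keyword-based test covers all of these in three lines: `fields := strings.Fields(scanner.Text())`, `if len(fields) == 0 || strings.HasPrefix(fields[0], "#") || strings.EqualFold(fields[0], "arg") { continue }`, `return strings.EqualFold(fields[0], "from")`. The enclosing function opens and closes outside this hunk, and as far as the later hunks show `scanner.Err()` is not consulted after the loop.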
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Tue, 17 Mar 2026 10:47:39 +0000
Subject: [PATCH 17/84] Updates to functions, removed unnecessary if statement on scan.go and unnecessary 'gitignore' case in analyzer's workers
---
 pkg/analyzer/analyzer.go | 3 ---
 pkg/parser/docker/parser.go | 4 +---
 pkg/remediation/scan.go | 2 +-
 pkg/utils/get_extension.go | 13 +++++--------
 4 files changed, 7 insertions(+), 15 deletions(-)
diff --git a/pkg/analyzer/analyzer.go b/pkg/analyzer/analyzer.go
index b968805dc01..f5fc6804ac8 100644
--- a/pkg/analyzer/analyzer.go
+++ b/pkg/analyzer/analyzer.go
@@ -112,7 +112,6 @@ var (
 ".conf": true,
 ".ini": true,
 ".bicep": true,
- "gitignore": true,
 }
 supportedRegexes = map[string][]string{
 "azureresourcemanager": append(armRegexTypes, arm),
@@ -434,8 +433,6 @@ func (a *analyzerInfo) worker( //nolint: gocyclo
 linesCount, _ := utils.LineCounter(a.filePath, a.fallbackMinifiedFileLOC)
 
 switch ext {
- case "gitignore":
- unwanted <- a.filePath
 // Dockerfile
 case ".dockerfile":
 if a.isAvailableType(dockerfile) {
diff --git a/pkg/parser/docker/parser.go b/pkg/parser/docker/parser.go
index 8d36af3e9fa..a676b1cfee7 100644
--- a/pkg/parser/docker/parser.go
+++ b/pkg/parser/docker/parser.go
@@ -59,9 +59,7 @@ func (p *Parser) Parse(_ string, fileContent []byte) ([]model.Document, []int, e
 for _, child := range parsed.AST.Children {
 child.Value = strings.ToLower(child.Value)
 if child.Value == "from" {
- if strings.HasPrefix(strings.ToUpper(child.Original), "FROM ") {
- fromValue = child.Original[5:]
- }
+ fromValue = child.Original[5:]
 }
 
 if ignoreStruct.getIgnoreComments(child) {
diff --git a/pkg/remediation/scan.go b/pkg/remediation/scan.go
index a9adddf0ee7..b95ebfb65b2 100644
--- a/pkg/remediation/scan.go
+++ b/pkg/remediation/scan.go
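Review bot: `fromValue = child.Original[5:]` on the added line of the parser.go hunk is now unguarded; the removed `HasPrefix(..., "FROM ")` test doubled as a length check, so if the upstream parser ever yields a `from` node whose `Original` is shorter than five bytes (a bare `FROM` line, should it survive parsing) the slice expression panics with an out-of-range index, and for a scanner that means one malformed input file aborts the whole run instead of yielding a parse error. The old guard also assumed a single-space separator: with `FROM\timage` or leading whitespace in `Original` it left `fromValue` empty, whereas the new line stores a mis-sliced string — which of those inputs the parser can actually produce is not visible here. A minimal guard keeps the case-insensitive intent: `if len(child.Original) > 5 { fromValue = child.Original[5:] }`. The enclosing `Parse` loop starts before the hunk and `fromValue` is consumed outside it.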
@@ -95,7 +95,7 @@ func getPayload(filePath string, content []byte, openAPIResolveReferences bool, var err error switch ext {
- case ".dockerfile", "gitignore", ".ubi8", ".debian":
+ case ".dockerfile", ".ubi8", ".debian":
 p, err = parser.NewBuilder().Add(&dockerParser.Parser{}).Build([]string{""}, []string{""}) case terraformExtension:
diff --git a/pkg/utils/get_extension.go b/pkg/utils/get_extension.go
index 7e9994c3f62..45073ecb2a0 100644
--- a/pkg/utils/get_extension.go
+++ b/pkg/utils/get_extension.go
@@ -16,6 +16,7 @@ import (
 func GetExtension(path string) (string, error) {
 extDockerfile := ".dockerfile"
 fileInfo, err := os.Stat(path)
+
 if err != nil {
 return "", fmt.Errorf("file %s not found", path)
 }
@@ -36,7 +37,7 @@ func GetExtension(path string) (string, error) {
 }
 case "":
 if strings.HasSuffix(filepath.Clean(path), "gitignore") {
- return "gitignore", nil
+ return "", nil
 }
 if filepath.Base(path) == "tfvars" {
 return ".tfvars", nil
@@ -88,15 +89,11 @@ func readPossibleDockerFile(path string) bool {
 scanner := bufio.NewScanner(file)
 // Read lines from the file
 for scanner.Scan() {
- if strings.HasPrefix(scanner.Text(), "#") || strings.HasPrefix(strings.ToLower(scanner.Text()), "arg") || scanner.Text() == "" {
+ line := strings.TrimSpace(scanner.Text())
+ if line == "" || line[0] == '#' || strings.HasPrefix(strings.ToLower(line), "arg") {
 continue
- } else {
- if strings.HasPrefix(strings.ToLower(scanner.Text()), "from ") {
- return true
- } else {
- return false
- }
 }
+ return strings.HasPrefix(strings.ToLower(line), "from ")
 }
 return false
 }
From 944a70f835ecec250bddd4ef9f590277a938ebe6 Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Tue, 17 Mar 2026 12:45:11 +0000
Subject: [PATCH 18/84] fix previous commit
---
 pkg/utils/get_extension.go | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/pkg/utils/get_extension.go b/pkg/utils/get_extension.go
index 45073ecb2a0..fa189d37746 100644
--- a/pkg/utils/get_extension.go
+++ b/pkg/utils/get_extension.go
@@ -16,7 +16,6 @@ import (
 func GetExtension(path string) (string, error) {
 extDockerfile := ".dockerfile"
 fileInfo, err := os.Stat(path)
-
 if err != nil {
 return "", fmt.Errorf("file %s not found", path)
 }
@@ -89,11 +88,15 @@ func readPossibleDockerFile(path string) bool {
 scanner := bufio.NewScanner(file)
 // Read lines from the file
 for scanner.Scan() {
- line := strings.TrimSpace(scanner.Text())
- if line == "" || line[0] == '#' || strings.HasPrefix(strings.ToLower(line), "arg") {
+ if strings.HasPrefix(scanner.Text(), "#") || strings.HasPrefix(strings.ToLower(scanner.Text()), "arg") || scanner.Text() == "" {
 continue
+ } else {
+ if strings.HasPrefix(strings.ToLower(scanner.Text()), "from ") {
+ return true
+ } else {
+ return false
+ }
 }
- return strings.HasPrefix(strings.ToLower(line), "from ")
 }
 return false
 }
From 3d5c2c91521bf0a124a99453d65875eafb74ff01 Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Tue, 17 Mar 2026 13:02:13 +0000
Subject: [PATCH 19/84] fix analyzer uni tests
---
 pkg/analyzer/analyzer.go | 4 +++-
 pkg/utils/get_extension.go | 3 ---
 2 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/pkg/analyzer/analyzer.go b/pkg/analyzer/analyzer.go
index f5fc6804ac8..6e21776fbb5 100644
--- a/pkg/analyzer/analyzer.go
+++ b/pkg/analyzer/analyzer.go
@@ -840,7 +840,9 @@ func (a *Analyzer) checkIgnore(fileSize int64, hasGitIgnoreFile bool, fullPath string, trimmedPath string, ignoreFiles []string) []string { exceededFileSize := a.MaxFileSize >= 0 && float64(fileSize)/float64(sizeMb) > float64(a.MaxFileSize)
- if (hasGitIgnoreFile && gitIgnore.MatchesPath(trimmedPath)) || isDeadSymlink(fullPath) || exceededFileSize {
+ isGitIgnoreFile := filepath.Base(fullPath) == ".gitignore" || filepath.Base(fullPath) == "gitignore"
+
+ if (isGitIgnoreFile || hasGitIgnoreFile && gitIgnore.MatchesPath(trimmedPath)) || isDeadSymlink(fullPath) || exceededFileSize {
 ignoreFiles = append(ignoreFiles, fullPath) a.Exc = append(a.Exc, fullPath)
diff --git a/pkg/utils/get_extension.go b/pkg/utils/get_extension.go
index fa189d37746..ec1f300cb28 100644
--- a/pkg/utils/get_extension.go
+++ b/pkg/utils/get_extension.go
@@ -35,9 +35,6 @@ func GetExtension(path string) (string, error) {
 return extDockerfile, nil
 }
 case "":
- if strings.HasSuffix(filepath.Clean(path), "gitignore") {
- return "", nil
- }
 if filepath.Base(path) == "tfvars" {
 return ".tfvars", nil
 }
From 6da5da5f34575f46b98e8c177d990cf32d68b8c9 Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Tue, 17 Mar 2026 13:17:11 +0000
Subject: [PATCH 20/84] simplified new if condition
---
 pkg/analyzer/analyzer.go | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/pkg/analyzer/analyzer.go b/pkg/analyzer/analyzer.go
index 6e21776fbb5..511f346281f 100644
--- a/pkg/analyzer/analyzer.go
+++ b/pkg/analyzer/analyzer.go
@@ -840,9 +840,7 @@ func (a *Analyzer) checkIgnore(fileSize int64, hasGitIgnoreFile bool, fullPath string, trimmedPath string, ignoreFiles []string) []string { exceededFileSize := a.MaxFileSize >= 0 && float64(fileSize)/float64(sizeMb) > float64(a.MaxFileSize)
- isGitIgnoreFile := filepath.Base(fullPath) == ".gitignore" || filepath.Base(fullPath) == "gitignore"
-
- if (isGitIgnoreFile || hasGitIgnoreFile && gitIgnore.MatchesPath(trimmedPath)) || isDeadSymlink(fullPath) || exceededFileSize {
+ if (strings.HasSuffix(filepath.Clean(fullPath), "gitignore") || hasGitIgnoreFile && gitIgnore.MatchesPath(trimmedPath)) || isDeadSymlink(fullPath) || exceededFileSize {
 ignoreFiles = append(ignoreFiles, fullPath) a.Exc = append(a.Exc, fullPath)
From c3c0968ebdbbdce1e255f076f72924140ddbba3a Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Tue, 17 Mar 2026 13:45:17 +0000
Subject: [PATCH 21/84] lint fix
---
 pkg/analyzer/analyzer.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/pkg/analyzer/analyzer.go b/pkg/analyzer/analyzer.go
index 511f346281f..13ccc12aceb 100644
--- a/pkg/analyzer/analyzer.go
+++ b/pkg/analyzer/analyzer.go
@@ -840,7 +840,8 @@ func (a *Analyzer) checkIgnore(fileSize int64, hasGitIgnoreFile bool, fullPath string, trimmedPath string, ignoreFiles []string) []string { exceededFileSize := a.MaxFileSize >= 0 && float64(fileSize)/float64(sizeMb) > float64(a.MaxFileSize)
- if (strings.HasSuffix(filepath.Clean(fullPath), "gitignore") || hasGitIgnoreFile && gitIgnore.MatchesPath(trimmedPath)) || isDeadSymlink(fullPath) || exceededFileSize {
+ if (strings.HasSuffix(filepath.Clean(fullPath), "gitignore") || hasGitIgnoreFile && gitIgnore.MatchesPath(trimmedPath)) ||
+ isDeadSymlink(fullPath) || exceededFileSize {
 ignoreFiles = append(ignoreFiles, fullPath) a.Exc = append(a.Exc, fullPath)
From 194c47f08d6ec6f249188f6525ae0c09d3bce386 Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Tue, 17 Mar 2026 14:56:04 +0000 Subject: [PATCH 22/84] fixed analyze unit tests, with names ending in 'gitignore' no longer have to be explicitly set as unwanted to allign with '.gitignore' behaviour --- pkg/analyzer/analyzer.go | 3 +-- pkg/analyzer/analyzer_test.go | 3 +-- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/pkg/analyzer/analyzer.go b/pkg/analyzer/analyzer.go index 13ccc12aceb..f5fc6804ac8 100644 --- a/pkg/analyzer/analyzer.go +++ b/pkg/analyzer/analyzer.go @@ -840,8 +840,7 @@ func (a *Analyzer) checkIgnore(fileSize int64, hasGitIgnoreFile bool, fullPath string, trimmedPath string, ignoreFiles []string) []string { exceededFileSize := a.MaxFileSize >= 0 && float64(fileSize)/float64(sizeMb) > float64(a.MaxFileSize) - if (strings.HasSuffix(filepath.Clean(fullPath), "gitignore") || hasGitIgnoreFile && gitIgnore.MatchesPath(trimmedPath)) || - isDeadSymlink(fullPath) || exceededFileSize { + if (hasGitIgnoreFile && gitIgnore.MatchesPath(trimmedPath)) || isDeadSymlink(fullPath) || exceededFileSize { ignoreFiles = append(ignoreFiles, fullPath) a.Exc = append(a.Exc, fullPath) diff --git a/pkg/analyzer/analyzer_test.go b/pkg/analyzer/analyzer_test.go index 0d245d8c1ef..3323db26ac8 100644 --- a/pkg/analyzer/analyzer_test.go +++ b/pkg/analyzer/analyzer_test.go @@ -151,7 +151,6 @@ func TestAnalyzer_Analyze(t *testing.T) { wantExclude: []string{ filepath.FromSlash("../../test/fixtures/gitignore/positive.dockerfile"), filepath.FromSlash("../../test/fixtures/gitignore/secrets.tf"), - filepath.FromSlash("../../test/fixtures/gitignore/gitignore"), }, typesFromFlag: []string{""}, excludeTypesFromFlag: []string{""}, 
@@ -167,7 +166,7 @@ func TestAnalyzer_Analyze(t *testing.T) { filepath.FromSlash("../../test/fixtures/gitignore"), }, wantTypes: []string{"dockerfile", "kubernetes", "terraform"}, - wantExclude: []string{filepath.FromSlash("../../test/fixtures/gitignore/gitignore")}, + wantExclude: []string{}, typesFromFlag: []string{""}, excludeTypesFromFlag: []string{""}, wantLOC: 42, From fa26908522a1964b8829b81176c17e5fd403ce9d Mon Sep 17 00:00:00 2001 From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Tue, 17 Mar 2026 17:03:02 +0000 Subject: [PATCH 23/84] Case-insensitive unit tests for dockerfile samples --- pkg/parser/docker/parser_test.go | 34 ++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/pkg/parser/docker/parser_test.go b/pkg/parser/docker/parser_test.go index 2ba37077bdb..c8d9565a050 100644 --- a/pkg/parser/docker/parser_test.go +++ b/pkg/parser/docker/parser_test.go 
@@ -235,3 +235,37 @@ func TestParser_GetResolvedFiles(t *testing.T) { }) } } + +// TestParser_Parse_CaseInsensitive tests that the parser handles Dockerfile commands +// in a case-insensitive manner +func TestParser_Parse_CaseInsensitive(t *testing.T) { + p := &Parser{} + + lower := ` +from alpine:3.18 +run echo "hello" +` + mixed := ` +fRoM alpine:3.18 +rUn echo "hello" +` + + docUpper, _, err := p.Parse("Dockerfile", []byte(lower)) + require.NoError(t, err) + require.Len(t, docUpper, 1) + require.Contains(t, docUpper[0]["command"], "alpine:3.18") + + docMixed, _, err := p.Parse("Dockerfile", []byte(mixed)) + require.NoError(t, err) + require.Len(t, docMixed, 1) + require.Contains(t, docMixed[0]["command"], "alpine:3.18") + + cmdsUpper := docUpper[0]["command"].(map[string]interface{})["alpine:3.18"].([]interface{}) + cmdsMixed := docMixed[0]["command"].(map[string]interface{})["alpine:3.18"].([]interface{}) + + require.Len(t, cmdsUpper, len(cmdsMixed)) + for i := range cmdsUpper { + require.Equal(t, cmdsUpper[i].(map[string]interface{})["Cmd"], cmdsMixed[i].(map[string]interface{})["Cmd"]) + require.Equal(t, cmdsUpper[i].(map[string]interface{})["Value"], cmdsMixed[i].(map[string]interface{})["Value"]) + } +} From 8355e51748231205621fff4b0ff27c2aeaf4cfb7 Mon Sep 17 00:00:00 2001 From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Tue, 17 Mar 2026 17:16:45 +0000 Subject: [PATCH 24/84] Slight changes to new test --- pkg/parser/docker/parser_test.go | 21 +++++++++++++++++---- 1 file changed, 17 insertions(+), 4 deletions(-) diff --git a/pkg/parser/docker/parser_test.go b/pkg/parser/docker/parser_test.go index c8d9565a050..abe4b47afb1 100644 --- a/pkg/parser/docker/parser_test.go +++ b/pkg/parser/docker/parser_test.go 
@@ -240,7 +240,11 @@ func TestParser_GetResolvedFiles(t *testing.T) {
 // in a case-insensitive manner
 func TestParser_Parse_CaseInsensitive(t *testing.T) {
 p := &Parser{}
-
+ // baseline sample
+ upper := `
+FROM alpine:3.18
+RUN echo "hello"
+`
 lower := `
 from alpine:3.18
 run echo "hello"
@@ -250,22 +254,31 @@ fRoM alpine:3.18
 rUn echo "hello"
 `
 
- docUpper, _, err := p.Parse("Dockerfile", []byte(lower))
+ docUpper, _, err := p.Parse("Dockerfile", []byte(upper))
 require.NoError(t, err)
 require.Len(t, docUpper, 1)
 require.Contains(t, docUpper[0]["command"], "alpine:3.18")
+ cmdsUpper := docUpper[0]["command"].(map[string]interface{})["alpine:3.18"].([]interface{})
+
+ docLower, _, err := p.Parse("Dockerfile", []byte(lower))
+ require.NoError(t, err)
+ require.Len(t, docLower, 1)
+ require.Contains(t, docLower[0]["command"], "alpine:3.18")
+ cmdsLower := docLower[0]["command"].(map[string]interface{})["alpine:3.18"].([]interface{})
 
 docMixed, _, err := p.Parse("Dockerfile", []byte(mixed))
 require.NoError(t, err)
 require.Len(t, docMixed, 1)
 require.Contains(t, docMixed[0]["command"], "alpine:3.18")
-
- cmdsUpper := docUpper[0]["command"].(map[string]interface{})["alpine:3.18"].([]interface{})
 cmdsMixed := docMixed[0]["command"].(map[string]interface{})["alpine:3.18"].([]interface{})
 
+ require.Len(t, cmdsUpper, len(cmdsLower))
 require.Len(t, cmdsUpper, len(cmdsMixed))
+
 for i := range cmdsUpper {
 require.Equal(t, cmdsUpper[i].(map[string]interface{})["Cmd"], cmdsMixed[i].(map[string]interface{})["Cmd"])
 require.Equal(t, cmdsUpper[i].(map[string]interface{})["Value"], cmdsMixed[i].(map[string]interface{})["Value"])
+ require.Equal(t, cmdsUpper[i].(map[string]interface{})["Cmd"], cmdsLower[i].(map[string]interface{})["Cmd"])
+ require.Equal(t, cmdsUpper[i].(map[string]interface{})["Value"], cmdsLower[i].(map[string]interface{})["Value"])
 }
 }
From 50980a76a059fdb044495ea2c499aa36cb84b196 Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Tue, 17 Mar 2026 17:33:20 +0000
Subject: [PATCH 25/84] Slight simplification of new docker/parser unit test
---
 pkg/parser/docker/parser_test.go | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/pkg/parser/docker/parser_test.go b/pkg/parser/docker/parser_test.go
index abe4b47afb1..e5bc4d14783 100644
--- a/pkg/parser/docker/parser_test.go
+++ b/pkg/parser/docker/parser_test.go
@@ -257,22 +257,18 @@ rUn echo "hello"
 docUpper, _, err := p.Parse("Dockerfile", []byte(upper))
 require.NoError(t, err)
 require.Len(t, docUpper, 1)
- require.Contains(t, docUpper[0]["command"], "alpine:3.18")
 cmdsUpper := docUpper[0]["command"].(map[string]interface{})["alpine:3.18"].([]interface{})
 
 docLower, _, err := p.Parse("Dockerfile", []byte(lower))
 require.NoError(t, err)
 require.Len(t, docLower, 1)
- require.Contains(t, docLower[0]["command"], "alpine:3.18")
 cmdsLower := docLower[0]["command"].(map[string]interface{})["alpine:3.18"].([]interface{})
+ require.Len(t, cmdsUpper, len(cmdsLower))
 
 docMixed, _, err := p.Parse("Dockerfile", []byte(mixed))
 require.NoError(t, err)
 require.Len(t, docMixed, 1)
- require.Contains(t, docMixed[0]["command"], "alpine:3.18")
 cmdsMixed := docMixed[0]["command"].(map[string]interface{})["alpine:3.18"].([]interface{})
-
- require.Len(t, cmdsUpper, len(cmdsLower))
 require.Len(t, cmdsUpper, len(cmdsMixed))
 
 for i := range cmdsUpper {
From c538a3897b7218e8a8c567eb7147ce30d9f66a9e Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Thu, 19 Mar 2026 16:20:21 +0000
Subject: [PATCH 26/84] Mini fix on insensitive_sample
---
 test/fixtures/dockerfile/case_insensitive_tests/file.Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
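Review bot: Dropping the three `require.Contains(t, doc…[0]["command"], "alpine:3.18")` lines removes the only guard in front of the `["alpine:3.18"].([]interface{})` lookups that follow them; if the stage key is absent the map yields a nil interface and the assertion panics with an interface-conversion error instead of a readable failure, so the simplification costs the test its diagnostic. Keeping the Contains checks, or switching each lookup to the `v, ok :=` form with `require.True(t, ok)`, keeps the shorter shape without that regression. The enclosing TestParser_Parse_CaseInsensitive continues outside the hunk.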
diff --git a/test/fixtures/dockerfile/case_insensitive_tests/file.Dockerfile b/test/fixtures/dockerfile/case_insensitive_tests/file.Dockerfile index 66464c06378..b93539d734f 100644 --- a/test/fixtures/dockerfile/case_insensitive_tests/file.Dockerfile +++ b/test/fixtures/dockerfile/case_insensitive_tests/file.Dockerfile @@ -5,6 +5,6 @@ arg BASE_IMAGE=ubuntu:22.04 from alpine:3.19 as builder -copy . . +copy .. . healthcheck --interval=30s --timeout=30s --start-period=5s --retries=3 cmd [ "executable" ] From 051e791e6a175edea66516dffa82fbce71a75dd1 Mon Sep 17 00:00:00 2001 From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Thu, 19 Mar 2026 16:33:28 +0000 Subject: [PATCH 27/84] Changed E2E to 106 to fix merge conflict --- ...CLI_105_PAYLOAD.json => E2E_CLI_106_PAYLOAD.json} | 0 ...E_CLI_105_RESULT.json => E2E_CLI_106_RESULT.json} | 0 ...d.go => e2e-cli-106_valid_dockerfile_detected.go} | 12 ++++++------ 3 files changed, 6 insertions(+), 6 deletions(-) rename e2e/fixtures/{E2E_CLI_105_PAYLOAD.json => E2E_CLI_106_PAYLOAD.json} (100%) rename e2e/fixtures/{E2E_CLI_105_RESULT.json => E2E_CLI_106_RESULT.json} (100%) rename e2e/testcases/{e2e-cli-105_valid_dockerfile_detected.go => e2e-cli-106_valid_dockerfile_detected.go} (72%) diff --git a/e2e/fixtures/E2E_CLI_105_PAYLOAD.json b/e2e/fixtures/E2E_CLI_106_PAYLOAD.json similarity index 100% rename from e2e/fixtures/E2E_CLI_105_PAYLOAD.json rename to e2e/fixtures/E2E_CLI_106_PAYLOAD.json diff --git a/e2e/fixtures/E2E_CLI_105_RESULT.json b/e2e/fixtures/E2E_CLI_106_RESULT.json similarity index 100% rename from e2e/fixtures/E2E_CLI_105_RESULT.json rename to e2e/fixtures/E2E_CLI_106_RESULT.json 
diff --git a/e2e/testcases/e2e-cli-105_valid_dockerfile_detected.go b/e2e/testcases/e2e-cli-106_valid_dockerfile_detected.go similarity index 72% rename from e2e/testcases/e2e-cli-105_valid_dockerfile_detected.go rename to e2e/testcases/e2e-cli-106_valid_dockerfile_detected.go index fdc5b87ecbb..a7d46870aaa 100644 --- a/e2e/testcases/e2e-cli-105_valid_dockerfile_detected.go +++ b/e2e/testcases/e2e-cli-106_valid_dockerfile_detected.go @@ -1,27 +1,27 @@ package testcases -// E2E-CLI-105 - KICS scan +// E2E-CLI-106 - KICS scan // should perform the scan successfully detect all valid dockerfile documents and return result 50 func init() { //nolint testSample := TestCase{ - Name: "should perform a valid scan with all dockerfile documents parsed [E2E-CLI-105]", + Name: "should perform a valid scan with all dockerfile documents parsed [E2E-CLI-106]", Args: args{ Args: []cmdArgs{ []string{"scan", "-o", "/path/e2e/output", - "--output-name", "E2E_CLI_105_RESULT", + "--output-name", "E2E_CLI_106_RESULT", "-p", "/path/test/fixtures/dockerfile", "-p", "/path/test/fixtures/negative_dockerfile", - "--payload-path", "/path/e2e/output/E2E_CLI_105_PAYLOAD.json", + "--payload-path", "/path/e2e/output/E2E_CLI_106_PAYLOAD.json", }, }, ExpectedResult: []ResultsValidation{ { - ResultsFile: "E2E_CLI_105_RESULT", + ResultsFile: "E2E_CLI_106_RESULT", ResultsFormats: []string{"json"}, }, }, ExpectedPayload: []string{ - "E2E_CLI_105_PAYLOAD.json", + "E2E_CLI_106_PAYLOAD.json", }, }, WantStatus: []int{50}, From 3d9d583d0a4f0b9097febd6bfd3f663c48d90242 Mon Sep 17 00:00:00 2001 From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Thu, 19 Mar 2026 17:16:44 +0000 Subject: [PATCH 28/84] fix E2E tests --- e2e/fixtures/E2E_CLI_106_PAYLOAD.json | 12 ++++++------ test/fixtures/dockerfile/any_name/file.Dockerfile | 2 +- .../case_insensitive_tests/file.Dockerfile | 2 +- 3 files changed, 8 insertions(+), 8 deletions(-) 
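Review bot: `ResultsFile: "E2E_CLI_106_RESULT"` here names a fixture that PATCH 29 later in this series renames back to `E2E_CLI_105_RESULT.json` while the payload stays `E2E_CLI_106_PAYLOAD.json`, so after that commit the testcase and the results fixture appear to disagree on the number. Unless the harness resolves result fixtures by some other rule, this case would fail to find its expected-results file; confirm that both sides carry the same identifier once PATCH 29 is applied. The init() block continues outside the hunk.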
diff --git a/e2e/fixtures/E2E_CLI_106_PAYLOAD.json b/e2e/fixtures/E2E_CLI_106_PAYLOAD.json index d48c034cde2..af2b57b0775 100644 --- a/e2e/fixtures/E2E_CLI_106_PAYLOAD.json +++ b/e2e/fixtures/E2E_CLI_106_PAYLOAD.json @@ -437,10 +437,10 @@ "EndLine": 8, "Flags": [], "JSON": false, - "Original": "COPY . .", + "Original": "COPY .. .", "SubCmd": "", "Value": [ - ".", + "..", "." ], "_kics_line": 8 @@ -1008,10 +1008,10 @@ "EndLine": 8, "Flags": [], "JSON": false, - "Original": "copy . .", + "Original": "copy .. .", "SubCmd": "", "Value": [ - ".", + "..", "." ], "_kics_line": 8 @@ -1075,10 +1075,10 @@ "EndLine": 8, "Flags": [], "JSON": false, - "Original": "copy . .", + "Original": "copy .. .", "SubCmd": "", "Value": [ - ".", + "..", "." ], "_kics_line": 8 diff --git a/test/fixtures/dockerfile/any_name/file.Dockerfile b/test/fixtures/dockerfile/any_name/file.Dockerfile index 3a7f648d220..991a057479f 100644 --- a/test/fixtures/dockerfile/any_name/file.Dockerfile +++ b/test/fixtures/dockerfile/any_name/file.Dockerfile @@ -5,6 +5,6 @@ ARG BASE_IMAGE=ubuntu:22.04 FROM alpine:3.19 AS builder -COPY .. . +COPY . . HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ "executable" ] diff --git a/test/fixtures/dockerfile/case_insensitive_tests/file.Dockerfile b/test/fixtures/dockerfile/case_insensitive_tests/file.Dockerfile index b93539d734f..66464c06378 100644 --- a/test/fixtures/dockerfile/case_insensitive_tests/file.Dockerfile +++ b/test/fixtures/dockerfile/case_insensitive_tests/file.Dockerfile @@ -5,6 +5,6 @@ arg BASE_IMAGE=ubuntu:22.04 from alpine:3.19 as builder -copy .. . +copy . . healthcheck --interval=30s --timeout=30s --start-period=5s --retries=3 cmd [ "executable" ] From 1d3bc443fe4cd8f74cb01e898a1c7af91011f7cd Mon Sep 17 00:00:00 2001 
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Thu, 19 Mar 2026 17:53:04 +0000 Subject: [PATCH 29/84] Final E2E fix --- ...06_RESULT.json => E2E_CLI_105_RESULT.json} | 0 e2e/fixtures/E2E_CLI_106_PAYLOAD.json | 3496 ++++++++--------- 2 files changed, 1748 insertions(+), 1748 deletions(-) rename e2e/fixtures/{E2E_CLI_106_RESULT.json => E2E_CLI_105_RESULT.json} (100%) diff --git a/e2e/fixtures/E2E_CLI_106_RESULT.json b/e2e/fixtures/E2E_CLI_105_RESULT.json similarity index 100% rename from e2e/fixtures/E2E_CLI_106_RESULT.json rename to e2e/fixtures/E2E_CLI_105_RESULT.json diff --git a/e2e/fixtures/E2E_CLI_106_PAYLOAD.json b/e2e/fixtures/E2E_CLI_106_PAYLOAD.json index af2b57b0775..9587df8b5a4 100644 --- a/e2e/fixtures/E2E_CLI_106_PAYLOAD.json +++ b/e2e/fixtures/E2E_CLI_106_PAYLOAD.json 
@@ -1,1750 +1,1750 @@ { - "document": [ - { - "args": [], - "command": { - "openjdk:10-jdk": [ - { - "Cmd": "from", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "FROM openjdk:10-jdk", - "SubCmd": "", - "Value": [ - "openjdk:10-jdk" - ], - "_kics_line": 1 - }, - { - "Cmd": "volume", - "EndLine": 2, - "Flags": [], - "JSON": false, - "Original": "VOLUME /tmp", - "SubCmd": "", - "Value": [ - "/tmp" - ], - "_kics_line": 2 - }, - { - "Cmd": "add", - "EndLine": 3, - "Flags": [], - "JSON": false, - "Original": "ADD http://source.file/package.file.tar.gz /temp", - "SubCmd": "", - "Value": [ - "http://source.file/package.file.tar.gz", - "/temp" - ], - "_kics_line": 3 - }, - { - "Cmd": "run", - "EndLine": 4, - "Flags": [], - "JSON": false, - "Original": "RUN tar -xjf /temp/package.file.tar.gz", - "SubCmd": "", - "Value": [ - "tar -xjf /temp/package.file.tar.gz" - ], - "_kics_line": 4 - }, - { - "Cmd": "arg", - "EndLine": 5, - "Flags": [], - "JSON": false, - "Original": "ARG JAR_FILE", - "SubCmd": "", - "Value": [ - "JAR_FILE" - ], - "_kics_line": 5 - }, - { - "Cmd": "add", - "EndLine": 6, - "Flags": [], - "JSON": false, - "Original": "ADD ${JAR_FILE} app.jar", - "SubCmd": "", - "Value": [ - "${JAR_FILE}", - "app.jar" - ], - "_kics_line": 6 - }, - { - "Cmd": "entrypoint", - "EndLine": 7, - "Flags": [], - "JSON": true, - "Original": "ENTRYPOINT [\"java\",\"-Djava.security.egd=file:/dev/./urandom\",\"-jar\",\"/app.jar\"]", - "SubCmd": "", - "Value": [ - "java", - "-Djava.security.egd=file:/dev/./urandom", - "-jar", - "/app.jar" - ], - "_kics_line": 7 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [], - "command": { - "alpine:3.19 AS builder": [ - { - "Cmd": "from", - "EndLine": 13, - "Flags": [], - "JSON": false, - "Original": "FROM alpine:3.19 AS builder", - "SubCmd": "", - "Value": [ - "alpine:3.19", - "AS", - "builder" - ], - "_kics_line": 13 - }, - { - "Cmd": "copy", - "EndLine": 15, - "Flags": [], - "JSON": false, - "Original": "COPY . 
.", - "SubCmd": "", - "Value": [ - ".", - "." - ], - "_kics_line": 15 - }, - { - "Cmd": "healthcheck", - "EndLine": 17, - "Flags": [ - "--interval=30s", - "--timeout=30s", - "--start-period=5s", - "--retries=3" - ], - "JSON": true, - "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", - "SubCmd": "", - "Value": [ - "CMD", - "executable" - ], - "_kics_line": 17 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [ - { - "Cmd": "arg", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "ARG VERSION=1.0", - "SubCmd": "", - "Value": [ - "VERSION=1.0" - ], - "_kics_line": 1 - }, - { - "Cmd": "arg", - "EndLine": 2, - "Flags": [], - "JSON": false, - "Original": "ARG BASE_IMAGE=ubuntu:22.04", - "SubCmd": "", - "Value": [ - "BASE_IMAGE=ubuntu:22.04" - ], - "_kics_line": 2 - } - ], - "command": { - "alpine:3.19 AS builder": [ - { - "Cmd": "from", - "EndLine": 4, - "Flags": [], - "JSON": false, - "Original": "FROM alpine:3.19 AS builder", - "SubCmd": "", - "Value": [ - "alpine:3.19", - "AS", - "builder" - ], - "_kics_line": 4 - }, - { - "Cmd": "copy", - "EndLine": 6, - "Flags": [], - "JSON": false, - "Original": "COPY . .", - "SubCmd": "", - "Value": [ - ".", - "." 
- ], - "_kics_line": 6 - }, - { - "Cmd": "healthcheck", - "EndLine": 8, - "Flags": [ - "--interval=30s", - "--timeout=30s", - "--start-period=5s", - "--retries=3" - ], - "JSON": true, - "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", - "SubCmd": "", - "Value": [ - "CMD", - "executable" - ], - "_kics_line": 8 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [ - { - "Cmd": "arg", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "ARG VERSION=1.0", - "SubCmd": "", - "Value": [ - "VERSION=1.0" - ], - "_kics_line": 1 - }, - { - "Cmd": "arg", - "EndLine": 2, - "Flags": [], - "JSON": false, - "Original": "ARG BASE_IMAGE=ubuntu:22.04", - "SubCmd": "", - "Value": [ - "BASE_IMAGE=ubuntu:22.04" - ], - "_kics_line": 2 - } - ], - "command": { - "alpine:3.19 AS builder": [ - { - "Cmd": "from", - "EndLine": 4, - "Flags": [], - "JSON": false, - "Original": "FROM alpine:3.19 AS builder", - "SubCmd": "", - "Value": [ - "alpine:3.19", - "AS", - "builder" - ], - "_kics_line": 4 - }, - { - "Cmd": "copy", - "EndLine": 6, - "Flags": [], - "JSON": false, - "Original": "COPY . .", - "SubCmd": "", - "Value": [ - ".", - "." 
- ], - "_kics_line": 6 - }, - { - "Cmd": "healthcheck", - "EndLine": 8, - "Flags": [ - "--interval=30s", - "--timeout=30s", - "--start-period=5s", - "--retries=3" - ], - "JSON": true, - "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", - "SubCmd": "", - "Value": [ - "CMD", - "executable" - ], - "_kics_line": 8 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [ - { - "Cmd": "arg", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "ARG VERSION=1.0", - "SubCmd": "", - "Value": [ - "VERSION=1.0" - ], - "_kics_line": 1 - }, - { - "Cmd": "arg", - "EndLine": 2, - "Flags": [], - "JSON": false, - "Original": "ARG BASE_IMAGE=ubuntu:22.04", - "SubCmd": "", - "Value": [ - "BASE_IMAGE=ubuntu:22.04" - ], - "_kics_line": 2 - } - ], - "command": { - "alpine:3.19 AS builder": [ - { - "Cmd": "from", - "EndLine": 4, - "Flags": [], - "JSON": false, - "Original": "FROM alpine:3.19 AS builder", - "SubCmd": "", - "Value": [ - "alpine:3.19", - "AS", - "builder" - ], - "_kics_line": 4 - }, - { - "Cmd": "copy", - "EndLine": 6, - "Flags": [], - "JSON": false, - "Original": "COPY . .", - "SubCmd": "", - "Value": [ - ".", - "." 
- ], - "_kics_line": 6 - }, - { - "Cmd": "healthcheck", - "EndLine": 8, - "Flags": [ - "--interval=30s", - "--timeout=30s", - "--start-period=5s", - "--retries=3" - ], - "JSON": true, - "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", - "SubCmd": "", - "Value": [ - "CMD", - "executable" - ], - "_kics_line": 8 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [ - { - "Cmd": "arg", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "ARG BASE_IMAGE=ubuntu:22.04", - "SubCmd": "", - "Value": [ - "BASE_IMAGE=ubuntu:22.04" - ], - "_kics_line": 1 - }, - { - "Cmd": "arg", - "EndLine": 4, - "Flags": [], - "JSON": false, - "Original": "ARG JAR_FILE", - "SubCmd": "", - "Value": [ - "JAR_FILE" - ], - "_kics_line": 4 - } - ], - "command": { - "alpine:3.19 AS builder": [ - { - "Cmd": "from", - "EndLine": 6, - "Flags": [], - "JSON": false, - "Original": "FROM alpine:3.19 AS builder", - "SubCmd": "", - "Value": [ - "alpine:3.19", - "AS", - "builder" - ], - "_kics_line": 6 - }, - { - "Cmd": "copy", - "EndLine": 8, - "Flags": [], - "JSON": false, - "Original": "COPY .. .", - "SubCmd": "", - "Value": [ - "..", - "." 
- ], - "_kics_line": 8 - }, - { - "Cmd": "healthcheck", - "EndLine": 10, - "Flags": [ - "--interval=30s", - "--timeout=30s", - "--start-period=5s", - "--retries=3" - ], - "JSON": true, - "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", - "SubCmd": "", - "Value": [ - "CMD", - "executable" - ], - "_kics_line": 10 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [ - { - "Cmd": "arg", - "EndLine": 2, - "Flags": [], - "JSON": false, - "Original": "ARG BASE_IMAGE=ubuntu:22.04", - "SubCmd": "", - "Value": [ - "BASE_IMAGE=ubuntu:22.04" - ], - "_kics_line": 2 - } - ], - "command": { - "alpine:3.19 AS builder": [ - { - "Cmd": "from", - "EndLine": 6, - "Flags": [], - "JSON": false, - "Original": "FROM alpine:3.19 AS builder", - "SubCmd": "", - "Value": [ - "alpine:3.19", - "AS", - "builder" - ], - "_kics_line": 6 - }, - { - "Cmd": "copy", - "EndLine": 8, - "Flags": [], - "JSON": false, - "Original": "COPY .. .", - "SubCmd": "", - "Value": [ - "..", - "." 
- ], - "_kics_line": 8 - }, - { - "Cmd": "healthcheck", - "EndLine": 10, - "Flags": [ - "--interval=30s", - "--timeout=30s", - "--start-period=5s", - "--retries=3" - ], - "JSON": true, - "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", - "SubCmd": "", - "Value": [ - "CMD", - "executable" - ], - "_kics_line": 10 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [ - { - "Cmd": "arg", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "ARG BASE_IMAGE=ubuntu:22.04", - "SubCmd": "", - "Value": [ - "BASE_IMAGE=ubuntu:22.04" - ], - "_kics_line": 1 - } - ], - "command": { - "alpine:3.19 AS builder": [ - { - "Cmd": "from", - "EndLine": 4, - "Flags": [], - "JSON": false, - "Original": "FROM alpine:3.19 AS builder", - "SubCmd": "", - "Value": [ - "alpine:3.19", - "AS", - "builder" - ], - "_kics_line": 4 - }, - { - "Cmd": "copy", - "EndLine": 6, - "Flags": [], - "JSON": false, - "Original": "COPY .. .", - "SubCmd": "", - "Value": [ - "..", - "." 
- ], - "_kics_line": 6 - }, - { - "Cmd": "healthcheck", - "EndLine": 8, - "Flags": [ - "--interval=30s", - "--timeout=30s", - "--start-period=5s", - "--retries=3" - ], - "JSON": true, - "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", - "SubCmd": "", - "Value": [ - "CMD", - "executable" - ], - "_kics_line": 8 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [ - { - "Cmd": "arg", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "ARG BASE_IMAGE=ubuntu:22.04", - "SubCmd": "", - "Value": [ - "BASE_IMAGE=ubuntu:22.04" - ], - "_kics_line": 1 - } - ], - "command": { - "alpine:3.19 AS builder": [ - { - "Cmd": "from", - "EndLine": 3, - "Flags": [], - "JSON": false, - "Original": "FROM alpine:3.19 AS builder", - "SubCmd": "", - "Value": [ - "alpine:3.19", - "AS", - "builder" - ], - "_kics_line": 3 - }, - { - "Cmd": "copy", - "EndLine": 5, - "Flags": [], - "JSON": false, - "Original": "COPY . .", - "SubCmd": "", - "Value": [ - ".", - "." - ], - "_kics_line": 5 - }, - { - "Cmd": "healthcheck", - "EndLine": 7, - "Flags": [ - "--interval=30s", - "--timeout=30s", - "--start-period=5s", - "--retries=3" - ], - "JSON": true, - "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", - "SubCmd": "", - "Value": [ - "CMD", - "executable" - ], - "_kics_line": 7 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [], - "command": { - "alpine:3.19 as builder": [ - { - "Cmd": "from", - "EndLine": 13, - "Flags": [], - "JSON": false, - "Original": "from alpine:3.19 as builder", - "SubCmd": "", - "Value": [ - "alpine:3.19", - "as", - "builder" - ], - "_kics_line": 13 - }, - { - "Cmd": "copy", - "EndLine": 15, - "Flags": [], - "JSON": false, - "Original": "copy . .", - "SubCmd": "", - "Value": [ - ".", - "." 
- ], - "_kics_line": 15 - }, - { - "Cmd": "healthcheck", - "EndLine": 17, - "Flags": [ - "--interval=30s", - "--timeout=30s", - "--start-period=5s", - "--retries=3" - ], - "JSON": true, - "Original": "healthcheck --interval=30s --timeout=30s --start-period=5s --retries=3 cmd [ \"executable\" ]", - "SubCmd": "", - "Value": [ - "cmd", - "executable" - ], - "_kics_line": 17 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [ - { - "Cmd": "arg", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "arg VERSION=1.0", - "SubCmd": "", - "Value": [ - "VERSION=1.0" - ], - "_kics_line": 1 - }, - { - "Cmd": "arg", - "EndLine": 2, - "Flags": [], - "JSON": false, - "Original": "arg BASE_IMAGE=ubuntu:22.04", - "SubCmd": "", - "Value": [ - "BASE_IMAGE=ubuntu:22.04" - ], - "_kics_line": 2 - } - ], - "command": { - "alpine:3.19 as builder": [ - { - "Cmd": "from", - "EndLine": 4, - "Flags": [], - "JSON": false, - "Original": "from alpine:3.19 as builder", - "SubCmd": "", - "Value": [ - "alpine:3.19", - "as", - "builder" - ], - "_kics_line": 4 - }, - { - "Cmd": "copy", - "EndLine": 6, - "Flags": [], - "JSON": false, - "Original": "copy . .", - "SubCmd": "", - "Value": [ - ".", - "." 
- ], - "_kics_line": 6 - }, - { - "Cmd": "healthcheck", - "EndLine": 8, - "Flags": [ - "--interval=30s", - "--timeout=30s", - "--start-period=5s", - "--retries=3" - ], - "JSON": true, - "Original": "healthcheck --interval=30s --timeout=30s --start-period=5s --retries=3 cmd [ \"executable\" ]", - "SubCmd": "", - "Value": [ - "cmd", - "executable" - ], - "_kics_line": 8 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [ - { - "Cmd": "arg", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "arg VERSION=1.0", - "SubCmd": "", - "Value": [ - "VERSION=1.0" - ], - "_kics_line": 1 - }, - { - "Cmd": "arg", - "EndLine": 2, - "Flags": [], - "JSON": false, - "Original": "arg BASE_IMAGE=ubuntu:22.04", - "SubCmd": "", - "Value": [ - "BASE_IMAGE=ubuntu:22.04" - ], - "_kics_line": 2 - } - ], - "command": { - "alpine:3.19 as builder": [ - { - "Cmd": "from", - "EndLine": 4, - "Flags": [], - "JSON": false, - "Original": "from alpine:3.19 as builder", - "SubCmd": "", - "Value": [ - "alpine:3.19", - "as", - "builder" - ], - "_kics_line": 4 - }, - { - "Cmd": "copy", - "EndLine": 6, - "Flags": [], - "JSON": false, - "Original": "copy . .", - "SubCmd": "", - "Value": [ - ".", - "." 
- ], - "_kics_line": 6 - }, - { - "Cmd": "healthcheck", - "EndLine": 8, - "Flags": [ - "--interval=30s", - "--timeout=30s", - "--start-period=5s", - "--retries=3" - ], - "JSON": true, - "Original": "healthcheck --interval=30s --timeout=30s --start-period=5s --retries=3 cmd [ \"executable\" ]", - "SubCmd": "", - "Value": [ - "cmd", - "executable" - ], - "_kics_line": 8 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [ - { - "Cmd": "arg", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "arg VERSION=1.0", - "SubCmd": "", - "Value": [ - "VERSION=1.0" - ], - "_kics_line": 1 - }, - { - "Cmd": "arg", - "EndLine": 2, - "Flags": [], - "JSON": false, - "Original": "arg BASE_IMAGE=ubuntu:22.04", - "SubCmd": "", - "Value": [ - "BASE_IMAGE=ubuntu:22.04" - ], - "_kics_line": 2 - } - ], - "command": { - "alpine:3.19 as builder": [ - { - "Cmd": "from", - "EndLine": 4, - "Flags": [], - "JSON": false, - "Original": "from alpine:3.19 as builder", - "SubCmd": "", - "Value": [ - "alpine:3.19", - "as", - "builder" - ], - "_kics_line": 4 - }, - { - "Cmd": "copy", - "EndLine": 6, - "Flags": [], - "JSON": false, - "Original": "copy . .", - "SubCmd": "", - "Value": [ - ".", - "." 
- ], - "_kics_line": 6 - }, - { - "Cmd": "healthcheck", - "EndLine": 8, - "Flags": [ - "--interval=30s", - "--timeout=30s", - "--start-period=5s", - "--retries=3" - ], - "JSON": true, - "Original": "healthcheck --interval=30s --timeout=30s --start-period=5s --retries=3 cmd [ \"executable\" ]", - "SubCmd": "", - "Value": [ - "cmd", - "executable" - ], - "_kics_line": 8 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [ - { - "Cmd": "arg", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "arg BASE_IMAGE=ubuntu:22.04", - "SubCmd": "", - "Value": [ - "BASE_IMAGE=ubuntu:22.04" - ], - "_kics_line": 1 - }, - { - "Cmd": "arg", - "EndLine": 4, - "Flags": [], - "JSON": false, - "Original": "arg JAR_FILE", - "SubCmd": "", - "Value": [ - "JAR_FILE" - ], - "_kics_line": 4 - } - ], - "command": { - "alpine:3.19 as builder": [ - { - "Cmd": "from", - "EndLine": 6, - "Flags": [], - "JSON": false, - "Original": "from alpine:3.19 as builder", - "SubCmd": "", - "Value": [ - "alpine:3.19", - "as", - "builder" - ], - "_kics_line": 6 - }, - { - "Cmd": "copy", - "EndLine": 8, - "Flags": [], - "JSON": false, - "Original": "copy .. .", - "SubCmd": "", - "Value": [ - "..", - "." 
- ], - "_kics_line": 8 - }, - { - "Cmd": "healthcheck", - "EndLine": 10, - "Flags": [ - "--interval=30s", - "--timeout=30s", - "--start-period=5s", - "--retries=3" - ], - "JSON": true, - "Original": "healthcheck --interval=30s --timeout=30s --start-period=5s --retries=3 cmd [ \"executable\" ]", - "SubCmd": "", - "Value": [ - "cmd", - "executable" - ], - "_kics_line": 10 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [ - { - "Cmd": "arg", - "EndLine": 2, - "Flags": [], - "JSON": false, - "Original": "arg BASE_IMAGE=ubuntu:22.04", - "SubCmd": "", - "Value": [ - "BASE_IMAGE=ubuntu:22.04" - ], - "_kics_line": 2 - } - ], - "command": { - "alpine:3.19 as builder": [ - { - "Cmd": "from", - "EndLine": 6, - "Flags": [], - "JSON": false, - "Original": "from alpine:3.19 as builder", - "SubCmd": "", - "Value": [ - "alpine:3.19", - "as", - "builder" - ], - "_kics_line": 6 - }, - { - "Cmd": "copy", - "EndLine": 8, - "Flags": [], - "JSON": false, - "Original": "copy .. .", - "SubCmd": "", - "Value": [ - "..", - "." 
- ], - "_kics_line": 8 - }, - { - "Cmd": "healthcheck", - "EndLine": 10, - "Flags": [ - "--interval=30s", - "--timeout=30s", - "--start-period=5s", - "--retries=3" - ], - "JSON": true, - "Original": "healthcheck --interval=30s --timeout=30s --start-period=5s --retries=3 cmd [ \"executable\" ]", - "SubCmd": "", - "Value": [ - "cmd", - "executable" - ], - "_kics_line": 10 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [ - { - "Cmd": "arg", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "arg BASE_IMAGE=ubuntu:22.04", - "SubCmd": "", - "Value": [ - "BASE_IMAGE=ubuntu:22.04" - ], - "_kics_line": 1 - } - ], - "command": { - "alpine:3.19 AS builder": [ - { - "Cmd": "from", - "EndLine": 4, - "Flags": [], - "JSON": false, - "Original": "from alpine:3.19 AS builder", - "SubCmd": "", - "Value": [ - "alpine:3.19", - "AS", - "builder" - ], - "_kics_line": 4 - }, - { - "Cmd": "copy", - "EndLine": 6, - "Flags": [], - "JSON": false, - "Original": "copy .. .", - "SubCmd": "", - "Value": [ - "..", - "." 
- ], - "_kics_line": 6 - }, - { - "Cmd": "healthcheck", - "EndLine": 8, - "Flags": [ - "--interval=30s", - "--timeout=30s", - "--start-period=5s", - "--retries=3" - ], - "JSON": true, - "Original": "healthcheck --interval=30s --timeout=30s --start-period=5s --retries=3 cmd [ \"executable\" ]", - "SubCmd": "", - "Value": [ - "cmd", - "executable" - ], - "_kics_line": 8 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [ - { - "Cmd": "arg", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "arg BASE_IMAGE=ubuntu:22.04", - "SubCmd": "", - "Value": [ - "BASE_IMAGE=ubuntu:22.04" - ], - "_kics_line": 1 - } - ], - "command": { - "alpine:3.19 as builder": [ - { - "Cmd": "from", - "EndLine": 3, - "Flags": [], - "JSON": false, - "Original": "from alpine:3.19 as builder", - "SubCmd": "", - "Value": [ - "alpine:3.19", - "as", - "builder" - ], - "_kics_line": 3 - }, - { - "Cmd": "copy", - "EndLine": 5, - "Flags": [], - "JSON": false, - "Original": "copy . .", - "SubCmd": "", - "Value": [ - ".", - "." 
- ], - "_kics_line": 5 - }, - { - "Cmd": "healthcheck", - "EndLine": 7, - "Flags": [ - "--interval=30s", - "--timeout=30s", - "--start-period=5s", - "--retries=3" - ], - "JSON": true, - "Original": "healthcheck --interval=30s --timeout=30s --start-period=5s --retries=3 cmd [ \"executable\" ]", - "SubCmd": "", - "Value": [ - "cmd", - "executable" - ], - "_kics_line": 7 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [], - "command": { - "alpine:latest": [ - { - "Cmd": "from", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "FROM alpine:latest", - "SubCmd": "", - "Value": [ - "alpine:latest" - ], - "_kics_line": 1 - }, - { - "Cmd": "copy", - "EndLine": 3, - "Flags": [], - "JSON": false, - "Original": "COPY {{ file_path }} /test", - "SubCmd": "", - "Value": [ - "{{", - "file_path", - "}}", - "/test" - ], - "_kics_line": 3 - }, - { - "Cmd": "run", - "EndLine": 5, - "Flags": [], - "JSON": false, - "Original": "RUN echo \"failure\"", - "SubCmd": "", - "Value": [ - "echo \"failure\"" - ], - "_kics_line": 5 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [], - "command": { - "alpine:3.19 AS builder": [ - { - "Cmd": "from", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "FROM alpine:3.19 AS builder", - "SubCmd": "", - "Value": [ - "alpine:3.19", - "AS", - "builder" - ], - "_kics_line": 1 - }, - { - "Cmd": "copy", - "EndLine": 3, - "Flags": [], - "JSON": false, - "Original": "COPY . .", - "SubCmd": "", - "Value": [ - ".", - "." 
- ], - "_kics_line": 3 - }, - { - "Cmd": "healthcheck", - "EndLine": 5, - "Flags": [ - "--interval=30s", - "--timeout=30s", - "--start-period=5s", - "--retries=3" - ], - "JSON": true, - "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", - "SubCmd": "", - "Value": [ - "CMD", - "executable" - ], - "_kics_line": 5 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [], - "command": { - "alpine:3.19 AS builder": [ - { - "Cmd": "from", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "FROM alpine:3.19 AS builder", - "SubCmd": "", - "Value": [ - "alpine:3.19", - "AS", - "builder" - ], - "_kics_line": 1 - }, - { - "Cmd": "copy", - "EndLine": 3, - "Flags": [], - "JSON": false, - "Original": "COPY . .", - "SubCmd": "", - "Value": [ - ".", - "." - ], - "_kics_line": 3 - }, - { - "Cmd": "healthcheck", - "EndLine": 5, - "Flags": [ - "--interval=30s", - "--timeout=30s", - "--start-period=5s", - "--retries=3" - ], - "JSON": true, - "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", - "SubCmd": "", - "Value": [ - "CMD", - "executable" - ], - "_kics_line": 5 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [], - "command": { - "alpine:3.19 AS builder": [ - { - "Cmd": "from", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "FROM alpine:3.19 AS builder", - "SubCmd": "", - "Value": [ - "alpine:3.19", - "AS", - "builder" - ], - "_kics_line": 1 - }, - { - "Cmd": "copy", - "EndLine": 3, - "Flags": [], - "JSON": false, - "Original": "COPY . .", - "SubCmd": "", - "Value": [ - ".", - "." 
- ], - "_kics_line": 3 - }, - { - "Cmd": "healthcheck", - "EndLine": 5, - "Flags": [ - "--interval=30s", - "--timeout=30s", - "--start-period=5s", - "--retries=3" - ], - "JSON": true, - "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", - "SubCmd": "", - "Value": [ - "CMD", - "executable" - ], - "_kics_line": 5 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [], - "command": { - "alpine:3.19 AS builder": [ - { - "Cmd": "from", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "FROM alpine:3.19 AS builder", - "SubCmd": "", - "Value": [ - "alpine:3.19", - "AS", - "builder" - ], - "_kics_line": 1 - }, - { - "Cmd": "copy", - "EndLine": 3, - "Flags": [], - "JSON": false, - "Original": "COPY . .", - "SubCmd": "", - "Value": [ - ".", - "." - ], - "_kics_line": 3 - }, - { - "Cmd": "healthcheck", - "EndLine": 5, - "Flags": [ - "--interval=30s", - "--timeout=30s", - "--start-period=5s", - "--retries=3" - ], - "JSON": true, - "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", - "SubCmd": "", - "Value": [ - "CMD", - "executable" - ], - "_kics_line": 5 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [], - "command": { - "alpine:3.19 AS builder": [ - { - "Cmd": "from", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "FROM alpine:3.19 AS builder", - "SubCmd": "", - "Value": [ - "alpine:3.19", - "AS", - "builder" - ], - "_kics_line": 1 - }, - { - "Cmd": "copy", - "EndLine": 3, - "Flags": [], - "JSON": false, - "Original": "COPY . .", - "SubCmd": "", - "Value": [ - ".", - "." 
- ], - "_kics_line": 3 - }, - { - "Cmd": "healthcheck", - "EndLine": 5, - "Flags": [ - "--interval=30s", - "--timeout=30s", - "--start-period=5s", - "--retries=3" - ], - "JSON": true, - "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", - "SubCmd": "", - "Value": [ - "CMD", - "executable" - ], - "_kics_line": 5 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [], - "command": { - "alpine:3.19 AS builder": [ - { - "Cmd": "from", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "FROM alpine:3.19 AS builder", - "SubCmd": "", - "Value": [ - "alpine:3.19", - "AS", - "builder" - ], - "_kics_line": 1 - }, - { - "Cmd": "copy", - "EndLine": 3, - "Flags": [], - "JSON": false, - "Original": "COPY . .", - "SubCmd": "", - "Value": [ - ".", - "." - ], - "_kics_line": 3 - }, - { - "Cmd": "healthcheck", - "EndLine": 5, - "Flags": [ - "--interval=30s", - "--timeout=30s", - "--start-period=5s", - "--retries=3" - ], - "JSON": true, - "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", - "SubCmd": "", - "Value": [ - "CMD", - "executable" - ], - "_kics_line": 5 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [ - { - "Cmd": "package", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "package main", - "SubCmd": "", - "Value": [ - "" - ], - "_kics_line": 1 - }, - { - "Cmd": "import", - "EndLine": 3, - "Flags": [], - "JSON": false, - "Original": "import \"fmt\"", - "SubCmd": "", - "Value": [ - "" - ], - "_kics_line": 3 - }, - { - "Cmd": "func", - "EndLine": 5, - "Flags": [], - "JSON": false, - "Original": "func main() {", - "SubCmd": "", - "Value": [ - "" - ], - "_kics_line": 5 - }, - { - "Cmd": "fmt.println(\"hello,", - "EndLine": 6, - "Flags": [], - "JSON": false, - "Original": "fmt.Println(\"Hello, World!\")", - "SubCmd": "", - "Value": [ - "" - ], - "_kics_line": 6 - }, - { - "Cmd": "}", - "EndLine": 7, - "Flags": null, 
- "JSON": false, - "Original": "}", - "SubCmd": "", - "Value": [ - "" - ], - "_kics_line": 7 - } - ], - "command": {}, - "file": "file", - "id": "0" - }, - { - "args": [ - { - "Cmd": "public", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "public class HelloWorld {", - "SubCmd": "", - "Value": [ - "" - ], - "_kics_line": 1 - }, - { - "Cmd": "public", - "EndLine": 2, - "Flags": [], - "JSON": false, - "Original": "public static void main(String[] args) {", - "SubCmd": "", - "Value": [ - "" - ], - "_kics_line": 2 - }, - { - "Cmd": "system.out.println(\"hello,", - "EndLine": 3, - "Flags": [], - "JSON": false, - "Original": "System.out.println(\"Hello, World!\");", - "SubCmd": "", - "Value": [ - "" - ], - "_kics_line": 3 - }, - { - "Cmd": "}", - "EndLine": 4, - "Flags": null, - "JSON": false, - "Original": "}", - "SubCmd": "", - "Value": [ - "" - ], - "_kics_line": 4 - }, - { - "Cmd": "}", - "EndLine": 5, - "Flags": null, - "JSON": false, - "Original": "}", - "SubCmd": "", - "Value": [ - "" - ], - "_kics_line": 5 - } - ], - "command": {}, - "file": "file", - "id": "0" - } - ] + "document": [ + { + "args": [], + "command": { + "openjdk:10-jdk": [ + { + "Cmd": "from", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "FROM openjdk:10-jdk", + "SubCmd": "", + "Value": [ + "openjdk:10-jdk" + ], + "_kics_line": 1 + }, + { + "Cmd": "volume", + "EndLine": 2, + "Flags": [], + "JSON": false, + "Original": "VOLUME /tmp", + "SubCmd": "", + "Value": [ + "/tmp" + ], + "_kics_line": 2 + }, + { + "Cmd": "add", + "EndLine": 3, + "Flags": [], + "JSON": false, + "Original": "ADD http://source.file/package.file.tar.gz /temp", + "SubCmd": "", + "Value": [ + "http://source.file/package.file.tar.gz", + "/temp" + ], + "_kics_line": 3 + }, + { + "Cmd": "run", + "EndLine": 4, + "Flags": [], + "JSON": false, + "Original": "RUN tar -xjf /temp/package.file.tar.gz", + "SubCmd": "", + "Value": [ + "tar -xjf /temp/package.file.tar.gz" + ], + "_kics_line": 4 + }, + { + 
"Cmd": "arg", + "EndLine": 5, + "Flags": [], + "JSON": false, + "Original": "ARG JAR_FILE", + "SubCmd": "", + "Value": [ + "JAR_FILE" + ], + "_kics_line": 5 + }, + { + "Cmd": "add", + "EndLine": 6, + "Flags": [], + "JSON": false, + "Original": "ADD ${JAR_FILE} app.jar", + "SubCmd": "", + "Value": [ + "${JAR_FILE}", + "app.jar" + ], + "_kics_line": 6 + }, + { + "Cmd": "entrypoint", + "EndLine": 7, + "Flags": [], + "JSON": true, + "Original": "ENTRYPOINT [\"java\",\"-Djava.security.egd=file:/dev/./urandom\",\"-jar\",\"/app.jar\"]", + "SubCmd": "", + "Value": [ + "java", + "-Djava.security.egd=file:/dev/./urandom", + "-jar", + "/app.jar" + ], + "_kics_line": 7 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [], + "command": { + "alpine:3.19 AS builder": [ + { + "Cmd": "from", + "EndLine": 13, + "Flags": [], + "JSON": false, + "Original": "FROM alpine:3.19 AS builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "AS", + "builder" + ], + "_kics_line": 13 + }, + { + "Cmd": "copy", + "EndLine": 15, + "Flags": [], + "JSON": false, + "Original": "COPY . .", + "SubCmd": "", + "Value": [ + ".", + "." 
+ ], + "_kics_line": 15 + }, + { + "Cmd": "healthcheck", + "EndLine": 17, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "CMD", + "executable" + ], + "_kics_line": 17 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [ + { + "Cmd": "arg", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "ARG VERSION=1.0", + "SubCmd": "", + "Value": [ + "VERSION=1.0" + ], + "_kics_line": 1 + }, + { + "Cmd": "arg", + "EndLine": 2, + "Flags": [], + "JSON": false, + "Original": "ARG BASE_IMAGE=ubuntu:22.04", + "SubCmd": "", + "Value": [ + "BASE_IMAGE=ubuntu:22.04" + ], + "_kics_line": 2 + } + ], + "command": { + "alpine:3.19 AS builder": [ + { + "Cmd": "from", + "EndLine": 4, + "Flags": [], + "JSON": false, + "Original": "FROM alpine:3.19 AS builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "AS", + "builder" + ], + "_kics_line": 4 + }, + { + "Cmd": "copy", + "EndLine": 6, + "Flags": [], + "JSON": false, + "Original": "COPY . .", + "SubCmd": "", + "Value": [ + ".", + "." 
+ ], + "_kics_line": 6 + }, + { + "Cmd": "healthcheck", + "EndLine": 8, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "CMD", + "executable" + ], + "_kics_line": 8 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [ + { + "Cmd": "arg", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "ARG VERSION=1.0", + "SubCmd": "", + "Value": [ + "VERSION=1.0" + ], + "_kics_line": 1 + }, + { + "Cmd": "arg", + "EndLine": 2, + "Flags": [], + "JSON": false, + "Original": "ARG BASE_IMAGE=ubuntu:22.04", + "SubCmd": "", + "Value": [ + "BASE_IMAGE=ubuntu:22.04" + ], + "_kics_line": 2 + } + ], + "command": { + "alpine:3.19 AS builder": [ + { + "Cmd": "from", + "EndLine": 4, + "Flags": [], + "JSON": false, + "Original": "FROM alpine:3.19 AS builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "AS", + "builder" + ], + "_kics_line": 4 + }, + { + "Cmd": "copy", + "EndLine": 6, + "Flags": [], + "JSON": false, + "Original": "COPY . .", + "SubCmd": "", + "Value": [ + ".", + "." 
+ ], + "_kics_line": 6 + }, + { + "Cmd": "healthcheck", + "EndLine": 8, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "CMD", + "executable" + ], + "_kics_line": 8 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [ + { + "Cmd": "arg", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "ARG VERSION=1.0", + "SubCmd": "", + "Value": [ + "VERSION=1.0" + ], + "_kics_line": 1 + }, + { + "Cmd": "arg", + "EndLine": 2, + "Flags": [], + "JSON": false, + "Original": "ARG BASE_IMAGE=ubuntu:22.04", + "SubCmd": "", + "Value": [ + "BASE_IMAGE=ubuntu:22.04" + ], + "_kics_line": 2 + } + ], + "command": { + "alpine:3.19 AS builder": [ + { + "Cmd": "from", + "EndLine": 4, + "Flags": [], + "JSON": false, + "Original": "FROM alpine:3.19 AS builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "AS", + "builder" + ], + "_kics_line": 4 + }, + { + "Cmd": "copy", + "EndLine": 6, + "Flags": [], + "JSON": false, + "Original": "COPY . .", + "SubCmd": "", + "Value": [ + ".", + "." 
+ ], + "_kics_line": 6 + }, + { + "Cmd": "healthcheck", + "EndLine": 8, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "CMD", + "executable" + ], + "_kics_line": 8 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [ + { + "Cmd": "arg", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "ARG BASE_IMAGE=ubuntu:22.04", + "SubCmd": "", + "Value": [ + "BASE_IMAGE=ubuntu:22.04" + ], + "_kics_line": 1 + }, + { + "Cmd": "arg", + "EndLine": 4, + "Flags": [], + "JSON": false, + "Original": "ARG JAR_FILE", + "SubCmd": "", + "Value": [ + "JAR_FILE" + ], + "_kics_line": 4 + } + ], + "command": { + "alpine:3.19 AS builder": [ + { + "Cmd": "from", + "EndLine": 6, + "Flags": [], + "JSON": false, + "Original": "FROM alpine:3.19 AS builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "AS", + "builder" + ], + "_kics_line": 6 + }, + { + "Cmd": "copy", + "EndLine": 8, + "Flags": [], + "JSON": false, + "Original": "COPY . .", + "SubCmd": "", + "Value": [ + ".", + "." 
+ ], + "_kics_line": 8 + }, + { + "Cmd": "healthcheck", + "EndLine": 10, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "CMD", + "executable" + ], + "_kics_line": 10 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [ + { + "Cmd": "arg", + "EndLine": 2, + "Flags": [], + "JSON": false, + "Original": "ARG BASE_IMAGE=ubuntu:22.04", + "SubCmd": "", + "Value": [ + "BASE_IMAGE=ubuntu:22.04" + ], + "_kics_line": 2 + } + ], + "command": { + "alpine:3.19 AS builder": [ + { + "Cmd": "from", + "EndLine": 6, + "Flags": [], + "JSON": false, + "Original": "FROM alpine:3.19 AS builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "AS", + "builder" + ], + "_kics_line": 6 + }, + { + "Cmd": "copy", + "EndLine": 8, + "Flags": [], + "JSON": false, + "Original": "COPY . .", + "SubCmd": "", + "Value": [ + ".", + "." 
+ ], + "_kics_line": 8 + }, + { + "Cmd": "healthcheck", + "EndLine": 10, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "CMD", + "executable" + ], + "_kics_line": 10 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [ + { + "Cmd": "arg", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "ARG BASE_IMAGE=ubuntu:22.04", + "SubCmd": "", + "Value": [ + "BASE_IMAGE=ubuntu:22.04" + ], + "_kics_line": 1 + } + ], + "command": { + "alpine:3.19 AS builder": [ + { + "Cmd": "from", + "EndLine": 4, + "Flags": [], + "JSON": false, + "Original": "FROM alpine:3.19 AS builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "AS", + "builder" + ], + "_kics_line": 4 + }, + { + "Cmd": "copy", + "EndLine": 6, + "Flags": [], + "JSON": false, + "Original": "COPY .. .", + "SubCmd": "", + "Value": [ + "..", + "." 
+ ], + "_kics_line": 6 + }, + { + "Cmd": "healthcheck", + "EndLine": 8, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "CMD", + "executable" + ], + "_kics_line": 8 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [ + { + "Cmd": "arg", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "ARG BASE_IMAGE=ubuntu:22.04", + "SubCmd": "", + "Value": [ + "BASE_IMAGE=ubuntu:22.04" + ], + "_kics_line": 1 + } + ], + "command": { + "alpine:3.19 AS builder": [ + { + "Cmd": "from", + "EndLine": 3, + "Flags": [], + "JSON": false, + "Original": "FROM alpine:3.19 AS builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "AS", + "builder" + ], + "_kics_line": 3 + }, + { + "Cmd": "copy", + "EndLine": 5, + "Flags": [], + "JSON": false, + "Original": "COPY . .", + "SubCmd": "", + "Value": [ + ".", + "." + ], + "_kics_line": 5 + }, + { + "Cmd": "healthcheck", + "EndLine": 7, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "CMD", + "executable" + ], + "_kics_line": 7 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [], + "command": { + "alpine:3.19 as builder": [ + { + "Cmd": "from", + "EndLine": 13, + "Flags": [], + "JSON": false, + "Original": "from alpine:3.19 as builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "as", + "builder" + ], + "_kics_line": 13 + }, + { + "Cmd": "copy", + "EndLine": 15, + "Flags": [], + "JSON": false, + "Original": "copy . .", + "SubCmd": "", + "Value": [ + ".", + "." 
+ ], + "_kics_line": 15 + }, + { + "Cmd": "healthcheck", + "EndLine": 17, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "healthcheck --interval=30s --timeout=30s --start-period=5s --retries=3 cmd [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "cmd", + "executable" + ], + "_kics_line": 17 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [ + { + "Cmd": "arg", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "arg VERSION=1.0", + "SubCmd": "", + "Value": [ + "VERSION=1.0" + ], + "_kics_line": 1 + }, + { + "Cmd": "arg", + "EndLine": 2, + "Flags": [], + "JSON": false, + "Original": "arg BASE_IMAGE=ubuntu:22.04", + "SubCmd": "", + "Value": [ + "BASE_IMAGE=ubuntu:22.04" + ], + "_kics_line": 2 + } + ], + "command": { + "alpine:3.19 as builder": [ + { + "Cmd": "from", + "EndLine": 4, + "Flags": [], + "JSON": false, + "Original": "from alpine:3.19 as builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "as", + "builder" + ], + "_kics_line": 4 + }, + { + "Cmd": "copy", + "EndLine": 6, + "Flags": [], + "JSON": false, + "Original": "copy . .", + "SubCmd": "", + "Value": [ + ".", + "." 
+ ], + "_kics_line": 6 + }, + { + "Cmd": "healthcheck", + "EndLine": 8, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "healthcheck --interval=30s --timeout=30s --start-period=5s --retries=3 cmd [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "cmd", + "executable" + ], + "_kics_line": 8 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [ + { + "Cmd": "arg", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "arg VERSION=1.0", + "SubCmd": "", + "Value": [ + "VERSION=1.0" + ], + "_kics_line": 1 + }, + { + "Cmd": "arg", + "EndLine": 2, + "Flags": [], + "JSON": false, + "Original": "arg BASE_IMAGE=ubuntu:22.04", + "SubCmd": "", + "Value": [ + "BASE_IMAGE=ubuntu:22.04" + ], + "_kics_line": 2 + } + ], + "command": { + "alpine:3.19 as builder": [ + { + "Cmd": "from", + "EndLine": 4, + "Flags": [], + "JSON": false, + "Original": "from alpine:3.19 as builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "as", + "builder" + ], + "_kics_line": 4 + }, + { + "Cmd": "copy", + "EndLine": 6, + "Flags": [], + "JSON": false, + "Original": "copy . .", + "SubCmd": "", + "Value": [ + ".", + "." 
+ ], + "_kics_line": 6 + }, + { + "Cmd": "healthcheck", + "EndLine": 8, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "healthcheck --interval=30s --timeout=30s --start-period=5s --retries=3 cmd [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "cmd", + "executable" + ], + "_kics_line": 8 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [ + { + "Cmd": "arg", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "arg VERSION=1.0", + "SubCmd": "", + "Value": [ + "VERSION=1.0" + ], + "_kics_line": 1 + }, + { + "Cmd": "arg", + "EndLine": 2, + "Flags": [], + "JSON": false, + "Original": "arg BASE_IMAGE=ubuntu:22.04", + "SubCmd": "", + "Value": [ + "BASE_IMAGE=ubuntu:22.04" + ], + "_kics_line": 2 + } + ], + "command": { + "alpine:3.19 as builder": [ + { + "Cmd": "from", + "EndLine": 4, + "Flags": [], + "JSON": false, + "Original": "from alpine:3.19 as builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "as", + "builder" + ], + "_kics_line": 4 + }, + { + "Cmd": "copy", + "EndLine": 6, + "Flags": [], + "JSON": false, + "Original": "copy . .", + "SubCmd": "", + "Value": [ + ".", + "." 
+ ], + "_kics_line": 6 + }, + { + "Cmd": "healthcheck", + "EndLine": 8, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "healthcheck --interval=30s --timeout=30s --start-period=5s --retries=3 cmd [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "cmd", + "executable" + ], + "_kics_line": 8 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [ + { + "Cmd": "arg", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "arg BASE_IMAGE=ubuntu:22.04", + "SubCmd": "", + "Value": [ + "BASE_IMAGE=ubuntu:22.04" + ], + "_kics_line": 1 + }, + { + "Cmd": "arg", + "EndLine": 4, + "Flags": [], + "JSON": false, + "Original": "arg JAR_FILE", + "SubCmd": "", + "Value": [ + "JAR_FILE" + ], + "_kics_line": 4 + } + ], + "command": { + "alpine:3.19 as builder": [ + { + "Cmd": "from", + "EndLine": 6, + "Flags": [], + "JSON": false, + "Original": "from alpine:3.19 as builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "as", + "builder" + ], + "_kics_line": 6 + }, + { + "Cmd": "copy", + "EndLine": 8, + "Flags": [], + "JSON": false, + "Original": "copy . .", + "SubCmd": "", + "Value": [ + ".", + "." 
+ ], + "_kics_line": 8 + }, + { + "Cmd": "healthcheck", + "EndLine": 10, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "healthcheck --interval=30s --timeout=30s --start-period=5s --retries=3 cmd [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "cmd", + "executable" + ], + "_kics_line": 10 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [ + { + "Cmd": "arg", + "EndLine": 2, + "Flags": [], + "JSON": false, + "Original": "arg BASE_IMAGE=ubuntu:22.04", + "SubCmd": "", + "Value": [ + "BASE_IMAGE=ubuntu:22.04" + ], + "_kics_line": 2 + } + ], + "command": { + "alpine:3.19 as builder": [ + { + "Cmd": "from", + "EndLine": 6, + "Flags": [], + "JSON": false, + "Original": "from alpine:3.19 as builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "as", + "builder" + ], + "_kics_line": 6 + }, + { + "Cmd": "copy", + "EndLine": 8, + "Flags": [], + "JSON": false, + "Original": "copy . .", + "SubCmd": "", + "Value": [ + ".", + "." 
+ ], + "_kics_line": 8 + }, + { + "Cmd": "healthcheck", + "EndLine": 10, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "healthcheck --interval=30s --timeout=30s --start-period=5s --retries=3 cmd [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "cmd", + "executable" + ], + "_kics_line": 10 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [ + { + "Cmd": "arg", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "arg BASE_IMAGE=ubuntu:22.04", + "SubCmd": "", + "Value": [ + "BASE_IMAGE=ubuntu:22.04" + ], + "_kics_line": 1 + } + ], + "command": { + "alpine:3.19 AS builder": [ + { + "Cmd": "from", + "EndLine": 4, + "Flags": [], + "JSON": false, + "Original": "from alpine:3.19 AS builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "AS", + "builder" + ], + "_kics_line": 4 + }, + { + "Cmd": "copy", + "EndLine": 6, + "Flags": [], + "JSON": false, + "Original": "copy .. .", + "SubCmd": "", + "Value": [ + "..", + "." 
+ ], + "_kics_line": 6 + }, + { + "Cmd": "healthcheck", + "EndLine": 8, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "healthcheck --interval=30s --timeout=30s --start-period=5s --retries=3 cmd [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "cmd", + "executable" + ], + "_kics_line": 8 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [ + { + "Cmd": "arg", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "arg BASE_IMAGE=ubuntu:22.04", + "SubCmd": "", + "Value": [ + "BASE_IMAGE=ubuntu:22.04" + ], + "_kics_line": 1 + } + ], + "command": { + "alpine:3.19 as builder": [ + { + "Cmd": "from", + "EndLine": 3, + "Flags": [], + "JSON": false, + "Original": "from alpine:3.19 as builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "as", + "builder" + ], + "_kics_line": 3 + }, + { + "Cmd": "copy", + "EndLine": 5, + "Flags": [], + "JSON": false, + "Original": "copy . .", + "SubCmd": "", + "Value": [ + ".", + "." 
+ ], + "_kics_line": 5 + }, + { + "Cmd": "healthcheck", + "EndLine": 7, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "healthcheck --interval=30s --timeout=30s --start-period=5s --retries=3 cmd [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "cmd", + "executable" + ], + "_kics_line": 7 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [], + "command": { + "alpine:latest": [ + { + "Cmd": "from", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "FROM alpine:latest", + "SubCmd": "", + "Value": [ + "alpine:latest" + ], + "_kics_line": 1 + }, + { + "Cmd": "copy", + "EndLine": 3, + "Flags": [], + "JSON": false, + "Original": "COPY {{ file_path }} /test", + "SubCmd": "", + "Value": [ + "{{", + "file_path", + "}}", + "/test" + ], + "_kics_line": 3 + }, + { + "Cmd": "run", + "EndLine": 5, + "Flags": [], + "JSON": false, + "Original": "RUN echo \"failure\"", + "SubCmd": "", + "Value": [ + "echo \"failure\"" + ], + "_kics_line": 5 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [], + "command": { + "alpine:3.19 AS builder": [ + { + "Cmd": "from", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "FROM alpine:3.19 AS builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "AS", + "builder" + ], + "_kics_line": 1 + }, + { + "Cmd": "copy", + "EndLine": 3, + "Flags": [], + "JSON": false, + "Original": "COPY . .", + "SubCmd": "", + "Value": [ + ".", + "." 
+ ], + "_kics_line": 3 + }, + { + "Cmd": "healthcheck", + "EndLine": 5, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "CMD", + "executable" + ], + "_kics_line": 5 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [], + "command": { + "alpine:3.19 AS builder": [ + { + "Cmd": "from", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "FROM alpine:3.19 AS builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "AS", + "builder" + ], + "_kics_line": 1 + }, + { + "Cmd": "copy", + "EndLine": 3, + "Flags": [], + "JSON": false, + "Original": "COPY . .", + "SubCmd": "", + "Value": [ + ".", + "." + ], + "_kics_line": 3 + }, + { + "Cmd": "healthcheck", + "EndLine": 5, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "CMD", + "executable" + ], + "_kics_line": 5 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [], + "command": { + "alpine:3.19 AS builder": [ + { + "Cmd": "from", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "FROM alpine:3.19 AS builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "AS", + "builder" + ], + "_kics_line": 1 + }, + { + "Cmd": "copy", + "EndLine": 3, + "Flags": [], + "JSON": false, + "Original": "COPY . .", + "SubCmd": "", + "Value": [ + ".", + "." 
+ ], + "_kics_line": 3 + }, + { + "Cmd": "healthcheck", + "EndLine": 5, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "CMD", + "executable" + ], + "_kics_line": 5 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [], + "command": { + "alpine:3.19 AS builder": [ + { + "Cmd": "from", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "FROM alpine:3.19 AS builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "AS", + "builder" + ], + "_kics_line": 1 + }, + { + "Cmd": "copy", + "EndLine": 3, + "Flags": [], + "JSON": false, + "Original": "COPY . .", + "SubCmd": "", + "Value": [ + ".", + "." + ], + "_kics_line": 3 + }, + { + "Cmd": "healthcheck", + "EndLine": 5, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "CMD", + "executable" + ], + "_kics_line": 5 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [], + "command": { + "alpine:3.19 AS builder": [ + { + "Cmd": "from", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "FROM alpine:3.19 AS builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "AS", + "builder" + ], + "_kics_line": 1 + }, + { + "Cmd": "copy", + "EndLine": 3, + "Flags": [], + "JSON": false, + "Original": "COPY . .", + "SubCmd": "", + "Value": [ + ".", + "." 
+ ], + "_kics_line": 3 + }, + { + "Cmd": "healthcheck", + "EndLine": 5, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "CMD", + "executable" + ], + "_kics_line": 5 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [], + "command": { + "alpine:3.19 AS builder": [ + { + "Cmd": "from", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "FROM alpine:3.19 AS builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "AS", + "builder" + ], + "_kics_line": 1 + }, + { + "Cmd": "copy", + "EndLine": 3, + "Flags": [], + "JSON": false, + "Original": "COPY . .", + "SubCmd": "", + "Value": [ + ".", + "." + ], + "_kics_line": 3 + }, + { + "Cmd": "healthcheck", + "EndLine": 5, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "CMD", + "executable" + ], + "_kics_line": 5 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [ + { + "Cmd": "package", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "package main", + "SubCmd": "", + "Value": [ + "" + ], + "_kics_line": 1 + }, + { + "Cmd": "import", + "EndLine": 3, + "Flags": [], + "JSON": false, + "Original": "import \"fmt\"", + "SubCmd": "", + "Value": [ + "" + ], + "_kics_line": 3 + }, + { + "Cmd": "func", + "EndLine": 5, + "Flags": [], + "JSON": false, + "Original": "func main() {", + "SubCmd": "", + "Value": [ + "" + ], + "_kics_line": 5 + }, + { + "Cmd": "fmt.println(\"hello,", + "EndLine": 6, + "Flags": [], + "JSON": false, + "Original": "fmt.Println(\"Hello, World!\")", + "SubCmd": "", + "Value": [ + "" + ], + "_kics_line": 6 + }, + { + "Cmd": "}", + "EndLine": 7, + "Flags": null, 
+ "JSON": false, + "Original": "}", + "SubCmd": "", + "Value": [ + "" + ], + "_kics_line": 7 + } + ], + "command": {}, + "file": "file", + "id": "0" + }, + { + "args": [ + { + "Cmd": "public", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "public class HelloWorld {", + "SubCmd": "", + "Value": [ + "" + ], + "_kics_line": 1 + }, + { + "Cmd": "public", + "EndLine": 2, + "Flags": [], + "JSON": false, + "Original": "public static void main(String[] args) {", + "SubCmd": "", + "Value": [ + "" + ], + "_kics_line": 2 + }, + { + "Cmd": "system.out.println(\"hello,", + "EndLine": 3, + "Flags": [], + "JSON": false, + "Original": "System.out.println(\"Hello, World!\");", + "SubCmd": "", + "Value": [ + "" + ], + "_kics_line": 3 + }, + { + "Cmd": "}", + "EndLine": 4, + "Flags": null, + "JSON": false, + "Original": "}", + "SubCmd": "", + "Value": [ + "" + ], + "_kics_line": 4 + }, + { + "Cmd": "}", + "EndLine": 5, + "Flags": null, + "JSON": false, + "Original": "}", + "SubCmd": "", + "Value": [ + "" + ], + "_kics_line": 5 + } + ], + "command": {}, + "file": "file", + "id": "0" + } + ] } From c08ad6f8bde28586c5f78486b3e48b7c5e3d1299 Mon Sep 17 00:00:00 2001 From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Fri, 20 Mar 2026 11:25:41 +0000 Subject: [PATCH 30/84] Update to 'Docker' related documentation --- docs/platforms.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/platforms.md b/docs/platforms.md index bc4a6c7de7d..302faa278de 100644 --- a/docs/platforms.md +++ b/docs/platforms.md 
@@ -86,7 +86,9 @@ Note that KICS recognizes this technology as Azure Resource Manager (for queries ## Docker -KICS supports scanning Docker files with any name (but with no extension) and files with `.dockerfile` extension. +KICS supports scanning Dockerfile configurations with any name (but with no extension) and files matched by either name (`Dockerfile`, `Dockerfile.`), extension (`.dockerfile`,`.ubi8`,`.debian`), or by location inside directories named `docker`, `dockerfile`, or `dockerfiles`, where all text files are verified for a valid configuration regardless of extension. + +Note that every check is matched case-insensitively with the exception of the `.ubi8` and `.debian` extensions. ## Docker Compose From ad57a0c5573b6089b47454df1add39344c948dd4 Mon Sep 17 00:00:00 2001 From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Mon, 23 Mar 2026 12:12:19 +0000 Subject: [PATCH 31/84] Requested change - made extDockerfile a constant --- pkg/utils/get_extension.go | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/pkg/utils/get_extension.go b/pkg/utils/get_extension.go index ec1f300cb28..0958f158b23 100644 --- a/pkg/utils/get_extension.go +++ b/pkg/utils/get_extension.go @@ -8,13 +8,17 @@ import ( "path/filepath" "strings" + "github.com/Checkmarx/kics/v2/internal/constants" "github.com/rs/zerolog/log" "golang.org/x/tools/godoc/util" ) +const ( + extDockerfile = ".dockerfile" +) + // GetExtension gets the extension of a file path func GetExtension(path string) (string, error) { - extDockerfile := ".dockerfile" fileInfo, err := os.Stat(path) if err != nil { return "", fmt.Errorf("file %s not found", path) @@ -24,7 +28,7 @@ func GetExtension(path string) (string, error) { return "", fmt.Errorf("the path %s is a directory", path) } - if ext, ok := isDockerfileExtension(path, extDockerfile); ok { + if ext, ok := isDockerfileExtension(path); ok { return ext, nil } 
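Review bot: The new `const` block in the `@@ -8,13 +8,17 @@` hunk carries no doc comment, yet `extDockerfile` is not a real file extension but a sentinel that `isDockerfileExtension` hands back for any file matched by name, `dockerfile.` prefix or parent directory, whatever the file's true suffix is. A reader of `GetExtension` cannot tell that from the declaration alone; add `// extDockerfile is the synthetic extension reported for every file identified as a Dockerfile (by name, "dockerfile." prefix or parent directory), regardless of its real suffix.` above it. The same hunk also makes `pkg/utils` import `internal/constants`, which reverses the usual leaf-package direction for a utils package; presumably `constants` does not import `utils` back, but that is worth confirming since an import cycle would only surface at build time.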
@@ -49,12 +53,11 @@ func GetExtension(path string) (string, error) { return ext, nil } -func isDockerfileExtension(path, extDockerfile string) (string, bool) { +func isDockerfileExtension(path string) (string, bool) { base := filepath.Base(path) - d := "dockerfile" lower := strings.ToLower(base) - if lower == d || strings.HasPrefix(lower, "dockerfile.") { + if lower == constants.AvailablePlatforms["Dockerfile"] || strings.HasPrefix(lower, "dockerfile.") { return extDockerfile, true } @@ -63,7 +66,7 @@ func isDockerfileExtension(path, extDockerfile string) (string, bool) { } dir := strings.ToLower(filepath.Base(filepath.Dir(path))) - if (dir == "docker" || dir == d || dir == "dockerfiles") && readPossibleDockerFile(path) { + if (dir == "docker" || dir == constants.AvailablePlatforms["Dockerfile"] || dir == "dockerfiles") && readPossibleDockerFile(path) { return extDockerfile, true } @@ -90,9 +93,8 @@ func readPossibleDockerFile(path string) bool { } else { if strings.HasPrefix(strings.ToLower(scanner.Text()), "from ") { return true - } else { - return false } + return false } } return false From e2aefc1c90bdccc0dc7266210890afc8cf4dbdaf Mon Sep 17 00:00:00 2001 From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Mon, 23 Mar 2026 12:17:52 +0000 Subject: [PATCH 32/84] Fixed E2E 106 fixture 'RESULT' file name --- e2e/fixtures/{E2E_CLI_105_RESULT.json => E2E_CLI_106_RESULT.json} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename e2e/fixtures/{E2E_CLI_105_RESULT.json => E2E_CLI_106_RESULT.json} (100%) diff --git a/e2e/fixtures/E2E_CLI_105_RESULT.json b/e2e/fixtures/E2E_CLI_106_RESULT.json similarity index 100% rename from e2e/fixtures/E2E_CLI_105_RESULT.json rename to e2e/fixtures/E2E_CLI_106_RESULT.json From 82c9ebda7b5c4ffd66a2c41d1c8c0061568e713a Mon Sep 17 00:00:00 2001 
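Review bot: In `isDockerfileExtension` the base-name check now reads `lower == constants.AvailablePlatforms["Dockerfile"]` while the prefix test on the same line still hard-codes the literal `"dockerfile."`, and the directory check mixes the map lookup with the literals `"docker"` and `"dockerfiles"`. A string-keyed map lookup cannot be checked at compile time: if that key or its value is ever renamed, the lookup yields `""`, `lower == ""` never matches, and Dockerfile-by-name detection silently switches off with no test or log line to show it. Keeping one `const dockerfileName = "dockerfile"` next to `extDockerfile` and deriving the prefix from it (`dockerfileName + "."`) keeps the two checks from drifting apart; if the constants package must be the source of truth, export a plain constant there rather than reaching into the map. The rest of `isDockerfileExtension` is outside the hunk.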
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Mon, 23 Mar 2026 15:15:27 +0000 Subject: [PATCH 33/84] Refactor to 'get_extension' and 'analyzer' to reduce redudancy --- pkg/analyzer/analyzer.go | 117 +++++++++++++++++++++---------------- pkg/utils/get_extension.go | 37 +----------- 2 files changed, 68 insertions(+), 86 deletions(-) diff --git a/pkg/analyzer/analyzer.go b/pkg/analyzer/analyzer.go index 901c9b00589..e03606fcab8 100644 --- a/pkg/analyzer/analyzer.go +++ b/pkg/analyzer/analyzer.go @@ -150,9 +150,15 @@ type analyzerInfo struct { typesFlag []string excludeTypesFlag []string filePath string + fileExt string fallbackMinifiedFileLOC int } +type fileExtInfo struct { + path string + ext string +} + // fileTypeInfo contains file path, detected platform type, and LOC count type fileTypeInfo struct { filePath string @@ -326,7 +332,7 @@ func Analyze(a *Analyzer) (model.AnalyzedPaths, error) { FileStats: make(map[string]model.FileStatistics), } - var files []string + var files []fileExtInfo var wg sync.WaitGroup // results is the channel shared by the workers that contains the types found results := make(chan string) 
@@ -346,19 +352,31 @@ func Analyze(a *Analyzer) (model.AnalyzedPaths, error) { return err } + fileInfo, errFile := os.Stat(path) + if errFile != nil { + errFile = fmt.Errorf("file %s not found", path) + return nil + } + + if fileInfo.IsDir() { + errFile = fmt.Errorf("the path %s is a directory", path) + return nil + } + + trimmedPath := strings.ReplaceAll(path, a.Paths[0], filepath.Base(a.Paths[0])) + ignoreFiles = a.checkIgnore(info.Size(), hasGitIgnoreFile, gitIgnore, path, trimmedPath, ignoreFiles) + ext, errExt := utils.GetExtension(path) if errExt == nil { - trimmedPath := strings.ReplaceAll(path, a.Paths[0], filepath.Base(a.Paths[0])) - ignoreFiles = a.checkIgnore(info.Size(), hasGitIgnoreFile, gitIgnore, path, trimmedPath, ignoreFiles) - if isConfigFile(path, defaultConfigFiles) { projectConfigFiles = append(projectConfigFiles, path) a.Exc = append(a.Exc, path) } if _, ok := possibleFileTypes[ext]; ok && !isExcludedFile(path, a.Exc) { - files = append(files, path) + files = append(files, fileExtInfo{path, ext}) } + } return nil }); err != nil { @@ -378,7 +396,8 @@ func Analyze(a *Analyzer) (model.AnalyzedPaths, error) { a := &analyzerInfo{ typesFlag: a.Types, excludeTypesFlag: a.ExcludeTypes, - filePath: file, + filePath: file.path, + fileExt: file.ext, fallbackMinifiedFileLOC: a.FallbackMinifiedFileLOC, } go a.worker(results, unwanted, locCount, fileInfo, &wg) 
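Review bot: The new `os.Stat(path)` at the top of the walk callback is redundant: the callback already receives `info` for this path (it is used for `info.Size()` in the `checkIgnore` call a few lines below), and `utils.GetExtension` performs the same stat-and-`IsDir` check itself (visible in the get_extension.go hunk of the earlier commit). Besides a second syscall per file, `os.Stat` follows symlinks whereas the walk's `info` comes from Lstat, so the two views of one path can disagree on a symlinked entry; `if info.IsDir() { return nil }` gives the same skip without the extra stat. The two `errFile = fmt.Errorf(...)` assignments are dead since only `nil` is returned, and moving `checkIgnore` ahead of `GetExtension` means files whose extension fails to resolve are now counted toward `ignoreFiles` where before they were not — if that accounting change is intended it deserves a comment.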
@@ -427,53 +446,49 @@ func (a *analyzerInfo) worker( //nolint: gocyclo wg.Done() }() - ext, errExt := utils.GetExtension(a.filePath) - - if errExt == nil { - linesCount, _ := utils.LineCounter(a.filePath, a.fallbackMinifiedFileLOC) + linesCount, _ := utils.LineCounter(a.filePath, a.fallbackMinifiedFileLOC) - switch ext { - // Dockerfile - case ".dockerfile": - if a.isAvailableType(dockerfile) { - results <- dockerfile - locCount <- linesCount - fileInfo <- fileTypeInfo{filePath: a.filePath, fileType: dockerfile, locCount: linesCount} - } - // Terraform - case ".tf", "tfvars": - if a.isAvailableType(terraform) { - results <- terraform - locCount <- linesCount - fileInfo <- fileTypeInfo{filePath: a.filePath, fileType: terraform, locCount: linesCount} - } - // Bicep - case ".bicep": - if a.isAvailableType(bicep) { - results <- arm - locCount <- linesCount - fileInfo <- fileTypeInfo{filePath: a.filePath, fileType: arm, locCount: linesCount} - } - // GRPC - case ".proto": - if a.isAvailableType(grpc) { - results <- grpc - locCount <- linesCount - fileInfo <- fileTypeInfo{filePath: a.filePath, fileType: grpc, locCount: linesCount} - } - // It could be Ansible Config or Ansible Inventory - case ".cfg", ".conf", ".ini": - if a.isAvailableType(ansible) { - results <- ansible - locCount <- linesCount - fileInfo <- fileTypeInfo{filePath: a.filePath, fileType: ansible, locCount: linesCount} - } - /* It could be Ansible, Buildah, CICD, CloudFormation, Crossplane, OpenAPI, Azure Resource Manager - Docker Compose, Knative, Kubernetes, Pulumi, ServerlessFW or Google Deployment Manager. 
- We also have FHIR's case which will be ignored since it's not a platform file.*/ - case yaml, yml, json, sh: - a.checkContent(results, unwanted, locCount, fileInfo, linesCount, ext) + switch a.fileExt { + // Dockerfile + case ".dockerfile": + if a.isAvailableType(dockerfile) { + results <- dockerfile + locCount <- linesCount + fileInfo <- fileTypeInfo{filePath: a.filePath, fileType: dockerfile, locCount: linesCount} + } + // Terraform + case ".tf", "tfvars": + if a.isAvailableType(terraform) { + results <- terraform + locCount <- linesCount + fileInfo <- fileTypeInfo{filePath: a.filePath, fileType: terraform, locCount: linesCount} + } + // Bicep + case ".bicep": + if a.isAvailableType(bicep) { + results <- arm + locCount <- linesCount + fileInfo <- fileTypeInfo{filePath: a.filePath, fileType: arm, locCount: linesCount} + } + // GRPC + case ".proto": + if a.isAvailableType(grpc) { + results <- grpc + locCount <- linesCount + fileInfo <- fileTypeInfo{filePath: a.filePath, fileType: grpc, locCount: linesCount} + } + // It could be Ansible Config or Ansible Inventory + case ".cfg", ".conf", ".ini": + if a.isAvailableType(ansible) { + results <- ansible + locCount <- linesCount + fileInfo <- fileTypeInfo{filePath: a.filePath, fileType: ansible, locCount: linesCount} } + /* It could be Ansible, Buildah, CICD, CloudFormation, Crossplane, OpenAPI, Azure Resource Manager + Docker Compose, Knative, Kubernetes, Pulumi, ServerlessFW or Google Deployment Manager. + We also have FHIR's case which will be ignored since it's not a platform file.*/ + case yaml, yml, json, sh: + a.checkContent(results, unwanted, locCount, fileInfo, linesCount, a.fileExt) } } diff --git a/pkg/utils/get_extension.go b/pkg/utils/get_extension.go index 0958f158b23..eedc0d028a5 100644 --- a/pkg/utils/get_extension.go +++ b/pkg/utils/get_extension.go @@ -2,7 +2,6 @@ package utils import ( "bufio" - "bytes" "fmt" "os" "path/filepath" 
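Review bot: In the worker switch, `case ".tf", "tfvars":` compares `a.fileExt` against the bare string `"tfvars"`, but `utils.GetExtension` (visible as context in the get_extension.go hunk of this same commit) returns `".tfvars"` for a file whose base name is `tfvars`, so that value can never reach the terraform branch, and because the switch has no `default` the file is dropped without a trace. `case ".tf", ".tfvars":` plus a `default:` that logs the unhandled extension at debug level would make such mismatches visible. Whether `possibleFileTypes` admits `".tfvars"` upstream is outside this hunk, so please confirm before changing the case. `worker` begins before the hunk.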
@@ -10,7 +9,6 @@ import ( "github.com/Checkmarx/kics/v2/internal/constants" "github.com/rs/zerolog/log" - "golang.org/x/tools/godoc/util" ) const ( @@ -42,11 +40,7 @@ func GetExtension(path string) (string, error) { if filepath.Base(path) == "tfvars" { return ".tfvars", nil } - isText, err := isTextFile(path) - if err != nil { - return "", err - } - if isText && readPossibleDockerFile(path) { + if readPossibleDockerFile(path) { return extDockerfile, nil } } @@ -91,35 +85,8 @@ func readPossibleDockerFile(path string) bool { if strings.HasPrefix(scanner.Text(), "#") || strings.HasPrefix(strings.ToLower(scanner.Text()), "arg") || scanner.Text() == "" { continue } else { - if strings.HasPrefix(strings.ToLower(scanner.Text()), "from ") { - return true - } - return false + return strings.HasPrefix(strings.ToLower(scanner.Text()), "from ") } } return false } - -func isTextFile(path string) (bool, error) { - info, err := os.Stat(path) - if err != nil { - log.Error().Msgf("failed to get file info: %s", err) - return false, err - } - - if info.IsDir() { - return false, nil - } - - content, err := os.ReadFile(filepath.Clean(path)) - if err != nil { - log.Error().Msgf("failed to analyze file: %s", err) - return false, err - } - - content = bytes.ReplaceAll(content, []byte("\r"), []byte("")) - - isText := util.IsText(content) - - return isText, nil -} From 1c3f046c0fe6d13a84512649d864d17f10db9a7d Mon Sep 17 00:00:00 2001 From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Mon, 23 Mar 2026 15:26:58 +0000 Subject: [PATCH 34/84] Lint error fix --- pkg/analyzer/analyzer.go | 2 -- 1 file changed, 2 deletions(-) diff --git a/pkg/analyzer/analyzer.go b/pkg/analyzer/analyzer.go index e03606fcab8..26ba4aebca0 100644 --- a/pkg/analyzer/analyzer.go +++ b/pkg/analyzer/analyzer.go 
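Review bot: `readPossibleDockerFile` skips any line whose lowercased text starts with `"arg"` (the condition is visible as context at the top of the last hunk), so an unrelated extensionless file beginning with `argparse ...` is skipped over instead of ending the check, and a Dockerfile whose first instruction is indented (`  FROM alpine`) is rejected because nothing trims leading whitespace before the prefix tests. `line := strings.TrimSpace(scanner.Text())` followed by `strings.HasPrefix(strings.ToLower(line), "arg ")` and the same for `"from "` fixes both. With the `isTextFile` guard removed in the `@@ -42` hunk this heuristic now opens every extensionless file, binaries included; `bufio.Scanner` stops at the first line over 64 KiB and the function returns false, which is acceptable, but the sentence added to `docs/platforms.md` earlier in this series ("all text files are verified") no longer describes what the code does.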
@@ -354,12 +354,10 @@ func Analyze(a *Analyzer) (model.AnalyzedPaths, error) { fileInfo, errFile := os.Stat(path) if errFile != nil { - errFile = fmt.Errorf("file %s not found", path) return nil } if fileInfo.IsDir() { - errFile = fmt.Errorf("the path %s is a directory", path) return nil } From 6a786ea17534664bd66d261eda691176bd8bab0e Mon Sep 17 00:00:00 2001 From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Mon, 23 Mar 2026 15:44:28 +0000 Subject: [PATCH 35/84] Newline removed (lint) --- pkg/analyzer/analyzer.go | 1 - 1 file changed, 1 deletion(-) diff --git a/pkg/analyzer/analyzer.go b/pkg/analyzer/analyzer.go index 26ba4aebca0..55424b2c838 100644 --- a/pkg/analyzer/analyzer.go +++ b/pkg/analyzer/analyzer.go @@ -374,7 +374,6 @@ func Analyze(a *Analyzer) (model.AnalyzedPaths, error) { if _, ok := possibleFileTypes[ext]; ok && !isExcludedFile(path, a.Exc) { files = append(files, fileExtInfo{path, ext}) } - } return nil }); err != nil { From 6fae044f824ea3d1a0a5f8739e78f41577c6df95 Mon Sep 17 00:00:00 2001 From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Mon, 23 Mar 2026 15:57:14 +0000 Subject: [PATCH 36/84] Renamed variable to prevent confusing shadowing --- pkg/analyzer/analyzer.go | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/pkg/analyzer/analyzer.go b/pkg/analyzer/analyzer.go index 55424b2c838..10dfc5ac138 100644 --- a/pkg/analyzer/analyzer.go +++ b/pkg/analyzer/analyzer.go @@ -154,6 +154,7 @@ type analyzerInfo struct { fallbackMinifiedFileLOC int } +// fileExtInfo contains file path and detected extension type fileExtInfo struct { path string ext string @@ -352,12 +353,12 @@ func Analyze(a *Analyzer) (model.AnalyzedPaths, error) { return err } - fileInfo, errFile := os.Stat(path) + fileData, errFile := os.Stat(path) if errFile != nil { return nil } - if fileInfo.IsDir() { + if fileData.IsDir() { return nil } 
From 1d2b4f8e9f4e7ba98f4b101c2eef5af08ba46449 Mon Sep 17 00:00:00 2001 From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Mon, 23 Mar 2026 16:37:29 +0000 Subject: [PATCH 37/84] First tests --- assets/libraries/dockerfile.rego | 5 +++++ .../queries/dockerfile/missing_user_instruction/query.rego | 6 ++++-- pkg/parser/docker/parser.go | 2 +- 3 files changed, 10 insertions(+), 3 deletions(-) diff --git a/assets/libraries/dockerfile.rego b/assets/libraries/dockerfile.rego index 1ef6f6244f2..98990ee5a6e 100644 --- a/assets/libraries/dockerfile.rego +++ b/assets/libraries/dockerfile.rego @@ -70,3 +70,8 @@ check_multi_stage(imageName, images) { sortedIndex := sort(unsortedIndex) imageName == sortedIndex[minus(count(sortedIndex), 1)].Name } + +get_original_from_command(commands) = from_command { + commands[i].Cmd == "from" + from_command := substring(commands[i].Original, 0, 4) +} diff --git a/assets/queries/dockerfile/missing_user_instruction/query.rego b/assets/queries/dockerfile/missing_user_instruction/query.rego index 51913455708..19c41a7312d 100644 --- a/assets/queries/dockerfile/missing_user_instruction/query.rego +++ b/assets/queries/dockerfile/missing_user_instruction/query.rego @@ -9,12 +9,14 @@ CxPolicy[result] { not name == "scratch" not has_user_instruction(resource) + from_command := dockerLib.get_original_from_command(resource) + result := { "documentId": input.document[i].id, - "searchKey": sprintf("FROM={{%s}}", [name]), + "searchKey": sprintf("%s={{%s}}", [from_command, name]), "issueType": "MissingAttribute", "keyExpectedValue": "The 'Dockerfile' should contain the 'USER' instruction", - "keyActualValue": "The 'Dockerfile' does not contain any 'USER' instruction", + "keyActualValue": "The 'Dockerfile' does not contain any 'USER' instruction" } } diff --git a/pkg/parser/docker/parser.go b/pkg/parser/docker/parser.go index 7f97835b07e..82b860308e1 100644 --- a/pkg/parser/docker/parser.go +++ b/pkg/parser/docker/parser.go 
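Review bot: `get_original_from_command` in dockerfile.rego is undocumented and has no fallback: it returns the first four characters of the matching command's `Original` (the `FROM` keyword as the author wrote it, which is what lets the new `searchKey` match the file text case-sensitively), and if a stage's command list has no entry with `Cmd == "from"` the function is undefined, so every `result` built from it is undefined and the finding is silently dropped rather than reported. A one-line contract comment, e.g. `# Returns the FROM keyword exactly as written in the file ("FROM", "from", ...) so searchKey matches the source text`, plus an `} else = "FROM"` branch would preserve the old behaviour when no FROM entry is present. Whether a stage can ever lack a FROM entry depends on the Go parser, which is outside this hunk, so please confirm before treating the fallback as dead code.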
@@ -59,7 +59,7 @@ func (p *Parser) Parse(_ string, fileContent []byte) ([]model.Document, []int, e for _, child := range parsed.AST.Children { child.Value = strings.ToLower(child.Value) if child.Value == "from" { - fromValue = strings.TrimPrefix(child.Original, "FROM ") + fromValue = child.Original[5:] } if ignoreStruct.getIgnoreComments(child) { From 14154b2cdf24f207b6630f5a1aadbc481b86d0d6 Mon Sep 17 00:00:00 2001 
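Review bot: `fromValue = child.Original[5:]` panics with a slice-bounds error when `Original` is shorter than five bytes, i.e. a bare `FROM` line with no image, which would abort the whole scan on a malformed input file instead of reporting it; the old `strings.TrimPrefix` form could not crash. It also keeps any extra whitespace between the keyword and the image (`FROM  alpine`, or a tab), so `fromValue` may start with spaces. Since `child.Value == "from"` means `Original` begins with the four-byte keyword, `fromValue = strings.TrimSpace(child.Original[len(child.Value):])` cannot go out of range and handles any keyword casing and separator. Whether the buildkit parser already rejects a bare `FROM` before this loop is not visible here, so treat this as cheap insurance. The enclosing `Parse` loop continues outside the hunk.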
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Mon, 23 Mar 2026 18:26:03 +0000 Subject: [PATCH 38/84] First commit with changes to all dockerfile queries for case insesitivity support + tests --- .../dockerfile/add_instead_of_copy/query.rego | 4 +- .../test/negative2.dockerfile | 10 + .../test/positive2.dockerfile | 9 + .../test/positive_expected_result.json | 19 +- .../apk_add_using_local_cache_path/query.rego | 4 +- .../test/negative3.dockerfile | 7 + .../test/positive3.dockerfile | 7 + .../test/positive_expected_result.json | 8 +- .../query.rego | 6 +- .../test/negative3.dockerfile | 15 ++ .../test/positive3.dockerfile | 14 ++ .../test/positive_expected_result.json | 86 +++++--- .../query.rego | 8 +- .../test/negative4.dockerfile | 2 + .../test/positive3.dockerfile | 14 ++ .../test/positive_expected_result.json | 48 +++++ .../query.rego | 6 +- .../test/negative9.dockerfile | 4 + .../test/positive8.dockerfile | 4 + .../test/positive_expected_result.json | 198 ++++++++++-------- .../query.rego | 8 +- .../test/negative2.dockerfile | 4 + .../test/positive2.dockerfile | 3 + .../test/positive_expected_result.json | 20 +- .../query.rego | 9 +- .../test/negative5.dockerfile | 11 + .../test/positive3.dockerfile | 11 + .../test/positive_expected_result.json | 8 +- .../dockerfile/chown_flag_exists/query.rego | 5 +- .../test/negative2.dockerfile | 7 + .../test/positive2.dockerfile | 7 + .../test/positive_expected_result.json | 19 +- .../query.rego | 6 +- .../test/negative2.dockerfile | 12 ++ .../test/positive2.dockerfile | 3 + .../test/positive_expected_result.json | 17 +- .../query.rego | 6 +- .../test/negative3.dockerfile | 2 + .../test/positive2.dockerfile | 2 + .../test/positive_expected_result.json | 18 +- .../curl_or_wget_instead_of_add/query.rego | 6 +- .../test/negative3.dockerfile | 5 + .../test/positive2.dockerfile | 5 + .../test/positive_expected_result.json | 19 +- .../dockerfile/exposing_port_22/query.rego | 6 +- 
.../test/negative2.dockerfile | 4 + .../test/positive2.dockerfile | 4 + .../test/positive_expected_result.json | 19 +- .../gem_install_without_version/query.rego | 8 +- .../test/negative2.dockerfile | 13 ++ .../test/positive2.dockerfile | 12 ++ .../test/positive_expected_result.json | 53 +++-- .../query.rego | 3 +- .../test/negative3.dockerfile | 8 + .../test/positive3.dockerfile | 7 + .../test/positive_expected_result.json | 8 +- .../image_version_not_explicit/query.rego | 6 +- .../test/negative5.dockerfile | 11 + .../test/positive5.dockerfile | 9 + .../test/positive_expected_result.json | 8 +- .../image_version_using_latest/query.rego | 6 +- .../test/negative2.dockerfile | 9 + .../test/positive2.dockerfile | 9 + .../test/positive_expected_result.json | 11 +- .../dockerfile/last_user_is_root/query.rego | 3 +- .../test/negative3.dockerfile | 4 + .../test/positive2.dockerfile | 3 + .../test/positive_expected_result.json | 17 +- .../query.rego | 6 +- .../test/negative2.dockerfile | 10 + .../test/positive2.dockerfile | 10 + .../test/positive_expected_result.json | 11 +- .../missing_dnf_clean_all/query.rego | 4 +- .../test/negative3.dockerfile | 7 + .../test/positive2.dockerfile | 6 + .../test/positive_expected_result.json | 17 +- .../missing_flag_from_dnf_install/query.rego | 4 +- .../test/negative5.dockerfile | 5 + .../test/positive5.dockerfile | 11 + .../test/positive_expected_result.json | 84 ++++---- .../test/negative4.dockerfile | 14 ++ .../test/positive3.dockerfile | 6 + .../test/positive_expected_result.json | 8 +- .../query.rego | 8 +- .../test/negative2.dockerfile | 6 + .../test/positive2.dockerfile | 6 + .../test/positive_expected_result.json | 30 ++- .../missing_zypper_clean/query.rego | 3 +- .../test/negative3.dockerfile | 3 + .../test/positive2.dockerfile | 3 + .../test/positive_expected_result.json | 17 +- .../query.rego | 3 +- .../test/negative3.dockerfile | 3 + .../test/positive2.dockerfile | 3 + .../test/positive_expected_result.json | 11 +- 
.../query.rego | 3 +- .../test/negative3.dockerfile | 12 ++ .../test/positive2.dockerfile | 12 ++ .../test/positive_expected_result.json | 18 +- .../query.rego | 3 +- .../test/negative3.dockerfile | 12 ++ .../test/positive2.dockerfile | 12 ++ .../test/positive_expected_result.json | 18 +- .../query.rego | 3 +- .../test/negative6.dockerfile | 2 + .../test/positive4.dockerfile | 6 + .../test/positive_expected_result.json | 44 ++-- .../query.rego | 8 +- .../test/negative3.dockerfile | 11 + .../test/positive2.dockerfile | 11 + .../test/positive_expected_result.json | 20 +- .../query.rego | 6 +- .../test/negative2.dockerfile | 11 + .../test/positive2.dockerfile | 8 + .../test/positive_expected_result.json | 126 +++++++---- .../query.rego | 8 +- .../test/negative2.dockerfile | 7 + .../test/positive2.dockerfile | 12 ++ .../test/positive_expected_result.json | 61 +++--- .../query.rego | 6 +- .../test/negative3.dockerfile | 5 + .../test/positive2.dockerfile | 17 ++ .../test/positive_expected_result.json | 59 ++++-- .../dockerfile/run_using_apt/query.rego | 5 +- .../run_using_apt/test/negative2.dockerfile | 3 + .../run_using_apt/test/positive2.dockerfile | 3 + .../test/positive_expected_result.json | 17 +- .../dockerfile/run_using_sudo/query.rego | 8 +- .../run_using_sudo/test/negative2.dockerfile | 10 + .../run_using_sudo/test/positive2.dockerfile | 9 + .../test/positive_expected_result.json | 17 +- .../run_using_wget_and_curl/query.rego | 3 +- .../test/negative2.dockerfile | 4 + .../test/positive2.dockerfile | 8 + .../test/positive_expected_result.json | 51 +++-- .../query.rego | 6 +- .../test/negative2.dockerfile | 8 + .../test/positive2.dockerfile | 6 + .../test/positive_expected_result.json | 36 +++- .../same_alias_in_different_froms/query.rego | 5 +- .../test/negative2.dockerfile | 5 + .../test/positive2.dockerfile | 8 + .../test/positive_expected_result.json | 16 +- .../query.rego | 7 +- .../test/negative2.dockerfile | 7 + .../test/positive2.dockerfile | 3 + 
.../test/positive_expected_result.json | 34 ++- .../unix_ports_out_of_range/query.rego | 6 +- .../test/negative2.dockerfile | 4 + .../test/positive2.dockerfile | 4 + .../test/positive_expected_result.json | 17 +- .../query.rego | 16 +- .../test/negative3.dockerfile | 20 ++ .../test/positive2.dockerfile | 25 +++ .../test/positive_expected_result.json | 87 +++++--- .../query.rego | 8 +- .../test/negative4.dockerfile | 20 ++ .../test/positive2.dockerfile | 22 ++ .../test/positive_expected_result.json | 74 ++++--- .../update_instruction_alone/query.rego | 8 +- .../test/negative12.dockerfile | 8 + .../test/positive8.dockerfile | 5 + .../test/positive_expected_result.json | 90 ++++---- .../using_platform_with_from/query.rego | 9 +- .../test/negative2.dockerfile | 6 + .../test/positive2.dockerfile | 6 + .../test/positive_expected_result.json | 18 +- .../using_unnamed_build_stages/query.rego | 6 +- .../test/negative2.dockerfile | 12 ++ .../test/positive2.dockerfile | 11 + .../test/positive_expected_result.json | 8 +- .../workdir_path_not_absolute/query.rego | 6 +- .../test/negative2.dockerfile | 17 ++ .../test/positive2.dockerfile | 11 + .../test/positive_expected_result.json | 17 +- .../yum_clean_all_missing/query.rego | 4 +- .../test/negative3.dockerfile | 14 ++ .../test/positive2.dockerfile | 13 ++ .../test/positive_expected_result.json | 18 +- .../query.rego | 8 +- .../test/negative2.dockerfile | 9 + .../test/positive2.dockerfile | 10 + .../test/positive_expected_result.json | 34 ++- .../yum_install_without_version/query.rego | 8 +- .../test/negative2.dockerfile | 8 + .../test/positive2.dockerfile | 4 + .../test/positive_expected_result.json | 36 +++- .../zypper_install_without_version/query.rego | 8 +- .../test/negative2.dockerfile | 3 + .../test/positive2.dockerfile | 4 + .../test/positive_expected_result.json | 34 ++- 191 files changed, 2150 insertions(+), 632 deletions(-) create mode 100644 assets/queries/dockerfile/add_instead_of_copy/test/negative2.dockerfile 
create mode 100644 assets/queries/dockerfile/add_instead_of_copy/test/positive2.dockerfile create mode 100644 assets/queries/dockerfile/apk_add_using_local_cache_path/test/negative3.dockerfile create mode 100644 assets/queries/dockerfile/apk_add_using_local_cache_path/test/positive3.dockerfile create mode 100644 assets/queries/dockerfile/apt_get_install_lists_were_not_deleted/test/negative3.dockerfile create mode 100644 assets/queries/dockerfile/apt_get_install_lists_were_not_deleted/test/positive3.dockerfile create mode 100644 assets/queries/dockerfile/apt_get_install_pin_version_not_defined/test/negative4.dockerfile create mode 100644 assets/queries/dockerfile/apt_get_install_pin_version_not_defined/test/positive3.dockerfile create mode 100644 assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/negative9.dockerfile create mode 100644 assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/positive8.dockerfile create mode 100644 assets/queries/dockerfile/apt_get_not_avoiding_additional_packages/test/negative2.dockerfile create mode 100644 assets/queries/dockerfile/apt_get_not_avoiding_additional_packages/test/positive2.dockerfile create mode 100644 assets/queries/dockerfile/changing_default_shell_using_run_command/test/negative5.dockerfile create mode 100644 assets/queries/dockerfile/changing_default_shell_using_run_command/test/positive3.dockerfile create mode 100644 assets/queries/dockerfile/chown_flag_exists/test/negative2.dockerfile create mode 100644 assets/queries/dockerfile/chown_flag_exists/test/positive2.dockerfile create mode 100644 assets/queries/dockerfile/copy_from_references_current_from_alias/test/negative2.dockerfile create mode 100644 assets/queries/dockerfile/copy_from_references_current_from_alias/test/positive2.dockerfile create mode 100644 assets/queries/dockerfile/copy_with_more_than_two_arguments_not_ending_with_slash/test/negative3.dockerfile create mode 100644 
assets/queries/dockerfile/copy_with_more_than_two_arguments_not_ending_with_slash/test/positive2.dockerfile create mode 100644 assets/queries/dockerfile/curl_or_wget_instead_of_add/test/negative3.dockerfile create mode 100644 assets/queries/dockerfile/curl_or_wget_instead_of_add/test/positive2.dockerfile create mode 100644 assets/queries/dockerfile/exposing_port_22/test/negative2.dockerfile create mode 100644 assets/queries/dockerfile/exposing_port_22/test/positive2.dockerfile create mode 100644 assets/queries/dockerfile/gem_install_without_version/test/negative2.dockerfile create mode 100644 assets/queries/dockerfile/gem_install_without_version/test/positive2.dockerfile create mode 100644 assets/queries/dockerfile/healthcheck_instruction_missing/test/negative3.dockerfile create mode 100644 assets/queries/dockerfile/healthcheck_instruction_missing/test/positive3.dockerfile create mode 100644 assets/queries/dockerfile/image_version_not_explicit/test/negative5.dockerfile create mode 100644 assets/queries/dockerfile/image_version_not_explicit/test/positive5.dockerfile create mode 100644 assets/queries/dockerfile/image_version_using_latest/test/negative2.dockerfile create mode 100644 assets/queries/dockerfile/image_version_using_latest/test/positive2.dockerfile create mode 100644 assets/queries/dockerfile/last_user_is_root/test/negative3.dockerfile create mode 100644 assets/queries/dockerfile/last_user_is_root/test/positive2.dockerfile create mode 100644 assets/queries/dockerfile/maintainer_instruction_being_used/test/negative2.dockerfile create mode 100644 assets/queries/dockerfile/maintainer_instruction_being_used/test/positive2.dockerfile create mode 100644 assets/queries/dockerfile/missing_dnf_clean_all/test/negative3.dockerfile create mode 100644 assets/queries/dockerfile/missing_dnf_clean_all/test/positive2.dockerfile create mode 100644 assets/queries/dockerfile/missing_flag_from_dnf_install/test/negative5.dockerfile create mode 100644 
assets/queries/dockerfile/missing_flag_from_dnf_install/test/positive5.dockerfile create mode 100644 assets/queries/dockerfile/missing_user_instruction/test/negative4.dockerfile create mode 100644 assets/queries/dockerfile/missing_user_instruction/test/positive3.dockerfile create mode 100644 assets/queries/dockerfile/missing_version_specification_in_dnf_install/test/negative2.dockerfile create mode 100644 assets/queries/dockerfile/missing_version_specification_in_dnf_install/test/positive2.dockerfile create mode 100644 assets/queries/dockerfile/missing_zypper_clean/test/negative3.dockerfile create mode 100644 assets/queries/dockerfile/missing_zypper_clean/test/positive2.dockerfile create mode 100644 assets/queries/dockerfile/missing_zypper_non_interactive_switch/test/negative3.dockerfile create mode 100644 assets/queries/dockerfile/missing_zypper_non_interactive_switch/test/positive2.dockerfile create mode 100644 assets/queries/dockerfile/multiple_cmd_instructions_listed/test/negative3.dockerfile create mode 100644 assets/queries/dockerfile/multiple_cmd_instructions_listed/test/positive2.dockerfile create mode 100644 assets/queries/dockerfile/multiple_entrypoint_instructions_listed/test/negative3.dockerfile create mode 100644 assets/queries/dockerfile/multiple_entrypoint_instructions_listed/test/positive2.dockerfile create mode 100644 assets/queries/dockerfile/multiple_run_add_copy_instructions_listed/test/negative6.dockerfile create mode 100644 assets/queries/dockerfile/multiple_run_add_copy_instructions_listed/test/positive4.dockerfile create mode 100644 assets/queries/dockerfile/not_using_json_in_cmd_and_entrypoint_arguments/test/negative3.dockerfile create mode 100644 assets/queries/dockerfile/not_using_json_in_cmd_and_entrypoint_arguments/test/positive2.dockerfile create mode 100644 assets/queries/dockerfile/npm_install_without_pinned_version/test/negative2.dockerfile create mode 100644 
assets/queries/dockerfile/npm_install_without_pinned_version/test/positive2.dockerfile create mode 100644 assets/queries/dockerfile/pip_install_keeping_cached_packages/test/negative2.dockerfile create mode 100644 assets/queries/dockerfile/pip_install_keeping_cached_packages/test/positive2.dockerfile create mode 100644 assets/queries/dockerfile/run_command_cd_instead_of_workdir/test/negative3.dockerfile create mode 100644 assets/queries/dockerfile/run_command_cd_instead_of_workdir/test/positive2.dockerfile create mode 100644 assets/queries/dockerfile/run_using_apt/test/negative2.dockerfile create mode 100644 assets/queries/dockerfile/run_using_apt/test/positive2.dockerfile create mode 100644 assets/queries/dockerfile/run_using_sudo/test/negative2.dockerfile create mode 100644 assets/queries/dockerfile/run_using_sudo/test/positive2.dockerfile create mode 100644 assets/queries/dockerfile/run_using_wget_and_curl/test/negative2.dockerfile create mode 100644 assets/queries/dockerfile/run_using_wget_and_curl/test/positive2.dockerfile create mode 100644 assets/queries/dockerfile/run_utilities_and_posix_commands/test/negative2.dockerfile create mode 100644 assets/queries/dockerfile/run_utilities_and_posix_commands/test/positive2.dockerfile create mode 100644 assets/queries/dockerfile/same_alias_in_different_froms/test/negative2.dockerfile create mode 100644 assets/queries/dockerfile/same_alias_in_different_froms/test/positive2.dockerfile create mode 100644 assets/queries/dockerfile/shell_running_a_pipe_without_pipefail_flag/test/negative2.dockerfile create mode 100644 assets/queries/dockerfile/shell_running_a_pipe_without_pipefail_flag/test/positive2.dockerfile create mode 100644 assets/queries/dockerfile/unix_ports_out_of_range/test/negative2.dockerfile create mode 100644 assets/queries/dockerfile/unix_ports_out_of_range/test/positive2.dockerfile create mode 100644 assets/queries/dockerfile/unpinned_package_version_in_apk_add/test/negative3.dockerfile create mode 100644 
assets/queries/dockerfile/unpinned_package_version_in_apk_add/test/positive2.dockerfile create mode 100644 assets/queries/dockerfile/unpinned_package_version_in_pip_install/test/negative4.dockerfile create mode 100644 assets/queries/dockerfile/unpinned_package_version_in_pip_install/test/positive2.dockerfile create mode 100644 assets/queries/dockerfile/update_instruction_alone/test/negative12.dockerfile create mode 100644 assets/queries/dockerfile/update_instruction_alone/test/positive8.dockerfile create mode 100644 assets/queries/dockerfile/using_platform_with_from/test/negative2.dockerfile create mode 100644 assets/queries/dockerfile/using_platform_with_from/test/positive2.dockerfile create mode 100644 assets/queries/dockerfile/using_unnamed_build_stages/test/negative2.dockerfile create mode 100644 assets/queries/dockerfile/using_unnamed_build_stages/test/positive2.dockerfile create mode 100644 assets/queries/dockerfile/workdir_path_not_absolute/test/negative2.dockerfile create mode 100644 assets/queries/dockerfile/workdir_path_not_absolute/test/positive2.dockerfile create mode 100644 assets/queries/dockerfile/yum_clean_all_missing/test/negative3.dockerfile create mode 100644 assets/queries/dockerfile/yum_clean_all_missing/test/positive2.dockerfile create mode 100644 assets/queries/dockerfile/yum_install_allows_manual_input/test/negative2.dockerfile create mode 100644 assets/queries/dockerfile/yum_install_allows_manual_input/test/positive2.dockerfile create mode 100644 assets/queries/dockerfile/yum_install_without_version/test/negative2.dockerfile create mode 100644 assets/queries/dockerfile/yum_install_without_version/test/positive2.dockerfile create mode 100644 assets/queries/dockerfile/zypper_install_without_version/test/negative2.dockerfile create mode 100644 assets/queries/dockerfile/zypper_install_without_version/test/positive2.dockerfile 
diff --git a/assets/queries/dockerfile/add_instead_of_copy/query.rego b/assets/queries/dockerfile/add_instead_of_copy/query.rego index add0d6e9153..509e17f14b6 100644 --- a/assets/queries/dockerfile/add_instead_of_copy/query.rego +++ b/assets/queries/dockerfile/add_instead_of_copy/query.rego @@ -8,9 +8,11 @@ CxPolicy[result] { not dockerLib.arrayContains(resource.Value, {".tar", ".tar."}) + stage := input.document[i].command[name] + from_command := dockerLib.get_original_from_command(stage) result := { "documentId": input.document[i].id, - "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]), + "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, resource.Original]), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("'COPY' %s", [resource.Value[0]]), "keyActualValue": sprintf("'ADD' %s", [resource.Value[0]]), diff --git a/assets/queries/dockerfile/add_instead_of_copy/test/negative2.dockerfile b/assets/queries/dockerfile/add_instead_of_copy/test/negative2.dockerfile new file mode 100644 index 00000000000..b9ed2bb2d3a --- /dev/null +++ b/assets/queries/dockerfile/add_instead_of_copy/test/negative2.dockerfile @@ -0,0 +1,10 @@ +from openjdk:10-jdk +volume /tmp +arg JAR_FILE +copy ${JAR_FILE} app.jar +entrypoint ["java","-Djava.security.egd=file:/dev/./urandom","-jar","/app.jar"] +add http://source.file/package.file.tar.gz /temp +run tar -xjf /temp/package.file.tar.gz \ + && make -C /tmp/package.file \ + && rm /tmp/ package.file.tar.gz +# trigger validation diff --git a/assets/queries/dockerfile/add_instead_of_copy/test/positive2.dockerfile b/assets/queries/dockerfile/add_instead_of_copy/test/positive2.dockerfile new file mode 100644 index 00000000000..2f1a27bb786 --- /dev/null +++ b/assets/queries/dockerfile/add_instead_of_copy/test/positive2.dockerfile 
@@ -0,0 +1,9 @@
+from openjdk:10-jdk
+volume /tmp
+add http://source.file/package.file.tar.gz /temp
+run tar -xjf /temp/package.file.tar.gz \
+ && make -C /tmp/package.file \
+ && rm /tmp/ package.file.tar.gz
+arg JAR_FILE
+add ${JAR_FILE} app.jar
+entrypoint ["java","-Djava.security.egd=file:/dev/./urandom","-jar","/app.jar"]
diff --git a/assets/queries/dockerfile/add_instead_of_copy/test/positive_expected_result.json b/assets/queries/dockerfile/add_instead_of_copy/test/positive_expected_result.json
index 7e9efb25dd7..264f5b98a6b 100644
--- a/assets/queries/dockerfile/add_instead_of_copy/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/add_instead_of_copy/test/positive_expected_result.json
@@ -1,7 +1,14 @@
 [
- {
- "queryName": "Add Instead of Copy",
- "severity": "MEDIUM",
- "line": 8
- }
-]
+ {
+ "queryName": "Add Instead of Copy",
+ "severity": "MEDIUM",
+ "line": 8,
+ "fileName": "positive.dockerfile"
+ },
+ {
+ "queryName": "Add Instead of Copy",
+ "severity": "MEDIUM",
+ "line": 8,
+ "fileName": "positive2.dockerfile"
+ }
+]
\ No newline at end of file
diff --git a/assets/queries/dockerfile/apk_add_using_local_cache_path/query.rego b/assets/queries/dockerfile/apk_add_using_local_cache_path/query.rego
index 080ce74aab4..07e155d0847 100644
--- a/assets/queries/dockerfile/apk_add_using_local_cache_path/query.rego
+++ b/assets/queries/dockerfile/apk_add_using_local_cache_path/query.rego
@@ -10,9 +10,11 @@ CxPolicy[result] { runCommands := dockerLib.getCommands(command.Value[0]) containsApkAddWithoutNoCache(runCommands) + stage := input.document[i].command[name] + from_command := dockerLib.get_original_from_command(stage) result := { "documentId": input.document[i].id, - "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, command.Original]), + "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, command.Original]), "issueType": "IncorrectValue", "keyExpectedValue": "'RUN' should not contain 'apk add' command without '--no-cache' switch", "keyActualValue": "'RUN' contains 'apk add' command without '--no-cache' switch", diff --git a/assets/queries/dockerfile/apk_add_using_local_cache_path/test/negative3.dockerfile b/assets/queries/dockerfile/apk_add_using_local_cache_path/test/negative3.dockerfile new file mode 100644 index 00000000000..0d45df135fd --- /dev/null +++ b/assets/queries/dockerfile/apk_add_using_local_cache_path/test/negative3.dockerfile @@ -0,0 +1,7 @@ +from gliderlabs/alpine:3.3 +run apk add --no-cache python +workdir /app +onbuild COPY . /app +onbuild RUN virtualenv /env && /env/bin/pip install -r /app/requirements.txt +expose 8080 +cmd ["/env/bin/python", "main.py"] \ No newline at end of file diff --git a/assets/queries/dockerfile/apk_add_using_local_cache_path/test/positive3.dockerfile b/assets/queries/dockerfile/apk_add_using_local_cache_path/test/positive3.dockerfile new file mode 100644 index 00000000000..767cb6d1e26 --- /dev/null +++ b/assets/queries/dockerfile/apk_add_using_local_cache_path/test/positive3.dockerfile @@ -0,0 +1,7 @@ +from gliderlabs/alpine:3.3 +run apk add --update-cache python +workdir /app +onbuild COPY . /app +onbuild RUN virtualenv /env && /env/bin/pip install -r /app/requirements.txt +expose 8080 +cmd ["/env/bin/python", "main.py"] \ No newline at end of file 
diff --git a/assets/queries/dockerfile/apk_add_using_local_cache_path/test/positive_expected_result.json b/assets/queries/dockerfile/apk_add_using_local_cache_path/test/positive_expected_result.json index ab094181dbb..2cf0bb0d814 100644 --- a/assets/queries/dockerfile/apk_add_using_local_cache_path/test/positive_expected_result.json +++ b/assets/queries/dockerfile/apk_add_using_local_cache_path/test/positive_expected_result.json @@ -10,5 +10,11 @@ "severity": "INFO", "line": 2, "fileName": "positive2.dockerfile" + }, + { + "queryName": "Apk Add Using Local Cache Path", + "severity": "INFO", + "line": 2, + "fileName": "positive3.dockerfile" } -] +] \ No newline at end of file diff --git a/assets/queries/dockerfile/apt_get_install_lists_were_not_deleted/query.rego b/assets/queries/dockerfile/apt_get_install_lists_were_not_deleted/query.rego index f39c4336de0..428a344be3f 100644 --- a/assets/queries/dockerfile/apt_get_install_lists_were_not_deleted/query.rego +++ b/assets/queries/dockerfile/apt_get_install_lists_were_not_deleted/query.rego @@ -1,5 +1,7 @@ package Cx +import data.generic.dockerfile as dockerLib + CxPolicy[result] { resource := input.document[i].command[name][_] resource.Cmd == "run" @@ -10,9 +12,11 @@ CxPolicy[result] { not hasClean(resource.Value[0], aptGet[0]) + stage := input.document[i].command[name] + from_command := dockerLib.get_original_from_command(stage) result := { "documentId": input.document[i].id, - "searchKey": sprintf("FROM={{%s}}.RUN={{%s}}", [name, commands]), + "searchKey": sprintf("%s={{%s}}.RUN={{%s}}", [from_command, name, commands]), "issueType": "IncorrectValue", #"MissingAttribute" / "RedundantAttribute" "keyExpectedValue": "After using apt-get install, the apt-get lists should be deleted", "keyActualValue": "After using apt-get install, the apt-get lists were not deleted", 
diff --git a/assets/queries/dockerfile/apt_get_install_lists_were_not_deleted/test/negative3.dockerfile b/assets/queries/dockerfile/apt_get_install_lists_were_not_deleted/test/negative3.dockerfile new file mode 100644 index 00000000000..defd66e3610 --- /dev/null +++ b/assets/queries/dockerfile/apt_get_install_lists_were_not_deleted/test/negative3.dockerfile @@ -0,0 +1,15 @@ +from busyboxneg1 +run apt-get update && apt-get install --no-install-recommends -y python \ + && apt-get clean \ + && rm -rf /var/lib/apt/lists/* + +from busyboxneg2 +run apt-get update && apt-get install --no-install-recommends -y python && apt-get clean + +from busyboxneg3 +run apt-get update && apt-get install --no-install-recommends -y python \ + && apt-get clean + +from busyboxneg4 +run apt-get update && apt-get install --no-install-recommends -y python \ + && rm -rf /var/lib/apt/lists/* diff --git a/assets/queries/dockerfile/apt_get_install_lists_were_not_deleted/test/positive3.dockerfile b/assets/queries/dockerfile/apt_get_install_lists_were_not_deleted/test/positive3.dockerfile new file mode 100644 index 00000000000..bc2347439ef --- /dev/null +++ b/assets/queries/dockerfile/apt_get_install_lists_were_not_deleted/test/positive3.dockerfile @@ -0,0 +1,14 @@ +from busybox1 +run apt-get update && apt-get install --no-install-recommends -y python + +from busybox2 +run apt-get install python + +from busybox3 +run apt-get update && apt-get install --no-install-recommends -y python +run rm -rf /var/lib/apt/lists/* + +from busybox4 +run apt-get update && apt-get install --no-install-recommends -y python +run rm -rf /var/lib/apt/lists/* +run apt-get clean diff --git a/assets/queries/dockerfile/apt_get_install_lists_were_not_deleted/test/positive_expected_result.json b/assets/queries/dockerfile/apt_get_install_lists_were_not_deleted/test/positive_expected_result.json index ab1370df2dd..2428b814a66 100644 
--- a/assets/queries/dockerfile/apt_get_install_lists_were_not_deleted/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/apt_get_install_lists_were_not_deleted/test/positive_expected_result.json
@@ -1,32 +1,56 @@
 [
- {
- "queryName": "Apt Get Install Lists Were Not Deleted",
- "severity": "INFO",
- "line": 2,
- "fileName": "positive.dockerfile"
- },
- {
- "queryName": "Apt Get Install Lists Were Not Deleted",
- "severity": "INFO",
- "line": 5,
- "fileName": "positive.dockerfile"
- },
- {
- "queryName": "Apt Get Install Lists Were Not Deleted",
- "severity": "INFO",
- "line": 8,
- "fileName": "positive.dockerfile"
- },
- {
- "queryName": "Apt Get Install Lists Were Not Deleted",
- "severity": "INFO",
- "line": 12,
- "fileName": "positive.dockerfile"
- },
- {
- "queryName": "Apt Get Install Lists Were Not Deleted",
- "severity": "INFO",
- "line": 2,
- "fileName": "positive2.dockerfile"
- }
-]
+ {
+ "queryName": "Apt Get Install Lists Were Not Deleted",
+ "severity": "INFO",
+ "line": 2,
+ "fileName": "positive.dockerfile"
+ },
+ {
+ "queryName": "Apt Get Install Lists Were Not Deleted",
+ "severity": "INFO",
+ "line": 5,
+ "fileName": "positive.dockerfile"
+ },
+ {
+ "queryName": "Apt Get Install Lists Were Not Deleted",
+ "severity": "INFO",
+ "line": 8,
+ "fileName": "positive.dockerfile"
+ },
+ {
+ "queryName": "Apt Get Install Lists Were Not Deleted",
+ "severity": "INFO",
+ "line": 12,
+ "fileName": "positive.dockerfile"
+ },
+ {
+ "queryName": "Apt Get Install Lists Were Not Deleted",
+ "severity": "INFO",
+ "line": 2,
+ "fileName": "positive2.dockerfile"
+ },
+ {
+ "queryName": "Apt Get Install Lists Were Not Deleted",
+ "severity": "INFO",
+ "line": 5,
+ "fileName": "positive2.dockerfile"
+ },
+ {
+ "queryName": "Apt Get Install Lists Were Not Deleted",
+ "severity": "INFO",
+ "line": 8,
+ "fileName": "positive2.dockerfile"
+ },
+ {
+ "queryName": "Apt Get Install Lists Were Not Deleted",
+ "severity": "INFO",
+ "line": 12,
+ "fileName": "positive2.dockerfile"
+ },
+ {
+ "queryName": "Apt Get Install Lists Were Not Deleted",
+ "severity": "INFO",
+ "line": 2,
+ "fileName": "positive3.dockerfile"
+ }
+]
\ No newline at end of file
diff --git a/assets/queries/dockerfile/apt_get_install_pin_version_not_defined/query.rego b/assets/queries/dockerfile/apt_get_install_pin_version_not_defined/query.rego index f1637cf3309..9c8d8e73543 100644 --- a/assets/queries/dockerfile/apt_get_install_pin_version_not_defined/query.rego +++ b/assets/queries/dockerfile/apt_get_install_pin_version_not_defined/query.rego @@ -18,9 +18,11 @@ CxPolicy[result] { packageName := packages[j] analyzePackages(j, packageName, packages, length) + stage := input.document[i].command[name] + from_command := dockerLib.get_original_from_command(stage) result := { "documentId": input.document[i].id, - "searchKey": sprintf("FROM={{%s}}.RUN={{%s}}", [name, commands]), + "searchKey": sprintf("%s={{%s}}.RUN={{%s}}", [from_command, name, commands]), "searchValue": packageName, "issueType": "MissingAttribute", "keyExpectedValue": sprintf("Package '%s' has version defined", [packageName]), @@ -44,9 +46,11 @@ CxPolicy[result] { regex.match("^[a-zA-Z]", packageName) == true not dockerLib.withVersion(packageName) + stage := input.document[i].command[name] + from_command := dockerLib.get_original_from_command(stage) result := { "documentId": input.document[i].id, - "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]), + "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, resource.Original]), "searchValue": packageName, "issueType": "IncorrectValue", "keyExpectedValue": sprintf("Package '%s' has version defined", [packageName]), diff --git a/assets/queries/dockerfile/apt_get_install_pin_version_not_defined/test/negative4.dockerfile b/assets/queries/dockerfile/apt_get_install_pin_version_not_defined/test/negative4.dockerfile new file mode 100644 index 00000000000..6935edccbec --- /dev/null +++ b/assets/queries/dockerfile/apt_get_install_pin_version_not_defined/test/negative4.dockerfile @@ -0,0 +1,2 @@ +from busybox +run apt-get install python=2.7 \ No newline at end of file 
diff --git a/assets/queries/dockerfile/apt_get_install_pin_version_not_defined/test/positive3.dockerfile b/assets/queries/dockerfile/apt_get_install_pin_version_not_defined/test/positive3.dockerfile new file mode 100644 index 00000000000..eea397c247c --- /dev/null +++ b/assets/queries/dockerfile/apt_get_install_pin_version_not_defined/test/positive3.dockerfile @@ -0,0 +1,14 @@ +from busybox +run apt-get install python +run ["apt-get", "install", "python"] + +from busybox2 +run apt-get install -y -t python + +from busybox3 +run apt-get update && apt-get install -y \ + python-qt4 \ + python-pyside \ + python-pip \ + python3-pip \ + python3-pyqt5 diff --git a/assets/queries/dockerfile/apt_get_install_pin_version_not_defined/test/positive_expected_result.json b/assets/queries/dockerfile/apt_get_install_pin_version_not_defined/test/positive_expected_result.json index f2afe4b4ae2..e726c0c30ec 100644 --- a/assets/queries/dockerfile/apt_get_install_pin_version_not_defined/test/positive_expected_result.json +++ b/assets/queries/dockerfile/apt_get_install_pin_version_not_defined/test/positive_expected_result.json 
@@ -94,5 +94,53 @@
 "severity": "MEDIUM",
 "line": 9,
 "fileName": "positive2.dockerfile"
+ },
+ {
+ "queryName": "Apt Get Install Pin Version Not Defined",
+ "severity": "MEDIUM",
+ "line": 2,
+ "fileName": "positive3.dockerfile"
+ },
+ {
+ "queryName": "Apt Get Install Pin Version Not Defined",
+ "severity": "MEDIUM",
+ "line": 3,
+ "fileName": "positive3.dockerfile"
+ },
+ {
+ "queryName": "Apt Get Install Pin Version Not Defined",
+ "severity": "MEDIUM",
+ "line": 6,
+ "fileName": "positive3.dockerfile"
+ },
+ {
+ "queryName": "Apt Get Install Pin Version Not Defined",
+ "severity": "MEDIUM",
+ "line": 9,
+ "fileName": "positive3.dockerfile"
+ },
+ {
+ "queryName": "Apt Get Install Pin Version Not Defined",
+ "severity": "MEDIUM",
+ "line": 9,
+ "fileName": "positive3.dockerfile"
+ },
+ {
+ "queryName": "Apt Get Install Pin Version Not Defined",
+ "severity": "MEDIUM",
+ "line": 9,
+ "fileName": "positive3.dockerfile"
+ },
+ {
+ "queryName": "Apt Get Install Pin Version Not Defined",
+ "severity": "MEDIUM",
+ "line": 9,
+ "fileName": "positive3.dockerfile"
+ },
+ {
+ "queryName": "Apt Get Install Pin Version Not Defined",
+ "severity": "MEDIUM",
+ "line": 9,
+ "fileName": "positive3.dockerfile"
 }
 ]
diff --git a/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/query.rego b/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/query.rego
index 251c8de4840..e7755c63964 100644
--- a/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/query.rego
+++ b/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/query.rego
@@ -15,9 +15,11 @@ CxPolicy[result] { not avoidManualInput(command) + stage := input.document[i].command[name] + from_command := dockerLib.get_original_from_command(stage) result := { "documentId": input.document[i].id, - "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]), + "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, resource.Original]), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("{{%s}} should avoid manual input", [resource.Original]), "keyActualValue": sprintf("{{%s}} doesn't avoid manual input", [resource.Original]), @@ -36,7 +38,7 @@ CxPolicy[result] { result := { "documentId": input.document[i].id, - "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]), + "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, resource.Original]), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("{{%s}} should avoid manual input", [resource.Original]), "keyActualValue": sprintf("{{%s}} doesn't avoid manual input", [resource.Original]), diff --git a/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/negative9.dockerfile b/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/negative9.dockerfile new file mode 100644 index 00000000000..6e921a95752 --- /dev/null +++ b/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/negative9.dockerfile @@ -0,0 +1,4 @@ +from node:12 +run apt-get -y install apt-utils +run apt-get -qy install git gcc +run ["apt-get", "-y", "install", "apt-utils"] diff --git a/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/positive8.dockerfile b/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/positive8.dockerfile new file mode 100644 index 00000000000..1bf13042873 --- /dev/null +++ b/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/positive8.dockerfile 
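Review bot: In the second rule (`@@ -36,7 +38,7 @@`) the `searchKey` line now references `from_command`, but unlike the first rule this hunk adds no `stage := input.document[i].command[name]` / `from_command := dockerLib.get_original_from_command(stage)` binding before `result := {`, and the line preceding `result` is a blank context line. Unless `from_command` is bound earlier in that rule body (outside the hunk), OPA rejects the module with an unsafe-variable error and the whole query stops producing results. The same two lines used in the first hunk, and in both rules of apt_get_not_avoiding_additional_packages at the matching spot, should be inserted before `result := {`. Both rule bodies begin outside their hunks.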
@@ -0,0 +1,4 @@
+from node:12
+run apt-get install python=2.7
+run apt-get install apt-utils
+run ["apt-get", "install", "apt-utils"]
diff --git a/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/positive_expected_result.json b/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/positive_expected_result.json
index eb501cf7739..07ff384695a 100644
--- a/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/positive_expected_result.json
@@ -1,92 +1,110 @@ [ - { - "queryName": "APT-GET Missing Flags To Avoid Manual Input", - "severity": "LOW", - "line": 2, - "filename": "positive1.dockerfile" - }, - { - "queryName": "APT-GET Missing Flags To Avoid Manual Input", - "severity": "LOW", - "line": 3, - "filename": "positive1.dockerfile" - }, - { - "queryName": "APT-GET Missing Flags To Avoid Manual Input", - "severity": "LOW", - "line": 4, - "filename": "positive1.dockerfile" - }, - { - "queryName": "APT-GET Missing Flags To Avoid Manual Input", - "severity": "LOW", - "line": 2, - "filename": "positive2.dockerfile" - }, - { - "queryName": "APT-GET Missing Flags To Avoid Manual Input", - "severity": "LOW", - "line": 3, - "filename": "positive2.dockerfile" - }, - { - "queryName": "APT-GET Missing Flags To Avoid Manual Input", - "severity": "LOW", - "line": 4, - "filename": "positive2.dockerfile" - }, - { - "queryName": "APT-GET Missing Flags To Avoid Manual Input", - "severity": "LOW", - "line": 2, - "filename": "positive3.dockerfile" - }, - { - "queryName": "APT-GET Missing Flags To Avoid Manual Input", - "severity": "LOW", - "line": 2, - "filename": "positive4.dockerfile" - }, - { - "queryName": "APT-GET Missing Flags To Avoid Manual Input", - "severity": "LOW", - "line": 3, - "filename": "positive4.dockerfile" - }, - { - "queryName": "APT-GET Missing Flags To Avoid Manual Input", - "severity": "LOW", - "line": 3, - "filename": "positive5.dockerfile" - }, - { - "queryName": "APT-GET Missing Flags To Avoid Manual Input", - "severity": "LOW", - "line": 2, - "filename": "positive5.dockerfile" - }, - { - "queryName": "APT-GET Missing Flags To Avoid Manual Input", - "severity": "LOW", - "line": 3, - "filename": "positive6.dockerfile" - }, - { - "queryName": "APT-GET Missing Flags To Avoid Manual Input", - "severity": "LOW", - "line": 2, - "filename": "positive6.dockerfile" - }, - { - "queryName": "APT-GET Missing Flags To Avoid Manual Input", - "severity": "LOW", - "line": 3, - "filename": 
"positive7.dockerfile" - }, - { - "queryName": "APT-GET Missing Flags To Avoid Manual Input", - "severity": "LOW", - "line": 2, - "filename": "positive7.dockerfile" - } + { + "queryName": "APT-GET Missing Flags To Avoid Manual Input", + "severity": "LOW", + "line": 2, + "filename": "positive1.dockerfile" + }, + { + "queryName": "APT-GET Missing Flags To Avoid Manual Input", + "severity": "LOW", + "line": 3, + "filename": "positive1.dockerfile" + }, + { + "queryName": "APT-GET Missing Flags To Avoid Manual Input", + "severity": "LOW", + "line": 4, + "filename": "positive1.dockerfile" + }, + { + "queryName": "APT-GET Missing Flags To Avoid Manual Input", + "severity": "LOW", + "line": 2, + "filename": "positive2.dockerfile" + }, + { + "queryName": "APT-GET Missing Flags To Avoid Manual Input", + "severity": "LOW", + "line": 3, + "filename": "positive2.dockerfile" + }, + { + "queryName": "APT-GET Missing Flags To Avoid Manual Input", + "severity": "LOW", + "line": 4, + "filename": "positive2.dockerfile" + }, + { + "queryName": "APT-GET Missing Flags To Avoid Manual Input", + "severity": "LOW", + "line": 2, + "filename": "positive3.dockerfile" + }, + { + "queryName": "APT-GET Missing Flags To Avoid Manual Input", + "severity": "LOW", + "line": 2, + "filename": "positive4.dockerfile" + }, + { + "queryName": "APT-GET Missing Flags To Avoid Manual Input", + "severity": "LOW", + "line": 3, + "filename": "positive4.dockerfile" + }, + { + "queryName": "APT-GET Missing Flags To Avoid Manual Input", + "severity": "LOW", + "line": 3, + "filename": "positive5.dockerfile" + }, + { + "queryName": "APT-GET Missing Flags To Avoid Manual Input", + "severity": "LOW", + "line": 2, + "filename": "positive5.dockerfile" + }, + { + "queryName": "APT-GET Missing Flags To Avoid Manual Input", + "severity": "LOW", + "line": 3, + "filename": "positive6.dockerfile" + }, + { + "queryName": "APT-GET Missing Flags To Avoid Manual Input", + "severity": "LOW", + "line": 2, + "filename": 
"positive6.dockerfile" + }, + { + "queryName": "APT-GET Missing Flags To Avoid Manual Input", + "severity": "LOW", + "line": 3, + "filename": "positive7.dockerfile" + }, + { + "queryName": "APT-GET Missing Flags To Avoid Manual Input", + "severity": "LOW", + "line": 2, + "filename": "positive7.dockerfile" + }, + { + "queryName": "APT-GET Missing Flags To Avoid Manual Input", + "severity": "LOW", + "line": 2, + "filename": "positive8.dockerfile" + }, + { + "queryName": "APT-GET Missing Flags To Avoid Manual Input", + "severity": "LOW", + "line": 3, + "filename": "positive8.dockerfile" + }, + { + "queryName": "APT-GET Missing Flags To Avoid Manual Input", + "severity": "LOW", + "line": 4, + "filename": "positive8.dockerfile" + } ] \ No newline at end of file diff --git a/assets/queries/dockerfile/apt_get_not_avoiding_additional_packages/query.rego b/assets/queries/dockerfile/apt_get_not_avoiding_additional_packages/query.rego index c405fd7f93c..826186998df 100644 --- a/assets/queries/dockerfile/apt_get_not_avoiding_additional_packages/query.rego +++ b/assets/queries/dockerfile/apt_get_not_avoiding_additional_packages/query.rego @@ -15,9 +15,11 @@ CxPolicy[result] { regex.match("apt-get (-(-)?[a-zA-Z]+ *)*install", commandsSplit[j]) == true not avoidAdditionalPackages(commandsSplit[j]) + stage := input.document[i].command[name] + from_command := dockerLib.get_original_from_command(stage) result := { "documentId": input.document[i].id, - "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]), + "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, resource.Original]), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("'%s' uses '--no-install-recommends' flag to avoid installing additional packages", [resource.Original]), "keyActualValue": sprintf("'%s' does not use '--no-install-recommends' flag to avoid installing additional packages", [resource.Original]), 
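Review bot: The rewritten array keeps the key `"filename"` on every entry, including the three new `"filename": "positive8.dockerfile"` ones, whereas the expected-result files touched elsewhere in this patch (add_instead_of_copy, apk_add_using_local_cache_path, apt_get_install_lists_were_not_deleted, chown_flag_exists) use `"fileName"`. If the test harness binds the field as `fileName` with an exact match, the per-file assertions here and in changing_default_shell_using_run_command/test/positive_expected_result.json (which also keeps `"filename"`) never constrain anything, and the positive8 entries would pass regardless of which fixture reported them; if it matches case-insensitively the difference is only cosmetic, but that is worth confirming. Since the whole array was re-indented in this hunk anyway, renaming to `"fileName"` costs nothing. The same hunk also drops the file's trailing newline (`\ No newline at end of file`), which the other rewritten JSON files in this patch do as well.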
@@ -37,9 +39,11 @@ CxPolicy[result] { not avoidAdditionalPackages(commands) + stage := input.document[i].command[name] + from_command := dockerLib.get_original_from_command(stage) result := { "documentId": input.document[i].id, - "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]), + "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, resource.Original]), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("'%s' uses '--no-install-recommends' flag to avoid installing additional packages", [resource.Original]), "keyActualValue": sprintf("'%s' does not use '--no-install-recommends' flag to avoid installing additional packages", [resource.Original]), diff --git a/assets/queries/dockerfile/apt_get_not_avoiding_additional_packages/test/negative2.dockerfile b/assets/queries/dockerfile/apt_get_not_avoiding_additional_packages/test/negative2.dockerfile new file mode 100644 index 00000000000..f9aafcc4b01 --- /dev/null +++ b/assets/queries/dockerfile/apt_get_not_avoiding_additional_packages/test/negative2.dockerfile @@ -0,0 +1,4 @@ +from node:12 +run apt-get --no-install-recommends install apt-utils +run ["apt-get", "apt::install-recommends=false", "install", "apt-utils"] + diff --git a/assets/queries/dockerfile/apt_get_not_avoiding_additional_packages/test/positive2.dockerfile b/assets/queries/dockerfile/apt_get_not_avoiding_additional_packages/test/positive2.dockerfile new file mode 100644 index 00000000000..216835726a1 --- /dev/null +++ b/assets/queries/dockerfile/apt_get_not_avoiding_additional_packages/test/positive2.dockerfile @@ -0,0 +1,3 @@ +from node:12 +run apt-get install apt-utils +run ["apt-get", "install", "apt-utils"] \ No newline at end of file diff --git a/assets/queries/dockerfile/apt_get_not_avoiding_additional_packages/test/positive_expected_result.json b/assets/queries/dockerfile/apt_get_not_avoiding_additional_packages/test/positive_expected_result.json index 224923adbc5..d8e2514a366 100644 
--- a/assets/queries/dockerfile/apt_get_not_avoiding_additional_packages/test/positive_expected_result.json +++ b/assets/queries/dockerfile/apt_get_not_avoiding_additional_packages/test/positive_expected_result.json @@ -2,11 +2,25 @@ { "queryName": "APT-GET Not Avoiding Additional Packages", "severity": "INFO", - "line": 2 + "line": 2, + "fileName": "positive.dockerfile" }, { "queryName": "APT-GET Not Avoiding Additional Packages", "severity": "INFO", - "line": 3 + "line": 3, + "fileName": "positive.dockerfile" + }, + { + "queryName": "APT-GET Not Avoiding Additional Packages", + "severity": "INFO", + "line": 2, + "fileName": "positive2.dockerfile" + }, + { + "queryName": "APT-GET Not Avoiding Additional Packages", + "severity": "INFO", + "line": 3, + "fileName": "positive2.dockerfile" } -] +] \ No newline at end of file diff --git a/assets/queries/dockerfile/changing_default_shell_using_run_command/query.rego b/assets/queries/dockerfile/changing_default_shell_using_run_command/query.rego index 9e602aec2cd..f34397f90ca 100644 --- a/assets/queries/dockerfile/changing_default_shell_using_run_command/query.rego +++ b/assets/queries/dockerfile/changing_default_shell_using_run_command/query.rego @@ -1,6 +1,7 @@ package Cx import data.generic.common as common_lib +import data.generic.dockerfile as dockerLib shell_possibilities := { "/bin/bash", 
@@ -28,10 +29,12 @@ CxPolicy[result] { command_possibilities := {"mv", "chsh", "usermod", "ln"} command == command_possibilities[cp] + stage := input.document[i].command[name] + from_command := dockerLib.get_original_from_command(stage) result := { "debug": sprintf("%s", [value[v]]), "documentId": input.document[i].id, - "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]), + "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, resource.Original]), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("{{%s}} should use the SHELL command to change the default shell", [resource.Original]), "keyActualValue": sprintf("{{%s}} uses the RUN command to change the default shell", [resource.Original]), @@ -46,9 +49,11 @@ CxPolicy[result] { command := run_values[0] contains(command, "powershell") + stage := input.document[i].command[name] + from_command := dockerLib.get_original_from_command(stage) result := { "documentId": input.document[i].id, - "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]), + "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, resource.Original]), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("{{%s}} should use the SHELL command to change the default shell", [resource.Original]), "keyActualValue": sprintf("{{%s}} uses the RUN command to change the default shell", [resource.Original]), diff --git a/assets/queries/dockerfile/changing_default_shell_using_run_command/test/negative5.dockerfile b/assets/queries/dockerfile/changing_default_shell_using_run_command/test/negative5.dockerfile new file mode 100644 index 00000000000..ea91f7d74d7 --- /dev/null +++ b/assets/queries/dockerfile/changing_default_shell_using_run_command/test/negative5.dockerfile 
@@ -0,0 +1,11 @@ +from alpine:3.5 +run apk add --update py2-pip +run sudo yum install -y bundler +run yum install +shell ["/bin/bash", "-c"] +copy requirements.txt /usr/src/app/ +run pip install --no-cache-dir -r /usr/src/app/requirements.txt +copy app.py /usr/src/app/ +copy templates/index.html /usr/src/app/templates/ +expose 5000 +cmd ["python", "/usr/src/app/app.py"] diff --git a/assets/queries/dockerfile/changing_default_shell_using_run_command/test/positive3.dockerfile b/assets/queries/dockerfile/changing_default_shell_using_run_command/test/positive3.dockerfile new file mode 100644 index 00000000000..d3ce857b5f9 --- /dev/null +++ b/assets/queries/dockerfile/changing_default_shell_using_run_command/test/positive3.dockerfile @@ -0,0 +1,11 @@ +from alpine:3.5 +run apk add --update py2-pip +run sudo yum install -y bundler +run yum install +run ln -sfv /bin/bash /bin/sh +copy requirements.txt /usr/src/app/ +run pip install --no-cache-dir -r /usr/src/app/requirements.txt +copy app.py /usr/src/app/ +copy templates/index.html /usr/src/app/templates/ +expose 5000 +cmd ["python", "/usr/src/app/app.py"] diff --git a/assets/queries/dockerfile/changing_default_shell_using_run_command/test/positive_expected_result.json b/assets/queries/dockerfile/changing_default_shell_using_run_command/test/positive_expected_result.json index c9854941220..fc1d3dcbf58 100644 --- a/assets/queries/dockerfile/changing_default_shell_using_run_command/test/positive_expected_result.json +++ b/assets/queries/dockerfile/changing_default_shell_using_run_command/test/positive_expected_result.json @@ -10,5 +10,11 @@ "severity": "MEDIUM", "line": 5, "filename": "positive2.dockerfile" + }, + { + "queryName": "Changing Default Shell Using RUN Command", + "severity": "MEDIUM", + "line": 5, + "filename": "positive3.dockerfile" } -] +] \ No newline at end of file 
diff --git a/assets/queries/dockerfile/chown_flag_exists/query.rego b/assets/queries/dockerfile/chown_flag_exists/query.rego index 622837f5237..f6083662984 100644 --- a/assets/queries/dockerfile/chown_flag_exists/query.rego +++ b/assets/queries/dockerfile/chown_flag_exists/query.rego @@ -1,13 +1,16 @@ package Cx +import data.generic.dockerfile as dockerLib + CxPolicy[result] { resource := input.document[i].command[name] contains(resource[j].Flags[f], "--chown") + from_command := dockerLib.get_original_from_command(resource) result := { "documentId": input.document[i].id, - "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource[j].Original]), + "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, resource[j].Original]), "category": "Best Practices", "issueType": "IncorrectValue", "keyExpectedValue": "The 'Dockerfile' shouldn´t contain the 'chown' flag", diff --git a/assets/queries/dockerfile/chown_flag_exists/test/negative2.dockerfile b/assets/queries/dockerfile/chown_flag_exists/test/negative2.dockerfile new file mode 100644 index 00000000000..4edd7678daa --- /dev/null +++ b/assets/queries/dockerfile/chown_flag_exists/test/negative2.dockerfile @@ -0,0 +1,7 @@ +from python:3.7 +run pip install Flask==0.11.1 +run useradd -ms /bin/bash patrick +copy app /app +workdir /app +user patrick +cmd ["python", "app.py"] diff --git a/assets/queries/dockerfile/chown_flag_exists/test/positive2.dockerfile b/assets/queries/dockerfile/chown_flag_exists/test/positive2.dockerfile new file mode 100644 index 00000000000..7da67f57278 --- /dev/null +++ b/assets/queries/dockerfile/chown_flag_exists/test/positive2.dockerfile @@ -0,0 +1,7 @@ +from python:3.7 +run pip install Flask==0.11.1 +run useradd -ms /bin/bash patrick +copy --chown=patrick:patrick app /app +workdir /app +user patrick +cmd ["python", "app.py"] 
diff --git a/assets/queries/dockerfile/chown_flag_exists/test/positive_expected_result.json b/assets/queries/dockerfile/chown_flag_exists/test/positive_expected_result.json index 41cc05a4a3d..fa9e309eba9 100644 --- a/assets/queries/dockerfile/chown_flag_exists/test/positive_expected_result.json +++ b/assets/queries/dockerfile/chown_flag_exists/test/positive_expected_result.json @@ -1,7 +1,14 @@ [ - { - "queryName": "Chown Flag Exists", - "severity": "LOW", - "line": 4 - } -] + { + "queryName": "Chown Flag Exists", + "severity": "LOW", + "line": 4, + "fileName": "positive.dockerfile" + }, + { + "queryName": "Chown Flag Exists", + "severity": "LOW", + "line": 4, + "fileName": "positive2.dockerfile" + } +] \ No newline at end of file diff --git a/assets/queries/dockerfile/copy_from_references_current_from_alias/query.rego b/assets/queries/dockerfile/copy_from_references_current_from_alias/query.rego index 533dcc77be4..63fbfc3417b 100644 --- a/assets/queries/dockerfile/copy_from_references_current_from_alias/query.rego +++ b/assets/queries/dockerfile/copy_from_references_current_from_alias/query.rego @@ -1,5 +1,7 @@ package Cx +import data.generic.dockerfile as dockerLib + CxPolicy[result] { resource := input.document[i].command[name][_] resource.Cmd == "copy" @@ -9,9 +11,11 @@ CxPolicy[result] { isAliasCurrentFromAlias(name, aux_split[1]) + stage := input.document[i].command[name] + from_command := dockerLib.get_original_from_command(stage) result := { "documentId": input.document[i].id, - "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]), + "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, resource.Original]), "issueType": "IncorrectValue", "keyExpectedValue": "COPY --from should not reference the current FROM alias", "keyActualValue": "COPY --from references the current FROM alias", 
diff --git a/assets/queries/dockerfile/copy_from_references_current_from_alias/test/negative2.dockerfile b/assets/queries/dockerfile/copy_from_references_current_from_alias/test/negative2.dockerfile new file mode 100644 index 00000000000..c38778c6031 --- /dev/null +++ b/assets/queries/dockerfile/copy_from_references_current_from_alias/test/negative2.dockerfile @@ -0,0 +1,12 @@ +from golang:1.7.3 AS builder +workdir /go/src/github.com/foo/href-counter/ +run go get -d -v golang.org/x/net/html +copy app.go . +run CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app . + +# another dockerfile +from alpine:latest +run apk --no-cache add ca-certificates +workdir /root/ +copy --from=builder /go/src/github.com/foo/href-counter/app . +cmd ["./app"] diff --git a/assets/queries/dockerfile/copy_from_references_current_from_alias/test/positive2.dockerfile b/assets/queries/dockerfile/copy_from_references_current_from_alias/test/positive2.dockerfile new file mode 100644 index 00000000000..1ef6617540f --- /dev/null +++ b/assets/queries/dockerfile/copy_from_references_current_from_alias/test/positive2.dockerfile @@ -0,0 +1,3 @@ +from myimage:tag as dep +copy --from=dep /binary / +run dir c:\ \ No newline at end of file diff --git a/assets/queries/dockerfile/copy_from_references_current_from_alias/test/positive_expected_result.json b/assets/queries/dockerfile/copy_from_references_current_from_alias/test/positive_expected_result.json index 0a577a86177..9e540dc9751 100644 --- a/assets/queries/dockerfile/copy_from_references_current_from_alias/test/positive_expected_result.json +++ b/assets/queries/dockerfile/copy_from_references_current_from_alias/test/positive_expected_result.json 
@@ -1,7 +1,14 @@
 [
- {
- "queryName": "COPY '--from' References Current FROM Alias",
- "severity": "LOW",
- "line": 2
- }
+ {
+ "queryName": "COPY '--from' References Current FROM Alias",
+ "severity": "LOW",
+ "line": 2,
+ "fileName": "positive.dockerfile"
+ },
+ {
+ "queryName": "COPY '--from' References Current FROM Alias",
+ "severity": "LOW",
+ "line": 2,
+ "fileName": "positive2.dockerfile"
+ }
 ]
\ No newline at end of file
diff --git a/assets/queries/dockerfile/copy_with_more_than_two_arguments_not_ending_with_slash/query.rego b/assets/queries/dockerfile/copy_with_more_than_two_arguments_not_ending_with_slash/query.rego
index c2ae55008f3..1f8ea2c0157 100644
--- a/assets/queries/dockerfile/copy_with_more_than_two_arguments_not_ending_with_slash/query.rego
+++ b/assets/queries/dockerfile/copy_with_more_than_two_arguments_not_ending_with_slash/query.rego
@@ -1,5 +1,7 @@
 package Cx
+import data.generic.dockerfile as dockerLib
+
 CxPolicy[result] {
 resource := input.document[i].command[name][_]
@@ -12,9 +14,11 @@ CxPolicy[result] {
 not endswith(command[minus(numElems, 1)], "/")
+ stage := input.document[i].command[name]
+ from_command := dockerLib.get_original_from_command(stage)
 result := {
 "documentId": input.document[i].id,
- "searchKey": sprintf("FROM={{%s}}.COPY={{%s}}", [name, resource.Value[0]]),
+ "searchKey": sprintf("%s={{%s}}.COPY={{%s}}", [from_command, name, resource.Value[0]]),
 "issueType": "IncorrectValue", #"MissingAttribute" / "RedundantAttribute"
 "keyExpectedValue": "When COPY command has more than two arguments, the last one should end with a slash",
 "keyActualValue": "COPY command has more than two arguments and the last one does not end with a slash",
diff --git a/assets/queries/dockerfile/copy_with_more_than_two_arguments_not_ending_with_slash/test/negative3.dockerfile b/assets/queries/dockerfile/copy_with_more_than_two_arguments_not_ending_with_slash/test/negative3.dockerfile
new file mode 100644
index 00000000000..1ed7dd5795b
--- /dev/null
+++ b/assets/queries/dockerfile/copy_with_more_than_two_arguments_not_ending_with_slash/test/negative3.dockerfile
@@ -0,0 +1,2 @@
+from node:carbon
+copy package.json yarn.lock my_app/
diff --git a/assets/queries/dockerfile/copy_with_more_than_two_arguments_not_ending_with_slash/test/positive2.dockerfile b/assets/queries/dockerfile/copy_with_more_than_two_arguments_not_ending_with_slash/test/positive2.dockerfile
new file mode 100644
index 00000000000..560ad97b040
--- /dev/null
+++ b/assets/queries/dockerfile/copy_with_more_than_two_arguments_not_ending_with_slash/test/positive2.dockerfile
@@ -0,0 +1,2 @@
+from node:carbon2
+copy package.json yarn.lock my_app
diff --git a/assets/queries/dockerfile/copy_with_more_than_two_arguments_not_ending_with_slash/test/positive_expected_result.json b/assets/queries/dockerfile/copy_with_more_than_two_arguments_not_ending_with_slash/test/positive_expected_result.json
index 2774ad6013d..3d381bcd233 100644
--- a/assets/queries/dockerfile/copy_with_more_than_two_arguments_not_ending_with_slash/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/copy_with_more_than_two_arguments_not_ending_with_slash/test/positive_expected_result.json
@@ -1,8 +1,14 @@
 [
- {
- "queryName": "Copy With More Than Two Arguments Not Ending With Slash",
- "severity": "LOW",
- "fileName": "positive.dockerfile",
- "line": 2
- }
+ {
+ "queryName": "Copy With More Than Two Arguments Not Ending With Slash",
+ "severity": "LOW",
+ "line": 2,
+ "fileName": "positive.dockerfile"
+ },
+ {
+ "queryName": "Copy With More Than Two Arguments Not Ending With Slash",
+ "severity": "LOW",
+ "line": 2,
+ "fileName": "positive2.dockerfile"
+ }
 ]
\ No newline at end of file
diff --git a/assets/queries/dockerfile/curl_or_wget_instead_of_add/query.rego b/assets/queries/dockerfile/curl_or_wget_instead_of_add/query.rego
index 7ebf5bccafa..075b290b7c9 100644
--- a/assets/queries/dockerfile/curl_or_wget_instead_of_add/query.rego
+++ b/assets/queries/dockerfile/curl_or_wget_instead_of_add/query.rego
@@ -1,13 +1,17 @@
 package Cx
+import data.generic.dockerfile as dockerLib
+
 CxPolicy[result] {
 resource := input.document[i].command[name][j]
 resource.Cmd == "add"
 httpRequestChecker(resource.Value)
+ stage := input.document[i].command[name]
+ from_command := dockerLib.get_original_from_command(stage)
 result := {
 "documentId": input.document[i].id,
- "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]),
+ "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, resource.Original]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("Should use 'curl' or 'wget' to download %s", [resource.Value[0]]),
 "keyActualValue": sprintf("'ADD' %s", [resource.Value[0]]),
diff --git a/assets/queries/dockerfile/curl_or_wget_instead_of_add/test/negative3.dockerfile b/assets/queries/dockerfile/curl_or_wget_instead_of_add/test/negative3.dockerfile
new file mode 100644
index 00000000000..8e78d88d5ae
--- /dev/null
+++ b/assets/queries/dockerfile/curl_or_wget_instead_of_add/test/negative3.dockerfile
@@ -0,0 +1,5 @@
+from openjdk:10-jdk
+run mkdir -p /usr/src/things \
+ && curl -SL https://example.com/big.tar.xz \
+ | tar -xJC /usr/src/things \
+ && make -C /usr/src/things all
diff --git a/assets/queries/dockerfile/curl_or_wget_instead_of_add/test/positive2.dockerfile b/assets/queries/dockerfile/curl_or_wget_instead_of_add/test/positive2.dockerfile
new file mode 100644
index 00000000000..df5300c56c5
--- /dev/null
+++ b/assets/queries/dockerfile/curl_or_wget_instead_of_add/test/positive2.dockerfile
@@ -0,0 +1,5 @@
+from openjdk:10-jdk
+volume /tmp
+add https://example.com/big.tar.xz /usr/src/things/
+run tar -xJf /usr/src/things/big.tar.xz -C /usr/src/things
+run make -C /usr/src/things all
diff --git a/assets/queries/dockerfile/curl_or_wget_instead_of_add/test/positive_expected_result.json b/assets/queries/dockerfile/curl_or_wget_instead_of_add/test/positive_expected_result.json
index 914f34a3b1a..1bca3e91498 100644
--- a/assets/queries/dockerfile/curl_or_wget_instead_of_add/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/curl_or_wget_instead_of_add/test/positive_expected_result.json
@@ -1,7 +1,14 @@
 [
- {
- "queryName": "Curl or Wget Instead of Add",
- "severity": "LOW",
- "line": 3
- }
-]
+ {
+ "queryName": "Curl or Wget Instead of Add",
+ "severity": "LOW",
+ "line": 3,
+ "fileName": "positive.dockerfile"
+ },
+ {
+ "queryName": "Curl or Wget Instead of Add",
+ "severity": "LOW",
+ "line": 3,
+ "fileName": "positive2.dockerfile"
+ }
+]
\ No newline at end of file
diff --git a/assets/queries/dockerfile/exposing_port_22/query.rego b/assets/queries/dockerfile/exposing_port_22/query.rego
index c8f8bcd0a95..9f4afdc3037 100644
--- a/assets/queries/dockerfile/exposing_port_22/query.rego
+++ b/assets/queries/dockerfile/exposing_port_22/query.rego
@@ -1,14 +1,18 @@
 package Cx
+import data.generic.dockerfile as dockerLib
+
 CxPolicy[result] {
 command := input.document[i].command[name][_]
 command.Cmd == "expose"
 to_number(command.Value[_]) == 22
+ stage := input.document[i].command[name]
+ from_command := dockerLib.get_original_from_command(stage)
 result := {
 "documentId": input.document[i].id,
- "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, command.Original]),
+ "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, command.Original]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "'EXPOSE' shouldn't contain the port 22 ",
 "keyActualValue": "'EXPOSE' contains the port 22 ",
diff --git a/assets/queries/dockerfile/exposing_port_22/test/negative2.dockerfile b/assets/queries/dockerfile/exposing_port_22/test/negative2.dockerfile
new file mode 100644
index 00000000000..08e4bcb2593
--- /dev/null
+++ b/assets/queries/dockerfile/exposing_port_22/test/negative2.dockerfile
@@ -0,0 +1,4 @@
+from gliderlabs/alpine:3.3
+run apk --no-cache add nginx
+expose 80
+cmd ["nginx", "-g", "daemon off;"]
diff --git a/assets/queries/dockerfile/exposing_port_22/test/positive2.dockerfile b/assets/queries/dockerfile/exposing_port_22/test/positive2.dockerfile
new file mode 100644
index 00000000000..328ffa1212b
--- /dev/null
+++ b/assets/queries/dockerfile/exposing_port_22/test/positive2.dockerfile
@@ -0,0 +1,4 @@
+from gliderlabs/alpine:3.3
+run apk --no-cache add nginx
+expose 3000 80 443 22
+cmd ["nginx", "-g", "daemon off;"]
diff --git a/assets/queries/dockerfile/exposing_port_22/test/positive_expected_result.json b/assets/queries/dockerfile/exposing_port_22/test/positive_expected_result.json
index 7c697fbb3e4..c5296736119 100644
--- a/assets/queries/dockerfile/exposing_port_22/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/exposing_port_22/test/positive_expected_result.json
@@ -1,7 +1,14 @@
 [
- {
- "queryName": "Exposing Port 22 (SSH)",
- "severity": "LOW",
- "line": 3
- }
-]
+ {
+ "queryName": "Exposing Port 22 (SSH)",
+ "severity": "LOW",
+ "line": 3,
+ "fileName": "positive.dockerfile"
+ },
+ {
+ "queryName": "Exposing Port 22 (SSH)",
+ "severity": "LOW",
+ "line": 3,
+ "fileName": "positive2.dockerfile"
+ }
+]
\ No newline at end of file
diff --git a/assets/queries/dockerfile/gem_install_without_version/query.rego b/assets/queries/dockerfile/gem_install_without_version/query.rego
index c4d76a64232..29f1ae6971e 100644
--- a/assets/queries/dockerfile/gem_install_without_version/query.rego
+++ b/assets/queries/dockerfile/gem_install_without_version/query.rego
@@ -18,9 +18,11 @@ CxPolicy[result] {
 some j
 analyzePackages(j, packages[j], packages, length)
+ stage := input.document[i].command[name]
+ from_command := dockerLib.get_original_from_command(stage)
 result := {
 "documentId": input.document[i].id,
- "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]),
+ "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, resource.Original]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("%s is 'gem install :'", [resource.Original]),
 "keyActualValue": sprintf("%s is 'gem install ', you should use 'gem install :", [resource.Original]),
@@ -40,9 +42,11 @@ CxPolicy[result] {
 regex.match("^[a-zA-Z]", resource.Value[j]) == true
 not dockerLib.withVersion(resource.Value[j])
+ stage := input.document[i].command[name]
+ from_command := dockerLib.get_original_from_command(stage)
 result := {
 "documentId": input.document[i].id,
- "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]),
+ "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, resource.Original]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("%s is 'gem install :'", [resource.Original]),
 "keyActualValue": sprintf("%s is 'gem install ', you should use 'gem install :", [resource.Original]),
diff --git a/assets/queries/dockerfile/gem_install_without_version/test/negative2.dockerfile b/assets/queries/dockerfile/gem_install_without_version/test/negative2.dockerfile
new file mode 100644
index 00000000000..a0b8b9cabb9
--- /dev/null
+++ b/assets/queries/dockerfile/gem_install_without_version/test/negative2.dockerfile
@@ -0,0 +1,13 @@
+from alpine:3.5
+run apk add --update py2-pip
+run gem install bundler:2.0.2
+run bundle install
+copy requirements.txt /usr/src/app/
+run pip install --no-cache-dir -r /usr/src/app/requirements.txt
+copy app.py /usr/src/app/
+copy templates/index.html /usr/src/app/templates/
+expose 5000
+cmd ["python", "/usr/src/app/app.py"]
+env GRPC_VERSION 1.0.0
+run gem install grpc -v ${GRPC_RUBY_VERSION}
+run gem install grpc:${GRPC_VERSION} grpc-tools:${GRPC_VERSION}
diff --git a/assets/queries/dockerfile/gem_install_without_version/test/positive2.dockerfile b/assets/queries/dockerfile/gem_install_without_version/test/positive2.dockerfile
new file mode 100644
index 00000000000..646f822efdb
--- /dev/null
+++ b/assets/queries/dockerfile/gem_install_without_version/test/positive2.dockerfile
@@ -0,0 +1,12 @@
+from alpine:3.5
+run apk add --update py2-pip
+run gem install bundler
+run ["gem", "install", "blunder"]
+run gem install grpc -v ${GRPC_RUBY_VERSION} blunder
+run bundle install
+copy requirements.txt /usr/src/app/
+run pip install --no-cache-dir -r /usr/src/app/requirements.txt
+copy app.py /usr/src/app/
+copy templates/index.html /usr/src/app/templates/
+expose 5000
+cmd ["python", "/usr/src/app/app.py"]
diff --git a/assets/queries/dockerfile/gem_install_without_version/test/positive_expected_result.json b/assets/queries/dockerfile/gem_install_without_version/test/positive_expected_result.json
index 9e0dc193dc6..d7bd07a860a 100644
--- a/assets/queries/dockerfile/gem_install_without_version/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/gem_install_without_version/test/positive_expected_result.json
@@ -1,17 +1,38 @@
 [
- {
- "queryName": "Gem Install Without Version",
- "severity": "MEDIUM",
- "line": 3
- },
- {
- "queryName": "Gem Install Without Version",
- "severity": "MEDIUM",
- "line": 4
- },
- {
- "queryName": "Gem Install Without Version",
- "severity": "MEDIUM",
- "line": 5
- }
-]
+ {
+ "queryName": "Gem Install Without Version",
+ "severity": "MEDIUM",
+ "line": 3,
+ "fileName": "positive.dockerfile"
+ },
+ {
+ "queryName": "Gem Install Without Version",
+ "severity": "MEDIUM",
+ "line": 4,
+ "fileName": "positive.dockerfile"
+ },
+ {
+ "queryName": "Gem Install Without Version",
+ "severity": "MEDIUM",
+ "line": 5,
+ "fileName": "positive.dockerfile"
+ },
+ {
+ "queryName": "Gem Install Without Version",
+ "severity": "MEDIUM",
+ "line": 3,
+ "fileName": "positive2.dockerfile"
+ },
+ {
+ "queryName": "Gem Install Without Version",
+ "severity": "MEDIUM",
+ "line": 4,
+ "fileName": "positive2.dockerfile"
+ },
+ {
+ "queryName": "Gem Install Without Version",
+ "severity": "MEDIUM",
+ "line": 5,
+ "fileName": "positive2.dockerfile"
+ }
+]
\ No newline at end of file
diff --git a/assets/queries/dockerfile/healthcheck_instruction_missing/query.rego b/assets/queries/dockerfile/healthcheck_instruction_missing/query.rego
index 7ac3f3bb857..fb3cc24e8ca 100644
--- a/assets/queries/dockerfile/healthcheck_instruction_missing/query.rego
+++ b/assets/queries/dockerfile/healthcheck_instruction_missing/query.rego
@@ -8,9 +8,10 @@ CxPolicy[result] {
 not contains(resource, "healthcheck")
+ from_command := dockerLib.get_original_from_command(resource)
 result := {
 "documentId": input.document[i].id,
- "searchKey": sprintf("FROM={{%s}}", [name]),
+ "searchKey": sprintf("%s={{%s}}", [from_command, name]),
 "issueType": "MissingAttribute",
 "keyExpectedValue": "Dockerfile should contain instruction 'HEALTHCHECK'",
 "keyActualValue": "Dockerfile doesn't contain instruction 'HEALTHCHECK'",
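Review bot: The healthcheck_instruction_missing hunk calls `dockerLib.get_original_from_command(resource)` but, unlike the other query files in this series, does not add `import data.generic.dockerfile as dockerLib`; the same applies to the last_user_is_root and missing_dnf_clean_all hunks. The import would sit above the hunk, so if it is already present in those files this is fine, but the diff does not show it and a missing import makes the whole rule fail to compile rather than just lose the prefix. Worth confirming that each of the three files has the `dockerLib` import at the top before merging. The enclosing rule body starts before the hunk.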
diff --git a/assets/queries/dockerfile/healthcheck_instruction_missing/test/negative3.dockerfile b/assets/queries/dockerfile/healthcheck_instruction_missing/test/negative3.dockerfile
new file mode 100644
index 00000000000..0924f1fdf1d
--- /dev/null
+++ b/assets/queries/dockerfile/healthcheck_instruction_missing/test/negative3.dockerfile
@@ -0,0 +1,8 @@
+from node:alpine
+workdir /usr/src/app
+copy package*.json ./
+run npm install
+copy . .
+expose 3000
+healthcheck CMD curl --fail http://localhost:3000 || exit 1
+cmd ["node","app.js"]
\ No newline at end of file
diff --git a/assets/queries/dockerfile/healthcheck_instruction_missing/test/positive3.dockerfile b/assets/queries/dockerfile/healthcheck_instruction_missing/test/positive3.dockerfile
new file mode 100644
index 00000000000..ac28ce39a10
--- /dev/null
+++ b/assets/queries/dockerfile/healthcheck_instruction_missing/test/positive3.dockerfile
@@ -0,0 +1,7 @@
+from node:alpine
+workdir /usr/src/app
+copy package*.json ./
+run npm install
+copy . .
+expose 3000
+cmd ["node","app.js"]
\ No newline at end of file
diff --git a/assets/queries/dockerfile/healthcheck_instruction_missing/test/positive_expected_result.json b/assets/queries/dockerfile/healthcheck_instruction_missing/test/positive_expected_result.json
index 3fff0a3f2f4..355b007dd53 100644
--- a/assets/queries/dockerfile/healthcheck_instruction_missing/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/healthcheck_instruction_missing/test/positive_expected_result.json
@@ -10,5 +10,11 @@
 "severity": "LOW",
 "line": 7,
 "fileName": "positive2.dockerfile"
+ },
+ {
+ "queryName": "Healthcheck Instruction Missing",
+ "severity": "LOW",
+ "line": 1,
+ "fileName": "positive3.dockerfile"
 }
-]
+]
\ No newline at end of file
diff --git a/assets/queries/dockerfile/image_version_not_explicit/query.rego b/assets/queries/dockerfile/image_version_not_explicit/query.rego
index 46c74eb9e80..662b7e688a1 100644
--- a/assets/queries/dockerfile/image_version_not_explicit/query.rego
+++ b/assets/queries/dockerfile/image_version_not_explicit/query.rego
@@ -1,5 +1,7 @@
 package Cx
+import data.generic.dockerfile as dockerLib
+
 CxPolicy[result] {
 resource := input.document[i].command[name][_]
 resource.Cmd == "from"
@@ -7,9 +9,11 @@ CxPolicy[result] {
 versionNotExplicit(resource.Value,resource.EndLine)
+ stage := input.document[i].command[name]
+ from_command := dockerLib.get_original_from_command(stage)
 result := {
 "documentId": input.document[i].id,
- "searchKey": sprintf("FROM={{%s}}", [name]),
+ "searchKey": sprintf("%s={{%s}}", [from_command, name]),
 "issueType": "MissingAttribute",
 "keyExpectedValue": sprintf("FROM %s:'version'", [resource.Value[0]]),
 "keyActualValue": sprintf("FROM %s'", [resource.Value[0]]),
diff --git a/assets/queries/dockerfile/image_version_not_explicit/test/negative5.dockerfile b/assets/queries/dockerfile/image_version_not_explicit/test/negative5.dockerfile
new file mode 100644
index 00000000000..3e0bf155135
--- /dev/null
+++ b/assets/queries/dockerfile/image_version_not_explicit/test/negative5.dockerfile
@@ -0,0 +1,11 @@
+from alpine:3.5
+run apk add --update py2-pip
+run pip install --upgrade pip
+copy requirements.txt /usr/src/app/
+run pip install --no-cache-dir -r /usr/src/app/requirements.txt
+copy app.py /usr/src/app/
+copy templates/index.html /usr/src/app/templates/
+expose 5000
+arg IMAGE=alpine:3.12
+from $IMAGE
+cmd ["python", "/usr/src/app/app.py"]
diff --git a/assets/queries/dockerfile/image_version_not_explicit/test/positive5.dockerfile b/assets/queries/dockerfile/image_version_not_explicit/test/positive5.dockerfile
new file mode 100644
index 00000000000..d19a3511d99
--- /dev/null
+++ b/assets/queries/dockerfile/image_version_not_explicit/test/positive5.dockerfile
@@ -0,0 +1,9 @@
+from alpine
+run apk add --update py2-pip
+run pip install --upgrade pip
+copy requirements.txt /usr/src/app/
+run pip install --no-cache-dir -r /usr/src/app/requirements.txt
+copy app.py /usr/src/app/
+copy templates/index.html /usr/src/app/templates/
+expose 5000
+cmd ["python", "/usr/src/app/app.py"]
\ No newline at end of file
diff --git a/assets/queries/dockerfile/image_version_not_explicit/test/positive_expected_result.json b/assets/queries/dockerfile/image_version_not_explicit/test/positive_expected_result.json
index a5cbb7933e2..2e04d53f46c 100644
--- a/assets/queries/dockerfile/image_version_not_explicit/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/image_version_not_explicit/test/positive_expected_result.json
@@ -34,5 +34,11 @@
 "severity": "MEDIUM",
 "fileName": "positive4.dockerfile",
 "line": 10
+ },
+ {
+ "queryName": "Image Version Not Explicit",
+ "severity": "MEDIUM",
+ "fileName": "positive5.dockerfile",
+ "line": 1
 }
-]
+]
\ No newline at end of file
diff --git a/assets/queries/dockerfile/image_version_using_latest/query.rego b/assets/queries/dockerfile/image_version_using_latest/query.rego
index cbce842332f..bb2edce69d7 100644
--- a/assets/queries/dockerfile/image_version_using_latest/query.rego
+++ b/assets/queries/dockerfile/image_version_using_latest/query.rego
@@ -1,14 +1,18 @@
 package Cx
+import data.generic.dockerfile as dockerLib
+
 CxPolicy[result] {
 resource := input.document[i].command[name][_]
 resource.Cmd == "from"
 not resource.Value[0] == "scratch"
 contains(resource.Value[0], ":latest")
+ stage := input.document[i].command[name]
+ from_command := dockerLib.get_original_from_command(stage)
 result := {
 "documentId": input.document[i].id,
- "searchKey": sprintf("FROM={{%s}}", [name]),
+ "searchKey": sprintf("%s={{%s}}", [from_command, name]),
 "issueType": "IncorrectValue", #"MissingAttribute" / "RedundantAttribute"
 "keyExpectedValue": sprintf("FROM %s:'version' where version should not be 'latest'", [resource.Value[0]]),
 "keyActualValue": sprintf("FROM %s'", [resource.Value[0]]),
diff --git a/assets/queries/dockerfile/image_version_using_latest/test/negative2.dockerfile b/assets/queries/dockerfile/image_version_using_latest/test/negative2.dockerfile
new file mode 100644
index 00000000000..e7dbf812104
--- /dev/null
+++ b/assets/queries/dockerfile/image_version_using_latest/test/negative2.dockerfile
@@ -0,0 +1,9 @@
+from alpine:3.5
+run apk add --update py2-pip
+run pip install --upgrade pip
+copy requirements.txt /usr/src/app/
+run pip install --no-cache-dir -r /usr/src/app/requirements.txt
+copy app.py /usr/src/app/
+copy templates/index.html /usr/src/app/templates/
+expose 5000
+cmd ["python", "/usr/src/app/app.py"]
\ No newline at end of file
diff --git a/assets/queries/dockerfile/image_version_using_latest/test/positive2.dockerfile b/assets/queries/dockerfile/image_version_using_latest/test/positive2.dockerfile
new file mode 100644
index 00000000000..d05cf997998
--- /dev/null
+++ b/assets/queries/dockerfile/image_version_using_latest/test/positive2.dockerfile
@@ -0,0 +1,9 @@
+from alpine:latest
+run apk add --update py2-pip
+run pip install --upgrade pip
+copy requirements.txt /usr/src/app/
+run pip install --no-cache-dir -r /usr/src/app/requirements.txt
+copy app.py /usr/src/app/
+copy templates/index.html /usr/src/app/templates/
+expose 5000
+cmd ["python", "/usr/src/app/app.py"]
\ No newline at end of file
diff --git a/assets/queries/dockerfile/image_version_using_latest/test/positive_expected_result.json b/assets/queries/dockerfile/image_version_using_latest/test/positive_expected_result.json
index 54fb27a0982..3e6d61beed8 100644
--- a/assets/queries/dockerfile/image_version_using_latest/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/image_version_using_latest/test/positive_expected_result.json
@@ -2,6 +2,13 @@
 {
 "queryName": "Image Version Using 'latest'",
 "severity": "MEDIUM",
- "line": 1
+ "line": 1,
+ "fileName": "positive.dockerfile"
+ },
+ {
+ "queryName": "Image Version Using 'latest'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive2.dockerfile"
 }
-]
+]
\ No newline at end of file
diff --git a/assets/queries/dockerfile/last_user_is_root/query.rego b/assets/queries/dockerfile/last_user_is_root/query.rego
index 28e2dca5a04..70e512cf2fb 100644
--- a/assets/queries/dockerfile/last_user_is_root/query.rego
+++ b/assets/queries/dockerfile/last_user_is_root/query.rego
@@ -9,9 +9,10 @@ CxPolicy[result] {
 userCmd := [x | resource[j].Cmd == "user"; x := resource[j]]
 userCmd[minus(count(userCmd), 1)].Value[0] == "root"
+ from_command := dockerLib.get_original_from_command(resource)
 result := {
 "documentId": input.document[i].id,
- "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, userCmd[minus(count(userCmd), 1)].Original]),
+ "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, userCmd[minus(count(userCmd), 1)].Original]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "Last User shouldn't be root",
 "keyActualValue": "Last User is root",
diff --git a/assets/queries/dockerfile/last_user_is_root/test/negative3.dockerfile b/assets/queries/dockerfile/last_user_is_root/test/negative3.dockerfile
new file mode 100644
index 00000000000..b1a391b8d5d
--- /dev/null
+++ b/assets/queries/dockerfile/last_user_is_root/test/negative3.dockerfile
@@ -0,0 +1,4 @@
+from alpine:2.6
+user root
+run npm install
+user guest
\ No newline at end of file
diff --git a/assets/queries/dockerfile/last_user_is_root/test/positive2.dockerfile b/assets/queries/dockerfile/last_user_is_root/test/positive2.dockerfile
new file mode 100644
index 00000000000..7649a2f1ead
--- /dev/null
+++ b/assets/queries/dockerfile/last_user_is_root/test/positive2.dockerfile
@@ -0,0 +1,3 @@
+from alpine:2.6
+user root
+run npm install
\ No newline at end of file
diff --git a/assets/queries/dockerfile/last_user_is_root/test/positive_expected_result.json b/assets/queries/dockerfile/last_user_is_root/test/positive_expected_result.json
index 751442ed373..4c836fb90dc 100644
--- a/assets/queries/dockerfile/last_user_is_root/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/last_user_is_root/test/positive_expected_result.json
@@ -1,7 +1,14 @@
 [
- {
- "queryName": "Last User Is 'root'",
- "severity": "HIGH",
- "line": 2
- }
+ {
+ "queryName": "Last User Is 'root'",
+ "severity": "HIGH",
+ "line": 2,
+ "fileName": "positive.dockerfile"
+ },
+ {
+ "queryName": "Last User Is 'root'",
+ "severity": "HIGH",
+ "line": 2,
+ "fileName": "positive2.dockerfile"
+ }
 ]
\ No newline at end of file
diff --git a/assets/queries/dockerfile/maintainer_instruction_being_used/query.rego b/assets/queries/dockerfile/maintainer_instruction_being_used/query.rego
index 98973103c4f..264d322f913 100644
--- a/assets/queries/dockerfile/maintainer_instruction_being_used/query.rego
+++ b/assets/queries/dockerfile/maintainer_instruction_being_used/query.rego
@@ -1,12 +1,16 @@
 package Cx
+import data.generic.dockerfile as dockerLib
+
 CxPolicy[result] {
 resource := input.document[i].command[name][_]
 resource.Cmd == "maintainer"
+ stage := input.document[i].command[name]
+ from_command := dockerLib.get_original_from_command(stage)
 result := {
 "documentId": input.document[i].id,
- "searchKey": sprintf("FROM={{%s}}.MAINTAINER={{%s}}", [name, resource.Value[0]]),
+ "searchKey": sprintf("%s={{%s}}.MAINTAINER={{%s}}", [from_command, name, resource.Value[0]]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("Maintainer instruction being used in Label 'LABEL maintainer=%s'", [resource.Value[0]]),
 "keyActualValue": sprintf("Maintainer instruction not being used in Label 'MAINTAINER %s'", [resource.Value[0]]),
diff --git a/assets/queries/dockerfile/maintainer_instruction_being_used/test/negative2.dockerfile b/assets/queries/dockerfile/maintainer_instruction_being_used/test/negative2.dockerfile
new file mode 100644
index 00000000000..1678a5950ee
--- /dev/null
+++ b/assets/queries/dockerfile/maintainer_instruction_being_used/test/negative2.dockerfile
@@ -0,0 +1,10 @@
+from alpine:3.5
+run apk add --update py2-pip
+run pip install --upgrade pip
+label maintainer="SvenDowideit@home.org.au"
+copy requirements.txt /usr/src/app/
+run pip install --no-cache-dir -r /usr/src/app/requirements.txt
+copy app.py /usr/src/app/
+copy templates/index.html /usr/src/app/templates/
+expose 5000
+cmd ["python", "/usr/src/app/app.py"]
\ No newline at end of file
diff --git a/assets/queries/dockerfile/maintainer_instruction_being_used/test/positive2.dockerfile b/assets/queries/dockerfile/maintainer_instruction_being_used/test/positive2.dockerfile
new file mode 100644
index 00000000000..6c6bd02cc0f
--- /dev/null
+++ b/assets/queries/dockerfile/maintainer_instruction_being_used/test/positive2.dockerfile
@@ -0,0 +1,10 @@
+from alpine:3.5
+run apk add --update py2-pip
+run pip install --upgrade pip
+maintainer "SvenDowideit@home.org.au"
+copy requirements.txt /usr/src/app/
+run pip install --no-cache-dir -r /usr/src/app/requirements.txt
+copy app.py /usr/src/app/
+copy templates/index.html /usr/src/app/templates/
+expose 5000
+cmd ["python", "/usr/src/app/app.py"]
\ No newline at end of file
diff --git a/assets/queries/dockerfile/maintainer_instruction_being_used/test/positive_expected_result.json b/assets/queries/dockerfile/maintainer_instruction_being_used/test/positive_expected_result.json
index ae5d0a537f5..ee5d19ab48a 100644
--- a/assets/queries/dockerfile/maintainer_instruction_being_used/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/maintainer_instruction_being_used/test/positive_expected_result.json
@@ -2,6 +2,13 @@
 {
 "queryName": "MAINTAINER Instruction Being Used",
 "severity": "LOW",
- "line": 4
+ "line": 4,
+ "fileName": "positive.dockerfile"
+ },
+ {
+ "queryName": "MAINTAINER Instruction Being Used",
+ "severity": "LOW",
+ "line": 4,
+ "fileName": "positive2.dockerfile"
 }
-]
+]
\ No newline at end of file
diff --git a/assets/queries/dockerfile/missing_dnf_clean_all/query.rego b/assets/queries/dockerfile/missing_dnf_clean_all/query.rego
index 982d8117170..3f75383088f 100644
--- a/assets/queries/dockerfile/missing_dnf_clean_all/query.rego
+++ b/assets/queries/dockerfile/missing_dnf_clean_all/query.rego
@@ -13,9 +13,11 @@ CxPolicy[result] {
 not containsDnfClean(input.document[i].command[name], resource._kics_line)
 not containsCleanAfterInstall(command)
+ stage := input.document[i].command[name]
+ from_command := dockerLib.get_original_from_command(stage)
 result := {
 "documentId": input.document[i].id,
- "searchKey": sprintf("FROM={{%s}}.RUN={{%s}}", [name, resource.Value[0]]),
+ "searchKey": sprintf("%s={{%s}}.RUN={{%s}}", [from_command, name, resource.Value[0]]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "After installing a package with dnf, command 'dnf clean all' should run.",
 "keyActualValue": "Command `dnf clean all` is not being run after installing packages.",
diff --git a/assets/queries/dockerfile/missing_dnf_clean_all/test/negative3.dockerfile b/assets/queries/dockerfile/missing_dnf_clean_all/test/negative3.dockerfile
new file mode 100644
index 00000000000..c06cea0f7b1
--- /dev/null
+++ b/assets/queries/dockerfile/missing_dnf_clean_all/test/negative3.dockerfile
@@ -0,0 +1,7 @@
+from fedora:27
+run set -uex && \
+ dnf config-manager --add-repo https://download.docker.com/linux/fedora/docker-ce.repo && \
+ sed -i 's/\$releasever/26/g' /etc/yum.repos.d/docker-ce.repo && \
+ dnf install -vy docker-ce && \
+ dnf clean all
+healthcheck CMD curl --fail http://localhost:3000 || exit 1
diff --git a/assets/queries/dockerfile/missing_dnf_clean_all/test/positive2.dockerfile b/assets/queries/dockerfile/missing_dnf_clean_all/test/positive2.dockerfile
new file mode 100644
index 00000000000..49a630da7c2
--- /dev/null
+++ b/assets/queries/dockerfile/missing_dnf_clean_all/test/positive2.dockerfile
@@ -0,0 +1,6 @@
+from fedora:27
+run set -uex && \
+ dnf config-manager --add-repo https://download.docker.com/linux/fedora/docker-ce.repo && \
+ sed -i 's/\$releasever/26/g' /etc/yum.repos.d/docker-ce.repo && \
+ dnf install -vy docker-ce
+healthcheck CMD curl --fail http://localhost:3000 || exit 1
diff --git a/assets/queries/dockerfile/missing_dnf_clean_all/test/positive_expected_result.json b/assets/queries/dockerfile/missing_dnf_clean_all/test/positive_expected_result.json
index 0c521996f67..c6d71e5c92c 100644
--- a/assets/queries/dockerfile/missing_dnf_clean_all/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/missing_dnf_clean_all/test/positive_expected_result.json
@@ -1,7 +1,14 @@
 [
- {
- "queryName": "Missing Dnf Clean All",
- "severity": "LOW",
- "line": 2
- }
+ {
+ "queryName": "Missing Dnf Clean All",
+ "severity": "LOW",
+ "line": 2,
+ "fileName": "positive.dockerfile"
+ },
+ {
+ "queryName": "Missing Dnf Clean All",
+ "severity": "LOW",
+ "line": 2,
+ "fileName": "positive2.dockerfile"
+ }
 ]
\ No newline at end of file
diff --git a/assets/queries/dockerfile/missing_flag_from_dnf_install/query.rego b/assets/queries/dockerfile/missing_flag_from_dnf_install/query.rego
index f3f1f143c64..ea3dc692ea0 100644
--- a/assets/queries/dockerfile/missing_flag_from_dnf_install/query.rego
+++ b/assets/queries/dockerfile/missing_flag_from_dnf_install/query.rego
@@ -14,9 +14,11 @@ CxPolicy[result] {
 not hasYesFlag(c)
+ stage := input.document[i].command[name]
+ from_command := docker_lib.get_original_from_command(stage)
 result := {
 "documentId": input.document[i].id,
- "searchKey": sprintf("FROM={{%s}}.RUN={{%s}}", [name, resource.Value[0]]),
+ "searchKey": sprintf("%s={{%s}}.RUN={{%s}}", [from_command, name, resource.Value[0]]),
 "searchValue": trim_space(c),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "When running `dnf install`, `-y` or `--assumeyes` switch should be set to avoid build failure ",
diff --git a/assets/queries/dockerfile/missing_flag_from_dnf_install/test/negative5.dockerfile b/assets/queries/dockerfile/missing_flag_from_dnf_install/test/negative5.dockerfile
new file mode 100644
index 00000000000..0446e79007d
--- /dev/null
+++ b/assets/queries/dockerfile/missing_flag_from_dnf_install/test/negative5.dockerfile
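Review bot: `from_command := docker_lib.get_original_from_command(stage)` in the missing_flag_from_dnf_install hunk refers to the library through the alias `docker_lib`, while every other query touched in this series calls it through `dockerLib`. The import line sits above the hunk, so if this file imports `data.generic.dockerfile as dockerLib` like its siblings the reference is unresolved and the rule will not compile; if it really imports `docker_lib`, the naming is merely inconsistent with the rest of the series. Either way I would make it `from_command := dockerLib.get_original_from_command(stage)` and align the import alias with it. The enclosing rule body starts before the hunk.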
@@ -0,0 +1,5 @@ +from fedora:27 +run set -uex && \ + dnf config-manager --set-enabled docker-ce-test && \ + dnf install -y docker-ce && \ + dnf clean all \ No newline at end of file diff --git a/assets/queries/dockerfile/missing_flag_from_dnf_install/test/positive5.dockerfile b/assets/queries/dockerfile/missing_flag_from_dnf_install/test/positive5.dockerfile new file mode 100644 index 00000000000..396ff2998bd --- /dev/null +++ b/assets/queries/dockerfile/missing_flag_from_dnf_install/test/positive5.dockerfile @@ -0,0 +1,11 @@ +from fedora:27 +run set -uex && \ + dnf config-manager --set-enabled docker-ce-test && \ + dnf install docker-ce && \ + dnf clean all + +from fedora:28 +run set -uex +run dnf config-manager --set-enabled docker-ce-test +run dnf in docker-ce +run dnf clean all \ No newline at end of file diff --git a/assets/queries/dockerfile/missing_flag_from_dnf_install/test/positive_expected_result.json b/assets/queries/dockerfile/missing_flag_from_dnf_install/test/positive_expected_result.json index 8ca30d102d6..f94db540134 100644 --- a/assets/queries/dockerfile/missing_flag_from_dnf_install/test/positive_expected_result.json +++ b/assets/queries/dockerfile/missing_flag_from_dnf_install/test/positive_expected_result.json 
@@ -1,38 +1,50 @@ [ - { - "queryName": "Missing Flag From Dnf Install", - "severity": "LOW", - "line": 2, - "fileName": "positive.dockerfile" - }, - { - "queryName": "Missing Flag From Dnf Install", - "severity": "LOW", - "line": 10, - "fileName": "positive.dockerfile" - }, - { - "queryName": "Missing Flag From Dnf Install", - "severity": "LOW", - "line": 2, - "fileName": "positive2.dockerfile" - }, - { - "queryName": "Missing Flag From Dnf Install", - "severity": "LOW", - "line": 10, - "fileName": "positive2.dockerfile" - }, - { - "queryName": "Missing Flag From Dnf Install", - "severity": "LOW", - "line": 2, - "fileName": "positive3.dockerfile" - }, - { - "queryName": "Missing Flag From Dnf Install", - "severity": "LOW", - "line": 21, - "fileName": "positive4.dockerfile" - } + { + "queryName": "Missing Flag From Dnf Install", + "severity": "LOW", + "line": 2, + "fileName": "positive.dockerfile" + }, + { + "queryName": "Missing Flag From Dnf Install", + "severity": "LOW", + "line": 10, + "fileName": "positive.dockerfile" + }, + { + "queryName": "Missing Flag From Dnf Install", + "severity": "LOW", + "line": 2, + "fileName": "positive2.dockerfile" + }, + { + "queryName": "Missing Flag From Dnf Install", + "severity": "LOW", + "line": 10, + "fileName": "positive2.dockerfile" + }, + { + "queryName": "Missing Flag From Dnf Install", + "severity": "LOW", + "line": 2, + "fileName": "positive3.dockerfile" + }, + { + "queryName": "Missing Flag From Dnf Install", + "severity": "LOW", + "line": 21, + "fileName": "positive4.dockerfile" + }, + { + "queryName": "Missing Flag From Dnf Install", + "severity": "LOW", + "line": 2, + "fileName": "positive5.dockerfile" + }, + { + "queryName": "Missing Flag From Dnf Install", + "severity": "LOW", + "line": 10, + "fileName": "positive5.dockerfile" + } ] \ No newline at end of file 
diff --git a/assets/queries/dockerfile/missing_user_instruction/test/negative4.dockerfile b/assets/queries/dockerfile/missing_user_instruction/test/negative4.dockerfile
new file mode 100644
index 00000000000..d4bc4f7b01a
--- /dev/null
+++ b/assets/queries/dockerfile/missing_user_instruction/test/negative4.dockerfile
@@ -0,0 +1,14 @@
+from python:2.7
+run pip install Flask==0.11.1
+run useradd -ms /bin/bash patrick
+copy --chown=patrick:patrick app /app
+workdir /app
+user patrick
+cmd ["python", "app.py"]
+
+from scratch
+run pip install Flask==0.11.1
+run useradd -ms /bin/bash patrick
+copy --chown=patrick:patrick app /app
+workdir /app
+cmd ["python", "app.py"]
diff --git a/assets/queries/dockerfile/missing_user_instruction/test/positive3.dockerfile b/assets/queries/dockerfile/missing_user_instruction/test/positive3.dockerfile
new file mode 100644
index 00000000000..81af6f6ec65
--- /dev/null
+++ b/assets/queries/dockerfile/missing_user_instruction/test/positive3.dockerfile
@@ -0,0 +1,6 @@
+from python:2.7
+run pip install Flask==0.11.1
+run useradd -ms /bin/bash patrick
+copy --chown=patrick:patrick app /app
+workdir /app
+cmd ["python", "app.py"]
diff --git a/assets/queries/dockerfile/missing_user_instruction/test/positive_expected_result.json b/assets/queries/dockerfile/missing_user_instruction/test/positive_expected_result.json
index 8a0833e1de1..70ddd881925 100644
--- a/assets/queries/dockerfile/missing_user_instruction/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/missing_user_instruction/test/positive_expected_result.json
@@ -10,5 +10,11 @@
 "severity": "HIGH",
 "line": 7,
 "fileName": "positive2.dockerfile"
- }
+ },
+ {
+ "queryName": "Missing User Instruction",
+ "severity": "HIGH",
+ "line": 1,
+ "fileName": "positive3.dockerfile"
+ },
 ]
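Review bot: The last added object in missing_user_instruction/test/positive_expected_result.json closes with `+  },` immediately before the context line `]`, leaving a trailing comma that strict JSON parsers, including Go's encoding/json, reject, so the expected-result file will not load at all. The final added line should be `  }` with no comma. The same trailing-comma pattern appears at the end of the npm_install_without_pinned_version positive_expected_result.json hunk, whose last added object also ends in `},` before `]`. Separately, the final `from scratch` stage of negative4.dockerfile carries no `user` instruction; if the query evaluates the last (or every) stage, that fixture would be a positive rather than a negative, so the negative classification presumably depends on how the query treats a `scratch` base — worth confirming before merging.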
diff --git a/assets/queries/dockerfile/missing_version_specification_in_dnf_install/query.rego b/assets/queries/dockerfile/missing_version_specification_in_dnf_install/query.rego index 0d50a1ebde0..ddefb97b7b8 100644 --- a/assets/queries/dockerfile/missing_version_specification_in_dnf_install/query.rego +++ b/assets/queries/dockerfile/missing_version_specification_in_dnf_install/query.rego @@ -19,9 +19,11 @@ CxPolicy[result] { some j analyzePackages(j, packages[j], packages, length) + stage := input.document[i].command[name] + from_command := dockerLib.get_original_from_command(stage) result := { "documentId": input.document[i].id, - "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]), + "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, resource.Original]), "issueType": "IncorrectValue", "keyExpectedValue": "Package version should be specified when using 'dnf install'", "keyActualValue": "Package version should be pinned when running ´dnf install´", @@ -42,9 +44,11 @@ CxPolicy[result] { regex.match("^[a-zA-Z]", resource.Value[j]) == true not dockerLib.withVersion(resource.Value[j]) + stage := input.document[i].command[name] + from_command := dockerLib.get_original_from_command(stage) result := { "documentId": input.document[i].id, - "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]), + "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, resource.Original]), "issueType": "IncorrectValue", "keyExpectedValue": "Package version should be specified when using 'dnf install'", "keyActualValue": "Package version should be pinned when running ´dnf install´", diff --git a/assets/queries/dockerfile/missing_version_specification_in_dnf_install/test/negative2.dockerfile b/assets/queries/dockerfile/missing_version_specification_in_dnf_install/test/negative2.dockerfile new file mode 100644 index 00000000000..2e494c41782 --- /dev/null 
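Review bot: The new helper is named `get_original_from_command` in snake_case, while the existing helper called two lines earlier in the same hunk, `dockerLib.withVersion`, is camelCase; mixing both conventions in one library package is a style inconsistency that will spread as every dockerfile query adopts the new helper. Both rules in this file also repeat the identical two-line preamble, `stage := input.document[i].command[name]` followed by `from_command := dockerLib.get_original_from_command(stage)`, and the same pair is pasted into every other query in this series, which suggests the stage lookup belongs inside the library helper so each rule needs one line. Both CxPolicy rule bodies begin outside their hunks.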
+++ b/assets/queries/dockerfile/missing_version_specification_in_dnf_install/test/negative2.dockerfile @@ -0,0 +1,6 @@ +from fedora:latest +run dnf -y update && dnf -y install httpd-2.24.2 && dnf clean all +run ["dnf", "install", "httpd-2.24.2"] +copy index.html /var/www/html/index.html +expose 80 +entrypoint /usr/sbin/httpd -DFOREGROUND diff --git a/assets/queries/dockerfile/missing_version_specification_in_dnf_install/test/positive2.dockerfile b/assets/queries/dockerfile/missing_version_specification_in_dnf_install/test/positive2.dockerfile new file mode 100644 index 00000000000..dba9ef1dee2 --- /dev/null +++ b/assets/queries/dockerfile/missing_version_specification_in_dnf_install/test/positive2.dockerfile @@ -0,0 +1,6 @@ +from fedora:latest +run dnf -y update && dnf -y install httpd && dnf clean all +run ["dnf", "install", "httpd"] +copy index.html /var/www/html/index.html +expose 80 +entrypoint /usr/sbin/httpd -DFOREGROUND diff --git a/assets/queries/dockerfile/missing_version_specification_in_dnf_install/test/positive_expected_result.json b/assets/queries/dockerfile/missing_version_specification_in_dnf_install/test/positive_expected_result.json index 53dca70b9fb..a7f35bc112b 100644 --- a/assets/queries/dockerfile/missing_version_specification_in_dnf_install/test/positive_expected_result.json +++ b/assets/queries/dockerfile/missing_version_specification_in_dnf_install/test/positive_expected_result.json 
@@ -1,12 +1,20 @@ [ - { - "queryName": "Missing Version Specification In dnf install", - "severity": "MEDIUM", - "line": 2 - }, - { - "queryName": "Missing Version Specification In dnf install", - "severity": "MEDIUM", - "line": 3 - } -] + { + "queryName": "Missing Version Specification In dnf install", + "severity": "MEDIUM", + "line": 2, + "fileName": "positive.dockerfile" + }, + { + "queryName": "Missing Version Specification In dnf install", + "severity": "MEDIUM", + "line": 3, + "fileName": "positive.dockerfile" + }, + { + "queryName": "Missing Version Specification In dnf install", + "severity": "MEDIUM", + "line": 2, + "fileName": "positive2.dockerfile" + } +] \ No newline at end of file diff --git a/assets/queries/dockerfile/missing_zypper_clean/query.rego b/assets/queries/dockerfile/missing_zypper_clean/query.rego index 9b19c044d0f..6f3e38f215f 100644 --- a/assets/queries/dockerfile/missing_zypper_clean/query.rego +++ b/assets/queries/dockerfile/missing_zypper_clean/query.rego @@ -14,9 +14,10 @@ CxPolicy[result] { commandHasZypperUsage(command) not hasCleanAfterInstall(commands[img], c, j) + from_command := dockerLib.get_original_from_command(commands[img]) result := { "documentId": document.id, - "searchKey": sprintf("FROM={{%s}}.{{%s}}", [img, commands[img][c].Original]), + "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, img, commands[img][c].Original]), "issueType": "MissingAttribute", "keyExpectedValue": "There should be a zypper clean after a zypper usage", "keyActualValue": sprintf("The command '%s' does not have a zypper clean after it", [commands[img][c].Value[j]]), diff --git a/assets/queries/dockerfile/missing_zypper_clean/test/negative3.dockerfile b/assets/queries/dockerfile/missing_zypper_clean/test/negative3.dockerfile new file mode 100644 index 00000000000..ba424b3e2bf --- /dev/null +++ b/assets/queries/dockerfile/missing_zypper_clean/test/negative3.dockerfile 
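Review bot: The rewritten missing_version_specification_in_dnf_install expected-result file lists a single finding for positive2.dockerfile (`"line": 2`), whereas the pre-existing positive file keeps findings on both line 2 and line 3. positive2.dockerfile's line 3 is `run ["dnf", "install", "httpd"]`, an exec-form install with an unpinned package, which is what the second rule in query.rego (the `resource.Value[j]` branch with `not dockerLib.withVersion(...)`) is written to catch, so a third entry with `"line": 3, "fileName": "positive2.dockerfile"` looks to be missing. If the exec-form rule genuinely does not fire for the lowercase instruction, that is itself a gap the new fixture should expose rather than encode. I cannot see the original positive.dockerfile from this hunk, so the mirror relationship is inferred from the two kept entries.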
@@ -0,0 +1,3 @@ +from busybox:1.0 +run zypper install -y httpd=2.4 && zypper clean +healthcheck CMD curl --fail http://localhost:3000 || exit 1 diff --git a/assets/queries/dockerfile/missing_zypper_clean/test/positive2.dockerfile b/assets/queries/dockerfile/missing_zypper_clean/test/positive2.dockerfile new file mode 100644 index 00000000000..4e774713abf --- /dev/null +++ b/assets/queries/dockerfile/missing_zypper_clean/test/positive2.dockerfile @@ -0,0 +1,3 @@ +from busybox:1.0 +run zypper install +healthcheck CMD curl --fail http://localhost:3000 || exit 1 diff --git a/assets/queries/dockerfile/missing_zypper_clean/test/positive_expected_result.json b/assets/queries/dockerfile/missing_zypper_clean/test/positive_expected_result.json index 5570f022802..203ee10a67d 100644 --- a/assets/queries/dockerfile/missing_zypper_clean/test/positive_expected_result.json +++ b/assets/queries/dockerfile/missing_zypper_clean/test/positive_expected_result.json @@ -1,7 +1,14 @@ [ - { - "queryName": "Missing Zypper Clean", - "severity": "LOW", - "line": 2 - } + { + "queryName": "Missing Zypper Clean", + "severity": "LOW", + "line": 2, + "fileName": "positive.dockerfile" + }, + { + "queryName": "Missing Zypper Clean", + "severity": "LOW", + "line": 2, + "fileName": "positive2.dockerfile" + } ] \ No newline at end of file diff --git a/assets/queries/dockerfile/missing_zypper_non_interactive_switch/query.rego b/assets/queries/dockerfile/missing_zypper_non_interactive_switch/query.rego index 419ef8597a0..a14545cd452 100644 --- a/assets/queries/dockerfile/missing_zypper_non_interactive_switch/query.rego +++ b/assets/queries/dockerfile/missing_zypper_non_interactive_switch/query.rego 
@@ -14,9 +14,10 @@ CxPolicy[result] { commandHasZypperUsage(command) not commandHasNonInteractiveSwitch(command) + from_command := dockerLib.get_original_from_command(commands[img]) result := { "documentId": document.id, - "searchKey": sprintf("FROM={{%s}}.{{%s}}", [img, commands[img][c].Original]), + "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, img, commands[img][c].Original]), "issueType": "IncorrectValue", "keyExpectedValue": "zypper usages should have the non-interactive switch activated", "keyActualValue": sprintf("The command '%s' does not have the non-interactive switch activated (-y | --no-confirm)", [commands[img][c].Original]), diff --git a/assets/queries/dockerfile/missing_zypper_non_interactive_switch/test/negative3.dockerfile b/assets/queries/dockerfile/missing_zypper_non_interactive_switch/test/negative3.dockerfile new file mode 100644 index 00000000000..1c4879426a1 --- /dev/null +++ b/assets/queries/dockerfile/missing_zypper_non_interactive_switch/test/negative3.dockerfile @@ -0,0 +1,3 @@ +from busybox:1.0 +run zypper install -y httpd=2.4.46 && zypper clean +healthcheck CMD curl --fail http://localhost:3000 || exit 1 diff --git a/assets/queries/dockerfile/missing_zypper_non_interactive_switch/test/positive2.dockerfile b/assets/queries/dockerfile/missing_zypper_non_interactive_switch/test/positive2.dockerfile new file mode 100644 index 00000000000..5f770109502 --- /dev/null +++ b/assets/queries/dockerfile/missing_zypper_non_interactive_switch/test/positive2.dockerfile @@ -0,0 +1,3 @@ +from busybox:1.0 +run zypper install httpd && zypper clean +healthcheck CMD curl --fail http://localhost:3000 || exit 1 diff --git a/assets/queries/dockerfile/missing_zypper_non_interactive_switch/test/positive_expected_result.json b/assets/queries/dockerfile/missing_zypper_non_interactive_switch/test/positive_expected_result.json index fa3f05610c9..8a654e77bc9 100644 
--- a/assets/queries/dockerfile/missing_zypper_non_interactive_switch/test/positive_expected_result.json +++ b/assets/queries/dockerfile/missing_zypper_non_interactive_switch/test/positive_expected_result.json @@ -2,6 +2,13 @@ { "queryName": "Missing Zypper Non-interactive Switch", "severity": "MEDIUM", - "line": 2 + "line": 2, + "fileName": "positive.dockerfile" + }, + { + "queryName": "Missing Zypper Non-interactive Switch", + "severity": "MEDIUM", + "line": 2, + "fileName": "positive2.dockerfile" } -] +] \ No newline at end of file diff --git a/assets/queries/dockerfile/multiple_cmd_instructions_listed/query.rego b/assets/queries/dockerfile/multiple_cmd_instructions_listed/query.rego index 9976a3b449f..e6ee221f7a5 100644 --- a/assets/queries/dockerfile/multiple_cmd_instructions_listed/query.rego +++ b/assets/queries/dockerfile/multiple_cmd_instructions_listed/query.rego @@ -9,9 +9,10 @@ CxPolicy[result] { cmdInst := [x | resource[j].Cmd == "cmd"; x := resource[j]] count(cmdInst) > 1 + from_command := dockerLib.get_original_from_command(resource) result := { "documentId": input.document[i].id, - "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, cmdInst[0].Original]), + "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, cmdInst[0].Original]), "issueType": "RedundantAttribute", #"MissingAttribute" / "RedundantAttribute" "keyExpectedValue": "There should be only one CMD instruction", "keyActualValue": sprintf("There are %d CMD instructions", [count(cmdInst)]), diff --git a/assets/queries/dockerfile/multiple_cmd_instructions_listed/test/negative3.dockerfile b/assets/queries/dockerfile/multiple_cmd_instructions_listed/test/negative3.dockerfile new file mode 100644 index 00000000000..1db23282c4a --- /dev/null +++ b/assets/queries/dockerfile/multiple_cmd_instructions_listed/test/negative3.dockerfile 
@@ -0,0 +1,12 @@
+from golang:1.7.3
+workdir /go/src/github.com/foo/href-counter/
+run go get -d -v golang.org/x/net/html
+copy app.go .
+run CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
+cmd ["./app"]
+
+from alpine:latest
+run apk --no-cache add ca-certificates
+workdir /root/
+copy --from=0 /go/src/github.com/foo/href-counter/app .
+cmd ["./app"]
\ No newline at end of file
diff --git a/assets/queries/dockerfile/multiple_cmd_instructions_listed/test/positive2.dockerfile b/assets/queries/dockerfile/multiple_cmd_instructions_listed/test/positive2.dockerfile
new file mode 100644
index 00000000000..38eef4b6c1b
--- /dev/null
+++ b/assets/queries/dockerfile/multiple_cmd_instructions_listed/test/positive2.dockerfile
@@ -0,0 +1,12 @@
+from golang:1.7.3
+workdir /go/src/github.com/foo/href-counter/
+run go get -d -v golang.org/x/net/html
+copy app.go .
+run CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
+
+from alpine:latest
+run apk --no-cache add ca-certificates
+workdir /root/
+copy --from=0 /go/src/github.com/foo/href-counter/app .
+cmd ["./app"]
+cmd ["./apps"]
diff --git a/assets/queries/dockerfile/multiple_cmd_instructions_listed/test/positive_expected_result.json b/assets/queries/dockerfile/multiple_cmd_instructions_listed/test/positive_expected_result.json
index 5110e6420af..ea8f2844cd3 100644
--- a/assets/queries/dockerfile/multiple_cmd_instructions_listed/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/multiple_cmd_instructions_listed/test/positive_expected_result.json
@@ -1,8 +1,14 @@
 [
- {
- "queryName": "Multiple CMD Instructions Listed",
- "severity": "LOW",
- "line": 11,
- "fileName": "positive.dockerfile"
- }
+ {
+ "queryName": "Multiple CMD Instructions Listed",
+ "severity": "LOW",
+ "line": 11,
+ "fileName": "positive.dockerfile"
+ },
+ {
+ "queryName": "Multiple CMD Instructions Listed",
+ "severity": "LOW",
+ "line": 11,
+ "fileName": "positive2.dockerfile"
+ }
 ]
\ No newline at end of file
diff --git a/assets/queries/dockerfile/multiple_entrypoint_instructions_listed/query.rego b/assets/queries/dockerfile/multiple_entrypoint_instructions_listed/query.rego index bc821fe04fa..f7263e21ffc 100644 --- a/assets/queries/dockerfile/multiple_entrypoint_instructions_listed/query.rego +++ b/assets/queries/dockerfile/multiple_entrypoint_instructions_listed/query.rego @@ -9,9 +9,10 @@ CxPolicy[result] { cmdInst := [x | resource[j].Cmd == "entrypoint"; x := resource[j]] count(cmdInst) > 1 + from_command := dockerLib.get_original_from_command(resource) result := { "documentId": input.document[i].id, - "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, cmdInst[0].Original]), + "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, cmdInst[0].Original]), "issueType": "RedundantAttribute", "keyExpectedValue": "There should be only one ENTRYPOINT instruction", "keyActualValue": sprintf("There are %d ENTRYPOINT instructions", [count(cmdInst)]), diff --git a/assets/queries/dockerfile/multiple_entrypoint_instructions_listed/test/negative3.dockerfile b/assets/queries/dockerfile/multiple_entrypoint_instructions_listed/test/negative3.dockerfile new file mode 100644 index 00000000000..87709ec452f --- /dev/null +++ b/assets/queries/dockerfile/multiple_entrypoint_instructions_listed/test/negative3.dockerfile @@ -0,0 +1,12 @@ +from golang:1.7.3 +workdir /go/src/github.com/foo/href-counter/ +run go get -d -v golang.org/x/net/html +copy app.go . +run CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app . +entrypoint [ "/opt/app/run.sh", "--port", "8080" ] + +from alpine:latest +run apk --no-cache add ca-certificates +workdir /root/ +copy --from=0 /go/src/github.com/foo/href-counter/app . +entrypoint [ "/opt/app/run.sh", "--port", "8080" ] \ No newline at end of file 
diff --git a/assets/queries/dockerfile/multiple_entrypoint_instructions_listed/test/positive2.dockerfile b/assets/queries/dockerfile/multiple_entrypoint_instructions_listed/test/positive2.dockerfile new file mode 100644 index 00000000000..2a55b12e841 --- /dev/null +++ b/assets/queries/dockerfile/multiple_entrypoint_instructions_listed/test/positive2.dockerfile @@ -0,0 +1,12 @@ +from golang:1.7.3 +workdir /go/src/github.com/foo/href-counter/ +run go get -d -v golang.org/x/net/html +copy app.go . +run CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app . + +from alpine:latest +run apk --no-cache add ca-certificates +workdir /root/ +copy --from=0 /go/src/github.com/foo/href-counter/app . +entrypoint [ "/opt/app/run.sh", "--port", "8080" ] +entrypoint [ "/opt/app/run.sh", "--port", "8000" ] diff --git a/assets/queries/dockerfile/multiple_entrypoint_instructions_listed/test/positive_expected_result.json b/assets/queries/dockerfile/multiple_entrypoint_instructions_listed/test/positive_expected_result.json index c1c67a870ea..8096a6b8ad3 100644 --- a/assets/queries/dockerfile/multiple_entrypoint_instructions_listed/test/positive_expected_result.json +++ b/assets/queries/dockerfile/multiple_entrypoint_instructions_listed/test/positive_expected_result.json @@ -1,8 +1,14 @@ [ - { - "queryName": "Multiple ENTRYPOINT Instructions Listed", - "severity": "LOW", - "line": 11, - "fileName": "positive.dockerfile" - } + { + "queryName": "Multiple ENTRYPOINT Instructions Listed", + "severity": "LOW", + "line": 11, + "fileName": "positive.dockerfile" + }, + { + "queryName": "Multiple ENTRYPOINT Instructions Listed", + "severity": "LOW", + "line": 11, + "fileName": "positive2.dockerfile" + } ] \ No newline at end of file diff --git a/assets/queries/dockerfile/multiple_run_add_copy_instructions_listed/query.rego b/assets/queries/dockerfile/multiple_run_add_copy_instructions_listed/query.rego index 4c07f1660e2..675a2e1e5e9 100644 
--- a/assets/queries/dockerfile/multiple_run_add_copy_instructions_listed/query.rego +++ b/assets/queries/dockerfile/multiple_run_add_copy_instructions_listed/query.rego @@ -22,9 +22,10 @@ CxPolicy[result] { countCmdInst := count(lineCounter) countCmdInst > 0 + from_command := dockerLib.get_original_from_command(resource) result := { "documentId": input.document[i].id, - "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, lineCounter[0].Original]), + "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, lineCounter[0].Original]), "issueType": "RedundantAttribute", "keyExpectedValue": sprintf("There isn´t any %s instruction that could be grouped", [upperName]), "keyActualValue": sprintf("There are %s instructions that could be grouped", [upperName]), diff --git a/assets/queries/dockerfile/multiple_run_add_copy_instructions_listed/test/negative6.dockerfile b/assets/queries/dockerfile/multiple_run_add_copy_instructions_listed/test/negative6.dockerfile new file mode 100644 index 00000000000..5fb5e41e709 --- /dev/null +++ b/assets/queries/dockerfile/multiple_run_add_copy_instructions_listed/test/negative6.dockerfile @@ -0,0 +1,2 @@ +from ubuntu +run apt-get install wget && wget https://…/downloadedfile.tar && tar xvzf downloadedfile.tar && rm downloadedfile.tar && apt-get remove wget diff --git a/assets/queries/dockerfile/multiple_run_add_copy_instructions_listed/test/positive4.dockerfile b/assets/queries/dockerfile/multiple_run_add_copy_instructions_listed/test/positive4.dockerfile new file mode 100644 index 00000000000..8ffdb7017cc --- /dev/null +++ b/assets/queries/dockerfile/multiple_run_add_copy_instructions_listed/test/positive4.dockerfile @@ -0,0 +1,6 @@ +from ubuntu +run apt-get install -y wget +run wget https://…/downloadedfile.tar +run tar xvzf downloadedfile.tar +run rm downloadedfile.tar +run apt-get remove wget 
diff --git a/assets/queries/dockerfile/multiple_run_add_copy_instructions_listed/test/positive_expected_result.json b/assets/queries/dockerfile/multiple_run_add_copy_instructions_listed/test/positive_expected_result.json index 7474b74c429..0057ce393cc 100644 --- a/assets/queries/dockerfile/multiple_run_add_copy_instructions_listed/test/positive_expected_result.json +++ b/assets/queries/dockerfile/multiple_run_add_copy_instructions_listed/test/positive_expected_result.json @@ -1,20 +1,26 @@ [ - { - "queryName": "Multiple RUN, ADD, COPY, Instructions Listed", - "severity": "LOW", - "line": 2, - "fileName": "positive1.dockerfile" - }, - { - "queryName": "Multiple RUN, ADD, COPY, Instructions Listed", - "severity": "LOW", - "line": 2, - "fileName": "positive2.dockerfile" - }, - { - "queryName": "Multiple RUN, ADD, COPY, Instructions Listed", - "severity": "LOW", - "line": 2, - "fileName": "positive3.dockerfile" - } -] + { + "queryName": "Multiple RUN, ADD, COPY, Instructions Listed", + "severity": "LOW", + "line": 2, + "fileName": "positive1.dockerfile" + }, + { + "queryName": "Multiple RUN, ADD, COPY, Instructions Listed", + "severity": "LOW", + "line": 2, + "fileName": "positive2.dockerfile" + }, + { + "queryName": "Multiple RUN, ADD, COPY, Instructions Listed", + "severity": "LOW", + "line": 2, + "fileName": "positive3.dockerfile" + }, + { + "queryName": "Multiple RUN, ADD, COPY, Instructions Listed", + "severity": "LOW", + "line": 2, + "fileName": "positive4.dockerfile" + } +] \ No newline at end of file diff --git a/assets/queries/dockerfile/not_using_json_in_cmd_and_entrypoint_arguments/query.rego b/assets/queries/dockerfile/not_using_json_in_cmd_and_entrypoint_arguments/query.rego index 2ab522b1177..e60290bfcce 100644 --- a/assets/queries/dockerfile/not_using_json_in_cmd_and_entrypoint_arguments/query.rego +++ b/assets/queries/dockerfile/not_using_json_in_cmd_and_entrypoint_arguments/query.rego 
@@ -9,9 +9,11 @@ CxPolicy[result] { resource.Cmd == "cmd" resource.JSON == false + stage := input.document[i].command[name] + from_command := dockerLib.get_original_from_command(stage) result := { "documentId": input.document[i].id, - "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]), + "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, resource.Original]), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("{{%s}} should be in the JSON Notation", [resource.Original]), "keyActualValue": sprintf("{{%s}} isn't in JSON Notation", [resource.Original]), @@ -25,9 +27,11 @@ CxPolicy[result] { resource.Cmd == "entrypoint" resource.JSON == false + stage := input.document[i].command[name] + from_command := dockerLib.get_original_from_command(stage) result := { "documentId": input.document[i].id, - "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]), + "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, resource.Original]), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("{{%s}} should be in the JSON Notation", [resource.Original]), "keyActualValue": sprintf("{{%s}} isn't in JSON Notation", [resource.Original]), diff --git a/assets/queries/dockerfile/not_using_json_in_cmd_and_entrypoint_arguments/test/negative3.dockerfile b/assets/queries/dockerfile/not_using_json_in_cmd_and_entrypoint_arguments/test/negative3.dockerfile new file mode 100644 index 00000000000..a9084a1cfec --- /dev/null +++ b/assets/queries/dockerfile/not_using_json_in_cmd_and_entrypoint_arguments/test/negative3.dockerfile @@ -0,0 +1,11 @@ +from alpine:3.5 +run apk add --update py2-pip +run sudo yum install bundler +run yum install +copy requirements.txt /usr/src/app/ +run pip install --no-cache-dir -r /usr/src/app/requirements.txt +copy app.py /usr/src/app/ +copy templates/index.html /usr/src/app/templates/ +expose 5000 +cmd ["python", "/usr/src/app/app.py"] +entrypoint ["top", "-b"] \ No newline at end of file 
diff --git a/assets/queries/dockerfile/not_using_json_in_cmd_and_entrypoint_arguments/test/positive2.dockerfile b/assets/queries/dockerfile/not_using_json_in_cmd_and_entrypoint_arguments/test/positive2.dockerfile
new file mode 100644
index 00000000000..217643dd8c2
--- /dev/null
+++ b/assets/queries/dockerfile/not_using_json_in_cmd_and_entrypoint_arguments/test/positive2.dockerfile
@@ -0,0 +1,11 @@
+from alpine:3.5
+run apk add --update py2-pip
+run sudo yum install bundler
+run yum install
+copy requirements.txt /usr/src/app/
+run pip install --no-cache-dir -r /usr/src/app/requirements.txt
+copy app.py /usr/src/app/
+copy templates/index.html /usr/src/app/templates/
+expose 5000
+cmd [python, /usr/src/app/app.py]
+entrypoint [top, -b]
\ No newline at end of file
diff --git a/assets/queries/dockerfile/not_using_json_in_cmd_and_entrypoint_arguments/test/positive_expected_result.json b/assets/queries/dockerfile/not_using_json_in_cmd_and_entrypoint_arguments/test/positive_expected_result.json
index 779bfea3ef6..2a3d11dfd6c 100644
--- a/assets/queries/dockerfile/not_using_json_in_cmd_and_entrypoint_arguments/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/not_using_json_in_cmd_and_entrypoint_arguments/test/positive_expected_result.json
@@ -2,11 +2,25 @@
 {
 "queryName": "Not Using JSON In CMD And ENTRYPOINT Arguments",
 "severity": "MEDIUM",
- "line": 10
+ "line": 10,
+ "fileName": "positive.dockerfile"
 },
 {
 "queryName": "Not Using JSON In CMD And ENTRYPOINT Arguments",
 "severity": "MEDIUM",
- "line": 11
+ "line": 11,
+ "fileName": "positive.dockerfile"
+ },
+ {
+ "queryName": "Not Using JSON In CMD And ENTRYPOINT Arguments",
+ "severity": "MEDIUM",
+ "line": 10,
+ "fileName": "positive2.dockerfile"
+ },
+ {
+ "queryName": "Not Using JSON In CMD And ENTRYPOINT Arguments",
+ "severity": "MEDIUM",
+ "line": 11,
+ "fileName": "positive2.dockerfile"
 }
-]
+]
\ No newline at end of file
diff --git a/assets/queries/dockerfile/npm_install_without_pinned_version/query.rego b/assets/queries/dockerfile/npm_install_without_pinned_version/query.rego index f5d472adda6..4abd6d7cb54 100644 --- a/assets/queries/dockerfile/npm_install_without_pinned_version/query.rego +++ b/assets/queries/dockerfile/npm_install_without_pinned_version/query.rego @@ -1,5 +1,7 @@ package Cx +import data.generic.dockerfile as dockerLib + CxPolicy[result] { runCmd := input.document[i].command[name][_] is_run_cmd(runCmd) @@ -21,9 +23,11 @@ CxPolicy[result] { token != "install" not valid_match(token) + stage := input.document[i].command[name] + from_command := dockerLib.get_original_from_command(stage) result := { "documentId": input.document[i].id, - "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, runCmd.Original]), + "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, runCmd.Original]), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("'%s' uses npm install with a pinned version", [runCmd.Original]), "keyActualValue": sprintf("'%s' does not uses npm install with a pinned version", [runCmd.Original]), diff --git a/assets/queries/dockerfile/npm_install_without_pinned_version/test/negative2.dockerfile b/assets/queries/dockerfile/npm_install_without_pinned_version/test/negative2.dockerfile new file mode 100644 index 00000000000..cb59f7ede0e --- /dev/null +++ b/assets/queries/dockerfile/npm_install_without_pinned_version/test/negative2.dockerfile @@ -0,0 +1,11 @@ +from node:12 +run npm install +run npm install sax@latest +run npm install sax@0.1.1 +run npm install sax@0.1.1 | grep fail && npm install sax@latest +run npm install git://github.com/npm/cli.git +run npm install git+ssh://git@github.com:npm/cli#semver:^5.0 +run npm install --production --no-cache +run npm config set registry && \ + npm install && \ + npx vite build --mode $VITE_MODE \ No newline at end of file 
diff --git a/assets/queries/dockerfile/npm_install_without_pinned_version/test/positive2.dockerfile b/assets/queries/dockerfile/npm_install_without_pinned_version/test/positive2.dockerfile new file mode 100644 index 00000000000..ea0b3b40465 --- /dev/null +++ b/assets/queries/dockerfile/npm_install_without_pinned_version/test/positive2.dockerfile @@ -0,0 +1,8 @@ +from node:12 +run npm install sax +run npm install sax --no-cache +run npm install sax | grep fail && npm install sax@latest +run npm install sax@latest | grep fail && npm install sax +run npm install sax | grep fail && npm install sax +run npm i -g @angular/cli +run ["npm","add","sax"] diff --git a/assets/queries/dockerfile/npm_install_without_pinned_version/test/positive_expected_result.json b/assets/queries/dockerfile/npm_install_without_pinned_version/test/positive_expected_result.json index ec6862cd11b..563d30702a0 100644 --- a/assets/queries/dockerfile/npm_install_without_pinned_version/test/positive_expected_result.json +++ b/assets/queries/dockerfile/npm_install_without_pinned_version/test/positive_expected_result.json 
@@ -1,44 +1,86 @@
 [
- {
- "queryName": "NPM Install Command Without Pinned Version",
- "severity": "MEDIUM",
- "line": 2,
- "filename": "positive1.dockerfile"
- },
- {
- "queryName": "NPM Install Command Without Pinned Version",
- "severity": "MEDIUM",
- "line": 3,
- "filename": "positive1.dockerfile"
- },
- {
- "queryName": "NPM Install Command Without Pinned Version",
- "severity": "MEDIUM",
- "line": 4,
- "filename": "positive1.dockerfile"
- },
- {
- "queryName": "NPM Install Command Without Pinned Version",
- "severity": "MEDIUM",
- "line": 5,
- "filename": "positive1.dockerfile"
- },
- {
- "queryName": "NPM Install Command Without Pinned Version",
- "severity": "MEDIUM",
- "line": 6,
- "filename": "positive1.dockerfile"
- },
- {
- "queryName": "NPM Install Command Without Pinned Version",
- "severity": "MEDIUM",
- "line": 7,
- "filename": "positive1.dockerfile"
- },
- {
- "queryName": "NPM Install Command Without Pinned Version",
- "severity": "MEDIUM",
- "line": 8,
- "filename": "positive1.dockerfile"
- }
+ {
+ "queryName": "NPM Install Command Without Pinned Version",
+ "severity": "MEDIUM",
+ "line": 2,
+ "filename": "positive1.dockerfile"
+ },
+ {
+ "queryName": "NPM Install Command Without Pinned Version",
+ "severity": "MEDIUM",
+ "line": 3,
+ "filename": "positive1.dockerfile"
+ },
+ {
+ "queryName": "NPM Install Command Without Pinned Version",
+ "severity": "MEDIUM",
+ "line": 4,
+ "filename": "positive1.dockerfile"
+ },
+ {
+ "queryName": "NPM Install Command Without Pinned Version",
+ "severity": "MEDIUM",
+ "line": 5,
+ "filename": "positive1.dockerfile"
+ },
+ {
+ "queryName": "NPM Install Command Without Pinned Version",
+ "severity": "MEDIUM",
+ "line": 6,
+ "filename": "positive1.dockerfile"
+ },
+ {
+ "queryName": "NPM Install Command Without Pinned Version",
+ "severity": "MEDIUM",
+ "line": 7,
+ "filename": "positive1.dockerfile"
+ },
+ {
+ "queryName": "NPM Install Command Without Pinned Version",
+ "severity": "MEDIUM",
+ "line": 8,
+ "filename": "positive1.dockerfile"
+ },
+ {
+ "queryName": "NPM Install Command Without Pinned Version",
+ "severity": "MEDIUM",
+ "line": 2,
+ "filename": "positive2.dockerfile"
+ },
+ {
+ "queryName": "NPM Install Command Without Pinned Version",
+ "severity": "MEDIUM",
+ "line": 3,
+ "filename": "positive2.dockerfile"
+ },
+ {
+ "queryName": "NPM Install Command Without Pinned Version",
+ "severity": "MEDIUM",
+ "line": 4,
+ "filename": "positive2.dockerfile"
+ },
+ {
+ "queryName": "NPM Install Command Without Pinned Version",
+ "severity": "MEDIUM",
+ "line": 5,
+ "filename": "positive2.dockerfile"
+ },
+ {
+ "queryName": "NPM Install Command Without Pinned Version",
+ "severity": "MEDIUM",
+ "line": 6,
+ "filename": "positive2.dockerfile"
+ },
+ {
+ "queryName": "NPM Install Command Without Pinned Version",
+ "severity": "MEDIUM",
+ "line": 7,
+ "filename": "positive2.dockerfile"
+ },
+ {
+ "queryName": "NPM Install Command Without Pinned Version",
+ "severity": "MEDIUM",
+ "line": 8,
+ "filename": "positive2.dockerfile"
+ },
 ]
\ No newline at end of file
diff --git a/assets/queries/dockerfile/pip_install_keeping_cached_packages/query.rego b/assets/queries/dockerfile/pip_install_keeping_cached_packages/query.rego
index 50eec9a5c4c..1412a5a176c 100644
--- a/assets/queries/dockerfile/pip_install_keeping_cached_packages/query.rego
+++ b/assets/queries/dockerfile/pip_install_keeping_cached_packages/query.rego
@@ -11,9 +11,11 @@ CxPolicy[result] {
 hasCacheFlag(values)
+ stage := input.document[i].command[name]
+ from_command := dockerLib.get_original_from_command(stage)
 result := {
 "documentId": input.document[i].id,
- "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, values]),
+ "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, values]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "The '--no-cache-dir' flag should be set when running 'pip/pip3 install'",
 "keyActualValue": "The '--no-cache-dir' flag isn't set when running 'pip/pip3 install'",
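Review bot: The last added object closes with `+ },` directly before the unchanged `]`, which leaves a trailing comma and makes the file invalid under a strict JSON parser; the final entry should end with `}` as the last object does in every other expected-result file of this change. The entries also keep the lowercase `"filename"` key while the sibling fixtures added here use `"fileName"`; whichever key the test harness reads, the two spellings should not coexist across fixtures — confirm against the harness and align this file.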
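Review bot: This hunk introduces a call to `dockerLib.get_original_from_command`, but the file's diff has no hunk adding `import data.generic.dockerfile as dockerLib`, unlike the npm, cd, apt, posix, same-alias, pipefail and ports queries, which each add it in a first hunk. If the file does not already import that package the policy fails to load; the same applies to run_using_sudo and run_using_wget_and_curl, whose diffs likewise only touch the rule bodies. Please confirm the import is already present in all three, or add `import data.generic.dockerfile as dockerLib` after `package Cx`.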
@@ -30,9 +32,11 @@ CxPolicy[result] {
 not hasCacheFlagInList(resource.Value)
+ stage := input.document[i].command[name]
+ from_command := dockerLib.get_original_from_command(stage)
 result := {
 "documentId": input.document[i].id,
- "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]),
+ "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, resource.Original]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "The '--no-cache-dir' flag should be set when running 'pip/pip3 install'",
 "keyActualValue": "The '--no-cache-dir' flag isn't set when running 'pip/pip3 install'",
diff --git a/assets/queries/dockerfile/pip_install_keeping_cached_packages/test/negative2.dockerfile b/assets/queries/dockerfile/pip_install_keeping_cached_packages/test/negative2.dockerfile
new file mode 100644
index 00000000000..b8fe51dec35
--- /dev/null
+++ b/assets/queries/dockerfile/pip_install_keeping_cached_packages/test/negative2.dockerfile
@@ -0,0 +1,7 @@
+from python:3
+run pip install --no-cache-dir --upgrade pip && \
+ pip install --no-cache-dir nibabel pydicom matplotlib pillow && \
+ pip install --no-cache-dir med2image
+run pip3 install --no-cache-dir requests=2.7.0
+run ["pip3", "install", "requests=2.7.0", "--no-cache-dir"]
+cmd ["cat", "/etc/os-release"]
diff --git a/assets/queries/dockerfile/pip_install_keeping_cached_packages/test/positive2.dockerfile b/assets/queries/dockerfile/pip_install_keeping_cached_packages/test/positive2.dockerfile
new file mode 100644
index 00000000000..116a81d85ad
--- /dev/null
+++ b/assets/queries/dockerfile/pip_install_keeping_cached_packages/test/positive2.dockerfile
@@ -0,0 +1,12 @@
+from python:3
+run pip install --upgrade pip && \
+ pip install nibabel pydicom matplotlib pillow && \
+ pip install med2image
+cmd ["cat", "/etc/os-release"]
+
+from python:3.1
+run pip install --upgrade pip
+run python -m pip install nibabel pydicom matplotlib pillow
+run pip3 install requests=2.7.0
+run ["pip3", "install", "requests=2.7.0"]
+cmd ["cat", "/etc/os-release"]
diff --git a/assets/queries/dockerfile/pip_install_keeping_cached_packages/test/positive_expected_result.json b/assets/queries/dockerfile/pip_install_keeping_cached_packages/test/positive_expected_result.json
index 727c06aeff6..ba31acf207f 100644
--- a/assets/queries/dockerfile/pip_install_keeping_cached_packages/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/pip_install_keeping_cached_packages/test/positive_expected_result.json
@@ -1,27 +1,38 @@
 [
- {
- "queryName": "Pip install Keeping Cached Packages",
- "severity": "LOW",
- "line": 2
- },
- {
- "queryName": "Pip install Keeping Cached Packages",
- "severity": "LOW",
- "line": 8
- },
- {
- "queryName": "Pip install Keeping Cached Packages",
- "severity": "LOW",
- "line": 9
- },
- {
- "queryName": "Pip install Keeping Cached Packages",
- "severity": "LOW",
- "line": 10
- },
- {
- "queryName": "Pip install Keeping Cached Packages",
- "severity": "LOW",
- "line": 11
- }
+ {
+ "queryName": "Pip install Keeping Cached Packages",
+ "severity": "LOW",
+ "line": 2,
+ "fileName": "positive.dockerfile"
+ },
+ {
+ "queryName": "Pip install Keeping Cached Packages",
+ "severity": "LOW",
+ "line": 8,
+ "fileName": "positive.dockerfile"
+ },
+ {
+ "queryName": "Pip install Keeping Cached Packages",
+ "severity": "LOW",
+ "line": 9,
+ "fileName": "positive.dockerfile"
+ },
+ {
+ "queryName": "Pip install Keeping Cached Packages",
+ "severity": "LOW",
+ "line": 10,
+ "fileName": "positive.dockerfile"
+ },
+ {
+ "queryName": "Pip install Keeping Cached Packages",
+ "severity": "LOW",
+ "line": 11,
+ "fileName": "positive.dockerfile"
+ },
+ {
+ "queryName": "Pip install Keeping Cached Packages",
+ "severity": "LOW",
+ "line": 2,
+ "fileName": "positive2.dockerfile"
+ }
 ]
\ No newline at end of file
diff --git a/assets/queries/dockerfile/run_command_cd_instead_of_workdir/query.rego b/assets/queries/dockerfile/run_command_cd_instead_of_workdir/query.rego
index 9a75bbd392b..a1d5aa2fce9 100644
--- a/assets/queries/dockerfile/run_command_cd_instead_of_workdir/query.rego
+++ b/assets/queries/dockerfile/run_command_cd_instead_of_workdir/query.rego
@@ -1,5 +1,7 @@
 package Cx
+import data.generic.dockerfile as dockerLib
+
 CxPolicy[result] {
 resource := input.document[i].command[name][_]
 resource.Cmd == "run"
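Review bot: The new positive2.dockerfile mirrors, line for line, the layout that yields results on lines 2, 8, 9, 10 and 11 for positive.dockerfile, yet the expected list only adds line 2 for positive2; its lines 8–11 (`run pip install --upgrade pip`, `run python -m pip install …`, `run pip3 install requests=2.7.0`, `run ["pip3", "install", "requests=2.7.0"]`) are just as cache-keeping. Either the harness will report four unexpected results, or the lowercase second stage is not being detected and the shortened expectation is masking that. Add the four missing objects for `positive2.dockerfile` (lines 8, 9, 10, 11) or trim the fixture, and check which of the two explains the current list.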
@@ -10,9 +12,11 @@ CxPolicy[result] {
 not is_full_path(path)
+ stage := input.document[i].command[name]
+ from_command := dockerLib.get_original_from_command(stage)
 result := {
 "documentId": input.document[i].id,
- "searchKey": sprintf("FROM={{%s}}.RUN={{%s}}", [name, resource.Value[0]]),
+ "searchKey": sprintf("%s={{%s}}.RUN={{%s}}", [from_command, name, resource.Value[0]]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "Using WORKDIR to change directory",
 "keyActualValue": sprintf("RUN %s'", [resource.Value[0]]),
diff --git a/assets/queries/dockerfile/run_command_cd_instead_of_workdir/test/negative3.dockerfile b/assets/queries/dockerfile/run_command_cd_instead_of_workdir/test/negative3.dockerfile
new file mode 100644
index 00000000000..cfd63dc6a9b
--- /dev/null
+++ b/assets/queries/dockerfile/run_command_cd_instead_of_workdir/test/negative3.dockerfile
@@ -0,0 +1,5 @@
+from nginx
+env AUTHOR=Docker
+workdir /usr/share/nginx/html
+copy Hello_docker.html /usr/share/nginx/html
+cmd cd /usr/share/nginx/html && sed -e s/Docker/"$AUTHOR"/ Hello_docker.html > index.html ; nginx -g 'daemon off;'
\ No newline at end of file
diff --git a/assets/queries/dockerfile/run_command_cd_instead_of_workdir/test/positive2.dockerfile b/assets/queries/dockerfile/run_command_cd_instead_of_workdir/test/positive2.dockerfile
new file mode 100644
index 00000000000..8abcf679cba
--- /dev/null
+++ b/assets/queries/dockerfile/run_command_cd_instead_of_workdir/test/positive2.dockerfile
@@ -0,0 +1,17 @@
+from nginx
+env AUTHOR=Docker
+run cd /../share/nginx/html
+copy Hello_docker.html /usr/share/nginx/html
+cmd cd /usr/share/nginx/html && sed -e s/Docker/"$AUTHOR"/ Hello_docker.html > index.html ; nginx -g 'daemon off;'
+
+from nginx
+env AUTHOR=Docker
+run cd ../share/nginx/html
+copy Hello_docker.html /usr/share/nginx/html
+cmd cd /usr/share/nginx/html && sed -e s/Docker/"$AUTHOR"/ Hello_docker.html > index.html ; nginx -g 'daemon off;'
+
+from nginx
+env AUTHOR=Docker
+run cd /usr/../share/nginx/html
+copy Hello_docker.html /usr/share/nginx/html
+cmd cd /usr/share/nginx/html && sed -e s/Docker/"$AUTHOR"/ Hello_docker.html > index.html ; nginx -g 'daemon off;'
diff --git a/assets/queries/dockerfile/run_command_cd_instead_of_workdir/test/positive_expected_result.json b/assets/queries/dockerfile/run_command_cd_instead_of_workdir/test/positive_expected_result.json
index 4cba6c72f3f..6b424f1b2a4 100644
--- a/assets/queries/dockerfile/run_command_cd_instead_of_workdir/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/run_command_cd_instead_of_workdir/test/positive_expected_result.json
@@ -1,20 +1,43 @@
 [
- {
- "queryName": "RUN Instruction Using 'cd' Instead of WORKDIR",
- "severity": "LOW",
- "line": 3,
- "fileName": "positive.dockerfile"
- },
- {
- "queryName": "RUN Instruction Using 'cd' Instead of WORKDIR",
- "severity": "LOW",
- "line": 9,
- "fileName": "positive.dockerfile"
- },
- {
- "queryName": "RUN Instruction Using 'cd' Instead of WORKDIR",
- "severity": "LOW",
- "line": 15,
- "fileName": "positive.dockerfile"
- }
+ {
+ "queryName": "RUN Instruction Using 'cd' Instead of WORKDIR",
+ "severity": "LOW",
+ "line": 3,
+ "fileName": "positive.dockerfile"
+ },
+ {
+ "queryName": "RUN Instruction Using 'cd' Instead of WORKDIR",
+ "severity": "LOW",
+ "line": 9,
+ "fileName": "positive.dockerfile"
+ },
+ {
+ "queryName": "RUN Instruction Using 'cd' Instead of WORKDIR",
+ "severity": "LOW",
+ "line": 15,
+ "fileName": "positive.dockerfile"
+ },
+ {
+ "queryName": "RUN Instruction Using 'cd' Instead of WORKDIR",
+ "severity": "LOW",
+ "line": 3,
+ "fileName": "positive2.dockerfile"
+ },
+ {
+ "queryName": "RUN Instruction Using 'cd' Instead of WORKDIR",
+ "severity": "LOW",
+ "line": 9,
+ "fileName": "positive2.dockerfile"
+ },
+ {
+ "queryName": "RUN Instruction Using 'cd' Instead of WORKDIR",
+ "severity": "LOW",
+ "line": 15,
+ "fileName": "positive2.dockerfile"
+ },{
+ "queryName": "RUN Instruction Using 'cd' Instead of WORKDIR",
+ "severity": "LOW",
+ "line": 3,
+ "fileName": "positive2.dockerfile"
+ }
 ]
\ No newline at end of file
diff --git a/assets/queries/dockerfile/run_using_apt/query.rego b/assets/queries/dockerfile/run_using_apt/query.rego
index b7f210a8805..1976c18bec7 100644
--- a/assets/queries/dockerfile/run_using_apt/query.rego
+++ b/assets/queries/dockerfile/run_using_apt/query.rego
@@ -1,5 +1,7 @@
 package Cx
+import data.generic.dockerfile as dockerLib
+
 CxPolicy[result] {
 document := input.document[i]
 commands = document.command
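Review bot: The added list ends with `},{` followed by a second object for `positive2.dockerfile` line 3, which duplicates the entry four objects earlier; positive2.dockerfile has exactly three `run cd` instructions (lines 3, 9, 15), so unless a second rule in this query fires on line 3 the seventh object is a copy-paste leftover that will make the expected count disagree with the scan. Drop it, or if it is intended, close the previous object with `},` on its own line and open the next with `{` like the rest of the file.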
@@ -9,9 +11,10 @@ CxPolicy[result] {
 some j
 contains(commands[img][c].Value[j], "apt ")
+ from_command := dockerLib.get_original_from_command(commands[img])
 result := {
 "documentId": document.id,
- "searchKey": sprintf("FROM={{%s}}.{{%s}}", [img, commands[img][c].Original]),
+ "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, img, commands[img][c].Original]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "RUN instructions should not use the 'apt' program",
 "keyActualValue": "RUN instruction is invoking the 'apt' program",
diff --git a/assets/queries/dockerfile/run_using_apt/test/negative2.dockerfile b/assets/queries/dockerfile/run_using_apt/test/negative2.dockerfile
new file mode 100644
index 00000000000..0fbb58df873
--- /dev/null
+++ b/assets/queries/dockerfile/run_using_apt/test/negative2.dockerfile
@@ -0,0 +1,3 @@
+from busybox:1.0
+run apt-get install curl
+healthcheck CMD curl --fail http://localhost:3000 || exit 1
diff --git a/assets/queries/dockerfile/run_using_apt/test/positive2.dockerfile b/assets/queries/dockerfile/run_using_apt/test/positive2.dockerfile
new file mode 100644
index 00000000000..2c507976add
--- /dev/null
+++ b/assets/queries/dockerfile/run_using_apt/test/positive2.dockerfile
@@ -0,0 +1,3 @@
+from busybox:1.0
+run apt install curl
+healthcheck CMD curl --fail http://localhost:3000 || exit 1
diff --git a/assets/queries/dockerfile/run_using_apt/test/positive_expected_result.json b/assets/queries/dockerfile/run_using_apt/test/positive_expected_result.json
index c6a5e011847..fdf680af097 100644
--- a/assets/queries/dockerfile/run_using_apt/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/run_using_apt/test/positive_expected_result.json
@@ -1,7 +1,14 @@
 [
- {
- "queryName": "Run Using apt",
- "severity": "LOW",
- "line": 2
- }
+ {
+ "queryName": "Run Using apt",
+ "severity": "LOW",
+ "line": 2,
+ "fileName": "positive.dockerfile"
+ },
+ {
+ "queryName": "Run Using apt",
+ "severity": "LOW",
+ "line": 2,
+ "fileName": "positive2.dockerfile"
+ }
 ]
\ No newline at end of file
diff --git a/assets/queries/dockerfile/run_using_sudo/query.rego b/assets/queries/dockerfile/run_using_sudo/query.rego
index 224e4913438..a258365d826 100644
--- a/assets/queries/dockerfile/run_using_sudo/query.rego
+++ b/assets/queries/dockerfile/run_using_sudo/query.rego
@@ -9,9 +9,11 @@ CxPolicy[result] {
 hasSudo(resource.Value[0])
+ stage := input.document[i].command[name]
+ from_command := dockerLib.get_original_from_command(stage)
 result := {
 "documentId": input.document[i].id,
- "searchKey": sprintf("FROM={{%s}}.RUN={{%s}}", [name, resource.Value[0]]),
+ "searchKey": sprintf("%s={{%s}}.RUN={{%s}}", [from_command, name, resource.Value[0]]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "RUN instruction shouldn't contain sudo",
 "keyActualValue": "RUN instruction contains sudo",
@@ -25,9 +27,11 @@ CxPolicy[result] {
 resource.Value[0] == "sudo"
+ stage := input.document[i].command[name]
+ from_command := dockerLib.get_original_from_command(stage)
 result := {
 "documentId": input.document[i].id,
- "searchKey": sprintf("FROM={{%s}}.RUN={{%s}}", [name, resource.Original]),
+ "searchKey": sprintf("%s={{%s}}.RUN={{%s}}", [from_command, name, resource.Original]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "RUN instruction shouldn't contain sudo",
 "keyActualValue": "RUN instruction contains sudo",
diff --git a/assets/queries/dockerfile/run_using_sudo/test/negative2.dockerfile b/assets/queries/dockerfile/run_using_sudo/test/negative2.dockerfile
new file mode 100644
index 00000000000..7e5ee45d32a
--- /dev/null
+++ b/assets/queries/dockerfile/run_using_sudo/test/negative2.dockerfile
@@ -0,0 +1,10 @@
+from alpine:3.5
+run apk add --update py2-pip
+run pip install --upgrade pip
+run apt-get install sudo
+copy requirements.txt /usr/src/app/
+run pip install --no-cache-dir -r /usr/src/app/requirements.txt
+copy app.py /usr/src/app/
+copy templates/index.html /usr/src/app/templates/
+expose 5000
+cmd ["python", "/usr/src/app/app.py"]
diff --git a/assets/queries/dockerfile/run_using_sudo/test/positive2.dockerfile b/assets/queries/dockerfile/run_using_sudo/test/positive2.dockerfile
new file mode 100644
index 00000000000..650b345cb74
--- /dev/null
+++ b/assets/queries/dockerfile/run_using_sudo/test/positive2.dockerfile
@@ -0,0 +1,9 @@
+from alpine:3.5
+run apk add --update py2-pip
+run sudo pip install --upgrade pip
+copy requirements.txt /usr/src/app/
+run pip install --no-cache-dir -r /usr/src/app/requirements.txt
+copy app.py /usr/src/app/
+copy templates/index.html /usr/src/app/templates/
+expose 5000
+cmd ["python", "/usr/src/app/app.py"]
\ No newline at end of file
diff --git a/assets/queries/dockerfile/run_using_sudo/test/positive_expected_result.json b/assets/queries/dockerfile/run_using_sudo/test/positive_expected_result.json
index 581fa52051a..da03ae5536a 100644
--- a/assets/queries/dockerfile/run_using_sudo/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/run_using_sudo/test/positive_expected_result.json
@@ -1,7 +1,14 @@
 [
- {
- "queryName": "Run Using Sudo",
- "severity": "MEDIUM",
- "line": 3
- }
+ {
+ "queryName": "Run Using Sudo",
+ "severity": "MEDIUM",
+ "line": 3,
+ "fileName": "positive.dockerfile"
+ },
+ {
+ "queryName": "Run Using Sudo",
+ "severity": "MEDIUM",
+ "line": 3,
+ "fileName": "positive2.dockerfile"
+ }
 ]
\ No newline at end of file
diff --git a/assets/queries/dockerfile/run_using_wget_and_curl/query.rego b/assets/queries/dockerfile/run_using_wget_and_curl/query.rego
index 617376f946c..9acf1c45407 100644
--- a/assets/queries/dockerfile/run_using_wget_and_curl/query.rego
+++ b/assets/queries/dockerfile/run_using_wget_and_curl/query.rego
@@ -11,9 +11,10 @@ CxPolicy[result] {
 count(curl) > 0
 count(wget) > 0
+ from_command := dockerLib.get_original_from_command(resource)
 result := {
 "documentId": input.document[i].id,
- "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, curl[0]]),
+ "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, curl[0]]),
 "issueType": "RedundantAttribute",
 "keyExpectedValue": "Exclusively using 'wget' or 'curl'",
 "keyActualValue": "Using both 'wget' and 'curl'",
diff --git a/assets/queries/dockerfile/run_using_wget_and_curl/test/negative2.dockerfile b/assets/queries/dockerfile/run_using_wget_and_curl/test/negative2.dockerfile
new file mode 100644
index 00000000000..d48fe91f7c6
--- /dev/null
+++ b/assets/queries/dockerfile/run_using_wget_and_curl/test/negative2.dockerfile
@@ -0,0 +1,4 @@
+from debian
+run curl http://google.com
+run curl http://bing.com
+run ["curl", "http://bing.com"]
diff --git a/assets/queries/dockerfile/run_using_wget_and_curl/test/positive2.dockerfile b/assets/queries/dockerfile/run_using_wget_and_curl/test/positive2.dockerfile
new file mode 100644
index 00000000000..a78eab5ff90
--- /dev/null
+++ b/assets/queries/dockerfile/run_using_wget_and_curl/test/positive2.dockerfile
@@ -0,0 +1,8 @@
+from debian
+run wget http://google.com
+run curl http://bing.com
+
+from baseImage
+run wget http://test.com
+run curl http://bing.com
+run ["curl", "http://bing.com"]
diff --git a/assets/queries/dockerfile/run_using_wget_and_curl/test/positive_expected_result.json b/assets/queries/dockerfile/run_using_wget_and_curl/test/positive_expected_result.json
index 82340b752d6..704421a805d 100644
--- a/assets/queries/dockerfile/run_using_wget_and_curl/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/run_using_wget_and_curl/test/positive_expected_result.json
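Review bot: `from_command := dockerLib.get_original_from_command(resource)` passes `resource`, whereas every other rewritten query in this change passes the stage's command list (`input.document[i].command[name]`); the binding of `resource` sits above the hunk, so if it is a single instruction rather than the stage the helper receives the wrong shape and the rule silently becomes undefined. If `resource` is already the stage list here, a short comment at the call would spare the next reader the lookup, e.g. `# resource is the whole stage (command[name]); see the binding above`.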
@@ -1,17 +1,38 @@
 [
- {
- "queryName": "Run Using 'wget' and 'curl'",
- "severity": "LOW",
- "line": 3
- },
- {
- "queryName": "Run Using 'wget' and 'curl'",
- "severity": "LOW",
- "line": 7
- },
- {
- "queryName": "Run Using 'wget' and 'curl'",
- "severity": "LOW",
- "line": 8
- }
+ {
+ "queryName": "Run Using 'wget' and 'curl'",
+ "severity": "LOW",
+ "line": 3,
+ "fileName": "positive.dockerfile"
+ },
+ {
+ "queryName": "Run Using 'wget' and 'curl'",
+ "severity": "LOW",
+ "line": 7,
+ "fileName": "positive.dockerfile"
+ },
+ {
+ "queryName": "Run Using 'wget' and 'curl'",
+ "severity": "LOW",
+ "line": 8,
+ "fileName": "positive.dockerfile"
+ },
+ {
+ "queryName": "Run Using 'wget' and 'curl'",
+ "severity": "LOW",
+ "line": 3,
+ "fileName": "positive2.dockerfile"
+ },
+ {
+ "queryName": "Run Using 'wget' and 'curl'",
+ "severity": "LOW",
+ "line": 7,
+ "fileName": "positive2.dockerfile"
+ },
+ {
+ "queryName": "Run Using 'wget' and 'curl'",
+ "severity": "LOW",
+ "line": 8,
+ "fileName": "positive2.dockerfile"
+ }
 ]
\ No newline at end of file
diff --git a/assets/queries/dockerfile/run_utilities_and_posix_commands/query.rego b/assets/queries/dockerfile/run_utilities_and_posix_commands/query.rego
index 887ccb0aae6..acdf278b2a6 100644
--- a/assets/queries/dockerfile/run_utilities_and_posix_commands/query.rego
+++ b/assets/queries/dockerfile/run_utilities_and_posix_commands/query.rego
@@ -1,14 +1,18 @@
 package Cx
+import data.generic.dockerfile as dockerLib
+
 CxPolicy[result] {
 resource := input.document[i].command[name][_]
 resource.Cmd == "run"
 containsCommand(resource) == true
+ stage := input.document[i].command[name]
+ from_command := dockerLib.get_original_from_command(stage)
 result := {
 "documentId": input.document[i].id,
- "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]),
+ "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, resource.Original]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "There should be no dangerous commands or utilities executed",
 "keyActualValue": sprintf("Run instruction is executing the %s command", [resource.Value[0]]),
diff --git a/assets/queries/dockerfile/run_utilities_and_posix_commands/test/negative2.dockerfile b/assets/queries/dockerfile/run_utilities_and_posix_commands/test/negative2.dockerfile
new file mode 100644
index 00000000000..d3aa7e141ae
--- /dev/null
+++ b/assets/queries/dockerfile/run_utilities_and_posix_commands/test/negative2.dockerfile
@@ -0,0 +1,8 @@
+from ubuntu
+run apt-get update && apt-get install -y x11vnc xvfb firefox
+run mkdir ~/.vnc
+run x11vnc -storepasswd 1234 ~/.vnc/passwd
+run bash -c 'echo "firefox" >> /.bashrc'
+run apt-get install nano vim
+expose 5900
+cmd ["x11vnc", "-forever", "-usepw", "-create"]
diff --git a/assets/queries/dockerfile/run_utilities_and_posix_commands/test/positive2.dockerfile b/assets/queries/dockerfile/run_utilities_and_posix_commands/test/positive2.dockerfile
new file mode 100644
index 00000000000..3b72fdee3ee
--- /dev/null
+++ b/assets/queries/dockerfile/run_utilities_and_posix_commands/test/positive2.dockerfile
@@ -0,0 +1,6 @@
+from golang:1.12.0-stretch
+workdir /go
+copy . /go
+run top
+run ["ps", "-d"]
+cmd ["go", "run", "main.go"]
diff --git a/assets/queries/dockerfile/run_utilities_and_posix_commands/test/positive_expected_result.json b/assets/queries/dockerfile/run_utilities_and_posix_commands/test/positive_expected_result.json
index 9f366ada36a..1cccbe4fdac 100644
--- a/assets/queries/dockerfile/run_utilities_and_posix_commands/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/run_utilities_and_posix_commands/test/positive_expected_result.json
@@ -1,12 +1,26 @@
 [
- {
- "queryName": "Run Utilities And POSIX Commands",
- "severity": "INFO",
- "line": 4
- },
- {
- "queryName": "Run Utilities And POSIX Commands",
- "severity": "INFO",
- "line": 5
- }
-]
+ {
+ "queryName": "Run Utilities And POSIX Commands",
+ "severity": "INFO",
+ "line": 4,
+ "fileName": "positive.dockerfile"
+ },
+ {
+ "queryName": "Run Utilities And POSIX Commands",
+ "severity": "INFO",
+ "line": 5,
+ "fileName": "positive.dockerfile"
+ },
+ {
+ "queryName": "Run Utilities And POSIX Commands",
+ "severity": "INFO",
+ "line": 4,
+ "fileName": "positive2.dockerfile"
+ },
+ {
+ "queryName": "Run Utilities And POSIX Commands",
+ "severity": "INFO",
+ "line": 5,
+ "fileName": "positive2.dockerfile"
+ }
+]
\ No newline at end of file
diff --git a/assets/queries/dockerfile/same_alias_in_different_froms/query.rego b/assets/queries/dockerfile/same_alias_in_different_froms/query.rego
index 933f588f86f..1f3dc599518 100644
--- a/assets/queries/dockerfile/same_alias_in_different_froms/query.rego
+++ b/assets/queries/dockerfile/same_alias_in_different_froms/query.rego
@@ -1,5 +1,7 @@
 package Cx
+import data.generic.dockerfile as dockerLib
+
 CxPolicy[result] {
 resource := input.document[i].command[name][com]
 resource.Cmd == "from"
@@ -14,9 +16,10 @@ CxPolicy[result] {
 idx_2 := getIndex(aliasResource.Value)
 aliasResource.Value[idx_2] == nameAlias
+ from_command := dockerLib.get_original_from_command(input.document[i].command[name2])
 result := {
 "documentId": input.document[i].id,
- "searchKey": sprintf("FROM={{%s}}", [aliasResource.Value[idx_2]]),
+ "searchKey": sprintf("%s={{%s}}", [from_command, aliasResource.Value[idx_2]]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "Different FROM commands don't have the same alias defined",
 "keyActualValue": sprintf("Different FROM commands with with the same alias '%s' defined", [aliasResource.Value[idx_2]]),
diff --git a/assets/queries/dockerfile/same_alias_in_different_froms/test/negative2.dockerfile b/assets/queries/dockerfile/same_alias_in_different_froms/test/negative2.dockerfile
new file mode 100644
index 00000000000..735a723879a
--- /dev/null
+++ b/assets/queries/dockerfile/same_alias_in_different_froms/test/negative2.dockerfile
@@ -0,0 +1,5 @@
+from debian:jesse1 as build
+run stuff
+
+from debian:jesse1 as another-alias
+run more_stuff
diff --git a/assets/queries/dockerfile/same_alias_in_different_froms/test/positive2.dockerfile b/assets/queries/dockerfile/same_alias_in_different_froms/test/positive2.dockerfile
new file mode 100644
index 00000000000..1932587dc3d
--- /dev/null
+++ b/assets/queries/dockerfile/same_alias_in_different_froms/test/positive2.dockerfile
@@ -0,0 +1,8 @@
+from baseImage
+run Test
+
+from debian:jesse2 as build
+run stuff
+
+from debian:jesse1 as build
+run more_stuff
diff --git a/assets/queries/dockerfile/same_alias_in_different_froms/test/positive_expected_result.json b/assets/queries/dockerfile/same_alias_in_different_froms/test/positive_expected_result.json
index 9e65369181b..4f0c09802ac 100644
--- a/assets/queries/dockerfile/same_alias_in_different_froms/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/same_alias_in_different_froms/test/positive_expected_result.json
@@ -1,7 +1,13 @@
 [
- {
- "queryName": "Same Alias In Different Froms",
- "severity": "LOW",
- "line": 4
- }
+ {
+ "queryName": "Same Alias In Different Froms",
+ "severity": "LOW",
+ "line": 4
+ },
+ {
+ "queryName": "Same Alias In Different Froms",
+ "severity": "LOW",
+ "line": 4,
+ "fileName": "positive2.dockerfile"
+ }
 ]
\ No newline at end of file
diff --git a/assets/queries/dockerfile/shell_running_a_pipe_without_pipefail_flag/query.rego b/assets/queries/dockerfile/shell_running_a_pipe_without_pipefail_flag/query.rego
index 0f0ceedb0a7..5ba93023521 100644
--- a/assets/queries/dockerfile/shell_running_a_pipe_without_pipefail_flag/query.rego
+++ b/assets/queries/dockerfile/shell_running_a_pipe_without_pipefail_flag/query.rego
@@ -1,6 +1,7 @@
 package Cx
 import data.generic.common as common_lib
+import data.generic.dockerfile as dockerLib
 CxPolicy[result] {
 commands := input.document[i].command[name]
@@ -19,9 +20,10 @@ CxPolicy[result] {
 not hasPipefail(commands, match.shell, j)
+ from_command := dockerLib.get_original_from_command(commands)
 result := {
 "documentId": input.document[i].id,
- "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, runCmd.Original]),
+ "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, runCmd.Original]),
 "searchValue": match.shell,
 "issueType": "MissingAttribute",
 "keyExpectedValue": sprintf("'%s' has pipefail option set for pipe command with shell %s.", [runCmd.Original, match.shell]),
@@ -47,9 +49,10 @@ CxPolicy[result] {
 cmdFormatted := replace(runCmd.Original, "\"", "'")
+ from_command := dockerLib.get_original_from_command(commands)
 result := {
 "documentId": input.document[i].id,
- "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, runCmd.Original]),
+ "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, runCmd.Original]),
 "searchValue": match.shell,
 "issueType": "MissingAttribute",
 "keyExpectedValue": sprintf("'%s' has pipefail option set for pipe command with shell %s.", [cmdFormatted, match.shell]),
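Review bot: The first object keeps `"line": 4` with no `"fileName"`, while the second adds `"fileName": "positive2.dockerfile"` and every other expected-result file in this change now carries the key on all entries. With two results on the same line and severity, the missing key is the only thing that distinguishes them by anything other than order, so if the harness matches on fileName when present, the pair is fragile. Add a `"fileName"` naming the original fixture to the first object so both entries are matched the same way.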
diff --git a/assets/queries/dockerfile/shell_running_a_pipe_without_pipefail_flag/test/negative2.dockerfile b/assets/queries/dockerfile/shell_running_a_pipe_without_pipefail_flag/test/negative2.dockerfile
new file mode 100644
index 00000000000..6a8d174d98d
--- /dev/null
+++ b/assets/queries/dockerfile/shell_running_a_pipe_without_pipefail_flag/test/negative2.dockerfile
@@ -0,0 +1,7 @@
+from node:12
+run pwsh SOME_CMD | SOME_OTHER_CMD
+shell [ "zsh", "-o","pipefail" ]
+run zsh ./some_output | ./some_script
+shell [ "/bin/bash", "-o","pipefail" ]
+run [ "/bin/bash", "./some_output", "./some_script" ]
+
diff --git a/assets/queries/dockerfile/shell_running_a_pipe_without_pipefail_flag/test/positive2.dockerfile b/assets/queries/dockerfile/shell_running_a_pipe_without_pipefail_flag/test/positive2.dockerfile
new file mode 100644
index 00000000000..de691928f03
--- /dev/null
+++ b/assets/queries/dockerfile/shell_running_a_pipe_without_pipefail_flag/test/positive2.dockerfile
@@ -0,0 +1,3 @@
+from node:12
+run zsh ./some_output | ./some_script
+run [ "/bin/bash", "./some_output", "|", "./some_script" ]
\ No newline at end of file
diff --git a/assets/queries/dockerfile/shell_running_a_pipe_without_pipefail_flag/test/positive_expected_result.json b/assets/queries/dockerfile/shell_running_a_pipe_without_pipefail_flag/test/positive_expected_result.json
index 66769b07386..5f7aab1d611 100644
--- a/assets/queries/dockerfile/shell_running_a_pipe_without_pipefail_flag/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/shell_running_a_pipe_without_pipefail_flag/test/positive_expected_result.json
@@ -1,12 +1,26 @@
 [
- {
- "queryName": "Shell Running A Pipe Without Pipefail Flag",
- "severity": "LOW",
- "line": 2
- },
- {
- "queryName": "Shell Running A Pipe Without Pipefail Flag",
- "severity": "LOW",
- "line": 3
- }
+ {
+ "queryName": "Shell Running A Pipe Without Pipefail Flag",
+ "severity": "LOW",
+ "line": 2,
+ "fileName": "positive.dockerfile"
+ },
+ {
+ "queryName": "Shell Running A Pipe Without Pipefail Flag",
+ "severity": "LOW",
+ "line": 3,
+ "fileName": "positive.dockerfile"
+ },
+ {
+ "queryName": "Shell Running A Pipe Without Pipefail Flag",
+ "severity": "LOW",
+ "line": 2,
+ "fileName": "positive2.dockerfile"
+ },
+ {
+ "queryName": "Shell Running A Pipe Without Pipefail Flag",
+ "severity": "LOW",
+ "line": 3,
+ "fileName": "positive2.dockerfile"
+ }
 ]
\ No newline at end of file
diff --git a/assets/queries/dockerfile/unix_ports_out_of_range/query.rego b/assets/queries/dockerfile/unix_ports_out_of_range/query.rego
index 5278813156e..c4eca8ccc45 100644
--- a/assets/queries/dockerfile/unix_ports_out_of_range/query.rego
+++ b/assets/queries/dockerfile/unix_ports_out_of_range/query.rego
@@ -1,14 +1,18 @@
 package Cx
+import data.generic.dockerfile as dockerLib
+
 CxPolicy[result] {
 command := input.document[i].command[name][_]
 command.Cmd == "expose"
 containsPortOutOfRange(command.Value)
+ stage := input.document[i].command[name]
+ from_command := dockerLib.get_original_from_command(stage)
 result := {
 "documentId": input.document[i].id,
- "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, command.Original]),
+ "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, command.Original]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "'EXPOSE' should not contain ports out of range [0, 65535]",
 "keyActualValue": "'EXPOSE' contains ports out of range [0, 65535]",
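Review bot: The added `stage := input.document[i].command[name]` repeats the document path that the existing `command := input.document[i].command[name][_]` already walks two lines earlier, so the rule now spells the same reference twice and a reader has to check that both use the same `i` and `name`. Binding the stage once and deriving the element from it reads more directly: `stage := input.document[i].command[name]` followed by `command := stage[_]`, with the `from_command` line unchanged. The same duplicated path is introduced in the unpinned_package_version_in_apk_add, unpinned_package_version_in_pip_install, update_instruction_alone, using_platform_with_from, using_unnamed_build_stages, workdir_path_not_absolute and yum_clean_all_missing hunks. The rule body ends outside this hunk.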
diff --git a/assets/queries/dockerfile/unix_ports_out_of_range/test/negative2.dockerfile b/assets/queries/dockerfile/unix_ports_out_of_range/test/negative2.dockerfile
new file mode 100644
index 00000000000..a1d39b6ed5c
--- /dev/null
+++ b/assets/queries/dockerfile/unix_ports_out_of_range/test/negative2.dockerfile
@@ -0,0 +1,4 @@
+from gliderlabs/alpine:3.3
+run apk --no-cache add nginx
+expose 3000 80 443 22
+cmd ["nginx", "-g", "daemon off;"]
\ No newline at end of file
diff --git a/assets/queries/dockerfile/unix_ports_out_of_range/test/positive2.dockerfile b/assets/queries/dockerfile/unix_ports_out_of_range/test/positive2.dockerfile
new file mode 100644
index 00000000000..0f1e9c0f7db
--- /dev/null
+++ b/assets/queries/dockerfile/unix_ports_out_of_range/test/positive2.dockerfile
@@ -0,0 +1,4 @@
+from gliderlabs/alpine:3.3
+run apk --no-cache add nginx
+expose 65536/tcp 80 443 22
+cmd ["nginx", "-g", "daemon off;"]
\ No newline at end of file
diff --git a/assets/queries/dockerfile/unix_ports_out_of_range/test/positive_expected_result.json b/assets/queries/dockerfile/unix_ports_out_of_range/test/positive_expected_result.json
index 5d57ac73d0c..45a3ec6dce2 100644
--- a/assets/queries/dockerfile/unix_ports_out_of_range/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/unix_ports_out_of_range/test/positive_expected_result.json
@@ -1,7 +1,14 @@
 [
- {
- "queryName": "UNIX Ports Out Of Range",
- "severity": "INFO",
- "line": 3
- }
+ {
+ "queryName": "UNIX Ports Out Of Range",
+ "severity": "INFO",
+ "line": 3,
+ "fileName": "positive.dockerfile"
+ },
+ {
+ "queryName": "UNIX Ports Out Of Range",
+ "severity": "INFO",
+ "line": 3,
+ "fileName": "positive2.dockerfile"
+ }
 ]
\ No newline at end of file
diff --git a/assets/queries/dockerfile/unpinned_package_version_in_apk_add/query.rego b/assets/queries/dockerfile/unpinned_package_version_in_apk_add/query.rego
index eed1cad8afc..77212be60e1 100644
--- a/assets/queries/dockerfile/unpinned_package_version_in_apk_add/query.rego
+++ b/assets/queries/dockerfile/unpinned_package_version_in_apk_add/query.rego
@@ -22,9 +22,11 @@ CxPolicy[result] {
 some j
 analyzePackages(j, packages[j], packages, length)
+ stage := input.document[i].command[name]
+ from_command := docker_lib.get_original_from_command(stage)
 result := {
 "documentId": input.document[i].id,
- "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]),
+ "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, resource.Original]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "RUN instruction with 'apk add ' should use package pinning form 'apk add ='",
 "keyActualValue": sprintf("RUN instruction %s does not use package pinning form", [resource.Value[0]]),
@@ -51,9 +53,11 @@ CxPolicy[result] {
 some j
 analyzePackages(j, packages[j], packages, length)
+ stage := input.document[i].command[name]
+ from_command := docker_lib.get_original_from_command(stage)
 result := {
 "documentId": input.document[i].id,
- "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]),
+ "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, resource.Original]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "RUN instruction with 'apk add ' should use package pinning form 'apk add ='",
 "keyActualValue": sprintf("RUN instruction %s does not use package pinning form", [resource.Value[0]]),
@@ -79,9 +83,11 @@ CxPolicy[result] {
 some j
 analyzePackages(j, packages[j], packages, length)
+ stage := input.document[i].command[name]
+ from_command := docker_lib.get_original_from_command(stage)
 result := {
 "documentId": input.document[i].id,
- "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]),
+ "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, resource.Original]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "RUN instruction with 'apk add ' should use package pinning form 'apk add ='",
 "keyActualValue": sprintf("RUN instruction %s does not use package pinning form", [resource.Value[0]]),
@@ -103,9 +109,11 @@ CxPolicy[result] {
 regex.match("^[a-zA-Z]", resource.Value[j])
 not docker_lib.withVersion(resource.Value[j])
+ stage := input.document[i].command[name]
+ from_command := docker_lib.get_original_from_command(stage)
 result := {
 "documentId": input.document[i].id,
- "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]),
+ "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, resource.Original]),
 "searchValue": resource.Value[j],
 "issueType": "IncorrectValue",
 "keyExpectedValue": "RUN instruction with 'apk add ' should use package pinning form 'apk add ='",
diff --git a/assets/queries/dockerfile/unpinned_package_version_in_apk_add/test/negative3.dockerfile b/assets/queries/dockerfile/unpinned_package_version_in_apk_add/test/negative3.dockerfile
new file mode 100644
index 00000000000..7e7f239eea8
--- /dev/null
+++ b/assets/queries/dockerfile/unpinned_package_version_in_apk_add/test/negative3.dockerfile
@@ -0,0 +1,20 @@
+from alpine:3.4
+run apk add --update py-pip=7.1.2-r0
+run sudo pip install --upgrade pip
+copy requirements.txt /usr/src/app/
+run pip install --no-cache-dir -r /usr/src/app/requirements.txt
+copy app.py /usr/src/app/
+copy templates/index.html /usr/src/app/templates/
+expose 5000
+cmd ["python", "/usr/src/app/app.py"]
+
+from alpine:3.1
+run apk add py-pip=7.1.2-r0
+run ["apk", "add", "py-pip=7.1.2-r0"]
+run sudo pip install --upgrade pip
+copy requirements.txt /usr/src/app/
+run pip install --no-cache-dir -r /usr/src/app/requirements.txt
+copy app.py /usr/src/app/
+copy templates/index.html /usr/src/app/templates/
+expose 5000
+cmd ["python", "/usr/src/app/app.py"]
diff --git a/assets/queries/dockerfile/unpinned_package_version_in_apk_add/test/positive2.dockerfile b/assets/queries/dockerfile/unpinned_package_version_in_apk_add/test/positive2.dockerfile
new file mode 100644
index 00000000000..d0356a93875
--- /dev/null
+++ b/assets/queries/dockerfile/unpinned_package_version_in_apk_add/test/positive2.dockerfile
@@ -0,0 +1,25 @@
+from alpine:3.9
+run apk add --update py-pip
+run sudo pip install --upgrade pip
+copy requirements.txt /usr/src/app/
+run pip install --no-cache-dir -r /usr/src/app/requirements.txt
+copy app.py /usr/src/app/
+copy templates/index.html /usr/src/app/templates/
+expose 5000
+env TEST="test"
+cmd ["python", "/usr/src/app/app.py"]
+
+from alpine:3.7
+run apk add py-pip && apk add tea
+run apk add py-pip \
+ && rm -rf /tmp/*
+run apk add --dir /dir libimagequant \
+ && minidlna
+run ["apk", "add", "py-pip"]
+run sudo pip install --upgrade pip
+copy requirements.txt /usr/src/app/
+run pip install --no-cache-dir -r /usr/src/app/requirements.txt
+copy app.py /usr/src/app/
+copy templates/index.html /usr/src/app/templates/
+expose 5000
+cmd ["python"]
diff --git a/assets/queries/dockerfile/unpinned_package_version_in_apk_add/test/positive_expected_result.json b/assets/queries/dockerfile/unpinned_package_version_in_apk_add/test/positive_expected_result.json
index 9f377d63c28..12d14d397df 100644
--- a/assets/queries/dockerfile/unpinned_package_version_in_apk_add/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/unpinned_package_version_in_apk_add/test/positive_expected_result.json
@@ -1,27 +1,62 @@
 [
- {
- "queryName": "Unpinned Package Version in Apk Add",
- "severity": "MEDIUM",
- "line": 2
- },
- {
- "queryName": "Unpinned Package Version in Apk Add",
- "severity": "MEDIUM",
- "line": 13
- },
- {
- "queryName": "Unpinned Package Version in Apk Add",
- "severity": "MEDIUM",
- "line": 14
- },
- {
- "queryName": "Unpinned Package Version in Apk Add",
- "severity": "MEDIUM",
- "line": 16
- },
- {
- "queryName": "Unpinned Package Version in Apk Add",
- "severity": "MEDIUM",
- "line": 18
- }
-]
+ {
+ "queryName": "Unpinned Package Version in Apk Add",
+ "severity": "MEDIUM",
+ "line": 2,
+ "fileName": "positive.dockerfile"
+ },
+ {
+ "queryName": "Unpinned Package Version in Apk Add",
+ "severity": "MEDIUM",
+ "line": 13,
+ "fileName": "positive.dockerfile"
+ },
+ {
+ "queryName": "Unpinned Package Version in Apk Add",
+ "severity": "MEDIUM",
+ "line": 14,
+ "fileName": "positive.dockerfile"
+ },
+ {
+ "queryName": "Unpinned Package Version in Apk Add",
+ "severity": "MEDIUM",
+ "line": 16,
+ "fileName": "positive.dockerfile"
+ },
+ {
+ "queryName": "Unpinned Package Version in Apk Add",
+ "severity": "MEDIUM",
+ "line": 18,
+ "fileName": "positive.dockerfile"
+ },
+ {
+ "queryName": "Unpinned Package Version in Apk Add",
+ "severity": "MEDIUM",
+ "line": 2,
+ "fileName": "positive.dockerfile"
+ },
+ {
+ "queryName": "Unpinned Package Version in Apk Add",
+ "severity": "MEDIUM",
+ "line": 13,
+ "fileName": "positive2.dockerfile"
+ },
+ {
+ "queryName": "Unpinned Package Version in Apk Add",
+ "severity": "MEDIUM",
+ "line": 14,
+ "fileName": "positive2.dockerfile"
+ },
+ {
+ "queryName": "Unpinned Package Version in Apk Add",
+ "severity": "MEDIUM",
+ "line": 16,
+ "fileName": "positive2.dockerfile"
+ },
+ {
+ "queryName": "Unpinned Package Version in Apk Add",
+ "severity": "MEDIUM",
+ "line": 18,
+ "fileName": "positive2.dockerfile"
+ }
+]
\ No newline at end of file
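Review bot: The sixth entry of the new expected-result list repeats `"line": 2, "fileName": "positive.dockerfile"`, which is already the first entry, while the four entries that follow it are all for positive2.dockerfile; line 2 of the new positive2.dockerfile is `run apk add --update py-pip`, which this query flags, so the sixth entry presumably should read `"fileName": "positive2.dockerfile"`. As written the expected set does not pin the positive2 line-2 finding at all, and whether a duplicated entry is tolerated or makes the test fail depends on the harness's matching, which is not visible here.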
diff --git a/assets/queries/dockerfile/unpinned_package_version_in_pip_install/query.rego b/assets/queries/dockerfile/unpinned_package_version_in_pip_install/query.rego
index 268199179fb..2a07790d9a0 100644
--- a/assets/queries/dockerfile/unpinned_package_version_in_pip_install/query.rego
+++ b/assets/queries/dockerfile/unpinned_package_version_in_pip_install/query.rego
@@ -23,9 +23,11 @@ CxPolicy[result] {
 some j
 analyzePackages(j, refactorPackages[j], packages, length)
+ stage := input.document[i].command[name]
+ from_command := dockerLib.get_original_from_command(stage)
 result := {
 "documentId": input.document[i].id,
- "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]),
+ "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, resource.Original]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "RUN instruction with 'pip/pip3 install ' should use package pinning form 'pip/pip3 install ='",
 "keyActualValue": sprintf("RUN instruction %s does not use package pinning form", [commands]),
@@ -47,9 +49,11 @@ CxPolicy[result] {
 regex.match("^[a-zA-Z]", resource.Value[j]) == true
 not dockerLib.withVersion(resource.Value[j])
+ stage := input.document[i].command[name]
+ from_command := dockerLib.get_original_from_command(stage)
 result := {
 "documentId": input.document[i].id,
- "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]),
+ "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, resource.Original]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "RUN instruction with 'pip/pip3 install ' should use package pinning form 'pip/pip3 install ='",
 "keyActualValue": sprintf("RUN instruction %s does not use package pinning form", [resource.Value[j]]),
diff --git a/assets/queries/dockerfile/unpinned_package_version_in_pip_install/test/negative4.dockerfile b/assets/queries/dockerfile/unpinned_package_version_in_pip_install/test/negative4.dockerfile
new file mode 100644
index 00000000000..0ab18ef4643
--- /dev/null
+++ b/assets/queries/dockerfile/unpinned_package_version_in_pip_install/test/negative4.dockerfile
@@ -0,0 +1,20 @@
+from alpine:3.4
+run apk add --update py-pip=7.1.2-r0
+run sudo pip install --upgrade pip=20.3 connexion=2.7.0
+copy requirements.txt /usr/src/app/
+run pip install --no-cache-dir -r /usr/src/app/requirements.txt
+copy app.py /usr/src/app/
+copy templates/index.html /usr/src/app/templates/
+expose 5000
+cmd ["python", "/usr/src/app/app.py"]
+
+from alpine:3.1
+run apk add py-pip=7.1.2-r0
+run sudo pip install --upgrade pip=20.3 connexion=2.7.0
+copy requirements.txt /usr/src/app/
+run pip install --no-cache-dir -r /usr/src/app/requirements.txt
+run pip3 install requests=2.7.0
+copy app.py /usr/src/app/
+copy templates/index.html /usr/src/app/templates/
+expose 5000
+cmd ["python", "/usr/src/app/app.py"]
diff --git a/assets/queries/dockerfile/unpinned_package_version_in_pip_install/test/positive2.dockerfile b/assets/queries/dockerfile/unpinned_package_version_in_pip_install/test/positive2.dockerfile
new file mode 100644
index 00000000000..d60c4c736af
--- /dev/null
+++ b/assets/queries/dockerfile/unpinned_package_version_in_pip_install/test/positive2.dockerfile
@@ -0,0 +1,22 @@
+from alpine:3.9
+run apk add --update py-pip=7.1.2-r0
+run pip install --user pip
+run ["pip", "install", "connexion"]
+copy requirements.txt /usr/src/app/
+run pip install --no-cache-dir -r /usr/src/app/requirements.txt
+copy app.py /usr/src/app/
+copy templates/index.html /usr/src/app/templates/
+expose 5000
+env TEST="test"
+cmd ["python", "/usr/src/app/app.py"]
+
+from alpine:3.7
+run apk add --update py-pip=7.1.2-r0
+run pip install connexion
+copy requirements.txt /usr/src/app/
+run pip install --no-cache-dir -r /usr/src/app/requirements.txt
+run pip3 install requests
+copy app.py /usr/src/app/
+copy templates/index.html /usr/src/app/templates/
+expose 5000
+cmd ["python"]
diff --git a/assets/queries/dockerfile/unpinned_package_version_in_pip_install/test/positive_expected_result.json b/assets/queries/dockerfile/unpinned_package_version_in_pip_install/test/positive_expected_result.json
index 4ffe50570bf..9c3e92bb647 100644
--- a/assets/queries/dockerfile/unpinned_package_version_in_pip_install/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/unpinned_package_version_in_pip_install/test/positive_expected_result.json
@@ -1,26 +1,50 @@
 [
- {
- "queryName": "Unpinned Package Version in Pip Install",
- "severity": "MEDIUM",
- "line": 3,
- "filename": "positive1.dockerfile"
- },
- {
- "queryName": "Unpinned Package Version in Pip Install",
- "severity": "MEDIUM",
- "line": 4,
- "filename": "positive1.dockerfile"
- },
- {
- "queryName": "Unpinned Package Version in Pip Install",
- "severity": "MEDIUM",
- "line": 15,
- "filename": "positive1.dockerfile"
- },
- {
- "queryName": "Unpinned Package Version in Pip Install",
- "severity": "MEDIUM",
- "line": 18,
- "filename": "positive1.dockerfile"
- }
-]
+ {
+ "queryName": "Unpinned Package Version in Pip Install",
+ "severity": "MEDIUM",
+ "line": 3,
+ "filename": "positive1.dockerfile"
+ },
+ {
+ "queryName": "Unpinned Package Version in Pip Install",
+ "severity": "MEDIUM",
+ "line": 4,
+ "filename": "positive1.dockerfile"
+ },
+ {
+ "queryName": "Unpinned Package Version in Pip Install",
+ "severity": "MEDIUM",
+ "line": 15,
+ "filename": "positive1.dockerfile"
+ },
+ {
+ "queryName": "Unpinned Package Version in Pip Install",
+ "severity": "MEDIUM",
+ "line": 18,
+ "filename": "positive1.dockerfile"
+ },
+ {
+ "queryName": "Unpinned Package Version in Pip Install",
+ "severity": "MEDIUM",
+ "line": 3,
+ "filename": "positive2.dockerfile"
+ },
+ {
+ "queryName": "Unpinned Package Version in Pip Install",
+ "severity": "MEDIUM",
+ "line": 4,
+ "filename": "positive2.dockerfile"
+ },
+ {
+ "queryName": "Unpinned Package Version in Pip Install",
+ "severity": "MEDIUM",
+ "line": 15,
+ "filename": "positive2.dockerfile"
+ },
+ {
+ "queryName": "Unpinned Package Version in Pip Install",
+ "severity": "MEDIUM",
+ "line": 18,
+ "filename": "positive2.dockerfile"
+ }
+]
\ No newline at end of file
diff --git a/assets/queries/dockerfile/update_instruction_alone/query.rego b/assets/queries/dockerfile/update_instruction_alone/query.rego
index 9bf0c5837c4..391e7a712db 100644
--- a/assets/queries/dockerfile/update_instruction_alone/query.rego
+++ b/assets/queries/dockerfile/update_instruction_alone/query.rego
@@ -1,5 +1,7 @@
 package Cx
+import data.generic.dockerfile as dockerLib
+
 CxPolicy[result] {
 # Check if there is a command that runs install before update
 resource := input.document[i].command[name][_]
@@ -20,9 +22,11 @@ CxPolicy[result] {
 not checkFollowedBy(update, install)
+ stage := input.document[i].command[name]
+ from_command := dockerLib.get_original_from_command(stage)
 result := {
 "documentId": input.document[i].id,
- "searchKey": sprintf("FROM={{%s}}.RUN={{%s}}", [name, resource.Value[0]]),
+ "searchKey": sprintf("%s={{%s}}.RUN={{%s}}", [from_command, name, resource.Value[0]]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("Instruction 'RUN %s %s' should be followed by 'RUN %s %s' in the same 'RUN' statement", [packageManager, pkg_installer[packageManager], packageManager, pkg_updater[packageManager]]),
 "keyActualValue": sprintf("Instruction 'RUN %s %s' isn't followed by 'RUN %s %s in the same 'RUN' statement", [packageManager, pkg_installer[packageManager], packageManager, pkg_updater[packageManager]]),
@@ -60,7 +64,7 @@ CxPolicy[result] {
 result := {
 "documentId": input.document[i].id,
- "searchKey": sprintf("FROM={{%s}}.RUN={{%s}}", [name, nextResource.Value[0]]),
+ "searchKey": sprintf("%s={{%s}}.RUN={{%s}}", [from_command, name, nextResource.Value[0]]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("Instruction 'RUN %s %s' should be combined with 'RUN %s %s' in the same 'RUN' statement", [nextPackageManager, pkg_installer[nextPackageManager], nextPackageManager, pkg_updater[nextPackageManager]]),
 "keyActualValue": sprintf("Instruction 'RUN %s %s' isn't combined with 'RUN %s %s in the same 'RUN' statement", [nextPackageManager, pkg_installer[nextPackageManager], nextPackageManager, pkg_updater[nextPackageManager]]),
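Review bot: The third hunk (`@@ -60,7 +64,7 @@`) rewrites the second rule's searchKey to use `from_command`, but nothing in this diff binds `from_command` inside that rule body: the `stage`/`from_command` lines added in the second hunk belong to the first rule, and the +4 offset between the hunks equals exactly the four lines added above them, so no binding was inserted in between. Unless the second rule already binds `from_command` in unchanged lines above line 60 (which seems unlikely, since its old searchKey used the literal `FROM`), OPA will reject the policy with an unsafe-variable error for `from_command`, taking every result of this query with it. Adding the same two lines, `stage := input.document[i].command[name]` and `from_command := dockerLib.get_original_from_command(stage)`, before `result := {` in the second rule would fix it. Both rule bodies start and end outside these hunks.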
diff --git a/assets/queries/dockerfile/update_instruction_alone/test/negative12.dockerfile b/assets/queries/dockerfile/update_instruction_alone/test/negative12.dockerfile
new file mode 100644
index 00000000000..ad75faf9819
--- /dev/null
+++ b/assets/queries/dockerfile/update_instruction_alone/test/negative12.dockerfile
@@ -0,0 +1,8 @@
+from ubuntu:18.04
+run apt-get update \
+ && apt-get install -y --no-install-recommends mysql-client \
+ && rm -rf /var/lib/apt/lists/*
+run apk update \
+ && apk add --no-cache git ca-certificates
+run apk --update add easy-rsa
+entrypoint ["mysql"]
diff --git a/assets/queries/dockerfile/update_instruction_alone/test/positive8.dockerfile b/assets/queries/dockerfile/update_instruction_alone/test/positive8.dockerfile
new file mode 100644
index 00000000000..4b49de8c58a
--- /dev/null
+++ b/assets/queries/dockerfile/update_instruction_alone/test/positive8.dockerfile
@@ -0,0 +1,5 @@
+from alpine:latest
+run apk update
+run apk add nginx
+
+cmd ["nginx", "-g", "daemon off;"]
\ No newline at end of file
diff --git a/assets/queries/dockerfile/update_instruction_alone/test/positive_expected_result.json b/assets/queries/dockerfile/update_instruction_alone/test/positive_expected_result.json
index 64b7e65cd1f..568f9337486 100644
--- a/assets/queries/dockerfile/update_instruction_alone/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/update_instruction_alone/test/positive_expected_result.json
@@ -1,44 +1,50 @@
 [
- {
- "queryName": "Update Instruction Alone",
- "severity": "LOW",
- "line": 3,
- "fileName": "positive1.dockerfile"
- },
- {
- "queryName": "Update Instruction Alone",
- "severity": "LOW",
- "line": 3,
- "fileName": "positive2.dockerfile"
- },
- {
- "queryName": "Update Instruction Alone",
- "severity": "LOW",
- "line": 3,
- "fileName": "positive3.dockerfile"
- },
- {
- "queryName": "Update Instruction Alone",
- "severity": "LOW",
- "line": 3,
- "fileName": "positive4.dockerfile"
- },
- {
- "queryName": "Update Instruction Alone",
- "severity": "LOW",
- "line": 3,
- "fileName": "positive5.dockerfile"
- },
- {
- "queryName": "Update Instruction Alone",
- "severity": "LOW",
- "line": 3,
- "fileName": "positive6.dockerfile"
- },
- {
- "queryName": "Update Instruction Alone",
- "severity": "LOW",
- "line": 3,
- "fileName": "positive7.dockerfile"
- }
+ {
+ "queryName": "Update Instruction Alone",
+ "severity": "LOW",
+ "line": 3,
+ "fileName": "positive1.dockerfile"
+ },
+ {
+ "queryName": "Update Instruction Alone",
+ "severity": "LOW",
+ "line": 3,
+ "fileName": "positive2.dockerfile"
+ },
+ {
+ "queryName": "Update Instruction Alone",
+ "severity": "LOW",
+ "line": 3,
+ "fileName": "positive3.dockerfile"
+ },
+ {
+ "queryName": "Update Instruction Alone",
+ "severity": "LOW",
+ "line": 3,
+ "fileName": "positive4.dockerfile"
+ },
+ {
+ "queryName": "Update Instruction Alone",
+ "severity": "LOW",
+ "line": 3,
+ "fileName": "positive5.dockerfile"
+ },
+ {
+ "queryName": "Update Instruction Alone",
+ "severity": "LOW",
+ "line": 3,
+ "fileName": "positive6.dockerfile"
+ },
+ {
+ "queryName": "Update Instruction Alone",
+ "severity": "LOW",
+ "line": 3,
+ "fileName": "positive7.dockerfile"
+ },
+ {
+ "queryName": "Update Instruction Alone",
+ "severity": "LOW",
+ "line": 3,
+ "fileName": "positive8.dockerfile"
+ }
 ]
\ No newline at end of file
diff --git a/assets/queries/dockerfile/using_platform_with_from/query.rego b/assets/queries/dockerfile/using_platform_with_from/query.rego
index 8e133aece1e..2496fb1baba 100644
--- a/assets/queries/dockerfile/using_platform_with_from/query.rego
+++ b/assets/queries/dockerfile/using_platform_with_from/query.rego
@@ -1,6 +1,7 @@
 package Cx
 import data.generic.common as common_lib
+import data.generic.dockerfile as dockerLib
 CxPolicy[result] {
 resource := input.document[i].command[name][_]
@@ -8,11 +9,13 @@ CxPolicy[result] {
 contains(resource.Flags[j], "--platform")
 contains(resource.Cmd, "from")
+ stage := input.document[i].command[name]
+ from_command := dockerLib.get_original_from_command(stage)
 result := {
 "documentId": input.document[i].id,
- "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]),
+ "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, resource.Original]),
 "issueType": "IncorrectValue",
- "keyExpectedValue": sprintf("FROM={{%s}}.{{%s}} should not use the '--platform' flag", [name, resource.Original]),
- "keyActualValue": sprintf("FROM={{%s}}.{{%s}} is using the '--platform' flag", [name, resource.Original]),
+ "keyExpectedValue": sprintf("%s={{%s}}.{{%s}} should not use the '--platform' flag", [from_command, name, resource.Original]),
+ "keyActualValue": sprintf("%s={{%s}}.{{%s}} is using the '--platform' flag", [from_command, name, resource.Original]),
 }
 }
diff --git a/assets/queries/dockerfile/using_platform_with_from/test/negative2.dockerfile b/assets/queries/dockerfile/using_platform_with_from/test/negative2.dockerfile
new file mode 100644
index 00000000000..04dc547bc08
--- /dev/null
+++ b/assets/queries/dockerfile/using_platform_with_from/test/negative2.dockerfile
@@ -0,0 +1,6 @@
+from alpine:3.5
+run apk add --update py2-pip
+run pip install --upgrade pip
+label maintainer="SvenDowideit@home.org.au"
+copy requirements.txt /usr/src/app/
+from baseimage as baseimage-build
diff --git a/assets/queries/dockerfile/using_platform_with_from/test/positive2.dockerfile b/assets/queries/dockerfile/using_platform_with_from/test/positive2.dockerfile
new file mode 100644
index 00000000000..c0529ec2a65
--- /dev/null
+++ b/assets/queries/dockerfile/using_platform_with_from/test/positive2.dockerfile
@@ -0,0 +1,6 @@
+from alpine:3.5
+run apk add --update py2-pip
+run pip install --upgrade pip
+label maintainer="SvenDowideit@home.org.au"
+copy requirements.txt /usr/src/app/
+from --platform=arm64 baseimage as baseimage-build
diff --git a/assets/queries/dockerfile/using_platform_with_from/test/positive_expected_result.json b/assets/queries/dockerfile/using_platform_with_from/test/positive_expected_result.json
index 17bce5638c8..21a2a3f1b72 100644
--- a/assets/queries/dockerfile/using_platform_with_from/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/using_platform_with_from/test/positive_expected_result.json
@@ -1,8 +1,14 @@
 [
- {
- "queryName": "Using Platform Flag with FROM Command",
- "severity": "INFO",
- "line": 6,
- "fileName": "positive1.dockerfile"
- }
+ {
+ "queryName": "Using Platform Flag with FROM Command",
+ "severity": "INFO",
+ "line": 6,
+ "fileName": "positive1.dockerfile"
+ },
+ {
+ "queryName": "Using Platform Flag with FROM Command",
+ "severity": "INFO",
+ "line": 6,
+ "fileName": "positive2.dockerfile"
+ }
 ]
\ No newline at end of file
diff --git a/assets/queries/dockerfile/using_unnamed_build_stages/query.rego b/assets/queries/dockerfile/using_unnamed_build_stages/query.rego
index ff621dc15f8..df91819abb7 100644
--- a/assets/queries/dockerfile/using_unnamed_build_stages/query.rego
+++ b/assets/queries/dockerfile/using_unnamed_build_stages/query.rego
@@ -1,5 +1,7 @@
 package Cx
+import data.generic.dockerfile as dockerLib
+
 CxPolicy[result] {
 commands := input.document[i].command[name][_]
@@ -11,9 +13,11 @@ CxPolicy[result] {
 to_number(flag_split[1]) > -1
+ stage := input.document[i].command[name]
+ from_command := dockerLib.get_original_from_command(stage)
 result := {
 "documentId": input.document[i].id,
- "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, commands.Original]),
+ "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, commands.Original]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "COPY '--from' should reference a previously defined FROM alias",
 "keyActualValue": "COPY '--from' does not reference a previously defined FROM alias",
diff --git a/assets/queries/dockerfile/using_unnamed_build_stages/test/negative2.dockerfile b/assets/queries/dockerfile/using_unnamed_build_stages/test/negative2.dockerfile
new file mode 100644
index 00000000000..c38778c6031
--- /dev/null
+++ b/assets/queries/dockerfile/using_unnamed_build_stages/test/negative2.dockerfile
@@ -0,0 +1,12 @@
+from golang:1.7.3 AS builder
+workdir /go/src/github.com/foo/href-counter/
+run go get -d -v golang.org/x/net/html
+copy app.go .
+run CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
+
+# another dockerfile
+from alpine:latest
+run apk --no-cache add ca-certificates
+workdir /root/
+copy --from=builder /go/src/github.com/foo/href-counter/app .
+cmd ["./app"]
diff --git a/assets/queries/dockerfile/using_unnamed_build_stages/test/positive2.dockerfile b/assets/queries/dockerfile/using_unnamed_build_stages/test/positive2.dockerfile
new file mode 100644
index 00000000000..b96bdaac1c7
--- /dev/null
+++ b/assets/queries/dockerfile/using_unnamed_build_stages/test/positive2.dockerfile
@@ -0,0 +1,11 @@
+from golang:1.16
+workdir /go/src/github.com/foo/href-counter/
+run go get -d -v golang.org/x/net/html
+copy app.go ./
+run CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
+
+from alpine:latest
+run apk --no-cache add ca-certificates
+workdir /root/
+copy --from=0 /go/src/github.com/foo/href-counter/app ./
+cmd ["./app"]
diff --git a/assets/queries/dockerfile/using_unnamed_build_stages/test/positive_expected_result.json b/assets/queries/dockerfile/using_unnamed_build_stages/test/positive_expected_result.json
index d0e9eb1f3db..72b72f46fb2 100644
--- a/assets/queries/dockerfile/using_unnamed_build_stages/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/using_unnamed_build_stages/test/positive_expected_result.json
@@ -4,5 +4,11 @@
 "severity": "LOW",
 "line": 10,
 "filename": "positive1.dockerfile"
+ },
+ {
+ "queryName": "Using Unnamed Build Stages",
+ "severity": "LOW",
+ "line": 10,
+ "filename": "positive2.dockerfile"
 }
-]
+]
\ No newline at end of file
diff --git a/assets/queries/dockerfile/workdir_path_not_absolute/query.rego b/assets/queries/dockerfile/workdir_path_not_absolute/query.rego
index a6d8fbeabf3..f6505433c57 100644
--- a/assets/queries/dockerfile/workdir_path_not_absolute/query.rego
+++ b/assets/queries/dockerfile/workdir_path_not_absolute/query.rego
@@ -1,13 +1,17 @@
 package Cx
+import data.generic.dockerfile as dockerLib
+
 CxPolicy[result] {
 resource := input.document[i].command[name][_]
 resource.Cmd == "workdir"
 not regex.match("(^\"?/[A-z0-9-_+]*)|(^\"?[A-z0-9-_+]:\\\\.*)|(^\"?\\$[{}A-z0-9-_+].*)", resource.Value[0])
+ stage := input.document[i].command[name]
+ from_command := dockerLib.get_original_from_command(stage)
 result := {
 "documentId": input.document[i].id,
- "searchKey": sprintf("FROM={{%s}}.WORKDIR={{%s}}", [name, resource.Value[0]]),
+ "searchKey": sprintf("%s={{%s}}.WORKDIR={{%s}}", [from_command, name, resource.Value[0]]),
 "issueType": "IncorrectValue", #"MissingAttribute" / "RedundantAttribute"
 "keyExpectedValue": "'WORKDIR' Command has absolute path",
 "keyActualValue": "'WORKDIR' Command doesn't have absolute path",
diff --git a/assets/queries/dockerfile/workdir_path_not_absolute/test/negative2.dockerfile b/assets/queries/dockerfile/workdir_path_not_absolute/test/negative2.dockerfile
new file mode 100644
index 00000000000..aa660c1b737
--- /dev/null
+++ b/assets/queries/dockerfile/workdir_path_not_absolute/test/negative2.dockerfile
@@ -0,0 +1,17 @@
+from alpine:3.5
+run apk add --update py2-pip
+run pip install --upgrade pip
+workdir /path/to/workdir
+workdir "/path/to/workdir"
+workdir /
+workdir c:\\windows
+env DIRPATH=/path
+env GLASSFISH_ARCHIVE glassfish5
+workdir $DIRPATH/$DIRNAME
+workdir ${GLASSFISH_HOME}/bin
+copy requirements.txt /usr/src/app/
+run pip install --no-cache-dir -r /usr/src/app/requirements.txt
+copy app.py /usr/src/app/
+copy templates/index.html /usr/src/app/templates/
+expose 5000
+cmd ["python", "/usr/src/app/app.py"]
diff --git a/assets/queries/dockerfile/workdir_path_not_absolute/test/positive2.dockerfile b/assets/queries/dockerfile/workdir_path_not_absolute/test/positive2.dockerfile
new file mode 100644
index 00000000000..bc3c52343fc
--- /dev/null
+++ b/assets/queries/dockerfile/workdir_path_not_absolute/test/positive2.dockerfile
@@ -0,0 +1,11 @@
+from alpine:3.5
+run apk add --update py2-pip
+run pip install --upgrade pip
+workdir /path/to/workdir
+workdir workdir
+copy requirements.txt /usr/src/app/
+run pip install --no-cache-dir -r /usr/src/app/requirements.txt
+copy app.py /usr/src/app/
+copy templates/index.html /usr/src/app/templates/
+expose 5000
+cmd ["python", "/usr/src/app/app.py"]
\ No newline at end of file
diff --git a/assets/queries/dockerfile/workdir_path_not_absolute/test/positive_expected_result.json b/assets/queries/dockerfile/workdir_path_not_absolute/test/positive_expected_result.json
index ece07faaf7f..bd94ad4b78f 100644
--- a/assets/queries/dockerfile/workdir_path_not_absolute/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/workdir_path_not_absolute/test/positive_expected_result.json
@@ -1,7 +1,14 @@ [ - { - "queryName": "WORKDIR Path Not Absolute", - "severity": "LOW", - "line": 5 - } + { + "queryName": "WORKDIR Path Not Absolute", + "severity": "LOW", + "line": 5, + "fileName": "positive.dockerfile" + }, + { + "queryName": "WORKDIR Path Not Absolute", + "severity": "LOW", + "line": 5, + "fileName": "positive2.dockerfile" + } ] \ No newline at end of file diff --git a/assets/queries/dockerfile/yum_clean_all_missing/query.rego b/assets/queries/dockerfile/yum_clean_all_missing/query.rego index 556f93f16b5..2cea845cf5c 100644 --- a/assets/queries/dockerfile/yum_clean_all_missing/query.rego +++ b/assets/queries/dockerfile/yum_clean_all_missing/query.rego @@ -15,9 +15,11 @@ CxPolicy[result] { not containsCleanAfterYum(command) + stage := input.document[i].command[name] + from_command := dockerLib.get_original_from_command(stage) result := { "documentId": input.document[i].id, - "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]), + "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, resource.Original]), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("{{%s}} should have 'yum clean all' after 'yum install' command", [resource.Original]), "keyActualValue": sprintf("{{%s}} doesn't have 'yum clean all' after 'yum install' command", [resource.Original]), diff --git a/assets/queries/dockerfile/yum_clean_all_missing/test/negative3.dockerfile b/assets/queries/dockerfile/yum_clean_all_missing/test/negative3.dockerfile new file mode 100644 index 00000000000..a3fcb3e7a29 --- /dev/null +++ b/assets/queries/dockerfile/yum_clean_all_missing/test/negative3.dockerfile 
@@ -0,0 +1,14 @@ +from alpine:3.5 +run apk add --update py2-pip +run yum install \ + yum clean all +copy requirements.txt /usr/src/app/ +run pip install --no-cache-dir -r /usr/src/app/requirements.txt +copy app.py /usr/src/app/ +copy templates/index.html /usr/src/app/templates/ +expose 5000 +cmd ["python", "/usr/src/app/app.py"] + +from alpine:3.4 +run yum -y install \ + yum clean all diff --git a/assets/queries/dockerfile/yum_clean_all_missing/test/positive2.dockerfile b/assets/queries/dockerfile/yum_clean_all_missing/test/positive2.dockerfile new file mode 100644 index 00000000000..a38c8a8f68b --- /dev/null +++ b/assets/queries/dockerfile/yum_clean_all_missing/test/positive2.dockerfile @@ -0,0 +1,13 @@ +from alpine:3.5 +run apk add --update py2-pip +run yum install +copy requirements.txt /usr/src/app/ +run pip install --no-cache-dir -r /usr/src/app/requirements.txt +copy app.py /usr/src/app/ +copy templates/index.html /usr/src/app/templates/ +expose 5000 +cmd ["python", "/usr/src/app/app.py"] + +from alpine:3.4 +run yum clean all \ + yum -y install diff --git a/assets/queries/dockerfile/yum_clean_all_missing/test/positive_expected_result.json b/assets/queries/dockerfile/yum_clean_all_missing/test/positive_expected_result.json index f4e28bb33cf..100dd704469 100644 --- a/assets/queries/dockerfile/yum_clean_all_missing/test/positive_expected_result.json +++ b/assets/queries/dockerfile/yum_clean_all_missing/test/positive_expected_result.json @@ -1,8 +1,14 @@ [ - { - "queryName": "Yum Clean All Missing", - "severity": "LOW", - "line": 12, - "fileName": "positive.dockerfile" - } + { + "queryName": "Yum Clean All Missing", + "severity": "LOW", + "line": 12, + "fileName": "positive.dockerfile" + }, + { + "queryName": "Yum Clean All Missing", + "severity": "LOW", + "line": 12, + "fileName": "positive2.dockerfile" + } ] \ No newline at end of file 
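Review bot: The new negative3.dockerfile fixture does not represent the case it is meant to cover: `run yum install \` with `yum clean all` on the continuation line is one shell command, `yum install yum clean all`, which asks yum to install packages named `yum`, `clean` and `all` rather than running a clean step after an install. The query presumably accepts it only because `containsCleanAfterYum` sees the substring `yum clean all` after `yum install`, so the fixture exercises the string heuristic instead of a correct Dockerfile. A negative case that reflects real usage would be `run yum install -y PKG && yum clean all` (constructed example, PKG a placeholder); the same continuation pattern appears in positive2.dockerfile (`run yum clean all \` / `yum -y install`), where it at least serves as a deliberate ordering check.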
diff --git a/assets/queries/dockerfile/yum_install_allows_manual_input/query.rego b/assets/queries/dockerfile/yum_install_allows_manual_input/query.rego index 1c7fb4f21b6..b5b3a6a9e70 100644 --- a/assets/queries/dockerfile/yum_install_allows_manual_input/query.rego +++ b/assets/queries/dockerfile/yum_install_allows_manual_input/query.rego @@ -12,9 +12,11 @@ CxPolicy[result] { not avoidManualInput(command) + stage := input.document[i].command[name] + from_command := dockerLib.get_original_from_command(stage) result := { "documentId": input.document[i].id, - "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]), + "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, resource.Original]), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("{{%s}} should avoid manual input", [resource.Original]), "keyActualValue": sprintf("{{%s}} doesn't avoid manual input", [resource.Original]), @@ -30,9 +32,11 @@ CxPolicy[result] { not avoidManualInputInList(resource.Value) + stage := input.document[i].command[name] + from_command := dockerLib.get_original_from_command(stage) result := { "documentId": input.document[i].id, - "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]), + "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, resource.Original]), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("{{%s}} should avoid manual input", [resource.Original]), "keyActualValue": sprintf("{{%s}} doesn't avoid manual input", [resource.Original]), diff --git a/assets/queries/dockerfile/yum_install_allows_manual_input/test/negative2.dockerfile b/assets/queries/dockerfile/yum_install_allows_manual_input/test/negative2.dockerfile new file mode 100644 index 00000000000..6cb32a326e6 --- /dev/null +++ b/assets/queries/dockerfile/yum_install_allows_manual_input/test/negative2.dockerfile 
@@ -0,0 +1,9 @@ +from alpine:3.5 +run apk add --update py2-pip +run sudo yum install -y bundler +copy requirements.txt /usr/src/app/ +run pip install --no-cache-dir -r /usr/src/app/requirements.txt +copy app.py /usr/src/app/ +copy templates/index.html /usr/src/app/templates/ +expose 5000 +cmd ["python", "/usr/src/app/app.py"] \ No newline at end of file diff --git a/assets/queries/dockerfile/yum_install_allows_manual_input/test/positive2.dockerfile b/assets/queries/dockerfile/yum_install_allows_manual_input/test/positive2.dockerfile new file mode 100644 index 00000000000..6fe942813de --- /dev/null +++ b/assets/queries/dockerfile/yum_install_allows_manual_input/test/positive2.dockerfile @@ -0,0 +1,10 @@ +from alpine:3.5 +run apk add --update py2-pip +run sudo yum install bundler +run ["sudo yum", "install", "bundler"] +copy requirements.txt /usr/src/app/ +run pip install --no-cache-dir -r /usr/src/app/requirements.txt +copy app.py /usr/src/app/ +copy templates/index.html /usr/src/app/templates/ +expose 5000 +cmd ["python", "/usr/src/app/app.py"] diff --git a/assets/queries/dockerfile/yum_install_allows_manual_input/test/positive_expected_result.json b/assets/queries/dockerfile/yum_install_allows_manual_input/test/positive_expected_result.json index c6fa582d3aa..ed762eee0d3 100644 --- a/assets/queries/dockerfile/yum_install_allows_manual_input/test/positive_expected_result.json +++ b/assets/queries/dockerfile/yum_install_allows_manual_input/test/positive_expected_result.json 
@@ -1,12 +1,26 @@ [ - { - "queryName": "Yum Install Allows Manual Input", - "severity": "LOW", - "line": 3 - }, - { - "queryName": "Yum Install Allows Manual Input", - "severity": "LOW", - "line": 4 - } + { + "queryName": "Yum Install Allows Manual Input", + "severity": "LOW", + "line": 3, + "fileName": "positive.dockerfile" + }, + { + "queryName": "Yum Install Allows Manual Input", + "severity": "LOW", + "line": 4, + "fileName": "positive.dockerfile" + }, + { + "queryName": "Yum Install Allows Manual Input", + "severity": "LOW", + "line": 3, + "fileName": "positive2.dockerfile" + }, + { + "queryName": "Yum Install Allows Manual Input", + "severity": "LOW", + "line": 4, + "fileName": "positive2.dockerfile" + } ] \ No newline at end of file diff --git a/assets/queries/dockerfile/yum_install_without_version/query.rego b/assets/queries/dockerfile/yum_install_without_version/query.rego index fbc9c0bf295..1e51dc24f57 100644 --- a/assets/queries/dockerfile/yum_install_without_version/query.rego +++ b/assets/queries/dockerfile/yum_install_without_version/query.rego @@ -19,9 +19,11 @@ CxPolicy[result] { some j analyzePackages(j, packages[j], packages, length) + stage := input.document[i].command[name] + from_command := docker_lib.get_original_from_command(stage) result := { "documentId": input.document[i].id, - "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]), + "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, resource.Original]), "searchValue": packages[j], "issueType": "IncorrectValue", "keyExpectedValue": "The package version should always be specified when using yum install", 
@@ -43,9 +45,11 @@ CxPolicy[result] { regex.match("^[a-zA-Z]", resource.Value[j]) == true not docker_lib.withVersion(resource.Value[j]) + stage := input.document[i].command[name] + from_command := docker_lib.get_original_from_command(stage) result := { "documentId": input.document[i].id, - "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]), + "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, resource.Original]), "searchValue": resource.Value[j], "issueType": "IncorrectValue", "keyExpectedValue": "The package version should always be specified when using yum install", diff --git a/assets/queries/dockerfile/yum_install_without_version/test/negative2.dockerfile b/assets/queries/dockerfile/yum_install_without_version/test/negative2.dockerfile new file mode 100644 index 00000000000..ba8e3557b85 --- /dev/null +++ b/assets/queries/dockerfile/yum_install_without_version/test/negative2.dockerfile @@ -0,0 +1,8 @@ +from opensuse/leap:15.2 +run yum install -y httpd-2.24.2 && yum clean all +healthcheck CMD curl --fail http://localhost:3000 || exit 1 + + +from opensuse/leap:15.3 +env RETHINKDB_PACKAGE_VERSION 2.4.0~0trusty +run yum install -y rethinkdb-$RETHINKDB_PACKAGE_VERSION && yum clean all diff --git a/assets/queries/dockerfile/yum_install_without_version/test/positive2.dockerfile b/assets/queries/dockerfile/yum_install_without_version/test/positive2.dockerfile new file mode 100644 index 00000000000..7cc1025defd --- /dev/null +++ b/assets/queries/dockerfile/yum_install_without_version/test/positive2.dockerfile @@ -0,0 +1,4 @@ +from opensuse/leap:15.2 +run yum install -y httpd && yum clean all +run ["yum", "install", "httpd"] +healthcheck CMD curl --fail http://localhost:3000 || exit 1 diff --git a/assets/queries/dockerfile/yum_install_without_version/test/positive_expected_result.json b/assets/queries/dockerfile/yum_install_without_version/test/positive_expected_result.json index 2ed431a5849..b7670737f6c 100644 
--- a/assets/queries/dockerfile/yum_install_without_version/test/positive_expected_result.json +++ b/assets/queries/dockerfile/yum_install_without_version/test/positive_expected_result.json @@ -1,12 +1,26 @@ [ - { - "queryName": "Yum install Without Version", - "severity": "MEDIUM", - "line": 2 - }, - { - "queryName": "Yum install Without Version", - "severity": "MEDIUM", - "line": 3 - } -] + { + "queryName": "Yum install Without Version", + "severity": "MEDIUM", + "line": 2, + "fileName": "positive.dockerfile" + }, + { + "queryName": "Yum install Without Version", + "severity": "MEDIUM", + "line": 3, + "fileName": "positive.dockerfile" + }, + { + "queryName": "Yum install Without Version", + "severity": "MEDIUM", + "line": 2, + "fileName": "positive2.dockerfile" + }, + { + "queryName": "Yum install Without Version", + "severity": "MEDIUM", + "line": 3, + "fileName": "positive2.dockerfile" + } +] \ No newline at end of file diff --git a/assets/queries/dockerfile/zypper_install_without_version/query.rego b/assets/queries/dockerfile/zypper_install_without_version/query.rego index 92ed90a266b..95a90e1a05b 100644 --- a/assets/queries/dockerfile/zypper_install_without_version/query.rego +++ b/assets/queries/dockerfile/zypper_install_without_version/query.rego @@ -19,9 +19,11 @@ CxPolicy[result] { some j analyzePackages(j, packages[j], packages, length) + stage := input.document[i].command[name] + from_command := docker_lib.get_original_from_command(stage) result := { "documentId": input.document[i].id, - "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]), + "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, resource.Original]), "searchValue": packages[j], "issueType": "IncorrectValue", "keyExpectedValue": "The package version should always be specified when using zypper install", 
@@ -43,9 +45,11 @@ CxPolicy[result] { regex.match("^[a-zA-Z]", resource.Value[j]) == true not docker_lib.withVersion(resource.Value[j]) + stage := input.document[i].command[name] + from_command := docker_lib.get_original_from_command(stage) result := { "documentId": input.document[i].id, - "searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]), + "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, resource.Original]), "searchValue": resource.Value[j], "issueType": "IncorrectValue", "keyExpectedValue": "The package version should always be specified when using zypper install", diff --git a/assets/queries/dockerfile/zypper_install_without_version/test/negative2.dockerfile b/assets/queries/dockerfile/zypper_install_without_version/test/negative2.dockerfile new file mode 100644 index 00000000000..d9fbcfc5dbb --- /dev/null +++ b/assets/queries/dockerfile/zypper_install_without_version/test/negative2.dockerfile @@ -0,0 +1,3 @@ +from opensuse/leap:15.2 +run zypper install -y httpd=2.4.46 && zypper clean +healthcheck CMD curl --fail http://localhost:3000 || exit 1 diff --git a/assets/queries/dockerfile/zypper_install_without_version/test/positive2.dockerfile b/assets/queries/dockerfile/zypper_install_without_version/test/positive2.dockerfile new file mode 100644 index 00000000000..8a17fc54f81 --- /dev/null +++ b/assets/queries/dockerfile/zypper_install_without_version/test/positive2.dockerfile @@ -0,0 +1,4 @@ +from opensuse/leap:15.2 +run zypper install -y httpd && zypper clean +run ["zypper", "install", "http"] +healthcheck CMD curl --fail http://localhost:3000 || exit 1 diff --git a/assets/queries/dockerfile/zypper_install_without_version/test/positive_expected_result.json b/assets/queries/dockerfile/zypper_install_without_version/test/positive_expected_result.json index 7d64d6a1109..5ffc570d5da 100644 --- a/assets/queries/dockerfile/zypper_install_without_version/test/positive_expected_result.json 
+++ b/assets/queries/dockerfile/zypper_install_without_version/test/positive_expected_result.json @@ -1,12 +1,26 @@ [ - { - "queryName": "Zypper Install Without Version", - "severity": "LOW", - "line": 2 - }, - { - "queryName": "Zypper Install Without Version", - "severity": "LOW", - "line": 3 - } + { + "queryName": "Zypper Install Without Version", + "severity": "LOW", + "line": 2, + "fileName": "positive.dockerfile" + }, + { + "queryName": "Zypper Install Without Version", + "severity": "LOW", + "line": 3, + "fileName": "positive.dockerfile" + }, + { + "queryName": "Zypper Install Without Version", + "severity": "LOW", + "line": 2, + "fileName": "positive2.dockerfile" + }, + { + "queryName": "Zypper Install Without Version", + "severity": "LOW", + "line": 3, + "fileName": "positive2.dockerfile" + } ] \ No newline at end of file From c356b4d4e133884b9d15584074a8d58f490ac8a7 Mon Sep 17 00:00:00 2001 
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Tue, 24 Mar 2026 11:34:27 +0000 Subject: [PATCH 39/84] Fixes for queries that require extra commands and some expected results fixed --- assets/libraries/dockerfile.rego | 1 + .../query.rego | 3 ++- .../test/positive_expected_result.json | 14 +++++------ .../query.rego | 3 ++- .../query.rego | 4 +++- .../query.rego | 3 ++- .../query.rego | 3 ++- .../missing_dnf_clean_all/query.rego | 3 ++- .../missing_flag_from_dnf_install/query.rego | 9 +++---- .../missing_user_instruction/query.rego | 1 + .../test/positive_expected_result.json | 2 +- .../test/positive_expected_result.json | 6 +++++ .../test/positive_expected_result.json | 2 +- .../test/positive_expected_result.json | 24 +++++++++++++++++++ .../query.rego | 7 +++--- .../test/positive_expected_result.json | 5 ---- .../dockerfile/run_using_sudo/query.rego | 6 +++-- .../test/positive_expected_result.json | 3 ++- .../test/positive_expected_result.json | 2 +- .../update_instruction_alone/query.rego | 10 +++++--- .../workdir_path_not_absolute/query.rego | 3 ++- 21 files changed, 79 insertions(+), 35 deletions(-) diff --git a/assets/libraries/dockerfile.rego b/assets/libraries/dockerfile.rego index 98990ee5a6e..4cdb0068c6e 100644 --- a/assets/libraries/dockerfile.rego +++ b/assets/libraries/dockerfile.rego @@ -75,3 +75,4 @@ get_original_from_command(commands) = from_command { commands[i].Cmd == "from" from_command := substring(commands[i].Original, 0, 4) } + diff --git a/assets/queries/dockerfile/apt_get_install_lists_were_not_deleted/query.rego b/assets/queries/dockerfile/apt_get_install_lists_were_not_deleted/query.rego index 428a344be3f..33b5dcc9797 100644 --- a/assets/queries/dockerfile/apt_get_install_lists_were_not_deleted/query.rego +++ b/assets/queries/dockerfile/apt_get_install_lists_were_not_deleted/query.rego 
@@ -14,9 +14,10 @@ CxPolicy[result] { stage := input.document[i].command[name] from_command := dockerLib.get_original_from_command(stage) + run_command := substring(resource.Original, 0, 3) result := { "documentId": input.document[i].id, - "searchKey": sprintf("%s={{%s}}.RUN={{%s}}", [from_command, name, commands]), + "searchKey": sprintf("%s={{%s}}.%s={{%s}}", [from_command, name, run_command, commands]), "issueType": "IncorrectValue", #"MissingAttribute" / "RedundantAttribute" "keyExpectedValue": "After using apt-get install, the apt-get lists should be deleted", "keyActualValue": "After using apt-get install, the apt-get lists were not deleted", diff --git a/assets/queries/dockerfile/apt_get_install_lists_were_not_deleted/test/positive_expected_result.json b/assets/queries/dockerfile/apt_get_install_lists_were_not_deleted/test/positive_expected_result.json index 2428b814a66..4c73167b481 100644 --- a/assets/queries/dockerfile/apt_get_install_lists_were_not_deleted/test/positive_expected_result.json +++ b/assets/queries/dockerfile/apt_get_install_lists_were_not_deleted/test/positive_expected_result.json @@ -32,25 +32,25 @@ { "queryName": "Apt Get Install Lists Were Not Deleted", "severity": "INFO", - "line": 5, - "fileName": "positive2.dockerfile" + "line": 2, + "fileName": "positive3.dockerfile" }, { "queryName": "Apt Get Install Lists Were Not Deleted", "severity": "INFO", - "line": 8, - "fileName": "positive2.dockerfile" + "line": 5, + "fileName": "positive3.dockerfile" }, { "queryName": "Apt Get Install Lists Were Not Deleted", "severity": "INFO", - "line": 12, - "fileName": "positive2.dockerfile" + "line": 8, + "fileName": "positive3.dockerfile" }, { "queryName": "Apt Get Install Lists Were Not Deleted", "severity": "INFO", - "line": 2, + "line": 12, "fileName": "positive3.dockerfile" } ] \ No newline at end of file 
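Review bot: `run_command := substring(resource.Original, 0, 3)` derives the instruction keyword by a fixed byte offset, which only holds if `Original` begins with the keyword at column 0; if the parser preserves leading whitespace or tabs in `Original` (Dockerfile syntax tolerates them) the searchKey becomes something like ` RU={{…}}` and the line lookup misses. The same three-line snippet is now copy-pasted into apt_get_install_pin_version_not_defined, copy_with_more_than_two_arguments_not_ending_with_slash, missing_dnf_clean_all, missing_flag_from_dnf_install, run_command_cd_instead_of_workdir, run_using_sudo and update_instruction_alone, and maintainer_instruction_being_used hard-codes `substring(resource.Original, 0, 10)`; `get_original_from_command` in dockerfile.rego has the same fixed-offset assumption with length 4. Since that library already exists, one helper such as `get_original_command(resource) = cmd { cmd := regex.split("\\s+", trim_space(resource.Original))[0] }` would remove the magic lengths and the duplication, with each query calling `dockerLib.get_original_command(resource)`. The enclosing CxPolicy rule starts outside this hunk.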
diff --git a/assets/queries/dockerfile/apt_get_install_pin_version_not_defined/query.rego b/assets/queries/dockerfile/apt_get_install_pin_version_not_defined/query.rego index 9c8d8e73543..df82349be49 100644 --- a/assets/queries/dockerfile/apt_get_install_pin_version_not_defined/query.rego +++ b/assets/queries/dockerfile/apt_get_install_pin_version_not_defined/query.rego @@ -20,9 +20,10 @@ CxPolicy[result] { stage := input.document[i].command[name] from_command := dockerLib.get_original_from_command(stage) + run_command := substring(resource.Original, 0, 3) result := { "documentId": input.document[i].id, - "searchKey": sprintf("%s={{%s}}.RUN={{%s}}", [from_command, name, commands]), + "searchKey": sprintf("%s={{%s}}.%s={{%s}}", [from_command, name, run_command, commands]), "searchValue": packageName, "issueType": "MissingAttribute", "keyExpectedValue": sprintf("Package '%s' has version defined", [packageName]), diff --git a/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/query.rego b/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/query.rego index e7755c63964..17d31483c19 100644 --- a/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/query.rego +++ b/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/query.rego @@ -35,7 +35,9 @@ CxPolicy[result] { dockerLib.arrayContains(resource.Value, {"apt-get", "install"}) not avoidManualInputInList(resource.Value) - + + stage := input.document[i].command[name] + from_command := dockerLib.get_original_from_command(stage) result := { "documentId": input.document[i].id, "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, resource.Original]), diff --git a/assets/queries/dockerfile/copy_with_more_than_two_arguments_not_ending_with_slash/query.rego b/assets/queries/dockerfile/copy_with_more_than_two_arguments_not_ending_with_slash/query.rego index 1f8ea2c0157..f10c9603314 100644 
--- a/assets/queries/dockerfile/copy_with_more_than_two_arguments_not_ending_with_slash/query.rego +++ b/assets/queries/dockerfile/copy_with_more_than_two_arguments_not_ending_with_slash/query.rego @@ -16,9 +16,10 @@ CxPolicy[result] { stage := input.document[i].command[name] from_command := dockerLib.get_original_from_command(stage) + copy_command := substring(resource.Original, 0, 3) result := { "documentId": input.document[i].id, - "searchKey": sprintf("%s={{%s}}.COPY={{%s}}", [from_command, name, resource.Value[0]]), + "searchKey": sprintf("%s={{%s}}.%s={{%s}}", [from_command, name, copy_command, resource.Value[0]]), "issueType": "IncorrectValue", #"MissingAttribute" / "RedundantAttribute" "keyExpectedValue": "When COPY command has more than two arguments, the last one should end with a slash", "keyActualValue": "COPY command has more than two arguments and the last one does not end with a slash", diff --git a/assets/queries/dockerfile/maintainer_instruction_being_used/query.rego b/assets/queries/dockerfile/maintainer_instruction_being_used/query.rego index 264d322f913..51b7a11bb7d 100644 --- a/assets/queries/dockerfile/maintainer_instruction_being_used/query.rego +++ b/assets/queries/dockerfile/maintainer_instruction_being_used/query.rego @@ -8,9 +8,10 @@ CxPolicy[result] { stage := input.document[i].command[name] from_command := dockerLib.get_original_from_command(stage) + maintainer_command := substring(resource.Original, 0, 10) result := { "documentId": input.document[i].id, - "searchKey": sprintf("%s={{%s}}.MAINTAINER={{%s}}", [from_command, name, resource.Value[0]]), + "searchKey": sprintf("%s={{%s}}.%s={{%s}}", [from_command, name, maintainer_command, resource.Value[0]]), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("Maintainer instruction being used in Label 'LABEL maintainer=%s'", [resource.Value[0]]), "keyActualValue": sprintf("Maintainer instruction not being used in Label 'MAINTAINER %s'", [resource.Value[0]]), 
diff --git a/assets/queries/dockerfile/missing_dnf_clean_all/query.rego b/assets/queries/dockerfile/missing_dnf_clean_all/query.rego index 3f75383088f..dc8a5e0f820 100644 --- a/assets/queries/dockerfile/missing_dnf_clean_all/query.rego +++ b/assets/queries/dockerfile/missing_dnf_clean_all/query.rego @@ -15,9 +15,10 @@ CxPolicy[result] { stage := input.document[i].command[name] from_command := dockerLib.get_original_from_command(stage) + run_command := substring(resource.Original, 0, 3) result := { "documentId": input.document[i].id, - "searchKey": sprintf("%s={{%s}}.RUN={{%s}}", [from_command, name, resource.Value[0]]), + "searchKey": sprintf("%s={{%s}}.%s={{%s}}", [from_command, name, run_command, resource.Value[0]]), "issueType": "IncorrectValue", "keyExpectedValue": "After installing a package with dnf, command 'dnf clean all' should run.", "keyActualValue": "Command `dnf clean all` is not being run after installing packages.", diff --git a/assets/queries/dockerfile/missing_flag_from_dnf_install/query.rego b/assets/queries/dockerfile/missing_flag_from_dnf_install/query.rego index ea3dc692ea0..22b14366e5f 100644 --- a/assets/queries/dockerfile/missing_flag_from_dnf_install/query.rego +++ b/assets/queries/dockerfile/missing_flag_from_dnf_install/query.rego @@ -1,13 +1,13 @@ package Cx import data.generic.common as common_lib -import data.generic.dockerfile as docker_lib +import data.generic.dockerfile as dockerLib CxPolicy[result] { resource := input.document[i].command[name][cmd] resource.Cmd == "run" values := resource.Value[0] - commands = docker_lib.getCommands(values) + commands = dockerLib.getCommands(values) some k c := hasInstallCommandWithoutFlag(commands[k]) 
@@ -15,10 +15,11 @@ CxPolicy[result] { not hasYesFlag(c) stage := input.document[i].command[name] - from_command := docker_lib.get_original_from_command(stage) + from_command := dockerLib.get_original_from_command(stage) + run_command := substring(resource.Original, 0, 3) result := { "documentId": input.document[i].id, - "searchKey": sprintf("%s={{%s}}.RUN={{%s}}", [from_command, name, resource.Value[0]]), + "searchKey": sprintf("%s={{%s}}.%s={{%s}}", [from_command, name, run_command, resource.Value[0]]), "searchValue": trim_space(c), "issueType": "IncorrectValue", "keyExpectedValue": "When running `dnf install`, `-y` or `--assumeyes` switch should be set to avoid build failure ", diff --git a/assets/queries/dockerfile/missing_user_instruction/query.rego b/assets/queries/dockerfile/missing_user_instruction/query.rego index 19c41a7312d..87e69b12978 100644 --- a/assets/queries/dockerfile/missing_user_instruction/query.rego +++ b/assets/queries/dockerfile/missing_user_instruction/query.rego @@ -21,5 +21,6 @@ CxPolicy[result] { } has_user_instruction(resource) { + resource[_].Cmd == "user" } diff --git a/assets/queries/dockerfile/missing_user_instruction/test/positive_expected_result.json b/assets/queries/dockerfile/missing_user_instruction/test/positive_expected_result.json index 70ddd881925..c6f89f7b14f 100644 --- a/assets/queries/dockerfile/missing_user_instruction/test/positive_expected_result.json +++ b/assets/queries/dockerfile/missing_user_instruction/test/positive_expected_result.json @@ -16,5 +16,5 @@ "severity": "HIGH", "line": 1, "fileName": "positive3.dockerfile" - }, + } ] diff --git a/assets/queries/dockerfile/missing_version_specification_in_dnf_install/test/positive_expected_result.json b/assets/queries/dockerfile/missing_version_specification_in_dnf_install/test/positive_expected_result.json index a7f35bc112b..5e939155d07 100644 --- a/assets/queries/dockerfile/missing_version_specification_in_dnf_install/test/positive_expected_result.json 
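Review bot: `resource[_].Cmd == "user"` makes `has_user_instruction` true for any USER instruction in the stage, including `USER root` or `USER 0`, so the finding is suppressed even though the resulting container still runs as root; the CxPolicy rule that consumes this helper starts outside the hunk. If presence is all this query intends to check, a comment such as `# presence only: USER root still counts as a user instruction` would make the limitation explicit for anyone tuning the rule; otherwise the helper would need to inspect the value of the last `user` command rather than accept any of them.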
+++ b/assets/queries/dockerfile/missing_version_specification_in_dnf_install/test/positive_expected_result.json @@ -16,5 +16,11 @@ "severity": "MEDIUM", "line": 2, "fileName": "positive2.dockerfile" + }, + { + "queryName": "Missing Version Specification In dnf install", + "severity": "MEDIUM", + "line": 3, + "fileName": "positive2.dockerfile" } ] \ No newline at end of file diff --git a/assets/queries/dockerfile/npm_install_without_pinned_version/test/positive_expected_result.json b/assets/queries/dockerfile/npm_install_without_pinned_version/test/positive_expected_result.json index 563d30702a0..b65937068ba 100644 --- a/assets/queries/dockerfile/npm_install_without_pinned_version/test/positive_expected_result.json +++ b/assets/queries/dockerfile/npm_install_without_pinned_version/test/positive_expected_result.json @@ -82,5 +82,5 @@ "severity": "MEDIUM", "line": 8, "filename": "positive2.dockerfile" - }, + } ] \ No newline at end of file diff --git a/assets/queries/dockerfile/pip_install_keeping_cached_packages/test/positive_expected_result.json b/assets/queries/dockerfile/pip_install_keeping_cached_packages/test/positive_expected_result.json index ba31acf207f..01668bfd73b 100644 --- a/assets/queries/dockerfile/pip_install_keeping_cached_packages/test/positive_expected_result.json +++ b/assets/queries/dockerfile/pip_install_keeping_cached_packages/test/positive_expected_result.json 
@@ -34,5 +34,29 @@ "severity": "LOW", "line": 2, "fileName": "positive2.dockerfile" + }, + { + "queryName": "Pip install Keeping Cached Packages", + "severity": "LOW", + "line": 8, + "fileName": "positive2.dockerfile" + }, + { + "queryName": "Pip install Keeping Cached Packages", + "severity": "LOW", + "line": 9, + "fileName": "positive2.dockerfile" + }, + { + "queryName": "Pip install Keeping Cached Packages", + "severity": "LOW", + "line": 10, + "fileName": "positive2.dockerfile" + }, + { + "queryName": "Pip install Keeping Cached Packages", + "severity": "LOW", + "line": 11, + "fileName": "positive2.dockerfile" } ] \ No newline at end of file diff --git a/assets/queries/dockerfile/run_command_cd_instead_of_workdir/query.rego b/assets/queries/dockerfile/run_command_cd_instead_of_workdir/query.rego index a1d5aa2fce9..da557956b2d 100644 --- a/assets/queries/dockerfile/run_command_cd_instead_of_workdir/query.rego +++ b/assets/queries/dockerfile/run_command_cd_instead_of_workdir/query.rego @@ -5,8 +5,8 @@ import data.generic.dockerfile as dockerLib CxPolicy[result] { resource := input.document[i].command[name][_] resource.Cmd == "run" - run_command := resource.Value[_] - values := split(run_command, " ") + run_command_value := resource.Value[_] + values := split(run_command_value, " ") trim_space(values[index]) == "cd" path := trim_space(values[index+1]) not is_full_path(path) @@ -14,9 +14,10 @@ CxPolicy[result] { stage := input.document[i].command[name] from_command := dockerLib.get_original_from_command(stage) + run_command := substring(resource.Original, 0, 3) result := { "documentId": input.document[i].id, - "searchKey": sprintf("%s={{%s}}.RUN={{%s}}", [from_command, name, resource.Value[0]]), + "searchKey": sprintf("%s={{%s}}.%s={{%s}}", [from_command, name, run_command, resource.Value[0]]), "issueType": "IncorrectValue", "keyExpectedValue": "Using WORKDIR to change directory", "keyActualValue": sprintf("RUN %s'", [resource.Value[0]]), 
diff --git a/assets/queries/dockerfile/run_command_cd_instead_of_workdir/test/positive_expected_result.json b/assets/queries/dockerfile/run_command_cd_instead_of_workdir/test/positive_expected_result.json index 6b424f1b2a4..6c533054a7f 100644 --- a/assets/queries/dockerfile/run_command_cd_instead_of_workdir/test/positive_expected_result.json +++ b/assets/queries/dockerfile/run_command_cd_instead_of_workdir/test/positive_expected_result.json @@ -34,10 +34,5 @@ "severity": "LOW", "line": 15, "fileName": "positive2.dockerfile" - },{ - "queryName": "RUN Instruction Using 'cd' Instead of WORKDIR", - "severity": "LOW", - "line": 3, - "fileName": "positive2.dockerfile" } ] \ No newline at end of file diff --git a/assets/queries/dockerfile/run_using_sudo/query.rego b/assets/queries/dockerfile/run_using_sudo/query.rego index a258365d826..94d474711b7 100644 --- a/assets/queries/dockerfile/run_using_sudo/query.rego +++ b/assets/queries/dockerfile/run_using_sudo/query.rego @@ -11,9 +11,10 @@ CxPolicy[result] { stage := input.document[i].command[name] from_command := dockerLib.get_original_from_command(stage) + run_command := substring(resource.Original, 0, 3) result := { "documentId": input.document[i].id, - "searchKey": sprintf("%s={{%s}}.RUN={{%s}}", [from_command, name, resource.Value[0]]), + "searchKey": sprintf("%s={{%s}}.%s={{%s}}", [from_command, name, run_command, resource.Value[0]]), "issueType": "IncorrectValue", "keyExpectedValue": "RUN instruction shouldn't contain sudo", "keyActualValue": "RUN instruction contains sudo", 
@@ -29,9 +30,10 @@ CxPolicy[result] { stage := input.document[i].command[name] from_command := dockerLib.get_original_from_command(stage) + run_command := substring(resource.Original, 0, 3) result := { "documentId": input.document[i].id, - "searchKey": sprintf("%s={{%s}}.RUN={{%s}}", [from_command, name, resource.Original]), + "searchKey": sprintf("%s={{%s}}.%s={{%s}}", [from_command, name, run_command, resource.Value[0]]), "issueType": "IncorrectValue", "keyExpectedValue": "RUN instruction shouldn't contain sudo", "keyActualValue": "RUN instruction contains sudo", diff --git a/assets/queries/dockerfile/same_alias_in_different_froms/test/positive_expected_result.json b/assets/queries/dockerfile/same_alias_in_different_froms/test/positive_expected_result.json index 4f0c09802ac..515f03d0102 100644 --- a/assets/queries/dockerfile/same_alias_in_different_froms/test/positive_expected_result.json +++ b/assets/queries/dockerfile/same_alias_in_different_froms/test/positive_expected_result.json @@ -2,7 +2,8 @@ { "queryName": "Same Alias In Different Froms", "severity": "LOW", - "line": 4 + "line": 4, + "fileName": "positive.dockerfile" }, { "queryName": "Same Alias In Different Froms", diff --git a/assets/queries/dockerfile/unpinned_package_version_in_apk_add/test/positive_expected_result.json b/assets/queries/dockerfile/unpinned_package_version_in_apk_add/test/positive_expected_result.json index 12d14d397df..c1e87f5d252 100644 --- a/assets/queries/dockerfile/unpinned_package_version_in_apk_add/test/positive_expected_result.json +++ b/assets/queries/dockerfile/unpinned_package_version_in_apk_add/test/positive_expected_result.json @@ -33,7 +33,7 @@ "queryName": "Unpinned Package Version in Apk Add", "severity": "MEDIUM", "line": 2, - "fileName": "positive.dockerfile" + "fileName": "positive2.dockerfile" }, { "queryName": "Unpinned Package Version in Apk Add", 
diff --git a/assets/queries/dockerfile/update_instruction_alone/query.rego b/assets/queries/dockerfile/update_instruction_alone/query.rego index 391e7a712db..52f77a0d09b 100644 --- a/assets/queries/dockerfile/update_instruction_alone/query.rego +++ b/assets/queries/dockerfile/update_instruction_alone/query.rego @@ -24,9 +24,10 @@ CxPolicy[result] { stage := input.document[i].command[name] from_command := dockerLib.get_original_from_command(stage) + run_command := substring(resource.Original, 0, 3) result := { "documentId": input.document[i].id, - "searchKey": sprintf("%s={{%s}}.RUN={{%s}}", [from_command, name, resource.Value[0]]), + "searchKey": sprintf("%s={{%s}}.%s={{%s}}", [from_command, name, run_command, resource.Value[0]]), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("Instruction 'RUN %s %s' should be followed by 'RUN %s %s' in the same 'RUN' statement", [packageManager, pkg_installer[packageManager], packageManager, pkg_updater[packageManager]]), "keyActualValue": sprintf("Instruction 'RUN %s %s' isn't followed by 'RUN %s %s in the same 'RUN' statement", [packageManager, pkg_installer[packageManager], packageManager, pkg_updater[packageManager]]), 
@@ -62,9 +63,12 @@ CxPolicy[result] { nextUpdate := [x | x := getDetail(nextCommandRefactor, pkg_updater[nextPackageManager][_]); count(x) > 0] count(nextUpdate) == 0 - result := { + stage := input.document[i].command[name] + from_command := dockerLib.get_original_from_command(stage) + run_command := substring(resource.Original, 0, 3) + result := { "documentId": input.document[i].id, - "searchKey": sprintf("%s={{%s}}.RUN={{%s}}", [from_command, name, nextResource.Value[0]]), + "searchKey": sprintf("%s={{%s}}.%s={{%s}}", [from_command, name, run_command, resource.Value[0]]), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("Instruction 'RUN %s %s' should be combined with 'RUN %s %s' in the same 'RUN' statement", [nextPackageManager, pkg_installer[nextPackageManager], nextPackageManager, pkg_updater[nextPackageManager]]), "keyActualValue": sprintf("Instruction 'RUN %s %s' isn't combined with 'RUN %s %s in the same 'RUN' statement", [nextPackageManager, pkg_installer[nextPackageManager], nextPackageManager, pkg_updater[nextPackageManager]]), diff --git a/assets/queries/dockerfile/workdir_path_not_absolute/query.rego b/assets/queries/dockerfile/workdir_path_not_absolute/query.rego index f6505433c57..d7d00a8de1d 100644 --- a/assets/queries/dockerfile/workdir_path_not_absolute/query.rego +++ b/assets/queries/dockerfile/workdir_path_not_absolute/query.rego 
@@ -9,9 +9,10 @@ CxPolicy[result] { stage := input.document[i].command[name] from_command := dockerLib.get_original_from_command(stage) + workdir_command := substring(resource.Original, 0, 7) result := { "documentId": input.document[i].id, - "searchKey": sprintf("%s={{%s}}.WORKDIR={{%s}}", [from_command, name, resource.Value[0]]), + "searchKey": sprintf("%s={{%s}}.%s={{%s}}", [from_command, name, workdir_command, resource.Value[0]]), "issueType": "IncorrectValue", #"MissingAttribute" / "RedundantAttribute" "keyExpectedValue": "'WORKDIR' Command has absolute path", "keyActualValue": "'WORKDIR' Command doesn't have absolute path", From 1eb54999f83b7574c61257b86834a9dcdc0ef89a Mon Sep 17 00:00:00 2001 From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Tue, 24 Mar 2026 11:56:14 +0000 Subject: [PATCH 40/84] Small fix to update instruction alone query --- assets/queries/dockerfile/update_instruction_alone/query.rego | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/assets/queries/dockerfile/update_instruction_alone/query.rego b/assets/queries/dockerfile/update_instruction_alone/query.rego index 52f77a0d09b..8fc0fd03c64 100644 --- a/assets/queries/dockerfile/update_instruction_alone/query.rego +++ b/assets/queries/dockerfile/update_instruction_alone/query.rego 
@@ -68,7 +68,7 @@ CxPolicy[result] { run_command := substring(resource.Original, 0, 3) result := { "documentId": input.document[i].id, - "searchKey": sprintf("%s={{%s}}.%s={{%s}}", [from_command, name, run_command, resource.Value[0]]), + "searchKey": sprintf("%s={{%s}}.%s={{%s}}", [from_command, name, run_command, nextResource.Value[0]]), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("Instruction 'RUN %s %s' should be combined with 'RUN %s %s' in the same 'RUN' statement", [nextPackageManager, pkg_installer[nextPackageManager], nextPackageManager, pkg_updater[nextPackageManager]]), "keyActualValue": sprintf("Instruction 'RUN %s %s' isn't combined with 'RUN %s %s in the same 'RUN' statement", [nextPackageManager, pkg_installer[nextPackageManager], nextPackageManager, pkg_updater[nextPackageManager]]), From 4af5804f8121bfc607791258c9741101a8958682 Mon Sep 17 00:00:00 2001 From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Thu, 26 Mar 2026 11:55:48 +0000 Subject: [PATCH 41/84] Requested E2E change --- e2e/testcases/e2e-cli-106_valid_dockerfile_detected.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/e2e/testcases/e2e-cli-106_valid_dockerfile_detected.go b/e2e/testcases/e2e-cli-106_valid_dockerfile_detected.go index a7d46870aaa..14577ced017 100644 --- a/e2e/testcases/e2e-cli-106_valid_dockerfile_detected.go +++ b/e2e/testcases/e2e-cli-106_valid_dockerfile_detected.go 
@@ -1,10 +1,10 @@ package testcases // E2E-CLI-106 - KICS scan -// should perform the scan successfully detect all valid dockerfile documents and return result 50 +// should perform the scan successfully detecting all valid dockerfile files and return result 50 func init() { //nolint testSample := TestCase{ - Name: "should perform a valid scan with all dockerfile documents parsed [E2E-CLI-106]", + Name: "should perform a valid scan with all dockerfile files parsed [E2E-CLI-106]", Args: args{ Args: []cmdArgs{ []string{"scan", "-o", "/path/e2e/output", From 7ee77cc0601c68824e9f1ccc8cf033a1dba74053 Mon Sep 17 00:00:00 2001 From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Mon, 30 Mar 2026 17:16:48 +0100 Subject: [PATCH 42/84] Removed .ubi8 and .debian extensions checks --- pkg/parser/docker/parser.go | 2 +- pkg/parser/docker/parser_test.go | 2 +- pkg/remediation/scan.go | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/pkg/parser/docker/parser.go b/pkg/parser/docker/parser.go index a676b1cfee7..333db689198 100644 --- a/pkg/parser/docker/parser.go +++ b/pkg/parser/docker/parser.go @@ -133,7 +133,7 @@ func (p *Parser) GetKind() model.FileKind { // SupportedExtensions returns Dockerfile extensions func (p *Parser) SupportedExtensions() []string { - return []string{".dockerfile", ".ubi8", ".debian"} + return []string{".dockerfile"} } // SupportedTypes returns types supported by this parser, which are dockerfile diff --git a/pkg/parser/docker/parser_test.go b/pkg/parser/docker/parser_test.go index e5bc4d14783..15b67d2ede5 100644 --- a/pkg/parser/docker/parser_test.go +++ b/pkg/parser/docker/parser_test.go 
@@ -17,7 +17,7 @@ func TestParser_GetKind(t *testing.T) { // TestParser_SupportedExtensions tests the functions [SupportedExtensions()] and all the methods called by them func TestParser_SupportedExtensions(t *testing.T) { p := &Parser{} - require.Equal(t, []string{".dockerfile", ".ubi8", ".debian"}, p.SupportedExtensions()) + require.Equal(t, []string{".dockerfile"}, p.SupportedExtensions()) } // TestParser_SupportedExtensions tests the functions [SupportedTypes()] and all the methods called by them diff --git a/pkg/remediation/scan.go b/pkg/remediation/scan.go index b95ebfb65b2..ffd04fc5656 100644 --- a/pkg/remediation/scan.go +++ b/pkg/remediation/scan.go @@ -95,7 +95,7 @@ func getPayload(filePath string, content []byte, openAPIResolveReferences bool, var err error switch ext { - case ".dockerfile", ".ubi8", ".debian": + case ".dockerfile": p, err = parser.NewBuilder().Add(&dockerParser.Parser{}).Build([]string{""}, []string{""}) case terraformExtension: From 606bd5c423ea0fe50c00eeececa0b07390691af2 Mon Sep 17 00:00:00 2001 From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Tue, 31 Mar 2026 11:28:07 +0100 Subject: [PATCH 43/84] Fallback on debian and ubi removal from docker/parser to test E2E --- pkg/parser/docker/parser.go | 2 +- pkg/parser/docker/parser_test.go | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/pkg/parser/docker/parser.go b/pkg/parser/docker/parser.go index 333db689198..a676b1cfee7 100644 --- a/pkg/parser/docker/parser.go +++ b/pkg/parser/docker/parser.go @@ -133,7 +133,7 @@ func (p *Parser) GetKind() model.FileKind { // SupportedExtensions returns Dockerfile extensions func (p *Parser) SupportedExtensions() []string { - return []string{".dockerfile"} + return []string{".dockerfile", ".ubi8", ".debian"} } // SupportedTypes returns types supported by this parser, which are dockerfile 
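Review bot: `case ".dockerfile":` in getPayload (scan.go hunk `@@ -95,7 +95,7 @@`) compares `ext` as-is, while the analyzer change at the start of this series lower-cases the extension before its own switch; if `ext` here comes from `filepath.Ext` rather than the shared helper, a file ending in `.Dockerfile` is classified by the analyzer but falls through this switch. How `ext` is computed is outside the hunk, so this needs confirming; if it is not normalized, `switch strings.ToLower(ext) {` keeps the two paths consistent. getPayload starts before the hunk.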
diff --git a/pkg/parser/docker/parser_test.go b/pkg/parser/docker/parser_test.go index 15b67d2ede5..e5bc4d14783 100644 --- a/pkg/parser/docker/parser_test.go +++ b/pkg/parser/docker/parser_test.go @@ -17,7 +17,7 @@ func TestParser_GetKind(t *testing.T) { // TestParser_SupportedExtensions tests the functions [SupportedExtensions()] and all the methods called by them func TestParser_SupportedExtensions(t *testing.T) { p := &Parser{} - require.Equal(t, []string{".dockerfile"}, p.SupportedExtensions()) + require.Equal(t, []string{".dockerfile", ".ubi8", ".debian"}, p.SupportedExtensions()) } // TestParser_SupportedExtensions tests the functions [SupportedTypes()] and all the methods called by them From 3d585bacfb5ae202c836487a606e516a7c6d2971 Mon Sep 17 00:00:00 2001 From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Tue, 31 Mar 2026 12:04:39 +0100 Subject: [PATCH 44/84] E2E test 2 --- pkg/parser/docker/parser.go | 2 +- pkg/parser/docker/parser_test.go | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/pkg/parser/docker/parser.go b/pkg/parser/docker/parser.go index a676b1cfee7..333db689198 100644 --- a/pkg/parser/docker/parser.go +++ b/pkg/parser/docker/parser.go @@ -133,7 +133,7 @@ func (p *Parser) GetKind() model.FileKind { // SupportedExtensions returns Dockerfile extensions func (p *Parser) SupportedExtensions() []string { - return []string{".dockerfile", ".ubi8", ".debian"} + return []string{".dockerfile"} } // SupportedTypes returns types supported by this parser, which are dockerfile diff --git a/pkg/parser/docker/parser_test.go b/pkg/parser/docker/parser_test.go index e5bc4d14783..15b67d2ede5 100644 --- a/pkg/parser/docker/parser_test.go +++ b/pkg/parser/docker/parser_test.go 
@@ -17,7 +17,7 @@ func TestParser_GetKind(t *testing.T) { // TestParser_SupportedExtensions tests the functions [SupportedExtensions()] and all the methods called by them func TestParser_SupportedExtensions(t *testing.T) { p := &Parser{} - require.Equal(t, []string{".dockerfile", ".ubi8", ".debian"}, p.SupportedExtensions()) + require.Equal(t, []string{".dockerfile"}, p.SupportedExtensions()) } // TestParser_SupportedExtensions tests the functions [SupportedTypes()] and all the methods called by them From d13e41f187c75c487e7e8c0e1cd449876aa9e498 Mon Sep 17 00:00:00 2001 From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Tue, 31 Mar 2026 17:32:07 +0100 Subject: [PATCH 45/84] Final fix E2E, the E2E itself was incorrect, payload included invalid .debian and .ubi8 files since they were still considered supported even though now .dockerfile is the only valid dockerfile extension resulting from the 'GetExtension' function --- e2e/fixtures/E2E_CLI_106_PAYLOAD.json | 136 +------------------------- 1 file changed, 1 insertion(+), 135 deletions(-) diff --git a/e2e/fixtures/E2E_CLI_106_PAYLOAD.json b/e2e/fixtures/E2E_CLI_106_PAYLOAD.json index 9587df8b5a4..8a142fb5baf 100644 --- a/e2e/fixtures/E2E_CLI_106_PAYLOAD.json +++ b/e2e/fixtures/E2E_CLI_106_PAYLOAD.json 
@@ -1611,140 +1611,6 @@ }, "file": "file", "id": "0" - }, - { - "args": [ - { - "Cmd": "package", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "package main", - "SubCmd": "", - "Value": [ - "" - ], - "_kics_line": 1 - }, - { - "Cmd": "import", - "EndLine": 3, - "Flags": [], - "JSON": false, - "Original": "import \"fmt\"", - "SubCmd": "", - "Value": [ - "" - ], - "_kics_line": 3 - }, - { - "Cmd": "func", - "EndLine": 5, - "Flags": [], - "JSON": false, - "Original": "func main() {", - "SubCmd": "", - "Value": [ - "" - ], - "_kics_line": 5 - }, - { - "Cmd": "fmt.println(\"hello,", - "EndLine": 6, - "Flags": [], - "JSON": false, - "Original": "fmt.Println(\"Hello, World!\")", - "SubCmd": "", - "Value": [ - "" - ], - "_kics_line": 6 - }, - { - "Cmd": "}", - "EndLine": 7, - "Flags": null, - "JSON": false, - "Original": "}", - "SubCmd": "", - "Value": [ - "" - ], - "_kics_line": 7 - } - ], - "command": {}, - "file": "file", - "id": "0" - }, - { - "args": [ - { - "Cmd": "public", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "public class HelloWorld {", - "SubCmd": "", - "Value": [ - "" - ], - "_kics_line": 1 - }, - { - "Cmd": "public", - "EndLine": 2, - "Flags": [], - "JSON": false, - "Original": "public static void main(String[] args) {", - "SubCmd": "", - "Value": [ - "" - ], - "_kics_line": 2 - }, - { - "Cmd": "system.out.println(\"hello,", - "EndLine": 3, - "Flags": [], - "JSON": false, - "Original": "System.out.println(\"Hello, World!\");", - "SubCmd": "", - "Value": [ - "" - ], - "_kics_line": 3 - }, - { - "Cmd": "}", - "EndLine": 4, - "Flags": null, - "JSON": false, - "Original": "}", - "SubCmd": "", - "Value": [ - "" - ], - "_kics_line": 4 - }, - { - "Cmd": "}", - "EndLine": 5, - "Flags": null, - "JSON": false, - "Original": "}", - "SubCmd": "", - "Value": [ - "" - ], - "_kics_line": 5 - } - ], - "command": {}, - "file": "file", - "id": "0" } - ] + ] } From 886d539d7f1329c8e1c7e16242019c085c7c018b Mon Sep 17 00:00:00 2001 
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Tue, 7 Apr 2026 09:59:04 +0100 Subject: [PATCH 46/84] Test changes for payload compatibility --- assets/libraries/dockerfile.rego | 9 ++++++++- .../dockerfile/add_instead_of_copy/query.rego | 20 +++++++++++++------ .../missing_user_instruction/query.rego | 2 +- 3 files changed, 23 insertions(+), 8 deletions(-) diff --git a/assets/libraries/dockerfile.rego b/assets/libraries/dockerfile.rego index 4cdb0068c6e..9e2b239f88e 100644 --- a/assets/libraries/dockerfile.rego +++ b/assets/libraries/dockerfile.rego @@ -69,10 +69,17 @@ check_multi_stage(imageName, images) { sortedIndex := sort(unsortedIndex) imageName == sortedIndex[minus(count(sortedIndex), 1)].Name -} +} get_original_from_command(commands) = from_command { commands[i].Cmd == "from" from_command := substring(commands[i].Original, 0, 4) } +get_original_from_commands(commands) = from_commands { + from_commands = [from_command| + commands[i].Cmd == "from" + from_command := commands[i] + ] +} + diff --git a/assets/queries/dockerfile/add_instead_of_copy/query.rego b/assets/queries/dockerfile/add_instead_of_copy/query.rego index 509e17f14b6..abb9412936a 100644 --- a/assets/queries/dockerfile/add_instead_of_copy/query.rego +++ b/assets/queries/dockerfile/add_instead_of_copy/query.rego 
@@ -3,18 +3,26 @@ package Cx import data.generic.dockerfile as dockerLib CxPolicy[result] { - resource := input.document[i].command[name][_] - resource.Cmd == "add" + stage := input.document[i].command[name] - not dockerLib.arrayContains(resource.Value, {".tar", ".tar."}) + resource = stage[s] + stage[s].Cmd = "add" + not dockerLib.arrayContains(stage[s].Value, {".tar", ".tar."}) - stage := input.document[i].command[name] - from_command := dockerLib.get_original_from_command(stage) + from_commands := dockerLib.get_original_from_commands(stage) + from_command := get_from_command(from_commands, resource) result := { "documentId": input.document[i].id, - "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, resource.Original]), + "searchKey": sprintf("%s={{%s}}.{{%s}}", [substring(from_command.Original, 0, 4), name, resource.Original]), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("'COPY' %s", [resource.Value[0]]), "keyActualValue": sprintf("'ADD' %s", [resource.Value[0]]), } } + +get_from_command(from_commands, resource) = cmd { + closest_endline := max([cmd.EndLine | cmd := from_commands[_]; cmd.EndLine < resource.EndLine]) + cmd := from_commands[_] + cmd.EndLine == closest_endline +} + diff --git a/assets/queries/dockerfile/missing_user_instruction/query.rego b/assets/queries/dockerfile/missing_user_instruction/query.rego index 87e69b12978..ac94270aa2f 100644 --- a/assets/queries/dockerfile/missing_user_instruction/query.rego +++ b/assets/queries/dockerfile/missing_user_instruction/query.rego @@ -21,6 +21,6 @@ CxPolicy[result] { } has_user_instruction(resource) { - + resource[_].Cmd == "user" } From 182245930d37d50fa234781eb3219fc8be224206 Mon Sep 17 00:00:00 2001 
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Tue, 7 Apr 2026 12:55:39 +0100 Subject: [PATCH 47/84] Testings possible fix for parsing issue (multiple From statements) --- .../dockerfile/add_instead_of_copy/query.rego | 2 +- pkg/detector/docker/docker_detect.go | 16 ++++++++++++++++ 2 files changed, 17 insertions(+), 1 deletion(-) diff --git a/assets/queries/dockerfile/add_instead_of_copy/query.rego b/assets/queries/dockerfile/add_instead_of_copy/query.rego index abb9412936a..2bf1a7869d1 100644 --- a/assets/queries/dockerfile/add_instead_of_copy/query.rego +++ b/assets/queries/dockerfile/add_instead_of_copy/query.rego @@ -13,7 +13,7 @@ CxPolicy[result] { from_command := get_from_command(from_commands, resource) result := { "documentId": input.document[i].id, - "searchKey": sprintf("%s={{%s}}.{{%s}}", [substring(from_command.Original, 0, 4), name, resource.Original]), + "searchKey": sprintf("%s={{%s}}.{{%s}}--%d", [substring(from_command.Original, 0, 4), name, resource.Original, resource.EndLine-1]), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("'COPY' %s", [resource.Value[0]]), "keyActualValue": sprintf("'ADD' %s", [resource.Value[0]]), diff --git a/pkg/detector/docker/docker_detect.go b/pkg/detector/docker/docker_detect.go index 5b6a7ea7231..ebeaf92293a 100644 --- a/pkg/detector/docker/docker_detect.go +++ b/pkg/detector/docker/docker_detect.go @@ -35,6 +35,11 @@ func (d DetectKindLine) DetectLine(file *model.FileMetadata, searchKey string, ResolvedFiles: make(map[string]model.ResolvedFileSplit), } + searchKey, startLine := extractLineHint(searchKey) + if startLine > 0 { + det.CurrentLine = startLine - 1 // convert to 0-based + } + var extractedString [][]string extractedString = detector.GetBracketValues(searchKey, extractedString, "") sKey := searchKey 
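Review bot: The new `searchKey, startLine := extractLineHint(searchKey)` block in DetectLine (hunk `@@ -35,6 +35,11 @@` of docker_detect.go) introduces an undocumented contract between the dockerfile queries and the detector: a query may append `--<line>` to the searchKey and the detector must strip it before `GetBracketValues` runs. Nothing in the hunk says which side owns the format, and the only thing that makes `strings.LastIndex` tolerate a `--` inside the instruction text (`--no-cache` and the like) is that the remainder then fails `strconv.Atoi`. A comment above the call would carry that: `// Queries may suffix the searchKey with "--<line>" to pin the search start when identical FROM lines exist; strip it before bracket parsing.` DetectLine starts before the hunk.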
@@ -72,6 +77,17 @@ func (d DetectKindLine) DetectLine(file *model.FileMetadata, searchKey string, } } +func extractLineHint(value string) (string, int) { + idx := strings.LastIndex(value, "--") + if idx == -1 { + return value, 0 + } + if n, err := strconv.Atoi(value[idx+len("--"):]); err == nil { + return value[:idx], n + } + return value, 0 +} + func prepareDockerFileLines(text []string) []string { for idx, key := range text { if !commentRegex.MatchString(key) { From 10af967ef95a532f77b1f6d2ad9eed9de4ec86ea Mon Sep 17 00:00:00 2001 From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Tue, 7 Apr 2026 13:03:43 +0100 Subject: [PATCH 48/84] Removed needless check --- pkg/detector/docker/docker_detect.go | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/pkg/detector/docker/docker_detect.go b/pkg/detector/docker/docker_detect.go index ebeaf92293a..6a569c101c4 100644 --- a/pkg/detector/docker/docker_detect.go +++ b/pkg/detector/docker/docker_detect.go @@ -37,7 +37,7 @@ func (d DetectKindLine) DetectLine(file *model.FileMetadata, searchKey string, searchKey, startLine := extractLineHint(searchKey) if startLine > 0 { - det.CurrentLine = startLine - 1 // convert to 0-based + det.CurrentLine = startLine - 1 } var extractedString [][]string @@ -79,9 +79,6 @@ func (d DetectKindLine) DetectLine(file *model.FileMetadata, searchKey string, func extractLineHint(value string) (string, int) { idx := strings.LastIndex(value, "--") - if idx == -1 { - return value, 0 - } if n, err := strconv.Atoi(value[idx+len("--"):]); err == nil { return value[:idx], n } From 16284d620391134fb8f0148559d208c74421e1d4 Mon Sep 17 00:00:00 2001 From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Tue, 7 Apr 2026 13:35:53 +0100 Subject: [PATCH 49/84] Fixes --- assets/queries/dockerfile/add_instead_of_copy/query.rego | 2 +- pkg/detector/docker/docker_detect.go | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) 
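Review bot: The `if idx == -1 { return value, 0 }` guard removed in hunk `@@ -79,9 +79,6 @@` was not needless: when the key contains no `--`, `strings.LastIndex` returns -1 and `value[idx+len("--"):]` becomes `value[1:]`, which panics on an empty key and otherwise hands the key minus its first byte to `strconv.Atoi`, so a key whose tail happens to be digits is mis-read as a line hint. The later switch to the one-byte `#` separator makes the arithmetic land on `value[0:]`, which removes the panic, but correctness then rests on Atoi rejecting the whole key rather than on an explicit check. Restoring `if idx < 0 { return value, 0 }` states the intent and applies equally to that later hunk.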
diff --git a/assets/queries/dockerfile/add_instead_of_copy/query.rego b/assets/queries/dockerfile/add_instead_of_copy/query.rego index 2bf1a7869d1..eddf7759dee 100644 --- a/assets/queries/dockerfile/add_instead_of_copy/query.rego +++ b/assets/queries/dockerfile/add_instead_of_copy/query.rego @@ -13,7 +13,7 @@ CxPolicy[result] { from_command := get_from_command(from_commands, resource) result := { "documentId": input.document[i].id, - "searchKey": sprintf("%s={{%s}}.{{%s}}--%d", [substring(from_command.Original, 0, 4), name, resource.Original, resource.EndLine-1]), + "searchKey": sprintf("%s={{%s}}.{{%s}}--%d", [substring(from_command.Original, 0, 4), name, resource.Original, from_command.EndLine-1]), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("'COPY' %s", [resource.Value[0]]), "keyActualValue": sprintf("'ADD' %s", [resource.Value[0]]), diff --git a/pkg/detector/docker/docker_detect.go b/pkg/detector/docker/docker_detect.go index 6a569c101c4..bfa9612517b 100644 --- a/pkg/detector/docker/docker_detect.go +++ b/pkg/detector/docker/docker_detect.go @@ -37,7 +37,7 @@ func (d DetectKindLine) DetectLine(file *model.FileMetadata, searchKey string, searchKey, startLine := extractLineHint(searchKey) if startLine > 0 { - det.CurrentLine = startLine - 1 + det.CurrentLine = startLine } var extractedString [][]string @@ -77,7 +77,7 @@ func (d DetectKindLine) DetectLine(file *model.FileMetadata, searchKey string, } } -func extractLineHint(value string) (string, int) { +func extractLineHint(value string) (TrimmedValue string, EndLine int) { idx := strings.LastIndex(value, "--") if n, err := strconv.Atoi(value[idx+len("--"):]); err == nil { return value[:idx], n From 45d062846d45cc142973c9571dab4b4be23d29f7 Mon Sep 17 00:00:00 2001 
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Tue, 7 Apr 2026 13:55:45 +0100 Subject: [PATCH 50/84] Mini fix for linting --- pkg/detector/docker/docker_detect.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/detector/docker/docker_detect.go b/pkg/detector/docker/docker_detect.go index bfa9612517b..0e3a39a03c4 100644 --- a/pkg/detector/docker/docker_detect.go +++ b/pkg/detector/docker/docker_detect.go @@ -77,7 +77,7 @@ func (d DetectKindLine) DetectLine(file *model.FileMetadata, searchKey string, } } -func extractLineHint(value string) (TrimmedValue string, EndLine int) { +func extractLineHint(value string) (trimmedValue string, EndLine int) { idx := strings.LastIndex(value, "--") if n, err := strconv.Atoi(value[idx+len("--"):]); err == nil { return value[:idx], n From 775db75ed6a7288da771fb3ea15f32d900fef87c Mon Sep 17 00:00:00 2001 From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Tue, 7 Apr 2026 14:26:04 +0100 Subject: [PATCH 51/84] Added id to distinguish repeated FROM statements on the same image (lower query overhead) --- .../dockerfile/add_instead_of_copy/query.rego | 18 +++++++++--------- pkg/detector/docker/docker_detect.go | 2 ++ pkg/parser/docker/parser.go | 5 +++++ 3 files changed, 16 insertions(+), 9 deletions(-) diff --git a/assets/queries/dockerfile/add_instead_of_copy/query.rego b/assets/queries/dockerfile/add_instead_of_copy/query.rego index eddf7759dee..537185bc41e 100644 --- a/assets/queries/dockerfile/add_instead_of_copy/query.rego +++ b/assets/queries/dockerfile/add_instead_of_copy/query.rego 
@@ -9,20 +9,20 @@ CxPolicy[result] { stage[s].Cmd = "add" not dockerLib.arrayContains(stage[s].Value, {".tar", ".tar."}) - from_commands := dockerLib.get_original_from_commands(stage) - from_command := get_from_command(from_commands, resource) + from_command := get_original_from_command(stage) result := { "documentId": input.document[i].id, - "searchKey": sprintf("%s={{%s}}.{{%s}}--%d", [substring(from_command.Original, 0, 4), name, resource.Original, from_command.EndLine-1]), + "searchKey": sprintf("%s={{%s}}.{{%s}}--%d", [from_command.value, name, resource.Original, from_command.EndLine-1]), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("'COPY' %s", [resource.Value[0]]), "keyActualValue": sprintf("'ADD' %s", [resource.Value[0]]), } } -get_from_command(from_commands, resource) = cmd { - closest_endline := max([cmd.EndLine | cmd := from_commands[_]; cmd.EndLine < resource.EndLine]) - cmd := from_commands[_] - cmd.EndLine == closest_endline -} - +get_original_from_command(commands) = from_command { + commands[i].Cmd == "from" + from_command := { + "value": substring(commands[i].Original, 0, 4), + "EndLine" : commands[i].EndLine + } +} \ No newline at end of file diff --git a/pkg/detector/docker/docker_detect.go b/pkg/detector/docker/docker_detect.go index 0e3a39a03c4..b343b8d5f1a 100644 --- a/pkg/detector/docker/docker_detect.go +++ b/pkg/detector/docker/docker_detect.go @@ -47,6 +47,8 @@ func (d DetectKindLine) DetectLine(file *model.FileMetadata, searchKey string, sKey = strings.ReplaceAll(sKey, str[0], `{{`+strconv.Itoa(idx)+`}}`) } + extractedString[0][1], _, _ = strings.Cut(extractedString[0][1], "-kics-id-") //removes id from image_reference + unchangedText := make([]string, len(*file.LinesOriginalData)) copy(unchangedText, *file.LinesOriginalData) diff --git a/pkg/parser/docker/parser.go b/pkg/parser/docker/parser.go index 82b860308e1..286dd00da17 100644 --- a/pkg/parser/docker/parser.go +++ b/pkg/parser/docker/parser.go 
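Review bot: The `get_original_from_command` helper added at the bottom of add_instead_of_copy/query.rego reuses the name of `dockerLib.get_original_from_command` from the shared library with a different return shape (an object with `value` and `EndLine` instead of a string), which is confusing in a file that still imports `dockerLib`. As far as the page shows, the `get_original_from_commands` added to assets/libraries/dockerfile.rego earlier in this series is no longer referenced after this hunk. Moving the object-returning helper into the library under a distinct name, e.g. `get_from_command_with_line`, would avoid both the shadowing and the dead helper.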
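Review bot: `extractedString[0][1], _, _ = strings.Cut(extractedString[0][1], "-kics-id-")` in hunk `@@ -47,6 +47,8 @@` of docker_detect.go indexes the result of `GetBracketValues` without checking it, so a searchKey with no `{{…}}` group, or a match with fewer than two elements, panics with an index out of range instead of producing a normal line-detection result. Whether GetBracketValues guarantees at least one two-element match is outside the hunk; unless it does, guard the access: `if len(extractedString) > 0 && len(extractedString[0]) > 1 { extractedString[0][1], _, _ = strings.Cut(extractedString[0][1], "-kics-id-") }`. The same unguarded access survives when the separator becomes `(` later in the series. DetectLine starts before the hunk.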
@@ -50,6 +50,7 @@ func (p *Parser) Parse(_ string, fileContent []byte) ([]model.Document, []int, e fromValue := "" from := make(map[string][]Command) + fromCount := make(map[string]int) arguments := make([]Command, 0) ignoreStruct := newIgnore() @@ -60,6 +61,10 @@ func (p *Parser) Parse(_ string, fileContent []byte) ([]model.Document, []int, e child.Value = strings.ToLower(child.Value) if child.Value == "from" { fromValue = child.Original[5:] + fromCount[fromValue]++ + if fromCount[fromValue] > 1 { + fromValue = fmt.Sprintf("%s-kics-id-%d", fromValue, fromCount[fromValue]-1) + } } if ignoreStruct.getIgnoreComments(child) { From 47b647eb7e921ef92454102f1fd7988cb837fbe5 Mon Sep 17 00:00:00 2001 From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Tue, 7 Apr 2026 14:31:16 +0100 Subject: [PATCH 52/84] Linting fix 2 --- pkg/detector/docker/docker_detect.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkg/detector/docker/docker_detect.go b/pkg/detector/docker/docker_detect.go index b343b8d5f1a..27dd8878928 100644 --- a/pkg/detector/docker/docker_detect.go +++ b/pkg/detector/docker/docker_detect.go @@ -47,7 +47,7 @@ func (d DetectKindLine) DetectLine(file *model.FileMetadata, searchKey string, sKey = strings.ReplaceAll(sKey, str[0], `{{`+strconv.Itoa(idx)+`}}`) } - extractedString[0][1], _, _ = strings.Cut(extractedString[0][1], "-kics-id-") //removes id from image_reference + extractedString[0][1], _, _ = strings.Cut(extractedString[0][1], "-kics-id-") unchangedText := make([]string, len(*file.LinesOriginalData)) copy(unchangedText, *file.LinesOriginalData) @@ -79,7 +79,7 @@ func (d DetectKindLine) DetectLine(file *model.FileMetadata, searchKey string, } } -func extractLineHint(value string) (trimmedValue string, EndLine int) { +func extractLineHint(value string) (trimmedValue string, endLine int) { idx := strings.LastIndex(value, "--") if n, err := strconv.Atoi(value[idx+len("--"):]); err == nil { return value[:idx], n 
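Review bot: The `-kics-id-%d` suffix appended to `fromValue` in hunk `@@ -60,6 +61,10 @@` of parser.go changes the key under which the commands of a repeated stage are stored (from the surrounding context `fromValue` appears to be the key into `from`), so the suffixed value presumably reaches every dockerfile query as `name` and every searchKey as `{{name}}`, and the detector must strip it with a matching literal (`strings.Cut(..., "-kics-id-")` in docker_detect.go); the later commit that changes both sides to `(` and `child.StartLine` shows how easily the two literals drift. A single exported constant in the parser package, referenced from the detector, would keep the protocol in one place, and the assignment deserves a comment: `// repeated FROM of the same image: suffix the stage key so each occurrence keeps its own command list`. Note also that the count is keyed on the raw `child.Original[5:]`, so `FROM alpine` and `FROM alpine AS build` are counted as different stages — presumably intended but worth stating. Parse starts before the hunk.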
From 877366ab7237452d02d2d8b9bd5b07a94b7e7b8b Mon Sep 17 00:00:00 2001 From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Tue, 7 Apr 2026 23:51:56 +0100 Subject: [PATCH 53/84] Best of both worlds solution, fallback to the implementation that changes searchKey but now only changes if warranted, simplified distinction between identical FROM statements in the payload with a Endline-1 in brackets, SimId will vary if lines shift (exclusively on duplicate FROM statements that flag) --- .../dockerfile/add_instead_of_copy/query.rego | 15 ++++++++++++++- pkg/detector/docker/docker_detect.go | 6 +++--- pkg/parser/docker/parser.go | 2 +- 3 files changed, 18 insertions(+), 5 deletions(-) diff --git a/assets/queries/dockerfile/add_instead_of_copy/query.rego b/assets/queries/dockerfile/add_instead_of_copy/query.rego index 537185bc41e..8978da9ca76 100644 --- a/assets/queries/dockerfile/add_instead_of_copy/query.rego +++ b/assets/queries/dockerfile/add_instead_of_copy/query.rego @@ -12,7 +12,7 @@ CxPolicy[result] { from_command := get_original_from_command(stage) result := { "documentId": input.document[i].id, - "searchKey": sprintf("%s={{%s}}.{{%s}}--%d", [from_command.value, name, resource.Original, from_command.EndLine-1]), + "searchKey": get_search_key(from_command, name, resource), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("'COPY' %s", [resource.Value[0]]), "keyActualValue": sprintf("'ADD' %s", [resource.Value[0]]), 
@@ -25,4 +25,17 @@ get_original_from_command(commands) = from_command { "value": substring(commands[i].Original, 0, 4), "EndLine" : commands[i].EndLine } +} + +get_search_key(from_command, name, resource) = searchKey { + indexof(name, "(") == -1 + searchKey := sprintf("%s={{%s}}.{{%s}}", [from_command.value, name, resource.Original]) +} else = searchKey { + searchKey := sprintf("%s={{%s}}.{{%s}}#%d", [from_command.value, get_name(name), resource.Original, from_command.EndLine-1]) +} + +get_name(raw_image) = name { + idx := indexof(raw_image, "(") + idx >= 0 + name := substring(raw_image, 0, idx) } \ No newline at end of file diff --git a/pkg/detector/docker/docker_detect.go b/pkg/detector/docker/docker_detect.go index 27dd8878928..90e44c8b616 100644 --- a/pkg/detector/docker/docker_detect.go +++ b/pkg/detector/docker/docker_detect.go @@ -47,7 +47,7 @@ func (d DetectKindLine) DetectLine(file *model.FileMetadata, searchKey string, sKey = strings.ReplaceAll(sKey, str[0], `{{`+strconv.Itoa(idx)+`}}`) } - extractedString[0][1], _, _ = strings.Cut(extractedString[0][1], "-kics-id-") + extractedString[0][1], _, _ = strings.Cut(extractedString[0][1], "(") unchangedText := make([]string, len(*file.LinesOriginalData)) copy(unchangedText, *file.LinesOriginalData) @@ -80,8 +80,8 @@ func (d DetectKindLine) DetectLine(file *model.FileMetadata, searchKey string, } func extractLineHint(value string) (trimmedValue string, endLine int) { - idx := strings.LastIndex(value, "--") - if n, err := strconv.Atoi(value[idx+len("--"):]); err == nil { + idx := strings.LastIndex(value, "#") + if n, err := strconv.Atoi(value[idx+len("#"):]); err == nil { return value[:idx], n } return value, 0 diff --git a/pkg/parser/docker/parser.go b/pkg/parser/docker/parser.go index 286dd00da17..a83af2e8a96 100644 --- a/pkg/parser/docker/parser.go +++ b/pkg/parser/docker/parser.go 
@@ -63,7 +63,7 @@ func (p *Parser) Parse(_ string, fileContent []byte) ([]model.Document, []int, e
 fromValue = child.Original[5:]
 fromCount[fromValue]++
 if fromCount[fromValue] > 1 {
- fromValue = fmt.Sprintf("%s-kics-id-%d", fromValue, fromCount[fromValue]-1)
+ fromValue = fmt.Sprintf("%s(%d)", fromValue, child.StartLine)
 }
 }
 
From 6a4b0caf39580bdeb4dc0643a4f14cff14cb338b Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Wed, 8 Apr 2026 12:05:26 +0100
Subject: [PATCH 54/84] slight changes to query
---
 .../dockerfile/add_instead_of_copy/query.rego | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/assets/queries/dockerfile/add_instead_of_copy/query.rego b/assets/queries/dockerfile/add_instead_of_copy/query.rego
index 8978da9ca76..5258188ec03 100644
--- a/assets/queries/dockerfile/add_instead_of_copy/query.rego
+++ b/assets/queries/dockerfile/add_instead_of_copy/query.rego
@@ -19,6 +19,13 @@ CxPolicy[result] {
 }
 }
 
+get_search_key(from_command, name, resource) = searchKey {
+ indexof(name, "(") == -1
+ searchKey := sprintf("%s={{%s}}.{{%s}}", [from_command.value, name, resource.Original])
+} else = searchKey {
+ searchKey := sprintf("%s={{%s}}.{{%s}}#%d", [from_command.value, get_name(name), resource.Original, from_command.EndLine-1])
+}
+
 get_original_from_command(commands) = from_command {
 commands[i].Cmd == "from"
 from_command := {
@@ -27,13 +34,6 @@ get_original_from_command(commands) = from_command {
 }
 }
 
-get_search_key(from_command, name, resource) = searchKey {
- indexof(name, "(") == -1
- searchKey := sprintf("%s={{%s}}.{{%s}}", [from_command.value, name, resource.Original])
-} else = searchKey {
- searchKey := sprintf("%s={{%s}}.{{%s}}#%d", [from_command.value, get_name(name), resource.Original, from_command.EndLine-1])
-}
-
 get_name(raw_image) = name {
 idx := indexof(raw_image, "(")
 idx >= 0
From d0c49fb5711a8a6fb182e8f9408b8ee25ab6382d Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Wed, 8 Apr 2026 15:18:33 +0100
Subject: [PATCH 55/84] SimID now depends on number of duplicate FROM statements prior to the one being evaluared, searchKey include number of duplicate and linehint (as before) in that order, latter is extracted before simID calculation
---
 .../dockerfile/add_instead_of_copy/query.rego | 13 ++++++------- .../{negative.dockerfile => negative1.dockerfile} | 0 .../{positive.dockerfile => positive1.dockerfile} | 0 .../add_instead_of_copy/test/positive3.dockerfile | 8 ++++++++ .../test/positive_expected_result.json | 14 +++++++++++++- pkg/engine/vulnerability_builder.go | 9 +++++++++ pkg/parser/docker/parser.go | 2 +- 7 files changed, 37 insertions(+), 9 deletions(-) rename assets/queries/dockerfile/add_instead_of_copy/test/{negative.dockerfile => negative1.dockerfile} (100%) rename assets/queries/dockerfile/add_instead_of_copy/test/{positive.dockerfile => positive1.dockerfile} (100%) create mode 100644 assets/queries/dockerfile/add_instead_of_copy/test/positive3.dockerfile
diff --git a/assets/queries/dockerfile/add_instead_of_copy/query.rego b/assets/queries/dockerfile/add_instead_of_copy/query.rego
index 5258188ec03..d4eec32b4c7 100644
--- a/assets/queries/dockerfile/add_instead_of_copy/query.rego
+++ b/assets/queries/dockerfile/add_instead_of_copy/query.rego
@@ -12,18 +12,18 @@ CxPolicy[result] {
 from_command := get_original_from_command(stage)
 result := {
 "documentId": input.document[i].id,
- "searchKey": get_search_key(from_command, name, resource),
+ "searchKey": get_search_key(from_command, name, resource, indexof(name, "(")),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("'COPY' %s", [resource.Value[0]]),
 "keyActualValue": sprintf("'ADD' %s", [resource.Value[0]]),
 }
 }
 
-get_search_key(from_command, name, resource) = searchKey {
- indexof(name, "(") == -1
+get_search_key(from_command, name, resource, indexof) = searchKey {
+ indexof == -1
 searchKey := sprintf("%s={{%s}}.{{%s}}", [from_command.value, name, resource.Original])
 } else = searchKey {
- searchKey := sprintf("%s={{%s}}.{{%s}}#%d", [from_command.value, get_name(name), resource.Original, from_command.EndLine-1])
+ searchKey := sprintf("%s={{%s}}.{{%s}}#%s#%d", [from_command.value, name, resource.Original, get_index(name, indexof), from_command.EndLine-1])
 }
 
 get_original_from_command(commands) = from_command {
@@ -34,8 +34,7 @@ get_original_from_command(commands) = from_command {
 }
 }
 
-get_name(raw_image) = name {
- idx := indexof(raw_image, "(")
+get_index(raw_image_name, idx) = name {
 idx >= 0
- name := substring(raw_image, 0, idx)
+ name := substring(raw_image_name, idx + 1 , count(raw_image_name) - idx - 2)
 }
\ No newline at end of file
diff --git a/assets/queries/dockerfile/add_instead_of_copy/test/negative.dockerfile b/assets/queries/dockerfile/add_instead_of_copy/test/negative1.dockerfile
similarity index 100%
rename from assets/queries/dockerfile/add_instead_of_copy/test/negative.dockerfile
rename to assets/queries/dockerfile/add_instead_of_copy/test/negative1.dockerfile
diff --git a/assets/queries/dockerfile/add_instead_of_copy/test/positive.dockerfile b/assets/queries/dockerfile/add_instead_of_copy/test/positive1.dockerfile
similarity index 100%
rename from assets/queries/dockerfile/add_instead_of_copy/test/positive.dockerfile
rename to assets/queries/dockerfile/add_instead_of_copy/test/positive1.dockerfile
diff --git a/assets/queries/dockerfile/add_instead_of_copy/test/positive3.dockerfile b/assets/queries/dockerfile/add_instead_of_copy/test/positive3.dockerfile
new file mode 100644
index 00000000000..672262a4f6c
--- /dev/null
+++ b/assets/queries/dockerfile/add_instead_of_copy/test/positive3.dockerfile
@@ -0,0 +1,8 @@
+FROM openjdk:10-jdk
+ADD ${JAR_FILE} app.jar
+
+
+
+
+FROM openjdk:10-jdk
+ADD ${JAR_FILE} app.jar
\ No newline at end of file
diff --git a/assets/queries/dockerfile/add_instead_of_copy/test/positive_expected_result.json b/assets/queries/dockerfile/add_instead_of_copy/test/positive_expected_result.json
index 264f5b98a6b..f49e8b9f6f8 100644
--- a/assets/queries/dockerfile/add_instead_of_copy/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/add_instead_of_copy/test/positive_expected_result.json
@@ -3,12 +3,24 @@
 "queryName": "Add Instead of Copy",
 "severity": "MEDIUM",
 "line": 8,
- "fileName": "positive.dockerfile"
+ "fileName": "positive1.dockerfile"
 },
 {
 "queryName": "Add Instead of Copy",
 "severity": "MEDIUM",
 "line": 8,
 "fileName": "positive2.dockerfile"
+ },
+ {
+ "queryName": "Add Instead of Copy",
+ "severity": "MEDIUM",
+ "line": 2,
+ "fileName": "positive3.dockerfile"
+ },
+ {
+ "queryName": "Add Instead of Copy",
+ "severity": "MEDIUM",
+ "line": 7,
+ "fileName": "positive3.dockerfile"
 }
 ]
\ No newline at end of file
diff --git a/pkg/engine/vulnerability_builder.go b/pkg/engine/vulnerability_builder.go
index a1a9a64659d..965344611c1 100644
--- a/pkg/engine/vulnerability_builder.go
+++ b/pkg/engine/vulnerability_builder.go
@@ -175,6 +175,15 @@ var DefaultVulnerabilityBuilder = func(ctx *QueryContext,
 issueType = model.IssueType(*v)
 }
 
+ if file.Kind == model.KindDOCKER {
+ if idx := strings.LastIndex(oldSearchLineOutput, "#"); idx != -1 {
+ oldSearchLineOutput = oldSearchLineOutput[:idx]
+ }
+ if idx := strings.LastIndex(newSearchLineOutput, "#"); idx != -1 {
+ newSearchLineOutput = newSearchLineOutput[:idx]
+ }
+ }
+
 similarityID, oldSimilarityID := generateSimilaritiesID(ctx, linesVulne.ResolvedFile, strconv.Itoa(file.SubDocumentIndex), queryID, newSearchLineOutput, searchValue, searchKey, oldSearchLineOutput, kicsComputeNewSimID, &logWithFields, tracker, kicsMigrationQueryInfo)
diff --git a/pkg/parser/docker/parser.go b/pkg/parser/docker/parser.go
index a83af2e8a96..3fb784a681e 100644
--- a/pkg/parser/docker/parser.go
+++ b/pkg/parser/docker/parser.go
@@ -63,7 +63,7 @@ func (p *Parser) Parse(_ string, fileContent []byte) ([]model.Document, []int, e
 fromValue = child.Original[5:]
 fromCount[fromValue]++
 if fromCount[fromValue] > 1 {
- fromValue = fmt.Sprintf("%s(%d)", fromValue, child.StartLine)
+ fromValue = fmt.Sprintf("%s(%d)", fromValue, fromCount[fromValue]-1)
 }
 }
 
From bcf0055047caf6b4e6757c91de5578def420e4b4 Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Wed, 8 Apr 2026 17:40:15 +0100
Subject: [PATCH 56/84] If it is decided that altered image name can be kept queries can stay simplified since the simID will be distict already
---
 assets/queries/dockerfile/add_instead_of_copy/query.rego | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-)
diff --git a/assets/queries/dockerfile/add_instead_of_copy/query.rego b/assets/queries/dockerfile/add_instead_of_copy/query.rego
index d4eec32b4c7..efc327e9b2a 100644
--- a/assets/queries/dockerfile/add_instead_of_copy/query.rego
+++ b/assets/queries/dockerfile/add_instead_of_copy/query.rego
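Review bot: The `(n)` suffix the parser hunk appends to `fromValue` ends up in the user-visible search_key (commit 60's result fixture shows `FROM={{ubuntu:latestnightly(1)}}`) and is what docker_detect's `strings.Cut(..., "(")` strips again, yet nothing at the assignment records that coupling. A comment on the `fromValue = fmt.Sprintf(...)` line such as `// repeated FROM of the same image: "(n)" keeps the map key unique; docker_detect strips it and it is visible in search_key` would tell the next reader which other code depends on this format. The enclosing Parse loop starts and ends outside the hunk.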
@@ -23,7 +23,7 @@ get_search_key(from_command, name, resource, indexof) = searchKey {
 indexof == -1
 searchKey := sprintf("%s={{%s}}.{{%s}}", [from_command.value, name, resource.Original])
 } else = searchKey {
- searchKey := sprintf("%s={{%s}}.{{%s}}#%s#%d", [from_command.value, name, resource.Original, get_index(name, indexof), from_command.EndLine-1])
+ searchKey := sprintf("%s={{%s}}.{{%s}}#%d", [from_command.value, name, resource.Original, from_command.EndLine-1])
 }
 
 get_original_from_command(commands) = from_command {
@@ -32,9 +32,4 @@ get_original_from_command(commands) = from_command {
 "value": substring(commands[i].Original, 0, 4),
 "EndLine" : commands[i].EndLine
 }
-}
-
-get_index(raw_image_name, idx) = name {
- idx >= 0
- name := substring(raw_image_name, idx + 1 , count(raw_image_name) - idx - 2)
 }
\ No newline at end of file
From 2bafc9ab044c45ca1026f93d349851ae1398dec2 Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Wed, 8 Apr 2026 18:27:21 +0100
Subject: [PATCH 57/84] Revert accidental line change in positive3
---
 .../dockerfile/add_instead_of_copy/test/positive3.dockerfile | 1 - 1 file changed, 1 deletion(-)
diff --git a/assets/queries/dockerfile/add_instead_of_copy/test/positive3.dockerfile b/assets/queries/dockerfile/add_instead_of_copy/test/positive3.dockerfile
index 672262a4f6c..aa23b2d496e 100644
--- a/assets/queries/dockerfile/add_instead_of_copy/test/positive3.dockerfile
+++ b/assets/queries/dockerfile/add_instead_of_copy/test/positive3.dockerfile
@@ -3,6 +3,5 @@ ADD ${JAR_FILE} app.jar
 
 
 
-
 FROM openjdk:10-jdk
 ADD ${JAR_FILE} app.jar
\ No newline at end of file
From 2b61e99cf92060443f1a3e6a84664e550b6068af Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Wed, 8 Apr 2026 22:57:26 +0100
Subject: [PATCH 58/84] Small fix unit test
---
 pkg/engine/provider/filesystem_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/engine/provider/filesystem_test.go b/pkg/engine/provider/filesystem_test.go
index c20163c3765..d0f2169d787 100644
--- a/pkg/engine/provider/filesystem_test.go
+++ b/pkg/engine/provider/filesystem_test.go
@@ -128,7 +128,7 @@ func TestFileSystemSourceProvider_GetSources(t *testing.T) { //nolint
 {
 name: "get_sources_file",
 fields: fields{
- paths: []string{"assets/queries/dockerfile/add_instead_of_copy/test/positive.dockerfile"},
+ paths: []string{"assets/queries/dockerfile/add_instead_of_copy/test/positive1.dockerfile"},
 excludes: map[string][]os.FileInfo{},
 },
 args: args{
From a358331c37b2e3dc7a9ddb229a4baf89d62183b0 Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Wed, 8 Apr 2026 23:17:03 +0100
Subject: [PATCH 59/84] SearchKey values in results are now sanitized of extra ^hintLine added, the value is used for search purposes and then stripped
---
 .../dockerfile/add_instead_of_copy/query.rego | 2 +- pkg/detector/docker/docker_detect.go | 4 ++-- pkg/engine/vulnerability_builder.go | 15 ++++++--------- 3 files changed, 9 insertions(+), 12 deletions(-)
diff --git a/assets/queries/dockerfile/add_instead_of_copy/query.rego b/assets/queries/dockerfile/add_instead_of_copy/query.rego
index efc327e9b2a..c5cbcf2e0f5 100644
--- a/assets/queries/dockerfile/add_instead_of_copy/query.rego
+++ b/assets/queries/dockerfile/add_instead_of_copy/query.rego
@@ -23,7 +23,7 @@ get_search_key(from_command, name, resource, indexof) = searchKey {
 indexof == -1
 searchKey := sprintf("%s={{%s}}.{{%s}}", [from_command.value, name, resource.Original])
 } else = searchKey {
- searchKey := sprintf("%s={{%s}}.{{%s}}#%d", [from_command.value, name, resource.Original, from_command.EndLine-1])
+ searchKey := sprintf("%s={{%s}}.{{%s}}^%d", [from_command.value, name, resource.Original, from_command.EndLine-1])
 }
 
 get_original_from_command(commands) = from_command {
diff --git a/pkg/detector/docker/docker_detect.go b/pkg/detector/docker/docker_detect.go
index 90e44c8b616..103f5318460 100644
--- a/pkg/detector/docker/docker_detect.go
+++ b/pkg/detector/docker/docker_detect.go
@@ -80,8 +80,8 @@ func (d DetectKindLine) DetectLine(file *model.FileMetadata, searchKey string,
 }
 
 func extractLineHint(value string) (trimmedValue string, endLine int) {
- idx := strings.LastIndex(value, "#")
- if n, err := strconv.Atoi(value[idx+len("#"):]); err == nil {
+ idx := strings.LastIndex(value, "^")
+ if n, err := strconv.Atoi(value[idx+len("^"):]); err == nil {
 return value[:idx], n
 }
 return value, 0
diff --git a/pkg/engine/vulnerability_builder.go b/pkg/engine/vulnerability_builder.go
index 965344611c1..166d7dea5ed 100644
--- a/pkg/engine/vulnerability_builder.go
+++ b/pkg/engine/vulnerability_builder.go
@@ -125,6 +125,12 @@ var DefaultVulnerabilityBuilder = func(ctx *QueryContext,
 searchKey, _ = modifyVulSearchKeyReference(intDoc, searchKey, vulsSplit)
 vObj["searchKey"] = searchKey
 linesVulne = detector.DetectLine(&file, searchKey, &logWithFields)
+ if file.Kind == model.KindDOCKER {
+ if idx := strings.LastIndex(searchKey, "^"); idx != -1 {
+ searchKey = searchKey[:idx]
+ initialSearchKeyValue = searchKey
+ }
+ }
 } else {
 logWithFields.Error().Msg("Saving result. failed to detect line")
 }
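Review bot: The new `if file.Kind == model.KindDOCKER` block truncates at the last `^` without checking that what follows is a line number, unlike extractLineHint in the hunk above, so a Dockerfile instruction that itself contains `^` (a grep or sed pattern in a RUN line, say) inside a key that carries no hint would lose its tail and get a different similarity ID; mirroring the `strconv.Atoi` check from extractLineHint keeps the two strips in agreement. Also, `vObj["searchKey"] = searchKey` two lines earlier is assigned before the hint is removed, so if vObj is what later feeds the reported search_key the sanitization the commit describes is incomplete; re-assigning `vObj["searchKey"] = searchKey` inside the new block would close that gap, though I cannot see from the hunk which of the two the result uses. DefaultVulnerabilityBuilder begins and ends outside the hunk.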
@@ -175,15 +181,6 @@ var DefaultVulnerabilityBuilder = func(ctx *QueryContext,
 issueType = model.IssueType(*v)
 }
 
- if file.Kind == model.KindDOCKER {
- if idx := strings.LastIndex(oldSearchLineOutput, "#"); idx != -1 {
- oldSearchLineOutput = oldSearchLineOutput[:idx]
- }
- if idx := strings.LastIndex(newSearchLineOutput, "#"); idx != -1 {
- newSearchLineOutput = newSearchLineOutput[:idx]
- }
- }
-
 similarityID, oldSimilarityID := generateSimilaritiesID(ctx, linesVulne.ResolvedFile, strconv.Itoa(file.SubDocumentIndex), queryID, newSearchLineOutput, searchValue, searchKey, oldSearchLineOutput, kicsComputeNewSimID, &logWithFields, tracker, kicsMigrationQueryInfo)
From 3082fdf604cd7ac4e76341dfc2f13ae99cfad20e Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Thu, 9 Apr 2026 15:07:11 +0100
Subject: [PATCH 60/84] Moved auxiliary functions to common library and adjusted all queries to use the lineHint, added new E2E test on new multistage sample (note test is 107 because 106 should be added by another PR)
---
 e2e/fixtures/E2E_CLI_107_PAYLOAD.json | 143 +++++++++++++++ e2e/fixtures/E2E_CLI_107_RESULT.json | 172 ++++++++++++++++++ .../e2e-cli-107_dockerfile_multistage_scan.go | 31 ++++ 3 files changed, 346 insertions(+) create mode 100644 e2e/fixtures/E2E_CLI_107_PAYLOAD.json create mode 100644 e2e/fixtures/E2E_CLI_107_RESULT.json create mode 100644 e2e/testcases/e2e-cli-107_dockerfile_multistage_scan.go
diff --git a/e2e/fixtures/E2E_CLI_107_PAYLOAD.json b/e2e/fixtures/E2E_CLI_107_PAYLOAD.json
new file mode 100644
index 00000000000..1d86f2f3256
--- /dev/null
+++ b/e2e/fixtures/E2E_CLI_107_PAYLOAD.json
@@ -0,0 +1,143 @@ +{ + "document": [ + { + "args": [], + "command": { + "ubuntu:latestnightly": [ + { + "Cmd": "from", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "FROM ubuntu:latestnightly", + "SubCmd": "", + "Value": [ + "ubuntu:latestnightly" + ], + "_kics_line": 1 + }, + { + "Cmd": "volume", + "EndLine": 2, + "Flags": [], + "JSON": false, + "Original": "VOLUME /tmp", + "SubCmd": "", + "Value": [ + "/tmp" + ], + "_kics_line": 2 + }, + { + "Cmd": "entrypoint", + "EndLine": 3, + "Flags": [], + "JSON": true, + "Original": "ENTRYPOINT [\"java\",\"-Djava.security.egd=file:/dev/./urandom\",\"-jar\",\"/app.jar\"]", + "SubCmd": "", + "Value": [ + "java", + "-Djava.security.egd=file:/dev/./urandom", + "-jar", + "/app.jar" + ], + "_kics_line": 3 + } + ], + "ubuntu:latestnightly(1)": [ + { + "Cmd": "from", + "EndLine": 5, + "Flags": [], + "JSON": false, + "Original": "FROM ubuntu:latestnightly", + "SubCmd": "", + "Value": [ + "ubuntu:latestnightly" + ], + "_kics_line": 5 + }, + { + "Cmd": "volume", + "EndLine": 6, + "Flags": [], + "JSON": false, + "Original": "VOLUME /tmp", + "SubCmd": "", + "Value": [ + "/tmp" + ], + "_kics_line": 6 + }, + { + "Cmd": "add", + "EndLine": 7, + "Flags": [], + "JSON": false, + "Original": "ADD http://source.file/package.file.tar.gz /temp", + "SubCmd": "", + "Value": [ + "http://source.file/package.file.tar.gz", + "/temp" + ], + "_kics_line": 7 + }, + { + "Cmd": "run", + "EndLine": 8, + "Flags": [], + "JSON": false, + "Original": "RUN tar -xjf /temp/package.file.tar.gz", + "SubCmd": "", + "Value": [ + "tar -xjf /temp/package.file.tar.gz" + ], + "_kics_line": 8 + }, + { + "Cmd": "arg", + "EndLine": 9, + "Flags": [], + "JSON": false, + "Original": "ARG JAR_FILE", + "SubCmd": "", + "Value": [ + "JAR_FILE" + ], + "_kics_line": 9 + }, + { + "Cmd": "add", + "EndLine": 10, + "Flags": [], + "JSON": false, + "Original": "ADD ${JAR_FILE} app.jar", + "SubCmd": "", + "Value": [ + "${JAR_FILE}", + "app.jar" + ], + "_kics_line": 10 + }, + 
{ + "Cmd": "entrypoint", + "EndLine": 11, + "Flags": [], + "JSON": true, + "Original": "ENTRYPOINT [\"java\",\"-Djava.security.egd=file:/dev/./urandom\",\"-jar\",\"/app.jar\"]", + "SubCmd": "", + "Value": [ + "java", + "-Djava.security.egd=file:/dev/./urandom", + "-jar", + "/app.jar" + ], + "_kics_line": 11 + } + ] + }, + "file": "file", + "id": "0" + } + ] +} diff --git a/e2e/fixtures/E2E_CLI_107_RESULT.json b/e2e/fixtures/E2E_CLI_107_RESULT.json new file mode 100644 index 00000000000..66b05f97837 --- /dev/null +++ b/e2e/fixtures/E2E_CLI_107_RESULT.json 
@@ -0,0 +1,172 @@ +{ + "kics_version": "development", + "files_scanned": 1, + "lines_scanned": 12, + "files_parsed": 1, + "lines_parsed": 12, + "lines_ignored": 0, + "files_failed_to_scan": 0, + "queries_total": 48, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 1, + "INFO": 0, + "LOW": 2, + "MEDIUM": 3, + "TRACE": 0 + }, + "total_counter": 6, + "total_bom_resources": 0, + "start": "2026-04-09T14:58:58.1938463+01:00", + "end": "2026-04-09T14:59:10.5630691+01:00", + "paths": [ + "path/test/fixtures/dockerfile/Dockerfile-multistage" + ], + "queries": [ + { + "query_name": "Missing User Instruction", + "query_id": "fd54f200-402c-4333-a5a4-36ef6709af2f", + "query_url": "https://docs.docker.com/engine/reference/builder/#user", + "severity": "HIGH", + "platform": "Dockerfile", + "cwe": "250", + "risk_score": "7.7", + "cloud_provider": "COMMON", + "category": "Build Process", + "experimental": false, + "description": "Always set a user in the runtime stage of your Dockerfile. 
Without it, the container defaults to root, even if earlier build stages define a user.", + "description_id": "eb49caf6", + "files": [ + { + "file_name": "path/test/fixtures/dockerfile/Dockerfile-multistage", + "similarity_id": "d39796b9bbf6b6b45774ce1a7aea11e5ef87c9c24cd7fd5b99c4595cb2b510d3", + "line": 5, + "issue_type": "MissingAttribute", + "search_key": "FROM={{ubuntu:latestnightly(1)}}", + "search_line": -1, + "search_value": "", + "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", + "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" + } + ] + }, + { + "query_name": "Add Instead of Copy", + "query_id": "9513a694-aa0d-41d8-be61-3271e056f36b", + "query_url": "https://docs.docker.com/engine/reference/builder/#add", + "severity": "MEDIUM", + "platform": "Dockerfile", + "cwe": "610", + "risk_score": "5.2", + "category": "Supply-Chain", + "experimental": false, + "description": "Using ADD to load external installation scripts could lead to an evil web server leveraging this and loading a malicious script.", + "description_id": "0aedd324", + "files": [ + { + "file_name": "path/test/fixtures/dockerfile/Dockerfile-multistage", + "similarity_id": "8a77052e7fe9677bd371c5a652763f6d4edcb6ef3ece7b2574a37de1e532870c", + "line": 10, + "issue_type": "IncorrectValue", + "search_key": "FROM={{ubuntu:latestnightly(1)}}.{{ADD ${JAR_FILE} app.jar}}", + "search_line": -1, + "search_value": "", + "expected_value": "'COPY' ${JAR_FILE}", + "actual_value": "'ADD' ${JAR_FILE}" + } + ] + }, + { + "query_name": "Image Version Using 'latest'", + "query_id": "f45ea400-6bbe-4501-9fc7-1c3d75c32067", + "query_url": "https://docs.docker.com/develop/dev-best-practices/", + "severity": "MEDIUM", + "platform": "Dockerfile", + "cwe": "1357", + "risk_score": "5.1", + "category": "Best Practices", + "experimental": false, + "description": "When building images, always tag them with useful tags which codify version information, intended destination 
(prod or test, for instance), stability, or other information that is useful when deploying the application in different environments. Do not rely on the automatically-created latest tag", + "description_id": "22f535ec", + "files": [ + { + "file_name": "path/test/fixtures/dockerfile/Dockerfile-multistage", + "similarity_id": "7cd0ad90e5f32a85978dbfa12788d4098d089c58464d0206b3686a24c0401a0f", + "line": 5, + "issue_type": "IncorrectValue", + "search_key": "FROM={{ubuntu:latestnightly(1)}}", + "search_line": -1, + "search_value": "", + "expected_value": "FROM ubuntu:latestnightly:'version' where version should not be 'latest'", + "actual_value": "FROM ubuntu:latestnightly'" + }, + { + "file_name": "path/test/fixtures/dockerfile/Dockerfile-multistage", + "similarity_id": "61497abefc29818ee73a40c7bd0c69f67c83e20279fbd89fbe69e7f6eac4e71c", + "line": 1, + "issue_type": "IncorrectValue", + "search_key": "FROM={{ubuntu:latestnightly}}", + "search_line": -1, + "search_value": "", + "expected_value": "FROM ubuntu:latestnightly:'version' where version should not be 'latest'", + "actual_value": "FROM ubuntu:latestnightly'" + } + ] + }, + { + "query_name": "Curl or Wget Instead of Add", + "query_id": "4b410d24-1cbe-4430-a632-62c9a931cf1c", + "query_url": "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", + "severity": "LOW", + "platform": "Dockerfile", + "cwe": "610", + "risk_score": "2.8", + "category": "Best Practices", + "experimental": false, + "description": "Use of Curl or Wget should be done instead of Add to fetch packages from remote URLs due to the use of Add being strongly discouraged", + "description_id": "29e8216b", + "files": [ + { + "file_name": "path/test/fixtures/dockerfile/Dockerfile-multistage", + "similarity_id": "dfcf010141323091aa3e4594c429c4fa9c9c9e3ac1baa0bc553772e6cc5efafc", + "line": 7, + "issue_type": "IncorrectValue", + "search_key": "FROM={{ubuntu:latestnightly(1)}}.{{ADD http://source.file/package.file.tar.gz /temp}}", + 
"search_line": -1, + "search_value": "", + "expected_value": "Should use 'curl' or 'wget' to download http://source.file/package.file.tar.gz", + "actual_value": "'ADD' http://source.file/package.file.tar.gz" + } + ] + }, + { + "query_name": "Healthcheck Instruction Missing", + "query_id": "b03a748a-542d-44f4-bb86-9199ab4fd2d5", + "query_url": "https://docs.docker.com/engine/reference/builder/#healthcheck", + "severity": "LOW", + "platform": "Dockerfile", + "cwe": "710", + "risk_score": "3.6", + "category": "Insecure Configurations", + "experimental": false, + "description": "Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working", + "description_id": "426121ee", + "files": [ + { + "file_name": "path/test/fixtures/dockerfile/Dockerfile-multistage", + "similarity_id": "d2274cbdc91a3888d9efcf4241ef4acf2da0ac270d9bf6066f6bf37d6e99616c", + "line": 5, + "issue_type": "MissingAttribute", + "search_key": "FROM={{ubuntu:latestnightly(1)}}", + "search_line": -1, + "search_value": "", + "expected_value": "Dockerfile should contain instruction 'HEALTHCHECK'", + "actual_value": "Dockerfile doesn't contain instruction 'HEALTHCHECK'" + } + ] + } + ] +} diff --git a/e2e/testcases/e2e-cli-107_dockerfile_multistage_scan.go b/e2e/testcases/e2e-cli-107_dockerfile_multistage_scan.go new file mode 100644 index 00000000000..165d54ad2d7 --- /dev/null +++ b/e2e/testcases/e2e-cli-107_dockerfile_multistage_scan.go 
@@ -0,0 +1,31 @@
+package testcases
+
+// E2E-CLI-107 - KICS scan
+// should perform the scan successfully detecting all dockerfile vulnerabilities on sample with 2 "FROM"
+// statements on a single image
+func init() { //nolint
+ testSample := TestCase{
+ Name: "should perform a valid scan on dockerfile multistage sample [E2E-CLI-107]",
+ Args: args{
+ Args: []cmdArgs{
+ []string{"scan", "-o", "/path/e2e/output2",
+ "--output-name", "E2E_CLI_107_RESULT",
+ "-p", "/path/test/fixtures/dockerfile/Dockerfile-multistage",
+ "--payload-path", "/path/e2e/output2/E2E_CLI_107_PAYLOAD.json",
+ },
+ },
+ ExpectedResult: []ResultsValidation{
+ {
+ ResultsFile: "E2E_CLI_107_RESULT",
+ ResultsFormats: []string{"json"},
+ },
+ },
+ ExpectedPayload: []string{
+ "E2E_CLI_107_PAYLOAD.json",
+ },
+ },
+ WantStatus: []int{50},
+ }
+
+ Tests = append(Tests, testSample)
+}
From 6808ee9878f1e5066552a47f2f11937e717592bf Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Thu, 9 Apr 2026 15:08:23 +0100 Subject: [PATCH 61/84] Files that should have been in previous commit --- assets/libraries/dockerfile.rego | 15 ++++----- .../dockerfile/add_instead_of_copy/query.rego | 19 ++--------- .../test/positive3.dockerfile | 7 ---- .../test/positive_expected_result.json | 12 ------- .../apk_add_using_local_cache_path/query.rego | 2 +- .../query.rego | 2 +- .../query.rego | 4 +-- .../query.rego | 4 +-- .../query.rego | 4 +-- .../query.rego | 4 +-- .../dockerfile/chown_flag_exists/query.rego | 2 +- .../query.rego | 2 +- .../query.rego | 2 +- .../curl_or_wget_instead_of_add/query.rego | 2 +- .../dockerfile/exposing_port_22/query.rego | 2 +- .../gem_install_without_version/query.rego | 4 +-- .../query.rego | 2 +- .../image_version_not_explicit/query.rego | 2 +- .../image_version_using_latest/query.rego | 2 +- .../dockerfile/last_user_is_root/query.rego | 2 +- .../query.rego | 2 +- .../missing_dnf_clean_all/query.rego | 2 +- .../missing_flag_from_dnf_install/query.rego | 2 +- .../missing_user_instruction/query.rego | 2 +- .../query.rego | 4 +-- .../missing_zypper_clean/query.rego | 2 +- .../query.rego | 2 +- .../query.rego | 2 +- .../query.rego | 2 +- .../query.rego | 2 +- .../query.rego | 4 +-- .../query.rego | 2 +- .../query.rego | 4 +-- .../query.rego | 2 +- .../dockerfile/run_using_apt/query.rego | 2 +- .../dockerfile/run_using_sudo/query.rego | 4 +-- .../run_using_wget_and_curl/query.rego | 2 +- .../query.rego | 2 +- .../same_alias_in_different_froms/query.rego | 2 +- .../query.rego | 4 +-- .../unix_ports_out_of_range/query.rego | 2 +- .../query.rego | 32 +++++++++---------- .../query.rego | 4 +-- .../update_instruction_alone/query.rego | 4 +-- .../using_platform_with_from/query.rego | 2 +- .../using_unnamed_build_stages/query.rego | 2 +- .../workdir_path_not_absolute/query.rego | 2 +- .../yum_clean_all_missing/query.rego | 2 +- .../query.rego | 4 +-- 
.../yum_install_without_version/query.rego | 20 ++++++------ .../zypper_install_without_version/query.rego | 20 ++++++------ .../fixtures/dockerfile/Dockerfile-multistage | 11 +++++++ 52 files changed, 113 insertions(+), 137 deletions(-) delete mode 100644 assets/queries/dockerfile/add_instead_of_copy/test/positive3.dockerfile create mode 100644 test/fixtures/dockerfile/Dockerfile-multistage
diff --git a/assets/libraries/dockerfile.rego b/assets/libraries/dockerfile.rego
index 9e2b239f88e..5c3f7d27c6d 100644
--- a/assets/libraries/dockerfile.rego
+++ b/assets/libraries/dockerfile.rego
@@ -73,13 +73,12 @@ check_multi_stage(imageName, images) {
 
 get_original_from_command(commands) = from_command {
 commands[i].Cmd == "from"
- from_command := substring(commands[i].Original, 0, 4)
-}
-
-get_original_from_commands(commands) = from_commands {
- from_commands = [from_command|
- commands[i].Cmd == "from"
- from_command := commands[i]
- ]
+ from_command := {
+ "Value": substring(commands[i].Original, 0, 4),
+ "EndLine" : commands[i].EndLine
+ }
 }
 
+add_line_hint(raw_search_key, lineHint) = searchKey {
+ searchKey := sprintf("%s^%d", [raw_search_key, lineHint])
+}
\ No newline at end of file
diff --git a/assets/queries/dockerfile/add_instead_of_copy/query.rego b/assets/queries/dockerfile/add_instead_of_copy/query.rego
index c5cbcf2e0f5..48251a88717 100644
--- a/assets/queries/dockerfile/add_instead_of_copy/query.rego
+++ b/assets/queries/dockerfile/add_instead_of_copy/query.rego
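Review bot: add_line_hint hard-codes the `^` separator that extractLineHint in pkg/detector/docker and the KindDOCKER block in pkg/engine/vulnerability_builder both strip again, but nothing in the library records that contract, and get_original_from_command now returns an object where it used to return a string, so any query that was not updated in this commit would presumably interpolate an object instead of `FROM` into its search key. A comment above add_line_hint along the lines of `# Appends "^<line>" so the Go detector can locate the right FROM block; pkg/detector/docker and pkg/engine/vulnerability_builder strip the suffix, so the separator must change in all three places together` would capture the coupling. A one-line note on get_original_from_command that it yields `{"Value", "EndLine"}` and that callers must read `.Value` would make the signature change visible to query authors.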
@@ -9,27 +9,12 @@ CxPolicy[result] {
 stage[s].Cmd = "add"
 not dockerLib.arrayContains(stage[s].Value, {".tar", ".tar."})
 
- from_command := get_original_from_command(stage)
+ from_command := dockerLib.get_original_from_command(stage)
 result := {
 "documentId": input.document[i].id,
- "searchKey": get_search_key(from_command, name, resource, indexof(name, "(")),
+ "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.EndLine-1),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("'COPY' %s", [resource.Value[0]]),
 "keyActualValue": sprintf("'ADD' %s", [resource.Value[0]]),
 }
-}
-
-get_search_key(from_command, name, resource, indexof) = searchKey {
- indexof == -1
- searchKey := sprintf("%s={{%s}}.{{%s}}", [from_command.value, name, resource.Original])
-} else = searchKey {
- searchKey := sprintf("%s={{%s}}.{{%s}}^%d", [from_command.value, name, resource.Original, from_command.EndLine-1])
-}
-
-get_original_from_command(commands) = from_command {
- commands[i].Cmd == "from"
- from_command := {
- "value": substring(commands[i].Original, 0, 4),
- "EndLine" : commands[i].EndLine
- }
 }
\ No newline at end of file
diff --git a/assets/queries/dockerfile/add_instead_of_copy/test/positive3.dockerfile b/assets/queries/dockerfile/add_instead_of_copy/test/positive3.dockerfile
deleted file mode 100644
index aa23b2d496e..00000000000
--- a/assets/queries/dockerfile/add_instead_of_copy/test/positive3.dockerfile
+++ /dev/null
@@ -1,7 +0,0 @@
-FROM openjdk:10-jdk
-ADD ${JAR_FILE} app.jar
-
-
-
-FROM openjdk:10-jdk
-ADD ${JAR_FILE} app.jar
\ No newline at end of file
diff --git a/assets/queries/dockerfile/add_instead_of_copy/test/positive_expected_result.json b/assets/queries/dockerfile/add_instead_of_copy/test/positive_expected_result.json
index f49e8b9f6f8..f67956ae373 100644
--- a/assets/queries/dockerfile/add_instead_of_copy/test/positive_expected_result.json
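Review bot: Every call site passes `from_command.EndLine-1` to dockerLib.add_line_hint (here and in the apk_add_using_local_cache_path, apt_get_install_lists_were_not_deleted, apt_get_install_pin_version_not_defined and apt_get_missing_flags_to_avoid_manual_input hunks that follow), so the `-1` indexing convention is repeated across dozens of queries with no explanation of why the hint is one line before the FROM's EndLine. Folding the offset into the library helper, `searchKey := sprintf("%s^%d", [raw_search_key, lineHint - 1])`, with a comment stating the convention, and passing plain `from_command.EndLine` from the queries, would keep the rule in one place. I cannot tell from these hunks whether the detector expects a 0-based line or the line above the FROM, so whichever it is should be the wording of that comment. The enclosing CxPolicy rule starts outside the hunk.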
+++ b/assets/queries/dockerfile/add_instead_of_copy/test/positive_expected_result.json
@@ -10,17 +10,5 @@
 "severity": "MEDIUM",
 "line": 8,
 "fileName": "positive2.dockerfile"
- },
- {
- "queryName": "Add Instead of Copy",
- "severity": "MEDIUM",
- "line": 2,
- "fileName": "positive3.dockerfile"
- },
- {
- "queryName": "Add Instead of Copy",
- "severity": "MEDIUM",
- "line": 7,
- "fileName": "positive3.dockerfile"
 }
 ]
\ No newline at end of file
diff --git a/assets/queries/dockerfile/apk_add_using_local_cache_path/query.rego b/assets/queries/dockerfile/apk_add_using_local_cache_path/query.rego
index 07e155d0847..b891d2ad2de 100644
--- a/assets/queries/dockerfile/apk_add_using_local_cache_path/query.rego
+++ b/assets/queries/dockerfile/apk_add_using_local_cache_path/query.rego
@@ -14,7 +14,7 @@ CxPolicy[result] {
 from_command := dockerLib.get_original_from_command(stage)
 result := {
 "documentId": input.document[i].id,
- "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, command.Original]),
+ "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, command.Original]), from_command.EndLine-1),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "'RUN' should not contain 'apk add' command without '--no-cache' switch",
 "keyActualValue": "'RUN' contains 'apk add' command without '--no-cache' switch",
diff --git a/assets/queries/dockerfile/apt_get_install_lists_were_not_deleted/query.rego b/assets/queries/dockerfile/apt_get_install_lists_were_not_deleted/query.rego
index 33b5dcc9797..43fce443258 100644
--- a/assets/queries/dockerfile/apt_get_install_lists_were_not_deleted/query.rego
+++ b/assets/queries/dockerfile/apt_get_install_lists_were_not_deleted/query.rego
@@ -17,7 +17,7 @@ CxPolicy[result] { run_command := substring(resource.Original, 0, 3) result := { "documentId": input.document[i].id, - "searchKey": sprintf("%s={{%s}}.%s={{%s}}", [from_command, name, run_command, commands]), + "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.%s={{%s}}", [from_command.Value, name, run_command, commands]), from_command.EndLine-1), "issueType": "IncorrectValue", #"MissingAttribute" / "RedundantAttribute" "keyExpectedValue": "After using apt-get install, the apt-get lists should be deleted", "keyActualValue": "After using apt-get install, the apt-get lists were not deleted", diff --git a/assets/queries/dockerfile/apt_get_install_pin_version_not_defined/query.rego b/assets/queries/dockerfile/apt_get_install_pin_version_not_defined/query.rego index df82349be49..db3eb40787b 100644 --- a/assets/queries/dockerfile/apt_get_install_pin_version_not_defined/query.rego +++ b/assets/queries/dockerfile/apt_get_install_pin_version_not_defined/query.rego @@ -23,7 +23,7 @@ CxPolicy[result] { run_command := substring(resource.Original, 0, 3) result := { "documentId": input.document[i].id, - "searchKey": sprintf("%s={{%s}}.%s={{%s}}", [from_command, name, run_command, commands]), + "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.%s={{%s}}", [from_command.Value, name, run_command, commands]), from_command.EndLine-1), "searchValue": packageName, "issueType": "MissingAttribute", "keyExpectedValue": sprintf("Package '%s' has version defined", [packageName]), 
@@ -51,7 +51,7 @@ CxPolicy[result] { from_command := dockerLib.get_original_from_command(stage) result := { "documentId": input.document[i].id, - "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, resource.Original]), + "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.EndLine-1), "searchValue": packageName, "issueType": "IncorrectValue", "keyExpectedValue": sprintf("Package '%s' has version defined", [packageName]), diff --git a/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/query.rego b/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/query.rego index 17d31483c19..0d22ae6f581 100644 --- a/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/query.rego +++ b/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/query.rego @@ -19,7 +19,7 @@ CxPolicy[result] { from_command := dockerLib.get_original_from_command(stage) result := { "documentId": input.document[i].id, - "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, resource.Original]), + "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.EndLine-1), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("{{%s}} should avoid manual input", [resource.Original]), "keyActualValue": sprintf("{{%s}} doesn't avoid manual input", [resource.Original]), 
@@ -40,7 +40,7 @@ CxPolicy[result] { from_command := dockerLib.get_original_from_command(stage) result := { "documentId": input.document[i].id, - "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, resource.Original]), + "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.EndLine-1), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("{{%s}} should avoid manual input", [resource.Original]), "keyActualValue": sprintf("{{%s}} doesn't avoid manual input", [resource.Original]), diff --git a/assets/queries/dockerfile/apt_get_not_avoiding_additional_packages/query.rego b/assets/queries/dockerfile/apt_get_not_avoiding_additional_packages/query.rego index 826186998df..da6940c61c8 100644 --- a/assets/queries/dockerfile/apt_get_not_avoiding_additional_packages/query.rego +++ b/assets/queries/dockerfile/apt_get_not_avoiding_additional_packages/query.rego @@ -19,7 +19,7 @@ CxPolicy[result] { from_command := dockerLib.get_original_from_command(stage) result := { "documentId": input.document[i].id, - "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, resource.Original]), + "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.EndLine-1), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("'%s' uses '--no-install-recommends' flag to avoid installing additional packages", [resource.Original]), "keyActualValue": sprintf("'%s' does not use '--no-install-recommends' flag to avoid installing additional packages", [resource.Original]), 
@@ -43,7 +43,7 @@ CxPolicy[result] { from_command := dockerLib.get_original_from_command(stage) result := { "documentId": input.document[i].id, - "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, resource.Original]), + "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.EndLine-1), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("'%s' uses '--no-install-recommends' flag to avoid installing additional packages", [resource.Original]), "keyActualValue": sprintf("'%s' does not use '--no-install-recommends' flag to avoid installing additional packages", [resource.Original]), diff --git a/assets/queries/dockerfile/changing_default_shell_using_run_command/query.rego b/assets/queries/dockerfile/changing_default_shell_using_run_command/query.rego index f34397f90ca..fc0af057426 100644 --- a/assets/queries/dockerfile/changing_default_shell_using_run_command/query.rego +++ b/assets/queries/dockerfile/changing_default_shell_using_run_command/query.rego @@ -34,7 +34,7 @@ CxPolicy[result] { result := { "debug": sprintf("%s", [value[v]]), "documentId": input.document[i].id, - "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, resource.Original]), + "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.EndLine-1), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("{{%s}} should use the SHELL command to change the default shell", [resource.Original]), "keyActualValue": sprintf("{{%s}} uses the RUN command to change the default shell", [resource.Original]), 
@@ -53,7 +53,7 @@ CxPolicy[result] { from_command := dockerLib.get_original_from_command(stage) result := { "documentId": input.document[i].id, - "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, resource.Original]), + "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.EndLine-1), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("{{%s}} should use the SHELL command to change the default shell", [resource.Original]), "keyActualValue": sprintf("{{%s}} uses the RUN command to change the default shell", [resource.Original]), diff --git a/assets/queries/dockerfile/chown_flag_exists/query.rego b/assets/queries/dockerfile/chown_flag_exists/query.rego index f6083662984..8109adc132a 100644 --- a/assets/queries/dockerfile/chown_flag_exists/query.rego +++ b/assets/queries/dockerfile/chown_flag_exists/query.rego @@ -10,7 +10,7 @@ CxPolicy[result] { from_command := dockerLib.get_original_from_command(resource) result := { "documentId": input.document[i].id, - "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, resource[j].Original]), + "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource[j].Original]), from_command.EndLine-1), "category": "Best Practices", "issueType": "IncorrectValue", "keyExpectedValue": "The 'Dockerfile' shouldn´t contain the 'chown' flag", diff --git a/assets/queries/dockerfile/copy_from_references_current_from_alias/query.rego b/assets/queries/dockerfile/copy_from_references_current_from_alias/query.rego index 63fbfc3417b..bf0ad854ab5 100644 --- a/assets/queries/dockerfile/copy_from_references_current_from_alias/query.rego +++ b/assets/queries/dockerfile/copy_from_references_current_from_alias/query.rego 
@@ -15,7 +15,7 @@ CxPolicy[result] { from_command := dockerLib.get_original_from_command(stage) result := { "documentId": input.document[i].id, - "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, resource.Original]), + "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.EndLine-1), "issueType": "IncorrectValue", "keyExpectedValue": "COPY --from should not reference the current FROM alias", "keyActualValue": "COPY --from references the current FROM alias", diff --git a/assets/queries/dockerfile/copy_with_more_than_two_arguments_not_ending_with_slash/query.rego b/assets/queries/dockerfile/copy_with_more_than_two_arguments_not_ending_with_slash/query.rego index f10c9603314..ef9331e30b5 100644 --- a/assets/queries/dockerfile/copy_with_more_than_two_arguments_not_ending_with_slash/query.rego +++ b/assets/queries/dockerfile/copy_with_more_than_two_arguments_not_ending_with_slash/query.rego @@ -19,7 +19,7 @@ CxPolicy[result] { copy_command := substring(resource.Original, 0, 3) result := { "documentId": input.document[i].id, - "searchKey": sprintf("%s={{%s}}.%s={{%s}}", [from_command, name, copy_command, resource.Value[0]]), + "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.%s={{%s}}", [from_command.Value, name, copy_command, resource.Value[0]]), from_command.EndLine-1), "issueType": "IncorrectValue", #"MissingAttribute" / "RedundantAttribute" "keyExpectedValue": "When COPY command has more than two arguments, the last one should end with a slash", "keyActualValue": "COPY command has more than two arguments and the last one does not end with a slash", diff --git a/assets/queries/dockerfile/curl_or_wget_instead_of_add/query.rego b/assets/queries/dockerfile/curl_or_wget_instead_of_add/query.rego index 075b290b7c9..c8cfd2cc1a9 100644 --- a/assets/queries/dockerfile/curl_or_wget_instead_of_add/query.rego +++ b/assets/queries/dockerfile/curl_or_wget_instead_of_add/query.rego 
@@ -11,7 +11,7 @@ CxPolicy[result] { from_command := dockerLib.get_original_from_command(stage) result := { "documentId": input.document[i].id, - "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, resource.Original]), + "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.EndLine-1), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("Should use 'curl' or 'wget' to download %s", [resource.Value[0]]), "keyActualValue": sprintf("'ADD' %s", [resource.Value[0]]), diff --git a/assets/queries/dockerfile/exposing_port_22/query.rego b/assets/queries/dockerfile/exposing_port_22/query.rego index 9f4afdc3037..e00a912b938 100644 --- a/assets/queries/dockerfile/exposing_port_22/query.rego +++ b/assets/queries/dockerfile/exposing_port_22/query.rego @@ -12,7 +12,7 @@ CxPolicy[result] { from_command := dockerLib.get_original_from_command(stage) result := { "documentId": input.document[i].id, - "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, command.Original]), + "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, command.Original]), from_command.EndLine-1), "issueType": "IncorrectValue", "keyExpectedValue": "'EXPOSE' shouldn't contain the port 22 ", "keyActualValue": "'EXPOSE' contains the port 22 ", diff --git a/assets/queries/dockerfile/gem_install_without_version/query.rego b/assets/queries/dockerfile/gem_install_without_version/query.rego index 29f1ae6971e..c0e798821ff 100644 --- a/assets/queries/dockerfile/gem_install_without_version/query.rego +++ b/assets/queries/dockerfile/gem_install_without_version/query.rego 
@@ -22,7 +22,7 @@ CxPolicy[result] { from_command := dockerLib.get_original_from_command(stage) result := { "documentId": input.document[i].id, - "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, resource.Original]), + "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.EndLine-1), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("%s is 'gem install :'", [resource.Original]), "keyActualValue": sprintf("%s is 'gem install ', you should use 'gem install :", [resource.Original]), @@ -46,7 +46,7 @@ CxPolicy[result] { from_command := dockerLib.get_original_from_command(stage) result := { "documentId": input.document[i].id, - "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, resource.Original]), + "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.EndLine-1), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("%s is 'gem install :'", [resource.Original]), "keyActualValue": sprintf("%s is 'gem install ', you should use 'gem install :", [resource.Original]), diff --git a/assets/queries/dockerfile/healthcheck_instruction_missing/query.rego b/assets/queries/dockerfile/healthcheck_instruction_missing/query.rego index fb3cc24e8ca..4196c5a48cc 100644 --- a/assets/queries/dockerfile/healthcheck_instruction_missing/query.rego +++ b/assets/queries/dockerfile/healthcheck_instruction_missing/query.rego @@ -11,7 +11,7 @@ CxPolicy[result] { from_command := dockerLib.get_original_from_command(resource) result := { "documentId": input.document[i].id, - "searchKey": sprintf("%s={{%s}}", [from_command, name]), + "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}", [from_command.Value, name]), from_command.EndLine-1), "issueType": "MissingAttribute", "keyExpectedValue": "Dockerfile should contain instruction 'HEALTHCHECK'", "keyActualValue": "Dockerfile doesn't contain instruction 'HEALTHCHECK'", 
diff --git a/assets/queries/dockerfile/image_version_not_explicit/query.rego b/assets/queries/dockerfile/image_version_not_explicit/query.rego index 662b7e688a1..96dbbc78660 100644 --- a/assets/queries/dockerfile/image_version_not_explicit/query.rego +++ b/assets/queries/dockerfile/image_version_not_explicit/query.rego @@ -13,7 +13,7 @@ CxPolicy[result] { from_command := dockerLib.get_original_from_command(stage) result := { "documentId": input.document[i].id, - "searchKey": sprintf("%s={{%s}}", [from_command, name]), + "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}", [from_command.Value, name]), from_command.EndLine-1), "issueType": "MissingAttribute", "keyExpectedValue": sprintf("FROM %s:'version'", [resource.Value[0]]), "keyActualValue": sprintf("FROM %s'", [resource.Value[0]]), diff --git a/assets/queries/dockerfile/image_version_using_latest/query.rego b/assets/queries/dockerfile/image_version_using_latest/query.rego index bb2edce69d7..85f53ddab8f 100644 --- a/assets/queries/dockerfile/image_version_using_latest/query.rego +++ b/assets/queries/dockerfile/image_version_using_latest/query.rego @@ -12,7 +12,7 @@ CxPolicy[result] { from_command := dockerLib.get_original_from_command(stage) result := { "documentId": input.document[i].id, - "searchKey": sprintf("%s={{%s}}", [from_command, name]), + "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}", [from_command.Value, name]), from_command.EndLine-1), "issueType": "IncorrectValue", #"MissingAttribute" / "RedundantAttribute" "keyExpectedValue": sprintf("FROM %s:'version' where version should not be 'latest'", [resource.Value[0]]), "keyActualValue": sprintf("FROM %s'", [resource.Value[0]]), diff --git a/assets/queries/dockerfile/last_user_is_root/query.rego b/assets/queries/dockerfile/last_user_is_root/query.rego index 70e512cf2fb..b227577ccb6 100644 --- a/assets/queries/dockerfile/last_user_is_root/query.rego +++ b/assets/queries/dockerfile/last_user_is_root/query.rego 
@@ -12,7 +12,7 @@ CxPolicy[result] { from_command := dockerLib.get_original_from_command(resource) result := { "documentId": input.document[i].id, - "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, userCmd[minus(count(userCmd), 1)].Original]), + "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, userCmd[minus(count(userCmd), 1)].Original]), from_command.EndLine-1), "issueType": "IncorrectValue", "keyExpectedValue": "Last User shouldn't be root", "keyActualValue": "Last User is root", diff --git a/assets/queries/dockerfile/maintainer_instruction_being_used/query.rego b/assets/queries/dockerfile/maintainer_instruction_being_used/query.rego index 51b7a11bb7d..817b4dceffc 100644 --- a/assets/queries/dockerfile/maintainer_instruction_being_used/query.rego +++ b/assets/queries/dockerfile/maintainer_instruction_being_used/query.rego @@ -11,7 +11,7 @@ CxPolicy[result] { maintainer_command := substring(resource.Original, 0, 10) result := { "documentId": input.document[i].id, - "searchKey": sprintf("%s={{%s}}.%s={{%s}}", [from_command, name, maintainer_command, resource.Value[0]]), + "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.%s={{%s}}", [from_command.Value, name, maintainer_command, resource.Value[0]]), from_command.EndLine-1), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("Maintainer instruction being used in Label 'LABEL maintainer=%s'", [resource.Value[0]]), "keyActualValue": sprintf("Maintainer instruction not being used in Label 'MAINTAINER %s'", [resource.Value[0]]), diff --git a/assets/queries/dockerfile/missing_dnf_clean_all/query.rego b/assets/queries/dockerfile/missing_dnf_clean_all/query.rego index dc8a5e0f820..0a2a0e0da9e 100644 --- a/assets/queries/dockerfile/missing_dnf_clean_all/query.rego +++ b/assets/queries/dockerfile/missing_dnf_clean_all/query.rego 
@@ -18,7 +18,7 @@ CxPolicy[result] { run_command := substring(resource.Original, 0, 3) result := { "documentId": input.document[i].id, - "searchKey": sprintf("%s={{%s}}.%s={{%s}}", [from_command, name, run_command, resource.Value[0]]), + "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.%s={{%s}}", [from_command.Value, name, run_command, resource.Value[0]]), from_command.EndLine-1), "issueType": "IncorrectValue", "keyExpectedValue": "After installing a package with dnf, command 'dnf clean all' should run.", "keyActualValue": "Command `dnf clean all` is not being run after installing packages.", diff --git a/assets/queries/dockerfile/missing_flag_from_dnf_install/query.rego b/assets/queries/dockerfile/missing_flag_from_dnf_install/query.rego index 22b14366e5f..5985e91433a 100644 --- a/assets/queries/dockerfile/missing_flag_from_dnf_install/query.rego +++ b/assets/queries/dockerfile/missing_flag_from_dnf_install/query.rego @@ -19,7 +19,7 @@ CxPolicy[result] { run_command := substring(resource.Original, 0, 3) result := { "documentId": input.document[i].id, - "searchKey": sprintf("%s={{%s}}.%s={{%s}}", [from_command, name, run_command, resource.Value[0]]), + "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.%s={{%s}}", [from_command.Value, name, run_command, resource.Value[0]]), from_command.EndLine-1), "searchValue": trim_space(c), "issueType": "IncorrectValue", "keyExpectedValue": "When running `dnf install`, `-y` or `--assumeyes` switch should be set to avoid build failure ", diff --git a/assets/queries/dockerfile/missing_user_instruction/query.rego b/assets/queries/dockerfile/missing_user_instruction/query.rego index ac94270aa2f..721948d9853 100644 --- a/assets/queries/dockerfile/missing_user_instruction/query.rego +++ b/assets/queries/dockerfile/missing_user_instruction/query.rego 
@@ -13,7 +13,7 @@ CxPolicy[result] { result := { "documentId": input.document[i].id, - "searchKey": sprintf("%s={{%s}}", [from_command, name]), + "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}", [from_command.Value, name]), from_command.EndLine-1), "issueType": "MissingAttribute", "keyExpectedValue": "The 'Dockerfile' should contain the 'USER' instruction", "keyActualValue": "The 'Dockerfile' does not contain any 'USER' instruction" diff --git a/assets/queries/dockerfile/missing_version_specification_in_dnf_install/query.rego b/assets/queries/dockerfile/missing_version_specification_in_dnf_install/query.rego index ddefb97b7b8..c60defded39 100644 --- a/assets/queries/dockerfile/missing_version_specification_in_dnf_install/query.rego +++ b/assets/queries/dockerfile/missing_version_specification_in_dnf_install/query.rego @@ -23,7 +23,7 @@ CxPolicy[result] { from_command := dockerLib.get_original_from_command(stage) result := { "documentId": input.document[i].id, - "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, resource.Original]), + "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.EndLine-1), "issueType": "IncorrectValue", "keyExpectedValue": "Package version should be specified when using 'dnf install'", "keyActualValue": "Package version should be pinned when running ´dnf install´", @@ -48,7 +48,7 @@ CxPolicy[result] { from_command := dockerLib.get_original_from_command(stage) result := { "documentId": input.document[i].id, - "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, resource.Original]), + "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.EndLine-1), "issueType": "IncorrectValue", "keyExpectedValue": "Package version should be specified when using 'dnf install'", "keyActualValue": "Package version should be pinned when running ´dnf install´", 
diff --git a/assets/queries/dockerfile/missing_zypper_clean/query.rego b/assets/queries/dockerfile/missing_zypper_clean/query.rego index 6f3e38f215f..1d4fc292bb7 100644 --- a/assets/queries/dockerfile/missing_zypper_clean/query.rego +++ b/assets/queries/dockerfile/missing_zypper_clean/query.rego @@ -17,7 +17,7 @@ CxPolicy[result] { from_command := dockerLib.get_original_from_command(commands[img]) result := { "documentId": document.id, - "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, img, commands[img][c].Original]), + "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, img, commands[img][c].Original]), from_command.EndLine-1), "issueType": "MissingAttribute", "keyExpectedValue": "There should be a zypper clean after a zypper usage", "keyActualValue": sprintf("The command '%s' does not have a zypper clean after it", [commands[img][c].Value[j]]), diff --git a/assets/queries/dockerfile/missing_zypper_non_interactive_switch/query.rego b/assets/queries/dockerfile/missing_zypper_non_interactive_switch/query.rego index a14545cd452..8ce0d5ff14a 100644 --- a/assets/queries/dockerfile/missing_zypper_non_interactive_switch/query.rego +++ b/assets/queries/dockerfile/missing_zypper_non_interactive_switch/query.rego @@ -17,7 +17,7 @@ CxPolicy[result] { from_command := dockerLib.get_original_from_command(commands[img]) result := { "documentId": document.id, - "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, img, commands[img][c].Original]), + "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, img, commands[img][c].Original]), from_command.EndLine-1), "issueType": "IncorrectValue", "keyExpectedValue": "zypper usages should have the non-interactive switch activated", "keyActualValue": sprintf("The command '%s' does not have the non-interactive switch activated (-y | --no-confirm)", [commands[img][c].Original]), 
diff --git a/assets/queries/dockerfile/multiple_cmd_instructions_listed/query.rego b/assets/queries/dockerfile/multiple_cmd_instructions_listed/query.rego index e6ee221f7a5..e2edd94417f 100644 --- a/assets/queries/dockerfile/multiple_cmd_instructions_listed/query.rego +++ b/assets/queries/dockerfile/multiple_cmd_instructions_listed/query.rego @@ -12,7 +12,7 @@ CxPolicy[result] { from_command := dockerLib.get_original_from_command(resource) result := { "documentId": input.document[i].id, - "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, cmdInst[0].Original]), + "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, cmdInst[0].Original]), from_command.EndLine-1), "issueType": "RedundantAttribute", #"MissingAttribute" / "RedundantAttribute" "keyExpectedValue": "There should be only one CMD instruction", "keyActualValue": sprintf("There are %d CMD instructions", [count(cmdInst)]), diff --git a/assets/queries/dockerfile/multiple_entrypoint_instructions_listed/query.rego b/assets/queries/dockerfile/multiple_entrypoint_instructions_listed/query.rego index f7263e21ffc..8cf1f46744e 100644 --- a/assets/queries/dockerfile/multiple_entrypoint_instructions_listed/query.rego +++ b/assets/queries/dockerfile/multiple_entrypoint_instructions_listed/query.rego @@ -12,7 +12,7 @@ CxPolicy[result] { from_command := dockerLib.get_original_from_command(resource) result := { "documentId": input.document[i].id, - "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, cmdInst[0].Original]), + "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, cmdInst[0].Original]), from_command.EndLine-1), "issueType": "RedundantAttribute", "keyExpectedValue": "There should be only one ENTRYPOINT instruction", "keyActualValue": sprintf("There are %d ENTRYPOINT instructions", [count(cmdInst)]), 
diff --git a/assets/queries/dockerfile/multiple_run_add_copy_instructions_listed/query.rego b/assets/queries/dockerfile/multiple_run_add_copy_instructions_listed/query.rego index 675a2e1e5e9..4e8f92e68db 100644 --- a/assets/queries/dockerfile/multiple_run_add_copy_instructions_listed/query.rego +++ b/assets/queries/dockerfile/multiple_run_add_copy_instructions_listed/query.rego @@ -25,7 +25,7 @@ CxPolicy[result] { from_command := dockerLib.get_original_from_command(resource) result := { "documentId": input.document[i].id, - "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, lineCounter[0].Original]), + "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, lineCounter[0].Original]), from_command.EndLine-1), "issueType": "RedundantAttribute", "keyExpectedValue": sprintf("There isn´t any %s instruction that could be grouped", [upperName]), "keyActualValue": sprintf("There are %s instructions that could be grouped", [upperName]), diff --git a/assets/queries/dockerfile/not_using_json_in_cmd_and_entrypoint_arguments/query.rego b/assets/queries/dockerfile/not_using_json_in_cmd_and_entrypoint_arguments/query.rego index e60290bfcce..e22391c70c6 100644 --- a/assets/queries/dockerfile/not_using_json_in_cmd_and_entrypoint_arguments/query.rego +++ b/assets/queries/dockerfile/not_using_json_in_cmd_and_entrypoint_arguments/query.rego @@ -13,7 +13,7 @@ CxPolicy[result] { from_command := dockerLib.get_original_from_command(stage) result := { "documentId": input.document[i].id, - "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, resource.Original]), + "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.EndLine-1), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("{{%s}} should be in the JSON Notation", [resource.Original]), "keyActualValue": sprintf("{{%s}} isn't in JSON Notation", [resource.Original]), 
@@ -31,7 +31,7 @@ CxPolicy[result] { from_command := dockerLib.get_original_from_command(stage) result := { "documentId": input.document[i].id, - "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, resource.Original]), + "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.EndLine-1), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("{{%s}} should be in the JSON Notation", [resource.Original]), "keyActualValue": sprintf("{{%s}} isn't in JSON Notation", [resource.Original]), diff --git a/assets/queries/dockerfile/npm_install_without_pinned_version/query.rego b/assets/queries/dockerfile/npm_install_without_pinned_version/query.rego index 4abd6d7cb54..26d196281f1 100644 --- a/assets/queries/dockerfile/npm_install_without_pinned_version/query.rego +++ b/assets/queries/dockerfile/npm_install_without_pinned_version/query.rego @@ -27,7 +27,7 @@ CxPolicy[result] { from_command := dockerLib.get_original_from_command(stage) result := { "documentId": input.document[i].id, - "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, runCmd.Original]), + "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, runCmd.Original]), from_command.EndLine-1), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("'%s' uses npm install with a pinned version", [runCmd.Original]), "keyActualValue": sprintf("'%s' does not uses npm install with a pinned version", [runCmd.Original]), diff --git a/assets/queries/dockerfile/pip_install_keeping_cached_packages/query.rego b/assets/queries/dockerfile/pip_install_keeping_cached_packages/query.rego index 1412a5a176c..2a14856977f 100644 --- a/assets/queries/dockerfile/pip_install_keeping_cached_packages/query.rego +++ b/assets/queries/dockerfile/pip_install_keeping_cached_packages/query.rego 
@@ -15,7 +15,7 @@ CxPolicy[result] { from_command := dockerLib.get_original_from_command(stage) result := { "documentId": input.document[i].id, - "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, values]), + "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, values]), from_command.EndLine-1), "issueType": "IncorrectValue", "keyExpectedValue": "The '--no-cache-dir' flag should be set when running 'pip/pip3 install'", "keyActualValue": "The '--no-cache-dir' flag isn't set when running 'pip/pip3 install'", @@ -36,7 +36,7 @@ CxPolicy[result] { from_command := dockerLib.get_original_from_command(stage) result := { "documentId": input.document[i].id, - "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, resource.Original]), + "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.EndLine-1), "issueType": "IncorrectValue", "keyExpectedValue": "The '--no-cache-dir' flag should be set when running 'pip/pip3 install'", "keyActualValue": "The '--no-cache-dir' flag isn't set when running 'pip/pip3 install'", diff --git a/assets/queries/dockerfile/run_command_cd_instead_of_workdir/query.rego b/assets/queries/dockerfile/run_command_cd_instead_of_workdir/query.rego index da557956b2d..2e7ac4462d8 100644 --- a/assets/queries/dockerfile/run_command_cd_instead_of_workdir/query.rego +++ b/assets/queries/dockerfile/run_command_cd_instead_of_workdir/query.rego 
@@ -17,7 +17,7 @@ CxPolicy[result] { run_command := substring(resource.Original, 0, 3) result := { "documentId": input.document[i].id, - "searchKey": sprintf("%s={{%s}}.%s={{%s}}", [from_command, name, run_command, resource.Value[0]]), + "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.%s={{%s}}", [from_command.Value, name, run_command, resource.Value[0]]), from_command.EndLine-1), "issueType": "IncorrectValue", "keyExpectedValue": "Using WORKDIR to change directory", "keyActualValue": sprintf("RUN %s'", [resource.Value[0]]), diff --git a/assets/queries/dockerfile/run_using_apt/query.rego b/assets/queries/dockerfile/run_using_apt/query.rego index 1976c18bec7..6d1a448fe45 100644 --- a/assets/queries/dockerfile/run_using_apt/query.rego +++ b/assets/queries/dockerfile/run_using_apt/query.rego @@ -14,7 +14,7 @@ CxPolicy[result] { from_command := dockerLib.get_original_from_command(commands[img]) result := { "documentId": document.id, - "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, img, commands[img][c].Original]), + "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, img, commands[img][c].Original]), from_command.EndLine-1), "issueType": "IncorrectValue", "keyExpectedValue": "RUN instructions should not use the 'apt' program", "keyActualValue": "RUN instruction is invoking the 'apt' program", diff --git a/assets/queries/dockerfile/run_using_sudo/query.rego b/assets/queries/dockerfile/run_using_sudo/query.rego index 94d474711b7..250095fb69c 100644 --- a/assets/queries/dockerfile/run_using_sudo/query.rego +++ b/assets/queries/dockerfile/run_using_sudo/query.rego 
@@ -14,7 +14,7 @@ CxPolicy[result] { run_command := substring(resource.Original, 0, 3) result := { "documentId": input.document[i].id, - "searchKey": sprintf("%s={{%s}}.%s={{%s}}", [from_command, name, run_command, resource.Value[0]]), + "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.%s={{%s}}", [from_command.Value, name, run_command, resource.Value[0]]), from_command.EndLine-1), "issueType": "IncorrectValue", "keyExpectedValue": "RUN instruction shouldn't contain sudo", "keyActualValue": "RUN instruction contains sudo", @@ -33,7 +33,7 @@ CxPolicy[result] { run_command := substring(resource.Original, 0, 3) result := { "documentId": input.document[i].id, - "searchKey": sprintf("%s={{%s}}.%s={{%s}}", [from_command, name, run_command, resource.Value[0]]), + "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.%s={{%s}}", [from_command.Value, name, run_command, resource.Value[0]]), from_command.EndLine-1), "issueType": "IncorrectValue", "keyExpectedValue": "RUN instruction shouldn't contain sudo", "keyActualValue": "RUN instruction contains sudo", diff --git a/assets/queries/dockerfile/run_using_wget_and_curl/query.rego b/assets/queries/dockerfile/run_using_wget_and_curl/query.rego index 9acf1c45407..450878a9cf5 100644 --- a/assets/queries/dockerfile/run_using_wget_and_curl/query.rego +++ b/assets/queries/dockerfile/run_using_wget_and_curl/query.rego @@ -14,7 +14,7 @@ CxPolicy[result] { from_command := dockerLib.get_original_from_command(resource) result := { "documentId": input.document[i].id, - "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, curl[0]]), + "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, curl[0]]), from_command.EndLine-1), "issueType": "RedundantAttribute", "keyExpectedValue": "Exclusively using 'wget' or 'curl'", "keyActualValue": "Using both 'wget' and 'curl'", 
diff --git a/assets/queries/dockerfile/run_utilities_and_posix_commands/query.rego b/assets/queries/dockerfile/run_utilities_and_posix_commands/query.rego index acdf278b2a6..2e045fda70e 100644 --- a/assets/queries/dockerfile/run_utilities_and_posix_commands/query.rego +++ b/assets/queries/dockerfile/run_utilities_and_posix_commands/query.rego @@ -12,7 +12,7 @@ CxPolicy[result] { from_command := dockerLib.get_original_from_command(stage) result := { "documentId": input.document[i].id, - "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, resource.Original]), + "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.EndLine-1), "issueType": "IncorrectValue", "keyExpectedValue": "There should be no dangerous commands or utilities executed", "keyActualValue": sprintf("Run instruction is executing the %s command", [resource.Value[0]]), diff --git a/assets/queries/dockerfile/same_alias_in_different_froms/query.rego b/assets/queries/dockerfile/same_alias_in_different_froms/query.rego index 1f3dc599518..79f53fb2acb 100644 --- a/assets/queries/dockerfile/same_alias_in_different_froms/query.rego +++ b/assets/queries/dockerfile/same_alias_in_different_froms/query.rego @@ -19,7 +19,7 @@ CxPolicy[result] { from_command := dockerLib.get_original_from_command(input.document[i].command[name2]) result := { "documentId": input.document[i].id, - "searchKey": sprintf("%s={{%s}}", [from_command, aliasResource.Value[idx_2]]), + "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}", [from_command.Value, aliasResource.Value[idx_2]]), from_command.EndLine-1), "issueType": "IncorrectValue", "keyExpectedValue": "Different FROM commands don't have the same alias defined", "keyActualValue": sprintf("Different FROM commands with with the same alias '%s' defined", [aliasResource.Value[idx_2]]), 
diff --git a/assets/queries/dockerfile/shell_running_a_pipe_without_pipefail_flag/query.rego b/assets/queries/dockerfile/shell_running_a_pipe_without_pipefail_flag/query.rego index 5ba93023521..47f45ca06b4 100644 --- a/assets/queries/dockerfile/shell_running_a_pipe_without_pipefail_flag/query.rego +++ b/assets/queries/dockerfile/shell_running_a_pipe_without_pipefail_flag/query.rego @@ -23,7 +23,7 @@ CxPolicy[result] { from_command := dockerLib.get_original_from_command(commands) result := { "documentId": input.document[i].id, - "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, runCmd.Original]), + "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, runCmd.Original]), from_command.EndLine-1), "searchValue": match.shell, "issueType": "MissingAttribute", "keyExpectedValue": sprintf("'%s' has pipefail option set for pipe command with shell %s.", [runCmd.Original, match.shell]), @@ -52,7 +52,7 @@ CxPolicy[result] { from_command := dockerLib.get_original_from_command(commands) result := { "documentId": input.document[i].id, - "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, runCmd.Original]), + "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, runCmd.Original]), from_command.EndLine-1), "searchValue": match.shell, "issueType": "MissingAttribute", "keyExpectedValue": sprintf("'%s' has pipefail option set for pipe command with shell %s.", [cmdFormatted, match.shell]), diff --git a/assets/queries/dockerfile/unix_ports_out_of_range/query.rego b/assets/queries/dockerfile/unix_ports_out_of_range/query.rego index c4eca8ccc45..2fc1695c6e1 100644 --- a/assets/queries/dockerfile/unix_ports_out_of_range/query.rego +++ b/assets/queries/dockerfile/unix_ports_out_of_range/query.rego 
@@ -12,7 +12,7 @@ CxPolicy[result] { from_command := dockerLib.get_original_from_command(stage) result := { "documentId": input.document[i].id, - "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, command.Original]), + "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, command.Original]), from_command.EndLine-1), "issueType": "IncorrectValue", "keyExpectedValue": "'EXPOSE' should not contain ports out of range [0, 65535]", "keyActualValue": "'EXPOSE' contains ports out of range [0, 65535]", diff --git a/assets/queries/dockerfile/unpinned_package_version_in_apk_add/query.rego b/assets/queries/dockerfile/unpinned_package_version_in_apk_add/query.rego index 77212be60e1..29de624bcf5 100644 --- a/assets/queries/dockerfile/unpinned_package_version_in_apk_add/query.rego +++ b/assets/queries/dockerfile/unpinned_package_version_in_apk_add/query.rego @@ -1,7 +1,7 @@ package Cx import data.generic.common as common_lib -import data.generic.dockerfile as docker_lib +import data.generic.dockerfile as dockerLib CxPolicy[result] { resource := input.document[i].command[name][cmd] @@ -15,7 +15,7 @@ CxPolicy[result] { apk := regex.find_n("apk (-(-)?[a-zA-Z]+ *)*add", commands_trim, -1) apk != null - packages = docker_lib.getPackages(commands_trim, apk) + packages = dockerLib.getPackages(commands_trim, apk) length := count(packages) 
@@ -23,10 +23,10 @@ CxPolicy[result] { analyzePackages(j, packages[j], packages, length) stage := input.document[i].command[name] - from_command := docker_lib.get_original_from_command(stage) + from_command := dockerLib.get_original_from_command(stage) result := { "documentId": input.document[i].id, - "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, resource.Original]), + "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.EndLine-1), "issueType": "IncorrectValue", "keyExpectedValue": "RUN instruction with 'apk add ' should use package pinning form 'apk add ='", "keyActualValue": sprintf("RUN instruction %s does not use package pinning form", [resource.Value[0]]), @@ -46,7 +46,7 @@ CxPolicy[result] { apk := regex.find_n("apk (-(-)?[a-zA-Z]+ *)*add", commands_trim, -1) apk != null - packages = docker_lib.getPackages(commands_trim, apk) + packages = dockerLib.getPackages(commands_trim, apk) length := count(packages) @@ -54,10 +54,10 @@ CxPolicy[result] { analyzePackages(j, packages[j], packages, length) stage := input.document[i].command[name] - from_command := docker_lib.get_original_from_command(stage) + from_command := dockerLib.get_original_from_command(stage) result := { "documentId": input.document[i].id, - "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, resource.Original]), + "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.EndLine-1), "issueType": "IncorrectValue", "keyExpectedValue": "RUN instruction with 'apk add ' should use package pinning form 'apk add ='", "keyActualValue": sprintf("RUN instruction %s does not use package pinning form", [resource.Value[0]]), 
@@ -76,7 +76,7 @@ CxPolicy[result] { apk := regex.find_n("apk (-(-)?[a-zA-Z]+ *)*add", commands, -1) apk != null - packages = docker_lib.getPackages(commands, apk) + packages = dockerLib.getPackages(commands, apk) length := count(packages) @@ -84,10 +84,10 @@ CxPolicy[result] { analyzePackages(j, packages[j], packages, length) stage := input.document[i].command[name] - from_command := docker_lib.get_original_from_command(stage) + from_command := dockerLib.get_original_from_command(stage) result := { "documentId": input.document[i].id, - "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, resource.Original]), + "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.EndLine-1), "issueType": "IncorrectValue", "keyExpectedValue": "RUN instruction with 'apk add ' should use package pinning form 'apk add ='", "keyActualValue": sprintf("RUN instruction %s does not use package pinning form", [resource.Value[0]]), @@ -101,19 +101,19 @@ CxPolicy[result] { count(resource.Value) > 1 - docker_lib.arrayContains(resource.Value, {"apk", "add"}) + dockerLib.arrayContains(resource.Value, {"apk", "add"}) resource.Value[j] != "apk" resource.Value[j] != "add" regex.match("^[a-zA-Z]", resource.Value[j]) - not docker_lib.withVersion(resource.Value[j]) + not dockerLib.withVersion(resource.Value[j]) stage := input.document[i].command[name] - from_command := docker_lib.get_original_from_command(stage) + from_command := dockerLib.get_original_from_command(stage) result := { "documentId": input.document[i].id, - "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, resource.Original]), + "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.EndLine-1), "searchValue": resource.Value[j], "issueType": "IncorrectValue", "keyExpectedValue": "RUN instruction with 'apk add ' should use package pinning form 'apk add ='", 
@@ -125,12 +125,12 @@ CxPolicy[result] { analyzePackages(j, currentPackage, packages, length) { j == length - 1 regex.match("^[a-zA-Z]", currentPackage) - not docker_lib.withVersion(currentPackage) + not dockerLib.withVersion(currentPackage) } analyzePackages(j, currentPackage, packages, length) { j != length - 1 regex.match("^[a-zA-Z]", currentPackage) packages[plus(j, 1)] != "-v" - not docker_lib.withVersion(currentPackage) + not dockerLib.withVersion(currentPackage) } diff --git a/assets/queries/dockerfile/unpinned_package_version_in_pip_install/query.rego b/assets/queries/dockerfile/unpinned_package_version_in_pip_install/query.rego index 2a07790d9a0..59f109e0c34 100644 --- a/assets/queries/dockerfile/unpinned_package_version_in_pip_install/query.rego +++ b/assets/queries/dockerfile/unpinned_package_version_in_pip_install/query.rego @@ -27,7 +27,7 @@ CxPolicy[result] { from_command := dockerLib.get_original_from_command(stage) result := { "documentId": input.document[i].id, - "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, resource.Original]), + "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.EndLine-1), "issueType": "IncorrectValue", "keyExpectedValue": "RUN instruction with 'pip/pip3 install ' should use package pinning form 'pip/pip3 install ='", "keyActualValue": sprintf("RUN instruction %s does not use package pinning form", [commands]), 
@@ -53,7 +53,7 @@ CxPolicy[result] { from_command := dockerLib.get_original_from_command(stage) result := { "documentId": input.document[i].id, - "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, resource.Original]), + "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.EndLine-1), "issueType": "IncorrectValue", "keyExpectedValue": "RUN instruction with 'pip/pip3 install ' should use package pinning form 'pip/pip3 install ='", "keyActualValue": sprintf("RUN instruction %s does not use package pinning form", [resource.Value[j]]), diff --git a/assets/queries/dockerfile/update_instruction_alone/query.rego b/assets/queries/dockerfile/update_instruction_alone/query.rego index 8fc0fd03c64..4332c639886 100644 --- a/assets/queries/dockerfile/update_instruction_alone/query.rego +++ b/assets/queries/dockerfile/update_instruction_alone/query.rego @@ -27,7 +27,7 @@ CxPolicy[result] { run_command := substring(resource.Original, 0, 3) result := { "documentId": input.document[i].id, - "searchKey": sprintf("%s={{%s}}.%s={{%s}}", [from_command, name, run_command, resource.Value[0]]), + "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.%s={{%s}}", [from_command.Value, name, run_command, resource.Value[0]]), from_command.EndLine-1), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("Instruction 'RUN %s %s' should be followed by 'RUN %s %s' in the same 'RUN' statement", [packageManager, pkg_installer[packageManager], packageManager, pkg_updater[packageManager]]), "keyActualValue": sprintf("Instruction 'RUN %s %s' isn't followed by 'RUN %s %s in the same 'RUN' statement", [packageManager, pkg_installer[packageManager], packageManager, pkg_updater[packageManager]]), 
@@ -68,7 +68,7 @@ CxPolicy[result] { run_command := substring(resource.Original, 0, 3) result := { "documentId": input.document[i].id, - "searchKey": sprintf("%s={{%s}}.%s={{%s}}", [from_command, name, run_command, nextResource.Value[0]]), + "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.%s={{%s}}", [from_command.Value, name, run_command, nextResource.Value[0]]), from_command.EndLine-1), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("Instruction 'RUN %s %s' should be combined with 'RUN %s %s' in the same 'RUN' statement", [nextPackageManager, pkg_installer[nextPackageManager], nextPackageManager, pkg_updater[nextPackageManager]]), "keyActualValue": sprintf("Instruction 'RUN %s %s' isn't combined with 'RUN %s %s in the same 'RUN' statement", [nextPackageManager, pkg_installer[nextPackageManager], nextPackageManager, pkg_updater[nextPackageManager]]), diff --git a/assets/queries/dockerfile/using_platform_with_from/query.rego b/assets/queries/dockerfile/using_platform_with_from/query.rego index 2496fb1baba..3a826e0f08a 100644 --- a/assets/queries/dockerfile/using_platform_with_from/query.rego +++ b/assets/queries/dockerfile/using_platform_with_from/query.rego @@ -13,7 +13,7 @@ CxPolicy[result] { from_command := dockerLib.get_original_from_command(stage) result := { "documentId": input.document[i].id, - "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, resource.Original]), + "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.EndLine-1), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("%s={{%s}}.{{%s}} should not use the '--platform' flag", [from_command, name, resource.Original]), "keyActualValue": sprintf("%s={{%s}}.{{%s}} is using the '--platform' flag", [from_command, name, resource.Original]), 
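Review bot: In the using_platform_with_from hunk, `keyExpectedValue` and `keyActualValue` still pass the bare `from_command` to sprintf while searchKey was switched to `from_command.Value`; get_original_from_command evidently now returns an object carrying `.Value` and `.EndLine`, so `%s` will render that whole object into the user-facing message instead of the image name. Change both lines to use the same field: `"keyExpectedValue": sprintf("%s={{%s}}.{{%s}} should not use the '--platform' flag", [from_command.Value, name, resource.Original]),` and `"keyActualValue": sprintf("%s={{%s}}.{{%s}} is using the '--platform' flag", [from_command.Value, name, resource.Original]),`. This is the only query visible here whose message strings interpolate from_command, which is why the mechanical searchKey rewrite missed it. The rule body starts before the hunk.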
diff --git a/assets/queries/dockerfile/using_unnamed_build_stages/query.rego b/assets/queries/dockerfile/using_unnamed_build_stages/query.rego index df91819abb7..d1cc26de6b8 100644 --- a/assets/queries/dockerfile/using_unnamed_build_stages/query.rego +++ b/assets/queries/dockerfile/using_unnamed_build_stages/query.rego @@ -17,7 +17,7 @@ CxPolicy[result] { from_command := dockerLib.get_original_from_command(stage) result := { "documentId": input.document[i].id, - "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, commands.Original]), + "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, commands.Original]), from_command.EndLine-1), "issueType": "IncorrectValue", "keyExpectedValue": "COPY '--from' should reference a previously defined FROM alias", "keyActualValue": "COPY '--from' does not reference a previously defined FROM alias", diff --git a/assets/queries/dockerfile/workdir_path_not_absolute/query.rego b/assets/queries/dockerfile/workdir_path_not_absolute/query.rego index d7d00a8de1d..18f5ea77418 100644 --- a/assets/queries/dockerfile/workdir_path_not_absolute/query.rego +++ b/assets/queries/dockerfile/workdir_path_not_absolute/query.rego @@ -12,7 +12,7 @@ CxPolicy[result] { workdir_command := substring(resource.Original, 0, 7) result := { "documentId": input.document[i].id, - "searchKey": sprintf("%s={{%s}}.%s={{%s}}", [from_command, name, workdir_command, resource.Value[0]]), + "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.%s={{%s}}", [from_command.Value, name, workdir_command, resource.Value[0]]), from_command.EndLine-1), "issueType": "IncorrectValue", #"MissingAttribute" / "RedundantAttribute" "keyExpectedValue": "'WORKDIR' Command has absolute path", "keyActualValue": "'WORKDIR' Command doesn't have absolute path", diff --git a/assets/queries/dockerfile/yum_clean_all_missing/query.rego b/assets/queries/dockerfile/yum_clean_all_missing/query.rego index 2cea845cf5c..d88898a46f6 100644 
--- a/assets/queries/dockerfile/yum_clean_all_missing/query.rego +++ b/assets/queries/dockerfile/yum_clean_all_missing/query.rego @@ -19,7 +19,7 @@ CxPolicy[result] { from_command := dockerLib.get_original_from_command(stage) result := { "documentId": input.document[i].id, - "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, resource.Original]), + "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.EndLine-1), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("{{%s}} should have 'yum clean all' after 'yum install' command", [resource.Original]), "keyActualValue": sprintf("{{%s}} doesn't have 'yum clean all' after 'yum install' command", [resource.Original]), diff --git a/assets/queries/dockerfile/yum_install_allows_manual_input/query.rego b/assets/queries/dockerfile/yum_install_allows_manual_input/query.rego index b5b3a6a9e70..1919ee73834 100644 --- a/assets/queries/dockerfile/yum_install_allows_manual_input/query.rego +++ b/assets/queries/dockerfile/yum_install_allows_manual_input/query.rego @@ -16,7 +16,7 @@ CxPolicy[result] { from_command := dockerLib.get_original_from_command(stage) result := { "documentId": input.document[i].id, - "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, resource.Original]), + "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.EndLine-1), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("{{%s}} should avoid manual input", [resource.Original]), "keyActualValue": sprintf("{{%s}} doesn't avoid manual input", [resource.Original]), 
@@ -36,7 +36,7 @@ CxPolicy[result] { from_command := dockerLib.get_original_from_command(stage) result := { "documentId": input.document[i].id, - "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, resource.Original]), + "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.EndLine-1), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("{{%s}} should avoid manual input", [resource.Original]), "keyActualValue": sprintf("{{%s}} doesn't avoid manual input", [resource.Original]), diff --git a/assets/queries/dockerfile/yum_install_without_version/query.rego b/assets/queries/dockerfile/yum_install_without_version/query.rego index 1e51dc24f57..7bbdf85bd54 100644 --- a/assets/queries/dockerfile/yum_install_without_version/query.rego +++ b/assets/queries/dockerfile/yum_install_without_version/query.rego @@ -1,7 +1,7 @@ package Cx import data.generic.common as common_lib -import data.generic.dockerfile as docker_lib +import data.generic.dockerfile as dockerLib CxPolicy[result] { resource := input.document[i].command[name][cmd] 
@@ -13,17 +13,17 @@ CxPolicy[result] { yum := regex.find_n("yum (-(-)?[a-zA-Z]+ *)*(group|local)?install", commands, -1) yum != null - packages = docker_lib.getPackages(commands, yum) + packages = dockerLib.getPackages(commands, yum) length := count(packages) some j analyzePackages(j, packages[j], packages, length) stage := input.document[i].command[name] - from_command := docker_lib.get_original_from_command(stage) + from_command := dockerLib.get_original_from_command(stage) result := { "documentId": input.document[i].id, - "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, resource.Original]), + "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.EndLine-1), "searchValue": packages[j], "issueType": "IncorrectValue", "keyExpectedValue": "The package version should always be specified when using yum install", @@ -38,18 +38,18 @@ CxPolicy[result] { count(resource.Value) > 1 - docker_lib.arrayContains(resource.Value, {"yum", "install"}) + dockerLib.arrayContains(resource.Value, {"yum", "install"}) resource.Value[j] != "install" resource.Value[j] != "yum" regex.match("^[a-zA-Z]", resource.Value[j]) == true - not docker_lib.withVersion(resource.Value[j]) + not dockerLib.withVersion(resource.Value[j]) stage := input.document[i].command[name] - from_command := docker_lib.get_original_from_command(stage) + from_command := dockerLib.get_original_from_command(stage) result := { "documentId": input.document[i].id, - "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, resource.Original]), + "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.EndLine-1), "searchValue": resource.Value[j], "issueType": "IncorrectValue", "keyExpectedValue": "The package version should always be specified when using yum install", 
@@ -61,12 +61,12 @@ CxPolicy[result] { analyzePackages(j, currentPackage, packages, length) { j == length - 1 regex.match("^[a-zA-Z]", currentPackage) == true - not docker_lib.withVersion(currentPackage) + not dockerLib.withVersion(currentPackage) } analyzePackages(j, currentPackage, packages, length) { j != length - 1 regex.match("^[a-zA-Z]", currentPackage) == true packages[plus(j, 1)] != "-v" - not docker_lib.withVersion(currentPackage) + not dockerLib.withVersion(currentPackage) } diff --git a/assets/queries/dockerfile/zypper_install_without_version/query.rego b/assets/queries/dockerfile/zypper_install_without_version/query.rego index 95a90e1a05b..4a907aeaae5 100644 --- a/assets/queries/dockerfile/zypper_install_without_version/query.rego +++ b/assets/queries/dockerfile/zypper_install_without_version/query.rego @@ -1,7 +1,7 @@ package Cx import data.generic.common as common_lib -import data.generic.dockerfile as docker_lib +import data.generic.dockerfile as dockerLib CxPolicy[result] { resource := input.document[i].command[name][cmd] @@ -13,17 +13,17 @@ CxPolicy[result] { zypper := regex.find_n("zypper (-(-)?[a-zA-Z]+ *)*in(stall)?", commands, -1) zypper != null - packages = docker_lib.getPackages(commands, zypper) + packages = dockerLib.getPackages(commands, zypper) length := count(packages) some j analyzePackages(j, packages[j], packages, length) stage := input.document[i].command[name] - from_command := docker_lib.get_original_from_command(stage) + from_command := dockerLib.get_original_from_command(stage) result := { "documentId": input.document[i].id, - "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, resource.Original]), + "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.EndLine-1), "searchValue": packages[j], "issueType": "IncorrectValue", "keyExpectedValue": "The package version should always be specified when using zypper install", 
@@ -38,18 +38,18 @@ CxPolicy[result] { count(resource.Value) > 1 - docker_lib.arrayContains(resource.Value, {"zypper", "install"}) + dockerLib.arrayContains(resource.Value, {"zypper", "install"}) resource.Value[j] != "install" resource.Value[j] != "zypper" regex.match("^[a-zA-Z]", resource.Value[j]) == true - not docker_lib.withVersion(resource.Value[j]) + not dockerLib.withVersion(resource.Value[j]) stage := input.document[i].command[name] - from_command := docker_lib.get_original_from_command(stage) + from_command := dockerLib.get_original_from_command(stage) result := { "documentId": input.document[i].id, - "searchKey": sprintf("%s={{%s}}.{{%s}}", [from_command, name, resource.Original]), + "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.EndLine-1), "searchValue": resource.Value[j], "issueType": "IncorrectValue", "keyExpectedValue": "The package version should always be specified when using zypper install", @@ -61,12 +61,12 @@ CxPolicy[result] { analyzePackages(j, currentPackage, packages, length) { j == length - 1 regex.match("^[a-zA-Z]", currentPackage) == true - not docker_lib.withVersion(currentPackage) + not dockerLib.withVersion(currentPackage) } analyzePackages(j, currentPackage, packages, length) { j != length - 1 regex.match("^[a-zA-Z]", currentPackage) == true packages[plus(j, 1)] != "-v" - not docker_lib.withVersion(currentPackage) + not dockerLib.withVersion(currentPackage) } diff --git a/test/fixtures/dockerfile/Dockerfile-multistage b/test/fixtures/dockerfile/Dockerfile-multistage new file mode 100644 index 00000000000..ff222325319 --- /dev/null +++ b/test/fixtures/dockerfile/Dockerfile-multistage 
@@ -0,0 +1,11 @@
+FROM ubuntu:latestnightly
+VOLUME /tmp
+ENTRYPOINT ["java","-Djava.security.egd=file:/dev/./urandom","-jar","/app.jar"]
+
+FROM ubuntu:latestnightly
+VOLUME /tmp
+ADD http://source.file/package.file.tar.gz /temp
+RUN tar -xjf /temp/package.file.tar.gz
+ARG JAR_FILE
+ADD ${JAR_FILE} app.jar
+ENTRYPOINT ["java","-Djava.security.egd=file:/dev/./urandom","-jar","/app.jar"]
From 60b2df75011774702e16f37cc1f273ae0c236024 Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Thu, 9 Apr 2026 15:31:11 +0100
Subject: [PATCH 62/84] Fix E2E testcase
---
 e2e/testcases/e2e-cli-107_dockerfile_multistage_scan.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/e2e/testcases/e2e-cli-107_dockerfile_multistage_scan.go b/e2e/testcases/e2e-cli-107_dockerfile_multistage_scan.go
index 165d54ad2d7..4e80cbadfa8 100644
--- a/e2e/testcases/e2e-cli-107_dockerfile_multistage_scan.go
+++ b/e2e/testcases/e2e-cli-107_dockerfile_multistage_scan.go
@@ -8,10 +8,10 @@ func init() { //nolint
 Name: "should perform a valid scan on dockerfile multistage sample [E2E-CLI-107]",
 Args: args{
 Args: []cmdArgs{
- []string{"scan", "-o", "/path/e2e/output2",
+ []string{"scan", "-o", "/path/e2e/output",
 "--output-name", "E2E_CLI_107_RESULT",
 "-p", "/path/test/fixtures/dockerfile/Dockerfile-multistage",
- "--payload-path", "/path/e2e/output2/E2E_CLI_107_PAYLOAD.json",
+ "--payload-path", "/path/e2e/output/E2E_CLI_107_PAYLOAD.json",
 },
 },
 ExpectedResult: []ResultsValidation{
From 1a6b160786a3769730f549b861db4049f0080119 Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Thu, 9 Apr 2026 15:39:04 +0100
Subject: [PATCH 63/84] Adjusted expected results for same alias in different forms query
---
 .../test/positive_expected_result.json | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/assets/queries/dockerfile/same_alias_in_different_froms/test/positive_expected_result.json b/assets/queries/dockerfile/same_alias_in_different_froms/test/positive_expected_result.json index 515f03d0102..89041ad6f99 100644 --- a/assets/queries/dockerfile/same_alias_in_different_froms/test/positive_expected_result.json +++ b/assets/queries/dockerfile/same_alias_in_different_froms/test/positive_expected_result.json @@ -5,10 +5,22 @@ "line": 4, "fileName": "positive.dockerfile" }, + { + "queryName": "Same Alias In Different Froms", + "severity": "LOW", + "line": 7, + "fileName": "positive.dockerfile" + }, { "queryName": "Same Alias In Different Froms", "severity": "LOW", "line": 4, "fileName": "positive2.dockerfile" + }, + { + "queryName": "Same Alias In Different Froms", + "severity": "LOW", + "line": 7, + "fileName": "positive2.dockerfile" } ] \ No newline at end of file From ab836fb7c32060e08a2a3b07d3407a13813decfa Mon Sep 17 00:00:00 2001 From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Thu, 9 Apr 2026 15:53:21 +0100 Subject: [PATCH 64/84] E2E fixture fix and typo fix --- .../dockerfile/same_alias_in_different_froms/query.rego | 4 ++-- e2e/fixtures/E2E_CLI_107_RESULT.json | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/assets/queries/dockerfile/same_alias_in_different_froms/query.rego b/assets/queries/dockerfile/same_alias_in_different_froms/query.rego index 79f53fb2acb..ee084a53c34 100644 --- a/assets/queries/dockerfile/same_alias_in_different_froms/query.rego +++ b/assets/queries/dockerfile/same_alias_in_different_froms/query.rego 
@@ -20,9 +20,9 @@ CxPolicy[result] { result := { "documentId": input.document[i].id, "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}", [from_command.Value, aliasResource.Value[idx_2]]), from_command.EndLine-1), - "issueType": "IncorrectValue", + "issueType": "IncorrectValue", "keyExpectedValue": "Different FROM commands don't have the same alias defined", - "keyActualValue": sprintf("Different FROM commands with with the same alias '%s' defined", [aliasResource.Value[idx_2]]), + "keyActualValue": sprintf("Different FROM commands with the same alias '%s' defined", [aliasResource.Value[idx_2]]), } } diff --git a/e2e/fixtures/E2E_CLI_107_RESULT.json b/e2e/fixtures/E2E_CLI_107_RESULT.json index 66b05f97837..b9e89e0bbc3 100644 --- a/e2e/fixtures/E2E_CLI_107_RESULT.json +++ b/e2e/fixtures/E2E_CLI_107_RESULT.json @@ -23,7 +23,7 @@ "start": "2026-04-09T14:58:58.1938463+01:00", "end": "2026-04-09T14:59:10.5630691+01:00", "paths": [ - "path/test/fixtures/dockerfile/Dockerfile-multistage" + "/path/test/fixtures/dockerfile/Dockerfile-multistage" ], "queries": [ { From 84e4cb20df44f43bf1530283828a994ce980282f Mon Sep 17 00:00:00 2001 From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Fri, 10 Apr 2026 10:46:05 +0100 Subject: [PATCH 65/84] Unit test to ensure line hint is being used on docker_detect --- pkg/detector/docker/docker_detect_test.go | 48 ++++++++++++++++++++++- 1 file changed, 47 insertions(+), 1 deletion(-) diff --git a/pkg/detector/docker/docker_detect_test.go b/pkg/detector/docker/docker_detect_test.go index 5492ea32d62..b9b7cf87de8 100644 --- a/pkg/detector/docker/docker_detect_test.go +++ b/pkg/detector/docker/docker_detect_test.go 
@@ -49,6 +49,25 @@ RUN apk update \ && rm -rf /var/cache/apk/* ENTRYPOINT ["kubectl"]` +var OriginalData4 = `FROM openjdk:10-jdk +VOLUME /tmp +ADD http://source.file/package.file.tar.gz /temp +RUN tar -xjf /temp/package.file.tar.gz \ + && make -C /tmp/package.file \ + && rm /tmp/ package.file.tar.gz +ARG JAR_FILE +ADD ${JAR_FILE} apps.jar + +FROM openjdk:10-jdk +VOLUME /tmp +ADD http://source.file/package.file.tar.gz /temp +RUN tar -xjf /temp/package.file.tar.gz \ + && make -C /tmp/package.file \ + && rm /tmp/ package.file.tar.gz +ARG JAR_FILE +ADD ${JAR_FILE} apps.jar +` + // TestDetectDockerLine tests the functions [DetectDockerLine()] and all the methods called by them func TestDetectDockerLine(t *testing.T) { //nolint testCases := []struct { @@ -101,7 +120,7 @@ func TestDetectDockerLine(t *testing.T) { //nolint }, }, }, - searchKey: "FROM=openjdk:11-jdk.{{ADD ${JAR_FILE} apps.jar}}", + searchKey: "FROM={{openjdk:11-jdk}}.{{ADD ${JAR_FILE} apps.jar}}", file: &model.FileMetadata{ ScanID: "Test3", ID: "Test3", @@ -137,6 +156,33 @@ func TestDetectDockerLine(t *testing.T) { //nolint LinesOriginalData: utils.SplitLines(OriginalData3), }, }, + { + expected: model.VulnerabilityLines{ + Line: 17, + VulnLines: &[]model.CodeLine{ + { + Position: 16, + Line: "ARG JAR_FILE", + }, + { + Position: 17, + Line: "ADD ${JAR_FILE} apps.jar", + }, + { + Position: 18, + Line: "", + }, + }, + }, + searchKey: "FROM={{openjdk:10-jdk(1)}}.{{ADD ${JAR_FILE} apps.jar}}^8", + file: &model.FileMetadata{ + ScanID: "Test4", + ID: "Test4", + Kind: model.KindDOCKER, + OriginalData: OriginalData4, + LinesOriginalData: utils.SplitLines(OriginalData4), + }, + }, } for i, testCase := range testCases { From 5edd3d6a6bdebc80effc5edf23435095fd41491c Mon Sep 17 00:00:00 2001 
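Review bot: The Test4 case added in the third hunk (`@@ -137,6 +156,33 @@`) encodes two conventions in its searchKey without explaining them — the `(1)` suffix that keys the second `openjdk:10-jdk` stage and the trailing `^8` line hint — and nothing in this file says where either comes from. A one-line comment above the case, e.g. `// second FROM of the same image is keyed "openjdk:10-jdk(1)"; "^8" is the line hint the query appends (see dockerLib.add_line_hint)`, would let a maintainer repair the expectation when the parser's naming or the hint format changes. The expected `Position: 18, Line: ""` entry presumably comes from the trailing newline in OriginalData4, which is worth stating as well, since trimming that newline would silently break the case. TestDetectDockerLine's body continues outside the hunk.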
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Fri, 10 Apr 2026 10:57:25 +0100 Subject: [PATCH 66/84] Added unit test to docker parser to ensure duplicate FROMs are distinct commands in payload --- pkg/parser/docker/parser_test.go | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+)
diff --git a/pkg/parser/docker/parser_test.go b/pkg/parser/docker/parser_test.go
index 3f6d6076ba9..8d161a53bf2 100644
--- a/pkg/parser/docker/parser_test.go
+++ b/pkg/parser/docker/parser_test.go
@@ -216,6 +216,26 @@ ENTRYPOINT ["java","-Djava.security.egd=file:/dev/./urandom","-jar","/app.jar"]
 }
 }
 
+// TestParser_Parse_DuplicateFROM tests that two FROM statements referencing the same image
+// produce two distinct command groups in the parsed output
+func TestParser_Parse_DuplicateFROM(t *testing.T) {
+ p := &Parser{}
+ sample := `FROM alpine:3.14
+RUN echo "stage1"
+FROM alpine:3.14
+RUN echo "stage2"
+`
+ doc, _, err := p.Parse("Dockerfile", []byte(sample))
+ require.NoError(t, err)
+ require.Len(t, doc, 1)
+
+ commands := doc[0]["command"].(map[string]interface{})
+
+ require.Len(t, commands, 2)
+ require.Contains(t, commands, "alpine:3.14")
+ require.Contains(t, commands, "alpine:3.14(1)")
+}
+
 func TestParser_GetResolvedFiles(t *testing.T) {
 tests := []struct {
 name string
From 4cfb9605808f786f4a50bbd3e6c391090edef986 Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Fri, 10 Apr 2026 11:05:45 +0100 Subject: [PATCH 67/84] Added unit test to vulnerability builder to ensure line hint is removed from searchKey --- pkg/engine/vulnerability_builder_test.go | 50 ++++++++++++++++++++++++ 1 file changed, 50 insertions(+)
diff --git a/pkg/engine/vulnerability_builder_test.go b/pkg/engine/vulnerability_builder_test.go
index cb34ba9b135..5d04bef3117 100644
--- a/pkg/engine/vulnerability_builder_test.go
+++ b/pkg/engine/vulnerability_builder_test.go
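Review bot: `commands := doc[0]["command"].(map[string]interface{})` in TestParser_Parse_DuplicateFROM is an unchecked type assertion, so if the parser ever changes the shape of the payload the test panics instead of reporting a failure with a readable message. Use the two-value form and assert on it, `commands, ok := doc[0]["command"].(map[string]interface{})` followed by `require.True(t, ok, "command entry should be a map")`; since the file already uses testify's require, `require.IsType` is an equivalent option. The same applies to `doc[0]` itself, which `require.Len(t, doc, 1)` already guards, so only the assertion needs the change.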
@@ -814,6 +814,56 @@ func TestEngine_calculate(t *testing.T) { //nolint } } +// TestDockerSearchKeyLineHintRemoval tests that the line hint (^suffix) is stripped +// from the searchKey +func TestDockerSearchKeyLineHintRemoval(t *testing.T) { + insDetector := detector.NewDetectLine(3). + Add(docker.DetectKindLine{}, model.KindDOCKER) + + tt := struct { + name string + searchKey string + wantSearchKey string + }{ + name: "searchKey with line hint is stripped", + searchKey: "command.alpine:3.14.run^3", + wantSearchKey: "command.alpine:3.14.run", + } + + t.Run(tt.name, func(t *testing.T) { + args := vbArgs{ + tracker: &tracker.CITracker{}, + ctx: &QueryContext{ + scanID: "ScanID", + Query: &PreparedQuery{ + Metadata: model.QueryMetadata{ + Metadata: map[string]interface{}{ + "id": "test-docker-query", + "severity": model.SeverityHigh, + "issueType": "IncorrectValue", + "searchKey": tt.searchKey, + }, + Query: "TestDockerQuery", + }, + }, + Files: map[string]model.FileMetadata{ + "dockerFileID": { + Kind: model.KindDOCKER, + LinesOriginalData: &[]string{}, + }, + }, + }, + v: map[string]interface{}{ + "documentId": "dockerFileID", + }, + } + + got, err := DefaultVulnerabilityBuilder(args.ctx, args.tracker, args.v, insDetector, false, false, map[string]TransitionQueryInfo{}) + require.NoError(t, err) + require.Equal(t, tt.wantSearchKey, got.SearchKey) + }) +} + func TestSanitize(t *testing.T) { tests := []struct { searchKey string From 5944797a318d82a060547e9b7accee75e7bd8761 Mon Sep 17 00:00:00 2001 
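Review bot: TestDockerSearchKeyLineHintRemoval is written as a table test with exactly one row, so the `tt` struct and the `t.Run` wrapper add structure without covering anything beyond the single `^3` case; either drop the wrapper or make it a real table. A second row whose searchKey has no `^` suffix (with `wantSearchKey` equal to `searchKey`) would show that keys without a hint pass through untouched, and a row with a non-numeric hint would pin how a malformed suffix is handled. The test only asserts on `got.SearchKey`; if the hint is meant to drive line resolution it would be worth asserting the resolved line too, though with `LinesOriginalData: &[]string{}` there may be nothing to resolve, so that may need a small fixture.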
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Mon, 13 Apr 2026 18:27:54 +0100 Subject: [PATCH 68/84] New 'python' samples to test for edge case 'from' statements on files without extension or within docker folder, adjusted readPossibleDockerfile to an improved regex based logic, adjusted file.Dockerfile to test for whitespaces before a from statement --- pkg/utils/get_extension.go | 4 +++- .../dockerfile/case_insensitive_tests/file.Dockerfile | 2 +- test/fixtures/dockerfile/dockerfiles/python_sample.py | 4 ++++ test/fixtures/dockerfile/python_sample | 7 +++++++ 4 files changed, 15 insertions(+), 2 deletions(-) create mode 100644 test/fixtures/dockerfile/dockerfiles/python_sample.py create mode 100644 test/fixtures/dockerfile/python_sample
diff --git a/pkg/utils/get_extension.go b/pkg/utils/get_extension.go
index eedc0d028a5..b845a0cbcc4 100644
--- a/pkg/utils/get_extension.go
+++ b/pkg/utils/get_extension.go
@@ -5,6 +5,7 @@ import (
 "fmt"
 "os"
 "path/filepath"
+ "regexp"
 "strings"
 
 "github.com/Checkmarx/kics/v2/internal/constants"
@@ -85,7 +86,8 @@ func readPossibleDockerFile(path string) bool {
 if strings.HasPrefix(scanner.Text(), "#") || strings.HasPrefix(strings.ToLower(scanner.Text()), "arg") || scanner.Text() == "" {
 continue
 } else {
- return strings.HasPrefix(strings.ToLower(scanner.Text()), "from ")
+ matched, _ := regexp.MatchString(`(?i)FROM\s+\S+(\s*$|\s+AS\s+\S+\s*$)`, scanner.Text())
+ return matched
 }
 }
 return false
diff --git a/test/fixtures/dockerfile/case_insensitive_tests/file.Dockerfile b/test/fixtures/dockerfile/case_insensitive_tests/file.Dockerfile
index 66464c06378..8850eed9d72 100644
--- a/test/fixtures/dockerfile/case_insensitive_tests/file.Dockerfile
+++ b/test/fixtures/dockerfile/case_insensitive_tests/file.Dockerfile
@@ -3,7 +3,7 @@ arg BASE_IMAGE=ubuntu:22.04 # Comments after arg
-from alpine:3.19 as builder
+ from alpine:3.19 as builder
 copy . .
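Review bot: `regexp.MatchString` in the new `else` branch of readPossibleDockerFile compiles the pattern on every call, and discarding its error return means a malformed pattern would read as "not a Dockerfile" instead of failing loudly. Compile once at package scope with `regexp.MustCompile` on the same raw-string pattern, e.g. `var fromLineRe = regexp.MustCompile(...)`, and make the branch `return fromLineRe.MatchString(scanner.Text())`; the `regexp` import added in the first hunk is still what that needs. The later hunk for this function in `[PATCH 69/84]` replaces the pattern but keeps the per-call compile and the ignored error, so the same change applies there. readPossibleDockerFile's opening lines, where `scanner` is set up, are outside the hunk.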
diff --git a/test/fixtures/dockerfile/dockerfiles/python_sample.py b/test/fixtures/dockerfile/dockerfiles/python_sample.py new file mode 100644 index 00000000000..1a5f2c4cc4e --- /dev/null +++ b/test/fixtures/dockerfile/dockerfiles/python_sample.py @@ -0,0 +1,4 @@ +from urllib import request + +def main(): + print("coiso") \ No newline at end of file diff --git a/test/fixtures/dockerfile/python_sample b/test/fixtures/dockerfile/python_sample new file mode 100644 index 00000000000..9ff07a2e724 --- /dev/null +++ b/test/fixtures/dockerfile/python_sample @@ -0,0 +1,7 @@ +from urllib import request + +def main(): + print("coiso") + # I love the RUN docker funtion and the FROM too + + From f02ed8af7be17feb2967009954bb0039e0b4532e Mon Sep 17 00:00:00 2001 
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Tue, 14 Apr 2026 16:42:59 +0100 Subject: [PATCH 69/84] New samples and improved, tailored regex for dockerfile FROM statement identification - E2E test should break --- pkg/utils/get_extension.go | 4 +++- test/fixtures/dockerfile/python_sample | 7 ------- .../dockerfile/should_generate_payload/sample1 | 4 ++++ .../dockerfile/should_generate_payload/sample2 | 5 +++++ .../dockerfile/should_generate_payload/sample3 | 4 ++++ .../dockerfile/should_generate_payload/sample4 | 4 ++++ .../dockerfile/should_generate_payload/sample5 | 7 +++++++ .../dockerfile/should_generate_payload/sample6 | 3 +++ .../dockerfile/should_generate_payload/sample7 | 3 +++ .../dockerfile/should_generate_payload/sample8 | 3 +++ .../should_not_generate_payload/negative_email | 6 ++++++ .../should_not_generate_payload/negative_hiveql | 10 ++++++++++ .../should_not_generate_payload/negative_python | 6 ++++++ .../should_not_generate_payload/negative_sparql | 5 +++++ .../should_not_generate_payload/negative_sql | 6 ++++++ 15 files changed, 69 insertions(+), 8 deletions(-) delete mode 100644 test/fixtures/dockerfile/python_sample create mode 100644 test/fixtures/dockerfile/should_generate_payload/sample1 create mode 100644 test/fixtures/dockerfile/should_generate_payload/sample2 create mode 100644 test/fixtures/dockerfile/should_generate_payload/sample3 create mode 100644 test/fixtures/dockerfile/should_generate_payload/sample4 create mode 100644 test/fixtures/dockerfile/should_generate_payload/sample5 create mode 100644 test/fixtures/dockerfile/should_generate_payload/sample6 create mode 100644 test/fixtures/dockerfile/should_generate_payload/sample7 create mode 100644 test/fixtures/dockerfile/should_generate_payload/sample8 create mode 100644 test/fixtures/negative_dockerfile/should_not_generate_payload/negative_email create mode 100644 test/fixtures/negative_dockerfile/should_not_generate_payload/negative_hiveql create 
mode 100644 test/fixtures/negative_dockerfile/should_not_generate_payload/negative_python create mode 100644 test/fixtures/negative_dockerfile/should_not_generate_payload/negative_sparql create mode 100644 test/fixtures/negative_dockerfile/should_not_generate_payload/negative_sql
diff --git a/pkg/utils/get_extension.go b/pkg/utils/get_extension.go
index b845a0cbcc4..9647bd04fb3 100644
--- a/pkg/utils/get_extension.go
+++ b/pkg/utils/get_extension.go
@@ -86,7 +86,9 @@ func readPossibleDockerFile(path string) bool {
 if strings.HasPrefix(scanner.Text(), "#") || strings.HasPrefix(strings.ToLower(scanner.Text()), "arg") || scanner.Text() == "" {
 continue
 } else {
- matched, _ := regexp.MatchString(`(?i)FROM\s+\S+(\s*$|\s+AS\s+\S+\s*$)`, scanner.Text())
+ UrlRegex := `[-a-zA-Z0-9@:%._\+~#=]{2,256}\.[a-z]{2,6}\b([-a-zA-Z0-9@:%_\+.~#?&//=]*)`
+ pattern := `(?i)^\s*FROM\s+(--platform=\S+\s+)?(` + UrlRegex + `:[0-9]+)?[a-zA-Z0-9.\-/]+(:[a-zA-Z0-9.\-_]+)?(\s*$|\s+AS\s+\S+\s*$)`
+ matched, _ := regexp.MatchString(pattern, scanner.Text())
 return matched
 }
 }
diff --git a/test/fixtures/dockerfile/python_sample b/test/fixtures/dockerfile/python_sample
deleted file mode 100644
index 9ff07a2e724..00000000000
--- a/test/fixtures/dockerfile/python_sample
+++ /dev/null
@@ -1,7 +0,0 @@
-from urllib import request
-
-def main():
- print("coiso")
- # I love the RUN docker funtion and the FROM too
-
-
diff --git a/test/fixtures/dockerfile/should_generate_payload/sample1 b/test/fixtures/dockerfile/should_generate_payload/sample1
new file mode 100644
index 00000000000..e01804be298
--- /dev/null
+++ b/test/fixtures/dockerfile/should_generate_payload/sample1
@@ -0,0 +1,4 @@
+FROM --platform=linux/arm64 scratch
+COPY myapp /
+ENTRYPOINT ["/myapp"]
+ADD ${JAR_FILE} app.jar
diff --git a/test/fixtures/dockerfile/should_generate_payload/sample2 b/test/fixtures/dockerfile/should_generate_payload/sample2
new file mode 100644
index 00000000000..05995cd46b0
--- /dev/null
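Review bot: The image-name class `[a-zA-Z0-9.\-/]+` in the new `pattern` rejects `FROM ${BASE_IMAGE}`, `FROM $BASE_IMAGE`, `FROM image@sha256:…` and repository paths containing `_`, so an extension-less Dockerfile that opens with `ARG BASE_IMAGE=…` followed by `FROM ${BASE_IMAGE}` — exactly the shape the loop above skips `arg` lines to reach — is not identified and therefore never scanned, a silent false negative for the scanner. The negative_hiveql fixture shows the `_` exclusion is deliberate (it keeps `FROM table_name` out), but variable and digest references are standard Dockerfile syntax and deserve positive fixtures of their own. One way to admit them without re-admitting the HiveQL case is to make the name part an alternation, e.g. `(\$\{?[A-Za-z_][A-Za-z0-9_]*\}?|[a-zA-Z0-9.\-/]+)(:[a-zA-Z0-9.\-_]+)?(@sha256:[0-9a-f]+)?`, and to document the accepted shapes in a comment above `pattern`. Separately, `UrlRegex` is a local variable, so Go naming would make it `urlRegex` (initialism aside, locals are lowerCamel). readPossibleDockerFile's opening lines are outside the hunk.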
+++ b/test/fixtures/dockerfile/should_generate_payload/sample2 @@ -0,0 +1,5 @@ +FROM --platform=linux/amd64 ubuntu:latest AS builder +RUN apt-get update && apt-get install -y gcc +COPY . /src +RUN make /src +ADD ${JAR_FILE} app.jar \ No newline at end of file diff --git a/test/fixtures/dockerfile/should_generate_payload/sample3 b/test/fixtures/dockerfile/should_generate_payload/sample3 new file mode 100644 index 00000000000..17b821aaf81 --- /dev/null +++ b/test/fixtures/dockerfile/should_generate_payload/sample3 @@ -0,0 +1,4 @@ +FROM --platform=linux/amd64 alpine:latest +COPY --from=builder /src/bin /usr/local/bin/ +CMD ["/usr/local/bin/app"] +ADD ${JAR_FILE} app.jar diff --git a/test/fixtures/dockerfile/should_generate_payload/sample4 b/test/fixtures/dockerfile/should_generate_payload/sample4 new file mode 100644 index 00000000000..041cefc4a50 --- /dev/null +++ b/test/fixtures/dockerfile/should_generate_payload/sample4 @@ -0,0 +1,4 @@ +FROM --platform=linux/amd64 ubuntu:latest +RUN apt-get update && apt-get install -y curl +CMD ["/bin/bash"] +ADD ${JAR_FILE} app.jar \ No newline at end of file diff --git a/test/fixtures/dockerfile/should_generate_payload/sample5 b/test/fixtures/dockerfile/should_generate_payload/sample5 new file mode 100644 index 00000000000..41c3caeb340 --- /dev/null +++ b/test/fixtures/dockerfile/should_generate_payload/sample5 @@ -0,0 +1,7 @@ +ARG BUILDPLATFORM +FROM --platform=$BUILDPLATFORM golang:1.21 +WORKDIR /src +COPY . . +RUN go build -o /app +CMD ["/app"] +ADD ${JAR_FILE} app.jar \ No newline at end of file diff --git a/test/fixtures/dockerfile/should_generate_payload/sample6 b/test/fixtures/dockerfile/should_generate_payload/sample6 new file mode 100644 index 00000000000..c0349d7a372 --- /dev/null +++ b/test/fixtures/dockerfile/should_generate_payload/sample6 @@ -0,0 +1,3 @@ +FROM --platform=linux/amd64 ubuntu +RUN echo "hello" +ADD ${JAR_FILE} app.jar \ No newline at end of file 
diff --git a/test/fixtures/dockerfile/should_generate_payload/sample7 b/test/fixtures/dockerfile/should_generate_payload/sample7 new file mode 100644 index 00000000000..82ce75f9502 --- /dev/null +++ b/test/fixtures/dockerfile/should_generate_payload/sample7 @@ -0,0 +1,3 @@ +FROM example.com:5000/team/my-app:2.0 +RUN echo "hello" +ADD ${JAR_FILE} app.jar \ No newline at end of file diff --git a/test/fixtures/dockerfile/should_generate_payload/sample8 b/test/fixtures/dockerfile/should_generate_payload/sample8 new file mode 100644 index 00000000000..f48911c6989 --- /dev/null +++ b/test/fixtures/dockerfile/should_generate_payload/sample8 @@ -0,0 +1,3 @@ +FROM bighostnameusedasasample.example.com:4903/team/my-app:2.0 +RUN echo "hello" +ADD ${JAR_FILE} app.jar \ No newline at end of file diff --git a/test/fixtures/negative_dockerfile/should_not_generate_payload/negative_email b/test/fixtures/negative_dockerfile/should_not_generate_payload/negative_email new file mode 100644 index 00000000000..6e97e688a7b --- /dev/null +++ b/test/fixtures/negative_dockerfile/should_not_generate_payload/negative_email @@ -0,0 +1,6 @@ +From user@example.com +# "@" is not allowed +Subject: Test email +Date: Thu, 1 Jan 2024 00:00:00 +0000 + +This is the body of the email. diff --git a/test/fixtures/negative_dockerfile/should_not_generate_payload/negative_hiveql b/test/fixtures/negative_dockerfile/should_not_generate_payload/negative_hiveql new file mode 100644 index 00000000000..c74992bd9df --- /dev/null +++ b/test/fixtures/negative_dockerfile/should_not_generate_payload/negative_hiveql @@ -0,0 +1,10 @@ +# HiveQL - FROM before SELECT is valid syntax +FROM table_name +# "_" is not allowed outside of image tag +SELECT col1, col2, col3 +WHERE partition_date = '2024-01-01' + +# HiveQL with database-qualified table +FROM database.table_name +SELECT * +LIMIT 100 \ No newline at end of file 
diff --git a/test/fixtures/negative_dockerfile/should_not_generate_payload/negative_python b/test/fixtures/negative_dockerfile/should_not_generate_payload/negative_python new file mode 100644 index 00000000000..04d8bf2ca65 --- /dev/null +++ b/test/fixtures/negative_dockerfile/should_not_generate_payload/negative_python @@ -0,0 +1,6 @@ +from urllib import request + +def main(): + print("Dockerfile sample") + + diff --git a/test/fixtures/negative_dockerfile/should_not_generate_payload/negative_sparql b/test/fixtures/negative_dockerfile/should_not_generate_payload/negative_sparql new file mode 100644 index 00000000000..157cddd825b --- /dev/null +++ b/test/fixtures/negative_dockerfile/should_not_generate_payload/negative_sparql @@ -0,0 +1,5 @@ +# SPARQL query with named graph +FROM +# "<" and ">" are not allowed +SELECT ?subject ?predicate ?object +WHERE { ?subject ?predicate ?object } diff --git a/test/fixtures/negative_dockerfile/should_not_generate_payload/negative_sql b/test/fixtures/negative_dockerfile/should_not_generate_payload/negative_sql new file mode 100644 index 00000000000..95c0b246f22 --- /dev/null +++ b/test/fixtures/negative_dockerfile/should_not_generate_payload/negative_sql @@ -0,0 +1,6 @@ +# SQL with subquery alias +FROM (SELECT * FROM t) AS sub +# Note the double FROM +# 1 - "(" and "*" are not not alowed +# 2 - anything other than whitespaces before a FROM is not allowed + ")" is not alowed +WHERE sub.status = 'active' \ No newline at end of file From 11193bdd8a048f39010a730519002783eb0ee377 Mon Sep 17 00:00:00 2001 From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Tue, 14 Apr 2026 17:37:07 +0100 Subject: [PATCH 70/84] Removed duplicated sample(negative) that was in positive test fixture dockerfile folder, updated E2E results --- e2e/fixtures/E2E_CLI_106_PAYLOAD.json | 3723 ++++++++++++++----------- e2e/fixtures/E2E_CLI_106_RESULT.json | 656 ++++- 2 files changed, 2696 insertions(+), 1683 deletions(-) 
diff --git a/e2e/fixtures/E2E_CLI_106_PAYLOAD.json b/e2e/fixtures/E2E_CLI_106_PAYLOAD.json index 8a142fb5baf..f6e54c4ea43 100644 --- a/e2e/fixtures/E2E_CLI_106_PAYLOAD.json +++ b/e2e/fixtures/E2E_CLI_106_PAYLOAD.json 
@@ -1,1616 +1,2113 @@ { - "document": [ - { - "args": [], - "command": { - "openjdk:10-jdk": [ - { - "Cmd": "from", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "FROM openjdk:10-jdk", - "SubCmd": "", - "Value": [ - "openjdk:10-jdk" - ], - "_kics_line": 1 - }, - { - "Cmd": "volume", - "EndLine": 2, - "Flags": [], - "JSON": false, - "Original": "VOLUME /tmp", - "SubCmd": "", - "Value": [ - "/tmp" - ], - "_kics_line": 2 - }, - { - "Cmd": "add", - "EndLine": 3, - "Flags": [], - "JSON": false, - "Original": "ADD http://source.file/package.file.tar.gz /temp", - "SubCmd": "", - "Value": [ - "http://source.file/package.file.tar.gz", - "/temp" - ], - "_kics_line": 3 - }, - { - "Cmd": "run", - "EndLine": 4, - "Flags": [], - "JSON": false, - "Original": "RUN tar -xjf /temp/package.file.tar.gz", - "SubCmd": "", - "Value": [ - "tar -xjf /temp/package.file.tar.gz" - ], - "_kics_line": 4 - }, - { - "Cmd": "arg", - "EndLine": 5, - "Flags": [], - "JSON": false, - "Original": "ARG JAR_FILE", - "SubCmd": "", - "Value": [ - "JAR_FILE" - ], - "_kics_line": 5 - }, - { - "Cmd": "add", - "EndLine": 6, - "Flags": [], - "JSON": false, - "Original": "ADD ${JAR_FILE} app.jar", - "SubCmd": "", - "Value": [ - "${JAR_FILE}", - "app.jar" - ], - "_kics_line": 6 - }, - { - "Cmd": "entrypoint", - "EndLine": 7, - "Flags": [], - "JSON": true, - "Original": "ENTRYPOINT [\"java\",\"-Djava.security.egd=file:/dev/./urandom\",\"-jar\",\"/app.jar\"]", - "SubCmd": "", - "Value": [ - "java", - "-Djava.security.egd=file:/dev/./urandom", - "-jar", - "/app.jar" - ], - "_kics_line": 7 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [], - "command": { - "alpine:3.19 AS builder": [ - { - "Cmd": "from", - "EndLine": 13, - "Flags": [], - "JSON": false, - "Original": "FROM alpine:3.19 AS builder", - "SubCmd": "", - "Value": [ - "alpine:3.19", - "AS", - "builder" - ], - "_kics_line": 13 - }, - { - "Cmd": "copy", - "EndLine": 15, - "Flags": [], - "JSON": false, - "Original": "COPY . 
.", - "SubCmd": "", - "Value": [ - ".", - "." - ], - "_kics_line": 15 - }, - { - "Cmd": "healthcheck", - "EndLine": 17, - "Flags": [ - "--interval=30s", - "--timeout=30s", - "--start-period=5s", - "--retries=3" - ], - "JSON": true, - "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", - "SubCmd": "", - "Value": [ - "CMD", - "executable" - ], - "_kics_line": 17 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [ - { - "Cmd": "arg", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "ARG VERSION=1.0", - "SubCmd": "", - "Value": [ - "VERSION=1.0" - ], - "_kics_line": 1 - }, - { - "Cmd": "arg", - "EndLine": 2, - "Flags": [], - "JSON": false, - "Original": "ARG BASE_IMAGE=ubuntu:22.04", - "SubCmd": "", - "Value": [ - "BASE_IMAGE=ubuntu:22.04" - ], - "_kics_line": 2 - } - ], - "command": { - "alpine:3.19 AS builder": [ - { - "Cmd": "from", - "EndLine": 4, - "Flags": [], - "JSON": false, - "Original": "FROM alpine:3.19 AS builder", - "SubCmd": "", - "Value": [ - "alpine:3.19", - "AS", - "builder" - ], - "_kics_line": 4 - }, - { - "Cmd": "copy", - "EndLine": 6, - "Flags": [], - "JSON": false, - "Original": "COPY . .", - "SubCmd": "", - "Value": [ - ".", - "." 
- ], - "_kics_line": 6 - }, - { - "Cmd": "healthcheck", - "EndLine": 8, - "Flags": [ - "--interval=30s", - "--timeout=30s", - "--start-period=5s", - "--retries=3" - ], - "JSON": true, - "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", - "SubCmd": "", - "Value": [ - "CMD", - "executable" - ], - "_kics_line": 8 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [ - { - "Cmd": "arg", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "ARG VERSION=1.0", - "SubCmd": "", - "Value": [ - "VERSION=1.0" - ], - "_kics_line": 1 - }, - { - "Cmd": "arg", - "EndLine": 2, - "Flags": [], - "JSON": false, - "Original": "ARG BASE_IMAGE=ubuntu:22.04", - "SubCmd": "", - "Value": [ - "BASE_IMAGE=ubuntu:22.04" - ], - "_kics_line": 2 - } - ], - "command": { - "alpine:3.19 AS builder": [ - { - "Cmd": "from", - "EndLine": 4, - "Flags": [], - "JSON": false, - "Original": "FROM alpine:3.19 AS builder", - "SubCmd": "", - "Value": [ - "alpine:3.19", - "AS", - "builder" - ], - "_kics_line": 4 - }, - { - "Cmd": "copy", - "EndLine": 6, - "Flags": [], - "JSON": false, - "Original": "COPY . .", - "SubCmd": "", - "Value": [ - ".", - "." 
- ], - "_kics_line": 6 - }, - { - "Cmd": "healthcheck", - "EndLine": 8, - "Flags": [ - "--interval=30s", - "--timeout=30s", - "--start-period=5s", - "--retries=3" - ], - "JSON": true, - "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", - "SubCmd": "", - "Value": [ - "CMD", - "executable" - ], - "_kics_line": 8 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [ - { - "Cmd": "arg", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "ARG VERSION=1.0", - "SubCmd": "", - "Value": [ - "VERSION=1.0" - ], - "_kics_line": 1 - }, - { - "Cmd": "arg", - "EndLine": 2, - "Flags": [], - "JSON": false, - "Original": "ARG BASE_IMAGE=ubuntu:22.04", - "SubCmd": "", - "Value": [ - "BASE_IMAGE=ubuntu:22.04" - ], - "_kics_line": 2 - } - ], - "command": { - "alpine:3.19 AS builder": [ - { - "Cmd": "from", - "EndLine": 4, - "Flags": [], - "JSON": false, - "Original": "FROM alpine:3.19 AS builder", - "SubCmd": "", - "Value": [ - "alpine:3.19", - "AS", - "builder" - ], - "_kics_line": 4 - }, - { - "Cmd": "copy", - "EndLine": 6, - "Flags": [], - "JSON": false, - "Original": "COPY . .", - "SubCmd": "", - "Value": [ - ".", - "." 
- ], - "_kics_line": 6 - }, - { - "Cmd": "healthcheck", - "EndLine": 8, - "Flags": [ - "--interval=30s", - "--timeout=30s", - "--start-period=5s", - "--retries=3" - ], - "JSON": true, - "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", - "SubCmd": "", - "Value": [ - "CMD", - "executable" - ], - "_kics_line": 8 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [ - { - "Cmd": "arg", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "ARG BASE_IMAGE=ubuntu:22.04", - "SubCmd": "", - "Value": [ - "BASE_IMAGE=ubuntu:22.04" - ], - "_kics_line": 1 - }, - { - "Cmd": "arg", - "EndLine": 4, - "Flags": [], - "JSON": false, - "Original": "ARG JAR_FILE", - "SubCmd": "", - "Value": [ - "JAR_FILE" - ], - "_kics_line": 4 - } - ], - "command": { - "alpine:3.19 AS builder": [ - { - "Cmd": "from", - "EndLine": 6, - "Flags": [], - "JSON": false, - "Original": "FROM alpine:3.19 AS builder", - "SubCmd": "", - "Value": [ - "alpine:3.19", - "AS", - "builder" - ], - "_kics_line": 6 - }, - { - "Cmd": "copy", - "EndLine": 8, - "Flags": [], - "JSON": false, - "Original": "COPY . .", - "SubCmd": "", - "Value": [ - ".", - "." 
- ], - "_kics_line": 8 - }, - { - "Cmd": "healthcheck", - "EndLine": 10, - "Flags": [ - "--interval=30s", - "--timeout=30s", - "--start-period=5s", - "--retries=3" - ], - "JSON": true, - "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", - "SubCmd": "", - "Value": [ - "CMD", - "executable" - ], - "_kics_line": 10 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [ - { - "Cmd": "arg", - "EndLine": 2, - "Flags": [], - "JSON": false, - "Original": "ARG BASE_IMAGE=ubuntu:22.04", - "SubCmd": "", - "Value": [ - "BASE_IMAGE=ubuntu:22.04" - ], - "_kics_line": 2 - } - ], - "command": { - "alpine:3.19 AS builder": [ - { - "Cmd": "from", - "EndLine": 6, - "Flags": [], - "JSON": false, - "Original": "FROM alpine:3.19 AS builder", - "SubCmd": "", - "Value": [ - "alpine:3.19", - "AS", - "builder" - ], - "_kics_line": 6 - }, - { - "Cmd": "copy", - "EndLine": 8, - "Flags": [], - "JSON": false, - "Original": "COPY . .", - "SubCmd": "", - "Value": [ - ".", - "." 
- ], - "_kics_line": 8 - }, - { - "Cmd": "healthcheck", - "EndLine": 10, - "Flags": [ - "--interval=30s", - "--timeout=30s", - "--start-period=5s", - "--retries=3" - ], - "JSON": true, - "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", - "SubCmd": "", - "Value": [ - "CMD", - "executable" - ], - "_kics_line": 10 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [ - { - "Cmd": "arg", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "ARG BASE_IMAGE=ubuntu:22.04", - "SubCmd": "", - "Value": [ - "BASE_IMAGE=ubuntu:22.04" - ], - "_kics_line": 1 - } - ], - "command": { - "alpine:3.19 AS builder": [ - { - "Cmd": "from", - "EndLine": 4, - "Flags": [], - "JSON": false, - "Original": "FROM alpine:3.19 AS builder", - "SubCmd": "", - "Value": [ - "alpine:3.19", - "AS", - "builder" - ], - "_kics_line": 4 - }, - { - "Cmd": "copy", - "EndLine": 6, - "Flags": [], - "JSON": false, - "Original": "COPY .. .", - "SubCmd": "", - "Value": [ - "..", - "." 
- ], - "_kics_line": 6 - }, - { - "Cmd": "healthcheck", - "EndLine": 8, - "Flags": [ - "--interval=30s", - "--timeout=30s", - "--start-period=5s", - "--retries=3" - ], - "JSON": true, - "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", - "SubCmd": "", - "Value": [ - "CMD", - "executable" - ], - "_kics_line": 8 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [ - { - "Cmd": "arg", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "ARG BASE_IMAGE=ubuntu:22.04", - "SubCmd": "", - "Value": [ - "BASE_IMAGE=ubuntu:22.04" - ], - "_kics_line": 1 - } - ], - "command": { - "alpine:3.19 AS builder": [ - { - "Cmd": "from", - "EndLine": 3, - "Flags": [], - "JSON": false, - "Original": "FROM alpine:3.19 AS builder", - "SubCmd": "", - "Value": [ - "alpine:3.19", - "AS", - "builder" - ], - "_kics_line": 3 - }, - { - "Cmd": "copy", - "EndLine": 5, - "Flags": [], - "JSON": false, - "Original": "COPY . .", - "SubCmd": "", - "Value": [ - ".", - "." - ], - "_kics_line": 5 - }, - { - "Cmd": "healthcheck", - "EndLine": 7, - "Flags": [ - "--interval=30s", - "--timeout=30s", - "--start-period=5s", - "--retries=3" - ], - "JSON": true, - "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", - "SubCmd": "", - "Value": [ - "CMD", - "executable" - ], - "_kics_line": 7 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [], - "command": { - "alpine:3.19 as builder": [ - { - "Cmd": "from", - "EndLine": 13, - "Flags": [], - "JSON": false, - "Original": "from alpine:3.19 as builder", - "SubCmd": "", - "Value": [ - "alpine:3.19", - "as", - "builder" - ], - "_kics_line": 13 - }, - { - "Cmd": "copy", - "EndLine": 15, - "Flags": [], - "JSON": false, - "Original": "copy . .", - "SubCmd": "", - "Value": [ - ".", - "." 
- ], - "_kics_line": 15 - }, - { - "Cmd": "healthcheck", - "EndLine": 17, - "Flags": [ - "--interval=30s", - "--timeout=30s", - "--start-period=5s", - "--retries=3" - ], - "JSON": true, - "Original": "healthcheck --interval=30s --timeout=30s --start-period=5s --retries=3 cmd [ \"executable\" ]", - "SubCmd": "", - "Value": [ - "cmd", - "executable" - ], - "_kics_line": 17 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [ - { - "Cmd": "arg", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "arg VERSION=1.0", - "SubCmd": "", - "Value": [ - "VERSION=1.0" - ], - "_kics_line": 1 - }, - { - "Cmd": "arg", - "EndLine": 2, - "Flags": [], - "JSON": false, - "Original": "arg BASE_IMAGE=ubuntu:22.04", - "SubCmd": "", - "Value": [ - "BASE_IMAGE=ubuntu:22.04" - ], - "_kics_line": 2 - } - ], - "command": { - "alpine:3.19 as builder": [ - { - "Cmd": "from", - "EndLine": 4, - "Flags": [], - "JSON": false, - "Original": "from alpine:3.19 as builder", - "SubCmd": "", - "Value": [ - "alpine:3.19", - "as", - "builder" - ], - "_kics_line": 4 - }, - { - "Cmd": "copy", - "EndLine": 6, - "Flags": [], - "JSON": false, - "Original": "copy . .", - "SubCmd": "", - "Value": [ - ".", - "." 
- ], - "_kics_line": 6 - }, - { - "Cmd": "healthcheck", - "EndLine": 8, - "Flags": [ - "--interval=30s", - "--timeout=30s", - "--start-period=5s", - "--retries=3" - ], - "JSON": true, - "Original": "healthcheck --interval=30s --timeout=30s --start-period=5s --retries=3 cmd [ \"executable\" ]", - "SubCmd": "", - "Value": [ - "cmd", - "executable" - ], - "_kics_line": 8 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [ - { - "Cmd": "arg", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "arg VERSION=1.0", - "SubCmd": "", - "Value": [ - "VERSION=1.0" - ], - "_kics_line": 1 - }, - { - "Cmd": "arg", - "EndLine": 2, - "Flags": [], - "JSON": false, - "Original": "arg BASE_IMAGE=ubuntu:22.04", - "SubCmd": "", - "Value": [ - "BASE_IMAGE=ubuntu:22.04" - ], - "_kics_line": 2 - } - ], - "command": { - "alpine:3.19 as builder": [ - { - "Cmd": "from", - "EndLine": 4, - "Flags": [], - "JSON": false, - "Original": "from alpine:3.19 as builder", - "SubCmd": "", - "Value": [ - "alpine:3.19", - "as", - "builder" - ], - "_kics_line": 4 - }, - { - "Cmd": "copy", - "EndLine": 6, - "Flags": [], - "JSON": false, - "Original": "copy . .", - "SubCmd": "", - "Value": [ - ".", - "." 
- ], - "_kics_line": 6 - }, - { - "Cmd": "healthcheck", - "EndLine": 8, - "Flags": [ - "--interval=30s", - "--timeout=30s", - "--start-period=5s", - "--retries=3" - ], - "JSON": true, - "Original": "healthcheck --interval=30s --timeout=30s --start-period=5s --retries=3 cmd [ \"executable\" ]", - "SubCmd": "", - "Value": [ - "cmd", - "executable" - ], - "_kics_line": 8 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [ - { - "Cmd": "arg", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "arg VERSION=1.0", - "SubCmd": "", - "Value": [ - "VERSION=1.0" - ], - "_kics_line": 1 - }, - { - "Cmd": "arg", - "EndLine": 2, - "Flags": [], - "JSON": false, - "Original": "arg BASE_IMAGE=ubuntu:22.04", - "SubCmd": "", - "Value": [ - "BASE_IMAGE=ubuntu:22.04" - ], - "_kics_line": 2 - } - ], - "command": { - "alpine:3.19 as builder": [ - { - "Cmd": "from", - "EndLine": 4, - "Flags": [], - "JSON": false, - "Original": "from alpine:3.19 as builder", - "SubCmd": "", - "Value": [ - "alpine:3.19", - "as", - "builder" - ], - "_kics_line": 4 - }, - { - "Cmd": "copy", - "EndLine": 6, - "Flags": [], - "JSON": false, - "Original": "copy . .", - "SubCmd": "", - "Value": [ - ".", - "." 
- ], - "_kics_line": 6 - }, - { - "Cmd": "healthcheck", - "EndLine": 8, - "Flags": [ - "--interval=30s", - "--timeout=30s", - "--start-period=5s", - "--retries=3" - ], - "JSON": true, - "Original": "healthcheck --interval=30s --timeout=30s --start-period=5s --retries=3 cmd [ \"executable\" ]", - "SubCmd": "", - "Value": [ - "cmd", - "executable" - ], - "_kics_line": 8 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [ - { - "Cmd": "arg", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "arg BASE_IMAGE=ubuntu:22.04", - "SubCmd": "", - "Value": [ - "BASE_IMAGE=ubuntu:22.04" - ], - "_kics_line": 1 - }, - { - "Cmd": "arg", - "EndLine": 4, - "Flags": [], - "JSON": false, - "Original": "arg JAR_FILE", - "SubCmd": "", - "Value": [ - "JAR_FILE" - ], - "_kics_line": 4 - } - ], - "command": { - "alpine:3.19 as builder": [ - { - "Cmd": "from", - "EndLine": 6, - "Flags": [], - "JSON": false, - "Original": "from alpine:3.19 as builder", - "SubCmd": "", - "Value": [ - "alpine:3.19", - "as", - "builder" - ], - "_kics_line": 6 - }, - { - "Cmd": "copy", - "EndLine": 8, - "Flags": [], - "JSON": false, - "Original": "copy . .", - "SubCmd": "", - "Value": [ - ".", - "." 
- ], - "_kics_line": 8 - }, - { - "Cmd": "healthcheck", - "EndLine": 10, - "Flags": [ - "--interval=30s", - "--timeout=30s", - "--start-period=5s", - "--retries=3" - ], - "JSON": true, - "Original": "healthcheck --interval=30s --timeout=30s --start-period=5s --retries=3 cmd [ \"executable\" ]", - "SubCmd": "", - "Value": [ - "cmd", - "executable" - ], - "_kics_line": 10 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [ - { - "Cmd": "arg", - "EndLine": 2, - "Flags": [], - "JSON": false, - "Original": "arg BASE_IMAGE=ubuntu:22.04", - "SubCmd": "", - "Value": [ - "BASE_IMAGE=ubuntu:22.04" - ], - "_kics_line": 2 - } - ], - "command": { - "alpine:3.19 as builder": [ - { - "Cmd": "from", - "EndLine": 6, - "Flags": [], - "JSON": false, - "Original": "from alpine:3.19 as builder", - "SubCmd": "", - "Value": [ - "alpine:3.19", - "as", - "builder" - ], - "_kics_line": 6 - }, - { - "Cmd": "copy", - "EndLine": 8, - "Flags": [], - "JSON": false, - "Original": "copy . .", - "SubCmd": "", - "Value": [ - ".", - "." 
- ], - "_kics_line": 8 - }, - { - "Cmd": "healthcheck", - "EndLine": 10, - "Flags": [ - "--interval=30s", - "--timeout=30s", - "--start-period=5s", - "--retries=3" - ], - "JSON": true, - "Original": "healthcheck --interval=30s --timeout=30s --start-period=5s --retries=3 cmd [ \"executable\" ]", - "SubCmd": "", - "Value": [ - "cmd", - "executable" - ], - "_kics_line": 10 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [ - { - "Cmd": "arg", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "arg BASE_IMAGE=ubuntu:22.04", - "SubCmd": "", - "Value": [ - "BASE_IMAGE=ubuntu:22.04" - ], - "_kics_line": 1 - } - ], - "command": { - "alpine:3.19 AS builder": [ - { - "Cmd": "from", - "EndLine": 4, - "Flags": [], - "JSON": false, - "Original": "from alpine:3.19 AS builder", - "SubCmd": "", - "Value": [ - "alpine:3.19", - "AS", - "builder" - ], - "_kics_line": 4 - }, - { - "Cmd": "copy", - "EndLine": 6, - "Flags": [], - "JSON": false, - "Original": "copy .. .", - "SubCmd": "", - "Value": [ - "..", - "." 
- ], - "_kics_line": 6 - }, - { - "Cmd": "healthcheck", - "EndLine": 8, - "Flags": [ - "--interval=30s", - "--timeout=30s", - "--start-period=5s", - "--retries=3" - ], - "JSON": true, - "Original": "healthcheck --interval=30s --timeout=30s --start-period=5s --retries=3 cmd [ \"executable\" ]", - "SubCmd": "", - "Value": [ - "cmd", - "executable" - ], - "_kics_line": 8 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [ - { - "Cmd": "arg", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "arg BASE_IMAGE=ubuntu:22.04", - "SubCmd": "", - "Value": [ - "BASE_IMAGE=ubuntu:22.04" - ], - "_kics_line": 1 - } - ], - "command": { - "alpine:3.19 as builder": [ - { - "Cmd": "from", - "EndLine": 3, - "Flags": [], - "JSON": false, - "Original": "from alpine:3.19 as builder", - "SubCmd": "", - "Value": [ - "alpine:3.19", - "as", - "builder" - ], - "_kics_line": 3 - }, - { - "Cmd": "copy", - "EndLine": 5, - "Flags": [], - "JSON": false, - "Original": "copy . .", - "SubCmd": "", - "Value": [ - ".", - "." 
- ], - "_kics_line": 5 - }, - { - "Cmd": "healthcheck", - "EndLine": 7, - "Flags": [ - "--interval=30s", - "--timeout=30s", - "--start-period=5s", - "--retries=3" - ], - "JSON": true, - "Original": "healthcheck --interval=30s --timeout=30s --start-period=5s --retries=3 cmd [ \"executable\" ]", - "SubCmd": "", - "Value": [ - "cmd", - "executable" - ], - "_kics_line": 7 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [], - "command": { - "alpine:latest": [ - { - "Cmd": "from", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "FROM alpine:latest", - "SubCmd": "", - "Value": [ - "alpine:latest" - ], - "_kics_line": 1 - }, - { - "Cmd": "copy", - "EndLine": 3, - "Flags": [], - "JSON": false, - "Original": "COPY {{ file_path }} /test", - "SubCmd": "", - "Value": [ - "{{", - "file_path", - "}}", - "/test" - ], - "_kics_line": 3 - }, - { - "Cmd": "run", - "EndLine": 5, - "Flags": [], - "JSON": false, - "Original": "RUN echo \"failure\"", - "SubCmd": "", - "Value": [ - "echo \"failure\"" - ], - "_kics_line": 5 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [], - "command": { - "alpine:3.19 AS builder": [ - { - "Cmd": "from", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "FROM alpine:3.19 AS builder", - "SubCmd": "", - "Value": [ - "alpine:3.19", - "AS", - "builder" - ], - "_kics_line": 1 - }, - { - "Cmd": "copy", - "EndLine": 3, - "Flags": [], - "JSON": false, - "Original": "COPY . .", - "SubCmd": "", - "Value": [ - ".", - "." 
- ], - "_kics_line": 3 - }, - { - "Cmd": "healthcheck", - "EndLine": 5, - "Flags": [ - "--interval=30s", - "--timeout=30s", - "--start-period=5s", - "--retries=3" - ], - "JSON": true, - "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", - "SubCmd": "", - "Value": [ - "CMD", - "executable" - ], - "_kics_line": 5 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [], - "command": { - "alpine:3.19 AS builder": [ - { - "Cmd": "from", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "FROM alpine:3.19 AS builder", - "SubCmd": "", - "Value": [ - "alpine:3.19", - "AS", - "builder" - ], - "_kics_line": 1 - }, - { - "Cmd": "copy", - "EndLine": 3, - "Flags": [], - "JSON": false, - "Original": "COPY . .", - "SubCmd": "", - "Value": [ - ".", - "." - ], - "_kics_line": 3 - }, - { - "Cmd": "healthcheck", - "EndLine": 5, - "Flags": [ - "--interval=30s", - "--timeout=30s", - "--start-period=5s", - "--retries=3" - ], - "JSON": true, - "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", - "SubCmd": "", - "Value": [ - "CMD", - "executable" - ], - "_kics_line": 5 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [], - "command": { - "alpine:3.19 AS builder": [ - { - "Cmd": "from", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "FROM alpine:3.19 AS builder", - "SubCmd": "", - "Value": [ - "alpine:3.19", - "AS", - "builder" - ], - "_kics_line": 1 - }, - { - "Cmd": "copy", - "EndLine": 3, - "Flags": [], - "JSON": false, - "Original": "COPY . .", - "SubCmd": "", - "Value": [ - ".", - "." 
- ], - "_kics_line": 3 - }, - { - "Cmd": "healthcheck", - "EndLine": 5, - "Flags": [ - "--interval=30s", - "--timeout=30s", - "--start-period=5s", - "--retries=3" - ], - "JSON": true, - "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", - "SubCmd": "", - "Value": [ - "CMD", - "executable" - ], - "_kics_line": 5 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [], - "command": { - "alpine:3.19 AS builder": [ - { - "Cmd": "from", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "FROM alpine:3.19 AS builder", - "SubCmd": "", - "Value": [ - "alpine:3.19", - "AS", - "builder" - ], - "_kics_line": 1 - }, - { - "Cmd": "copy", - "EndLine": 3, - "Flags": [], - "JSON": false, - "Original": "COPY . .", - "SubCmd": "", - "Value": [ - ".", - "." - ], - "_kics_line": 3 - }, - { - "Cmd": "healthcheck", - "EndLine": 5, - "Flags": [ - "--interval=30s", - "--timeout=30s", - "--start-period=5s", - "--retries=3" - ], - "JSON": true, - "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", - "SubCmd": "", - "Value": [ - "CMD", - "executable" - ], - "_kics_line": 5 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [], - "command": { - "alpine:3.19 AS builder": [ - { - "Cmd": "from", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "FROM alpine:3.19 AS builder", - "SubCmd": "", - "Value": [ - "alpine:3.19", - "AS", - "builder" - ], - "_kics_line": 1 - }, - { - "Cmd": "copy", - "EndLine": 3, - "Flags": [], - "JSON": false, - "Original": "COPY . .", - "SubCmd": "", - "Value": [ - ".", - "." 
- ], - "_kics_line": 3 - }, - { - "Cmd": "healthcheck", - "EndLine": 5, - "Flags": [ - "--interval=30s", - "--timeout=30s", - "--start-period=5s", - "--retries=3" - ], - "JSON": true, - "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", - "SubCmd": "", - "Value": [ - "CMD", - "executable" - ], - "_kics_line": 5 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [], - "command": { - "alpine:3.19 AS builder": [ - { - "Cmd": "from", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "FROM alpine:3.19 AS builder", - "SubCmd": "", - "Value": [ - "alpine:3.19", - "AS", - "builder" - ], - "_kics_line": 1 - }, - { - "Cmd": "copy", - "EndLine": 3, - "Flags": [], - "JSON": false, - "Original": "COPY . .", - "SubCmd": "", - "Value": [ - ".", - "." - ], - "_kics_line": 3 - }, - { - "Cmd": "healthcheck", - "EndLine": 5, - "Flags": [ - "--interval=30s", - "--timeout=30s", - "--start-period=5s", - "--retries=3" - ], - "JSON": true, - "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", - "SubCmd": "", - "Value": [ - "CMD", - "executable" - ], - "_kics_line": 5 - } - ] - }, - "file": "file", - "id": "0" - } + "document": [ + { + "args": [], + "command": { + "openjdk:10-jdk": [ + { + "Cmd": "from", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "FROM openjdk:10-jdk", + "SubCmd": "", + "Value": [ + "openjdk:10-jdk" + ], + "_kics_line": 1 + }, + { + "Cmd": "volume", + "EndLine": 2, + "Flags": [], + "JSON": false, + "Original": "VOLUME /tmp", + "SubCmd": "", + "Value": [ + "/tmp" + ], + "_kics_line": 2 + }, + { + "Cmd": "add", + "EndLine": 3, + "Flags": [], + "JSON": false, + "Original": "ADD http://source.file/package.file.tar.gz /temp", + "SubCmd": "", + "Value": [ + "http://source.file/package.file.tar.gz", + "/temp" + ], + "_kics_line": 3 + }, + { + "Cmd": "run", + "EndLine": 4, + "Flags": [], + "JSON": false, + "Original": "RUN tar 
-xjf /temp/package.file.tar.gz", + "SubCmd": "", + "Value": [ + "tar -xjf /temp/package.file.tar.gz" + ], + "_kics_line": 4 + }, + { + "Cmd": "arg", + "EndLine": 5, + "Flags": [], + "JSON": false, + "Original": "ARG JAR_FILE", + "SubCmd": "", + "Value": [ + "JAR_FILE" + ], + "_kics_line": 5 + }, + { + "Cmd": "add", + "EndLine": 6, + "Flags": [], + "JSON": false, + "Original": "ADD ${JAR_FILE} app.jar", + "SubCmd": "", + "Value": [ + "${JAR_FILE}", + "app.jar" + ], + "_kics_line": 6 + }, + { + "Cmd": "entrypoint", + "EndLine": 7, + "Flags": [], + "JSON": true, + "Original": "ENTRYPOINT [\"java\",\"-Djava.security.egd=file:/dev/./urandom\",\"-jar\",\"/app.jar\"]", + "SubCmd": "", + "Value": [ + "java", + "-Djava.security.egd=file:/dev/./urandom", + "-jar", + "/app.jar" + ], + "_kics_line": 7 + } + ] + }, + "file": "../test/fixtures/dockerfile/Dockerfile-example", + "id": "642ad448-baac-4d93-a84a-03cd1dc3838d" + }, + { + "args": [], + "command": { + "alpine:3.19 AS builder": [ + { + "Cmd": "from", + "EndLine": 13, + "Flags": [], + "JSON": false, + "Original": "FROM alpine:3.19 AS builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "AS", + "builder" + ], + "_kics_line": 13 + }, + { + "Cmd": "copy", + "EndLine": 15, + "Flags": [], + "JSON": false, + "Original": "COPY . .", + "SubCmd": "", + "Value": [ + ".", + "." 
+ ], + "_kics_line": 15 + }, + { + "Cmd": "healthcheck", + "EndLine": 17, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "CMD", + "executable" + ], + "_kics_line": 17 + } + ] + }, + "file": "../test/fixtures/dockerfile/any_name/DOCKERfile.txt", + "id": "473ae0ea-61c1-4b4e-b60d-1788f4ffa4ac" + }, + { + "args": [ + { + "Cmd": "arg", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "ARG VERSION=1.0", + "SubCmd": "", + "Value": [ + "VERSION=1.0" + ], + "_kics_line": 1 + }, + { + "Cmd": "arg", + "EndLine": 2, + "Flags": [], + "JSON": false, + "Original": "ARG BASE_IMAGE=ubuntu:22.04", + "SubCmd": "", + "Value": [ + "BASE_IMAGE=ubuntu:22.04" + ], + "_kics_line": 2 + } + ], + "command": { + "alpine:3.19 AS builder": [ + { + "Cmd": "from", + "EndLine": 4, + "Flags": [], + "JSON": false, + "Original": "FROM alpine:3.19 AS builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "AS", + "builder" + ], + "_kics_line": 4 + }, + { + "Cmd": "copy", + "EndLine": 6, + "Flags": [], + "JSON": false, + "Original": "COPY . .", + "SubCmd": "", + "Value": [ + ".", + "." 
+ ], + "_kics_line": 6 + }, + { + "Cmd": "healthcheck", + "EndLine": 8, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "CMD", + "executable" + ], + "_kics_line": 8 + } + ] + }, + "file": "../test/fixtures/dockerfile/any_name/Dockerfile.something", + "id": "67c9db37-1f48-465b-bd63-e092bcdda028" + }, + { + "args": [ + { + "Cmd": "arg", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "ARG VERSION=1.0", + "SubCmd": "", + "Value": [ + "VERSION=1.0" + ], + "_kics_line": 1 + }, + { + "Cmd": "arg", + "EndLine": 2, + "Flags": [], + "JSON": false, + "Original": "ARG BASE_IMAGE=ubuntu:22.04", + "SubCmd": "", + "Value": [ + "BASE_IMAGE=ubuntu:22.04" + ], + "_kics_line": 2 + } + ], + "command": { + "alpine:3.19 AS builder": [ + { + "Cmd": "from", + "EndLine": 4, + "Flags": [], + "JSON": false, + "Original": "FROM alpine:3.19 AS builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "AS", + "builder" + ], + "_kics_line": 4 + }, + { + "Cmd": "copy", + "EndLine": 6, + "Flags": [], + "JSON": false, + "Original": "COPY . .", + "SubCmd": "", + "Value": [ + ".", + "." 
+ ], + "_kics_line": 6 + }, + { + "Cmd": "healthcheck", + "EndLine": 8, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "CMD", + "executable" + ], + "_kics_line": 8 + } + ] + }, + "file": "../test/fixtures/dockerfile/any_name/any_name.debian", + "id": "c3867724-c34f-439a-9e60-ae3478c03912" + }, + { + "args": [ + { + "Cmd": "arg", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "ARG VERSION=1.0", + "SubCmd": "", + "Value": [ + "VERSION=1.0" + ], + "_kics_line": 1 + }, + { + "Cmd": "arg", + "EndLine": 2, + "Flags": [], + "JSON": false, + "Original": "ARG BASE_IMAGE=ubuntu:22.04", + "SubCmd": "", + "Value": [ + "BASE_IMAGE=ubuntu:22.04" + ], + "_kics_line": 2 + } + ], + "command": { + "alpine:3.19 AS builder": [ + { + "Cmd": "from", + "EndLine": 4, + "Flags": [], + "JSON": false, + "Original": "FROM alpine:3.19 AS builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "AS", + "builder" + ], + "_kics_line": 4 + }, + { + "Cmd": "copy", + "EndLine": 6, + "Flags": [], + "JSON": false, + "Original": "COPY . .", + "SubCmd": "", + "Value": [ + ".", + "." 
+ ], + "_kics_line": 6 + }, + { + "Cmd": "healthcheck", + "EndLine": 8, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "CMD", + "executable" + ], + "_kics_line": 8 + } + ] + }, + "file": "../test/fixtures/dockerfile/any_name/any_name.ubi8", + "id": "f75b700b-983e-4448-b4f0-5dafb6f702bd" + }, + { + "args": [ + { + "Cmd": "arg", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "ARG BASE_IMAGE=ubuntu:22.04", + "SubCmd": "", + "Value": [ + "BASE_IMAGE=ubuntu:22.04" + ], + "_kics_line": 1 + }, + { + "Cmd": "arg", + "EndLine": 4, + "Flags": [], + "JSON": false, + "Original": "ARG JAR_FILE", + "SubCmd": "", + "Value": [ + "JAR_FILE" + ], + "_kics_line": 4 + } + ], + "command": { + "alpine:3.19 AS builder": [ + { + "Cmd": "from", + "EndLine": 6, + "Flags": [], + "JSON": false, + "Original": "FROM alpine:3.19 AS builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "AS", + "builder" + ], + "_kics_line": 6 + }, + { + "Cmd": "copy", + "EndLine": 8, + "Flags": [], + "JSON": false, + "Original": "COPY . .", + "SubCmd": "", + "Value": [ + ".", + "." 
+ ], + "_kics_line": 8 + }, + { + "Cmd": "healthcheck", + "EndLine": 10, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "CMD", + "executable" + ], + "_kics_line": 10 + } + ] + }, + "file": "../test/fixtures/dockerfile/any_name/dockerFILE", + "id": "93231545-8aa9-4c86-b1a5-aeb72ed75013" + }, + { + "args": [ + { + "Cmd": "arg", + "EndLine": 2, + "Flags": [], + "JSON": false, + "Original": "ARG BASE_IMAGE=ubuntu:22.04", + "SubCmd": "", + "Value": [ + "BASE_IMAGE=ubuntu:22.04" + ], + "_kics_line": 2 + } + ], + "command": { + "alpine:3.19 AS builder": [ + { + "Cmd": "from", + "EndLine": 6, + "Flags": [], + "JSON": false, + "Original": "FROM alpine:3.19 AS builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "AS", + "builder" + ], + "_kics_line": 6 + }, + { + "Cmd": "copy", + "EndLine": 8, + "Flags": [], + "JSON": false, + "Original": "COPY . .", + "SubCmd": "", + "Value": [ + ".", + "." 
+ ], + "_kics_line": 8 + }, + { + "Cmd": "healthcheck", + "EndLine": 10, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "CMD", + "executable" + ], + "_kics_line": 10 + } + ] + }, + "file": "../test/fixtures/dockerfile/any_name/file.Dockerfile", + "id": "5b574486-7742-47ea-95c8-64a12a014c7d" + }, + { + "args": [ + { + "Cmd": "arg", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "ARG BASE_IMAGE=ubuntu:22.04", + "SubCmd": "", + "Value": [ + "BASE_IMAGE=ubuntu:22.04" + ], + "_kics_line": 1 + } + ], + "command": { + "alpine:3.19 AS builder": [ + { + "Cmd": "from", + "EndLine": 4, + "Flags": [], + "JSON": false, + "Original": "FROM alpine:3.19 AS builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "AS", + "builder" + ], + "_kics_line": 4 + }, + { + "Cmd": "copy", + "EndLine": 6, + "Flags": [], + "JSON": false, + "Original": "COPY .. .", + "SubCmd": "", + "Value": [ + "..", + "." 
+ ], + "_kics_line": 6 + }, + { + "Cmd": "healthcheck", + "EndLine": 8, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "CMD", + "executable" + ], + "_kics_line": 8 + } + ] + }, + "file": "../test/fixtures/dockerfile/any_name/file_2.DOCKERfile", + "id": "68ab189b-439b-4e6f-907d-5e518b162941" + }, + { + "args": [ + { + "Cmd": "arg", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "ARG BASE_IMAGE=ubuntu:22.04", + "SubCmd": "", + "Value": [ + "BASE_IMAGE=ubuntu:22.04" + ], + "_kics_line": 1 + } + ], + "command": { + "alpine:3.19 AS builder": [ + { + "Cmd": "from", + "EndLine": 3, + "Flags": [], + "JSON": false, + "Original": "FROM alpine:3.19 AS builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "AS", + "builder" + ], + "_kics_line": 3 + }, + { + "Cmd": "copy", + "EndLine": 5, + "Flags": [], + "JSON": false, + "Original": "COPY . .", + "SubCmd": "", + "Value": [ + ".", + "." + ], + "_kics_line": 5 + }, + { + "Cmd": "healthcheck", + "EndLine": 7, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "CMD", + "executable" + ], + "_kics_line": 7 + } + ] + }, + "file": "../test/fixtures/dockerfile/any_name/random_name", + "id": "1974d0b3-0bf0-45dc-80c3-e7533dc0cf81" + }, + { + "args": [], + "command": { + "alpine:3.19 as builder": [ + { + "Cmd": "from", + "EndLine": 13, + "Flags": [], + "JSON": false, + "Original": "from alpine:3.19 as builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "as", + "builder" + ], + "_kics_line": 13 + }, + { + "Cmd": "copy", + "EndLine": 15, + "Flags": [], + "JSON": false, + "Original": "copy . 
.", + "SubCmd": "", + "Value": [ + ".", + "." + ], + "_kics_line": 15 + }, + { + "Cmd": "healthcheck", + "EndLine": 17, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "healthcheck --interval=30s --timeout=30s --start-period=5s --retries=3 cmd [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "cmd", + "executable" + ], + "_kics_line": 17 + } + ] + }, + "file": "../test/fixtures/dockerfile/case_insensitive_tests/DOCKERfile.txt", + "id": "ea99ceac-12a4-4672-9282-e34336d48ad8" + }, + { + "args": [ + { + "Cmd": "arg", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "arg VERSION=1.0", + "SubCmd": "", + "Value": [ + "VERSION=1.0" + ], + "_kics_line": 1 + }, + { + "Cmd": "arg", + "EndLine": 2, + "Flags": [], + "JSON": false, + "Original": "arg BASE_IMAGE=ubuntu:22.04", + "SubCmd": "", + "Value": [ + "BASE_IMAGE=ubuntu:22.04" + ], + "_kics_line": 2 + } + ], + "command": { + "alpine:3.19 as builder": [ + { + "Cmd": "from", + "EndLine": 4, + "Flags": [], + "JSON": false, + "Original": "from alpine:3.19 as builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "as", + "builder" + ], + "_kics_line": 4 + }, + { + "Cmd": "copy", + "EndLine": 6, + "Flags": [], + "JSON": false, + "Original": "copy . .", + "SubCmd": "", + "Value": [ + ".", + "." 
+ ], + "_kics_line": 6 + }, + { + "Cmd": "healthcheck", + "EndLine": 8, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "healthcheck --interval=30s --timeout=30s --start-period=5s --retries=3 cmd [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "cmd", + "executable" + ], + "_kics_line": 8 + } + ] + }, + "file": "../test/fixtures/dockerfile/case_insensitive_tests/Dockerfile.something", + "id": "fc3fa3c3-ef24-4032-bde8-7215870a1064" + }, + { + "args": [ + { + "Cmd": "arg", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "arg VERSION=1.0", + "SubCmd": "", + "Value": [ + "VERSION=1.0" + ], + "_kics_line": 1 + }, + { + "Cmd": "arg", + "EndLine": 2, + "Flags": [], + "JSON": false, + "Original": "arg BASE_IMAGE=ubuntu:22.04", + "SubCmd": "", + "Value": [ + "BASE_IMAGE=ubuntu:22.04" + ], + "_kics_line": 2 + } + ], + "command": { + "alpine:3.19 as builder": [ + { + "Cmd": "from", + "EndLine": 4, + "Flags": [], + "JSON": false, + "Original": "from alpine:3.19 as builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "as", + "builder" + ], + "_kics_line": 4 + }, + { + "Cmd": "copy", + "EndLine": 6, + "Flags": [], + "JSON": false, + "Original": "copy . .", + "SubCmd": "", + "Value": [ + ".", + "." 
+ ], + "_kics_line": 6 + }, + { + "Cmd": "healthcheck", + "EndLine": 8, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "healthcheck --interval=30s --timeout=30s --start-period=5s --retries=3 cmd [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "cmd", + "executable" + ], + "_kics_line": 8 + } + ] + }, + "file": "../test/fixtures/dockerfile/case_insensitive_tests/any_name.debian", + "id": "82d4be70-fc35-4869-b1b2-3a7af63eaefe" + }, + { + "args": [ + { + "Cmd": "arg", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "arg VERSION=1.0", + "SubCmd": "", + "Value": [ + "VERSION=1.0" + ], + "_kics_line": 1 + }, + { + "Cmd": "arg", + "EndLine": 2, + "Flags": [], + "JSON": false, + "Original": "arg BASE_IMAGE=ubuntu:22.04", + "SubCmd": "", + "Value": [ + "BASE_IMAGE=ubuntu:22.04" + ], + "_kics_line": 2 + } + ], + "command": { + "alpine:3.19 as builder": [ + { + "Cmd": "from", + "EndLine": 4, + "Flags": [], + "JSON": false, + "Original": "from alpine:3.19 as builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "as", + "builder" + ], + "_kics_line": 4 + }, + { + "Cmd": "copy", + "EndLine": 6, + "Flags": [], + "JSON": false, + "Original": "copy . .", + "SubCmd": "", + "Value": [ + ".", + "." 
+ ], + "_kics_line": 6 + }, + { + "Cmd": "healthcheck", + "EndLine": 8, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "healthcheck --interval=30s --timeout=30s --start-period=5s --retries=3 cmd [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "cmd", + "executable" + ], + "_kics_line": 8 + } + ] + }, + "file": "../test/fixtures/dockerfile/case_insensitive_tests/any_name.ubi8", + "id": "2bdab0c9-53c3-4fad-8fae-6431682d9752" + }, + { + "args": [ + { + "Cmd": "arg", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "arg BASE_IMAGE=ubuntu:22.04", + "SubCmd": "", + "Value": [ + "BASE_IMAGE=ubuntu:22.04" + ], + "_kics_line": 1 + }, + { + "Cmd": "arg", + "EndLine": 4, + "Flags": [], + "JSON": false, + "Original": "arg JAR_FILE", + "SubCmd": "", + "Value": [ + "JAR_FILE" + ], + "_kics_line": 4 + } + ], + "command": { + "alpine:3.19 as builder": [ + { + "Cmd": "from", + "EndLine": 6, + "Flags": [], + "JSON": false, + "Original": "from alpine:3.19 as builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "as", + "builder" + ], + "_kics_line": 6 + }, + { + "Cmd": "copy", + "EndLine": 8, + "Flags": [], + "JSON": false, + "Original": "copy . .", + "SubCmd": "", + "Value": [ + ".", + "." 
+ ], + "_kics_line": 8 + }, + { + "Cmd": "healthcheck", + "EndLine": 10, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "healthcheck --interval=30s --timeout=30s --start-period=5s --retries=3 cmd [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "cmd", + "executable" + ], + "_kics_line": 10 + } + ] + }, + "file": "../test/fixtures/dockerfile/case_insensitive_tests/dockerFILE", + "id": "9756f049-fa73-4004-abfc-30447d8f9daa" + }, + { + "args": [ + { + "Cmd": "arg", + "EndLine": 2, + "Flags": [], + "JSON": false, + "Original": "arg BASE_IMAGE=ubuntu:22.04", + "SubCmd": "", + "Value": [ + "BASE_IMAGE=ubuntu:22.04" + ], + "_kics_line": 2 + } + ], + "command": { + "alpine:3.19 as builder": [ + { + "Cmd": "from", + "EndLine": 6, + "Flags": [], + "JSON": false, + "Original": "from alpine:3.19 as builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "as", + "builder" + ], + "_kics_line": 6 + }, + { + "Cmd": "copy", + "EndLine": 8, + "Flags": [], + "JSON": false, + "Original": "copy . .", + "SubCmd": "", + "Value": [ + ".", + "." 
+ ], + "_kics_line": 8 + }, + { + "Cmd": "healthcheck", + "EndLine": 10, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "healthcheck --interval=30s --timeout=30s --start-period=5s --retries=3 cmd [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "cmd", + "executable" + ], + "_kics_line": 10 + } + ] + }, + "file": "../test/fixtures/dockerfile/case_insensitive_tests/file.Dockerfile", + "id": "7fa06995-2b59-4a58-b3aa-ec2fd81e3e7b" + }, + { + "args": [ + { + "Cmd": "arg", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "arg BASE_IMAGE=ubuntu:22.04", + "SubCmd": "", + "Value": [ + "BASE_IMAGE=ubuntu:22.04" + ], + "_kics_line": 1 + } + ], + "command": { + "alpine:3.19 AS builder": [ + { + "Cmd": "from", + "EndLine": 4, + "Flags": [], + "JSON": false, + "Original": "from alpine:3.19 AS builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "AS", + "builder" + ], + "_kics_line": 4 + }, + { + "Cmd": "copy", + "EndLine": 6, + "Flags": [], + "JSON": false, + "Original": "copy .. .", + "SubCmd": "", + "Value": [ + "..", + "." 
+ ], + "_kics_line": 6 + }, + { + "Cmd": "healthcheck", + "EndLine": 8, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "healthcheck --interval=30s --timeout=30s --start-period=5s --retries=3 cmd [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "cmd", + "executable" + ], + "_kics_line": 8 + } + ] + }, + "file": "../test/fixtures/dockerfile/case_insensitive_tests/file_2.DOCKERfile", + "id": "56c3ad64-8527-48f5-87ef-6c1049bda118" + }, + { + "args": [ + { + "Cmd": "arg", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "arg BASE_IMAGE=ubuntu:22.04", + "SubCmd": "", + "Value": [ + "BASE_IMAGE=ubuntu:22.04" + ], + "_kics_line": 1 + } + ], + "command": { + "alpine:3.19 as builder": [ + { + "Cmd": "from", + "EndLine": 3, + "Flags": [], + "JSON": false, + "Original": "from alpine:3.19 as builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "as", + "builder" + ], + "_kics_line": 3 + }, + { + "Cmd": "copy", + "EndLine": 5, + "Flags": [], + "JSON": false, + "Original": "copy . .", + "SubCmd": "", + "Value": [ + ".", + "." 
+ ], + "_kics_line": 5 + }, + { + "Cmd": "healthcheck", + "EndLine": 7, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "healthcheck --interval=30s --timeout=30s --start-period=5s --retries=3 cmd [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "cmd", + "executable" + ], + "_kics_line": 7 + } + ] + }, + "file": "../test/fixtures/dockerfile/case_insensitive_tests/random_name", + "id": "adbb6d2b-d2dc-4d65-8994-d57a73e05035" + }, + { + "args": [], + "command": { + "alpine:latest": [ + { + "Cmd": "from", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "FROM alpine:latest", + "SubCmd": "", + "Value": [ + "alpine:latest" + ], + "_kics_line": 1 + }, + { + "Cmd": "copy", + "EndLine": 3, + "Flags": [], + "JSON": false, + "Original": "COPY {{ file_path }} /test", + "SubCmd": "", + "Value": [ + "{{", + "file_path", + "}}", + "/test" + ], + "_kics_line": 3 + }, + { + "Cmd": "run", + "EndLine": 5, + "Flags": [], + "JSON": false, + "Original": "RUN echo \"failure\"", + "SubCmd": "", + "Value": [ + "echo \"failure\"" + ], + "_kics_line": 5 + } + ] + }, + "file": "../test/fixtures/dockerfile/corrupted_dockerfile", + "id": "a4fba452-33cb-4802-8e99-1de54bc8a814" + }, + { + "args": [], + "command": { + "--platform=linux/arm64 scratch": [ + { + "Cmd": "from", + "EndLine": 1, + "Flags": [ + "--platform=linux/arm64" + ], + "JSON": false, + "Original": "FROM --platform=linux/arm64 scratch", + "SubCmd": "", + "Value": [ + "scratch" + ], + "_kics_line": 1 + }, + { + "Cmd": "copy", + "EndLine": 2, + "Flags": [], + "JSON": false, + "Original": "COPY myapp /", + "SubCmd": "", + "Value": [ + "myapp", + "/" + ], + "_kics_line": 2 + }, + { + "Cmd": "entrypoint", + "EndLine": 3, + "Flags": [], + "JSON": true, + "Original": "ENTRYPOINT [\"/myapp\"]", + "SubCmd": "", + "Value": [ + "/myapp" + ], + "_kics_line": 3 + }, + { + "Cmd": "add", + "EndLine": 4, + "Flags": [], + "JSON": false, + "Original": "ADD 
${JAR_FILE} app.jar", + "SubCmd": "", + "Value": [ + "${JAR_FILE}", + "app.jar" + ], + "_kics_line": 4 + } + ] + }, + "file": "../test/fixtures/dockerfile/should_generate_payload/sample1", + "id": "63b92b43-2d56-4602-af11-5c5d544f91b0" + }, + { + "args": [], + "command": { + "--platform=linux/amd64 ubuntu:latest AS builder": [ + { + "Cmd": "from", + "EndLine": 1, + "Flags": [ + "--platform=linux/amd64" + ], + "JSON": false, + "Original": "FROM --platform=linux/amd64 ubuntu:latest AS builder", + "SubCmd": "", + "Value": [ + "ubuntu:latest", + "AS", + "builder" + ], + "_kics_line": 1 + }, + { + "Cmd": "run", + "EndLine": 2, + "Flags": [], + "JSON": false, + "Original": "RUN apt-get update \u0026\u0026 apt-get install -y gcc", + "SubCmd": "", + "Value": [ + "apt-get update \u0026\u0026 apt-get install -y gcc" + ], + "_kics_line": 2 + }, + { + "Cmd": "copy", + "EndLine": 3, + "Flags": [], + "JSON": false, + "Original": "COPY . /src", + "SubCmd": "", + "Value": [ + ".", + "/src" + ], + "_kics_line": 3 + }, + { + "Cmd": "run", + "EndLine": 4, + "Flags": [], + "JSON": false, + "Original": "RUN make /src", + "SubCmd": "", + "Value": [ + "make /src" + ], + "_kics_line": 4 + }, + { + "Cmd": "add", + "EndLine": 5, + "Flags": [], + "JSON": false, + "Original": "ADD ${JAR_FILE} app.jar", + "SubCmd": "", + "Value": [ + "${JAR_FILE}", + "app.jar" + ], + "_kics_line": 5 + } + ] + }, + "file": "../test/fixtures/dockerfile/should_generate_payload/sample2", + "id": "8e7173a5-eb7f-4b72-9124-504498687f6b" + }, + { + "args": [], + "command": { + "--platform=linux/amd64 alpine:latest": [ + { + "Cmd": "from", + "EndLine": 1, + "Flags": [ + "--platform=linux/amd64" + ], + "JSON": false, + "Original": "FROM --platform=linux/amd64 alpine:latest", + "SubCmd": "", + "Value": [ + "alpine:latest" + ], + "_kics_line": 1 + }, + { + "Cmd": "copy", + "EndLine": 2, + "Flags": [ + "--from=builder" + ], + "JSON": false, + "Original": "COPY --from=builder /src/bin /usr/local/bin/", + "SubCmd": "", + 
"Value": [ + "/src/bin", + "/usr/local/bin/" + ], + "_kics_line": 2 + }, + { + "Cmd": "cmd", + "EndLine": 3, + "Flags": [], + "JSON": true, + "Original": "CMD [\"/usr/local/bin/app\"]", + "SubCmd": "", + "Value": [ + "/usr/local/bin/app" + ], + "_kics_line": 3 + }, + { + "Cmd": "add", + "EndLine": 4, + "Flags": [], + "JSON": false, + "Original": "ADD ${JAR_FILE} app.jar", + "SubCmd": "", + "Value": [ + "${JAR_FILE}", + "app.jar" + ], + "_kics_line": 4 + } + ] + }, + "file": "../test/fixtures/dockerfile/should_generate_payload/sample3", + "id": "9e309d8f-9236-4320-aeb5-e6338afad188" + }, + { + "args": [], + "command": { + "--platform=linux/amd64 ubuntu:latest": [ + { + "Cmd": "from", + "EndLine": 1, + "Flags": [ + "--platform=linux/amd64" + ], + "JSON": false, + "Original": "FROM --platform=linux/amd64 ubuntu:latest", + "SubCmd": "", + "Value": [ + "ubuntu:latest" + ], + "_kics_line": 1 + }, + { + "Cmd": "run", + "EndLine": 2, + "Flags": [], + "JSON": false, + "Original": "RUN apt-get update \u0026\u0026 apt-get install -y curl", + "SubCmd": "", + "Value": [ + "apt-get update \u0026\u0026 apt-get install -y curl" + ], + "_kics_line": 2 + }, + { + "Cmd": "cmd", + "EndLine": 3, + "Flags": [], + "JSON": true, + "Original": "CMD [\"/bin/bash\"]", + "SubCmd": "", + "Value": [ + "/bin/bash" + ], + "_kics_line": 3 + }, + { + "Cmd": "add", + "EndLine": 4, + "Flags": [], + "JSON": false, + "Original": "ADD ${JAR_FILE} app.jar", + "SubCmd": "", + "Value": [ + "${JAR_FILE}", + "app.jar" + ], + "_kics_line": 4 + } + ] + }, + "file": "../test/fixtures/dockerfile/should_generate_payload/sample4", + "id": "5d4a9144-c86e-4bed-a018-03d93120cd77" + }, + { + "args": [ + { + "Cmd": "arg", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "ARG BUILDPLATFORM", + "SubCmd": "", + "Value": [ + "BUILDPLATFORM" + ], + "_kics_line": 1 + } + ], + "command": { + "--platform=$BUILDPLATFORM golang:1.21": [ + { + "Cmd": "from", + "EndLine": 2, + "Flags": [ + "--platform=$BUILDPLATFORM" 
+ ], + "JSON": false, + "Original": "FROM --platform=$BUILDPLATFORM golang:1.21", + "SubCmd": "", + "Value": [ + "golang:1.21" + ], + "_kics_line": 2 + }, + { + "Cmd": "workdir", + "EndLine": 3, + "Flags": [], + "JSON": false, + "Original": "WORKDIR /src", + "SubCmd": "", + "Value": [ + "/src" + ], + "_kics_line": 3 + }, + { + "Cmd": "copy", + "EndLine": 4, + "Flags": [], + "JSON": false, + "Original": "COPY . .", + "SubCmd": "", + "Value": [ + ".", + "." + ], + "_kics_line": 4 + }, + { + "Cmd": "run", + "EndLine": 5, + "Flags": [], + "JSON": false, + "Original": "RUN go build -o /app", + "SubCmd": "", + "Value": [ + "go build -o /app" + ], + "_kics_line": 5 + }, + { + "Cmd": "cmd", + "EndLine": 6, + "Flags": [], + "JSON": true, + "Original": "CMD [\"/app\"]", + "SubCmd": "", + "Value": [ + "/app" + ], + "_kics_line": 6 + }, + { + "Cmd": "add", + "EndLine": 7, + "Flags": [], + "JSON": false, + "Original": "ADD ${JAR_FILE} app.jar", + "SubCmd": "", + "Value": [ + "${JAR_FILE}", + "app.jar" + ], + "_kics_line": 7 + } + ] + }, + "file": "../test/fixtures/dockerfile/should_generate_payload/sample5", + "id": "53169e02-57cb-4930-9f6a-9e83afaf30b6" + }, + { + "args": [], + "command": { + "--platform=linux/amd64 ubuntu": [ + { + "Cmd": "from", + "EndLine": 1, + "Flags": [ + "--platform=linux/amd64" + ], + "JSON": false, + "Original": "FROM --platform=linux/amd64 ubuntu", + "SubCmd": "", + "Value": [ + "ubuntu" + ], + "_kics_line": 1 + }, + { + "Cmd": "run", + "EndLine": 2, + "Flags": [], + "JSON": false, + "Original": "RUN echo \"hello\"", + "SubCmd": "", + "Value": [ + "echo \"hello\"" + ], + "_kics_line": 2 + }, + { + "Cmd": "add", + "EndLine": 3, + "Flags": [], + "JSON": false, + "Original": "ADD ${JAR_FILE} app.jar", + "SubCmd": "", + "Value": [ + "${JAR_FILE}", + "app.jar" + ], + "_kics_line": 3 + } + ] + }, + "file": "../test/fixtures/dockerfile/should_generate_payload/sample6", + "id": "2c80b3a1-57f5-4f73-91bb-19e2174beb01" + }, + { + "args": [], + "command": { + 
"example.com:5000/team/my-app:2.0": [ + { + "Cmd": "from", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "FROM example.com:5000/team/my-app:2.0", + "SubCmd": "", + "Value": [ + "example.com:5000/team/my-app:2.0" + ], + "_kics_line": 1 + }, + { + "Cmd": "run", + "EndLine": 2, + "Flags": [], + "JSON": false, + "Original": "RUN echo \"hello\"", + "SubCmd": "", + "Value": [ + "echo \"hello\"" + ], + "_kics_line": 2 + }, + { + "Cmd": "add", + "EndLine": 3, + "Flags": [], + "JSON": false, + "Original": "ADD ${JAR_FILE} app.jar", + "SubCmd": "", + "Value": [ + "${JAR_FILE}", + "app.jar" + ], + "_kics_line": 3 + } + ] + }, + "file": "../test/fixtures/dockerfile/should_generate_payload/sample7", + "id": "d2b0dd02-9e09-4723-94d3-b71065c2b669" + }, + { + "args": [], + "command": { + "bighostnameusedasasample.example.com:4903/team/my-app:2.0": [ + { + "Cmd": "from", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "FROM bighostnameusedasasample.example.com:4903/team/my-app:2.0", + "SubCmd": "", + "Value": [ + "bighostnameusedasasample.example.com:4903/team/my-app:2.0" + ], + "_kics_line": 1 + }, + { + "Cmd": "run", + "EndLine": 2, + "Flags": [], + "JSON": false, + "Original": "RUN echo \"hello\"", + "SubCmd": "", + "Value": [ + "echo \"hello\"" + ], + "_kics_line": 2 + }, + { + "Cmd": "add", + "EndLine": 3, + "Flags": [], + "JSON": false, + "Original": "ADD ${JAR_FILE} app.jar", + "SubCmd": "", + "Value": [ + "${JAR_FILE}", + "app.jar" + ], + "_kics_line": 3 + } + ] + }, + "file": "../test/fixtures/dockerfile/should_generate_payload/sample8", + "id": "df6865bc-6af6-450d-9e82-5002f02b1077" + }, + { + "args": [], + "command": { + "alpine:3.19 AS builder": [ + { + "Cmd": "from", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "FROM alpine:3.19 AS builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "AS", + "builder" + ], + "_kics_line": 1 + }, + { + "Cmd": "copy", + "EndLine": 3, + "Flags": [], + "JSON": false, + "Original": "COPY . 
.", + "SubCmd": "", + "Value": [ + ".", + "." + ], + "_kics_line": 3 + }, + { + "Cmd": "healthcheck", + "EndLine": 5, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "CMD", + "executable" + ], + "_kics_line": 5 + } + ] + }, + "file": "../test/fixtures/dockerfile/test_folder_names/docker/any_file.txt", + "id": "5a51adb1-fe50-4830-9fb3-de1e78c78bba" + }, + { + "args": [], + "command": { + "alpine:3.19 AS builder": [ + { + "Cmd": "from", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "FROM alpine:3.19 AS builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "AS", + "builder" + ], + "_kics_line": 1 + }, + { + "Cmd": "copy", + "EndLine": 3, + "Flags": [], + "JSON": false, + "Original": "COPY . .", + "SubCmd": "", + "Value": [ + ".", + "." + ], + "_kics_line": 3 + }, + { + "Cmd": "healthcheck", + "EndLine": 5, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "CMD", + "executable" + ], + "_kics_line": 5 + } + ] + }, + "file": "../test/fixtures/dockerfile/test_folder_names/dockerfile/any_file.txt", + "id": "32a0c395-eb13-4bd9-a7f0-1ce1c8d50746" + }, + { + "args": [], + "command": { + "alpine:3.19 AS builder": [ + { + "Cmd": "from", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "FROM alpine:3.19 AS builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "AS", + "builder" + ], + "_kics_line": 1 + }, + { + "Cmd": "copy", + "EndLine": 3, + "Flags": [], + "JSON": false, + "Original": "COPY . .", + "SubCmd": "", + "Value": [ + ".", + "." 
+ ], + "_kics_line": 3 + }, + { + "Cmd": "healthcheck", + "EndLine": 5, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "CMD", + "executable" + ], + "_kics_line": 5 + } + ] + }, + "file": "../test/fixtures/dockerfile/test_folder_names/dockerfiles/any_file.txt", + "id": "61f901f7-fc3f-4e57-9fcd-1e22a5b43a5a" + }, + { + "args": [], + "command": { + "alpine:3.19 AS builder": [ + { + "Cmd": "from", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "FROM alpine:3.19 AS builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "AS", + "builder" + ], + "_kics_line": 1 + }, + { + "Cmd": "copy", + "EndLine": 3, + "Flags": [], + "JSON": false, + "Original": "COPY . .", + "SubCmd": "", + "Value": [ + ".", + "." + ], + "_kics_line": 3 + }, + { + "Cmd": "healthcheck", + "EndLine": 5, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "CMD", + "executable" + ], + "_kics_line": 5 + } + ] + }, + "file": "../test/fixtures/dockerfile/test_folder_names_case/Docker/any_file.txt", + "id": "c693ecb3-eefa-4eb6-b331-456a4acf27d4" + }, + { + "args": [], + "command": { + "alpine:3.19 AS builder": [ + { + "Cmd": "from", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "FROM alpine:3.19 AS builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "AS", + "builder" + ], + "_kics_line": 1 + }, + { + "Cmd": "copy", + "EndLine": 3, + "Flags": [], + "JSON": false, + "Original": "COPY . .", + "SubCmd": "", + "Value": [ + ".", + "." 
+ ], + "_kics_line": 3 + }, + { + "Cmd": "healthcheck", + "EndLine": 5, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "CMD", + "executable" + ], + "_kics_line": 5 + } + ] + }, + "file": "../test/fixtures/dockerfile/test_folder_names_case/Dockerfile/any_file.txt", + "id": "6d418be9-9293-4cfa-9076-def24bad356d" + }, + { + "args": [], + "command": { + "alpine:3.19 AS builder": [ + { + "Cmd": "from", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "FROM alpine:3.19 AS builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "AS", + "builder" + ], + "_kics_line": 1 + }, + { + "Cmd": "copy", + "EndLine": 3, + "Flags": [], + "JSON": false, + "Original": "COPY . .", + "SubCmd": "", + "Value": [ + ".", + "." + ], + "_kics_line": 3 + }, + { + "Cmd": "healthcheck", + "EndLine": 5, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "CMD", + "executable" + ], + "_kics_line": 5 + } + ] + }, + "file": "../test/fixtures/dockerfile/test_folder_names_case/Dockerfiles/any_file.txt", + "id": "2097b474-af54-4b09-b64d-52e58a01e25c" + } ] } diff --git a/e2e/fixtures/E2E_CLI_106_RESULT.json b/e2e/fixtures/E2E_CLI_106_RESULT.json index 5c4c55498d8..7a2be2a9361 100644 --- a/e2e/fixtures/E2E_CLI_106_RESULT.json +++ b/e2e/fixtures/E2E_CLI_106_RESULT.json @@ -1,9 +1,9 @@ { "kics_version": "development", - "files_scanned": 26, - "lines_scanned": 212, - "files_parsed": 26, - "lines_parsed": 204, + "files_scanned": 32, + "lines_scanned": 235, + "files_parsed": 32, + "lines_parsed": 227, "lines_ignored": 8, "files_failed_to_scan": 0, "queries_total": 48, 
@@ -12,16 +12,16 @@ "scan_id": "console", "severity_counters": { "CRITICAL": 0, - "HIGH": 23, - "INFO": 0, - "LOW": 3, - "MEDIUM": 2, + "HIGH": 31, + "INFO": 10, + "LOW": 11, + "MEDIUM": 16, "TRACE": 0 }, - "total_counter": 28, + "total_counter": 68, "total_bom_resources": 0, - "start": "2026-03-13T16:37:29.4562916Z", - "end": "2026-03-13T16:37:30.3687083Z", + "start": "2026-04-14T17:33:16.2521898+01:00", + "end": "2026-04-14T17:33:27.3968601+01:00", "paths": [ "/path/test/fixtures/dockerfile", "/path/test/fixtures/negative_dockerfile" 
@@ -42,41 +42,41 @@ "description_id": "eb49caf6", "files": [ { - "file_name": "path/test/fixtures/dockerfile/any_name/file.Dockerfile", - "similarity_id": "1d972910b640dfb968ab630847182b4a19f44b78aeeaa0ef93c96c7e27aa8b6a", - "line": 6, + "file_name": "path/test/fixtures/dockerfile/Dockerfile-example", + "similarity_id": "aeaf42752011d846797cea09ce1a0eb5457673c67b0fb16914a0c639a253e5c7", + "line": 1, "issue_type": "MissingAttribute", - "search_key": "FROM={{alpine:3.19 AS builder}}", + "search_key": "FROM={{openjdk:10-jdk}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/test_folder_names_case/Docker/any_file.txt", - "similarity_id": "6da391b0e3e24d85f72b3ace5db0569be32ef11e6f9a433b138ae4e0b004df58", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample7", + "similarity_id": "03992dd5495adf4a9c4440fd1e116bb35670d88e71341f062410bc0da96f4f6e", "line": 1, "issue_type": "MissingAttribute", - "search_key": "FROM={{alpine:3.19 AS builder}}", + "search_key": "FROM={{example.com:5000/team/my-app:2.0}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/corrupted_dockerfile", - "similarity_id": "558c83370b9fc9e230035e00ff7b5302cd64c16f700e73c830579947e250a381", + "file_name": "path/test/fixtures/dockerfile/test_folder_names_case/Docker/any_file.txt", + "similarity_id": "6da391b0e3e24d85f72b3ace5db0569be32ef11e6f9a433b138ae4e0b004df58", "line": 1, "issue_type": "MissingAttribute", - "search_key": "FROM={{alpine:latest}}", + "search_key": "FROM={{alpine:3.19 AS builder}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' 
instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/case_insensitive_tests/random_name", - "similarity_id": "4df62f3dddaa0fe84e53c387514ff1ffb2405fb47a80011271dfc6742078a0e8", + "file_name": "path/test/fixtures/dockerfile/case_insensitive_tests/any_name.ubi8", + "similarity_id": "ce95928798897e3f22c2677202d38812030cc2dfb5cf0470d397d7baaf8c1de1", "line": 1, "issue_type": "MissingAttribute", "search_key": "FROM={{alpine:3.19 as builder}}", 
@@ -86,30 +86,30 @@ "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/test_folder_names/dockerfiles/any_file.txt", - "similarity_id": "e150676345e87674484ea970ca810125007b743069646ac448feaba242b7211f", + "file_name": "path/test/fixtures/dockerfile/case_insensitive_tests/any_name.debian", + "similarity_id": "c949a1c23fe7c61dea7daac22ce6a13ffb8dec65b4bcbeacc76bf295518e72ef", "line": 1, "issue_type": "MissingAttribute", - "search_key": "FROM={{alpine:3.19 AS builder}}", + "search_key": "FROM={{alpine:3.19 as builder}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/case_insensitive_tests/DOCKERfile.txt", - "similarity_id": "f9caf5d57d5872073bc7b7a555a3283708f72c9990689c8d4e6b3ce1957b496a", - "line": 1, + "file_name": "path/test/fixtures/dockerfile/any_name/dockerFILE", + "similarity_id": "e97a5ec241eb063c5757aed13a666c8126e4375ac9aed300cdc72d4ae883dfdc", + "line": 6, "issue_type": "MissingAttribute", - "search_key": "FROM={{alpine:3.19 as builder}}", + "search_key": "FROM={{alpine:3.19 AS builder}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/test_folder_names/dockerfile/any_file.txt", - "similarity_id": "c2e7f0c0c566a723ff253f4a95e837749faba964ec008551c1f87a7faa476110", + "file_name": "path/test/fixtures/dockerfile/test_folder_names_case/Dockerfile/any_file.txt", + "similarity_id": "47d6f707c904f56fe3ca1cc7bce1d2e0ae41d421da983110a5c15fc7e48105df", "line": 1, "issue_type": "MissingAttribute", "search_key": "FROM={{alpine:3.19 AS builder}}", 
@@ -119,19 +119,19 @@ "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/any_name/random_name", - "similarity_id": "ee3531797486eec98e3dd28ec8cc5f7f6f00743d1cf79cd47f6859df87026f59", - "line": 3, + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample5", + "similarity_id": "39dca689cbc39cfa0a74e0c08328183a511cbcb074518aa2abac6a45bb842bd3", + "line": 2, "issue_type": "MissingAttribute", - "search_key": "FROM={{alpine:3.19 AS builder}}", + "search_key": "FROM={{--platform=$BUILDPLATFORM golang:1.21}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/test_folder_names_case/Dockerfile/any_file.txt", - "similarity_id": "47d6f707c904f56fe3ca1cc7bce1d2e0ae41d421da983110a5c15fc7e48105df", + "file_name": "path/test/fixtures/dockerfile/test_folder_names_case/Dockerfiles/any_file.txt", + "similarity_id": "b58c4c4ed6c88b82fdf62608154342a31a2de95eaae39716ff4f6ccf1a5bcdda", "line": 1, "issue_type": "MissingAttribute", "search_key": "FROM={{alpine:3.19 AS builder}}", @@ -141,11 +141,11 @@ "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/case_insensitive_tests/any_name.ubi8", - "similarity_id": "ce95928798897e3f22c2677202d38812030cc2dfb5cf0470d397d7baaf8c1de1", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample1", + "similarity_id": "7375fc702e9b59cf845aac25968ab2926b5919806a6d739527f70a2727a6ec99", "line": 1, "issue_type": "MissingAttribute", - "search_key": "FROM={{alpine:3.19 as builder}}", + "search_key": "FROM={{--platform=linux/arm64 scratch}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", 
@@ -163,8 +163,8 @@ "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/case_insensitive_tests/any_name.debian", - "similarity_id": "c949a1c23fe7c61dea7daac22ce6a13ffb8dec65b4bcbeacc76bf295518e72ef", + "file_name": "path/test/fixtures/dockerfile/case_insensitive_tests/random_name", + "similarity_id": "4df62f3dddaa0fe84e53c387514ff1ffb2405fb47a80011271dfc6742078a0e8", "line": 1, "issue_type": "MissingAttribute", "search_key": "FROM={{alpine:3.19 as builder}}", @@ -174,8 +174,8 @@ "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/any_name/file_2.DOCKERfile", - "similarity_id": "29858cfa69a98973cc1ae10f84e66267240bd630126eba2ba15e58a7aa2dd54d", + "file_name": "path/test/fixtures/dockerfile/any_name/any_name.debian", + "similarity_id": "ef335c394fbaebc802c99ba59b1b3ec830043ac020b711efc7cf497752b73429", "line": 4, "issue_type": "MissingAttribute", "search_key": "FROM={{alpine:3.19 AS builder}}", 
@@ -185,20 +185,20 @@ "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/case_insensitive_tests/Dockerfile.something", - "similarity_id": "2b1d191f474528c93b66c1f5f891efd3763834725ed4008cbd216702f576ef20", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample8", + "similarity_id": "c35ae31bc00e26a4fd27b0605e5c4d84c5ae683b1354a7e7bc1917ab0f3a428e", "line": 1, "issue_type": "MissingAttribute", - "search_key": "FROM={{alpine:3.19 as builder}}", + "search_key": "FROM={{bighostnameusedasasample.example.com:4903/team/my-app:2.0}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/any_name/any_name.debian", - "similarity_id": "ef335c394fbaebc802c99ba59b1b3ec830043ac020b711efc7cf497752b73429", - "line": 4, + "file_name": "path/test/fixtures/dockerfile/any_name/file.Dockerfile", + "similarity_id": "1d972910b640dfb968ab630847182b4a19f44b78aeeaa0ef93c96c7e27aa8b6a", + "line": 6, "issue_type": "MissingAttribute", "search_key": "FROM={{alpine:3.19 AS builder}}", "search_line": -1, 
@@ -207,20 +207,31 @@ "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/Dockerfile-example", - "similarity_id": "aeaf42752011d846797cea09ce1a0eb5457673c67b0fb16914a0c639a253e5c7", + "file_name": "path/test/fixtures/dockerfile/test_folder_names/dockerfiles/any_file.txt", + "similarity_id": "e150676345e87674484ea970ca810125007b743069646ac448feaba242b7211f", "line": 1, "issue_type": "MissingAttribute", - "search_key": "FROM={{openjdk:10-jdk}}", + "search_key": "FROM={{alpine:3.19 AS builder}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/case_insensitive_tests/file_2.DOCKERfile", - "similarity_id": "b0694a2913d293ea034d0fe62bd549aed2dd316a81fb82b611a7ab901e32b1b6", - "line": 1, + "file_name": "path/test/fixtures/dockerfile/any_name/file_2.DOCKERfile", + "similarity_id": "29858cfa69a98973cc1ae10f84e66267240bd630126eba2ba15e58a7aa2dd54d", + "line": 4, + "issue_type": "MissingAttribute", + "search_key": "FROM={{alpine:3.19 AS builder}}", + "search_line": -1, + "search_value": "", + "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", + "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" + }, + { + "file_name": "path/test/fixtures/dockerfile/any_name/random_name", + "similarity_id": "ee3531797486eec98e3dd28ec8cc5f7f6f00743d1cf79cd47f6859df87026f59", + "line": 3, "issue_type": "MissingAttribute", "search_key": "FROM={{alpine:3.19 AS builder}}", "search_line": -1, 
@@ -240,9 +251,9 @@ "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/any_name/dockerFILE", - "similarity_id": "e97a5ec241eb063c5757aed13a666c8126e4375ac9aed300cdc72d4ae883dfdc", - "line": 6, + "file_name": "path/test/fixtures/dockerfile/test_folder_names/dockerfile/any_file.txt", + "similarity_id": "c2e7f0c0c566a723ff253f4a95e837749faba964ec008551c1f87a7faa476110", + "line": 1, "issue_type": "MissingAttribute", "search_key": "FROM={{alpine:3.19 AS builder}}", "search_line": -1, @@ -251,8 +262,8 @@ "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/test_folder_names/docker/any_file.txt", - "similarity_id": "9d78b93c92fe63c29dec006a12993b74dc6c6fbf29ae295ff7c6e19136657e2d", + "file_name": "path/test/fixtures/dockerfile/case_insensitive_tests/file_2.DOCKERfile", + "similarity_id": "b0694a2913d293ea034d0fe62bd549aed2dd316a81fb82b611a7ab901e32b1b6", "line": 1, "issue_type": "MissingAttribute", "search_key": "FROM={{alpine:3.19 AS builder}}", 
@@ -262,10 +273,43 @@ "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/test_folder_names_case/Dockerfiles/any_file.txt", - "similarity_id": "b58c4c4ed6c88b82fdf62608154342a31a2de95eaae39716ff4f6ccf1a5bcdda", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample4", + "similarity_id": "f6839684a157b7e9f44f88c6dcd262b4e4552eddc24e108e8b2555c6885c1853", "line": 1, "issue_type": "MissingAttribute", + "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest}}", + "search_line": -1, + "search_value": "", + "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", + "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" + }, + { + "file_name": "path/test/fixtures/dockerfile/case_insensitive_tests/Dockerfile.something", + "similarity_id": "2b1d191f474528c93b66c1f5f891efd3763834725ed4008cbd216702f576ef20", + "line": 1, + "issue_type": "MissingAttribute", + "search_key": "FROM={{alpine:3.19 as builder}}", + "search_line": -1, + "search_value": "", + "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", + "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" + }, + { + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample6", + "similarity_id": "f96970fdf815bc9bb95fef94b7e461be0c8a6014c66765a36c46168348d5015f", + "line": 1, + "issue_type": "MissingAttribute", + "search_key": "FROM={{--platform=linux/amd64 ubuntu}}", + "search_line": -1, + "search_value": "", + "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", + "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" + }, + { + "file_name": "path/test/fixtures/dockerfile/any_name/any_name.ubi8", + "similarity_id": "4d64348b27180d867de9cf04a51db582786ea6622adb94fb54fdbac03b284769", + "line": 4, + "issue_type": "MissingAttribute", "search_key": "FROM={{alpine:3.19 AS builder}}", 
"search_line": -1, "search_value": "", 
@@ -284,15 +328,59 @@ "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/any_name/any_name.ubi8", - "similarity_id": "4d64348b27180d867de9cf04a51db582786ea6622adb94fb54fdbac03b284769", - "line": 4, + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample3", + "similarity_id": "da5779454881d9f844e67f2a537820d144c7271fcac24d429583f826c393386e", + "line": 1, + "issue_type": "MissingAttribute", + "search_key": "FROM={{--platform=linux/amd64 alpine:latest}}", + "search_line": -1, + "search_value": "", + "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", + "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" + }, + { + "file_name": "path/test/fixtures/dockerfile/corrupted_dockerfile", + "similarity_id": "558c83370b9fc9e230035e00ff7b5302cd64c16f700e73c830579947e250a381", + "line": 1, + "issue_type": "MissingAttribute", + "search_key": "FROM={{alpine:latest}}", + "search_line": -1, + "search_value": "", + "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", + "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" + }, + { + "file_name": "path/test/fixtures/dockerfile/case_insensitive_tests/DOCKERfile.txt", + "similarity_id": "f9caf5d57d5872073bc7b7a555a3283708f72c9990689c8d4e6b3ce1957b496a", + "line": 1, + "issue_type": "MissingAttribute", + "search_key": "FROM={{alpine:3.19 as builder}}", + "search_line": -1, + "search_value": "", + "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", + "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" + }, + { + "file_name": "path/test/fixtures/dockerfile/test_folder_names/docker/any_file.txt", + "similarity_id": "9d78b93c92fe63c29dec006a12993b74dc6c6fbf29ae295ff7c6e19136657e2d", + "line": 1, "issue_type": "MissingAttribute", "search_key": "FROM={{alpine:3.19 AS builder}}", "search_line": -1, "search_value": 
"", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" + }, + { + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample2", + "similarity_id": "1e7b96b468341de289759fa97fb78d3c3ff3f7eec6b8ab23d3afd9b7c1bc5104", + "line": 1, + "issue_type": "MissingAttribute", + "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest AS builder}}", + "search_line": -1, + "search_value": "", + "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", + "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" } ] }, 
@@ -309,6 +397,72 @@ "description": "Using ADD to load external installation scripts could lead to an evil web server leveraging this and loading a malicious script.", "description_id": "0aedd324", "files": [ + { + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample5", + "similarity_id": "7858145601685ba90f4181fd4186ab8cabab8912e16d9a819b46955a7c53369a", + "line": 7, + "issue_type": "IncorrectValue", + "search_key": "FROM={{--platform=$BUILDPLATFORM golang:1.21}}.{{ADD ${JAR_FILE} app.jar}}", + "search_line": -1, + "search_value": "", + "expected_value": "'COPY' ${JAR_FILE}", + "actual_value": "'ADD' ${JAR_FILE}" + }, + { + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample2", + "similarity_id": "c2087c8c5c4fe143dc0ee2644b74ded89979db4380fef678ff4a520355ff30de", + "line": 5, + "issue_type": "IncorrectValue", + "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest AS builder}}.{{ADD ${JAR_FILE} app.jar}}", + "search_line": -1, + "search_value": "", + "expected_value": "'COPY' ${JAR_FILE}", + "actual_value": "'ADD' ${JAR_FILE}" + }, + { + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample8", + "similarity_id": "548e63b12a9ed4e2f9f07975ec535c6bdaee35075207d0c927eab288096fec81", + "line": 3, + "issue_type": "IncorrectValue", + "search_key": "FROM={{bighostnameusedasasample.example.com:4903/team/my-app:2.0}}.{{ADD ${JAR_FILE} app.jar}}", + "search_line": -1, + "search_value": "", + "expected_value": "'COPY' ${JAR_FILE}", + "actual_value": "'ADD' ${JAR_FILE}" + }, + { + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample1", + "similarity_id": "7442e1998c8ab26068c3a53221ea6499416a92416c7721796c140d20f59c67d4", + "line": 4, + "issue_type": "IncorrectValue", + "search_key": "FROM={{--platform=linux/arm64 scratch}}.{{ADD ${JAR_FILE} app.jar}}", + "search_line": -1, + "search_value": "", + "expected_value": "'COPY' ${JAR_FILE}", + "actual_value": "'ADD' ${JAR_FILE}" + }, + { + 
"file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample3", + "similarity_id": "bb1c9e972be6ffcd7d45ee396fb8fea5e8cd942f65ce28e92504ae07bbb1cde2", + "line": 4, + "issue_type": "IncorrectValue", + "search_key": "FROM={{--platform=linux/amd64 alpine:latest}}.{{ADD ${JAR_FILE} app.jar}}", + "search_line": -1, + "search_value": "", + "expected_value": "'COPY' ${JAR_FILE}", + "actual_value": "'ADD' ${JAR_FILE}" + }, + { + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample6", + "similarity_id": "ad808a777684d1993fbaa775aa514c4334e1949e1a18bd4047d1e257fd24e402", + "line": 3, + "issue_type": "IncorrectValue", + "search_key": "FROM={{--platform=linux/amd64 ubuntu}}.{{ADD ${JAR_FILE} app.jar}}", + "search_line": -1, + "search_value": "", + "expected_value": "'COPY' ${JAR_FILE}", + "actual_value": "'ADD' ${JAR_FILE}" + }, { "file_name": "path/test/fixtures/dockerfile/Dockerfile-example", "similarity_id": "9d6bb1f4ca1093d79890b1b24b00dbb2e8fa60ca0df6b2ba391db348256eec6f", 
@@ -319,6 +473,91 @@ "search_value": "", "expected_value": "'COPY' ${JAR_FILE}", "actual_value": "'ADD' ${JAR_FILE}" + }, + { + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample4", + "similarity_id": "de7635eaa00ecfd9f126b5d020ba38c55b36aef6673a4656308f683fabd999cc", + "line": 4, + "issue_type": "IncorrectValue", + "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest}}.{{ADD ${JAR_FILE} app.jar}}", + "search_line": -1, + "search_value": "", + "expected_value": "'COPY' ${JAR_FILE}", + "actual_value": "'ADD' ${JAR_FILE}" + }, + { + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample7", + "similarity_id": "ac33450fdf5546f7017cb4137d2c42e4bab228ac2d19bb5b04b3d71f0440b786", + "line": 3, + "issue_type": "IncorrectValue", + "search_key": "FROM={{example.com:5000/team/my-app:2.0}}.{{ADD ${JAR_FILE} app.jar}}", + "search_line": -1, + "search_value": "", + "expected_value": "'COPY' ${JAR_FILE}", + "actual_value": "'ADD' ${JAR_FILE}" + } + ] + }, + { + "query_name": "Apt Get Install Pin Version Not Defined", + "query_id": "965a08d7-ef86-4f14-8792-4a3b2098937e", + "query_url": "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", + "severity": "MEDIUM", + "platform": "Dockerfile", + "cwe": "1357", + "risk_score": "5.7", + "category": "Supply-Chain", + "experimental": false, + "description": "When installing a package, its pin version should be defined", + "description_id": "e0e1edad", + "files": [ + { + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample2", + "similarity_id": "c6cf3b49153bb6dcd4adc45c5aa9d50c4e4cd32e84562182d1aca7683d3b0027", + "line": 2, + "issue_type": "MissingAttribute", + "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest AS builder}}.RUN={{apt-get update \u0026\u0026 apt-get install -y gcc}}", + "search_line": -1, + "search_value": "gcc", + "expected_value": "Package 'gcc' has version defined", + "actual_value": "Package 'gcc' does not have version 
defined" + }, + { + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample4", + "similarity_id": "4b9d23dc01eea21711278e609dfb25ba41563568125ee505d995c1888c7bdff7", + "line": 2, + "issue_type": "MissingAttribute", + "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest}}.RUN={{apt-get update \u0026\u0026 apt-get install -y curl}}", + "search_line": -1, + "search_value": "curl", + "expected_value": "Package 'curl' has version defined", + "actual_value": "Package 'curl' does not have version defined" + } + ] + }, + { + "query_name": "Image Version Not Explicit", + "query_id": "9efb0b2d-89c9-41a3-91ca-dcc0aec911fd", + "query_url": "https://docs.docker.com/engine/reference/builder/#from", + "severity": "MEDIUM", + "platform": "Dockerfile", + "cwe": "1357", + "risk_score": "6.4", + "category": "Supply-Chain", + "experimental": false, + "description": "Always tag the version of an image explicitly", + "description_id": "4f469f06", + "files": [ + { + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample6", + "similarity_id": "4115302289fdd8823e1e65125035c7b26ce305abea4ddbb2803a967ba326fc94", + "line": 1, + "issue_type": "MissingAttribute", + "search_key": "FROM={{--platform=linux/amd64 ubuntu}}", + "search_line": -1, + "search_value": "", + "expected_value": "FROM ubuntu:'version'", + "actual_value": "FROM ubuntu'" } ] }, 
@@ -345,6 +584,39 @@ "search_value": "", "expected_value": "FROM alpine:latest:'version' where version should not be 'latest'", "actual_value": "FROM alpine:latest'" + }, + { + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample2", + "similarity_id": "57a39816dc53307dd637cfd04019f480144a85881ea41111523d6a0c1c7443db", + "line": 1, + "issue_type": "IncorrectValue", + "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest AS builder}}", + "search_line": -1, + "search_value": "", + "expected_value": "FROM ubuntu:latest:'version' where version should not be 'latest'", + "actual_value": "FROM ubuntu:latest'" + }, + { + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample4", + "similarity_id": "9ad08db04cbefba3b4ba6e3f740c3f96df285f51223faff802429fe6df561505", + "line": 1, + "issue_type": "IncorrectValue", + "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest}}", + "search_line": -1, + "search_value": "", + "expected_value": "FROM ubuntu:latest:'version' where version should not be 'latest'", + "actual_value": "FROM ubuntu:latest'" + }, + { + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample3", + "similarity_id": "471d11a25255b3b36ed1e24e4be107ba3540c8adfa7ea78114ff922938c76e0e", + "line": 1, + "issue_type": "IncorrectValue", + "search_key": "FROM={{--platform=linux/amd64 alpine:latest}}", + "search_line": -1, + "search_value": "", + "expected_value": "FROM alpine:latest:'version' where version should not be 'latest'", + "actual_value": "FROM alpine:latest'" } ] }, 
@@ -388,11 +660,33 @@ "description_id": "426121ee", "files": [ { - "file_name": "path/test/fixtures/dockerfile/Dockerfile-example", - "similarity_id": "4d0420e48f4c7d991ed6694980266d5b7313da8abb2e29b2dd777ce7c6f6251d", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample6", + "similarity_id": "793c4c04fb00909f9ff987900ac66f10b1d68b37ab8cb61aaf4cc2499b27e76d", "line": 1, "issue_type": "MissingAttribute", - "search_key": "FROM={{openjdk:10-jdk}}", + "search_key": "FROM={{--platform=linux/amd64 ubuntu}}", + "search_line": -1, + "search_value": "", + "expected_value": "Dockerfile should contain instruction 'HEALTHCHECK'", + "actual_value": "Dockerfile doesn't contain instruction 'HEALTHCHECK'" + }, + { + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample2", + "similarity_id": "6a3dc950b6f1c8fee780cf65eec65c48706fcb0f7292b7576851db3fb5fdb378", + "line": 1, + "issue_type": "MissingAttribute", + "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest AS builder}}", + "search_line": -1, + "search_value": "", + "expected_value": "Dockerfile should contain instruction 'HEALTHCHECK'", + "actual_value": "Dockerfile doesn't contain instruction 'HEALTHCHECK'" + }, + { + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample3", + "similarity_id": "eaa3721d654875beadcda8ad4554bf8bcb96fc9a2e57812d01a8c7d44b2c6473", + "line": 1, + "issue_type": "MissingAttribute", + "search_key": "FROM={{--platform=linux/amd64 alpine:latest}}", "search_line": -1, "search_value": "", "expected_value": "Dockerfile should contain instruction 'HEALTHCHECK'", 
@@ -408,6 +702,228 @@ "search_value": "", "expected_value": "Dockerfile should contain instruction 'HEALTHCHECK'", "actual_value": "Dockerfile doesn't contain instruction 'HEALTHCHECK'" + }, + { + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample1", + "similarity_id": "9519f3139dd49d6da04ba94110c99a9c265e54a9e014989a00fc3a3819414be9", + "line": 1, + "issue_type": "MissingAttribute", + "search_key": "FROM={{--platform=linux/arm64 scratch}}", + "search_line": -1, + "search_value": "", + "expected_value": "Dockerfile should contain instruction 'HEALTHCHECK'", + "actual_value": "Dockerfile doesn't contain instruction 'HEALTHCHECK'" + }, + { + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample7", + "similarity_id": "e89f925361ec276fb8b93af3d5e9796d518b266bfbaacf37cd314f1f4963b883", + "line": 1, + "issue_type": "MissingAttribute", + "search_key": "FROM={{example.com:5000/team/my-app:2.0}}", + "search_line": -1, + "search_value": "", + "expected_value": "Dockerfile should contain instruction 'HEALTHCHECK'", + "actual_value": "Dockerfile doesn't contain instruction 'HEALTHCHECK'" + }, + { + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample8", + "similarity_id": "fa449aaa7035f6bb3d231cdd171c20b3c9da2a8dcb1b79915d638e8a153dc30c", + "line": 1, + "issue_type": "MissingAttribute", + "search_key": "FROM={{bighostnameusedasasample.example.com:4903/team/my-app:2.0}}", + "search_line": -1, + "search_value": "", + "expected_value": "Dockerfile should contain instruction 'HEALTHCHECK'", + "actual_value": "Dockerfile doesn't contain instruction 'HEALTHCHECK'" + }, + { + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample4", + "similarity_id": "f387ad8dacb9120f378f376aeba5e2b43cccf7366cb8903cdc44c3c818d7a389", + "line": 1, + "issue_type": "MissingAttribute", + "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest}}", + "search_line": -1, + "search_value": "", + "expected_value": 
"Dockerfile should contain instruction 'HEALTHCHECK'", + "actual_value": "Dockerfile doesn't contain instruction 'HEALTHCHECK'" + }, + { + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample5", + "similarity_id": "e7f0c53246eb7dea6653d51a229d156b19c050b8a3951f42df0f29d3eb89ed59", + "line": 2, + "issue_type": "MissingAttribute", + "search_key": "FROM={{--platform=$BUILDPLATFORM golang:1.21}}", + "search_line": -1, + "search_value": "", + "expected_value": "Dockerfile should contain instruction 'HEALTHCHECK'", + "actual_value": "Dockerfile doesn't contain instruction 'HEALTHCHECK'" + }, + { + "file_name": "path/test/fixtures/dockerfile/Dockerfile-example", + "similarity_id": "4d0420e48f4c7d991ed6694980266d5b7313da8abb2e29b2dd777ce7c6f6251d", + "line": 1, + "issue_type": "MissingAttribute", + "search_key": "FROM={{openjdk:10-jdk}}", + "search_line": -1, + "search_value": "", + "expected_value": "Dockerfile should contain instruction 'HEALTHCHECK'", + "actual_value": "Dockerfile doesn't contain instruction 'HEALTHCHECK'" + } + ] + }, + { + "query_name": "APT-GET Not Avoiding Additional Packages", + "query_id": "7384dfb2-fcd1-4fbf-91cd-6c44c318c33c", + "query_url": "https://docs.docker.com/engine/reference/builder/#run", + "severity": "INFO", + "platform": "Dockerfile", + "cwe": "710", + "risk_score": "0.0", + "category": "Supply-Chain", + "experimental": false, + "description": "Check if any apt-get installs don't use '--no-install-recommends' flag to avoid installing additional packages.", + "description_id": "2e92d18c", + "files": [ + { + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample2", + "similarity_id": "4dcd78fa70e76351869412e7f8fb9c15efefa99100d3774eb9fc81ea9926a117", + "line": 2, + "issue_type": "IncorrectValue", + "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest AS builder}}.{{RUN apt-get update \u0026\u0026 apt-get install -y gcc}}", + "search_line": -1, + "search_value": "", + "expected_value": 
"'RUN apt-get update \u0026\u0026 apt-get install -y gcc' uses '--no-install-recommends' flag to avoid installing additional packages", + "actual_value": "'RUN apt-get update \u0026\u0026 apt-get install -y gcc' does not use '--no-install-recommends' flag to avoid installing additional packages" + }, + { + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample4", + "similarity_id": "912d16cba22eec66e1706a01d4bdb5eb0ec02cb3c77b19a050e4dd009b3a20c5", + "line": 2, + "issue_type": "IncorrectValue", + "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest}}.{{RUN apt-get update \u0026\u0026 apt-get install -y curl}}", + "search_line": -1, + "search_value": "", + "expected_value": "'RUN apt-get update \u0026\u0026 apt-get install -y curl' uses '--no-install-recommends' flag to avoid installing additional packages", + "actual_value": "'RUN apt-get update \u0026\u0026 apt-get install -y curl' does not use '--no-install-recommends' flag to avoid installing additional packages" + } + ] + }, + { + "query_name": "Apt Get Install Lists Were Not Deleted", + "query_id": "df746b39-6564-4fed-bf85-e9c44382303c", + "query_url": "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", + "severity": "INFO", + "platform": "Dockerfile", + "cwe": "459", + "risk_score": "0.0", + "category": "Supply-Chain", + "experimental": false, + "description": "After using apt-get install, it is needed to delete apt-get lists", + "description_id": "4236a50c", + "files": [ + { + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample2", + "similarity_id": "9e9f33dd54e38743c0c1c428075fc0f85535100e57f417ef948b77c2ecd4f96c", + "line": 2, + "issue_type": "IncorrectValue", + "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest AS builder}}.RUN={{apt-get update \u0026\u0026 apt-get install -y gcc}}", + "search_line": -1, + "search_value": "", + "expected_value": "After using apt-get install, the apt-get lists should be deleted", + 
"actual_value": "After using apt-get install, the apt-get lists were not deleted" + }, + { + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample4", + "similarity_id": "609d0ab8b60e35e18f5c0a58a4e924fadf731a6aafdb5edbc0567111eb8de5a1", + "line": 2, + "issue_type": "IncorrectValue", + "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest}}.RUN={{apt-get update \u0026\u0026 apt-get install -y curl}}", + "search_line": -1, + "search_value": "", + "expected_value": "After using apt-get install, the apt-get lists should be deleted", + "actual_value": "After using apt-get install, the apt-get lists were not deleted" + } + ] + }, + { + "query_name": "Using Platform Flag with FROM Command", + "query_id": "b16e8501-ef3c-44e1-a543-a093238099c9", + "query_url": "https://docs.docker.com/engine/reference/builder/#from", + "severity": "INFO", + "platform": "Dockerfile", + "cwe": "695", + "risk_score": "0.0", + "cloud_provider": "COMMON", + "category": "Best Practices", + "experimental": false, + "description": "'FROM' instruction should not use the flag '--platform'", + "description_id": "5bd0baab", + "files": [ + { + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample3", + "similarity_id": "c18b0b59bf46304c5cb40e5e7d9ed707a9a186c75328644b006e9a0d2933de1b", + "line": 1, + "issue_type": "IncorrectValue", + "search_key": "FROM={{--platform=linux/amd64 alpine:latest}}.{{FROM --platform=linux/amd64 alpine:latest}}", + "search_line": -1, + "search_value": "", + "expected_value": "FROM={{--platform=linux/amd64 alpine:latest}}.{{FROM --platform=linux/amd64 alpine:latest}} should not use the '--platform' flag", + "actual_value": "FROM={{--platform=linux/amd64 alpine:latest}}.{{FROM --platform=linux/amd64 alpine:latest}} is using the '--platform' flag" + }, + { + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample6", + "similarity_id": "ad64ddb9f4a2c79d5ba2affc8da6498eebe54415c5bc131baf0498e51d838b27", + "line": 1, 
+ "issue_type": "IncorrectValue", + "search_key": "FROM={{--platform=linux/amd64 ubuntu}}.{{FROM --platform=linux/amd64 ubuntu}}", + "search_line": -1, + "search_value": "", + "expected_value": "FROM={{--platform=linux/amd64 ubuntu}}.{{FROM --platform=linux/amd64 ubuntu}} should not use the '--platform' flag", + "actual_value": "FROM={{--platform=linux/amd64 ubuntu}}.{{FROM --platform=linux/amd64 ubuntu}} is using the '--platform' flag" + }, + { + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample1", + "similarity_id": "b5e933470891a86661890b79a9ca81f554dc8d2124e8b52737399ad667e21788", + "line": 1, + "issue_type": "IncorrectValue", + "search_key": "FROM={{--platform=linux/arm64 scratch}}.{{FROM --platform=linux/arm64 scratch}}", + "search_line": -1, + "search_value": "", + "expected_value": "FROM={{--platform=linux/arm64 scratch}}.{{FROM --platform=linux/arm64 scratch}} should not use the '--platform' flag", + "actual_value": "FROM={{--platform=linux/arm64 scratch}}.{{FROM --platform=linux/arm64 scratch}} is using the '--platform' flag" + }, + { + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample5", + "similarity_id": "c19f45ee26938f1021cc6c749c8405eb13d5ac805ca3eed5b87ad5547f52c680", + "line": 2, + "issue_type": "IncorrectValue", + "search_key": "FROM={{--platform=$BUILDPLATFORM golang:1.21}}.{{FROM --platform=$BUILDPLATFORM golang:1.21}}", + "search_line": -1, + "search_value": "", + "expected_value": "FROM={{--platform=$BUILDPLATFORM golang:1.21}}.{{FROM --platform=$BUILDPLATFORM golang:1.21}} should not use the '--platform' flag", + "actual_value": "FROM={{--platform=$BUILDPLATFORM golang:1.21}}.{{FROM --platform=$BUILDPLATFORM golang:1.21}} is using the '--platform' flag" + }, + { + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample4", + "similarity_id": "6dacf05a9b1980a2fe019ec2208731e9bbcf1dc32f94cc6e87b36b46d004a9d6", + "line": 1, + "issue_type": "IncorrectValue", + "search_key": 
"FROM={{--platform=linux/amd64 ubuntu:latest}}.{{FROM --platform=linux/amd64 ubuntu:latest}}", + "search_line": -1, + "search_value": "", + "expected_value": "FROM={{--platform=linux/amd64 ubuntu:latest}}.{{FROM --platform=linux/amd64 ubuntu:latest}} should not use the '--platform' flag", + "actual_value": "FROM={{--platform=linux/amd64 ubuntu:latest}}.{{FROM --platform=linux/amd64 ubuntu:latest}} is using the '--platform' flag" + }, + { + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample2", + "similarity_id": "3369062c5c80ef20b457c5b93c136c3045cbd7d8e1e5d04ece08284440b80a8e", + "line": 1, + "issue_type": "IncorrectValue", + "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest AS builder}}.{{FROM --platform=linux/amd64 ubuntu:latest AS builder}}", + "search_line": -1, + "search_value": "", + "expected_value": "FROM={{--platform=linux/amd64 ubuntu:latest AS builder}}.{{FROM --platform=linux/amd64 ubuntu:latest AS builder}} should not use the '--platform' flag", + "actual_value": "FROM={{--platform=linux/amd64 ubuntu:latest AS builder}}.{{FROM --platform=linux/amd64 ubuntu:latest AS builder}} is using the '--platform' flag" } ] } From d7d9005f1588034a58653dab12796ac88b15a7c0 Mon Sep 17 00:00:00 2001 From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Tue, 14 Apr 2026 17:58:56 +0100 Subject: [PATCH 71/84] Final fix for E2E plus the test file removal that should have been in previous commit --- e2e/fixtures/E2E_CLI_106_PAYLOAD.json | 128 +++++++++--------- .../dockerfile/dockerfiles/python_sample.py | 4 - 2 files changed, 64 insertions(+), 68 deletions(-) delete mode 100644 test/fixtures/dockerfile/dockerfiles/python_sample.py diff --git a/e2e/fixtures/E2E_CLI_106_PAYLOAD.json b/e2e/fixtures/E2E_CLI_106_PAYLOAD.json index f6e54c4ea43..fe23ad63522 100644 --- a/e2e/fixtures/E2E_CLI_106_PAYLOAD.json +++ b/e2e/fixtures/E2E_CLI_106_PAYLOAD.json 
@@ -95,8 +95,8 @@ } ] }, - "file": "../test/fixtures/dockerfile/Dockerfile-example", - "id": "642ad448-baac-4d93-a84a-03cd1dc3838d" + "file": "file", + "id": "0" }, { "args": [], @@ -149,8 +149,8 @@ } ] }, - "file": "../test/fixtures/dockerfile/any_name/DOCKERfile.txt", - "id": "473ae0ea-61c1-4b4e-b60d-1788f4ffa4ac" + "file": "file", + "id": "0" }, { "args": [ @@ -228,8 +228,8 @@ } ] }, - "file": "../test/fixtures/dockerfile/any_name/Dockerfile.something", - "id": "67c9db37-1f48-465b-bd63-e092bcdda028" + "file": "file", + "id": "0" }, { "args": [ @@ -307,8 +307,8 @@ } ] }, - "file": "../test/fixtures/dockerfile/any_name/any_name.debian", - "id": "c3867724-c34f-439a-9e60-ae3478c03912" + "file": "file", + "id": "0" }, { "args": [ @@ -386,8 +386,8 @@ } ] }, - "file": "../test/fixtures/dockerfile/any_name/any_name.ubi8", - "id": "f75b700b-983e-4448-b4f0-5dafb6f702bd" + "file": "file", + "id": "0" }, { "args": [ @@ -465,8 +465,8 @@ } ] }, - "file": "../test/fixtures/dockerfile/any_name/dockerFILE", - "id": "93231545-8aa9-4c86-b1a5-aeb72ed75013" + "file": "file", + "id": "0" }, { "args": [ @@ -532,8 +532,8 @@ } ] }, - "file": "../test/fixtures/dockerfile/any_name/file.Dockerfile", - "id": "5b574486-7742-47ea-95c8-64a12a014c7d" + "file": "file", + "id": "0" }, { "args": [ @@ -599,8 +599,8 @@ } ] }, - "file": "../test/fixtures/dockerfile/any_name/file_2.DOCKERfile", - "id": "68ab189b-439b-4e6f-907d-5e518b162941" + "file": "file", + "id": "0" }, { "args": [ @@ -666,8 +666,8 @@ } ] }, - "file": "../test/fixtures/dockerfile/any_name/random_name", - "id": "1974d0b3-0bf0-45dc-80c3-e7533dc0cf81" + "file": "file", + "id": "0" }, { "args": [], @@ -720,8 +720,8 @@ } ] }, - "file": "../test/fixtures/dockerfile/case_insensitive_tests/DOCKERfile.txt", - "id": "ea99ceac-12a4-4672-9282-e34336d48ad8" + "file": "file", + "id": "0" }, { "args": [ 
@@ -799,8 +799,8 @@ } ] }, - "file": "../test/fixtures/dockerfile/case_insensitive_tests/Dockerfile.something", - "id": "fc3fa3c3-ef24-4032-bde8-7215870a1064" + "file": "file", + "id": "0" }, { "args": [ @@ -878,8 +878,8 @@ } ] }, - "file": "../test/fixtures/dockerfile/case_insensitive_tests/any_name.debian", - "id": "82d4be70-fc35-4869-b1b2-3a7af63eaefe" + "file": "file", + "id": "0" }, { "args": [ @@ -957,8 +957,8 @@ } ] }, - "file": "../test/fixtures/dockerfile/case_insensitive_tests/any_name.ubi8", - "id": "2bdab0c9-53c3-4fad-8fae-6431682d9752" + "file": "file", + "id": "0" }, { "args": [ @@ -1036,8 +1036,8 @@ } ] }, - "file": "../test/fixtures/dockerfile/case_insensitive_tests/dockerFILE", - "id": "9756f049-fa73-4004-abfc-30447d8f9daa" + "file": "file", + "id": "0" }, { "args": [ @@ -1103,8 +1103,8 @@ } ] }, - "file": "../test/fixtures/dockerfile/case_insensitive_tests/file.Dockerfile", - "id": "7fa06995-2b59-4a58-b3aa-ec2fd81e3e7b" + "file": "file", + "id": "0" }, { "args": [ @@ -1170,8 +1170,8 @@ } ] }, - "file": "../test/fixtures/dockerfile/case_insensitive_tests/file_2.DOCKERfile", - "id": "56c3ad64-8527-48f5-87ef-6c1049bda118" + "file": "file", + "id": "0" }, { "args": [ @@ -1237,8 +1237,8 @@ } ] }, - "file": "../test/fixtures/dockerfile/case_insensitive_tests/random_name", - "id": "adbb6d2b-d2dc-4d65-8994-d57a73e05035" + "file": "file", + "id": "0" }, { "args": [], @@ -1285,8 +1285,8 @@ } ] }, - "file": "../test/fixtures/dockerfile/corrupted_dockerfile", - "id": "a4fba452-33cb-4802-8e99-1de54bc8a814" + "file": "file", + "id": "0" }, { "args": [], @@ -1346,8 +1346,8 @@ } ] }, - "file": "../test/fixtures/dockerfile/should_generate_payload/sample1", - "id": "63b92b43-2d56-4602-af11-5c5d544f91b0" + "file": "file", + "id": "0" }, { "args": [], @@ -1421,8 +1421,8 @@ } ] }, - "file": "../test/fixtures/dockerfile/should_generate_payload/sample2", - "id": "8e7173a5-eb7f-4b72-9124-504498687f6b" + "file": "file", + "id": "0" }, { "args": [], 
@@ -1484,8 +1484,8 @@ } ] }, - "file": "../test/fixtures/dockerfile/should_generate_payload/sample3", - "id": "9e309d8f-9236-4320-aeb5-e6338afad188" + "file": "file", + "id": "0" }, { "args": [], @@ -1544,8 +1544,8 @@ } ] }, - "file": "../test/fixtures/dockerfile/should_generate_payload/sample4", - "id": "5d4a9144-c86e-4bed-a018-03d93120cd77" + "file": "file", + "id": "0" }, { "args": [ @@ -1642,8 +1642,8 @@ } ] }, - "file": "../test/fixtures/dockerfile/should_generate_payload/sample5", - "id": "53169e02-57cb-4930-9f6a-9e83afaf30b6" + "file": "file", + "id": "0" }, { "args": [], @@ -1690,8 +1690,8 @@ } ] }, - "file": "../test/fixtures/dockerfile/should_generate_payload/sample6", - "id": "2c80b3a1-57f5-4f73-91bb-19e2174beb01" + "file": "file", + "id": "0" }, { "args": [], @@ -1736,8 +1736,8 @@ } ] }, - "file": "../test/fixtures/dockerfile/should_generate_payload/sample7", - "id": "d2b0dd02-9e09-4723-94d3-b71065c2b669" + "file": "file", + "id": "0" }, { "args": [], @@ -1782,8 +1782,8 @@ } ] }, - "file": "../test/fixtures/dockerfile/should_generate_payload/sample8", - "id": "df6865bc-6af6-450d-9e82-5002f02b1077" + "file": "file", + "id": "0" }, { "args": [], @@ -1836,8 +1836,8 @@ } ] }, - "file": "../test/fixtures/dockerfile/test_folder_names/docker/any_file.txt", - "id": "5a51adb1-fe50-4830-9fb3-de1e78c78bba" + "file": "file", + "id": "0" }, { "args": [], @@ -1890,8 +1890,8 @@ } ] }, - "file": "../test/fixtures/dockerfile/test_folder_names/dockerfile/any_file.txt", - "id": "32a0c395-eb13-4bd9-a7f0-1ce1c8d50746" + "file": "file", + "id": "0" }, { "args": [], @@ -1944,8 +1944,8 @@ } ] }, - "file": "../test/fixtures/dockerfile/test_folder_names/dockerfiles/any_file.txt", - "id": "61f901f7-fc3f-4e57-9fcd-1e22a5b43a5a" + "file": "file", + "id": "0" }, { "args": [], @@ -1998,8 +1998,8 @@ } ] }, - "file": "../test/fixtures/dockerfile/test_folder_names_case/Docker/any_file.txt", - "id": "c693ecb3-eefa-4eb6-b331-456a4acf27d4" + "file": "file", + "id": "0" }, { "args": [], 
@@ -2052,8 +2052,8 @@ } ] }, - "file": "../test/fixtures/dockerfile/test_folder_names_case/Dockerfile/any_file.txt", - "id": "6d418be9-9293-4cfa-9076-def24bad356d" + "file": "file", + "id": "0" }, { "args": [], @@ -2106,8 +2106,8 @@ } ] }, - "file": "../test/fixtures/dockerfile/test_folder_names_case/Dockerfiles/any_file.txt", - "id": "2097b474-af54-4b09-b64d-52e58a01e25c" + "file": "file", + "id": "0" } ] } diff --git a/test/fixtures/dockerfile/dockerfiles/python_sample.py b/test/fixtures/dockerfile/dockerfiles/python_sample.py deleted file mode 100644 index 1a5f2c4cc4e..00000000000 --- a/test/fixtures/dockerfile/dockerfiles/python_sample.py +++ /dev/null @@ -1,4 +0,0 @@ -from urllib import request - -def main(): - print("coiso") \ No newline at end of file From be586a26f9183564395a5c5f81bfa90d2922f768 Mon Sep 17 00:00:00 2001 From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Thu, 16 Apr 2026 16:24:50 +0100 Subject: [PATCH 72/84] Fix previous merge with #7995 --- pkg/parser/docker/parser.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/parser/docker/parser.go b/pkg/parser/docker/parser.go index 3fb784a681e..f38d0b40c79 100644 --- a/pkg/parser/docker/parser.go +++ b/pkg/parser/docker/parser.go @@ -138,7 +138,7 @@ func (p *Parser) GetKind() model.FileKind { // SupportedExtensions returns Dockerfile extensions func (p *Parser) SupportedExtensions() []string { - return []string{"Dockerfile", ".dockerfile", ".ubi8", ".debian", "possibleDockerfile"} + return []string{".dockerfile"} } // SupportedTypes returns types supported by this parser, which are dockerfile From 8a0160529ec88bd0b30d9301f1e2c442313305cc Mon Sep 17 00:00:00 2001 
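Review bot: The doc comment on `SupportedExtensions` still reads `// SupportedExtensions returns Dockerfile extensions`, but after this change the parser advertises only `.dockerfile`, dropping the bare `Dockerfile` name, `.ubi8`, `.debian` and the `possibleDockerfile` sentinel. Earlier commits in this series moved Dockerfile identification into the analyzer (case-insensitive name and folder matching) and removed the FROM/RUN content check, so whether a file reaches this parser now presumably depends entirely on that upstream logic rather than on this list; the comment should say so, e.g. `// SupportedExtensions returns the only literal extension this parser claims; other Dockerfile spellings (bare "Dockerfile", .ubi8, .debian) are mapped to the dockerfile type by the analyzer before reaching here.` Any caller that consults SupportedExtensions directly to decide what to parse would silently stop seeing those files, which is worth confirming. The E2E result fixtures in this same series show files such as `test_folder_names/docker/any_file.txt` being reported as Dockerfiles, so it is also worth noting in the comment that the extension list no longer gates which files in docker-named folders are parsed.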
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Thu, 16 Apr 2026 18:07:06 +0100 Subject: [PATCH 73/84] Updates E2E fixtures --- e2e/fixtures/E2E_CLI_106_PAYLOAD.json | 147 +++++++- e2e/fixtures/E2E_CLI_106_RESULT.json | 483 +++++++++++++++----------- 2 files changed, 423 insertions(+), 207 deletions(-) diff --git a/e2e/fixtures/E2E_CLI_106_PAYLOAD.json b/e2e/fixtures/E2E_CLI_106_PAYLOAD.json index fe23ad63522..88e5d47515c 100644 --- a/e2e/fixtures/E2E_CLI_106_PAYLOAD.json +++ b/e2e/fixtures/E2E_CLI_106_PAYLOAD.json 
@@ -98,6 +98,145 @@ "file": "file", "id": "0" }, + { + "args": [], + "command": { + "ubuntu:latestnightly": [ + { + "Cmd": "from", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "FROM ubuntu:latestnightly", + "SubCmd": "", + "Value": [ + "ubuntu:latestnightly" + ], + "_kics_line": 1 + }, + { + "Cmd": "volume", + "EndLine": 2, + "Flags": [], + "JSON": false, + "Original": "VOLUME /tmp", + "SubCmd": "", + "Value": [ + "/tmp" + ], + "_kics_line": 2 + }, + { + "Cmd": "entrypoint", + "EndLine": 3, + "Flags": [], + "JSON": true, + "Original": "ENTRYPOINT [\"java\",\"-Djava.security.egd=file:/dev/./urandom\",\"-jar\",\"/app.jar\"]", + "SubCmd": "", + "Value": [ + "java", + "-Djava.security.egd=file:/dev/./urandom", + "-jar", + "/app.jar" + ], + "_kics_line": 3 + } + ], + "ubuntu:latestnightly(1)": [ + { + "Cmd": "from", + "EndLine": 5, + "Flags": [], + "JSON": false, + "Original": "FROM ubuntu:latestnightly", + "SubCmd": "", + "Value": [ + "ubuntu:latestnightly" + ], + "_kics_line": 5 + }, + { + "Cmd": "volume", + "EndLine": 6, + "Flags": [], + "JSON": false, + "Original": "VOLUME /tmp", + "SubCmd": "", + "Value": [ + "/tmp" + ], + "_kics_line": 6 + }, + { + "Cmd": "add", + "EndLine": 7, + "Flags": [], + "JSON": false, + "Original": "ADD http://source.file/package.file.tar.gz /temp", + "SubCmd": "", + "Value": [ + "http://source.file/package.file.tar.gz", + "/temp" + ], + "_kics_line": 7 + }, + { + "Cmd": "run", + "EndLine": 8, + "Flags": [], + "JSON": false, + "Original": "RUN tar -xjf /temp/package.file.tar.gz", + "SubCmd": "", + "Value": [ + "tar -xjf /temp/package.file.tar.gz" + ], + "_kics_line": 8 + }, + { + "Cmd": "arg", + "EndLine": 9, + "Flags": [], + "JSON": false, + "Original": "ARG JAR_FILE", + "SubCmd": "", + "Value": [ + "JAR_FILE" + ], + "_kics_line": 9 + }, + { + "Cmd": "add", + "EndLine": 10, + "Flags": [], + "JSON": false, + "Original": "ADD ${JAR_FILE} app.jar", + "SubCmd": "", + "Value": [ + "${JAR_FILE}", + "app.jar" + ], + 
"_kics_line": 10 + }, + { + "Cmd": "entrypoint", + "EndLine": 11, + "Flags": [], + "JSON": true, + "Original": "ENTRYPOINT [\"java\",\"-Djava.security.egd=file:/dev/./urandom\",\"-jar\",\"/app.jar\"]", + "SubCmd": "", + "Value": [ + "java", + "-Djava.security.egd=file:/dev/./urandom", + "-jar", + "/app.jar" + ], + "_kics_line": 11 + } + ] + }, + "file": "file", + "id": "0" + }, { "args": [], "command": { @@ -1374,10 +1513,10 @@ "EndLine": 2, "Flags": [], "JSON": false, - "Original": "RUN apt-get update \u0026\u0026 apt-get install -y gcc", + "Original": "RUN apt-get update && apt-get install -y gcc", "SubCmd": "", "Value": [ - "apt-get update \u0026\u0026 apt-get install -y gcc" + "apt-get update && apt-get install -y gcc" ], "_kics_line": 2 }, @@ -1510,10 +1649,10 @@ "EndLine": 2, "Flags": [], "JSON": false, - "Original": "RUN apt-get update \u0026\u0026 apt-get install -y curl", + "Original": "RUN apt-get update && apt-get install -y curl", "SubCmd": "", "Value": [ - "apt-get update \u0026\u0026 apt-get install -y curl" + "apt-get update && apt-get install -y curl" ], "_kics_line": 2 }, diff --git a/e2e/fixtures/E2E_CLI_106_RESULT.json b/e2e/fixtures/E2E_CLI_106_RESULT.json index 7a2be2a9361..6c543370eda 100644 --- a/e2e/fixtures/E2E_CLI_106_RESULT.json +++ b/e2e/fixtures/E2E_CLI_106_RESULT.json @@ -1,9 +1,9 @@ { "kics_version": "development", - "files_scanned": 32, - "lines_scanned": 235, - "files_parsed": 32, - "lines_parsed": 227, + "files_scanned": 33, + "lines_scanned": 247, + "files_parsed": 33, + "lines_parsed": 239, "lines_ignored": 8, "files_failed_to_scan": 0, "queries_total": 48, 
@@ -12,16 +12,16 @@ "scan_id": "console", "severity_counters": { "CRITICAL": 0, - "HIGH": 31, + "HIGH": 33, "INFO": 10, - "LOW": 11, - "MEDIUM": 16, + "LOW": 13, + "MEDIUM": 19, "TRACE": 0 }, - "total_counter": 68, + "total_counter": 75, "total_bom_resources": 0, - "start": "2026-04-14T17:33:16.2521898+01:00", - "end": "2026-04-14T17:33:27.3968601+01:00", + "start": "2026-04-16T18:01:12.5085564+01:00", + "end": "2026-04-16T18:01:18.0228959+01:00", "paths": [ "/path/test/fixtures/dockerfile", "/path/test/fixtures/negative_dockerfile" 
@@ -42,31 +42,31 @@ "description_id": "eb49caf6", "files": [ { - "file_name": "path/test/fixtures/dockerfile/Dockerfile-example", - "similarity_id": "aeaf42752011d846797cea09ce1a0eb5457673c67b0fb16914a0c639a253e5c7", - "line": 1, + "file_name": "ppath/test/fixtures/dockerfile/case_insensitive_tests/any_name.debian", + "similarity_id": "3bcbe17d4e87888fabeadb6871fac6370dec66a162d8c94b3afed2327a3ecc11", + "line": 4, "issue_type": "MissingAttribute", - "search_key": "FROM={{openjdk:10-jdk}}", + "search_key": "from={{alpine:3.19 as builder}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample7", - "similarity_id": "03992dd5495adf4a9c4440fd1e116bb35670d88e71341f062410bc0da96f4f6e", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample6", + "similarity_id": "f96970fdf815bc9bb95fef94b7e461be0c8a6014c66765a36c46168348d5015f", "line": 1, "issue_type": "MissingAttribute", - "search_key": "FROM={{example.com:5000/team/my-app:2.0}}", + "search_key": "FROM={{--platform=linux/amd64 ubuntu}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/test_folder_names_case/Docker/any_file.txt", - "similarity_id": "6da391b0e3e24d85f72b3ace5db0569be32ef11e6f9a433b138ae4e0b004df58", - "line": 1, + "file_name": "path/test/fixtures/dockerfile/any_name/file_2.DOCKERfile", + "similarity_id": "29858cfa69a98973cc1ae10f84e66267240bd630126eba2ba15e58a7aa2dd54d", + "line": 4, "issue_type": "MissingAttribute", "search_key": "FROM={{alpine:3.19 AS builder}}", "search_line": -1, 
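Review bot: The first replaced entry in this hunk has `"file_name": "ppath/test/fixtures/dockerfile/case_insensitive_tests/any_name.debian"` with a doubled `p`, while every other entry in the fixture starts with `path/test/fixtures/`. Unless the e2e comparison normalises file names before matching, this entry will never line up with the scanner's output; it should read `"file_name": "path/test/fixtures/dockerfile/case_insensitive_tests/any_name.debian"`. The `similarity_id` on the next line also changed in the same hunk, so if that hash is derived from the file name it is worth regenerating it after correcting the path.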
@@ -75,42 +75,42 @@ "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/case_insensitive_tests/any_name.ubi8", - "similarity_id": "ce95928798897e3f22c2677202d38812030cc2dfb5cf0470d397d7baaf8c1de1", - "line": 1, + "file_name": "path/test/fixtures/dockerfile/case_insensitive_tests/file_2.DOCKERfile", + "similarity_id": "fbc4d6daf991234501dbcba5df28a58b2de1983ffbcc8b18d2f4546c295dfa39", + "line": 4, "issue_type": "MissingAttribute", - "search_key": "FROM={{alpine:3.19 as builder}}", + "search_key": "from={{alpine:3.19 AS builder}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/case_insensitive_tests/any_name.debian", - "similarity_id": "c949a1c23fe7c61dea7daac22ce6a13ffb8dec65b4bcbeacc76bf295518e72ef", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample8", + "similarity_id": "c35ae31bc00e26a4fd27b0605e5c4d84c5ae683b1354a7e7bc1917ab0f3a428e", "line": 1, "issue_type": "MissingAttribute", - "search_key": "FROM={{alpine:3.19 as builder}}", + "search_key": "FROM={{bighostnameusedasasample.example.com:4903/team/my-app:2.0}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/any_name/dockerFILE", - "similarity_id": "e97a5ec241eb063c5757aed13a666c8126e4375ac9aed300cdc72d4ae883dfdc", + "file_name": "path/test/fixtures/dockerfile/case_insensitive_tests/file.Dockerfile", + "similarity_id": "5f4fd65d6c624e63abde45a2c7fbfc4a3c64ab9e7b7bc95ddde9b861818aedfc", "line": 6, "issue_type": "MissingAttribute", - "search_key": "FROM={{alpine:3.19 AS builder}}", + "search_key": "from={{alpine:3.19 as builder}}", 
"search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/test_folder_names_case/Dockerfile/any_file.txt", - "similarity_id": "47d6f707c904f56fe3ca1cc7bce1d2e0ae41d421da983110a5c15fc7e48105df", - "line": 1, + "file_name": "path/test/fixtures/dockerfile/any_name/any_name.debian", + "similarity_id": "ef335c394fbaebc802c99ba59b1b3ec830043ac020b711efc7cf497752b73429", + "line": 4, "issue_type": "MissingAttribute", "search_key": "FROM={{alpine:3.19 AS builder}}", "search_line": -1, 
@@ -119,64 +119,64 @@ "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample5", - "similarity_id": "39dca689cbc39cfa0a74e0c08328183a511cbcb074518aa2abac6a45bb842bd3", - "line": 2, + "file_name": "path/test/fixtures/dockerfile/any_name/random_name", + "similarity_id": "ee3531797486eec98e3dd28ec8cc5f7f6f00743d1cf79cd47f6859df87026f59", + "line": 3, "issue_type": "MissingAttribute", - "search_key": "FROM={{--platform=$BUILDPLATFORM golang:1.21}}", + "search_key": "FROM={{alpine:3.19 AS builder}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/test_folder_names_case/Dockerfiles/any_file.txt", - "similarity_id": "b58c4c4ed6c88b82fdf62608154342a31a2de95eaae39716ff4f6ccf1a5bcdda", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample4", + "similarity_id": "f6839684a157b7e9f44f88c6dcd262b4e4552eddc24e108e8b2555c6885c1853", "line": 1, "issue_type": "MissingAttribute", - "search_key": "FROM={{alpine:3.19 AS builder}}", + "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample1", - "similarity_id": "7375fc702e9b59cf845aac25968ab2926b5919806a6d739527f70a2727a6ec99", - "line": 1, + "file_name": "path/test/fixtures/dockerfile/case_insensitive_tests/DOCKERfile.txt", + "similarity_id": "a1bc54f29a5cd60b430490ab4ddf040dde52e24f1a9c81544e3aae9e21704fe7", + "line": 13, "issue_type": "MissingAttribute", - "search_key": "FROM={{--platform=linux/arm64 scratch}}", + "search_key": "from={{alpine:3.19 
as builder}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/case_insensitive_tests/dockerFILE", - "similarity_id": "9977ed3614740afd406ca0a86f0df4da5e8680efbb6e9e66ff71ae1dc2d9025f", + "file_name": "path/test/fixtures/dockerfile/Dockerfile-example", + "similarity_id": "aeaf42752011d846797cea09ce1a0eb5457673c67b0fb16914a0c639a253e5c7", "line": 1, "issue_type": "MissingAttribute", - "search_key": "FROM={{alpine:3.19 as builder}}", + "search_key": "FROM={{openjdk:10-jdk}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/case_insensitive_tests/random_name", - "similarity_id": "4df62f3dddaa0fe84e53c387514ff1ffb2405fb47a80011271dfc6742078a0e8", + "file_name": "path/test/fixtures/dockerfile/test_folder_names/docker/any_file.txt", + "similarity_id": "9d78b93c92fe63c29dec006a12993b74dc6c6fbf29ae295ff7c6e19136657e2d", "line": 1, "issue_type": "MissingAttribute", - "search_key": "FROM={{alpine:3.19 as builder}}", + "search_key": "FROM={{alpine:3.19 AS builder}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/any_name/any_name.debian", - "similarity_id": "ef335c394fbaebc802c99ba59b1b3ec830043ac020b711efc7cf497752b73429", - "line": 4, + "file_name": "path/test/fixtures/dockerfile/test_folder_names/dockerfile/any_file.txt", + "similarity_id": "c2e7f0c0c566a723ff253f4a95e837749faba964ec008551c1f87a7faa476110", + "line": 1, "issue_type": "MissingAttribute", "search_key": "FROM={{alpine:3.19 AS builder}}", 
"search_line": -1, @@ -185,11 +185,11 @@ "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample8", - "similarity_id": "c35ae31bc00e26a4fd27b0605e5c4d84c5ae683b1354a7e7bc1917ab0f3a428e", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample3", + "similarity_id": "da5779454881d9f844e67f2a537820d144c7271fcac24d429583f826c393386e", "line": 1, "issue_type": "MissingAttribute", - "search_key": "FROM={{bighostnameusedasasample.example.com:4903/team/my-app:2.0}}", + "search_key": "FROM={{--platform=linux/amd64 alpine:latest}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", 
@@ -207,20 +207,20 @@ "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/test_folder_names/dockerfiles/any_file.txt", - "similarity_id": "e150676345e87674484ea970ca810125007b743069646ac448feaba242b7211f", - "line": 1, + "file_name": "path/test/fixtures/dockerfile/case_insensitive_tests/any_name.ubi8", + "similarity_id": "99145bb5bb5996f2d9518769bbebb143a6edff8c1b9866b9de64b2b6fba667e5", + "line": 4, "issue_type": "MissingAttribute", - "search_key": "FROM={{alpine:3.19 AS builder}}", + "search_key": "from={{alpine:3.19 as builder}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/any_name/file_2.DOCKERfile", - "similarity_id": "29858cfa69a98973cc1ae10f84e66267240bd630126eba2ba15e58a7aa2dd54d", - "line": 4, + "file_name": "path/test/fixtures/dockerfile/test_folder_names_case/Dockerfiles/any_file.txt", + "similarity_id": "b58c4c4ed6c88b82fdf62608154342a31a2de95eaae39716ff4f6ccf1a5bcdda", + "line": 1, "issue_type": "MissingAttribute", "search_key": "FROM={{alpine:3.19 AS builder}}", "search_line": -1, 
@@ -229,19 +229,19 @@ "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/any_name/random_name", - "similarity_id": "ee3531797486eec98e3dd28ec8cc5f7f6f00743d1cf79cd47f6859df87026f59", - "line": 3, + "file_name": "path/test/fixtures/dockerfile/corrupted_dockerfile", + "similarity_id": "558c83370b9fc9e230035e00ff7b5302cd64c16f700e73c830579947e250a381", + "line": 1, "issue_type": "MissingAttribute", - "search_key": "FROM={{alpine:3.19 AS builder}}", + "search_key": "FROM={{alpine:latest}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/any_name/Dockerfile.something", - "similarity_id": "b41a39fe06c21fc69fbd6e8f7b3e2c44e8d0d7a8e2b0e0c251f5d6a174e031ee", + "file_name": "path/test/fixtures/dockerfile/any_name/any_name.ubi8", + "similarity_id": "4d64348b27180d867de9cf04a51db582786ea6622adb94fb54fdbac03b284769", "line": 4, "issue_type": "MissingAttribute", "search_key": "FROM={{alpine:3.19 AS builder}}", 
@@ -251,19 +251,19 @@ "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/test_folder_names/dockerfile/any_file.txt", - "similarity_id": "c2e7f0c0c566a723ff253f4a95e837749faba964ec008551c1f87a7faa476110", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample1", + "similarity_id": "7375fc702e9b59cf845aac25968ab2926b5919806a6d739527f70a2727a6ec99", "line": 1, "issue_type": "MissingAttribute", - "search_key": "FROM={{alpine:3.19 AS builder}}", + "search_key": "FROM={{--platform=linux/arm64 scratch}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/case_insensitive_tests/file_2.DOCKERfile", - "similarity_id": "b0694a2913d293ea034d0fe62bd549aed2dd316a81fb82b611a7ab901e32b1b6", + "file_name": "path/test/fixtures/dockerfile/test_folder_names_case/Dockerfile/any_file.txt", + "similarity_id": "47d6f707c904f56fe3ca1cc7bce1d2e0ae41d421da983110a5c15fc7e48105df", "line": 1, "issue_type": "MissingAttribute", "search_key": "FROM={{alpine:3.19 AS builder}}", 
@@ -273,42 +273,42 @@ "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample4", - "similarity_id": "f6839684a157b7e9f44f88c6dcd262b4e4552eddc24e108e8b2555c6885c1853", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample7", + "similarity_id": "03992dd5495adf4a9c4440fd1e116bb35670d88e71341f062410bc0da96f4f6e", "line": 1, "issue_type": "MissingAttribute", - "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest}}", + "search_key": "FROM={{example.com:5000/team/my-app:2.0}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/case_insensitive_tests/Dockerfile.something", - "similarity_id": "2b1d191f474528c93b66c1f5f891efd3763834725ed4008cbd216702f576ef20", - "line": 1, + "file_name": "path/test/fixtures/dockerfile/any_name/Dockerfile.something", + "similarity_id": "b41a39fe06c21fc69fbd6e8f7b3e2c44e8d0d7a8e2b0e0c251f5d6a174e031ee", + "line": 4, "issue_type": "MissingAttribute", - "search_key": "FROM={{alpine:3.19 as builder}}", + "search_key": "FROM={{alpine:3.19 AS builder}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample6", - "similarity_id": "f96970fdf815bc9bb95fef94b7e461be0c8a6014c66765a36c46168348d5015f", - "line": 1, + "file_name": "path/test/fixtures/dockerfile/case_insensitive_tests/Dockerfile.something", + "similarity_id": "58a26cafd4b62b89183a99f03c581a511654a67074c333f95c0481af8816450e", + "line": 4, "issue_type": "MissingAttribute", - "search_key": "FROM={{--platform=linux/amd64 ubuntu}}", + "search_key": 
"from={{alpine:3.19 as builder}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/any_name/any_name.ubi8", - "similarity_id": "4d64348b27180d867de9cf04a51db582786ea6622adb94fb54fdbac03b284769", - "line": 4, + "file_name": "path/test/fixtures/dockerfile/test_folder_names_case/Docker/any_file.txt", + "similarity_id": "6da391b0e3e24d85f72b3ace5db0569be32ef11e6f9a433b138ae4e0b004df58", + "line": 1, "issue_type": "MissingAttribute", "search_key": "FROM={{alpine:3.19 AS builder}}", "search_line": -1, 
@@ -328,44 +328,55 @@ "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample3", - "similarity_id": "da5779454881d9f844e67f2a537820d144c7271fcac24d429583f826c393386e", - "line": 1, + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample5", + "similarity_id": "39dca689cbc39cfa0a74e0c08328183a511cbcb074518aa2abac6a45bb842bd3", + "line": 2, "issue_type": "MissingAttribute", - "search_key": "FROM={{--platform=linux/amd64 alpine:latest}}", + "search_key": "FROM={{--platform=$BUILDPLATFORM golang:1.21}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/corrupted_dockerfile", - "similarity_id": "558c83370b9fc9e230035e00ff7b5302cd64c16f700e73c830579947e250a381", - "line": 1, + "file_name": "path/test/fixtures/dockerfile/case_insensitive_tests/random_name", + "similarity_id": "9ca22b0eb1ead0048eef0d5aba185858c316469892ded249c7c261720f293370", + "line": 3, "issue_type": "MissingAttribute", - "search_key": "FROM={{alpine:latest}}", + "search_key": "from={{alpine:3.19 as builder}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/case_insensitive_tests/DOCKERfile.txt", - "similarity_id": "f9caf5d57d5872073bc7b7a555a3283708f72c9990689c8d4e6b3ce1957b496a", - "line": 1, + "file_name": "path/test/fixtures/dockerfile/any_name/dockerFILE", + "similarity_id": "e97a5ec241eb063c5757aed13a666c8126e4375ac9aed300cdc72d4ae883dfdc", + "line": 6, "issue_type": "MissingAttribute", - "search_key": "FROM={{alpine:3.19 as builder}}", + "search_key": "FROM={{alpine:3.19 AS builder}}", 
"search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/test_folder_names/docker/any_file.txt", - "similarity_id": "9d78b93c92fe63c29dec006a12993b74dc6c6fbf29ae295ff7c6e19136657e2d", - "line": 1, + "file_name": "path/test/fixtures/dockerfile/case_insensitive_tests/dockerFILE", + "similarity_id": "bda0e263debb4ef181a93c60d35e0f28a57ca27f9f19b0a550a2a219c7fb56b6", + "line": 6, "issue_type": "MissingAttribute", - "search_key": "FROM={{alpine:3.19 AS builder}}", + "search_key": "from={{alpine:3.19 as builder}}", + "search_line": -1, + "search_value": "", + "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", + "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" + }, + { + "file_name": "path/test/fixtures/dockerfile/Dockerfile-multistage", + "similarity_id": "c77e7ff048b27b896b53a89ac6008ec2fea042fb92a18807de325774dd93dfeb", + "line": 5, + "issue_type": "MissingAttribute", + "search_key": "FROM={{ubuntu:latestnightly(1)}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", @@ -381,6 +392,17 @@ "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" + }, + { + "file_name": "path/test/fixtures/dockerfile/test_folder_names/dockerfiles/any_file.txt", + "similarity_id": "e150676345e87674484ea970ca810125007b743069646ac448feaba242b7211f", + "line": 1, + "issue_type": "MissingAttribute", + "search_key": "FROM={{alpine:3.19 AS builder}}", + "search_line": -1, + "search_value": "", + "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", + "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" } ] }, 
@@ -408,6 +430,17 @@ "expected_value": "'COPY' ${JAR_FILE}", "actual_value": "'ADD' ${JAR_FILE}" }, + { + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample4", + "similarity_id": "de7635eaa00ecfd9f126b5d020ba38c55b36aef6673a4656308f683fabd999cc", + "line": 4, + "issue_type": "IncorrectValue", + "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest}}.{{ADD ${JAR_FILE} app.jar}}", + "search_line": -1, + "search_value": "", + "expected_value": "'COPY' ${JAR_FILE}", + "actual_value": "'ADD' ${JAR_FILE}" + }, { "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample2", "similarity_id": "c2087c8c5c4fe143dc0ee2644b74ded89979db4380fef678ff4a520355ff30de", 
@@ -420,77 +453,77 @@ "actual_value": "'ADD' ${JAR_FILE}" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample8", - "similarity_id": "548e63b12a9ed4e2f9f07975ec535c6bdaee35075207d0c927eab288096fec81", - "line": 3, + "file_name": "path/test/fixtures/dockerfile/Dockerfile-multistage", + "similarity_id": "2c8f808eeabb29c31b940c9d5d7526fe997c8c2d155857c1c462030cffd8c366", + "line": 10, "issue_type": "IncorrectValue", - "search_key": "FROM={{bighostnameusedasasample.example.com:4903/team/my-app:2.0}}.{{ADD ${JAR_FILE} app.jar}}", + "search_key": "FROM={{ubuntu:latestnightly(1)}}.{{ADD ${JAR_FILE} app.jar}}", "search_line": -1, "search_value": "", "expected_value": "'COPY' ${JAR_FILE}", "actual_value": "'ADD' ${JAR_FILE}" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample1", - "similarity_id": "7442e1998c8ab26068c3a53221ea6499416a92416c7721796c140d20f59c67d4", - "line": 4, + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample6", + "similarity_id": "ad808a777684d1993fbaa775aa514c4334e1949e1a18bd4047d1e257fd24e402", + "line": 3, "issue_type": "IncorrectValue", - "search_key": "FROM={{--platform=linux/arm64 scratch}}.{{ADD ${JAR_FILE} app.jar}}", + "search_key": "FROM={{--platform=linux/amd64 ubuntu}}.{{ADD ${JAR_FILE} app.jar}}", "search_line": -1, "search_value": "", "expected_value": "'COPY' ${JAR_FILE}", "actual_value": "'ADD' ${JAR_FILE}" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample3", - "similarity_id": "bb1c9e972be6ffcd7d45ee396fb8fea5e8cd942f65ce28e92504ae07bbb1cde2", - "line": 4, + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample7", + "similarity_id": "ac33450fdf5546f7017cb4137d2c42e4bab228ac2d19bb5b04b3d71f0440b786", + "line": 3, "issue_type": "IncorrectValue", - "search_key": "FROM={{--platform=linux/amd64 alpine:latest}}.{{ADD ${JAR_FILE} app.jar}}", + "search_key": "FROM={{example.com:5000/team/my-app:2.0}}.{{ADD 
${JAR_FILE} app.jar}}", "search_line": -1, "search_value": "", "expected_value": "'COPY' ${JAR_FILE}", "actual_value": "'ADD' ${JAR_FILE}" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample6", - "similarity_id": "ad808a777684d1993fbaa775aa514c4334e1949e1a18bd4047d1e257fd24e402", - "line": 3, + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample1", + "similarity_id": "7442e1998c8ab26068c3a53221ea6499416a92416c7721796c140d20f59c67d4", + "line": 4, "issue_type": "IncorrectValue", - "search_key": "FROM={{--platform=linux/amd64 ubuntu}}.{{ADD ${JAR_FILE} app.jar}}", + "search_key": "FROM={{--platform=linux/arm64 scratch}}.{{ADD ${JAR_FILE} app.jar}}", "search_line": -1, "search_value": "", "expected_value": "'COPY' ${JAR_FILE}", "actual_value": "'ADD' ${JAR_FILE}" }, { - "file_name": "path/test/fixtures/dockerfile/Dockerfile-example", - "similarity_id": "9d6bb1f4ca1093d79890b1b24b00dbb2e8fa60ca0df6b2ba391db348256eec6f", - "line": 6, + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample3", + "similarity_id": "bb1c9e972be6ffcd7d45ee396fb8fea5e8cd942f65ce28e92504ae07bbb1cde2", + "line": 4, "issue_type": "IncorrectValue", - "search_key": "FROM={{openjdk:10-jdk}}.{{ADD ${JAR_FILE} app.jar}}", + "search_key": "FROM={{--platform=linux/amd64 alpine:latest}}.{{ADD ${JAR_FILE} app.jar}}", "search_line": -1, "search_value": "", "expected_value": "'COPY' ${JAR_FILE}", "actual_value": "'ADD' ${JAR_FILE}" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample4", - "similarity_id": "de7635eaa00ecfd9f126b5d020ba38c55b36aef6673a4656308f683fabd999cc", - "line": 4, + "file_name": "path/test/fixtures/dockerfile/Dockerfile-example", + "similarity_id": "9d6bb1f4ca1093d79890b1b24b00dbb2e8fa60ca0df6b2ba391db348256eec6f", + "line": 6, "issue_type": "IncorrectValue", - "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest}}.{{ADD ${JAR_FILE} app.jar}}", + "search_key": 
"FROM={{openjdk:10-jdk}}.{{ADD ${JAR_FILE} app.jar}}", "search_line": -1, "search_value": "", "expected_value": "'COPY' ${JAR_FILE}", "actual_value": "'ADD' ${JAR_FILE}" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample7", - "similarity_id": "ac33450fdf5546f7017cb4137d2c42e4bab228ac2d19bb5b04b3d71f0440b786", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample8", + "similarity_id": "548e63b12a9ed4e2f9f07975ec535c6bdaee35075207d0c927eab288096fec81", "line": 3, "issue_type": "IncorrectValue", - "search_key": "FROM={{example.com:5000/team/my-app:2.0}}.{{ADD ${JAR_FILE} app.jar}}", + "search_key": "FROM={{bighostnameusedasasample.example.com:4903/team/my-app:2.0}}.{{ADD ${JAR_FILE} app.jar}}", "search_line": -1, "search_value": "", "expected_value": "'COPY' ${JAR_FILE}", @@ -511,17 +544,6 @@ "description": "When installing a package, its pin version should be defined", "description_id": "e0e1edad", "files": [ - { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample2", - "similarity_id": "c6cf3b49153bb6dcd4adc45c5aa9d50c4e4cd32e84562182d1aca7683d3b0027", - "line": 2, - "issue_type": "MissingAttribute", - "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest AS builder}}.RUN={{apt-get update \u0026\u0026 apt-get install -y gcc}}", - "search_line": -1, - "search_value": "gcc", - "expected_value": "Package 'gcc' has version defined", - "actual_value": "Package 'gcc' does not have version defined" - }, { "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample4", "similarity_id": "4b9d23dc01eea21711278e609dfb25ba41563568125ee505d995c1888c7bdff7", 
@@ -532,6 +554,17 @@ "search_value": "curl", "expected_value": "Package 'curl' has version defined", "actual_value": "Package 'curl' does not have version defined" + }, + { + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample2", + "similarity_id": "c6cf3b49153bb6dcd4adc45c5aa9d50c4e4cd32e84562182d1aca7683d3b0027", + "line": 2, + "issue_type": "MissingAttribute", + "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest AS builder}}.RUN={{apt-get update \u0026\u0026 apt-get install -y gcc}}", + "search_line": -1, + "search_value": "gcc", + "expected_value": "Package 'gcc' has version defined", + "actual_value": "Package 'gcc' does not have version defined" } ] }, @@ -574,6 +607,17 @@ "description": "When building images, always tag them with useful tags which codify version information, intended destination (prod or test, for instance), stability, or other information that is useful when deploying the application in different environments. Do not rely on the automatically-created latest tag", "description_id": "22f535ec", "files": [ + { + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample4", + "similarity_id": "9ad08db04cbefba3b4ba6e3f740c3f96df285f51223faff802429fe6df561505", + "line": 1, + "issue_type": "IncorrectValue", + "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest}}", + "search_line": -1, + "search_value": "", + "expected_value": "FROM ubuntu:latest:'version' where version should not be 'latest'", + "actual_value": "FROM ubuntu:latest'" + }, { "file_name": "path/test/fixtures/dockerfile/corrupted_dockerfile", "similarity_id": "b8c6f58c6b52c4155b70475008be34bcf7ca39a15378ca1828e657a75ba907f3", 
@@ -585,6 +629,17 @@ "expected_value": "FROM alpine:latest:'version' where version should not be 'latest'", "actual_value": "FROM alpine:latest'" }, + { + "file_name": "path/test/fixtures/dockerfile/Dockerfile-multistage", + "similarity_id": "c9903f97a9c6b1d61827bd33319d69199388b1c8f2723062fcdffeaa4114e609", + "line": 5, + "issue_type": "IncorrectValue", + "search_key": "FROM={{ubuntu:latestnightly(1)}}", + "search_line": -1, + "search_value": "", + "expected_value": "FROM ubuntu:latestnightly:'version' where version should not be 'latest'", + "actual_value": "FROM ubuntu:latestnightly'" + }, { "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample2", "similarity_id": "57a39816dc53307dd637cfd04019f480144a85881ea41111523d6a0c1c7443db", @@ -597,15 +652,15 @@ "actual_value": "FROM ubuntu:latest'" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample4", - "similarity_id": "9ad08db04cbefba3b4ba6e3f740c3f96df285f51223faff802429fe6df561505", + "file_name": "path/test/fixtures/dockerfile/Dockerfile-multistage", + "similarity_id": "2293ffe73033c89194caa88cbeb6155961a38f987f4ec5da36603522770c38f7", "line": 1, "issue_type": "IncorrectValue", - "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest}}", + "search_key": "FROM={{ubuntu:latestnightly}}", "search_line": -1, "search_value": "", - "expected_value": "FROM ubuntu:latest:'version' where version should not be 'latest'", - "actual_value": "FROM ubuntu:latest'" + "expected_value": "FROM ubuntu:latestnightly:'version' where version should not be 'latest'", + "actual_value": "FROM ubuntu:latestnightly'" }, { "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample3", 
@@ -633,6 +688,17 @@ "description": "Use of Curl or Wget should be done instead of Add to fetch packages from remote URLs due to the use of Add being strongly discouraged", "description_id": "29e8216b", "files": [ + { + "file_name": "path/test/fixtures/dockerfile/Dockerfile-multistage", + "similarity_id": "553c7b4eeea7e969b88c30c34e9b7e97dc16963e731d1888fec90bb55f00e35a", + "line": 7, + "issue_type": "IncorrectValue", + "search_key": "FROM={{ubuntu:latestnightly(1)}}.{{ADD http://source.file/package.file.tar.gz /temp}}", + "search_line": -1, + "search_value": "", + "expected_value": "Should use 'curl' or 'wget' to download http://source.file/package.file.tar.gz", + "actual_value": "'ADD' http://source.file/package.file.tar.gz" + }, { "file_name": "path/test/fixtures/dockerfile/Dockerfile-example", "similarity_id": "37ebb20d72a17217823809f4bbf670db1167d627157c42c0b4dd9b063e30b5bd", 
@@ -660,55 +726,66 @@ "description_id": "426121ee", "files": [ { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample6", - "similarity_id": "793c4c04fb00909f9ff987900ac66f10b1d68b37ab8cb61aaf4cc2499b27e76d", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample1", + "similarity_id": "9519f3139dd49d6da04ba94110c99a9c265e54a9e014989a00fc3a3819414be9", "line": 1, "issue_type": "MissingAttribute", - "search_key": "FROM={{--platform=linux/amd64 ubuntu}}", + "search_key": "FROM={{--platform=linux/arm64 scratch}}", "search_line": -1, "search_value": "", "expected_value": "Dockerfile should contain instruction 'HEALTHCHECK'", "actual_value": "Dockerfile doesn't contain instruction 'HEALTHCHECK'" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample2", - "similarity_id": "6a3dc950b6f1c8fee780cf65eec65c48706fcb0f7292b7576851db3fb5fdb378", - "line": 1, + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample5", + "similarity_id": "e7f0c53246eb7dea6653d51a229d156b19c050b8a3951f42df0f29d3eb89ed59", + "line": 2, "issue_type": "MissingAttribute", - "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest AS builder}}", + "search_key": "FROM={{--platform=$BUILDPLATFORM golang:1.21}}", "search_line": -1, "search_value": "", "expected_value": "Dockerfile should contain instruction 'HEALTHCHECK'", "actual_value": "Dockerfile doesn't contain instruction 'HEALTHCHECK'" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample3", - "similarity_id": "eaa3721d654875beadcda8ad4554bf8bcb96fc9a2e57812d01a8c7d44b2c6473", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample4", + "similarity_id": "f387ad8dacb9120f378f376aeba5e2b43cccf7366cb8903cdc44c3c818d7a389", "line": 1, "issue_type": "MissingAttribute", - "search_key": "FROM={{--platform=linux/amd64 alpine:latest}}", + "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest}}", "search_line": 
-1, "search_value": "", "expected_value": "Dockerfile should contain instruction 'HEALTHCHECK'", "actual_value": "Dockerfile doesn't contain instruction 'HEALTHCHECK'" }, { - "file_name": "path/test/fixtures/dockerfile/corrupted_dockerfile", - "similarity_id": "ae470ca681b82da606c6080acf7ea93906066db785bf47e2372ef7b342f43f7e", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample6", + "similarity_id": "793c4c04fb00909f9ff987900ac66f10b1d68b37ab8cb61aaf4cc2499b27e76d", "line": 1, "issue_type": "MissingAttribute", - "search_key": "FROM={{alpine:latest}}", + "search_key": "FROM={{--platform=linux/amd64 ubuntu}}", "search_line": -1, "search_value": "", "expected_value": "Dockerfile should contain instruction 'HEALTHCHECK'", "actual_value": "Dockerfile doesn't contain instruction 'HEALTHCHECK'" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample1", - "similarity_id": "9519f3139dd49d6da04ba94110c99a9c265e54a9e014989a00fc3a3819414be9", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample2", + "similarity_id": "6a3dc950b6f1c8fee780cf65eec65c48706fcb0f7292b7576851db3fb5fdb378", "line": 1, "issue_type": "MissingAttribute", - "search_key": "FROM={{--platform=linux/arm64 scratch}}", + "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest AS builder}}", + "search_line": -1, + "search_value": "", + "expected_value": "Dockerfile should contain instruction 'HEALTHCHECK'", + "actual_value": "Dockerfile doesn't contain instruction 'HEALTHCHECK'" + }, + { + "file_name": "path/test/fixtures/dockerfile/Dockerfile-multistage", + "similarity_id": "e6541da925ea5f5ca321e7c1850bc77e4a80991324087953bd41234691c6b8c5", + "line": 5, + "issue_type": "MissingAttribute", + "search_key": "FROM={{ubuntu:latestnightly(1)}}", "search_line": -1, "search_value": "", "expected_value": "Dockerfile should contain instruction 'HEALTHCHECK'", 
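Review bot: The `files` entries under this query are the same findings as before in a different order (`sample6`/`793c4c04…` moves from first to fourth, `sample1`/`9519f313…` from fifth to first), and the `@@ -726,44 +803,44 @@` hunk that follows reshuffles the rest of the list the same way; if the fixture is compared order-sensitively this commit pins an ordering that does not look derived from the file name or the `similarity_id`, so any change in scan or worker order will churn these fixtures again, and if the comparison is order-insensitive the reorder is noise that hides the one real change here, the new `Dockerfile-multistage` entry. I cannot see the comparator from this page, so this is a question rather than a defect. Stating in the commit message whether the fixture was regenerated or hand-edited, or sorting the array by a stable key before writing it, would make the diff reviewable.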
@@ -726,44 +803,44 @@ "actual_value": "Dockerfile doesn't contain instruction 'HEALTHCHECK'" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample8", - "similarity_id": "fa449aaa7035f6bb3d231cdd171c20b3c9da2a8dcb1b79915d638e8a153dc30c", + "file_name": "path/test/fixtures/dockerfile/Dockerfile-example", + "similarity_id": "4d0420e48f4c7d991ed6694980266d5b7313da8abb2e29b2dd777ce7c6f6251d", "line": 1, "issue_type": "MissingAttribute", - "search_key": "FROM={{bighostnameusedasasample.example.com:4903/team/my-app:2.0}}", + "search_key": "FROM={{openjdk:10-jdk}}", "search_line": -1, "search_value": "", "expected_value": "Dockerfile should contain instruction 'HEALTHCHECK'", "actual_value": "Dockerfile doesn't contain instruction 'HEALTHCHECK'" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample4", - "similarity_id": "f387ad8dacb9120f378f376aeba5e2b43cccf7366cb8903cdc44c3c818d7a389", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample3", + "similarity_id": "eaa3721d654875beadcda8ad4554bf8bcb96fc9a2e57812d01a8c7d44b2c6473", "line": 1, "issue_type": "MissingAttribute", - "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest}}", + "search_key": "FROM={{--platform=linux/amd64 alpine:latest}}", "search_line": -1, "search_value": "", "expected_value": "Dockerfile should contain instruction 'HEALTHCHECK'", "actual_value": "Dockerfile doesn't contain instruction 'HEALTHCHECK'" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample5", - "similarity_id": "e7f0c53246eb7dea6653d51a229d156b19c050b8a3951f42df0f29d3eb89ed59", - "line": 2, + "file_name": "path/test/fixtures/dockerfile/corrupted_dockerfile", + "similarity_id": "ae470ca681b82da606c6080acf7ea93906066db785bf47e2372ef7b342f43f7e", + "line": 1, "issue_type": "MissingAttribute", - "search_key": "FROM={{--platform=$BUILDPLATFORM golang:1.21}}", + "search_key": "FROM={{alpine:latest}}", "search_line": -1, 
"search_value": "", "expected_value": "Dockerfile should contain instruction 'HEALTHCHECK'", "actual_value": "Dockerfile doesn't contain instruction 'HEALTHCHECK'" }, { - "file_name": "path/test/fixtures/dockerfile/Dockerfile-example", - "similarity_id": "4d0420e48f4c7d991ed6694980266d5b7313da8abb2e29b2dd777ce7c6f6251d", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample8", + "similarity_id": "fa449aaa7035f6bb3d231cdd171c20b3c9da2a8dcb1b79915d638e8a153dc30c", "line": 1, "issue_type": "MissingAttribute", - "search_key": "FROM={{openjdk:10-jdk}}", + "search_key": "FROM={{bighostnameusedasasample.example.com:4903/team/my-app:2.0}}", "search_line": -1, "search_value": "", "expected_value": "Dockerfile should contain instruction 'HEALTHCHECK'", @@ -859,6 +936,17 @@ "description": "'FROM' instruction should not use the flag '--platform'", "description_id": "5bd0baab", "files": [ + { + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample1", + "similarity_id": "b5e933470891a86661890b79a9ca81f554dc8d2124e8b52737399ad667e21788", + "line": 1, + "issue_type": "IncorrectValue", + "search_key": "FROM={{--platform=linux/arm64 scratch}}.{{FROM --platform=linux/arm64 scratch}}", + "search_line": -1, + "search_value": "", + "expected_value": "{\"EndLine\": 1, \"Value\": \"FROM\"}={{--platform=linux/arm64 scratch}}.{{FROM --platform=linux/arm64 scratch}} should not use the '--platform' flag", + "actual_value": "{\"EndLine\": 1, \"Value\": \"FROM\"}={{--platform=linux/arm64 scratch}}.{{FROM --platform=linux/arm64 scratch}} is using the '--platform' flag" + }, { "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample3", "similarity_id": "c18b0b59bf46304c5cb40e5e7d9ed707a9a186c75328644b006e9a0d2933de1b", 
@@ -867,30 +955,30 @@ "search_key": "FROM={{--platform=linux/amd64 alpine:latest}}.{{FROM --platform=linux/amd64 alpine:latest}}", "search_line": -1, "search_value": "", - "expected_value": "FROM={{--platform=linux/amd64 alpine:latest}}.{{FROM --platform=linux/amd64 alpine:latest}} should not use the '--platform' flag", - "actual_value": "FROM={{--platform=linux/amd64 alpine:latest}}.{{FROM --platform=linux/amd64 alpine:latest}} is using the '--platform' flag" + "expected_value": "{\"EndLine\": 1, \"Value\": \"FROM\"}={{--platform=linux/amd64 alpine:latest}}.{{FROM --platform=linux/amd64 alpine:latest}} should not use the '--platform' flag", + "actual_value": "{\"EndLine\": 1, \"Value\": \"FROM\"}={{--platform=linux/amd64 alpine:latest}}.{{FROM --platform=linux/amd64 alpine:latest}} is using the '--platform' flag" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample6", - "similarity_id": "ad64ddb9f4a2c79d5ba2affc8da6498eebe54415c5bc131baf0498e51d838b27", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample2", + "similarity_id": "3369062c5c80ef20b457c5b93c136c3045cbd7d8e1e5d04ece08284440b80a8e", "line": 1, "issue_type": "IncorrectValue", - "search_key": "FROM={{--platform=linux/amd64 ubuntu}}.{{FROM --platform=linux/amd64 ubuntu}}", + "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest AS builder}}.{{FROM --platform=linux/amd64 ubuntu:latest AS builder}}", "search_line": -1, "search_value": "", - "expected_value": "FROM={{--platform=linux/amd64 ubuntu}}.{{FROM --platform=linux/amd64 ubuntu}} should not use the '--platform' flag", - "actual_value": "FROM={{--platform=linux/amd64 ubuntu}}.{{FROM --platform=linux/amd64 ubuntu}} is using the '--platform' flag" + "expected_value": "{\"EndLine\": 1, \"Value\": \"FROM\"}={{--platform=linux/amd64 ubuntu:latest AS builder}}.{{FROM --platform=linux/amd64 ubuntu:latest AS builder}} should not use the '--platform' flag", + "actual_value": "{\"EndLine\": 1, \"Value\": 
\"FROM\"}={{--platform=linux/amd64 ubuntu:latest AS builder}}.{{FROM --platform=linux/amd64 ubuntu:latest AS builder}} is using the '--platform' flag" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample1", - "similarity_id": "b5e933470891a86661890b79a9ca81f554dc8d2124e8b52737399ad667e21788", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample6", + "similarity_id": "ad64ddb9f4a2c79d5ba2affc8da6498eebe54415c5bc131baf0498e51d838b27", "line": 1, "issue_type": "IncorrectValue", - "search_key": "FROM={{--platform=linux/arm64 scratch}}.{{FROM --platform=linux/arm64 scratch}}", + "search_key": "FROM={{--platform=linux/amd64 ubuntu}}.{{FROM --platform=linux/amd64 ubuntu}}", "search_line": -1, "search_value": "", - "expected_value": "FROM={{--platform=linux/arm64 scratch}}.{{FROM --platform=linux/arm64 scratch}} should not use the '--platform' flag", - "actual_value": "FROM={{--platform=linux/arm64 scratch}}.{{FROM --platform=linux/arm64 scratch}} is using the '--platform' flag" + "expected_value": "{\"EndLine\": 1, \"Value\": \"FROM\"}={{--platform=linux/amd64 ubuntu}}.{{FROM --platform=linux/amd64 ubuntu}} should not use the '--platform' flag", + "actual_value": "{\"EndLine\": 1, \"Value\": \"FROM\"}={{--platform=linux/amd64 ubuntu}}.{{FROM --platform=linux/amd64 ubuntu}} is using the '--platform' flag" }, { "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample5", 
@@ -900,8 +988,8 @@
 "search_key": "FROM={{--platform=$BUILDPLATFORM golang:1.21}}.{{FROM --platform=$BUILDPLATFORM golang:1.21}}",
 "search_line": -1,
 "search_value": "",
- "expected_value": "FROM={{--platform=$BUILDPLATFORM golang:1.21}}.{{FROM --platform=$BUILDPLATFORM golang:1.21}} should not use the '--platform' flag",
- "actual_value": "FROM={{--platform=$BUILDPLATFORM golang:1.21}}.{{FROM --platform=$BUILDPLATFORM golang:1.21}} is using the '--platform' flag"
+ "expected_value": "{\"EndLine\": 2, \"Value\": \"FROM\"}={{--platform=$BUILDPLATFORM golang:1.21}}.{{FROM --platform=$BUILDPLATFORM golang:1.21}} should not use the '--platform' flag",
+ "actual_value": "{\"EndLine\": 2, \"Value\": \"FROM\"}={{--platform=$BUILDPLATFORM golang:1.21}}.{{FROM --platform=$BUILDPLATFORM golang:1.21}} is using the '--platform' flag"
 },
 {
 "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample4",
@@ -911,19 +999,8 @@
 "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest}}.{{FROM --platform=linux/amd64 ubuntu:latest}}",
 "search_line": -1,
 "search_value": "",
- "expected_value": "FROM={{--platform=linux/amd64 ubuntu:latest}}.{{FROM --platform=linux/amd64 ubuntu:latest}} should not use the '--platform' flag",
- "actual_value": "FROM={{--platform=linux/amd64 ubuntu:latest}}.{{FROM --platform=linux/amd64 ubuntu:latest}} is using the '--platform' flag"
- },
- {
- "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample2",
- "similarity_id": "3369062c5c80ef20b457c5b93c136c3045cbd7d8e1e5d04ece08284440b80a8e",
- "line": 1,
- "issue_type": "IncorrectValue",
- "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest AS builder}}.{{FROM --platform=linux/amd64 ubuntu:latest AS builder}}",
- "search_line": -1,
- "search_value": "",
- "expected_value": "FROM={{--platform=linux/amd64 ubuntu:latest AS builder}}.{{FROM --platform=linux/amd64 ubuntu:latest AS builder}} should not use the '--platform' flag",
- "actual_value": "FROM={{--platform=linux/amd64 ubuntu:latest AS builder}}.{{FROM --platform=linux/amd64 ubuntu:latest AS builder}} is using the '--platform' flag"
+ "expected_value": "{\"EndLine\": 1, \"Value\": \"FROM\"}={{--platform=linux/amd64 ubuntu:latest}}.{{FROM --platform=linux/amd64 ubuntu:latest}} should not use the '--platform' flag",
+ "actual_value": "{\"EndLine\": 1, \"Value\": \"FROM\"}={{--platform=linux/amd64 ubuntu:latest}}.{{FROM --platform=linux/amd64 ubuntu:latest}} is using the '--platform' flag"
 }
 ]
 }
From e6b802db243bd31df29edeedb9f2c4afe7ebe9ad Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Thu, 16 Apr 2026 18:11:09 +0100
Subject: [PATCH 74/84] First fix attempt on validate-search-line script
---
 .github/scripts/validate-search-line/validate_search_line.py | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/scripts/validate-search-line/validate_search_line.py b/.github/scripts/validate-search-line/validate_search_line.py
index e06ca4ef955..5c5011f4684 100644
--- a/.github/scripts/validate-search-line/validate_search_line.py
+++ b/.github/scripts/validate-search-line/validate_search_line.py
@@ -30,6 +30,9 @@ def get_changed_queries():
 dirs = []
 for f in files:
 if f.endswith("/query.rego"):
+ if f.startswith("assets/queries/dockerfile/"):
+ print(f" [SKIP] {f}: Dockerfile queries do not support searchLine")
+ continue
 dirs.append(REPO_ROOT / Path(f).parent)
 return dirs
From 71648b53b74d934bcf9650b774a9b047c321d9ca Mon Sep 17 00:00:00 2001
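Review bot: The new skip in `get_changed_queries` hard-codes the `assets/queries/dockerfile/` prefix inline and keeps the reason only in the printed `[SKIP]` line, so the next platform without `searchLine` support becomes another literal inside the loop; a module-level tuple with the reason attached, `SEARCHLINE_UNSUPPORTED_PREFIXES = ("assets/queries/dockerfile/",)  # query platforms that do not support searchLine`, consumed as `if f.startswith(SEARCHLINE_UNSUPPORTED_PREFIXES):`, keeps the exemption in one findable place (`str.startswith` accepts a tuple). The test is a plain string-prefix match on `f`, so it only fires when `files` holds repository-relative paths with no leading `./` or absolute prefix; `files` and the head of `get_changed_queries` are outside this hunk, so I cannot confirm that from here.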
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Fri, 17 Apr 2026 15:19:22 +0100 Subject: [PATCH 75/84] Removed need to do -1 when calling line hint function and updated documentation to reflect specific dockerfile searchKey building --- assets/libraries/dockerfile.rego | 2 +- .../dockerfile/add_instead_of_copy/query.rego | 2 +- .../apk_add_using_local_cache_path/query.rego | 2 +- .../query.rego | 2 +- .../query.rego | 4 +- .../query.rego | 4 +- .../query.rego | 4 +- .../query.rego | 4 +- .../dockerfile/chown_flag_exists/query.rego | 2 +- .../query.rego | 2 +- .../query.rego | 2 +- .../curl_or_wget_instead_of_add/query.rego | 2 +- .../dockerfile/exposing_port_22/query.rego | 2 +- .../gem_install_without_version/query.rego | 4 +- .../query.rego | 2 +- .../image_version_not_explicit/query.rego | 2 +- .../image_version_using_latest/query.rego | 2 +- .../dockerfile/last_user_is_root/query.rego | 2 +- .../query.rego | 2 +- .../missing_dnf_clean_all/query.rego | 2 +- .../missing_flag_from_dnf_install/query.rego | 2 +- .../missing_user_instruction/query.rego | 2 +- .../query.rego | 4 +- .../missing_zypper_clean/query.rego | 2 +- .../query.rego | 2 +- .../query.rego | 2 +- .../query.rego | 2 +- .../query.rego | 2 +- .../query.rego | 4 +- .../query.rego | 2 +- .../query.rego | 4 +- .../query.rego | 2 +- .../dockerfile/run_using_apt/query.rego | 2 +- .../dockerfile/run_using_sudo/query.rego | 4 +- .../run_using_wget_and_curl/query.rego | 2 +- .../query.rego | 2 +- .../same_alias_in_different_froms/query.rego | 2 +- .../query.rego | 4 +- .../unix_ports_out_of_range/query.rego | 2 +- .../query.rego | 8 ++-- .../query.rego | 4 +- .../update_instruction_alone/query.rego | 4 +- .../using_platform_with_from/query.rego | 2 +- .../using_unnamed_build_stages/query.rego | 2 +- .../workdir_path_not_absolute/query.rego | 2 +- .../yum_clean_all_missing/query.rego | 2 +- .../query.rego | 4 +- .../yum_install_without_version/query.rego | 4 +- 
.../zypper_install_without_version/query.rego | 4 +-
 docs/creating-queries.md | 43 ++++++++++++++++++-
 50 files changed, 109 insertions(+), 68 deletions(-)
diff --git a/assets/libraries/dockerfile.rego b/assets/libraries/dockerfile.rego
index 5c3f7d27c6d..b4cfc055a34 100644
--- a/assets/libraries/dockerfile.rego
+++ b/assets/libraries/dockerfile.rego
@@ -75,7 +75,7 @@ get_original_from_command(commands) = from_command {
 commands[i].Cmd == "from"
 from_command := {
 "Value": substring(commands[i].Original, 0, 4),
- "EndLine" : commands[i].EndLine
+ "LineHint" : commands[i].EndLine - 1
 }
 }
diff --git a/assets/queries/dockerfile/add_instead_of_copy/query.rego b/assets/queries/dockerfile/add_instead_of_copy/query.rego
index 48251a88717..4561ec322e0 100644
--- a/assets/queries/dockerfile/add_instead_of_copy/query.rego
+++ b/assets/queries/dockerfile/add_instead_of_copy/query.rego
@@ -12,7 +12,7 @@ CxPolicy[result] {
 from_command := dockerLib.get_original_from_command(stage)
 result := {
 "documentId": input.document[i].id,
- "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.EndLine-1),
+ "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.LineHint),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("'COPY' %s", [resource.Value[0]]),
 "keyActualValue": sprintf("'ADD' %s", [resource.Value[0]]),
diff --git a/assets/queries/dockerfile/apk_add_using_local_cache_path/query.rego b/assets/queries/dockerfile/apk_add_using_local_cache_path/query.rego
index b891d2ad2de..90df21e0979 100644
--- a/assets/queries/dockerfile/apk_add_using_local_cache_path/query.rego
+++ b/assets/queries/dockerfile/apk_add_using_local_cache_path/query.rego
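Review bot: The `- 1` folded into the new `LineHint` field carries no comment saying what `EndLine - 1` represents (a zero-based line, or the line the hint should point at), and the old `EndLine` key is dropped rather than kept beside it; in Rego a reference to a missing key such as `from_command.EndLine` does not raise, it makes the enclosing rule body undefined, so any query this rename missed would stop emitting findings silently instead of failing. I would document the field where it is built, `"LineHint" : commands[i].EndLine - 1, # EndLine adjusted to what add_line_hint expects; callers pass it as-is, no further -1`, with the zero-based question confirmed against `add_line_hint`, and consider keeping `"EndLine" : commands[i].EndLine,` for one release so out-of-tree queries keep working. The rule head `get_original_from_command(commands) = from_command {` is the hunk's heading, so the body starts outside the hunk and I cannot see whether anything else reads `EndLine` from it.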
@@ -14,7 +14,7 @@ CxPolicy[result] { from_command := dockerLib.get_original_from_command(stage) result := { "documentId": input.document[i].id, - "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, command.Original]), from_command.EndLine-1), + "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, command.Original]), from_command.LineHint), "issueType": "IncorrectValue", "keyExpectedValue": "'RUN' should not contain 'apk add' command without '--no-cache' switch", "keyActualValue": "'RUN' contains 'apk add' command without '--no-cache' switch", diff --git a/assets/queries/dockerfile/apt_get_install_lists_were_not_deleted/query.rego b/assets/queries/dockerfile/apt_get_install_lists_were_not_deleted/query.rego index 43fce443258..a19be16a2a2 100644 --- a/assets/queries/dockerfile/apt_get_install_lists_were_not_deleted/query.rego +++ b/assets/queries/dockerfile/apt_get_install_lists_were_not_deleted/query.rego @@ -17,7 +17,7 @@ CxPolicy[result] { run_command := substring(resource.Original, 0, 3) result := { "documentId": input.document[i].id, - "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.%s={{%s}}", [from_command.Value, name, run_command, commands]), from_command.EndLine-1), + "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.%s={{%s}}", [from_command.Value, name, run_command, commands]), from_command.LineHint), "issueType": "IncorrectValue", #"MissingAttribute" / "RedundantAttribute" "keyExpectedValue": "After using apt-get install, the apt-get lists should be deleted", "keyActualValue": "After using apt-get install, the apt-get lists were not deleted", diff --git a/assets/queries/dockerfile/apt_get_install_pin_version_not_defined/query.rego b/assets/queries/dockerfile/apt_get_install_pin_version_not_defined/query.rego index db3eb40787b..807c9b49310 100644 --- a/assets/queries/dockerfile/apt_get_install_pin_version_not_defined/query.rego 
+++ b/assets/queries/dockerfile/apt_get_install_pin_version_not_defined/query.rego @@ -23,7 +23,7 @@ CxPolicy[result] { run_command := substring(resource.Original, 0, 3) result := { "documentId": input.document[i].id, - "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.%s={{%s}}", [from_command.Value, name, run_command, commands]), from_command.EndLine-1), + "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.%s={{%s}}", [from_command.Value, name, run_command, commands]), from_command.LineHint), "searchValue": packageName, "issueType": "MissingAttribute", "keyExpectedValue": sprintf("Package '%s' has version defined", [packageName]), @@ -51,7 +51,7 @@ CxPolicy[result] { from_command := dockerLib.get_original_from_command(stage) result := { "documentId": input.document[i].id, - "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.EndLine-1), + "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.LineHint), "searchValue": packageName, "issueType": "IncorrectValue", "keyExpectedValue": sprintf("Package '%s' has version defined", [packageName]), diff --git a/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/query.rego b/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/query.rego index 0d22ae6f581..ee2c364a4e3 100644 --- a/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/query.rego +++ b/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/query.rego 
@@ -19,7 +19,7 @@ CxPolicy[result] { from_command := dockerLib.get_original_from_command(stage) result := { "documentId": input.document[i].id, - "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.EndLine-1), + "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.LineHint), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("{{%s}} should avoid manual input", [resource.Original]), "keyActualValue": sprintf("{{%s}} doesn't avoid manual input", [resource.Original]), @@ -40,7 +40,7 @@ CxPolicy[result] { from_command := dockerLib.get_original_from_command(stage) result := { "documentId": input.document[i].id, - "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.EndLine-1), + "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.LineHint), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("{{%s}} should avoid manual input", [resource.Original]), "keyActualValue": sprintf("{{%s}} doesn't avoid manual input", [resource.Original]), diff --git a/assets/queries/dockerfile/apt_get_not_avoiding_additional_packages/query.rego b/assets/queries/dockerfile/apt_get_not_avoiding_additional_packages/query.rego index da6940c61c8..ff9b0a83bfa 100644 --- a/assets/queries/dockerfile/apt_get_not_avoiding_additional_packages/query.rego +++ b/assets/queries/dockerfile/apt_get_not_avoiding_additional_packages/query.rego 
@@ -19,7 +19,7 @@ CxPolicy[result] { from_command := dockerLib.get_original_from_command(stage) result := { "documentId": input.document[i].id, - "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.EndLine-1), + "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.LineHint), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("'%s' uses '--no-install-recommends' flag to avoid installing additional packages", [resource.Original]), "keyActualValue": sprintf("'%s' does not use '--no-install-recommends' flag to avoid installing additional packages", [resource.Original]), @@ -43,7 +43,7 @@ CxPolicy[result] { from_command := dockerLib.get_original_from_command(stage) result := { "documentId": input.document[i].id, - "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.EndLine-1), + "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.LineHint), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("'%s' uses '--no-install-recommends' flag to avoid installing additional packages", [resource.Original]), "keyActualValue": sprintf("'%s' does not use '--no-install-recommends' flag to avoid installing additional packages", [resource.Original]), diff --git a/assets/queries/dockerfile/changing_default_shell_using_run_command/query.rego b/assets/queries/dockerfile/changing_default_shell_using_run_command/query.rego index fc0af057426..a43dba6e428 100644 --- a/assets/queries/dockerfile/changing_default_shell_using_run_command/query.rego +++ b/assets/queries/dockerfile/changing_default_shell_using_run_command/query.rego 
@@ -34,7 +34,7 @@ CxPolicy[result] { result := { "debug": sprintf("%s", [value[v]]), "documentId": input.document[i].id, - "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.EndLine-1), + "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.LineHint), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("{{%s}} should use the SHELL command to change the default shell", [resource.Original]), "keyActualValue": sprintf("{{%s}} uses the RUN command to change the default shell", [resource.Original]), @@ -53,7 +53,7 @@ CxPolicy[result] { from_command := dockerLib.get_original_from_command(stage) result := { "documentId": input.document[i].id, - "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.EndLine-1), + "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.LineHint), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("{{%s}} should use the SHELL command to change the default shell", [resource.Original]), "keyActualValue": sprintf("{{%s}} uses the RUN command to change the default shell", [resource.Original]), diff --git a/assets/queries/dockerfile/chown_flag_exists/query.rego b/assets/queries/dockerfile/chown_flag_exists/query.rego index 8109adc132a..2acc6764e76 100644 --- a/assets/queries/dockerfile/chown_flag_exists/query.rego +++ b/assets/queries/dockerfile/chown_flag_exists/query.rego 
@@ -10,7 +10,7 @@ CxPolicy[result] { from_command := dockerLib.get_original_from_command(resource) result := { "documentId": input.document[i].id, - "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource[j].Original]), from_command.EndLine-1), + "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource[j].Original]), from_command.LineHint), "category": "Best Practices", "issueType": "IncorrectValue", "keyExpectedValue": "The 'Dockerfile' shouldn´t contain the 'chown' flag", diff --git a/assets/queries/dockerfile/copy_from_references_current_from_alias/query.rego b/assets/queries/dockerfile/copy_from_references_current_from_alias/query.rego index bf0ad854ab5..4ad6e247cad 100644 --- a/assets/queries/dockerfile/copy_from_references_current_from_alias/query.rego +++ b/assets/queries/dockerfile/copy_from_references_current_from_alias/query.rego @@ -15,7 +15,7 @@ CxPolicy[result] { from_command := dockerLib.get_original_from_command(stage) result := { "documentId": input.document[i].id, - "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.EndLine-1), + "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.LineHint), "issueType": "IncorrectValue", "keyExpectedValue": "COPY --from should not reference the current FROM alias", "keyActualValue": "COPY --from references the current FROM alias", diff --git a/assets/queries/dockerfile/copy_with_more_than_two_arguments_not_ending_with_slash/query.rego b/assets/queries/dockerfile/copy_with_more_than_two_arguments_not_ending_with_slash/query.rego index ef9331e30b5..9734986d6df 100644 --- a/assets/queries/dockerfile/copy_with_more_than_two_arguments_not_ending_with_slash/query.rego +++ b/assets/queries/dockerfile/copy_with_more_than_two_arguments_not_ending_with_slash/query.rego 
@@ -19,7 +19,7 @@ CxPolicy[result] { copy_command := substring(resource.Original, 0, 3) result := { "documentId": input.document[i].id, - "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.%s={{%s}}", [from_command.Value, name, copy_command, resource.Value[0]]), from_command.EndLine-1), + "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.%s={{%s}}", [from_command.Value, name, copy_command, resource.Value[0]]), from_command.LineHint), "issueType": "IncorrectValue", #"MissingAttribute" / "RedundantAttribute" "keyExpectedValue": "When COPY command has more than two arguments, the last one should end with a slash", "keyActualValue": "COPY command has more than two arguments and the last one does not end with a slash", diff --git a/assets/queries/dockerfile/curl_or_wget_instead_of_add/query.rego b/assets/queries/dockerfile/curl_or_wget_instead_of_add/query.rego index c8cfd2cc1a9..b43f6a9d1f3 100644 --- a/assets/queries/dockerfile/curl_or_wget_instead_of_add/query.rego +++ b/assets/queries/dockerfile/curl_or_wget_instead_of_add/query.rego @@ -11,7 +11,7 @@ CxPolicy[result] { from_command := dockerLib.get_original_from_command(stage) result := { "documentId": input.document[i].id, - "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.EndLine-1), + "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.LineHint), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("Should use 'curl' or 'wget' to download %s", [resource.Value[0]]), "keyActualValue": sprintf("'ADD' %s", [resource.Value[0]]), diff --git a/assets/queries/dockerfile/exposing_port_22/query.rego b/assets/queries/dockerfile/exposing_port_22/query.rego index e00a912b938..9095a9a343a 100644 --- a/assets/queries/dockerfile/exposing_port_22/query.rego +++ b/assets/queries/dockerfile/exposing_port_22/query.rego 
@@ -12,7 +12,7 @@ CxPolicy[result] { from_command := dockerLib.get_original_from_command(stage) result := { "documentId": input.document[i].id, - "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, command.Original]), from_command.EndLine-1), + "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, command.Original]), from_command.LineHint), "issueType": "IncorrectValue", "keyExpectedValue": "'EXPOSE' shouldn't contain the port 22 ", "keyActualValue": "'EXPOSE' contains the port 22 ", diff --git a/assets/queries/dockerfile/gem_install_without_version/query.rego b/assets/queries/dockerfile/gem_install_without_version/query.rego index c0e798821ff..fad16c3ee4f 100644 --- a/assets/queries/dockerfile/gem_install_without_version/query.rego +++ b/assets/queries/dockerfile/gem_install_without_version/query.rego @@ -22,7 +22,7 @@ CxPolicy[result] { from_command := dockerLib.get_original_from_command(stage) result := { "documentId": input.document[i].id, - "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.EndLine-1), + "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.LineHint), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("%s is 'gem install :'", [resource.Original]), "keyActualValue": sprintf("%s is 'gem install ', you should use 'gem install :", [resource.Original]), 
@@ -46,7 +46,7 @@ CxPolicy[result] {
 from_command := dockerLib.get_original_from_command(stage)
 result := {
 "documentId": input.document[i].id,
- "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.EndLine-1),
+ "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.LineHint),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("%s is 'gem install :'", [resource.Original]),
 "keyActualValue": sprintf("%s is 'gem install ', you should use 'gem install :", [resource.Original]),
diff --git a/assets/queries/dockerfile/healthcheck_instruction_missing/query.rego b/assets/queries/dockerfile/healthcheck_instruction_missing/query.rego
index 4196c5a48cc..c3fb25f1ceb 100644
--- a/assets/queries/dockerfile/healthcheck_instruction_missing/query.rego
+++ b/assets/queries/dockerfile/healthcheck_instruction_missing/query.rego
@@ -11,7 +11,7 @@ CxPolicy[result] {
 from_command := dockerLib.get_original_from_command(resource)
 result := {
 "documentId": input.document[i].id,
- "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}", [from_command.Value, name]), from_command.EndLine-1),
+ "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}", [from_command.Value, name]), from_command.LineHint),
 "issueType": "MissingAttribute",
 "keyExpectedValue": "Dockerfile should contain instruction 'HEALTHCHECK'",
 "keyActualValue": "Dockerfile doesn't contain instruction 'HEALTHCHECK'",
diff --git a/assets/queries/dockerfile/image_version_not_explicit/query.rego b/assets/queries/dockerfile/image_version_not_explicit/query.rego
index 96dbbc78660..95d2bf75bea 100644
--- a/assets/queries/dockerfile/image_version_not_explicit/query.rego
+++ b/assets/queries/dockerfile/image_version_not_explicit/query.rego
@@ -13,7 +13,7 @@ CxPolicy[result] {
 from_command := dockerLib.get_original_from_command(stage)
 result := {
 "documentId": input.document[i].id,
- "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}", [from_command.Value, name]), from_command.EndLine-1),
+ "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}", [from_command.Value, name]), from_command.LineHint),
 "issueType": "MissingAttribute",
 "keyExpectedValue": sprintf("FROM %s:'version'", [resource.Value[0]]),
 "keyActualValue": sprintf("FROM %s'", [resource.Value[0]]),
diff --git a/assets/queries/dockerfile/image_version_using_latest/query.rego b/assets/queries/dockerfile/image_version_using_latest/query.rego
index 85f53ddab8f..34bc06b3274 100644
--- a/assets/queries/dockerfile/image_version_using_latest/query.rego
+++ b/assets/queries/dockerfile/image_version_using_latest/query.rego
@@ -12,7 +12,7 @@ CxPolicy[result] {
 from_command := dockerLib.get_original_from_command(stage)
 result := {
 "documentId": input.document[i].id,
- "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}", [from_command.Value, name]), from_command.EndLine-1),
+ "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}", [from_command.Value, name]), from_command.LineHint),
 "issueType": "IncorrectValue", #"MissingAttribute" / "RedundantAttribute"
 "keyExpectedValue": sprintf("FROM %s:'version' where version should not be 'latest'", [resource.Value[0]]),
 "keyActualValue": sprintf("FROM %s'", [resource.Value[0]]),
diff --git a/assets/queries/dockerfile/last_user_is_root/query.rego b/assets/queries/dockerfile/last_user_is_root/query.rego
index b227577ccb6..5326140d9f8 100644
--- a/assets/queries/dockerfile/last_user_is_root/query.rego
+++ b/assets/queries/dockerfile/last_user_is_root/query.rego
@@ -12,7 +12,7 @@ CxPolicy[result] {
 from_command := dockerLib.get_original_from_command(resource)
 result := {
 "documentId": input.document[i].id,
- "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, userCmd[minus(count(userCmd), 1)].Original]), from_command.EndLine-1),
+ "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, userCmd[minus(count(userCmd), 1)].Original]), from_command.LineHint),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "Last User shouldn't be root",
 "keyActualValue": "Last User is root",
diff --git a/assets/queries/dockerfile/maintainer_instruction_being_used/query.rego b/assets/queries/dockerfile/maintainer_instruction_being_used/query.rego
index 817b4dceffc..a57b1b94b11 100644
--- a/assets/queries/dockerfile/maintainer_instruction_being_used/query.rego
+++ b/assets/queries/dockerfile/maintainer_instruction_being_used/query.rego
@@ -11,7 +11,7 @@ CxPolicy[result] {
 maintainer_command := substring(resource.Original, 0, 10)
 result := {
 "documentId": input.document[i].id,
- "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.%s={{%s}}", [from_command.Value, name, maintainer_command, resource.Value[0]]), from_command.EndLine-1),
+ "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.%s={{%s}}", [from_command.Value, name, maintainer_command, resource.Value[0]]), from_command.LineHint),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("Maintainer instruction being used in Label 'LABEL maintainer=%s'", [resource.Value[0]]),
 "keyActualValue": sprintf("Maintainer instruction not being used in Label 'MAINTAINER %s'", [resource.Value[0]]),
diff --git a/assets/queries/dockerfile/missing_dnf_clean_all/query.rego b/assets/queries/dockerfile/missing_dnf_clean_all/query.rego
index 0a2a0e0da9e..d41edc7b878 100644
--- a/assets/queries/dockerfile/missing_dnf_clean_all/query.rego
+++ b/assets/queries/dockerfile/missing_dnf_clean_all/query.rego
@@ -18,7 +18,7 @@ CxPolicy[result] {
 run_command := substring(resource.Original, 0, 3)
 result := {
 "documentId": input.document[i].id,
- "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.%s={{%s}}", [from_command.Value, name, run_command, resource.Value[0]]), from_command.EndLine-1),
+ "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.%s={{%s}}", [from_command.Value, name, run_command, resource.Value[0]]), from_command.LineHint),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "After installing a package with dnf, command 'dnf clean all' should run.",
 "keyActualValue": "Command `dnf clean all` is not being run after installing packages.",
diff --git a/assets/queries/dockerfile/missing_flag_from_dnf_install/query.rego b/assets/queries/dockerfile/missing_flag_from_dnf_install/query.rego
index 5985e91433a..a77b56e8300 100644
--- a/assets/queries/dockerfile/missing_flag_from_dnf_install/query.rego
+++ b/assets/queries/dockerfile/missing_flag_from_dnf_install/query.rego
@@ -19,7 +19,7 @@ CxPolicy[result] {
 run_command := substring(resource.Original, 0, 3)
 result := {
 "documentId": input.document[i].id,
- "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.%s={{%s}}", [from_command.Value, name, run_command, resource.Value[0]]), from_command.EndLine-1),
+ "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.%s={{%s}}", [from_command.Value, name, run_command, resource.Value[0]]), from_command.LineHint),
 "searchValue": trim_space(c),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "When running `dnf install`, `-y` or `--assumeyes` switch should be set to avoid build failure ",
diff --git a/assets/queries/dockerfile/missing_user_instruction/query.rego b/assets/queries/dockerfile/missing_user_instruction/query.rego
index 721948d9853..be5594d9bf7 100644
--- a/assets/queries/dockerfile/missing_user_instruction/query.rego
+++ b/assets/queries/dockerfile/missing_user_instruction/query.rego
@@ -13,7 +13,7 @@ CxPolicy[result] { result := { "documentId": input.document[i].id, - "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}", [from_command.Value, name]), from_command.EndLine-1), + "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}", [from_command.Value, name]), from_command.LineHint), "issueType": "MissingAttribute", "keyExpectedValue": "The 'Dockerfile' should contain the 'USER' instruction", "keyActualValue": "The 'Dockerfile' does not contain any 'USER' instruction" diff --git a/assets/queries/dockerfile/missing_version_specification_in_dnf_install/query.rego b/assets/queries/dockerfile/missing_version_specification_in_dnf_install/query.rego index c60defded39..aca877aee59 100644 --- a/assets/queries/dockerfile/missing_version_specification_in_dnf_install/query.rego +++ b/assets/queries/dockerfile/missing_version_specification_in_dnf_install/query.rego @@ -23,7 +23,7 @@ CxPolicy[result] { from_command := dockerLib.get_original_from_command(stage) result := { "documentId": input.document[i].id, - "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.EndLine-1), + "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.LineHint), "issueType": "IncorrectValue", "keyExpectedValue": "Package version should be specified when using 'dnf install'", "keyActualValue": "Package version should be pinned when running ´dnf install´", 
@@ -48,7 +48,7 @@ CxPolicy[result] {
 from_command := dockerLib.get_original_from_command(stage)
 result := {
 "documentId": input.document[i].id,
- "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.EndLine-1),
+ "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.LineHint),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "Package version should be specified when using 'dnf install'",
 "keyActualValue": "Package version should be pinned when running ´dnf install´",
diff --git a/assets/queries/dockerfile/missing_zypper_clean/query.rego b/assets/queries/dockerfile/missing_zypper_clean/query.rego
index 1d4fc292bb7..004a9c0d5e6 100644
--- a/assets/queries/dockerfile/missing_zypper_clean/query.rego
+++ b/assets/queries/dockerfile/missing_zypper_clean/query.rego
@@ -17,7 +17,7 @@ CxPolicy[result] {
 from_command := dockerLib.get_original_from_command(commands[img])
 result := {
 "documentId": document.id,
- "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, img, commands[img][c].Original]), from_command.EndLine-1),
+ "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, img, commands[img][c].Original]), from_command.LineHint),
 "issueType": "MissingAttribute",
 "keyExpectedValue": "There should be a zypper clean after a zypper usage",
 "keyActualValue": sprintf("The command '%s' does not have a zypper clean after it", [commands[img][c].Value[j]]),
diff --git a/assets/queries/dockerfile/missing_zypper_non_interactive_switch/query.rego b/assets/queries/dockerfile/missing_zypper_non_interactive_switch/query.rego
index 8ce0d5ff14a..04bff7a8f30 100644
--- a/assets/queries/dockerfile/missing_zypper_non_interactive_switch/query.rego
+++ b/assets/queries/dockerfile/missing_zypper_non_interactive_switch/query.rego
@@ -17,7 +17,7 @@ CxPolicy[result] {
 from_command := dockerLib.get_original_from_command(commands[img])
 result := {
 "documentId": document.id,
- "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, img, commands[img][c].Original]), from_command.EndLine-1),
+ "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, img, commands[img][c].Original]), from_command.LineHint),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "zypper usages should have the non-interactive switch activated",
 "keyActualValue": sprintf("The command '%s' does not have the non-interactive switch activated (-y | --no-confirm)", [commands[img][c].Original]),
diff --git a/assets/queries/dockerfile/multiple_cmd_instructions_listed/query.rego b/assets/queries/dockerfile/multiple_cmd_instructions_listed/query.rego
index e2edd94417f..537abac872e 100644
--- a/assets/queries/dockerfile/multiple_cmd_instructions_listed/query.rego
+++ b/assets/queries/dockerfile/multiple_cmd_instructions_listed/query.rego
@@ -12,7 +12,7 @@ CxPolicy[result] {
 from_command := dockerLib.get_original_from_command(resource)
 result := {
 "documentId": input.document[i].id,
- "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, cmdInst[0].Original]), from_command.EndLine-1),
+ "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, cmdInst[0].Original]), from_command.LineHint),
 "issueType": "RedundantAttribute", #"MissingAttribute" / "RedundantAttribute"
 "keyExpectedValue": "There should be only one CMD instruction",
 "keyActualValue": sprintf("There are %d CMD instructions", [count(cmdInst)]),
diff --git a/assets/queries/dockerfile/multiple_entrypoint_instructions_listed/query.rego b/assets/queries/dockerfile/multiple_entrypoint_instructions_listed/query.rego
index 8cf1f46744e..8ce7212e0c2 100644
--- a/assets/queries/dockerfile/multiple_entrypoint_instructions_listed/query.rego
+++ b/assets/queries/dockerfile/multiple_entrypoint_instructions_listed/query.rego
@@ -12,7 +12,7 @@ CxPolicy[result] {
 from_command := dockerLib.get_original_from_command(resource)
 result := {
 "documentId": input.document[i].id,
- "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, cmdInst[0].Original]), from_command.EndLine-1),
+ "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, cmdInst[0].Original]), from_command.LineHint),
 "issueType": "RedundantAttribute",
 "keyExpectedValue": "There should be only one ENTRYPOINT instruction",
 "keyActualValue": sprintf("There are %d ENTRYPOINT instructions", [count(cmdInst)]),
diff --git a/assets/queries/dockerfile/multiple_run_add_copy_instructions_listed/query.rego b/assets/queries/dockerfile/multiple_run_add_copy_instructions_listed/query.rego
index 4e8f92e68db..0ad800a0e72 100644
--- a/assets/queries/dockerfile/multiple_run_add_copy_instructions_listed/query.rego
+++ b/assets/queries/dockerfile/multiple_run_add_copy_instructions_listed/query.rego
@@ -25,7 +25,7 @@ CxPolicy[result] {
 from_command := dockerLib.get_original_from_command(resource)
 result := {
 "documentId": input.document[i].id,
- "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, lineCounter[0].Original]), from_command.EndLine-1),
+ "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, lineCounter[0].Original]), from_command.LineHint),
 "issueType": "RedundantAttribute",
 "keyExpectedValue": sprintf("There isn´t any %s instruction that could be grouped", [upperName]),
 "keyActualValue": sprintf("There are %s instructions that could be grouped", [upperName]),
diff --git a/assets/queries/dockerfile/not_using_json_in_cmd_and_entrypoint_arguments/query.rego b/assets/queries/dockerfile/not_using_json_in_cmd_and_entrypoint_arguments/query.rego
index e22391c70c6..c6a5e4dd4fe 100644
--- a/assets/queries/dockerfile/not_using_json_in_cmd_and_entrypoint_arguments/query.rego
+++ b/assets/queries/dockerfile/not_using_json_in_cmd_and_entrypoint_arguments/query.rego
@@ -13,7 +13,7 @@ CxPolicy[result] {
 from_command := dockerLib.get_original_from_command(stage)
 result := {
 "documentId": input.document[i].id,
- "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.EndLine-1),
+ "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.LineHint),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("{{%s}} should be in the JSON Notation", [resource.Original]),
 "keyActualValue": sprintf("{{%s}} isn't in JSON Notation", [resource.Original]),
@@ -31,7 +31,7 @@ CxPolicy[result] {
 from_command := dockerLib.get_original_from_command(stage)
 result := {
 "documentId": input.document[i].id,
- "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.EndLine-1),
+ "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.LineHint),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("{{%s}} should be in the JSON Notation", [resource.Original]),
 "keyActualValue": sprintf("{{%s}} isn't in JSON Notation", [resource.Original]),
diff --git a/assets/queries/dockerfile/npm_install_without_pinned_version/query.rego b/assets/queries/dockerfile/npm_install_without_pinned_version/query.rego
index 26d196281f1..b5dceec999a 100644
--- a/assets/queries/dockerfile/npm_install_without_pinned_version/query.rego
+++ b/assets/queries/dockerfile/npm_install_without_pinned_version/query.rego
@@ -27,7 +27,7 @@ CxPolicy[result] {
 from_command := dockerLib.get_original_from_command(stage)
 result := {
 "documentId": input.document[i].id,
- "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, runCmd.Original]), from_command.EndLine-1),
+ "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, runCmd.Original]), from_command.LineHint),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("'%s' uses npm install with a pinned version", [runCmd.Original]),
 "keyActualValue": sprintf("'%s' does not uses npm install with a pinned version", [runCmd.Original]),
diff --git a/assets/queries/dockerfile/pip_install_keeping_cached_packages/query.rego b/assets/queries/dockerfile/pip_install_keeping_cached_packages/query.rego
index 2a14856977f..8e9e7f2952a 100644
--- a/assets/queries/dockerfile/pip_install_keeping_cached_packages/query.rego
+++ b/assets/queries/dockerfile/pip_install_keeping_cached_packages/query.rego
@@ -15,7 +15,7 @@ CxPolicy[result] {
 from_command := dockerLib.get_original_from_command(stage)
 result := {
 "documentId": input.document[i].id,
- "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, values]), from_command.EndLine-1),
+ "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, values]), from_command.LineHint),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "The '--no-cache-dir' flag should be set when running 'pip/pip3 install'",
 "keyActualValue": "The '--no-cache-dir' flag isn't set when running 'pip/pip3 install'",
@@ -36,7 +36,7 @@ CxPolicy[result] {
 from_command := dockerLib.get_original_from_command(stage)
 result := {
 "documentId": input.document[i].id,
- "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.EndLine-1),
+ "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.LineHint),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "The '--no-cache-dir' flag should be set when running 'pip/pip3 install'",
 "keyActualValue": "The '--no-cache-dir' flag isn't set when running 'pip/pip3 install'",
diff --git a/assets/queries/dockerfile/run_command_cd_instead_of_workdir/query.rego b/assets/queries/dockerfile/run_command_cd_instead_of_workdir/query.rego
index 2e7ac4462d8..10a13075da2 100644
--- a/assets/queries/dockerfile/run_command_cd_instead_of_workdir/query.rego
+++ b/assets/queries/dockerfile/run_command_cd_instead_of_workdir/query.rego
@@ -17,7 +17,7 @@ CxPolicy[result] {
 run_command := substring(resource.Original, 0, 3)
 result := {
 "documentId": input.document[i].id,
- "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.%s={{%s}}", [from_command.Value, name, run_command, resource.Value[0]]), from_command.EndLine-1),
+ "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.%s={{%s}}", [from_command.Value, name, run_command, resource.Value[0]]), from_command.LineHint),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "Using WORKDIR to change directory",
 "keyActualValue": sprintf("RUN %s'", [resource.Value[0]]),
diff --git a/assets/queries/dockerfile/run_using_apt/query.rego b/assets/queries/dockerfile/run_using_apt/query.rego
index 6d1a448fe45..ae5a81b193d 100644
--- a/assets/queries/dockerfile/run_using_apt/query.rego
+++ b/assets/queries/dockerfile/run_using_apt/query.rego
@@ -14,7 +14,7 @@ CxPolicy[result] {
 from_command := dockerLib.get_original_from_command(commands[img])
 result := {
 "documentId": document.id,
- "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, img, commands[img][c].Original]), from_command.EndLine-1),
+ "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, img, commands[img][c].Original]), from_command.LineHint),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "RUN instructions should not use the 'apt' program",
 "keyActualValue": "RUN instruction is invoking the 'apt' program",
diff --git a/assets/queries/dockerfile/run_using_sudo/query.rego b/assets/queries/dockerfile/run_using_sudo/query.rego
index 250095fb69c..c8c7f78f602 100644
--- a/assets/queries/dockerfile/run_using_sudo/query.rego
+++ b/assets/queries/dockerfile/run_using_sudo/query.rego
@@ -14,7 +14,7 @@ CxPolicy[result] {
 run_command := substring(resource.Original, 0, 3)
 result := {
 "documentId": input.document[i].id,
- "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.%s={{%s}}", [from_command.Value, name, run_command, resource.Value[0]]), from_command.EndLine-1),
+ "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.%s={{%s}}", [from_command.Value, name, run_command, resource.Value[0]]), from_command.LineHint),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "RUN instruction shouldn't contain sudo",
 "keyActualValue": "RUN instruction contains sudo",
@@ -33,7 +33,7 @@ CxPolicy[result] {
 run_command := substring(resource.Original, 0, 3)
 result := {
 "documentId": input.document[i].id,
- "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.%s={{%s}}", [from_command.Value, name, run_command, resource.Value[0]]), from_command.EndLine-1),
+ "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.%s={{%s}}", [from_command.Value, name, run_command, resource.Value[0]]), from_command.LineHint),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "RUN instruction shouldn't contain sudo",
 "keyActualValue": "RUN instruction contains sudo",
diff --git a/assets/queries/dockerfile/run_using_wget_and_curl/query.rego b/assets/queries/dockerfile/run_using_wget_and_curl/query.rego
index 450878a9cf5..98479d6405d 100644
--- a/assets/queries/dockerfile/run_using_wget_and_curl/query.rego
+++ b/assets/queries/dockerfile/run_using_wget_and_curl/query.rego
@@ -14,7 +14,7 @@ CxPolicy[result] {
 from_command := dockerLib.get_original_from_command(resource)
 result := {
 "documentId": input.document[i].id,
- "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, curl[0]]), from_command.EndLine-1),
+ "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, curl[0]]), from_command.LineHint),
 "issueType": "RedundantAttribute",
 "keyExpectedValue": "Exclusively using 'wget' or 'curl'",
 "keyActualValue": "Using both 'wget' and 'curl'",
diff --git a/assets/queries/dockerfile/run_utilities_and_posix_commands/query.rego b/assets/queries/dockerfile/run_utilities_and_posix_commands/query.rego
index 2e045fda70e..dbb6eae2c7d 100644
--- a/assets/queries/dockerfile/run_utilities_and_posix_commands/query.rego
+++ b/assets/queries/dockerfile/run_utilities_and_posix_commands/query.rego
@@ -12,7 +12,7 @@ CxPolicy[result] {
 from_command := dockerLib.get_original_from_command(stage)
 result := {
 "documentId": input.document[i].id,
- "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.EndLine-1),
+ "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.LineHint),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "There should be no dangerous commands or utilities executed",
 "keyActualValue": sprintf("Run instruction is executing the %s command", [resource.Value[0]]),
diff --git a/assets/queries/dockerfile/same_alias_in_different_froms/query.rego b/assets/queries/dockerfile/same_alias_in_different_froms/query.rego
index ee084a53c34..10fd87a717c 100644
--- a/assets/queries/dockerfile/same_alias_in_different_froms/query.rego
+++ b/assets/queries/dockerfile/same_alias_in_different_froms/query.rego
@@ -19,7 +19,7 @@ CxPolicy[result] {
 from_command := dockerLib.get_original_from_command(input.document[i].command[name2])
 result := {
 "documentId": input.document[i].id,
- "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}", [from_command.Value, aliasResource.Value[idx_2]]), from_command.EndLine-1),
+ "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}", [from_command.Value, aliasResource.Value[idx_2]]), from_command.LineHint),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "Different FROM commands don't have the same alias defined",
 "keyActualValue": sprintf("Different FROM commands with the same alias '%s' defined", [aliasResource.Value[idx_2]]),
diff --git a/assets/queries/dockerfile/shell_running_a_pipe_without_pipefail_flag/query.rego b/assets/queries/dockerfile/shell_running_a_pipe_without_pipefail_flag/query.rego
index 47f45ca06b4..4db8d8ed1ba 100644
--- a/assets/queries/dockerfile/shell_running_a_pipe_without_pipefail_flag/query.rego
+++ b/assets/queries/dockerfile/shell_running_a_pipe_without_pipefail_flag/query.rego
@@ -23,7 +23,7 @@ CxPolicy[result] {
 from_command := dockerLib.get_original_from_command(commands)
 result := {
 "documentId": input.document[i].id,
- "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, runCmd.Original]), from_command.EndLine-1),
+ "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, runCmd.Original]), from_command.LineHint),
 "searchValue": match.shell,
 "issueType": "MissingAttribute",
 "keyExpectedValue": sprintf("'%s' has pipefail option set for pipe command with shell %s.", [runCmd.Original, match.shell]),
@@ -52,7 +52,7 @@ CxPolicy[result] {
 from_command := dockerLib.get_original_from_command(commands)
 result := {
 "documentId": input.document[i].id,
- "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, runCmd.Original]), from_command.EndLine-1),
+ "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, runCmd.Original]), from_command.LineHint),
 "searchValue": match.shell,
 "issueType": "MissingAttribute",
 "keyExpectedValue": sprintf("'%s' has pipefail option set for pipe command with shell %s.", [cmdFormatted, match.shell]),
diff --git a/assets/queries/dockerfile/unix_ports_out_of_range/query.rego b/assets/queries/dockerfile/unix_ports_out_of_range/query.rego
index 2fc1695c6e1..b4b7ce1e1c4 100644
--- a/assets/queries/dockerfile/unix_ports_out_of_range/query.rego
+++ b/assets/queries/dockerfile/unix_ports_out_of_range/query.rego
@@ -12,7 +12,7 @@ CxPolicy[result] {
 from_command := dockerLib.get_original_from_command(stage)
 result := {
 "documentId": input.document[i].id,
- "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, command.Original]), from_command.EndLine-1),
+ "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, command.Original]), from_command.LineHint),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "'EXPOSE' should not contain ports out of range [0, 65535]",
 "keyActualValue": "'EXPOSE' contains ports out of range [0, 65535]",
diff --git a/assets/queries/dockerfile/unpinned_package_version_in_apk_add/query.rego b/assets/queries/dockerfile/unpinned_package_version_in_apk_add/query.rego
index 29de624bcf5..fddee27a9f8 100644
--- a/assets/queries/dockerfile/unpinned_package_version_in_apk_add/query.rego
+++ b/assets/queries/dockerfile/unpinned_package_version_in_apk_add/query.rego
@@ -26,7 +26,7 @@ CxPolicy[result] {
 from_command := dockerLib.get_original_from_command(stage)
 result := {
 "documentId": input.document[i].id,
- "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.EndLine-1),
+ "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.LineHint),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "RUN instruction with 'apk add ' should use package pinning form 'apk add ='",
 "keyActualValue": sprintf("RUN instruction %s does not use package pinning form", [resource.Value[0]]),
@@ -57,7 +57,7 @@ CxPolicy[result] {
 from_command := dockerLib.get_original_from_command(stage)
 result := {
 "documentId": input.document[i].id,
- "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.EndLine-1),
+ "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.LineHint),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "RUN instruction with 'apk add ' should use package pinning form 'apk add ='",
 "keyActualValue": sprintf("RUN instruction %s does not use package pinning form", [resource.Value[0]]),
@@ -87,7 +87,7 @@ CxPolicy[result] {
 from_command := dockerLib.get_original_from_command(stage)
 result := {
 "documentId": input.document[i].id,
- "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.EndLine-1),
+ "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.LineHint),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "RUN instruction with 'apk add ' should use package pinning form 'apk add ='",
 "keyActualValue": sprintf("RUN instruction %s does not use package pinning form", [resource.Value[0]]),
@@ -113,7 +113,7 @@ CxPolicy[result] {
 from_command := dockerLib.get_original_from_command(stage)
 result := {
 "documentId": input.document[i].id,
- "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.EndLine-1),
+ "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.LineHint),
 "searchValue": resource.Value[j],
 "issueType": "IncorrectValue",
 "keyExpectedValue": "RUN instruction with 'apk add ' should use package pinning form 'apk add ='",
diff --git a/assets/queries/dockerfile/unpinned_package_version_in_pip_install/query.rego b/assets/queries/dockerfile/unpinned_package_version_in_pip_install/query.rego
index 59f109e0c34..53d41d0f659 100644
--- a/assets/queries/dockerfile/unpinned_package_version_in_pip_install/query.rego
+++ b/assets/queries/dockerfile/unpinned_package_version_in_pip_install/query.rego
@@ -27,7 +27,7 @@ CxPolicy[result] {
 from_command := dockerLib.get_original_from_command(stage)
 result := {
 "documentId": input.document[i].id,
- "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.EndLine-1),
+ "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.LineHint),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "RUN instruction with 'pip/pip3 install ' should use package pinning form 'pip/pip3 install ='",
 "keyActualValue": sprintf("RUN instruction %s does not use package pinning form", [commands]),
@@ -53,7 +53,7 @@ CxPolicy[result] {
 from_command := dockerLib.get_original_from_command(stage)
 result := {
 "documentId": input.document[i].id,
- "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.EndLine-1),
+ "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.LineHint),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "RUN instruction with 'pip/pip3 install ' should use package pinning form 'pip/pip3 install ='",
 "keyActualValue": sprintf("RUN instruction %s does not use package pinning form", [resource.Value[j]]),
diff --git a/assets/queries/dockerfile/update_instruction_alone/query.rego b/assets/queries/dockerfile/update_instruction_alone/query.rego
index 4332c639886..1436d2fd1da 100644
--- a/assets/queries/dockerfile/update_instruction_alone/query.rego
+++ b/assets/queries/dockerfile/update_instruction_alone/query.rego
@@ -27,7 +27,7 @@ CxPolicy[result] {
 run_command := substring(resource.Original, 0, 3)
 result := {
 "documentId": input.document[i].id,
- "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.%s={{%s}}", [from_command.Value, name, run_command, resource.Value[0]]), from_command.EndLine-1),
+ "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.%s={{%s}}", [from_command.Value, name, run_command, resource.Value[0]]), from_command.LineHint),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("Instruction 'RUN %s %s' should be followed by 'RUN %s %s' in the same 'RUN' statement", [packageManager, pkg_installer[packageManager], packageManager, pkg_updater[packageManager]]),
 "keyActualValue": sprintf("Instruction 'RUN %s %s' isn't followed by 'RUN %s %s in the same 'RUN' statement", [packageManager, pkg_installer[packageManager], packageManager, pkg_updater[packageManager]]),
@@ -68,7 +68,7 @@ CxPolicy[result] {
 run_command := substring(resource.Original, 0, 3)
 result := {
 "documentId": input.document[i].id,
- "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.%s={{%s}}", [from_command.Value, name, run_command, nextResource.Value[0]]), from_command.EndLine-1),
+ "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.%s={{%s}}", [from_command.Value, name, run_command, nextResource.Value[0]]), from_command.LineHint),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("Instruction 'RUN %s %s' should be combined with 'RUN %s %s' in the same 'RUN' statement", [nextPackageManager, pkg_installer[nextPackageManager], nextPackageManager, pkg_updater[nextPackageManager]]),
 "keyActualValue": sprintf("Instruction 'RUN %s %s' isn't combined with 'RUN %s %s in the same 'RUN' statement", [nextPackageManager, pkg_installer[nextPackageManager], nextPackageManager, pkg_updater[nextPackageManager]]),
diff --git a/assets/queries/dockerfile/using_platform_with_from/query.rego b/assets/queries/dockerfile/using_platform_with_from/query.rego
index 3a826e0f08a..fbaa53d30a2 100644
--- a/assets/queries/dockerfile/using_platform_with_from/query.rego
+++ b/assets/queries/dockerfile/using_platform_with_from/query.rego
@@ -13,7 +13,7 @@ CxPolicy[result] {
 from_command := dockerLib.get_original_from_command(stage)
 result := {
 "documentId": input.document[i].id,
- "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.EndLine-1),
+ "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.LineHint),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("%s={{%s}}.{{%s}} should not use the '--platform' flag", [from_command, name, resource.Original]),
 "keyActualValue": sprintf("%s={{%s}}.{{%s}} is using the '--platform' flag", [from_command, name, resource.Original]),
diff --git a/assets/queries/dockerfile/using_unnamed_build_stages/query.rego b/assets/queries/dockerfile/using_unnamed_build_stages/query.rego
index d1cc26de6b8..b39850fa2d9 100644
--- a/assets/queries/dockerfile/using_unnamed_build_stages/query.rego
+++ b/assets/queries/dockerfile/using_unnamed_build_stages/query.rego
@@ -17,7 +17,7 @@ CxPolicy[result] {
 from_command := dockerLib.get_original_from_command(stage)
 result := {
 "documentId": input.document[i].id,
- "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, commands.Original]), from_command.EndLine-1),
+ "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, commands.Original]), from_command.LineHint),
 "issueType": "IncorrectValue",
 "keyExpectedValue": "COPY '--from' should reference a previously defined FROM alias",
 "keyActualValue": "COPY '--from' does not reference a previously defined FROM alias",
diff --git a/assets/queries/dockerfile/workdir_path_not_absolute/query.rego b/assets/queries/dockerfile/workdir_path_not_absolute/query.rego
index 18f5ea77418..def161b9769 100644
--- a/assets/queries/dockerfile/workdir_path_not_absolute/query.rego
+++ b/assets/queries/dockerfile/workdir_path_not_absolute/query.rego
@@ -12,7 +12,7 @@ CxPolicy[result] {
 workdir_command := substring(resource.Original, 0, 7)
 result := {
 "documentId": input.document[i].id,
- "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.%s={{%s}}", [from_command.Value, name, workdir_command, resource.Value[0]]), from_command.EndLine-1),
+ "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.%s={{%s}}", [from_command.Value, name, workdir_command, resource.Value[0]]), from_command.LineHint),
 "issueType": "IncorrectValue", #"MissingAttribute" / "RedundantAttribute"
 "keyExpectedValue": "'WORKDIR' Command has absolute path",
 "keyActualValue": "'WORKDIR' Command doesn't have absolute path",
diff --git a/assets/queries/dockerfile/yum_clean_all_missing/query.rego b/assets/queries/dockerfile/yum_clean_all_missing/query.rego
index d88898a46f6..3ec1659dd4e 100644
--- a/assets/queries/dockerfile/yum_clean_all_missing/query.rego
+++ b/assets/queries/dockerfile/yum_clean_all_missing/query.rego
@@ -19,7 +19,7 @@ CxPolicy[result] {
 from_command := dockerLib.get_original_from_command(stage)
 result := {
 "documentId": input.document[i].id,
- "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.EndLine-1),
+ "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.LineHint),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("{{%s}} should have 'yum clean all' after 'yum install' command", [resource.Original]),
 "keyActualValue": sprintf("{{%s}} doesn't have 'yum clean all' after 'yum install' command", [resource.Original]),
diff --git a/assets/queries/dockerfile/yum_install_allows_manual_input/query.rego b/assets/queries/dockerfile/yum_install_allows_manual_input/query.rego
index 1919ee73834..179392addff 100644
--- a/assets/queries/dockerfile/yum_install_allows_manual_input/query.rego
+++ b/assets/queries/dockerfile/yum_install_allows_manual_input/query.rego
@@ -16,7 +16,7 @@ CxPolicy[result] {
 from_command := dockerLib.get_original_from_command(stage)
 result := {
 "documentId": input.document[i].id,
- "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.EndLine-1),
+ "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.LineHint),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("{{%s}} should avoid manual input", [resource.Original]),
 "keyActualValue": sprintf("{{%s}} doesn't avoid manual input", [resource.Original]),
@@ -36,7 +36,7 @@ CxPolicy[result] {
 from_command := dockerLib.get_original_from_command(stage)
 result := {
 "documentId": input.document[i].id,
- "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.EndLine-1),
+ "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.LineHint),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("{{%s}} should avoid manual input", [resource.Original]),
 "keyActualValue": sprintf("{{%s}} doesn't avoid manual input", [resource.Original]),
diff --git a/assets/queries/dockerfile/yum_install_without_version/query.rego b/assets/queries/dockerfile/yum_install_without_version/query.rego
index 7bbdf85bd54..f4c510183a3 100644
--- a/assets/queries/dockerfile/yum_install_without_version/query.rego
+++ b/assets/queries/dockerfile/yum_install_without_version/query.rego
@@ -23,7 +23,7 @@ CxPolicy[result] {
 from_command := dockerLib.get_original_from_command(stage)
 result := {
 "documentId": input.document[i].id,
- "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.EndLine-1),
+ "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.LineHint),
 "searchValue": packages[j],
 "issueType": "IncorrectValue",
 "keyExpectedValue": "The package version should always be specified when using yum install",
@@ -49,7 +49,7 @@ CxPolicy[result] {
 from_command := dockerLib.get_original_from_command(stage)
 result := {
 "documentId": input.document[i].id,
- "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.EndLine-1),
+ "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.LineHint),
 "searchValue": resource.Value[j],
 "issueType": "IncorrectValue",
 "keyExpectedValue": "The package version should always be specified when using yum install",
diff --git a/assets/queries/dockerfile/zypper_install_without_version/query.rego b/assets/queries/dockerfile/zypper_install_without_version/query.rego
index 4a907aeaae5..0847a43667c 100644
--- a/assets/queries/dockerfile/zypper_install_without_version/query.rego
+++ b/assets/queries/dockerfile/zypper_install_without_version/query.rego
@@ -23,7 +23,7 @@ CxPolicy[result] {
 from_command := dockerLib.get_original_from_command(stage)
 result := {
 "documentId": input.document[i].id,
- "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.EndLine-1),
+ "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.LineHint),
 "searchValue": packages[j],
 "issueType": "IncorrectValue",
 "keyExpectedValue": "The package version should always be specified when using zypper install",
@@ -49,7 +49,7 @@ CxPolicy[result] {
 from_command := dockerLib.get_original_from_command(stage)
 result := {
 "documentId": input.document[i].id,
- "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.EndLine-1),
+ "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.LineHint),
 "searchValue": resource.Value[j],
 "issueType": "IncorrectValue",
 "keyExpectedValue": "The package version should always be specified when using zypper install",
diff --git a/docs/creating-queries.md b/docs/creating-queries.md
index 5471685e7ba..66de29ced9b 100644
--- a/docs/creating-queries.md
+++ b/docs/creating-queries.md
@@ -462,9 +462,50 @@ Examples: build_search_line(path, ["son"]) ``` -##### Ansible Inventory +#### 🚨 Platform Specific Guidelines 🚨 + +##### Ⓐ Ansible Inventory "searchLine" To create a `searchLine` query in Rego for this case, you need to think of the path as if you were dealing with a YAML/JSON file. This way, the query will be capable of locating vulnerabilities in all three types of Ansible host files. +--- + +##### 🐳 Dockerfile "searchKey" + +Dockerfile queries use a dedicated searchKey format and two helper functions from the `dockerfile.rego` library (`import data.generic.dockerfile as dockerLib`). + +Basic format: + +``` +FROM={{}}.={{}} +``` + +Where the first segment identifies the build stage by its FROM image, and subsequent segments identify the target instruction. For example: + +``` +FROM={{alpine:3.14}}.RUN={{apk update && apk add curl}} +``` + +Helper functions: + + - `dockerLib.get_original_from_command(stage)` — returns an object with `Value` (the literal `"FROM"` string preserving the original casing) and `LineHint` (the line number hint derived from the FROM instruction, used to tell the detector where to start searching). Use this instead of hardcoding `"FROM"`. + - `dockerLib.add_line_hint(searchKey, lineHint)` — appends a `^` suffix to the searchKey that tells the detector where to start searching in the file. The line hint is stripped before reaching the final results. + +Typical usage in a query: + +```rego +stage := input.document[i].command[name] +from_command := dockerLib.get_original_from_command(stage) + +result := { + "documentId": input.document[i].id, + "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.%s={{%s}}", [from_command.Value, name, run_command, commands]), from_command.LineHint), + ... +} +``` + +This produces a searchKey like: `FROM={{alpine:3.14}}.RUN={{apk update && apk add curl}}^2` + + #### Allowing users to overwrite query data Starting on v1.3.5, KICS started to support custom data overwriting on queries. 
This can be useful if users want to provide their own dataset or if users have different datasets for multiple environments. This can be supported easily following some steps: From f07ee000f05b8f22212f98fbabeda1d2fffefd01 Mon Sep 17 00:00:00 2001 From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Fri, 17 Apr 2026 15:45:31 +0100 Subject: [PATCH 76/84] Fixed expected and actual values for using_platform_with_from query
---
 assets/queries/dockerfile/using_platform_with_from/query.rego | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/assets/queries/dockerfile/using_platform_with_from/query.rego b/assets/queries/dockerfile/using_platform_with_from/query.rego
index fbaa53d30a2..64b9fe67b15 100644
--- a/assets/queries/dockerfile/using_platform_with_from/query.rego
+++ b/assets/queries/dockerfile/using_platform_with_from/query.rego
@@ -15,7 +15,7 @@ CxPolicy[result] {
 "documentId": input.document[i].id,
 "searchKey": dockerLib.add_line_hint(sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original]), from_command.LineHint),
 "issueType": "IncorrectValue",
- "keyExpectedValue": sprintf("%s={{%s}}.{{%s}} should not use the '--platform' flag", [from_command, name, resource.Original]),
- "keyActualValue": sprintf("%s={{%s}}.{{%s}} is using the '--platform' flag", [from_command, name, resource.Original]),
+ "keyExpectedValue": sprintf("%s={{%s}}.{{%s}} should not use the '--platform' flag", [from_command.Value, name, resource.Original]),
+ "keyActualValue": sprintf("%s={{%s}}.{{%s}} is using the '--platform' flag", [from_command.Value, name, resource.Original]),
 }
 }
From df9ce03df2574782f229d690bf5bcd8ba8a0f969 Mon Sep 17 00:00:00 2001 From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Fri, 17 Apr 2026 15:48:45 +0100 Subject: [PATCH 77/84] Fix E2E results
---
 e2e/fixtures/E2E_CLI_106_RESULT.json | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-)
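Review bot: The same `%s={{%s}}.{{%s}}` key is now formatted three times in this rule, once for `searchKey` and once for each of the two values fixed here, and the bug being fixed (passing the whole `from_command` object where `from_command.Value` was meant, which serialized the object into the finding text) is exactly the drift that repetition invites. Build the key once, `key := sprintf("%s={{%s}}.{{%s}}", [from_command.Value, name, resource.Original])`, then use `dockerLib.add_line_hint(key, from_command.LineHint)` for `searchKey` and `sprintf("%s should not use the '--platform' flag", [key])` / `sprintf("%s is using the '--platform' flag", [key])` for the two values, so the three can no longer disagree. The `CxPolicy[result]` body starts above the hunk.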
diff --git a/e2e/fixtures/E2E_CLI_106_RESULT.json b/e2e/fixtures/E2E_CLI_106_RESULT.json index 6c543370eda..f23b72c7b01 100644 --- a/e2e/fixtures/E2E_CLI_106_RESULT.json +++ b/e2e/fixtures/E2E_CLI_106_RESULT.json @@ -944,8 +944,8 @@ "search_key": "FROM={{--platform=linux/arm64 scratch}}.{{FROM --platform=linux/arm64 scratch}}", "search_line": -1, "search_value": "", - "expected_value": "{\"EndLine\": 1, \"Value\": \"FROM\"}={{--platform=linux/arm64 scratch}}.{{FROM --platform=linux/arm64 scratch}} should not use the '--platform' flag", - "actual_value": "{\"EndLine\": 1, \"Value\": \"FROM\"}={{--platform=linux/arm64 scratch}}.{{FROM --platform=linux/arm64 scratch}} is using the '--platform' flag" + "expected_value": "FROM={{--platform=linux/arm64 scratch}}.{{FROM --platform=linux/arm64 scratch}} should not use the '--platform' flag", + "actual_value": "FROM={{--platform=linux/arm64 scratch}}.{{FROM --platform=linux/arm64 scratch}} is using the '--platform' flag" }, { "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample3", @@ -955,8 +955,8 @@ "search_key": "FROM={{--platform=linux/amd64 alpine:latest}}.{{FROM --platform=linux/amd64 alpine:latest}}", "search_line": -1, "search_value": "", - "expected_value": "{\"EndLine\": 1, \"Value\": \"FROM\"}={{--platform=linux/amd64 alpine:latest}}.{{FROM --platform=linux/amd64 alpine:latest}} should not use the '--platform' flag", - "actual_value": "{\"EndLine\": 1, \"Value\": \"FROM\"}={{--platform=linux/amd64 alpine:latest}}.{{FROM --platform=linux/amd64 alpine:latest}} is using the '--platform' flag" + "expected_value": "FROM={{--platform=linux/amd64 alpine:latest}}.{{FROM --platform=linux/amd64 alpine:latest}} should not use the '--platform' flag", + "actual_value": "FROM={{--platform=linux/amd64 alpine:latest}}.{{FROM --platform=linux/amd64 alpine:latest}} is using the '--platform' flag" }, { "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample2", 
@@ -966,8 +966,8 @@ "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest AS builder}}.{{FROM --platform=linux/amd64 ubuntu:latest AS builder}}", "search_line": -1, "search_value": "", - "expected_value": "{\"EndLine\": 1, \"Value\": \"FROM\"}={{--platform=linux/amd64 ubuntu:latest AS builder}}.{{FROM --platform=linux/amd64 ubuntu:latest AS builder}} should not use the '--platform' flag", - "actual_value": "{\"EndLine\": 1, \"Value\": \"FROM\"}={{--platform=linux/amd64 ubuntu:latest AS builder}}.{{FROM --platform=linux/amd64 ubuntu:latest AS builder}} is using the '--platform' flag" + "expected_value": "FROM={{--platform=linux/amd64 ubuntu:latest AS builder}}.{{FROM --platform=linux/amd64 ubuntu:latest AS builder}} should not use the '--platform' flag", + "actual_value": "FROM={{--platform=linux/amd64 ubuntu:latest AS builder}}.{{FROM --platform=linux/amd64 ubuntu:latest AS builder}} is using the '--platform' flag" }, { "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample6", @@ -977,8 +977,8 @@ "search_key": "FROM={{--platform=linux/amd64 ubuntu}}.{{FROM --platform=linux/amd64 ubuntu}}", "search_line": -1, "search_value": "", - "expected_value": "{\"EndLine\": 1, \"Value\": \"FROM\"}={{--platform=linux/amd64 ubuntu}}.{{FROM --platform=linux/amd64 ubuntu}} should not use the '--platform' flag", - "actual_value": "{\"EndLine\": 1, \"Value\": \"FROM\"}={{--platform=linux/amd64 ubuntu}}.{{FROM --platform=linux/amd64 ubuntu}} is using the '--platform' flag" + "expected_value": "FROM={{--platform=linux/amd64 ubuntu}}.{{FROM --platform=linux/amd64 ubuntu}} should not use the '--platform' flag", + "actual_value": "FROM={{--platform=linux/amd64 ubuntu}}.{{FROM --platform=linux/amd64 ubuntu}} is using the '--platform' flag" }, { "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample5", 
@@ -988,8 +988,8 @@ "search_key": "FROM={{--platform=$BUILDPLATFORM golang:1.21}}.{{FROM --platform=$BUILDPLATFORM golang:1.21}}", "search_line": -1, "search_value": "", - "expected_value": "{\"EndLine\": 2, \"Value\": \"FROM\"}={{--platform=$BUILDPLATFORM golang:1.21}}.{{FROM --platform=$BUILDPLATFORM golang:1.21}} should not use the '--platform' flag", - "actual_value": "{\"EndLine\": 2, \"Value\": \"FROM\"}={{--platform=$BUILDPLATFORM golang:1.21}}.{{FROM --platform=$BUILDPLATFORM golang:1.21}} is using the '--platform' flag" + "expected_value": "FROM={{--platform=$BUILDPLATFORM golang:1.21}}.{{FROM --platform=$BUILDPLATFORM golang:1.21}} should not use the '--platform' flag", + "actual_value": "FROM={{--platform=$BUILDPLATFORM golang:1.21}}.{{FROM --platform=$BUILDPLATFORM golang:1.21}} is using the '--platform' flag" }, { "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample4", @@ -999,8 +999,8 @@ "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest}}.{{FROM --platform=linux/amd64 ubuntu:latest}}", "search_line": -1, "search_value": "", - "expected_value": "{\"EndLine\": 1, \"Value\": \"FROM\"}={{--platform=linux/amd64 ubuntu:latest}}.{{FROM --platform=linux/amd64 ubuntu:latest}} should not use the '--platform' flag", - "actual_value": "{\"EndLine\": 1, \"Value\": \"FROM\"}={{--platform=linux/amd64 ubuntu:latest}}.{{FROM --platform=linux/amd64 ubuntu:latest}} is using the '--platform' flag" + "expected_value": "FROM={{--platform=linux/amd64 ubuntu:latest}}.{{FROM --platform=linux/amd64 ubuntu:latest}} should not use the '--platform' flag", + "actual_value": "FROM={{--platform=linux/amd64 ubuntu:latest}}.{{FROM --platform=linux/amd64 ubuntu:latest}} is using the '--platform' flag" } ] } From 2051586f1699bbb548a6fd8279e6a4d35acf2b37 Mon Sep 17 00:00:00 2001 
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Mon, 20 Apr 2026 18:25:56 +0100 Subject: [PATCH 78/84] Made UrlRegex a constant
---
 pkg/utils/get_extension.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/utils/get_extension.go b/pkg/utils/get_extension.go
index 9647bd04fb3..e110a4e9304 100644
--- a/pkg/utils/get_extension.go
+++ b/pkg/utils/get_extension.go
@@ -14,6 +14,7 @@ import (
 const (
 extDockerfile = ".dockerfile"
+ UrlRegex = `[-a-zA-Z0-9@:%._\+~#=]{2,256}\.[a-z]{2,6}\b([-a-zA-Z0-9@:%_\+.~#?&//=]*)`
 )
 // GetExtension gets the extension of a file path
@@ -86,7 +87,6 @@ func readPossibleDockerFile(path string) bool {
 if strings.HasPrefix(scanner.Text(), "#") || strings.HasPrefix(strings.ToLower(scanner.Text()), "arg") || scanner.Text() == "" {
 continue
 } else {
- UrlRegex := `[-a-zA-Z0-9@:%._\+~#=]{2,256}\.[a-z]{2,6}\b([-a-zA-Z0-9@:%_\+.~#?&//=]*)`
 pattern := `(?i)^\s*FROM\s+(--platform=\S+\s+)?(` + UrlRegex + `:[0-9]+)?[a-zA-Z0-9.\-/]+(:[a-zA-Z0-9.\-_]+)?(\s*$|\s+AS\s+\S+\s*$)`
 matched, _ := regexp.MatchString(pattern, scanner.Text())
 return matched
From dc012a75b0edf60d7859452cdd757d71e10e3e9a Mon Sep 17 00:00:00 2001
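Review bot: `UrlRegex` becomes an exported constant under a name that breaks Go's initialism convention (`URLRegex`, which staticcheck's stylecheck flags), and exporting it widens the `utils` package API for a value that, as far as the hunk shows, is only used to build `pattern` inside `readPossibleDockerFile`; keep it unexported as `urlRegex` unless another package needs it. Since the regex text is now a constant, `pattern` on the following context line is a constant expression too, so it can move to a package-level `const` beside `urlRegex` with `var fromLineRe = regexp.MustCompile(pattern)`, and the loop body shrinks to `return fromLineRe.MatchString(scanner.Text())`; that compiles the expression once instead of on every scanned line and removes the `matched, _ :=` that currently discards the compile error. The `} else {` after `continue` on the new side is redundant and can go. `readPossibleDockerFile`'s body continues outside the hunk.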
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Tue, 21 Apr 2026 15:52:56 +0100 Subject: [PATCH 79/84] New samples, changed fockerfile syntax identification to aproach to exclusion based regex --- e2e/fixtures/E2E_CLI_106_PAYLOAD.json | 4449 +++++++++-------- e2e/fixtures/E2E_CLI_106_RESULT.json | 583 ++- pkg/parser/docker/parser.go | 1 + pkg/utils/get_extension.go | 32 +- .../case_insensitive_tests/file.Dockerfile | 2 +- .../base_image_reference | 2 + .../{sample8 => big_host_name} | 0 .../should_generate_payload/big_indent_from | 4 + .../should_generate_payload/full_sha_digest | 3 + .../should_generate_payload/host_ip_address | 1 + .../multiline_from_statement | 9 + .../{sample3 => platform_flag} | 0 .../{sample2 => platform_flag_and_alias} | 0 .../{sample1 => platform_flag_scratch} | 0 .../{sample5 => platform_with_arg_reference} | 0 .../should_generate_payload/sample4 | 4 - .../should_generate_payload/sample6 | 3 - .../{sample7 => use_of_host} | 0 .../with_excluded_comments | 11 + .../invalid_syntax | 3 + .../negative_email_2 | 3 + .../negative_hiveql | 10 - .../negative_python_2 | 4 + 23 files changed, 2724 insertions(+), 2400 deletions(-) create mode 100644 test/fixtures/dockerfile/should_generate_payload/base_image_reference rename test/fixtures/dockerfile/should_generate_payload/{sample8 => big_host_name} (100%) create mode 100644 test/fixtures/dockerfile/should_generate_payload/big_indent_from create mode 100644 test/fixtures/dockerfile/should_generate_payload/full_sha_digest create mode 100644 test/fixtures/dockerfile/should_generate_payload/host_ip_address create mode 100644 test/fixtures/dockerfile/should_generate_payload/multiline_from_statement rename test/fixtures/dockerfile/should_generate_payload/{sample3 => platform_flag} (100%) rename test/fixtures/dockerfile/should_generate_payload/{sample2 => platform_flag_and_alias} (100%) rename test/fixtures/dockerfile/should_generate_payload/{sample1 => platform_flag_scratch} 
(100%) rename test/fixtures/dockerfile/should_generate_payload/{sample5 => platform_with_arg_reference} (100%) delete mode 100644 test/fixtures/dockerfile/should_generate_payload/sample4 delete mode 100644 test/fixtures/dockerfile/should_generate_payload/sample6 rename test/fixtures/dockerfile/should_generate_payload/{sample7 => use_of_host} (100%) create mode 100644 test/fixtures/dockerfile/should_generate_payload/with_excluded_comments create mode 100644 test/fixtures/negative_dockerfile/should_not_generate_payload/invalid_syntax create mode 100644 test/fixtures/negative_dockerfile/should_not_generate_payload/negative_email_2 delete mode 100644 test/fixtures/negative_dockerfile/should_not_generate_payload/negative_hiveql create mode 100644 test/fixtures/negative_dockerfile/should_not_generate_payload/negative_python_2 diff --git a/e2e/fixtures/E2E_CLI_106_PAYLOAD.json b/e2e/fixtures/E2E_CLI_106_PAYLOAD.json index fe23ad63522..288076d7a7f 100644 --- a/e2e/fixtures/E2E_CLI_106_PAYLOAD.json +++ b/e2e/fixtures/E2E_CLI_106_PAYLOAD.json 
@@ -1,2113 +1,2340 @@ { - "document": [ - { - "args": [], - "command": { - "openjdk:10-jdk": [ - { - "Cmd": "from", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "FROM openjdk:10-jdk", - "SubCmd": "", - "Value": [ - "openjdk:10-jdk" - ], - "_kics_line": 1 - }, - { - "Cmd": "volume", - "EndLine": 2, - "Flags": [], - "JSON": false, - "Original": "VOLUME /tmp", - "SubCmd": "", - "Value": [ - "/tmp" - ], - "_kics_line": 2 - }, - { - "Cmd": "add", - "EndLine": 3, - "Flags": [], - "JSON": false, - "Original": "ADD http://source.file/package.file.tar.gz /temp", - "SubCmd": "", - "Value": [ - "http://source.file/package.file.tar.gz", - "/temp" - ], - "_kics_line": 3 - }, - { - "Cmd": "run", - "EndLine": 4, - "Flags": [], - "JSON": false, - "Original": "RUN tar -xjf /temp/package.file.tar.gz", - "SubCmd": "", - "Value": [ - "tar -xjf /temp/package.file.tar.gz" - ], - "_kics_line": 4 - }, - { - "Cmd": "arg", - "EndLine": 5, - "Flags": [], - "JSON": false, - "Original": "ARG JAR_FILE", - "SubCmd": "", - "Value": [ - "JAR_FILE" - ], - "_kics_line": 5 - }, - { - "Cmd": "add", - "EndLine": 6, - "Flags": [], - "JSON": false, - "Original": "ADD ${JAR_FILE} app.jar", - "SubCmd": "", - "Value": [ - "${JAR_FILE}", - "app.jar" - ], - "_kics_line": 6 - }, - { - "Cmd": "entrypoint", - "EndLine": 7, - "Flags": [], - "JSON": true, - "Original": "ENTRYPOINT [\"java\",\"-Djava.security.egd=file:/dev/./urandom\",\"-jar\",\"/app.jar\"]", - "SubCmd": "", - "Value": [ - "java", - "-Djava.security.egd=file:/dev/./urandom", - "-jar", - "/app.jar" - ], - "_kics_line": 7 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [], - "command": { - "alpine:3.19 AS builder": [ - { - "Cmd": "from", - "EndLine": 13, - "Flags": [], - "JSON": false, - "Original": "FROM alpine:3.19 AS builder", - "SubCmd": "", - "Value": [ - "alpine:3.19", - "AS", - "builder" - ], - "_kics_line": 13 - }, - { - "Cmd": "copy", - "EndLine": 15, - "Flags": [], - "JSON": false, - "Original": "COPY . 
.", - "SubCmd": "", - "Value": [ - ".", - "." - ], - "_kics_line": 15 - }, - { - "Cmd": "healthcheck", - "EndLine": 17, - "Flags": [ - "--interval=30s", - "--timeout=30s", - "--start-period=5s", - "--retries=3" - ], - "JSON": true, - "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", - "SubCmd": "", - "Value": [ - "CMD", - "executable" - ], - "_kics_line": 17 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [ - { - "Cmd": "arg", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "ARG VERSION=1.0", - "SubCmd": "", - "Value": [ - "VERSION=1.0" - ], - "_kics_line": 1 - }, - { - "Cmd": "arg", - "EndLine": 2, - "Flags": [], - "JSON": false, - "Original": "ARG BASE_IMAGE=ubuntu:22.04", - "SubCmd": "", - "Value": [ - "BASE_IMAGE=ubuntu:22.04" - ], - "_kics_line": 2 - } - ], - "command": { - "alpine:3.19 AS builder": [ - { - "Cmd": "from", - "EndLine": 4, - "Flags": [], - "JSON": false, - "Original": "FROM alpine:3.19 AS builder", - "SubCmd": "", - "Value": [ - "alpine:3.19", - "AS", - "builder" - ], - "_kics_line": 4 - }, - { - "Cmd": "copy", - "EndLine": 6, - "Flags": [], - "JSON": false, - "Original": "COPY . .", - "SubCmd": "", - "Value": [ - ".", - "." 
- ], - "_kics_line": 6 - }, - { - "Cmd": "healthcheck", - "EndLine": 8, - "Flags": [ - "--interval=30s", - "--timeout=30s", - "--start-period=5s", - "--retries=3" - ], - "JSON": true, - "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", - "SubCmd": "", - "Value": [ - "CMD", - "executable" - ], - "_kics_line": 8 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [ - { - "Cmd": "arg", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "ARG VERSION=1.0", - "SubCmd": "", - "Value": [ - "VERSION=1.0" - ], - "_kics_line": 1 - }, - { - "Cmd": "arg", - "EndLine": 2, - "Flags": [], - "JSON": false, - "Original": "ARG BASE_IMAGE=ubuntu:22.04", - "SubCmd": "", - "Value": [ - "BASE_IMAGE=ubuntu:22.04" - ], - "_kics_line": 2 - } - ], - "command": { - "alpine:3.19 AS builder": [ - { - "Cmd": "from", - "EndLine": 4, - "Flags": [], - "JSON": false, - "Original": "FROM alpine:3.19 AS builder", - "SubCmd": "", - "Value": [ - "alpine:3.19", - "AS", - "builder" - ], - "_kics_line": 4 - }, - { - "Cmd": "copy", - "EndLine": 6, - "Flags": [], - "JSON": false, - "Original": "COPY . .", - "SubCmd": "", - "Value": [ - ".", - "." 
- ], - "_kics_line": 6 - }, - { - "Cmd": "healthcheck", - "EndLine": 8, - "Flags": [ - "--interval=30s", - "--timeout=30s", - "--start-period=5s", - "--retries=3" - ], - "JSON": true, - "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", - "SubCmd": "", - "Value": [ - "CMD", - "executable" - ], - "_kics_line": 8 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [ - { - "Cmd": "arg", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "ARG VERSION=1.0", - "SubCmd": "", - "Value": [ - "VERSION=1.0" - ], - "_kics_line": 1 - }, - { - "Cmd": "arg", - "EndLine": 2, - "Flags": [], - "JSON": false, - "Original": "ARG BASE_IMAGE=ubuntu:22.04", - "SubCmd": "", - "Value": [ - "BASE_IMAGE=ubuntu:22.04" - ], - "_kics_line": 2 - } - ], - "command": { - "alpine:3.19 AS builder": [ - { - "Cmd": "from", - "EndLine": 4, - "Flags": [], - "JSON": false, - "Original": "FROM alpine:3.19 AS builder", - "SubCmd": "", - "Value": [ - "alpine:3.19", - "AS", - "builder" - ], - "_kics_line": 4 - }, - { - "Cmd": "copy", - "EndLine": 6, - "Flags": [], - "JSON": false, - "Original": "COPY . .", - "SubCmd": "", - "Value": [ - ".", - "." 
- ], - "_kics_line": 6 - }, - { - "Cmd": "healthcheck", - "EndLine": 8, - "Flags": [ - "--interval=30s", - "--timeout=30s", - "--start-period=5s", - "--retries=3" - ], - "JSON": true, - "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", - "SubCmd": "", - "Value": [ - "CMD", - "executable" - ], - "_kics_line": 8 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [ - { - "Cmd": "arg", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "ARG BASE_IMAGE=ubuntu:22.04", - "SubCmd": "", - "Value": [ - "BASE_IMAGE=ubuntu:22.04" - ], - "_kics_line": 1 - }, - { - "Cmd": "arg", - "EndLine": 4, - "Flags": [], - "JSON": false, - "Original": "ARG JAR_FILE", - "SubCmd": "", - "Value": [ - "JAR_FILE" - ], - "_kics_line": 4 - } - ], - "command": { - "alpine:3.19 AS builder": [ - { - "Cmd": "from", - "EndLine": 6, - "Flags": [], - "JSON": false, - "Original": "FROM alpine:3.19 AS builder", - "SubCmd": "", - "Value": [ - "alpine:3.19", - "AS", - "builder" - ], - "_kics_line": 6 - }, - { - "Cmd": "copy", - "EndLine": 8, - "Flags": [], - "JSON": false, - "Original": "COPY . .", - "SubCmd": "", - "Value": [ - ".", - "." 
- ], - "_kics_line": 8 - }, - { - "Cmd": "healthcheck", - "EndLine": 10, - "Flags": [ - "--interval=30s", - "--timeout=30s", - "--start-period=5s", - "--retries=3" - ], - "JSON": true, - "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", - "SubCmd": "", - "Value": [ - "CMD", - "executable" - ], - "_kics_line": 10 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [ - { - "Cmd": "arg", - "EndLine": 2, - "Flags": [], - "JSON": false, - "Original": "ARG BASE_IMAGE=ubuntu:22.04", - "SubCmd": "", - "Value": [ - "BASE_IMAGE=ubuntu:22.04" - ], - "_kics_line": 2 - } - ], - "command": { - "alpine:3.19 AS builder": [ - { - "Cmd": "from", - "EndLine": 6, - "Flags": [], - "JSON": false, - "Original": "FROM alpine:3.19 AS builder", - "SubCmd": "", - "Value": [ - "alpine:3.19", - "AS", - "builder" - ], - "_kics_line": 6 - }, - { - "Cmd": "copy", - "EndLine": 8, - "Flags": [], - "JSON": false, - "Original": "COPY . .", - "SubCmd": "", - "Value": [ - ".", - "." 
- ], - "_kics_line": 8 - }, - { - "Cmd": "healthcheck", - "EndLine": 10, - "Flags": [ - "--interval=30s", - "--timeout=30s", - "--start-period=5s", - "--retries=3" - ], - "JSON": true, - "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", - "SubCmd": "", - "Value": [ - "CMD", - "executable" - ], - "_kics_line": 10 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [ - { - "Cmd": "arg", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "ARG BASE_IMAGE=ubuntu:22.04", - "SubCmd": "", - "Value": [ - "BASE_IMAGE=ubuntu:22.04" - ], - "_kics_line": 1 - } - ], - "command": { - "alpine:3.19 AS builder": [ - { - "Cmd": "from", - "EndLine": 4, - "Flags": [], - "JSON": false, - "Original": "FROM alpine:3.19 AS builder", - "SubCmd": "", - "Value": [ - "alpine:3.19", - "AS", - "builder" - ], - "_kics_line": 4 - }, - { - "Cmd": "copy", - "EndLine": 6, - "Flags": [], - "JSON": false, - "Original": "COPY .. .", - "SubCmd": "", - "Value": [ - "..", - "." 
- ], - "_kics_line": 6 - }, - { - "Cmd": "healthcheck", - "EndLine": 8, - "Flags": [ - "--interval=30s", - "--timeout=30s", - "--start-period=5s", - "--retries=3" - ], - "JSON": true, - "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", - "SubCmd": "", - "Value": [ - "CMD", - "executable" - ], - "_kics_line": 8 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [ - { - "Cmd": "arg", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "ARG BASE_IMAGE=ubuntu:22.04", - "SubCmd": "", - "Value": [ - "BASE_IMAGE=ubuntu:22.04" - ], - "_kics_line": 1 - } - ], - "command": { - "alpine:3.19 AS builder": [ - { - "Cmd": "from", - "EndLine": 3, - "Flags": [], - "JSON": false, - "Original": "FROM alpine:3.19 AS builder", - "SubCmd": "", - "Value": [ - "alpine:3.19", - "AS", - "builder" - ], - "_kics_line": 3 - }, - { - "Cmd": "copy", - "EndLine": 5, - "Flags": [], - "JSON": false, - "Original": "COPY . .", - "SubCmd": "", - "Value": [ - ".", - "." - ], - "_kics_line": 5 - }, - { - "Cmd": "healthcheck", - "EndLine": 7, - "Flags": [ - "--interval=30s", - "--timeout=30s", - "--start-period=5s", - "--retries=3" - ], - "JSON": true, - "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", - "SubCmd": "", - "Value": [ - "CMD", - "executable" - ], - "_kics_line": 7 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [], - "command": { - "alpine:3.19 as builder": [ - { - "Cmd": "from", - "EndLine": 13, - "Flags": [], - "JSON": false, - "Original": "from alpine:3.19 as builder", - "SubCmd": "", - "Value": [ - "alpine:3.19", - "as", - "builder" - ], - "_kics_line": 13 - }, - { - "Cmd": "copy", - "EndLine": 15, - "Flags": [], - "JSON": false, - "Original": "copy . .", - "SubCmd": "", - "Value": [ - ".", - "." 
- ], - "_kics_line": 15 - }, - { - "Cmd": "healthcheck", - "EndLine": 17, - "Flags": [ - "--interval=30s", - "--timeout=30s", - "--start-period=5s", - "--retries=3" - ], - "JSON": true, - "Original": "healthcheck --interval=30s --timeout=30s --start-period=5s --retries=3 cmd [ \"executable\" ]", - "SubCmd": "", - "Value": [ - "cmd", - "executable" - ], - "_kics_line": 17 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [ - { - "Cmd": "arg", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "arg VERSION=1.0", - "SubCmd": "", - "Value": [ - "VERSION=1.0" - ], - "_kics_line": 1 - }, - { - "Cmd": "arg", - "EndLine": 2, - "Flags": [], - "JSON": false, - "Original": "arg BASE_IMAGE=ubuntu:22.04", - "SubCmd": "", - "Value": [ - "BASE_IMAGE=ubuntu:22.04" - ], - "_kics_line": 2 - } - ], - "command": { - "alpine:3.19 as builder": [ - { - "Cmd": "from", - "EndLine": 4, - "Flags": [], - "JSON": false, - "Original": "from alpine:3.19 as builder", - "SubCmd": "", - "Value": [ - "alpine:3.19", - "as", - "builder" - ], - "_kics_line": 4 - }, - { - "Cmd": "copy", - "EndLine": 6, - "Flags": [], - "JSON": false, - "Original": "copy . .", - "SubCmd": "", - "Value": [ - ".", - "." 
- ], - "_kics_line": 6 - }, - { - "Cmd": "healthcheck", - "EndLine": 8, - "Flags": [ - "--interval=30s", - "--timeout=30s", - "--start-period=5s", - "--retries=3" - ], - "JSON": true, - "Original": "healthcheck --interval=30s --timeout=30s --start-period=5s --retries=3 cmd [ \"executable\" ]", - "SubCmd": "", - "Value": [ - "cmd", - "executable" - ], - "_kics_line": 8 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [ - { - "Cmd": "arg", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "arg VERSION=1.0", - "SubCmd": "", - "Value": [ - "VERSION=1.0" - ], - "_kics_line": 1 - }, - { - "Cmd": "arg", - "EndLine": 2, - "Flags": [], - "JSON": false, - "Original": "arg BASE_IMAGE=ubuntu:22.04", - "SubCmd": "", - "Value": [ - "BASE_IMAGE=ubuntu:22.04" - ], - "_kics_line": 2 - } - ], - "command": { - "alpine:3.19 as builder": [ - { - "Cmd": "from", - "EndLine": 4, - "Flags": [], - "JSON": false, - "Original": "from alpine:3.19 as builder", - "SubCmd": "", - "Value": [ - "alpine:3.19", - "as", - "builder" - ], - "_kics_line": 4 - }, - { - "Cmd": "copy", - "EndLine": 6, - "Flags": [], - "JSON": false, - "Original": "copy . .", - "SubCmd": "", - "Value": [ - ".", - "." 
- ], - "_kics_line": 6 - }, - { - "Cmd": "healthcheck", - "EndLine": 8, - "Flags": [ - "--interval=30s", - "--timeout=30s", - "--start-period=5s", - "--retries=3" - ], - "JSON": true, - "Original": "healthcheck --interval=30s --timeout=30s --start-period=5s --retries=3 cmd [ \"executable\" ]", - "SubCmd": "", - "Value": [ - "cmd", - "executable" - ], - "_kics_line": 8 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [ - { - "Cmd": "arg", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "arg VERSION=1.0", - "SubCmd": "", - "Value": [ - "VERSION=1.0" - ], - "_kics_line": 1 - }, - { - "Cmd": "arg", - "EndLine": 2, - "Flags": [], - "JSON": false, - "Original": "arg BASE_IMAGE=ubuntu:22.04", - "SubCmd": "", - "Value": [ - "BASE_IMAGE=ubuntu:22.04" - ], - "_kics_line": 2 - } - ], - "command": { - "alpine:3.19 as builder": [ - { - "Cmd": "from", - "EndLine": 4, - "Flags": [], - "JSON": false, - "Original": "from alpine:3.19 as builder", - "SubCmd": "", - "Value": [ - "alpine:3.19", - "as", - "builder" - ], - "_kics_line": 4 - }, - { - "Cmd": "copy", - "EndLine": 6, - "Flags": [], - "JSON": false, - "Original": "copy . .", - "SubCmd": "", - "Value": [ - ".", - "." 
- ], - "_kics_line": 6 - }, - { - "Cmd": "healthcheck", - "EndLine": 8, - "Flags": [ - "--interval=30s", - "--timeout=30s", - "--start-period=5s", - "--retries=3" - ], - "JSON": true, - "Original": "healthcheck --interval=30s --timeout=30s --start-period=5s --retries=3 cmd [ \"executable\" ]", - "SubCmd": "", - "Value": [ - "cmd", - "executable" - ], - "_kics_line": 8 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [ - { - "Cmd": "arg", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "arg BASE_IMAGE=ubuntu:22.04", - "SubCmd": "", - "Value": [ - "BASE_IMAGE=ubuntu:22.04" - ], - "_kics_line": 1 - }, - { - "Cmd": "arg", - "EndLine": 4, - "Flags": [], - "JSON": false, - "Original": "arg JAR_FILE", - "SubCmd": "", - "Value": [ - "JAR_FILE" - ], - "_kics_line": 4 - } - ], - "command": { - "alpine:3.19 as builder": [ - { - "Cmd": "from", - "EndLine": 6, - "Flags": [], - "JSON": false, - "Original": "from alpine:3.19 as builder", - "SubCmd": "", - "Value": [ - "alpine:3.19", - "as", - "builder" - ], - "_kics_line": 6 - }, - { - "Cmd": "copy", - "EndLine": 8, - "Flags": [], - "JSON": false, - "Original": "copy . .", - "SubCmd": "", - "Value": [ - ".", - "." 
- ], - "_kics_line": 8 - }, - { - "Cmd": "healthcheck", - "EndLine": 10, - "Flags": [ - "--interval=30s", - "--timeout=30s", - "--start-period=5s", - "--retries=3" - ], - "JSON": true, - "Original": "healthcheck --interval=30s --timeout=30s --start-period=5s --retries=3 cmd [ \"executable\" ]", - "SubCmd": "", - "Value": [ - "cmd", - "executable" - ], - "_kics_line": 10 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [ - { - "Cmd": "arg", - "EndLine": 2, - "Flags": [], - "JSON": false, - "Original": "arg BASE_IMAGE=ubuntu:22.04", - "SubCmd": "", - "Value": [ - "BASE_IMAGE=ubuntu:22.04" - ], - "_kics_line": 2 - } - ], - "command": { - "alpine:3.19 as builder": [ - { - "Cmd": "from", - "EndLine": 6, - "Flags": [], - "JSON": false, - "Original": "from alpine:3.19 as builder", - "SubCmd": "", - "Value": [ - "alpine:3.19", - "as", - "builder" - ], - "_kics_line": 6 - }, - { - "Cmd": "copy", - "EndLine": 8, - "Flags": [], - "JSON": false, - "Original": "copy . .", - "SubCmd": "", - "Value": [ - ".", - "." 
- ], - "_kics_line": 8 - }, - { - "Cmd": "healthcheck", - "EndLine": 10, - "Flags": [ - "--interval=30s", - "--timeout=30s", - "--start-period=5s", - "--retries=3" - ], - "JSON": true, - "Original": "healthcheck --interval=30s --timeout=30s --start-period=5s --retries=3 cmd [ \"executable\" ]", - "SubCmd": "", - "Value": [ - "cmd", - "executable" - ], - "_kics_line": 10 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [ - { - "Cmd": "arg", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "arg BASE_IMAGE=ubuntu:22.04", - "SubCmd": "", - "Value": [ - "BASE_IMAGE=ubuntu:22.04" - ], - "_kics_line": 1 - } - ], - "command": { - "alpine:3.19 AS builder": [ - { - "Cmd": "from", - "EndLine": 4, - "Flags": [], - "JSON": false, - "Original": "from alpine:3.19 AS builder", - "SubCmd": "", - "Value": [ - "alpine:3.19", - "AS", - "builder" - ], - "_kics_line": 4 - }, - { - "Cmd": "copy", - "EndLine": 6, - "Flags": [], - "JSON": false, - "Original": "copy .. .", - "SubCmd": "", - "Value": [ - "..", - "." 
- ], - "_kics_line": 6 - }, - { - "Cmd": "healthcheck", - "EndLine": 8, - "Flags": [ - "--interval=30s", - "--timeout=30s", - "--start-period=5s", - "--retries=3" - ], - "JSON": true, - "Original": "healthcheck --interval=30s --timeout=30s --start-period=5s --retries=3 cmd [ \"executable\" ]", - "SubCmd": "", - "Value": [ - "cmd", - "executable" - ], - "_kics_line": 8 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [ - { - "Cmd": "arg", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "arg BASE_IMAGE=ubuntu:22.04", - "SubCmd": "", - "Value": [ - "BASE_IMAGE=ubuntu:22.04" - ], - "_kics_line": 1 - } - ], - "command": { - "alpine:3.19 as builder": [ - { - "Cmd": "from", - "EndLine": 3, - "Flags": [], - "JSON": false, - "Original": "from alpine:3.19 as builder", - "SubCmd": "", - "Value": [ - "alpine:3.19", - "as", - "builder" - ], - "_kics_line": 3 - }, - { - "Cmd": "copy", - "EndLine": 5, - "Flags": [], - "JSON": false, - "Original": "copy . .", - "SubCmd": "", - "Value": [ - ".", - "." 
- ], - "_kics_line": 5 - }, - { - "Cmd": "healthcheck", - "EndLine": 7, - "Flags": [ - "--interval=30s", - "--timeout=30s", - "--start-period=5s", - "--retries=3" - ], - "JSON": true, - "Original": "healthcheck --interval=30s --timeout=30s --start-period=5s --retries=3 cmd [ \"executable\" ]", - "SubCmd": "", - "Value": [ - "cmd", - "executable" - ], - "_kics_line": 7 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [], - "command": { - "alpine:latest": [ - { - "Cmd": "from", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "FROM alpine:latest", - "SubCmd": "", - "Value": [ - "alpine:latest" - ], - "_kics_line": 1 - }, - { - "Cmd": "copy", - "EndLine": 3, - "Flags": [], - "JSON": false, - "Original": "COPY {{ file_path }} /test", - "SubCmd": "", - "Value": [ - "{{", - "file_path", - "}}", - "/test" - ], - "_kics_line": 3 - }, - { - "Cmd": "run", - "EndLine": 5, - "Flags": [], - "JSON": false, - "Original": "RUN echo \"failure\"", - "SubCmd": "", - "Value": [ - "echo \"failure\"" - ], - "_kics_line": 5 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [], - "command": { - "--platform=linux/arm64 scratch": [ - { - "Cmd": "from", - "EndLine": 1, - "Flags": [ - "--platform=linux/arm64" - ], - "JSON": false, - "Original": "FROM --platform=linux/arm64 scratch", - "SubCmd": "", - "Value": [ - "scratch" - ], - "_kics_line": 1 - }, - { - "Cmd": "copy", - "EndLine": 2, - "Flags": [], - "JSON": false, - "Original": "COPY myapp /", - "SubCmd": "", - "Value": [ - "myapp", - "/" - ], - "_kics_line": 2 - }, - { - "Cmd": "entrypoint", - "EndLine": 3, - "Flags": [], - "JSON": true, - "Original": "ENTRYPOINT [\"/myapp\"]", - "SubCmd": "", - "Value": [ - "/myapp" - ], - "_kics_line": 3 - }, - { - "Cmd": "add", - "EndLine": 4, - "Flags": [], - "JSON": false, - "Original": "ADD ${JAR_FILE} app.jar", - "SubCmd": "", - "Value": [ - "${JAR_FILE}", - "app.jar" - ], - "_kics_line": 4 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [], - 
"command": { - "--platform=linux/amd64 ubuntu:latest AS builder": [ - { - "Cmd": "from", - "EndLine": 1, - "Flags": [ - "--platform=linux/amd64" - ], - "JSON": false, - "Original": "FROM --platform=linux/amd64 ubuntu:latest AS builder", - "SubCmd": "", - "Value": [ - "ubuntu:latest", - "AS", - "builder" - ], - "_kics_line": 1 - }, - { - "Cmd": "run", - "EndLine": 2, - "Flags": [], - "JSON": false, - "Original": "RUN apt-get update \u0026\u0026 apt-get install -y gcc", - "SubCmd": "", - "Value": [ - "apt-get update \u0026\u0026 apt-get install -y gcc" - ], - "_kics_line": 2 - }, - { - "Cmd": "copy", - "EndLine": 3, - "Flags": [], - "JSON": false, - "Original": "COPY . /src", - "SubCmd": "", - "Value": [ - ".", - "/src" - ], - "_kics_line": 3 - }, - { - "Cmd": "run", - "EndLine": 4, - "Flags": [], - "JSON": false, - "Original": "RUN make /src", - "SubCmd": "", - "Value": [ - "make /src" - ], - "_kics_line": 4 - }, - { - "Cmd": "add", - "EndLine": 5, - "Flags": [], - "JSON": false, - "Original": "ADD ${JAR_FILE} app.jar", - "SubCmd": "", - "Value": [ - "${JAR_FILE}", - "app.jar" - ], - "_kics_line": 5 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [], - "command": { - "--platform=linux/amd64 alpine:latest": [ - { - "Cmd": "from", - "EndLine": 1, - "Flags": [ - "--platform=linux/amd64" - ], - "JSON": false, - "Original": "FROM --platform=linux/amd64 alpine:latest", - "SubCmd": "", - "Value": [ - "alpine:latest" - ], - "_kics_line": 1 - }, - { - "Cmd": "copy", - "EndLine": 2, - "Flags": [ - "--from=builder" - ], - "JSON": false, - "Original": "COPY --from=builder /src/bin /usr/local/bin/", - "SubCmd": "", - "Value": [ - "/src/bin", - "/usr/local/bin/" - ], - "_kics_line": 2 - }, - { - "Cmd": "cmd", - "EndLine": 3, - "Flags": [], - "JSON": true, - "Original": "CMD [\"/usr/local/bin/app\"]", - "SubCmd": "", - "Value": [ - "/usr/local/bin/app" - ], - "_kics_line": 3 - }, - { - "Cmd": "add", - "EndLine": 4, - "Flags": [], - "JSON": false, - "Original": "ADD 
${JAR_FILE} app.jar", - "SubCmd": "", - "Value": [ - "${JAR_FILE}", - "app.jar" - ], - "_kics_line": 4 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [], - "command": { - "--platform=linux/amd64 ubuntu:latest": [ - { - "Cmd": "from", - "EndLine": 1, - "Flags": [ - "--platform=linux/amd64" - ], - "JSON": false, - "Original": "FROM --platform=linux/amd64 ubuntu:latest", - "SubCmd": "", - "Value": [ - "ubuntu:latest" - ], - "_kics_line": 1 - }, - { - "Cmd": "run", - "EndLine": 2, - "Flags": [], - "JSON": false, - "Original": "RUN apt-get update \u0026\u0026 apt-get install -y curl", - "SubCmd": "", - "Value": [ - "apt-get update \u0026\u0026 apt-get install -y curl" - ], - "_kics_line": 2 - }, - { - "Cmd": "cmd", - "EndLine": 3, - "Flags": [], - "JSON": true, - "Original": "CMD [\"/bin/bash\"]", - "SubCmd": "", - "Value": [ - "/bin/bash" - ], - "_kics_line": 3 - }, - { - "Cmd": "add", - "EndLine": 4, - "Flags": [], - "JSON": false, - "Original": "ADD ${JAR_FILE} app.jar", - "SubCmd": "", - "Value": [ - "${JAR_FILE}", - "app.jar" - ], - "_kics_line": 4 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [ - { - "Cmd": "arg", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "ARG BUILDPLATFORM", - "SubCmd": "", - "Value": [ - "BUILDPLATFORM" - ], - "_kics_line": 1 - } - ], - "command": { - "--platform=$BUILDPLATFORM golang:1.21": [ - { - "Cmd": "from", - "EndLine": 2, - "Flags": [ - "--platform=$BUILDPLATFORM" - ], - "JSON": false, - "Original": "FROM --platform=$BUILDPLATFORM golang:1.21", - "SubCmd": "", - "Value": [ - "golang:1.21" - ], - "_kics_line": 2 - }, - { - "Cmd": "workdir", - "EndLine": 3, - "Flags": [], - "JSON": false, - "Original": "WORKDIR /src", - "SubCmd": "", - "Value": [ - "/src" - ], - "_kics_line": 3 - }, - { - "Cmd": "copy", - "EndLine": 4, - "Flags": [], - "JSON": false, - "Original": "COPY . .", - "SubCmd": "", - "Value": [ - ".", - "." 
- ], - "_kics_line": 4 - }, - { - "Cmd": "run", - "EndLine": 5, - "Flags": [], - "JSON": false, - "Original": "RUN go build -o /app", - "SubCmd": "", - "Value": [ - "go build -o /app" - ], - "_kics_line": 5 - }, - { - "Cmd": "cmd", - "EndLine": 6, - "Flags": [], - "JSON": true, - "Original": "CMD [\"/app\"]", - "SubCmd": "", - "Value": [ - "/app" - ], - "_kics_line": 6 - }, - { - "Cmd": "add", - "EndLine": 7, - "Flags": [], - "JSON": false, - "Original": "ADD ${JAR_FILE} app.jar", - "SubCmd": "", - "Value": [ - "${JAR_FILE}", - "app.jar" - ], - "_kics_line": 7 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [], - "command": { - "--platform=linux/amd64 ubuntu": [ - { - "Cmd": "from", - "EndLine": 1, - "Flags": [ - "--platform=linux/amd64" - ], - "JSON": false, - "Original": "FROM --platform=linux/amd64 ubuntu", - "SubCmd": "", - "Value": [ - "ubuntu" - ], - "_kics_line": 1 - }, - { - "Cmd": "run", - "EndLine": 2, - "Flags": [], - "JSON": false, - "Original": "RUN echo \"hello\"", - "SubCmd": "", - "Value": [ - "echo \"hello\"" - ], - "_kics_line": 2 - }, - { - "Cmd": "add", - "EndLine": 3, - "Flags": [], - "JSON": false, - "Original": "ADD ${JAR_FILE} app.jar", - "SubCmd": "", - "Value": [ - "${JAR_FILE}", - "app.jar" - ], - "_kics_line": 3 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [], - "command": { - "example.com:5000/team/my-app:2.0": [ - { - "Cmd": "from", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "FROM example.com:5000/team/my-app:2.0", - "SubCmd": "", - "Value": [ - "example.com:5000/team/my-app:2.0" - ], - "_kics_line": 1 - }, - { - "Cmd": "run", - "EndLine": 2, - "Flags": [], - "JSON": false, - "Original": "RUN echo \"hello\"", - "SubCmd": "", - "Value": [ - "echo \"hello\"" - ], - "_kics_line": 2 - }, - { - "Cmd": "add", - "EndLine": 3, - "Flags": [], - "JSON": false, - "Original": "ADD ${JAR_FILE} app.jar", - "SubCmd": "", - "Value": [ - "${JAR_FILE}", - "app.jar" - ], - "_kics_line": 3 - } - ] - }, - 
"file": "file", - "id": "0" - }, - { - "args": [], - "command": { - "bighostnameusedasasample.example.com:4903/team/my-app:2.0": [ - { - "Cmd": "from", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "FROM bighostnameusedasasample.example.com:4903/team/my-app:2.0", - "SubCmd": "", - "Value": [ - "bighostnameusedasasample.example.com:4903/team/my-app:2.0" - ], - "_kics_line": 1 - }, - { - "Cmd": "run", - "EndLine": 2, - "Flags": [], - "JSON": false, - "Original": "RUN echo \"hello\"", - "SubCmd": "", - "Value": [ - "echo \"hello\"" - ], - "_kics_line": 2 - }, - { - "Cmd": "add", - "EndLine": 3, - "Flags": [], - "JSON": false, - "Original": "ADD ${JAR_FILE} app.jar", - "SubCmd": "", - "Value": [ - "${JAR_FILE}", - "app.jar" - ], - "_kics_line": 3 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [], - "command": { - "alpine:3.19 AS builder": [ - { - "Cmd": "from", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "FROM alpine:3.19 AS builder", - "SubCmd": "", - "Value": [ - "alpine:3.19", - "AS", - "builder" - ], - "_kics_line": 1 - }, - { - "Cmd": "copy", - "EndLine": 3, - "Flags": [], - "JSON": false, - "Original": "COPY . .", - "SubCmd": "", - "Value": [ - ".", - "." 
- ], - "_kics_line": 3 - }, - { - "Cmd": "healthcheck", - "EndLine": 5, - "Flags": [ - "--interval=30s", - "--timeout=30s", - "--start-period=5s", - "--retries=3" - ], - "JSON": true, - "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", - "SubCmd": "", - "Value": [ - "CMD", - "executable" - ], - "_kics_line": 5 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [], - "command": { - "alpine:3.19 AS builder": [ - { - "Cmd": "from", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "FROM alpine:3.19 AS builder", - "SubCmd": "", - "Value": [ - "alpine:3.19", - "AS", - "builder" - ], - "_kics_line": 1 - }, - { - "Cmd": "copy", - "EndLine": 3, - "Flags": [], - "JSON": false, - "Original": "COPY . .", - "SubCmd": "", - "Value": [ - ".", - "." - ], - "_kics_line": 3 - }, - { - "Cmd": "healthcheck", - "EndLine": 5, - "Flags": [ - "--interval=30s", - "--timeout=30s", - "--start-period=5s", - "--retries=3" - ], - "JSON": true, - "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", - "SubCmd": "", - "Value": [ - "CMD", - "executable" - ], - "_kics_line": 5 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [], - "command": { - "alpine:3.19 AS builder": [ - { - "Cmd": "from", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "FROM alpine:3.19 AS builder", - "SubCmd": "", - "Value": [ - "alpine:3.19", - "AS", - "builder" - ], - "_kics_line": 1 - }, - { - "Cmd": "copy", - "EndLine": 3, - "Flags": [], - "JSON": false, - "Original": "COPY . .", - "SubCmd": "", - "Value": [ - ".", - "." 
- ], - "_kics_line": 3 - }, - { - "Cmd": "healthcheck", - "EndLine": 5, - "Flags": [ - "--interval=30s", - "--timeout=30s", - "--start-period=5s", - "--retries=3" - ], - "JSON": true, - "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", - "SubCmd": "", - "Value": [ - "CMD", - "executable" - ], - "_kics_line": 5 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [], - "command": { - "alpine:3.19 AS builder": [ - { - "Cmd": "from", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "FROM alpine:3.19 AS builder", - "SubCmd": "", - "Value": [ - "alpine:3.19", - "AS", - "builder" - ], - "_kics_line": 1 - }, - { - "Cmd": "copy", - "EndLine": 3, - "Flags": [], - "JSON": false, - "Original": "COPY . .", - "SubCmd": "", - "Value": [ - ".", - "." - ], - "_kics_line": 3 - }, - { - "Cmd": "healthcheck", - "EndLine": 5, - "Flags": [ - "--interval=30s", - "--timeout=30s", - "--start-period=5s", - "--retries=3" - ], - "JSON": true, - "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", - "SubCmd": "", - "Value": [ - "CMD", - "executable" - ], - "_kics_line": 5 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [], - "command": { - "alpine:3.19 AS builder": [ - { - "Cmd": "from", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "FROM alpine:3.19 AS builder", - "SubCmd": "", - "Value": [ - "alpine:3.19", - "AS", - "builder" - ], - "_kics_line": 1 - }, - { - "Cmd": "copy", - "EndLine": 3, - "Flags": [], - "JSON": false, - "Original": "COPY . .", - "SubCmd": "", - "Value": [ - ".", - "." 
- ], - "_kics_line": 3 - }, - { - "Cmd": "healthcheck", - "EndLine": 5, - "Flags": [ - "--interval=30s", - "--timeout=30s", - "--start-period=5s", - "--retries=3" - ], - "JSON": true, - "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", - "SubCmd": "", - "Value": [ - "CMD", - "executable" - ], - "_kics_line": 5 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [], - "command": { - "alpine:3.19 AS builder": [ - { - "Cmd": "from", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "FROM alpine:3.19 AS builder", - "SubCmd": "", - "Value": [ - "alpine:3.19", - "AS", - "builder" - ], - "_kics_line": 1 - }, - { - "Cmd": "copy", - "EndLine": 3, - "Flags": [], - "JSON": false, - "Original": "COPY . .", - "SubCmd": "", - "Value": [ - ".", - "." - ], - "_kics_line": 3 - }, - { - "Cmd": "healthcheck", - "EndLine": 5, - "Flags": [ - "--interval=30s", - "--timeout=30s", - "--start-period=5s", - "--retries=3" - ], - "JSON": true, - "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", - "SubCmd": "", - "Value": [ - "CMD", - "executable" - ], - "_kics_line": 5 - } - ] - }, - "file": "file", - "id": "0" - } - ] + "document": [ + { + "args": [], + "command": { + "openjdk:10-jdk": [ + { + "Cmd": "from", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "FROM openjdk:10-jdk", + "SubCmd": "", + "Value": [ + "openjdk:10-jdk" + ], + "_kics_line": 1 + }, + { + "Cmd": "volume", + "EndLine": 2, + "Flags": [], + "JSON": false, + "Original": "VOLUME /tmp", + "SubCmd": "", + "Value": [ + "/tmp" + ], + "_kics_line": 2 + }, + { + "Cmd": "add", + "EndLine": 3, + "Flags": [], + "JSON": false, + "Original": "ADD http://source.file/package.file.tar.gz /temp", + "SubCmd": "", + "Value": [ + "http://source.file/package.file.tar.gz", + "/temp" + ], + "_kics_line": 3 + }, + { + "Cmd": "run", + "EndLine": 4, + "Flags": [], + "JSON": false, + "Original": "RUN 
tar -xjf /temp/package.file.tar.gz", + "SubCmd": "", + "Value": [ + "tar -xjf /temp/package.file.tar.gz" + ], + "_kics_line": 4 + }, + { + "Cmd": "arg", + "EndLine": 5, + "Flags": [], + "JSON": false, + "Original": "ARG JAR_FILE", + "SubCmd": "", + "Value": [ + "JAR_FILE" + ], + "_kics_line": 5 + }, + { + "Cmd": "add", + "EndLine": 6, + "Flags": [], + "JSON": false, + "Original": "ADD ${JAR_FILE} app.jar", + "SubCmd": "", + "Value": [ + "${JAR_FILE}", + "app.jar" + ], + "_kics_line": 6 + }, + { + "Cmd": "entrypoint", + "EndLine": 7, + "Flags": [], + "JSON": true, + "Original": "ENTRYPOINT [\"java\",\"-Djava.security.egd=file:/dev/./urandom\",\"-jar\",\"/app.jar\"]", + "SubCmd": "", + "Value": [ + "java", + "-Djava.security.egd=file:/dev/./urandom", + "-jar", + "/app.jar" + ], + "_kics_line": 7 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [], + "command": { + "alpine:3.19 AS builder": [ + { + "Cmd": "from", + "EndLine": 13, + "Flags": [], + "JSON": false, + "Original": "FROM alpine:3.19 AS builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "AS", + "builder" + ], + "_kics_line": 13 + }, + { + "Cmd": "copy", + "EndLine": 15, + "Flags": [], + "JSON": false, + "Original": "COPY . .", + "SubCmd": "", + "Value": [ + ".", + "." 
+ ], + "_kics_line": 15 + }, + { + "Cmd": "healthcheck", + "EndLine": 17, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "CMD", + "executable" + ], + "_kics_line": 17 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [ + { + "Cmd": "arg", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "ARG VERSION=1.0", + "SubCmd": "", + "Value": [ + "VERSION=1.0" + ], + "_kics_line": 1 + }, + { + "Cmd": "arg", + "EndLine": 2, + "Flags": [], + "JSON": false, + "Original": "ARG BASE_IMAGE=ubuntu:22.04", + "SubCmd": "", + "Value": [ + "BASE_IMAGE=ubuntu:22.04" + ], + "_kics_line": 2 + } + ], + "command": { + "alpine:3.19 AS builder": [ + { + "Cmd": "from", + "EndLine": 4, + "Flags": [], + "JSON": false, + "Original": "FROM alpine:3.19 AS builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "AS", + "builder" + ], + "_kics_line": 4 + }, + { + "Cmd": "copy", + "EndLine": 6, + "Flags": [], + "JSON": false, + "Original": "COPY . .", + "SubCmd": "", + "Value": [ + ".", + "." 
+ ], + "_kics_line": 6 + }, + { + "Cmd": "healthcheck", + "EndLine": 8, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "CMD", + "executable" + ], + "_kics_line": 8 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [ + { + "Cmd": "arg", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "ARG VERSION=1.0", + "SubCmd": "", + "Value": [ + "VERSION=1.0" + ], + "_kics_line": 1 + }, + { + "Cmd": "arg", + "EndLine": 2, + "Flags": [], + "JSON": false, + "Original": "ARG BASE_IMAGE=ubuntu:22.04", + "SubCmd": "", + "Value": [ + "BASE_IMAGE=ubuntu:22.04" + ], + "_kics_line": 2 + } + ], + "command": { + "alpine:3.19 AS builder": [ + { + "Cmd": "from", + "EndLine": 4, + "Flags": [], + "JSON": false, + "Original": "FROM alpine:3.19 AS builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "AS", + "builder" + ], + "_kics_line": 4 + }, + { + "Cmd": "copy", + "EndLine": 6, + "Flags": [], + "JSON": false, + "Original": "COPY . .", + "SubCmd": "", + "Value": [ + ".", + "." 
+ ], + "_kics_line": 6 + }, + { + "Cmd": "healthcheck", + "EndLine": 8, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "CMD", + "executable" + ], + "_kics_line": 8 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [ + { + "Cmd": "arg", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "ARG VERSION=1.0", + "SubCmd": "", + "Value": [ + "VERSION=1.0" + ], + "_kics_line": 1 + }, + { + "Cmd": "arg", + "EndLine": 2, + "Flags": [], + "JSON": false, + "Original": "ARG BASE_IMAGE=ubuntu:22.04", + "SubCmd": "", + "Value": [ + "BASE_IMAGE=ubuntu:22.04" + ], + "_kics_line": 2 + } + ], + "command": { + "alpine:3.19 AS builder": [ + { + "Cmd": "from", + "EndLine": 4, + "Flags": [], + "JSON": false, + "Original": "FROM alpine:3.19 AS builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "AS", + "builder" + ], + "_kics_line": 4 + }, + { + "Cmd": "copy", + "EndLine": 6, + "Flags": [], + "JSON": false, + "Original": "COPY . .", + "SubCmd": "", + "Value": [ + ".", + "." 
+ ], + "_kics_line": 6 + }, + { + "Cmd": "healthcheck", + "EndLine": 8, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "CMD", + "executable" + ], + "_kics_line": 8 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [ + { + "Cmd": "arg", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "ARG BASE_IMAGE=ubuntu:22.04", + "SubCmd": "", + "Value": [ + "BASE_IMAGE=ubuntu:22.04" + ], + "_kics_line": 1 + }, + { + "Cmd": "arg", + "EndLine": 4, + "Flags": [], + "JSON": false, + "Original": "ARG JAR_FILE", + "SubCmd": "", + "Value": [ + "JAR_FILE" + ], + "_kics_line": 4 + } + ], + "command": { + "alpine:3.19 AS builder": [ + { + "Cmd": "from", + "EndLine": 6, + "Flags": [], + "JSON": false, + "Original": "FROM alpine:3.19 AS builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "AS", + "builder" + ], + "_kics_line": 6 + }, + { + "Cmd": "copy", + "EndLine": 8, + "Flags": [], + "JSON": false, + "Original": "COPY . .", + "SubCmd": "", + "Value": [ + ".", + "." 
+ ], + "_kics_line": 8 + }, + { + "Cmd": "healthcheck", + "EndLine": 10, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "CMD", + "executable" + ], + "_kics_line": 10 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [ + { + "Cmd": "arg", + "EndLine": 2, + "Flags": [], + "JSON": false, + "Original": "ARG BASE_IMAGE=ubuntu:22.04", + "SubCmd": "", + "Value": [ + "BASE_IMAGE=ubuntu:22.04" + ], + "_kics_line": 2 + } + ], + "command": { + "alpine:3.19 AS builder": [ + { + "Cmd": "from", + "EndLine": 6, + "Flags": [], + "JSON": false, + "Original": "FROM alpine:3.19 AS builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "AS", + "builder" + ], + "_kics_line": 6 + }, + { + "Cmd": "copy", + "EndLine": 8, + "Flags": [], + "JSON": false, + "Original": "COPY . .", + "SubCmd": "", + "Value": [ + ".", + "." 
+ ], + "_kics_line": 8 + }, + { + "Cmd": "healthcheck", + "EndLine": 10, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "CMD", + "executable" + ], + "_kics_line": 10 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [ + { + "Cmd": "arg", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "ARG BASE_IMAGE=ubuntu:22.04", + "SubCmd": "", + "Value": [ + "BASE_IMAGE=ubuntu:22.04" + ], + "_kics_line": 1 + } + ], + "command": { + "alpine:3.19 AS builder": [ + { + "Cmd": "from", + "EndLine": 4, + "Flags": [], + "JSON": false, + "Original": "FROM alpine:3.19 AS builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "AS", + "builder" + ], + "_kics_line": 4 + }, + { + "Cmd": "copy", + "EndLine": 6, + "Flags": [], + "JSON": false, + "Original": "COPY .. .", + "SubCmd": "", + "Value": [ + "..", + "." 
+ ], + "_kics_line": 6 + }, + { + "Cmd": "healthcheck", + "EndLine": 8, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "CMD", + "executable" + ], + "_kics_line": 8 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [ + { + "Cmd": "arg", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "ARG BASE_IMAGE=ubuntu:22.04", + "SubCmd": "", + "Value": [ + "BASE_IMAGE=ubuntu:22.04" + ], + "_kics_line": 1 + } + ], + "command": { + "alpine:3.19 AS builder": [ + { + "Cmd": "from", + "EndLine": 3, + "Flags": [], + "JSON": false, + "Original": "FROM alpine:3.19 AS builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "AS", + "builder" + ], + "_kics_line": 3 + }, + { + "Cmd": "copy", + "EndLine": 5, + "Flags": [], + "JSON": false, + "Original": "COPY . .", + "SubCmd": "", + "Value": [ + ".", + "." + ], + "_kics_line": 5 + }, + { + "Cmd": "healthcheck", + "EndLine": 7, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "CMD", + "executable" + ], + "_kics_line": 7 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [], + "command": { + "alpine:3.19 as builder": [ + { + "Cmd": "from", + "EndLine": 13, + "Flags": [], + "JSON": false, + "Original": "from alpine:3.19 as builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "as", + "builder" + ], + "_kics_line": 13 + }, + { + "Cmd": "copy", + "EndLine": 15, + "Flags": [], + "JSON": false, + "Original": "copy . .", + "SubCmd": "", + "Value": [ + ".", + "." 
+ ], + "_kics_line": 15 + }, + { + "Cmd": "healthcheck", + "EndLine": 17, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "healthcheck --interval=30s --timeout=30s --start-period=5s --retries=3 cmd [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "cmd", + "executable" + ], + "_kics_line": 17 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [ + { + "Cmd": "arg", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "arg VERSION=1.0", + "SubCmd": "", + "Value": [ + "VERSION=1.0" + ], + "_kics_line": 1 + }, + { + "Cmd": "arg", + "EndLine": 2, + "Flags": [], + "JSON": false, + "Original": "arg BASE_IMAGE=ubuntu:22.04", + "SubCmd": "", + "Value": [ + "BASE_IMAGE=ubuntu:22.04" + ], + "_kics_line": 2 + } + ], + "command": { + "alpine:3.19 as builder": [ + { + "Cmd": "from", + "EndLine": 4, + "Flags": [], + "JSON": false, + "Original": "from alpine:3.19 as builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "as", + "builder" + ], + "_kics_line": 4 + }, + { + "Cmd": "copy", + "EndLine": 6, + "Flags": [], + "JSON": false, + "Original": "copy . .", + "SubCmd": "", + "Value": [ + ".", + "." 
+ ], + "_kics_line": 6 + }, + { + "Cmd": "healthcheck", + "EndLine": 8, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "healthcheck --interval=30s --timeout=30s --start-period=5s --retries=3 cmd [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "cmd", + "executable" + ], + "_kics_line": 8 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [ + { + "Cmd": "arg", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "arg VERSION=1.0", + "SubCmd": "", + "Value": [ + "VERSION=1.0" + ], + "_kics_line": 1 + }, + { + "Cmd": "arg", + "EndLine": 2, + "Flags": [], + "JSON": false, + "Original": "arg BASE_IMAGE=ubuntu:22.04", + "SubCmd": "", + "Value": [ + "BASE_IMAGE=ubuntu:22.04" + ], + "_kics_line": 2 + } + ], + "command": { + "alpine:3.19 as builder": [ + { + "Cmd": "from", + "EndLine": 4, + "Flags": [], + "JSON": false, + "Original": "from alpine:3.19 as builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "as", + "builder" + ], + "_kics_line": 4 + }, + { + "Cmd": "copy", + "EndLine": 6, + "Flags": [], + "JSON": false, + "Original": "copy . .", + "SubCmd": "", + "Value": [ + ".", + "." 
+ ], + "_kics_line": 6 + }, + { + "Cmd": "healthcheck", + "EndLine": 8, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "healthcheck --interval=30s --timeout=30s --start-period=5s --retries=3 cmd [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "cmd", + "executable" + ], + "_kics_line": 8 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [ + { + "Cmd": "arg", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "arg VERSION=1.0", + "SubCmd": "", + "Value": [ + "VERSION=1.0" + ], + "_kics_line": 1 + }, + { + "Cmd": "arg", + "EndLine": 2, + "Flags": [], + "JSON": false, + "Original": "arg BASE_IMAGE=ubuntu:22.04", + "SubCmd": "", + "Value": [ + "BASE_IMAGE=ubuntu:22.04" + ], + "_kics_line": 2 + } + ], + "command": { + "alpine:3.19 as builder": [ + { + "Cmd": "from", + "EndLine": 4, + "Flags": [], + "JSON": false, + "Original": "from alpine:3.19 as builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "as", + "builder" + ], + "_kics_line": 4 + }, + { + "Cmd": "copy", + "EndLine": 6, + "Flags": [], + "JSON": false, + "Original": "copy . .", + "SubCmd": "", + "Value": [ + ".", + "." 
+ ], + "_kics_line": 6 + }, + { + "Cmd": "healthcheck", + "EndLine": 8, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "healthcheck --interval=30s --timeout=30s --start-period=5s --retries=3 cmd [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "cmd", + "executable" + ], + "_kics_line": 8 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [ + { + "Cmd": "arg", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "arg BASE_IMAGE=ubuntu:22.04", + "SubCmd": "", + "Value": [ + "BASE_IMAGE=ubuntu:22.04" + ], + "_kics_line": 1 + }, + { + "Cmd": "arg", + "EndLine": 4, + "Flags": [], + "JSON": false, + "Original": "arg JAR_FILE", + "SubCmd": "", + "Value": [ + "JAR_FILE" + ], + "_kics_line": 4 + } + ], + "command": { + "alpine:3.19 as builder": [ + { + "Cmd": "from", + "EndLine": 6, + "Flags": [], + "JSON": false, + "Original": "from alpine:3.19 as builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "as", + "builder" + ], + "_kics_line": 6 + }, + { + "Cmd": "copy", + "EndLine": 8, + "Flags": [], + "JSON": false, + "Original": "copy . .", + "SubCmd": "", + "Value": [ + ".", + "." 
+ ], + "_kics_line": 8 + }, + { + "Cmd": "healthcheck", + "EndLine": 10, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "healthcheck --interval=30s --timeout=30s --start-period=5s --retries=3 cmd [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "cmd", + "executable" + ], + "_kics_line": 10 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [ + { + "Cmd": "arg", + "EndLine": 2, + "Flags": [], + "JSON": false, + "Original": "arg BASE_IMAGE=ubuntu:22.04", + "SubCmd": "", + "Value": [ + "BASE_IMAGE=ubuntu:22.04" + ], + "_kics_line": 2 + } + ], + "command": { + "alpine:3.19 as builder": [ + { + "Cmd": "from", + "EndLine": 6, + "Flags": [], + "JSON": false, + "Original": "from alpine:3.19 as builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "as", + "builder" + ], + "_kics_line": 6 + }, + { + "Cmd": "copy", + "EndLine": 8, + "Flags": [], + "JSON": false, + "Original": "copy . .", + "SubCmd": "", + "Value": [ + ".", + "." 
+ ], + "_kics_line": 8 + }, + { + "Cmd": "healthcheck", + "EndLine": 10, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "healthcheck --interval=30s --timeout=30s --start-period=5s --retries=3 cmd [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "cmd", + "executable" + ], + "_kics_line": 10 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [ + { + "Cmd": "arg", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "arg BASE_IMAGE=ubuntu:22.04", + "SubCmd": "", + "Value": [ + "BASE_IMAGE=ubuntu:22.04" + ], + "_kics_line": 1 + } + ], + "command": { + "alpine:3.19 AS builder": [ + { + "Cmd": "from", + "EndLine": 4, + "Flags": [], + "JSON": false, + "Original": "from alpine:3.19 AS builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "AS", + "builder" + ], + "_kics_line": 4 + }, + { + "Cmd": "copy", + "EndLine": 6, + "Flags": [], + "JSON": false, + "Original": "copy .. .", + "SubCmd": "", + "Value": [ + "..", + "." 
+ ], + "_kics_line": 6 + }, + { + "Cmd": "healthcheck", + "EndLine": 8, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "healthcheck --interval=30s --timeout=30s --start-period=5s --retries=3 cmd [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "cmd", + "executable" + ], + "_kics_line": 8 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [ + { + "Cmd": "arg", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "arg BASE_IMAGE=ubuntu:22.04", + "SubCmd": "", + "Value": [ + "BASE_IMAGE=ubuntu:22.04" + ], + "_kics_line": 1 + } + ], + "command": { + "alpine:3.19 as builder": [ + { + "Cmd": "from", + "EndLine": 3, + "Flags": [], + "JSON": false, + "Original": "from alpine:3.19 as builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "as", + "builder" + ], + "_kics_line": 3 + }, + { + "Cmd": "copy", + "EndLine": 5, + "Flags": [], + "JSON": false, + "Original": "copy . .", + "SubCmd": "", + "Value": [ + ".", + "." 
+ ], + "_kics_line": 5 + }, + { + "Cmd": "healthcheck", + "EndLine": 7, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "healthcheck --interval=30s --timeout=30s --start-period=5s --retries=3 cmd [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "cmd", + "executable" + ], + "_kics_line": 7 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [], + "command": { + "alpine:latest": [ + { + "Cmd": "from", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "FROM alpine:latest", + "SubCmd": "", + "Value": [ + "alpine:latest" + ], + "_kics_line": 1 + }, + { + "Cmd": "copy", + "EndLine": 3, + "Flags": [], + "JSON": false, + "Original": "COPY {{ file_path }} /test", + "SubCmd": "", + "Value": [ + "{{", + "file_path", + "}}", + "/test" + ], + "_kics_line": 3 + }, + { + "Cmd": "run", + "EndLine": 5, + "Flags": [], + "JSON": false, + "Original": "RUN echo \"failure\"", + "SubCmd": "", + "Value": [ + "echo \"failure\"" + ], + "_kics_line": 5 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [ + { + "Cmd": "arg", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "ARG BASE_IMAGE=alpine:latest", + "SubCmd": "", + "Value": [ + "BASE_IMAGE=alpine:latest" + ], + "_kics_line": 1 + } + ], + "command": { + "${BASE_IMAGE}": [ + { + "Cmd": "from", + "EndLine": 2, + "Flags": [], + "JSON": false, + "Original": "FROM ${BASE_IMAGE}", + "SubCmd": "", + "Value": [ + "alpine:latest" + ], + "_kics_line": 2 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [], + "command": { + "bighostnameusedasasample.example.com:4903/team/my-app:2.0": [ + { + "Cmd": "from", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "FROM bighostnameusedasasample.example.com:4903/team/my-app:2.0", + "SubCmd": "", + "Value": [ + "bighostnameusedasasample.example.com:4903/team/my-app:2.0" + ], + "_kics_line": 1 + }, + { + "Cmd": "run", + "EndLine": 2, + "Flags": [], + "JSON": 
false, + "Original": "RUN echo \"hello\"", + "SubCmd": "", + "Value": [ + "echo \"hello\"" + ], + "_kics_line": 2 + }, + { + "Cmd": "add", + "EndLine": 3, + "Flags": [], + "JSON": false, + "Original": "ADD ${JAR_FILE} app.jar", + "SubCmd": "", + "Value": [ + "${JAR_FILE}", + "app.jar" + ], + "_kics_line": 3 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [], + "command": { + "alpine:latest": [ + { + "Cmd": "from", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "FROM alpine:latest", + "SubCmd": "", + "Value": [ + "alpine:latest" + ], + "_kics_line": 1 + }, + { + "Cmd": "copy", + "EndLine": 2, + "Flags": [ + "--from=builder" + ], + "JSON": false, + "Original": "COPY --from=builder /src/bin /usr/local/bin/", + "SubCmd": "", + "Value": [ + "/src/bin", + "/usr/local/bin/" + ], + "_kics_line": 2 + }, + { + "Cmd": "cmd", + "EndLine": 3, + "Flags": [], + "JSON": true, + "Original": "CMD [\"/usr/local/bin/app\"]", + "SubCmd": "", + "Value": [ + "/usr/local/bin/app" + ], + "_kics_line": 3 + }, + { + "Cmd": "add", + "EndLine": 4, + "Flags": [], + "JSON": false, + "Original": "ADD ${JAR_FILE} app.jar", + "SubCmd": "", + "Value": [ + "${JAR_FILE}", + "app.jar" + ], + "_kics_line": 4 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [], + "command": { + "alpine@sha256:e1c082e3d3c45cccac829840a25941e679c25d438cc8412c2fa221cf1a824e6a": [ + { + "Cmd": "from", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "FROM alpine@sha256:e1c082e3d3c45cccac829840a25941e679c25d438cc8412c2fa221cf1a824e6a", + "SubCmd": "", + "Value": [ + "alpine@sha256:e1c082e3d3c45cccac829840a25941e679c25d438cc8412c2fa221cf1a824e6a" + ], + "_kics_line": 1 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [], + "command": { + "192.168.1.100:5000/team/image:v1": [ + { + "Cmd": "from", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "FROM 192.168.1.100:5000/team/image:v1", + "SubCmd": "", + "Value": [ + 
"192.168.1.100:5000/team/image:v1" + ], + "_kics_line": 1 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [], + "command": { + "alpine:3.18 AS base": [ + { + "Cmd": "from", + "EndLine": 3, + "Flags": [], + "JSON": false, + "Original": "FROM alpine:3.18 AS base", + "SubCmd": "", + "Value": [ + "alpine:3.18", + "AS", + "base" + ], + "_kics_line": 1 + }, + { + "Cmd": "volume", + "EndLine": 4, + "Flags": [], + "JSON": false, + "Original": "VOLUME /tmp", + "SubCmd": "", + "Value": [ + "/tmp" + ], + "_kics_line": 4 + }, + { + "Cmd": "add", + "EndLine": 5, + "Flags": [], + "JSON": false, + "Original": "ADD http://source.file/package.file.tar.gz /temp", + "SubCmd": "", + "Value": [ + "http://source.file/package.file.tar.gz", + "/temp" + ], + "_kics_line": 5 + }, + { + "Cmd": "run", + "EndLine": 6, + "Flags": [], + "JSON": false, + "Original": "RUN tar -xjf /temp/package.file.tar.gz", + "SubCmd": "", + "Value": [ + "tar -xjf /temp/package.file.tar.gz" + ], + "_kics_line": 6 + }, + { + "Cmd": "arg", + "EndLine": 7, + "Flags": [], + "JSON": false, + "Original": "ARG JAR_FILE", + "SubCmd": "", + "Value": [ + "JAR_FILE" + ], + "_kics_line": 7 + }, + { + "Cmd": "add", + "EndLine": 8, + "Flags": [], + "JSON": false, + "Original": "ADD ${JAR_FILE} app.jar", + "SubCmd": "", + "Value": [ + "${JAR_FILE}", + "app.jar" + ], + "_kics_line": 8 + }, + { + "Cmd": "entrypoint", + "EndLine": 9, + "Flags": [], + "JSON": true, + "Original": "ENTRYPOINT [\"java\",\"-Djava.security.egd=file:/dev/./urandom\",\"-jar\",\"/app.jar\"]", + "SubCmd": "", + "Value": [ + "java", + "-Djava.security.egd=file:/dev/./urandom", + "-jar", + "/app.jar" + ], + "_kics_line": 9 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [], + "command": { + "--platform=linux/amd64 alpine:latest": [ + { + "Cmd": "from", + "EndLine": 1, + "Flags": [ + "--platform=linux/amd64" + ], + "JSON": false, + "Original": "FROM --platform=linux/amd64 alpine:latest", + "SubCmd": "", + "Value": [ + 
"alpine:latest" + ], + "_kics_line": 1 + }, + { + "Cmd": "copy", + "EndLine": 2, + "Flags": [ + "--from=builder" + ], + "JSON": false, + "Original": "COPY --from=builder /src/bin /usr/local/bin/", + "SubCmd": "", + "Value": [ + "/src/bin", + "/usr/local/bin/" + ], + "_kics_line": 2 + }, + { + "Cmd": "cmd", + "EndLine": 3, + "Flags": [], + "JSON": true, + "Original": "CMD [\"/usr/local/bin/app\"]", + "SubCmd": "", + "Value": [ + "/usr/local/bin/app" + ], + "_kics_line": 3 + }, + { + "Cmd": "add", + "EndLine": 4, + "Flags": [], + "JSON": false, + "Original": "ADD ${JAR_FILE} app.jar", + "SubCmd": "", + "Value": [ + "${JAR_FILE}", + "app.jar" + ], + "_kics_line": 4 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [], + "command": { + "--platform=linux/amd64 ubuntu:latest AS builder": [ + { + "Cmd": "from", + "EndLine": 1, + "Flags": [ + "--platform=linux/amd64" + ], + "JSON": false, + "Original": "FROM --platform=linux/amd64 ubuntu:latest AS builder", + "SubCmd": "", + "Value": [ + "ubuntu:latest", + "AS", + "builder" + ], + "_kics_line": 1 + }, + { + "Cmd": "run", + "EndLine": 2, + "Flags": [], + "JSON": false, + "Original": "RUN apt-get update && apt-get install -y gcc", + "SubCmd": "", + "Value": [ + "apt-get update && apt-get install -y gcc" + ], + "_kics_line": 2 + }, + { + "Cmd": "copy", + "EndLine": 3, + "Flags": [], + "JSON": false, + "Original": "COPY . 
/src", + "SubCmd": "", + "Value": [ + ".", + "/src" + ], + "_kics_line": 3 + }, + { + "Cmd": "run", + "EndLine": 4, + "Flags": [], + "JSON": false, + "Original": "RUN make /src", + "SubCmd": "", + "Value": [ + "make /src" + ], + "_kics_line": 4 + }, + { + "Cmd": "add", + "EndLine": 5, + "Flags": [], + "JSON": false, + "Original": "ADD ${JAR_FILE} app.jar", + "SubCmd": "", + "Value": [ + "${JAR_FILE}", + "app.jar" + ], + "_kics_line": 5 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [], + "command": { + "--platform=linux/arm64 scratch": [ + { + "Cmd": "from", + "EndLine": 1, + "Flags": [ + "--platform=linux/arm64" + ], + "JSON": false, + "Original": "FROM --platform=linux/arm64 scratch", + "SubCmd": "", + "Value": [ + "scratch" + ], + "_kics_line": 1 + }, + { + "Cmd": "copy", + "EndLine": 2, + "Flags": [], + "JSON": false, + "Original": "COPY myapp /", + "SubCmd": "", + "Value": [ + "myapp", + "/" + ], + "_kics_line": 2 + }, + { + "Cmd": "entrypoint", + "EndLine": 3, + "Flags": [], + "JSON": true, + "Original": "ENTRYPOINT [\"/myapp\"]", + "SubCmd": "", + "Value": [ + "/myapp" + ], + "_kics_line": 3 + }, + { + "Cmd": "add", + "EndLine": 4, + "Flags": [], + "JSON": false, + "Original": "ADD ${JAR_FILE} app.jar", + "SubCmd": "", + "Value": [ + "${JAR_FILE}", + "app.jar" + ], + "_kics_line": 4 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [ + { + "Cmd": "arg", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "ARG BUILDPLATFORM", + "SubCmd": "", + "Value": [ + "BUILDPLATFORM" + ], + "_kics_line": 1 + } + ], + "command": { + "--platform=$BUILDPLATFORM golang:1.21": [ + { + "Cmd": "from", + "EndLine": 2, + "Flags": [ + "--platform=$BUILDPLATFORM" + ], + "JSON": false, + "Original": "FROM --platform=$BUILDPLATFORM golang:1.21", + "SubCmd": "", + "Value": [ + "golang:1.21" + ], + "_kics_line": 2 + }, + { + "Cmd": "workdir", + "EndLine": 3, + "Flags": [], + "JSON": false, + "Original": "WORKDIR /src", + "SubCmd": "", + "Value": [ + 
"/src" + ], + "_kics_line": 3 + }, + { + "Cmd": "copy", + "EndLine": 4, + "Flags": [], + "JSON": false, + "Original": "COPY . .", + "SubCmd": "", + "Value": [ + ".", + "." + ], + "_kics_line": 4 + }, + { + "Cmd": "run", + "EndLine": 5, + "Flags": [], + "JSON": false, + "Original": "RUN go build -o /app", + "SubCmd": "", + "Value": [ + "go build -o /app" + ], + "_kics_line": 5 + }, + { + "Cmd": "cmd", + "EndLine": 6, + "Flags": [], + "JSON": true, + "Original": "CMD [\"/app\"]", + "SubCmd": "", + "Value": [ + "/app" + ], + "_kics_line": 6 + }, + { + "Cmd": "add", + "EndLine": 7, + "Flags": [], + "JSON": false, + "Original": "ADD ${JAR_FILE} app.jar", + "SubCmd": "", + "Value": [ + "${JAR_FILE}", + "app.jar" + ], + "_kics_line": 7 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [], + "command": { + "example.com:5000/team/my-app:2.0": [ + { + "Cmd": "from", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "FROM example.com:5000/team/my-app:2.0", + "SubCmd": "", + "Value": [ + "example.com:5000/team/my-app:2.0" + ], + "_kics_line": 1 + }, + { + "Cmd": "run", + "EndLine": 2, + "Flags": [], + "JSON": false, + "Original": "RUN echo \"hello\"", + "SubCmd": "", + "Value": [ + "echo \"hello\"" + ], + "_kics_line": 2 + }, + { + "Cmd": "add", + "EndLine": 3, + "Flags": [], + "JSON": false, + "Original": "ADD ${JAR_FILE} app.jar", + "SubCmd": "", + "Value": [ + "${JAR_FILE}", + "app.jar" + ], + "_kics_line": 3 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [], + "command": { + "openjdk:10-jdk": [ + { + "Cmd": "from", + "EndLine": 5, + "Flags": [], + "JSON": false, + "Original": "FROM openjdk:10-jdk", + "SubCmd": "", + "Value": [ + "openjdk:10-jdk" + ], + "_kics_line": 5 + }, + { + "Cmd": "volume", + "EndLine": 6, + "Flags": [], + "JSON": false, + "Original": "VOLUME /tmp", + "SubCmd": "", + "Value": [ + "/tmp" + ], + "_kics_line": 6 + }, + { + "Cmd": "add", + "EndLine": 7, + "Flags": [], + "JSON": false, + "Original": "ADD 
http://source.file/package.file.tar.gz /temp", + "SubCmd": "", + "Value": [ + "http://source.file/package.file.tar.gz", + "/temp" + ], + "_kics_line": 7 + }, + { + "Cmd": "run", + "EndLine": 8, + "Flags": [], + "JSON": false, + "Original": "RUN tar -xjf /temp/package.file.tar.gz", + "SubCmd": "", + "Value": [ + "tar -xjf /temp/package.file.tar.gz" + ], + "_kics_line": 8 + }, + { + "Cmd": "arg", + "EndLine": 9, + "Flags": [], + "JSON": false, + "Original": "ARG JAR_FILE", + "SubCmd": "", + "Value": [ + "JAR_FILE" + ], + "_kics_line": 9 + }, + { + "Cmd": "add", + "EndLine": 10, + "Flags": [], + "JSON": false, + "Original": "ADD ${JAR_FILE} app.jar", + "SubCmd": "", + "Value": [ + "${JAR_FILE}", + "app.jar" + ], + "_kics_line": 10 + }, + { + "Cmd": "entrypoint", + "EndLine": 11, + "Flags": [], + "JSON": true, + "Original": "ENTRYPOINT [\"java\",\"-Djava.security.egd=file:/dev/./urandom\",\"-jar\",\"/app.jar\"]", + "SubCmd": "", + "Value": [ + "java", + "-Djava.security.egd=file:/dev/./urandom", + "-jar", + "/app.jar" + ], + "_kics_line": 11 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [], + "command": { + "alpine:3.19 AS builder": [ + { + "Cmd": "from", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "FROM alpine:3.19 AS builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "AS", + "builder" + ], + "_kics_line": 1 + }, + { + "Cmd": "copy", + "EndLine": 3, + "Flags": [], + "JSON": false, + "Original": "COPY . .", + "SubCmd": "", + "Value": [ + ".", + "." 
+ ], + "_kics_line": 3 + }, + { + "Cmd": "healthcheck", + "EndLine": 5, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "CMD", + "executable" + ], + "_kics_line": 5 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [], + "command": { + "alpine:3.19 AS builder": [ + { + "Cmd": "from", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "FROM alpine:3.19 AS builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "AS", + "builder" + ], + "_kics_line": 1 + }, + { + "Cmd": "copy", + "EndLine": 3, + "Flags": [], + "JSON": false, + "Original": "COPY . .", + "SubCmd": "", + "Value": [ + ".", + "." + ], + "_kics_line": 3 + }, + { + "Cmd": "healthcheck", + "EndLine": 5, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "CMD", + "executable" + ], + "_kics_line": 5 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [], + "command": { + "alpine:3.19 AS builder": [ + { + "Cmd": "from", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "FROM alpine:3.19 AS builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "AS", + "builder" + ], + "_kics_line": 1 + }, + { + "Cmd": "copy", + "EndLine": 3, + "Flags": [], + "JSON": false, + "Original": "COPY . .", + "SubCmd": "", + "Value": [ + ".", + "." 
+ ], + "_kics_line": 3 + }, + { + "Cmd": "healthcheck", + "EndLine": 5, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "CMD", + "executable" + ], + "_kics_line": 5 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [], + "command": { + "alpine:3.19 AS builder": [ + { + "Cmd": "from", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "FROM alpine:3.19 AS builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "AS", + "builder" + ], + "_kics_line": 1 + }, + { + "Cmd": "copy", + "EndLine": 3, + "Flags": [], + "JSON": false, + "Original": "COPY . .", + "SubCmd": "", + "Value": [ + ".", + "." + ], + "_kics_line": 3 + }, + { + "Cmd": "healthcheck", + "EndLine": 5, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "CMD", + "executable" + ], + "_kics_line": 5 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [], + "command": { + "alpine:3.19 AS builder": [ + { + "Cmd": "from", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "FROM alpine:3.19 AS builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "AS", + "builder" + ], + "_kics_line": 1 + }, + { + "Cmd": "copy", + "EndLine": 3, + "Flags": [], + "JSON": false, + "Original": "COPY . .", + "SubCmd": "", + "Value": [ + ".", + "." 
+ ], + "_kics_line": 3 + }, + { + "Cmd": "healthcheck", + "EndLine": 5, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "CMD", + "executable" + ], + "_kics_line": 5 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [], + "command": { + "alpine:3.19 AS builder": [ + { + "Cmd": "from", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "FROM alpine:3.19 AS builder", + "SubCmd": "", + "Value": [ + "alpine:3.19", + "AS", + "builder" + ], + "_kics_line": 1 + }, + { + "Cmd": "copy", + "EndLine": 3, + "Flags": [], + "JSON": false, + "Original": "COPY . .", + "SubCmd": "", + "Value": [ + ".", + "." + ], + "_kics_line": 3 + }, + { + "Cmd": "healthcheck", + "EndLine": 5, + "Flags": [ + "--interval=30s", + "--timeout=30s", + "--start-period=5s", + "--retries=3" + ], + "JSON": true, + "Original": "HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ \"executable\" ]", + "SubCmd": "", + "Value": [ + "CMD", + "executable" + ], + "_kics_line": 5 + } + ] + }, + "file": "file", + "id": "0" + } + ] } diff --git a/e2e/fixtures/E2E_CLI_106_RESULT.json b/e2e/fixtures/E2E_CLI_106_RESULT.json index 7a2be2a9361..2afad4cea36 100644 --- a/e2e/fixtures/E2E_CLI_106_RESULT.json +++ b/e2e/fixtures/E2E_CLI_106_RESULT.json @@ -1,10 +1,10 @@ { "kics_version": "development", - "files_scanned": 32, - "lines_scanned": 235, - "files_parsed": 32, - "lines_parsed": 227, - "lines_ignored": 8, + "files_scanned": 36, + "lines_scanned": 261, + "files_parsed": 36, + "lines_parsed": 250, + "lines_ignored": 11, "files_failed_to_scan": 0, "queries_total": 48, "queries_failed_to_execute": 1, 
@@ -12,16 +12,16 @@ "scan_id": "console", "severity_counters": { "CRITICAL": 0, - "HIGH": 31, - "INFO": 10, - "LOW": 11, + "HIGH": 35, + "INFO": 6, + "LOW": 17, "MEDIUM": 16, "TRACE": 0 }, - "total_counter": 68, + "total_counter": 74, "total_bom_resources": 0, - "start": "2026-04-14T17:33:16.2521898+01:00", - "end": "2026-04-14T17:33:27.3968601+01:00", + "start": "2026-04-21T15:48:50.4046892+01:00", + "end": "2026-04-21T15:48:58.266124+01:00", "paths": [ "/path/test/fixtures/dockerfile", "/path/test/fixtures/negative_dockerfile" 
@@ -42,55 +42,55 @@ "description_id": "eb49caf6", "files": [ { - "file_name": "path/test/fixtures/dockerfile/Dockerfile-example", - "similarity_id": "aeaf42752011d846797cea09ce1a0eb5457673c67b0fb16914a0c639a253e5c7", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/big_indent_from", + "similarity_id": "fd5fe33f391e08e2d4d4fe8058f5e93a75c6cd8424ea137b9944b8d871d5c37e", "line": 1, "issue_type": "MissingAttribute", - "search_key": "FROM={{openjdk:10-jdk}}", + "search_key": "FROM={{alpine:latest}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample7", - "similarity_id": "03992dd5495adf4a9c4440fd1e116bb35670d88e71341f062410bc0da96f4f6e", - "line": 1, + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/with_excluded_comments", + "similarity_id": "7635feaa0695981bc88dd51b213bc0763acd55575fae3d0fe196fe6b2d727bc4", + "line": 5, "issue_type": "MissingAttribute", - "search_key": "FROM={{example.com:5000/team/my-app:2.0}}", + "search_key": "FROM={{openjdk:10-jdk}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/test_folder_names_case/Docker/any_file.txt", - "similarity_id": "6da391b0e3e24d85f72b3ace5db0569be32ef11e6f9a433b138ae4e0b004df58", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/platform_flag", + "similarity_id": "574ad8efea37036e772f5f133327ee6d82456fcfa268e0a01f942dd36d84a30d", "line": 1, "issue_type": "MissingAttribute", - "search_key": "FROM={{alpine:3.19 AS builder}}", + "search_key": "FROM={{--platform=linux/amd64 alpine:latest}}", "search_line": -1, "search_value": "", "expected_value": "The 
'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/case_insensitive_tests/any_name.ubi8", - "similarity_id": "ce95928798897e3f22c2677202d38812030cc2dfb5cf0470d397d7baaf8c1de1", + "file_name": "path/test/fixtures/dockerfile/corrupted_dockerfile", + "similarity_id": "558c83370b9fc9e230035e00ff7b5302cd64c16f700e73c830579947e250a381", "line": 1, "issue_type": "MissingAttribute", - "search_key": "FROM={{alpine:3.19 as builder}}", + "search_key": "FROM={{alpine:latest}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/case_insensitive_tests/any_name.debian", - "similarity_id": "c949a1c23fe7c61dea7daac22ce6a13ffb8dec65b4bcbeacc76bf295518e72ef", + "file_name": "path/test/fixtures/dockerfile/case_insensitive_tests/file_2.DOCKERfile", + "similarity_id": "b0694a2913d293ea034d0fe62bd549aed2dd316a81fb82b611a7ab901e32b1b6", "line": 1, "issue_type": "MissingAttribute", - "search_key": "FROM={{alpine:3.19 as builder}}", + "search_key": "FROM={{alpine:3.19 AS builder}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", 
@@ -108,55 +108,66 @@ "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/test_folder_names_case/Dockerfile/any_file.txt", - "similarity_id": "47d6f707c904f56fe3ca1cc7bce1d2e0ae41d421da983110a5c15fc7e48105df", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/big_host_name", + "similarity_id": "357d434e6436d7fc32420359985019be12903ca92c03f50369e95a19b96e9d97", "line": 1, "issue_type": "MissingAttribute", - "search_key": "FROM={{alpine:3.19 AS builder}}", + "search_key": "FROM={{bighostnameusedasasample.example.com:4903/team/my-app:2.0}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample5", - "similarity_id": "39dca689cbc39cfa0a74e0c08328183a511cbcb074518aa2abac6a45bb842bd3", - "line": 2, + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/platform_flag_and_alias", + "similarity_id": "d6c1ff98af764022d3ff3dce0b91cb19fb8dce099e87c506ddd542176b9444c1", + "line": 1, "issue_type": "MissingAttribute", - "search_key": "FROM={{--platform=$BUILDPLATFORM golang:1.21}}", + "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest AS builder}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/test_folder_names_case/Dockerfiles/any_file.txt", - "similarity_id": "b58c4c4ed6c88b82fdf62608154342a31a2de95eaae39716ff4f6ccf1a5bcdda", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/platform_flag_scratch", + "similarity_id": "f7e67be39f384d20f8816eff63ab5538f5990b6bae86ddd244478d9cb89f7b65", "line": 1, "issue_type": "MissingAttribute", - 
"search_key": "FROM={{alpine:3.19 AS builder}}", + "search_key": "FROM={{--platform=linux/arm64 scratch}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample1", - "similarity_id": "7375fc702e9b59cf845aac25968ab2926b5919806a6d739527f70a2727a6ec99", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/multiline_from_statement", + "similarity_id": "af265ea3757c481a3f200faa7949ddb6fe1b0527c191d95ef81be533b12a55ca", "line": 1, "issue_type": "MissingAttribute", - "search_key": "FROM={{--platform=linux/arm64 scratch}}", + "search_key": "FROM={{alpine:3.18 AS base}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/case_insensitive_tests/dockerFILE", - "similarity_id": "9977ed3614740afd406ca0a86f0df4da5e8680efbb6e9e66ff71ae1dc2d9025f", + "file_name": "path/test/fixtures/dockerfile/any_name/DOCKERfile.txt", + "similarity_id": "5663f110b46dbc0378ff0540fc4a54700c80197a1ced862564f987d4f2e7116d", + "line": 13, + "issue_type": "MissingAttribute", + "search_key": "FROM={{alpine:3.19 AS builder}}", + "search_line": -1, + "search_value": "", + "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", + "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" + }, + { + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/host_ip_address", + "similarity_id": "9f206d8845b08c15965c3cf00b7db7d9ee679c281d14cb5f2d414065a423b8a3", "line": 1, "issue_type": "MissingAttribute", - "search_key": "FROM={{alpine:3.19 as builder}}", + "search_key": "FROM={{192.168.1.100:5000/team/image:v1}}", "search_line": -1, 
"search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", @@ -174,9 +185,20 @@ "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/any_name/any_name.debian", - "similarity_id": "ef335c394fbaebc802c99ba59b1b3ec830043ac020b711efc7cf497752b73429", - "line": 4, + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/full_sha_digest", + "similarity_id": "bfb661b85dd88d16e0c74c1c07972ecf9ae95203607e762f0faad91a3a02c94a", + "line": 1, + "issue_type": "MissingAttribute", + "search_key": "FROM={{alpine@sha256:e1c082e3d3c45cccac829840a25941e679c25d438cc8412c2fa221cf1a824e6a}}", + "search_line": -1, + "search_value": "", + "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", + "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" + }, + { + "file_name": "path/test/fixtures/dockerfile/test_folder_names/dockerfiles/any_file.txt", + "similarity_id": "e150676345e87674484ea970ca810125007b743069646ac448feaba242b7211f", + "line": 1, "issue_type": "MissingAttribute", "search_key": "FROM={{alpine:3.19 AS builder}}", "search_line": -1, 
@@ -185,20 +207,20 @@ "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample8", - "similarity_id": "c35ae31bc00e26a4fd27b0605e5c4d84c5ae683b1354a7e7bc1917ab0f3a428e", + "file_name": "path/test/fixtures/dockerfile/case_insensitive_tests/dockerFILE", + "similarity_id": "9977ed3614740afd406ca0a86f0df4da5e8680efbb6e9e66ff71ae1dc2d9025f", "line": 1, "issue_type": "MissingAttribute", - "search_key": "FROM={{bighostnameusedasasample.example.com:4903/team/my-app:2.0}}", + "search_key": "FROM={{alpine:3.19 as builder}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/any_name/file.Dockerfile", - "similarity_id": "1d972910b640dfb968ab630847182b4a19f44b78aeeaa0ef93c96c7e27aa8b6a", - "line": 6, + "file_name": "path/test/fixtures/dockerfile/any_name/any_name.debian", + "similarity_id": "ef335c394fbaebc802c99ba59b1b3ec830043ac020b711efc7cf497752b73429", + "line": 4, "issue_type": "MissingAttribute", "search_key": "FROM={{alpine:3.19 AS builder}}", "search_line": -1, 
@@ -207,20 +229,20 @@ "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/test_folder_names/dockerfiles/any_file.txt", - "similarity_id": "e150676345e87674484ea970ca810125007b743069646ac448feaba242b7211f", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/use_of_host", + "similarity_id": "98a9086dd512b76196866fa544fda9b79cdbe49097e0781edb284da60286a356", "line": 1, "issue_type": "MissingAttribute", - "search_key": "FROM={{alpine:3.19 AS builder}}", + "search_key": "FROM={{example.com:5000/team/my-app:2.0}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/any_name/file_2.DOCKERfile", - "similarity_id": "29858cfa69a98973cc1ae10f84e66267240bd630126eba2ba15e58a7aa2dd54d", - "line": 4, + "file_name": "path/test/fixtures/dockerfile/test_folder_names_case/Dockerfiles/any_file.txt", + "similarity_id": "b58c4c4ed6c88b82fdf62608154342a31a2de95eaae39716ff4f6ccf1a5bcdda", + "line": 1, "issue_type": "MissingAttribute", "search_key": "FROM={{alpine:3.19 AS builder}}", "search_line": -1, @@ -229,9 +251,9 @@ "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/any_name/random_name", - "similarity_id": "ee3531797486eec98e3dd28ec8cc5f7f6f00743d1cf79cd47f6859df87026f59", - "line": 3, + "file_name": "path/test/fixtures/dockerfile/any_name/any_name.ubi8", + "similarity_id": "4d64348b27180d867de9cf04a51db582786ea6622adb94fb54fdbac03b284769", + "line": 4, "issue_type": "MissingAttribute", "search_key": "FROM={{alpine:3.19 AS builder}}", "search_line": -1, 
@@ -240,30 +262,41 @@ "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/any_name/Dockerfile.something", - "similarity_id": "b41a39fe06c21fc69fbd6e8f7b3e2c44e8d0d7a8e2b0e0c251f5d6a174e031ee", - "line": 4, + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/platform_with_arg_reference", + "similarity_id": "68909c9c7a5f9979df2102bd5e7a21930d1b036b25710875c5cd76f52539490d", + "line": 2, "issue_type": "MissingAttribute", - "search_key": "FROM={{alpine:3.19 AS builder}}", + "search_key": "FROM={{--platform=$BUILDPLATFORM golang:1.21}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/test_folder_names/dockerfile/any_file.txt", - "similarity_id": "c2e7f0c0c566a723ff253f4a95e837749faba964ec008551c1f87a7faa476110", + "file_name": "path/test/fixtures/dockerfile/Dockerfile-example", + "similarity_id": "aeaf42752011d846797cea09ce1a0eb5457673c67b0fb16914a0c639a253e5c7", "line": 1, "issue_type": "MissingAttribute", - "search_key": "FROM={{alpine:3.19 AS builder}}", + "search_key": "FROM={{openjdk:10-jdk}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/case_insensitive_tests/file_2.DOCKERfile", - "similarity_id": "b0694a2913d293ea034d0fe62bd549aed2dd316a81fb82b611a7ab901e32b1b6", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/base_image_reference", + "similarity_id": "d2716fd01d8e6d44b30749e106a2bd40ce4cb0b673ec7e62a4df8ca982c0582e", + "line": 2, + "issue_type": "MissingAttribute", + "search_key": "FROM={{${BASE_IMAGE}}}", + "search_line": -1, + "search_value": "", + 
"expected_value": "The 'Dockerfile' should contain the 'USER' instruction", + "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" + }, + { + "file_name": "path/test/fixtures/dockerfile/test_folder_names/docker/any_file.txt", + "similarity_id": "9d78b93c92fe63c29dec006a12993b74dc6c6fbf29ae295ff7c6e19136657e2d", "line": 1, "issue_type": "MissingAttribute", "search_key": "FROM={{alpine:3.19 AS builder}}", 
@@ -273,41 +306,41 @@ "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample4", - "similarity_id": "f6839684a157b7e9f44f88c6dcd262b4e4552eddc24e108e8b2555c6885c1853", + "file_name": "path/test/fixtures/dockerfile/test_folder_names_case/Dockerfile/any_file.txt", + "similarity_id": "47d6f707c904f56fe3ca1cc7bce1d2e0ae41d421da983110a5c15fc7e48105df", "line": 1, "issue_type": "MissingAttribute", - "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest}}", + "search_key": "FROM={{alpine:3.19 AS builder}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/case_insensitive_tests/Dockerfile.something", - "similarity_id": "2b1d191f474528c93b66c1f5f891efd3763834725ed4008cbd216702f576ef20", - "line": 1, + "file_name": "path/test/fixtures/dockerfile/any_name/random_name", + "similarity_id": "ee3531797486eec98e3dd28ec8cc5f7f6f00743d1cf79cd47f6859df87026f59", + "line": 3, "issue_type": "MissingAttribute", - "search_key": "FROM={{alpine:3.19 as builder}}", + "search_key": "FROM={{alpine:3.19 AS builder}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample6", - "similarity_id": "f96970fdf815bc9bb95fef94b7e461be0c8a6014c66765a36c46168348d5015f", + "file_name": "path/test/fixtures/dockerfile/case_insensitive_tests/any_name.debian", + "similarity_id": "c949a1c23fe7c61dea7daac22ce6a13ffb8dec65b4bcbeacc76bf295518e72ef", "line": 1, "issue_type": "MissingAttribute", - "search_key": "FROM={{--platform=linux/amd64 ubuntu}}", + "search_key": "FROM={{alpine:3.19 as builder}}", 
"search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/any_name/any_name.ubi8", - "similarity_id": "4d64348b27180d867de9cf04a51db582786ea6622adb94fb54fdbac03b284769", + "file_name": "path/test/fixtures/dockerfile/any_name/file_2.DOCKERfile", + "similarity_id": "29858cfa69a98973cc1ae10f84e66267240bd630126eba2ba15e58a7aa2dd54d", "line": 4, "issue_type": "MissingAttribute", "search_key": "FROM={{alpine:3.19 AS builder}}", 
@@ -317,53 +350,53 @@ "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/any_name/DOCKERfile.txt", - "similarity_id": "5663f110b46dbc0378ff0540fc4a54700c80197a1ced862564f987d4f2e7116d", - "line": 13, + "file_name": "path/test/fixtures/dockerfile/case_insensitive_tests/DOCKERfile.txt", + "similarity_id": "f9caf5d57d5872073bc7b7a555a3283708f72c9990689c8d4e6b3ce1957b496a", + "line": 1, "issue_type": "MissingAttribute", - "search_key": "FROM={{alpine:3.19 AS builder}}", + "search_key": "FROM={{alpine:3.19 as builder}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample3", - "similarity_id": "da5779454881d9f844e67f2a537820d144c7271fcac24d429583f826c393386e", + "file_name": "path/test/fixtures/dockerfile/test_folder_names/dockerfile/any_file.txt", + "similarity_id": "c2e7f0c0c566a723ff253f4a95e837749faba964ec008551c1f87a7faa476110", "line": 1, "issue_type": "MissingAttribute", - "search_key": "FROM={{--platform=linux/amd64 alpine:latest}}", + "search_key": "FROM={{alpine:3.19 AS builder}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/corrupted_dockerfile", - "similarity_id": "558c83370b9fc9e230035e00ff7b5302cd64c16f700e73c830579947e250a381", - "line": 1, + "file_name": "path/test/fixtures/dockerfile/any_name/file.Dockerfile", + "similarity_id": "1d972910b640dfb968ab630847182b4a19f44b78aeeaa0ef93c96c7e27aa8b6a", + "line": 6, "issue_type": "MissingAttribute", - "search_key": "FROM={{alpine:latest}}", + "search_key": "FROM={{alpine:3.19 AS builder}}", "search_line": -1, "search_value": "", 
"expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/case_insensitive_tests/DOCKERfile.txt", - "similarity_id": "f9caf5d57d5872073bc7b7a555a3283708f72c9990689c8d4e6b3ce1957b496a", + "file_name": "path/test/fixtures/dockerfile/test_folder_names_case/Docker/any_file.txt", + "similarity_id": "6da391b0e3e24d85f72b3ace5db0569be32ef11e6f9a433b138ae4e0b004df58", "line": 1, "issue_type": "MissingAttribute", - "search_key": "FROM={{alpine:3.19 as builder}}", + "search_key": "FROM={{alpine:3.19 AS builder}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/test_folder_names/docker/any_file.txt", - "similarity_id": "9d78b93c92fe63c29dec006a12993b74dc6c6fbf29ae295ff7c6e19136657e2d", - "line": 1, + "file_name": "path/test/fixtures/dockerfile/any_name/Dockerfile.something", + "similarity_id": "b41a39fe06c21fc69fbd6e8f7b3e2c44e8d0d7a8e2b0e0c251f5d6a174e031ee", + "line": 4, "issue_type": "MissingAttribute", "search_key": "FROM={{alpine:3.19 AS builder}}", "search_line": -1, 
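Review bot: The expected results keep findings for `test_folder_names/docker/any_file.txt` and `test_folder_names_case/Docker/any_file.txt`, which implies a `.txt` file is classified as a Dockerfile purely from its parent folder name, yet there is no matching negative expectation here for a non-Dockerfile that lives in a `docker/` folder (compose files, entrypoint scripts and `.env` files are common there). Unless `negative_dockerfile` already covers it, add a fixture such as `test_folder_names/docker/entrypoint.sh` or `docker/compose.yaml` and assert it yields no Dockerfile findings and does not bump `files_failed_to_scan`, so folder-based detection cannot silently turn unrelated files into false positives. The classification logic itself lives outside this hunk; this is inferred from the file names in the results.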
@@ -372,11 +405,22 @@ "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample2", - "similarity_id": "1e7b96b468341de289759fa97fb78d3c3ff3f7eec6b8ab23d3afd9b7c1bc5104", + "file_name": "path/test/fixtures/dockerfile/case_insensitive_tests/Dockerfile.something", + "similarity_id": "2b1d191f474528c93b66c1f5f891efd3763834725ed4008cbd216702f576ef20", "line": 1, "issue_type": "MissingAttribute", - "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest AS builder}}", + "search_key": "FROM={{alpine:3.19 as builder}}", + "search_line": -1, + "search_value": "", + "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", + "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" + }, + { + "file_name": "path/test/fixtures/dockerfile/case_insensitive_tests/any_name.ubi8", + "similarity_id": "ce95928798897e3f22c2677202d38812030cc2dfb5cf0470d397d7baaf8c1de1", + "line": 1, + "issue_type": "MissingAttribute", + "search_key": "FROM={{alpine:3.19 as builder}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", 
@@ -398,19 +442,8 @@ "description_id": "0aedd324", "files": [ { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample5", - "similarity_id": "7858145601685ba90f4181fd4186ab8cabab8912e16d9a819b46955a7c53369a", - "line": 7, - "issue_type": "IncorrectValue", - "search_key": "FROM={{--platform=$BUILDPLATFORM golang:1.21}}.{{ADD ${JAR_FILE} app.jar}}", - "search_line": -1, - "search_value": "", - "expected_value": "'COPY' ${JAR_FILE}", - "actual_value": "'ADD' ${JAR_FILE}" - }, - { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample2", - "similarity_id": "c2087c8c5c4fe143dc0ee2644b74ded89979db4380fef678ff4a520355ff30de", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/platform_flag_and_alias", + "similarity_id": "331f21aa559609154c76603d67a2ea7ae94f1fe97c9c8614dba0424eb43da6bf", "line": 5, "issue_type": "IncorrectValue", "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest AS builder}}.{{ADD ${JAR_FILE} app.jar}}", @@ -420,8 +453,8 @@ "actual_value": "'ADD' ${JAR_FILE}" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample8", - "similarity_id": "548e63b12a9ed4e2f9f07975ec535c6bdaee35075207d0c927eab288096fec81", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/big_host_name", + "similarity_id": "715dceeefda701d5bbe85ec0915d7a322c7685d2efb3a265d9701f8a62e16042", "line": 3, "issue_type": "IncorrectValue", "search_key": "FROM={{bighostnameusedasasample.example.com:4903/team/my-app:2.0}}.{{ADD ${JAR_FILE} app.jar}}", 
@@ -431,33 +464,33 @@ "actual_value": "'ADD' ${JAR_FILE}" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample1", - "similarity_id": "7442e1998c8ab26068c3a53221ea6499416a92416c7721796c140d20f59c67d4", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/platform_flag", + "similarity_id": "7a1036d28f16660bc2d10439a80109abd807dfef90aae78130092d8a395b6868", "line": 4, "issue_type": "IncorrectValue", - "search_key": "FROM={{--platform=linux/arm64 scratch}}.{{ADD ${JAR_FILE} app.jar}}", + "search_key": "FROM={{--platform=linux/amd64 alpine:latest}}.{{ADD ${JAR_FILE} app.jar}}", "search_line": -1, "search_value": "", "expected_value": "'COPY' ${JAR_FILE}", "actual_value": "'ADD' ${JAR_FILE}" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample3", - "similarity_id": "bb1c9e972be6ffcd7d45ee396fb8fea5e8cd942f65ce28e92504ae07bbb1cde2", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/big_indent_from", + "similarity_id": "3dbca73c5f5b0d65cb9d6f2e1748ddde903c80ec9e97848b8d6d23a8554320b9", "line": 4, "issue_type": "IncorrectValue", - "search_key": "FROM={{--platform=linux/amd64 alpine:latest}}.{{ADD ${JAR_FILE} app.jar}}", + "search_key": "FROM={{alpine:latest}}.{{ADD ${JAR_FILE} app.jar}}", "search_line": -1, "search_value": "", "expected_value": "'COPY' ${JAR_FILE}", "actual_value": "'ADD' ${JAR_FILE}" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample6", - "similarity_id": "ad808a777684d1993fbaa775aa514c4334e1949e1a18bd4047d1e257fd24e402", - "line": 3, + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/platform_with_arg_reference", + "similarity_id": "a6fec2d84a496642691bb3bb5e77cb5fdd04755e956063e42804d5072abb2281", + "line": 7, "issue_type": "IncorrectValue", - "search_key": "FROM={{--platform=linux/amd64 ubuntu}}.{{ADD ${JAR_FILE} app.jar}}", + "search_key": "FROM={{--platform=$BUILDPLATFORM golang:1.21}}.{{ADD ${JAR_FILE} 
app.jar}}", "search_line": -1, "search_value": "", "expected_value": "'COPY' ${JAR_FILE}", 
@@ -475,19 +508,41 @@ "actual_value": "'ADD' ${JAR_FILE}" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample4", - "similarity_id": "de7635eaa00ecfd9f126b5d020ba38c55b36aef6673a4656308f683fabd999cc", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/platform_flag_scratch", + "similarity_id": "b293e7dc91ace6a7c4fec199190cdf5805dede7f6f499ede4f8401b32c6b0d95", "line": 4, "issue_type": "IncorrectValue", - "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest}}.{{ADD ${JAR_FILE} app.jar}}", + "search_key": "FROM={{--platform=linux/arm64 scratch}}.{{ADD ${JAR_FILE} app.jar}}", + "search_line": -1, + "search_value": "", + "expected_value": "'COPY' ${JAR_FILE}", + "actual_value": "'ADD' ${JAR_FILE}" + }, + { + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/multiline_from_statement", + "similarity_id": "65fa5eb4dc035a375e7de6745c524a241571a42543ac1e1e50ab6b97992e36e7", + "line": 8, + "issue_type": "IncorrectValue", + "search_key": "FROM={{alpine:3.18 AS base}}.{{ADD ${JAR_FILE} app.jar}}", + "search_line": -1, + "search_value": "", + "expected_value": "'COPY' ${JAR_FILE}", + "actual_value": "'ADD' ${JAR_FILE}" + }, + { + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/with_excluded_comments", + "similarity_id": "58376185618893478741c810195c3194b9947675f6855e3b36ac4788fee9c97c", + "line": 10, + "issue_type": "IncorrectValue", + "search_key": "FROM={{openjdk:10-jdk}}.{{ADD ${JAR_FILE} app.jar}}", "search_line": -1, "search_value": "", "expected_value": "'COPY' ${JAR_FILE}", "actual_value": "'ADD' ${JAR_FILE}" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample7", - "similarity_id": "ac33450fdf5546f7017cb4137d2c42e4bab228ac2d19bb5b04b3d71f0440b786", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/use_of_host", + "similarity_id": "46bf1a187c7c8aa95cc825281d886f4f34560a3f48210f81bbc1ed7c0b0ebab6", "line": 3, "issue_type": 
"IncorrectValue", "search_key": "FROM={{example.com:5000/team/my-app:2.0}}.{{ADD ${JAR_FILE} app.jar}}", @@ -512,8 +567,8 @@ "description_id": "e0e1edad", "files": [ { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample2", - "similarity_id": "c6cf3b49153bb6dcd4adc45c5aa9d50c4e4cd32e84562182d1aca7683d3b0027", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/platform_flag_and_alias", + "similarity_id": "f6fd7d36e1105623f456a64c19447ba1688c981aac4d7ae8724c57c8437461fb", "line": 2, "issue_type": "MissingAttribute", "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest AS builder}}.RUN={{apt-get update \u0026\u0026 apt-get install -y gcc}}", 
@@ -521,43 +576,6 @@ "search_value": "gcc", "expected_value": "Package 'gcc' has version defined", "actual_value": "Package 'gcc' does not have version defined" - }, - { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample4", - "similarity_id": "4b9d23dc01eea21711278e609dfb25ba41563568125ee505d995c1888c7bdff7", - "line": 2, - "issue_type": "MissingAttribute", - "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest}}.RUN={{apt-get update \u0026\u0026 apt-get install -y curl}}", - "search_line": -1, - "search_value": "curl", - "expected_value": "Package 'curl' has version defined", - "actual_value": "Package 'curl' does not have version defined" - } - ] - }, - { - "query_name": "Image Version Not Explicit", - "query_id": "9efb0b2d-89c9-41a3-91ca-dcc0aec911fd", - "query_url": "https://docs.docker.com/engine/reference/builder/#from", - "severity": "MEDIUM", - "platform": "Dockerfile", - "cwe": "1357", - "risk_score": "6.4", - "category": "Supply-Chain", - "experimental": false, - "description": "Always tag the version of an image explicitly", - "description_id": "4f469f06", - "files": [ - { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample6", - "similarity_id": "4115302289fdd8823e1e65125035c7b26ce305abea4ddbb2803a967ba326fc94", - "line": 1, - "issue_type": "MissingAttribute", - "search_key": "FROM={{--platform=linux/amd64 ubuntu}}", - "search_line": -1, - "search_value": "", - "expected_value": "FROM ubuntu:'version'", - "actual_value": "FROM ubuntu'" } ] }, 
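Review bot: Removing the sample6 and sample4 entries drops the only "Image Version Not Explicit" result (query 9efb0b2d-89c9-41a3-91ca-dcc0aec911fd, CWE-1357) from this fixture, and none of the renamed should_generate_payload files visible in the new results carries an untagged base image like the old `FROM --platform=linux/amd64 ubuntu`, so this e2e scan no longer exercises that supply-chain query. If no other fixture under the scanned paths has an untagged FROM, consider adding one, e.g. `platform_flag_untagged` containing `FROM --platform=linux/amd64 ubuntu`, and restoring the query block in the expected results so a regression in tag detection still fails CI. The fixture is data rather than code, so this is a coverage note, not a defect in the hunk.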
@@ -586,33 +604,44 @@ "actual_value": "FROM alpine:latest'" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample2", - "similarity_id": "57a39816dc53307dd637cfd04019f480144a85881ea41111523d6a0c1c7443db", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/base_image_reference", + "similarity_id": "2b585700aa5471374491ee55cb32bd19043a996c4b527ef7968f21e217aa2d83", + "line": 2, + "issue_type": "IncorrectValue", + "search_key": "FROM={{${BASE_IMAGE}}}", + "search_line": -1, + "search_value": "", + "expected_value": "FROM alpine:latest:'version' where version should not be 'latest'", + "actual_value": "FROM alpine:latest'" + }, + { + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/platform_flag", + "similarity_id": "49639e49bb52319bd968d4a82dcc022a74bd93f58db8badc3757f4f416158e78", "line": 1, "issue_type": "IncorrectValue", - "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest AS builder}}", + "search_key": "FROM={{--platform=linux/amd64 alpine:latest}}", "search_line": -1, "search_value": "", - "expected_value": "FROM ubuntu:latest:'version' where version should not be 'latest'", - "actual_value": "FROM ubuntu:latest'" + "expected_value": "FROM alpine:latest:'version' where version should not be 'latest'", + "actual_value": "FROM alpine:latest'" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample4", - "similarity_id": "9ad08db04cbefba3b4ba6e3f740c3f96df285f51223faff802429fe6df561505", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/platform_flag_and_alias", + "similarity_id": "eddc0cae749b1b03806a495198d58e2675acdf908cd8d039dfd8743339069808", "line": 1, "issue_type": "IncorrectValue", - "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest}}", + "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest AS builder}}", "search_line": -1, "search_value": "", "expected_value": "FROM ubuntu:latest:'version' where version should not be 
'latest'", "actual_value": "FROM ubuntu:latest'" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample3", - "similarity_id": "471d11a25255b3b36ed1e24e4be107ba3540c8adfa7ea78114ff922938c76e0e", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/big_indent_from", + "similarity_id": "152040fb0f74af479251b64b3f3e04cddc103fceebe34abc81c8402b33b5791e", "line": 1, "issue_type": "IncorrectValue", - "search_key": "FROM={{--platform=linux/amd64 alpine:latest}}", + "search_key": "FROM={{alpine:latest}}", "search_line": -1, "search_value": "", "expected_value": "FROM alpine:latest:'version' where version should not be 'latest'", @@ -643,6 +672,28 @@ "search_value": "", "expected_value": "Should use 'curl' or 'wget' to download http://source.file/package.file.tar.gz", "actual_value": "'ADD' http://source.file/package.file.tar.gz" + }, + { + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/with_excluded_comments", + "similarity_id": "b7b5e6e04d1eedc9ce08a3b3cc6182d6c77f41539c44825f6b065a9b911a9541", + "line": 7, + "issue_type": "IncorrectValue", + "search_key": "FROM={{openjdk:10-jdk}}.{{ADD http://source.file/package.file.tar.gz /temp}}", + "search_line": -1, + "search_value": "", + "expected_value": "Should use 'curl' or 'wget' to download http://source.file/package.file.tar.gz", + "actual_value": "'ADD' http://source.file/package.file.tar.gz" + }, + { + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/multiline_from_statement", + "similarity_id": "b859a2050fd4032304ab5aa47a5ec7e7be60998e29f82c531d23ca123d31bbc0", + "line": 5, + "issue_type": "IncorrectValue", + "search_key": "FROM={{alpine:3.18 AS base}}.{{ADD http://source.file/package.file.tar.gz /temp}}", + "search_line": -1, + "search_value": "", + "expected_value": "Should use 'curl' or 'wget' to download http://source.file/package.file.tar.gz", + "actual_value": "'ADD' http://source.file/package.file.tar.gz" } ] }, 
@@ -660,30 +711,30 @@ "description_id": "426121ee", "files": [ { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample6", - "similarity_id": "793c4c04fb00909f9ff987900ac66f10b1d68b37ab8cb61aaf4cc2499b27e76d", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/big_host_name", + "similarity_id": "0fbe6b1fc068e59c4519a7f0191bf3c66bcd48426bb400f8a17ada2e0db7f373", "line": 1, "issue_type": "MissingAttribute", - "search_key": "FROM={{--platform=linux/amd64 ubuntu}}", + "search_key": "FROM={{bighostnameusedasasample.example.com:4903/team/my-app:2.0}}", "search_line": -1, "search_value": "", "expected_value": "Dockerfile should contain instruction 'HEALTHCHECK'", "actual_value": "Dockerfile doesn't contain instruction 'HEALTHCHECK'" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample2", - "similarity_id": "6a3dc950b6f1c8fee780cf65eec65c48706fcb0f7292b7576851db3fb5fdb378", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/big_indent_from", + "similarity_id": "6606bcfea791ee1653816d7fd3d11dda7df4f96cb35ef1557fa3556b0fdca764", "line": 1, "issue_type": "MissingAttribute", - "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest AS builder}}", + "search_key": "FROM={{alpine:latest}}", "search_line": -1, "search_value": "", "expected_value": "Dockerfile should contain instruction 'HEALTHCHECK'", "actual_value": "Dockerfile doesn't contain instruction 'HEALTHCHECK'" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample3", - "similarity_id": "eaa3721d654875beadcda8ad4554bf8bcb96fc9a2e57812d01a8c7d44b2c6473", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/platform_flag", + "similarity_id": "1d75c91d6f47b6b0e00a70fb3aba1461133e91c394cd42a0378a30020a772c33", "line": 1, "issue_type": "MissingAttribute", "search_key": "FROM={{--platform=linux/amd64 alpine:latest}}", 
@@ -692,6 +743,17 @@ "expected_value": "Dockerfile should contain instruction 'HEALTHCHECK'", "actual_value": "Dockerfile doesn't contain instruction 'HEALTHCHECK'" }, + { + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/multiline_from_statement", + "similarity_id": "60e999ea86c199e26ee55024580e3e69d262b5c83092a25da9eddd321c7c2d21", + "line": 1, + "issue_type": "MissingAttribute", + "search_key": "FROM={{alpine:3.18 AS base}}", + "search_line": -1, + "search_value": "", + "expected_value": "Dockerfile should contain instruction 'HEALTHCHECK'", + "actual_value": "Dockerfile doesn't contain instruction 'HEALTHCHECK'" + }, { "file_name": "path/test/fixtures/dockerfile/corrupted_dockerfile", "similarity_id": "ae470ca681b82da606c6080acf7ea93906066db785bf47e2372ef7b342f43f7e", 
@@ -704,52 +766,52 @@ "actual_value": "Dockerfile doesn't contain instruction 'HEALTHCHECK'" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample1", - "similarity_id": "9519f3139dd49d6da04ba94110c99a9c265e54a9e014989a00fc3a3819414be9", + "file_name": "path/test/fixtures/dockerfile/Dockerfile-example", + "similarity_id": "4d0420e48f4c7d991ed6694980266d5b7313da8abb2e29b2dd777ce7c6f6251d", "line": 1, "issue_type": "MissingAttribute", - "search_key": "FROM={{--platform=linux/arm64 scratch}}", + "search_key": "FROM={{openjdk:10-jdk}}", "search_line": -1, "search_value": "", "expected_value": "Dockerfile should contain instruction 'HEALTHCHECK'", "actual_value": "Dockerfile doesn't contain instruction 'HEALTHCHECK'" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample7", - "similarity_id": "e89f925361ec276fb8b93af3d5e9796d518b266bfbaacf37cd314f1f4963b883", - "line": 1, + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/base_image_reference", + "similarity_id": "f89c7daf1bda819bc9f8c88ba0537cc09d73eabc47d2fb265289c7b60d6318c2", + "line": 2, "issue_type": "MissingAttribute", - "search_key": "FROM={{example.com:5000/team/my-app:2.0}}", + "search_key": "FROM={{${BASE_IMAGE}}}", "search_line": -1, "search_value": "", "expected_value": "Dockerfile should contain instruction 'HEALTHCHECK'", "actual_value": "Dockerfile doesn't contain instruction 'HEALTHCHECK'" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample8", - "similarity_id": "fa449aaa7035f6bb3d231cdd171c20b3c9da2a8dcb1b79915d638e8a153dc30c", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/platform_flag_and_alias", + "similarity_id": "84c42fce04501e4cab82857ba0eac27193fbf52554ddf85aed92c9e50b1a55cc", "line": 1, "issue_type": "MissingAttribute", - "search_key": "FROM={{bighostnameusedasasample.example.com:4903/team/my-app:2.0}}", + "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest AS 
builder}}", "search_line": -1, "search_value": "", "expected_value": "Dockerfile should contain instruction 'HEALTHCHECK'", "actual_value": "Dockerfile doesn't contain instruction 'HEALTHCHECK'" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample4", - "similarity_id": "f387ad8dacb9120f378f376aeba5e2b43cccf7366cb8903cdc44c3c818d7a389", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/use_of_host", + "similarity_id": "e295d381f5cf7b496d9557d229dace321cf50a10cf6f35a47733c05d16cec1b4", "line": 1, "issue_type": "MissingAttribute", - "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest}}", + "search_key": "FROM={{example.com:5000/team/my-app:2.0}}", "search_line": -1, "search_value": "", "expected_value": "Dockerfile should contain instruction 'HEALTHCHECK'", "actual_value": "Dockerfile doesn't contain instruction 'HEALTHCHECK'" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample5", - "similarity_id": "e7f0c53246eb7dea6653d51a229d156b19c050b8a3951f42df0f29d3eb89ed59", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/platform_with_arg_reference", + "similarity_id": "2b6ecbffb0ae35559c7e7fd068707a6774060cfdb0b6aad4e30c27f6f2201a2e", "line": 2, "issue_type": "MissingAttribute", "search_key": "FROM={{--platform=$BUILDPLATFORM golang:1.21}}", 
@@ -759,15 +821,48 @@ "actual_value": "Dockerfile doesn't contain instruction 'HEALTHCHECK'" }, { - "file_name": "path/test/fixtures/dockerfile/Dockerfile-example", - "similarity_id": "4d0420e48f4c7d991ed6694980266d5b7313da8abb2e29b2dd777ce7c6f6251d", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/platform_flag_scratch", + "similarity_id": "1413f0f83a852273b3346b226059394439ada151ef2e23c654bf26fa3a2de923", "line": 1, "issue_type": "MissingAttribute", + "search_key": "FROM={{--platform=linux/arm64 scratch}}", + "search_line": -1, + "search_value": "", + "expected_value": "Dockerfile should contain instruction 'HEALTHCHECK'", + "actual_value": "Dockerfile doesn't contain instruction 'HEALTHCHECK'" + }, + { + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/with_excluded_comments", + "similarity_id": "22833bad92ed958c49f1684b045a6c42d3b6551b87be013ada097a30a35b3121", + "line": 5, + "issue_type": "MissingAttribute", "search_key": "FROM={{openjdk:10-jdk}}", "search_line": -1, "search_value": "", "expected_value": "Dockerfile should contain instruction 'HEALTHCHECK'", "actual_value": "Dockerfile doesn't contain instruction 'HEALTHCHECK'" + }, + { + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/full_sha_digest", + "similarity_id": "bac31787e6c7d3a127e2936f11ef5dadc6b477d8db1a10ed9e5d50c1c688d619", + "line": 1, + "issue_type": "MissingAttribute", + "search_key": "FROM={{alpine@sha256:e1c082e3d3c45cccac829840a25941e679c25d438cc8412c2fa221cf1a824e6a}}", + "search_line": -1, + "search_value": "", + "expected_value": "Dockerfile should contain instruction 'HEALTHCHECK'", + "actual_value": "Dockerfile doesn't contain instruction 'HEALTHCHECK'" + }, + { + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/host_ip_address", + "similarity_id": "7549d9922711401d3f5a77b06fe02dbec6baf8f6488c483160b3adc5e27002de", + "line": 1, + "issue_type": "MissingAttribute", + "search_key": 
"FROM={{192.168.1.100:5000/team/image:v1}}", + "search_line": -1, + "search_value": "", + "expected_value": "Dockerfile should contain instruction 'HEALTHCHECK'", + "actual_value": "Dockerfile doesn't contain instruction 'HEALTHCHECK'" } ] }, @@ -785,8 +880,8 @@ "description_id": "2e92d18c", "files": [ { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample2", - "similarity_id": "4dcd78fa70e76351869412e7f8fb9c15efefa99100d3774eb9fc81ea9926a117", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/platform_flag_and_alias", + "similarity_id": "9e2783060abf1251b3d7a3d12355870c24afc059e8755e7794806b710f95967e", "line": 2, "issue_type": "IncorrectValue", "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest AS builder}}.{{RUN apt-get update \u0026\u0026 apt-get install -y gcc}}", @@ -794,17 +889,6 @@ "search_value": "", "expected_value": "'RUN apt-get update \u0026\u0026 apt-get install -y gcc' uses '--no-install-recommends' flag to avoid installing additional packages", "actual_value": "'RUN apt-get update \u0026\u0026 apt-get install -y gcc' does not use '--no-install-recommends' flag to avoid installing additional packages" - }, - { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample4", - "similarity_id": "912d16cba22eec66e1706a01d4bdb5eb0ec02cb3c77b19a050e4dd009b3a20c5", - "line": 2, - "issue_type": "IncorrectValue", - "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest}}.{{RUN apt-get update \u0026\u0026 apt-get install -y curl}}", - "search_line": -1, - "search_value": "", - "expected_value": "'RUN apt-get update \u0026\u0026 apt-get install -y curl' uses '--no-install-recommends' flag to avoid installing additional packages", - "actual_value": "'RUN apt-get update \u0026\u0026 apt-get install -y curl' does not use '--no-install-recommends' flag to avoid installing additional packages" } ] }, 
@@ -822,8 +906,8 @@ "description_id": "4236a50c", "files": [ { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample2", - "similarity_id": "9e9f33dd54e38743c0c1c428075fc0f85535100e57f417ef948b77c2ecd4f96c", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/platform_flag_and_alias", + "similarity_id": "589b8ca20e5ccc137ddd4f428f5217d55df9621929f33a87b75c724f6a93239f", "line": 2, "issue_type": "IncorrectValue", "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest AS builder}}.RUN={{apt-get update \u0026\u0026 apt-get install -y gcc}}", @@ -831,17 +915,6 @@ "search_value": "", "expected_value": "After using apt-get install, the apt-get lists should be deleted", "actual_value": "After using apt-get install, the apt-get lists were not deleted" - }, - { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample4", - "similarity_id": "609d0ab8b60e35e18f5c0a58a4e924fadf731a6aafdb5edbc0567111eb8de5a1", - "line": 2, - "issue_type": "IncorrectValue", - "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest}}.RUN={{apt-get update \u0026\u0026 apt-get install -y curl}}", - "search_line": -1, - "search_value": "", - "expected_value": "After using apt-get install, the apt-get lists should be deleted", - "actual_value": "After using apt-get install, the apt-get lists were not deleted" } ] }, 
@@ -860,30 +933,8 @@ "description_id": "5bd0baab", "files": [ { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample3", - "similarity_id": "c18b0b59bf46304c5cb40e5e7d9ed707a9a186c75328644b006e9a0d2933de1b", - "line": 1, - "issue_type": "IncorrectValue", - "search_key": "FROM={{--platform=linux/amd64 alpine:latest}}.{{FROM --platform=linux/amd64 alpine:latest}}", - "search_line": -1, - "search_value": "", - "expected_value": "FROM={{--platform=linux/amd64 alpine:latest}}.{{FROM --platform=linux/amd64 alpine:latest}} should not use the '--platform' flag", - "actual_value": "FROM={{--platform=linux/amd64 alpine:latest}}.{{FROM --platform=linux/amd64 alpine:latest}} is using the '--platform' flag" - }, - { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample6", - "similarity_id": "ad64ddb9f4a2c79d5ba2affc8da6498eebe54415c5bc131baf0498e51d838b27", - "line": 1, - "issue_type": "IncorrectValue", - "search_key": "FROM={{--platform=linux/amd64 ubuntu}}.{{FROM --platform=linux/amd64 ubuntu}}", - "search_line": -1, - "search_value": "", - "expected_value": "FROM={{--platform=linux/amd64 ubuntu}}.{{FROM --platform=linux/amd64 ubuntu}} should not use the '--platform' flag", - "actual_value": "FROM={{--platform=linux/amd64 ubuntu}}.{{FROM --platform=linux/amd64 ubuntu}} is using the '--platform' flag" - }, - { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample1", - "similarity_id": "b5e933470891a86661890b79a9ca81f554dc8d2124e8b52737399ad667e21788", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/platform_flag_scratch", + "similarity_id": "aa0029fe9eeb17144a5fd68b1017848f3bf0ca1fe083f9aacea7c4b6ca22b8cd", "line": 1, "issue_type": "IncorrectValue", "search_key": "FROM={{--platform=linux/arm64 scratch}}.{{FROM --platform=linux/arm64 scratch}}", 
@@ -893,8 +944,8 @@ "actual_value": "FROM={{--platform=linux/arm64 scratch}}.{{FROM --platform=linux/arm64 scratch}} is using the '--platform' flag" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample5", - "similarity_id": "c19f45ee26938f1021cc6c749c8405eb13d5ac805ca3eed5b87ad5547f52c680", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/platform_with_arg_reference", + "similarity_id": "6ddfbe87de63e9678da90c68dcb202f4e4f2e9bc1d4af42f3d2bdd9a9984cd65", "line": 2, "issue_type": "IncorrectValue", "search_key": "FROM={{--platform=$BUILDPLATFORM golang:1.21}}.{{FROM --platform=$BUILDPLATFORM golang:1.21}}", 
@@ -904,19 +955,19 @@ "actual_value": "FROM={{--platform=$BUILDPLATFORM golang:1.21}}.{{FROM --platform=$BUILDPLATFORM golang:1.21}} is using the '--platform' flag" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample4", - "similarity_id": "6dacf05a9b1980a2fe019ec2208731e9bbcf1dc32f94cc6e87b36b46d004a9d6", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/platform_flag", + "similarity_id": "d0502e1abfdc65c9d3caa7d9526e8289097c38bf09f81bc3e58a8391f18d9093", "line": 1, "issue_type": "IncorrectValue", - "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest}}.{{FROM --platform=linux/amd64 ubuntu:latest}}", + "search_key": "FROM={{--platform=linux/amd64 alpine:latest}}.{{FROM --platform=linux/amd64 alpine:latest}}", "search_line": -1, "search_value": "", - "expected_value": "FROM={{--platform=linux/amd64 ubuntu:latest}}.{{FROM --platform=linux/amd64 ubuntu:latest}} should not use the '--platform' flag", - "actual_value": "FROM={{--platform=linux/amd64 ubuntu:latest}}.{{FROM --platform=linux/amd64 ubuntu:latest}} is using the '--platform' flag" + "expected_value": "FROM={{--platform=linux/amd64 alpine:latest}}.{{FROM --platform=linux/amd64 alpine:latest}} should not use the '--platform' flag", + "actual_value": "FROM={{--platform=linux/amd64 alpine:latest}}.{{FROM --platform=linux/amd64 alpine:latest}} is using the '--platform' flag" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample2", - "similarity_id": "3369062c5c80ef20b457c5b93c136c3045cbd7d8e1e5d04ece08284440b80a8e", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/platform_flag_and_alias", + "similarity_id": "9b809e69a6609234e47deb34e1c6c519bb5a76364d8bbf6c1df962b9f7eebdcf", "line": 1, "issue_type": "IncorrectValue", "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest AS builder}}.{{FROM --platform=linux/amd64 ubuntu:latest AS builder}}", 
diff --git a/pkg/parser/docker/parser.go b/pkg/parser/docker/parser.go index 333db689198..28bd7de9a6a 100644 --- a/pkg/parser/docker/parser.go +++ b/pkg/parser/docker/parser.go @@ -60,6 +60,7 @@ func (p *Parser) Parse(_ string, fileContent []byte) ([]model.Document, []int, e child.Value = strings.ToLower(child.Value) if child.Value == "from" { fromValue = child.Original[5:] + fromValue = strings.TrimSpace(fromValue) } if ignoreStruct.getIgnoreComments(child) { diff --git a/pkg/utils/get_extension.go b/pkg/utils/get_extension.go index e110a4e9304..67e40e43b27 100644 --- a/pkg/utils/get_extension.go +++ b/pkg/utils/get_extension.go @@ -13,10 +13,25 @@ import ( ) const ( - extDockerfile = ".dockerfile" - UrlRegex = `[-a-zA-Z0-9@:%._\+~#=]{2,256}\.[a-z]{2,6}\b([-a-zA-Z0-9@:%_\+.~#?&//=]*)` + extDockerfile = ".dockerfile" + dockerFromPattern = `(?i)^\s*from\s+` + + // Patters to exclude: + pythonImportPattern = `(?i)from\s+\S+\s+import\s+\S+` + emailPattern = `(?i)from\s*(:)?\s*[\w\-\.]+@([\w\-]+\.)+[\w\-]{2,4}` + capitalizedAliasPattern = `^\s*(?i:FROM)\s+\S+\s+(?i:AS)\s+[A-Z]` + dockerfileIllegalCharacters = `["'` + "`" + `()\[\],;|&?*^%!~<>]` ) +var dockerFrom = regexp.MustCompile(dockerFromPattern) + +var falsePositiveFROMPatterns = []*regexp.Regexp{ + regexp.MustCompile(pythonImportPattern), + regexp.MustCompile(emailPattern), + regexp.MustCompile(capitalizedAliasPattern), + regexp.MustCompile(dockerfileIllegalCharacters), +} + // GetExtension gets the extension of a file path func GetExtension(path string) (string, error) { fileInfo, err := os.Stat(path) 
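Review bot: The added `strings.TrimSpace` normalises `fromValue`, but the line just above it still derives that value with the fixed slice `child.Original[5:]`, which panics with an out-of-range index if the upstream parser ever hands back a node whose `Original` is the bare keyword `FROM` (four characters); the scanner reads arbitrary repository content, so a malformed or truncated file would abort the run instead of producing a parse error. Slicing past the keyword the code has already matched removes the hard-coded offset and lets the new trim absorb whatever whitespace follows: `fromValue = strings.TrimSpace(child.Original[len("from"):])`. Whether the parser in use emits such a node, and whether `Original` is always keyword-first, is not visible here — confirm before relying on it. The enclosing `Parse` body starts and ends outside the hunk.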
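Review bot: `capitalizedAliasPattern` rejects any `FROM … AS Name` line whose stage name starts with an uppercase letter, and to my knowledge Docker lowercases stage names before validating them, so `FROM alpine AS Builder` is a legal Dockerfile that this hunk would stop classifying. For a scanner that is the worse failure mode: the file is silently skipped rather than analysed, so verify the rule against the Dockerfile parser in use before keeping it (the `invalid_syntax` fixture later in this series encodes the same assumption, and its `My!Stage` is already rejected by `dockerfileIllegalCharacters` on its own). Separately, the hunk deletes the exported constant `UrlRegex` from `pkg/utils`; nothing visible here shows a replacement, so if any other package references it the build breaks — worth a grep before merge. If the alias check stays, a comment stating the assumption would help, e.g. `// Stage names are assumed lowercase-only; an uppercase alias marks a non-Dockerfile line.`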
@@ -87,9 +102,16 @@ func readPossibleDockerFile(path string) bool { if strings.HasPrefix(scanner.Text(), "#") || strings.HasPrefix(strings.ToLower(scanner.Text()), "arg") || scanner.Text() == "" { continue } else { - pattern := `(?i)^\s*FROM\s+(--platform=\S+\s+)?(` + UrlRegex + `:[0-9]+)?[a-zA-Z0-9.\-/]+(:[a-zA-Z0-9.\-_]+)?(\s*$|\s+AS\s+\S+\s*$)` - matched, _ := regexp.MatchString(pattern, scanner.Text()) - return matched + return dockerFrom.MatchString(scanner.Text()) && !matchesAny(falsePositiveFROMPatterns, scanner.Text()) + } + } + return false +} + +func matchesAny(patterns []*regexp.Regexp, s string) bool { + for _, p := range patterns { + if p.MatchString(s) { + return true } } return false diff --git a/test/fixtures/dockerfile/case_insensitive_tests/file.Dockerfile b/test/fixtures/dockerfile/case_insensitive_tests/file.Dockerfile index 8850eed9d72..66464c06378 100644 --- a/test/fixtures/dockerfile/case_insensitive_tests/file.Dockerfile +++ b/test/fixtures/dockerfile/case_insensitive_tests/file.Dockerfile @@ -3,7 +3,7 @@ arg BASE_IMAGE=ubuntu:22.04 # Comments after arg - from alpine:3.19 as builder +from alpine:3.19 as builder copy . . diff --git a/test/fixtures/dockerfile/should_generate_payload/base_image_reference b/test/fixtures/dockerfile/should_generate_payload/base_image_reference new file mode 100644 index 00000000000..9bd70f9f19d --- /dev/null +++ b/test/fixtures/dockerfile/should_generate_payload/base_image_reference @@ -0,0 +1,2 @@ +ARG BASE_IMAGE=alpine:latest +FROM ${BASE_IMAGE} \ No newline at end of file diff --git a/test/fixtures/dockerfile/should_generate_payload/sample8 b/test/fixtures/dockerfile/should_generate_payload/big_host_name similarity index 100% rename from test/fixtures/dockerfile/should_generate_payload/sample8 rename to test/fixtures/dockerfile/should_generate_payload/big_host_name 
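Review bot: The new predicate on the `return` line accepts any first non-comment, non-`arg`, non-empty line that begins with `from` plus whitespace unless one of the four exclusion patterns fires, so the positive shape the removed pattern enforced (optional `--platform`, an image reference, optional `AS name`) is gone, and a line such as HiveQL `FROM table_name` or `FROM database.table_name` now classifies the file as a Dockerfile; the deletion of the `negative_hiveql` fixture further down the series appears to acknowledge exactly that. A misclassified file is handed to the Docker parser and then to the Dockerfile queries, which is likely to surface spurious findings (a missing `HEALTHCHECK`, for instance) on SQL sources. Consider retaining a positive check after the exclusions — at minimum something like the removed image-reference pattern — and keeping the negative fixture so the trade-off stays documented. `readPossibleDockerFile` starts outside the hunk; `matchesAny` is complete within it.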
diff --git a/test/fixtures/dockerfile/should_generate_payload/big_indent_from b/test/fixtures/dockerfile/should_generate_payload/big_indent_from new file mode 100644 index 00000000000..d33baab3c25 --- /dev/null +++ b/test/fixtures/dockerfile/should_generate_payload/big_indent_from @@ -0,0 +1,4 @@ + FROM alpine:latest +COPY --from=builder /src/bin /usr/local/bin/ +CMD ["/usr/local/bin/app"] +ADD ${JAR_FILE} app.jar diff --git a/test/fixtures/dockerfile/should_generate_payload/full_sha_digest b/test/fixtures/dockerfile/should_generate_payload/full_sha_digest new file mode 100644 index 00000000000..ca2a195b08e --- /dev/null +++ b/test/fixtures/dockerfile/should_generate_payload/full_sha_digest @@ -0,0 +1,3 @@ +FROM alpine@sha256:e1c082e3d3c45cccac829840a25941e679c25d438cc8412c2fa221cf1a824e6a + + diff --git a/test/fixtures/dockerfile/should_generate_payload/host_ip_address b/test/fixtures/dockerfile/should_generate_payload/host_ip_address new file mode 100644 index 00000000000..431590a8d2d --- /dev/null +++ b/test/fixtures/dockerfile/should_generate_payload/host_ip_address @@ -0,0 +1 @@ +FROM 192.168.1.100:5000/team/image:v1 \ No newline at end of file diff --git a/test/fixtures/dockerfile/should_generate_payload/multiline_from_statement b/test/fixtures/dockerfile/should_generate_payload/multiline_from_statement new file mode 100644 index 00000000000..6795be694c4 --- /dev/null +++ b/test/fixtures/dockerfile/should_generate_payload/multiline_from_statement @@ -0,0 +1,9 @@ +FROM \ + alpine:3.18 \ + AS base + VOLUME /tmp + ADD http://source.file/package.file.tar.gz /temp + RUN tar -xjf /temp/package.file.tar.gz + ARG JAR_FILE + ADD ${JAR_FILE} app.jar + ENTRYPOINT ["java","-Djava.security.egd=file:/dev/./urandom","-jar","/app.jar"] \ No newline at end of file 
diff --git a/test/fixtures/dockerfile/should_generate_payload/sample3 b/test/fixtures/dockerfile/should_generate_payload/platform_flag similarity index 100% rename from test/fixtures/dockerfile/should_generate_payload/sample3 rename to test/fixtures/dockerfile/should_generate_payload/platform_flag diff --git a/test/fixtures/dockerfile/should_generate_payload/sample2 b/test/fixtures/dockerfile/should_generate_payload/platform_flag_and_alias similarity index 100% rename from test/fixtures/dockerfile/should_generate_payload/sample2 rename to test/fixtures/dockerfile/should_generate_payload/platform_flag_and_alias diff --git a/test/fixtures/dockerfile/should_generate_payload/sample1 b/test/fixtures/dockerfile/should_generate_payload/platform_flag_scratch similarity index 100% rename from test/fixtures/dockerfile/should_generate_payload/sample1 rename to test/fixtures/dockerfile/should_generate_payload/platform_flag_scratch diff --git a/test/fixtures/dockerfile/should_generate_payload/sample5 b/test/fixtures/dockerfile/should_generate_payload/platform_with_arg_reference similarity index 100% rename from test/fixtures/dockerfile/should_generate_payload/sample5 rename to test/fixtures/dockerfile/should_generate_payload/platform_with_arg_reference diff --git a/test/fixtures/dockerfile/should_generate_payload/sample4 b/test/fixtures/dockerfile/should_generate_payload/sample4 deleted file mode 100644 index 041cefc4a50..00000000000 --- a/test/fixtures/dockerfile/should_generate_payload/sample4 +++ /dev/null @@ -1,4 +0,0 @@ -FROM --platform=linux/amd64 ubuntu:latest -RUN apt-get update && apt-get install -y curl -CMD ["/bin/bash"] -ADD ${JAR_FILE} app.jar \ No newline at end of file diff --git a/test/fixtures/dockerfile/should_generate_payload/sample6 b/test/fixtures/dockerfile/should_generate_payload/sample6 deleted file mode 100644 index c0349d7a372..00000000000 --- a/test/fixtures/dockerfile/should_generate_payload/sample6 +++ /dev/null 
@@ -1,3 +0,0 @@ -FROM --platform=linux/amd64 ubuntu -RUN echo "hello" -ADD ${JAR_FILE} app.jar \ No newline at end of file diff --git a/test/fixtures/dockerfile/should_generate_payload/sample7 b/test/fixtures/dockerfile/should_generate_payload/use_of_host similarity index 100% rename from test/fixtures/dockerfile/should_generate_payload/sample7 rename to test/fixtures/dockerfile/should_generate_payload/use_of_host diff --git a/test/fixtures/dockerfile/should_generate_payload/with_excluded_comments b/test/fixtures/dockerfile/should_generate_payload/with_excluded_comments new file mode 100644 index 00000000000..9cc045be133 --- /dev/null +++ b/test/fixtures/dockerfile/should_generate_payload/with_excluded_comments @@ -0,0 +1,11 @@ +# Maintainer: from user@example.com. +# from pyhtonSample export dockerfile +# FROM (SELECT * FROM t) AS sub + +FROM openjdk:10-jdk +VOLUME /tmp +ADD http://source.file/package.file.tar.gz /temp +RUN tar -xjf /temp/package.file.tar.gz +ARG JAR_FILE +ADD ${JAR_FILE} app.jar +ENTRYPOINT ["java","-Djava.security.egd=file:/dev/./urandom","-jar","/app.jar"] diff --git a/test/fixtures/negative_dockerfile/should_not_generate_payload/invalid_syntax b/test/fixtures/negative_dockerfile/should_not_generate_payload/invalid_syntax new file mode 100644 index 00000000000..3558d624ac5 --- /dev/null +++ b/test/fixtures/negative_dockerfile/should_not_generate_payload/invalid_syntax @@ -0,0 +1,3 @@ +# Uppercase character at start of alias is not allowed +FROM alpine AS My!Stage + diff --git a/test/fixtures/negative_dockerfile/should_not_generate_payload/negative_email_2 b/test/fixtures/negative_dockerfile/should_not_generate_payload/negative_email_2 new file mode 100644 index 00000000000..48712c0550c --- /dev/null +++ b/test/fixtures/negative_dockerfile/should_not_generate_payload/negative_email_2 @@ -0,0 +1,3 @@ +From: jdoe@company.co.uk Mon Jan 1 12:00:00 2024 +Return-Path: +Received: from mail.example.com \ No newline at end of file 
diff --git a/test/fixtures/negative_dockerfile/should_not_generate_payload/negative_hiveql b/test/fixtures/negative_dockerfile/should_not_generate_payload/negative_hiveql deleted file mode 100644 index c74992bd9df..00000000000 --- a/test/fixtures/negative_dockerfile/should_not_generate_payload/negative_hiveql +++ /dev/null @@ -1,10 +0,0 @@ -# HiveQL - FROM before SELECT is valid syntax -FROM table_name -# "_" is not allowed outside of image tag -SELECT col1, col2, col3 -WHERE partition_date = '2024-01-01' - -# HiveQL with database-qualified table -FROM database.table_name -SELECT * -LIMIT 100 \ No newline at end of file diff --git a/test/fixtures/negative_dockerfile/should_not_generate_payload/negative_python_2 b/test/fixtures/negative_dockerfile/should_not_generate_payload/negative_python_2 new file mode 100644 index 00000000000..af4bfedc0de --- /dev/null +++ b/test/fixtures/negative_dockerfile/should_not_generate_payload/negative_python_2 @@ -0,0 +1,4 @@ +from ...grandparent import other + +def main(): + print("Dockerfile sample") \ No newline at end of file From 7d7e26bb24a3f276ef3476bd32995b4898134620 Mon Sep 17 00:00:00 2001 From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Tue, 21 Apr 2026 16:19:33 +0100 Subject: [PATCH 80/84] Linter fix --- pkg/utils/get_extension.go | 2 -- 1 file changed, 2 deletions(-) diff --git a/pkg/utils/get_extension.go b/pkg/utils/get_extension.go index 67e40e43b27..3a13ce34e1a 100644 --- a/pkg/utils/get_extension.go +++ b/pkg/utils/get_extension.go @@ -15,8 +15,6 @@ import ( const ( extDockerfile = ".dockerfile" dockerFromPattern = `(?i)^\s*from\s+` - - // Patters to exclude: pythonImportPattern = `(?i)from\s+\S+\s+import\s+\S+` emailPattern = `(?i)from\s*(:)?\s*[\w\-\.]+@([\w\-]+\.)+[\w\-]{2,4}` capitalizedAliasPattern = `^\s*(?i:FROM)\s+\S+\s+(?i:AS)\s+[A-Z]` From ed47fffbddddedf55828e1931150ebea971e0516 Mon Sep 17 00:00:00 2001 
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Tue, 21 Apr 2026 16:28:51 +0100 Subject: [PATCH 81/84] The actual linter fix --- pkg/utils/get_extension.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/utils/get_extension.go b/pkg/utils/get_extension.go index 3a13ce34e1a..b0b5d6fbc05 100644 --- a/pkg/utils/get_extension.go +++ b/pkg/utils/get_extension.go @@ -16,7 +16,7 @@ const ( extDockerfile = ".dockerfile" dockerFromPattern = `(?i)^\s*from\s+` pythonImportPattern = `(?i)from\s+\S+\s+import\s+\S+` - emailPattern = `(?i)from\s*(:)?\s*[\w\-\.]+@([\w\-]+\.)+[\w\-]{2,4}` + emailPattern = `(?i)from\s*(:)?\s*[\w\-.]+@([\w\-]+\.)+[\w\-]{2,4}` capitalizedAliasPattern = `^\s*(?i:FROM)\s+\S+\s+(?i:AS)\s+[A-Z]` dockerfileIllegalCharacters = `["'` + "`" + `()\[\],;|&?*^%!~<>]` ) From 68510bf92eccc9f9a0e7f859f82780b806031b70 Mon Sep 17 00:00:00 2001 From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Wed, 22 Apr 2026 11:35:27 +0100 Subject: [PATCH 82/84] E2E fix --- e2e/fixtures/E2E_CLI_106_PAYLOAD.json | 538 ++++++++++++++++---- e2e/fixtures/E2E_CLI_106_RESULT.json | 698 +++++++++++++++----------- 2 files changed, 865 insertions(+), 371 deletions(-) diff --git a/e2e/fixtures/E2E_CLI_106_PAYLOAD.json b/e2e/fixtures/E2E_CLI_106_PAYLOAD.json index fe23ad63522..3afe41bb0e0 100644 --- a/e2e/fixtures/E2E_CLI_106_PAYLOAD.json +++ b/e2e/fixtures/E2E_CLI_106_PAYLOAD.json 
@@ -98,6 +98,145 @@ "file": "file", "id": "0" }, + { + "args": [], + "command": { + "ubuntu:latestnightly": [ + { + "Cmd": "from", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "FROM ubuntu:latestnightly", + "SubCmd": "", + "Value": [ + "ubuntu:latestnightly" + ], + "_kics_line": 1 + }, + { + "Cmd": "volume", + "EndLine": 2, + "Flags": [], + "JSON": false, + "Original": "VOLUME /tmp", + "SubCmd": "", + "Value": [ + "/tmp" + ], + "_kics_line": 2 + }, + { + "Cmd": "entrypoint", + "EndLine": 3, + "Flags": [], + "JSON": true, + "Original": "ENTRYPOINT [\"java\",\"-Djava.security.egd=file:/dev/./urandom\",\"-jar\",\"/app.jar\"]", + "SubCmd": "", + "Value": [ + "java", + "-Djava.security.egd=file:/dev/./urandom", + "-jar", + "/app.jar" + ], + "_kics_line": 3 + } + ], + "ubuntu:latestnightly(1)": [ + { + "Cmd": "from", + "EndLine": 5, + "Flags": [], + "JSON": false, + "Original": "FROM ubuntu:latestnightly", + "SubCmd": "", + "Value": [ + "ubuntu:latestnightly" + ], + "_kics_line": 5 + }, + { + "Cmd": "volume", + "EndLine": 6, + "Flags": [], + "JSON": false, + "Original": "VOLUME /tmp", + "SubCmd": "", + "Value": [ + "/tmp" + ], + "_kics_line": 6 + }, + { + "Cmd": "add", + "EndLine": 7, + "Flags": [], + "JSON": false, + "Original": "ADD http://source.file/package.file.tar.gz /temp", + "SubCmd": "", + "Value": [ + "http://source.file/package.file.tar.gz", + "/temp" + ], + "_kics_line": 7 + }, + { + "Cmd": "run", + "EndLine": 8, + "Flags": [], + "JSON": false, + "Original": "RUN tar -xjf /temp/package.file.tar.gz", + "SubCmd": "", + "Value": [ + "tar -xjf /temp/package.file.tar.gz" + ], + "_kics_line": 8 + }, + { + "Cmd": "arg", + "EndLine": 9, + "Flags": [], + "JSON": false, + "Original": "ARG JAR_FILE", + "SubCmd": "", + "Value": [ + "JAR_FILE" + ], + "_kics_line": 9 + }, + { + "Cmd": "add", + "EndLine": 10, + "Flags": [], + "JSON": false, + "Original": "ADD ${JAR_FILE} app.jar", + "SubCmd": "", + "Value": [ + "${JAR_FILE}", + "app.jar" + ], + 
"_kics_line": 10 + }, + { + "Cmd": "entrypoint", + "EndLine": 11, + "Flags": [], + "JSON": true, + "Original": "ENTRYPOINT [\"java\",\"-Djava.security.egd=file:/dev/./urandom\",\"-jar\",\"/app.jar\"]", + "SubCmd": "", + "Value": [ + "java", + "-Djava.security.egd=file:/dev/./urandom", + "-jar", + "/app.jar" + ], + "_kics_line": 11 + } + ] + }, + "file": "file", + "id": "0" + }, { "args": [], "command": { 
@@ -1288,46 +1427,126 @@ "file": "file", "id": "0" }, + { + "args": [ + { + "Cmd": "arg", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "ARG BASE_IMAGE=alpine:latest", + "SubCmd": "", + "Value": [ + "BASE_IMAGE=alpine:latest" + ], + "_kics_line": 1 + } + ], + "command": { + "${BASE_IMAGE}": [ + { + "Cmd": "from", + "EndLine": 2, + "Flags": [], + "JSON": false, + "Original": "FROM ${BASE_IMAGE}", + "SubCmd": "", + "Value": [ + "alpine:latest" + ], + "_kics_line": 2 + } + ] + }, + "file": "file", + "id": "0" + }, { "args": [], "command": { - "--platform=linux/arm64 scratch": [ + "bighostnameusedasasample.example.com:4903/team/my-app:2.0": [ { "Cmd": "from", "EndLine": 1, - "Flags": [ - "--platform=linux/arm64" + "Flags": [], + "JSON": false, + "Original": "FROM bighostnameusedasasample.example.com:4903/team/my-app:2.0", + "SubCmd": "", + "Value": [ + "bighostnameusedasasample.example.com:4903/team/my-app:2.0" ], + "_kics_line": 1 + }, + { + "Cmd": "run", + "EndLine": 2, + "Flags": [], "JSON": false, - "Original": "FROM --platform=linux/arm64 scratch", + "Original": "RUN echo \"hello\"", "SubCmd": "", "Value": [ - "scratch" + "echo \"hello\"" + ], + "_kics_line": 2 + }, + { + "Cmd": "add", + "EndLine": 3, + "Flags": [], + "JSON": false, + "Original": "ADD ${JAR_FILE} app.jar", + "SubCmd": "", + "Value": [ + "${JAR_FILE}", + "app.jar" + ], + "_kics_line": 3 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [], + "command": { + "alpine:latest": [ + { + "Cmd": "from", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "FROM alpine:latest", + "SubCmd": "", + "Value": [ + "alpine:latest" ], "_kics_line": 1 }, { "Cmd": "copy", "EndLine": 2, - "Flags": [], + "Flags": [ + "--from=builder" + ], "JSON": false, - "Original": "COPY myapp /", + "Original": "COPY --from=builder /src/bin /usr/local/bin/", "SubCmd": "", "Value": [ - "myapp", - "/" + "/src/bin", + "/usr/local/bin/" ], "_kics_line": 2 }, { - "Cmd": "entrypoint", + "Cmd": "cmd", 
"EndLine": 3, "Flags": [], "JSON": true, - "Original": "ENTRYPOINT [\"/myapp\"]", + "Original": "CMD [\"/usr/local/bin/app\"]", "SubCmd": "", "Value": [ - "/myapp" + "/usr/local/bin/app" ], "_kics_line": 3 }, 
@@ -1352,63 +1571,115 @@ { "args": [], "command": { - "--platform=linux/amd64 ubuntu:latest AS builder": [ + "alpine@sha256:e1c082e3d3c45cccac829840a25941e679c25d438cc8412c2fa221cf1a824e6a": [ { "Cmd": "from", "EndLine": 1, - "Flags": [ - "--platform=linux/amd64" + "Flags": [], + "JSON": false, + "Original": "FROM alpine@sha256:e1c082e3d3c45cccac829840a25941e679c25d438cc8412c2fa221cf1a824e6a", + "SubCmd": "", + "Value": [ + "alpine@sha256:e1c082e3d3c45cccac829840a25941e679c25d438cc8412c2fa221cf1a824e6a" + ], + "_kics_line": 1 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [], + "command": { + "192.168.1.100:5000/team/image:v1": [ + { + "Cmd": "from", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "FROM 192.168.1.100:5000/team/image:v1", + "SubCmd": "", + "Value": [ + "192.168.1.100:5000/team/image:v1" ], + "_kics_line": 1 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [], + "command": { + "alpine:3.18 AS base": [ + { + "Cmd": "from", + "EndLine": 3, + "Flags": [], "JSON": false, - "Original": "FROM --platform=linux/amd64 ubuntu:latest AS builder", + "Original": "FROM alpine:3.18 AS base", "SubCmd": "", "Value": [ - "ubuntu:latest", + "alpine:3.18", "AS", - "builder" + "base" ], "_kics_line": 1 }, { - "Cmd": "run", - "EndLine": 2, + "Cmd": "volume", + "EndLine": 4, "Flags": [], "JSON": false, - "Original": "RUN apt-get update \u0026\u0026 apt-get install -y gcc", + "Original": "VOLUME /tmp", "SubCmd": "", "Value": [ - "apt-get update \u0026\u0026 apt-get install -y gcc" + "/tmp" ], - "_kics_line": 2 + "_kics_line": 4 }, { - "Cmd": "copy", - "EndLine": 3, + "Cmd": "add", + "EndLine": 5, "Flags": [], "JSON": false, - "Original": "COPY . 
/src", + "Original": "ADD http://source.file/package.file.tar.gz /temp", "SubCmd": "", "Value": [ - ".", - "/src" + "http://source.file/package.file.tar.gz", + "/temp" ], - "_kics_line": 3 + "_kics_line": 5 }, { "Cmd": "run", - "EndLine": 4, + "EndLine": 6, "Flags": [], "JSON": false, - "Original": "RUN make /src", + "Original": "RUN tar -xjf /temp/package.file.tar.gz", "SubCmd": "", "Value": [ - "make /src" + "tar -xjf /temp/package.file.tar.gz" ], - "_kics_line": 4 + "_kics_line": 6 + }, + { + "Cmd": "arg", + "EndLine": 7, + "Flags": [], + "JSON": false, + "Original": "ARG JAR_FILE", + "SubCmd": "", + "Value": [ + "JAR_FILE" + ], + "_kics_line": 7 }, { "Cmd": "add", - "EndLine": 5, + "EndLine": 8, "Flags": [], "JSON": false, "Original": "ADD ${JAR_FILE} app.jar", @@ -1417,7 +1688,22 @@ "${JAR_FILE}", "app.jar" ], - "_kics_line": 5 + "_kics_line": 8 + }, + { + "Cmd": "entrypoint", + "EndLine": 9, + "Flags": [], + "JSON": true, + "Original": "ENTRYPOINT [\"java\",\"-Djava.security.egd=file:/dev/./urandom\",\"-jar\",\"/app.jar\"]", + "SubCmd": "", + "Value": [ + "java", + "-Djava.security.egd=file:/dev/./urandom", + "-jar", + "/app.jar" + ], + "_kics_line": 9 } ] }, @@ -1490,7 +1776,7 @@ { "args": [], "command": { - "--platform=linux/amd64 ubuntu:latest": [ + "--platform=linux/amd64 ubuntu:latest AS builder": [ { "Cmd": "from", "EndLine": 1, @@ -1498,10 +1784,12 @@ "--platform=linux/amd64" ], "JSON": false, - "Original": "FROM --platform=linux/amd64 ubuntu:latest", + "Original": "FROM --platform=linux/amd64 ubuntu:latest AS builder", "SubCmd": "", "Value": [ - "ubuntu:latest" + "ubuntu:latest", + "AS", + "builder" ], "_kics_line": 1 }, 
@@ -1510,22 +1798,96 @@ "EndLine": 2, "Flags": [], "JSON": false, - "Original": "RUN apt-get update \u0026\u0026 apt-get install -y curl", + "Original": "RUN apt-get update && apt-get install -y gcc", "SubCmd": "", "Value": [ - "apt-get update \u0026\u0026 apt-get install -y curl" + "apt-get update && apt-get install -y gcc" ], "_kics_line": 2 }, { - "Cmd": "cmd", + "Cmd": "copy", + "EndLine": 3, + "Flags": [], + "JSON": false, + "Original": "COPY . /src", + "SubCmd": "", + "Value": [ + ".", + "/src" + ], + "_kics_line": 3 + }, + { + "Cmd": "run", + "EndLine": 4, + "Flags": [], + "JSON": false, + "Original": "RUN make /src", + "SubCmd": "", + "Value": [ + "make /src" + ], + "_kics_line": 4 + }, + { + "Cmd": "add", + "EndLine": 5, + "Flags": [], + "JSON": false, + "Original": "ADD ${JAR_FILE} app.jar", + "SubCmd": "", + "Value": [ + "${JAR_FILE}", + "app.jar" + ], + "_kics_line": 5 + } + ] + }, + "file": "file", + "id": "0" + }, + { + "args": [], + "command": { + "--platform=linux/arm64 scratch": [ + { + "Cmd": "from", + "EndLine": 1, + "Flags": [ + "--platform=linux/arm64" + ], + "JSON": false, + "Original": "FROM --platform=linux/arm64 scratch", + "SubCmd": "", + "Value": [ + "scratch" + ], + "_kics_line": 1 + }, + { + "Cmd": "copy", + "EndLine": 2, + "Flags": [], + "JSON": false, + "Original": "COPY myapp /", + "SubCmd": "", + "Value": [ + "myapp", + "/" + ], + "_kics_line": 2 + }, + { + "Cmd": "entrypoint", "EndLine": 3, "Flags": [], "JSON": true, - "Original": "CMD [\"/bin/bash\"]", + "Original": "ENTRYPOINT [\"/myapp\"]", "SubCmd": "", "Value": [ - "/bin/bash" + "/myapp" ], "_kics_line": 3 }, 
@@ -1648,18 +2010,16 @@ { "args": [], "command": { - "--platform=linux/amd64 ubuntu": [ + "example.com:5000/team/my-app:2.0": [ { "Cmd": "from", "EndLine": 1, - "Flags": [ - "--platform=linux/amd64" - ], + "Flags": [], "JSON": false, - "Original": "FROM --platform=linux/amd64 ubuntu", + "Original": "FROM example.com:5000/team/my-app:2.0", "SubCmd": "", "Value": [ - "ubuntu" + "example.com:5000/team/my-app:2.0" ], "_kics_line": 1 }, 
@@ -1696,80 +2056,71 @@ { "args": [], "command": { - "example.com:5000/team/my-app:2.0": [ + "openjdk:10-jdk": [ { "Cmd": "from", - "EndLine": 1, + "EndLine": 5, "Flags": [], "JSON": false, - "Original": "FROM example.com:5000/team/my-app:2.0", + "Original": "FROM openjdk:10-jdk", "SubCmd": "", "Value": [ - "example.com:5000/team/my-app:2.0" + "openjdk:10-jdk" ], - "_kics_line": 1 + "_kics_line": 5 }, { - "Cmd": "run", - "EndLine": 2, + "Cmd": "volume", + "EndLine": 6, "Flags": [], "JSON": false, - "Original": "RUN echo \"hello\"", + "Original": "VOLUME /tmp", "SubCmd": "", "Value": [ - "echo \"hello\"" + "/tmp" ], - "_kics_line": 2 + "_kics_line": 6 }, { "Cmd": "add", - "EndLine": 3, + "EndLine": 7, "Flags": [], "JSON": false, - "Original": "ADD ${JAR_FILE} app.jar", + "Original": "ADD http://source.file/package.file.tar.gz /temp", "SubCmd": "", "Value": [ - "${JAR_FILE}", - "app.jar" + "http://source.file/package.file.tar.gz", + "/temp" ], - "_kics_line": 3 - } - ] - }, - "file": "file", - "id": "0" - }, - { - "args": [], - "command": { - "bighostnameusedasasample.example.com:4903/team/my-app:2.0": [ + "_kics_line": 7 + }, { - "Cmd": "from", - "EndLine": 1, + "Cmd": "run", + "EndLine": 8, "Flags": [], "JSON": false, - "Original": "FROM bighostnameusedasasample.example.com:4903/team/my-app:2.0", + "Original": "RUN tar -xjf /temp/package.file.tar.gz", "SubCmd": "", "Value": [ - "bighostnameusedasasample.example.com:4903/team/my-app:2.0" + "tar -xjf /temp/package.file.tar.gz" ], - "_kics_line": 1 + "_kics_line": 8 }, { - "Cmd": "run", - "EndLine": 2, + "Cmd": "arg", + "EndLine": 9, "Flags": [], "JSON": false, - "Original": "RUN echo \"hello\"", + "Original": "ARG JAR_FILE", "SubCmd": "", "Value": [ - "echo \"hello\"" + "JAR_FILE" ], - "_kics_line": 2 + "_kics_line": 9 }, { "Cmd": "add", - "EndLine": 3, + "EndLine": 10, "Flags": [], "JSON": false, "Original": "ADD ${JAR_FILE} app.jar", 
@@ -1778,7 +2129,22 @@ "${JAR_FILE}", "app.jar" ], - "_kics_line": 3 + "_kics_line": 10 + }, + { + "Cmd": "entrypoint", + "EndLine": 11, + "Flags": [], + "JSON": true, + "Original": "ENTRYPOINT [\"java\",\"-Djava.security.egd=file:/dev/./urandom\",\"-jar\",\"/app.jar\"]", + "SubCmd": "", + "Value": [ + "java", + "-Djava.security.egd=file:/dev/./urandom", + "-jar", + "/app.jar" + ], + "_kics_line": 11 } ] }, diff --git a/e2e/fixtures/E2E_CLI_106_RESULT.json b/e2e/fixtures/E2E_CLI_106_RESULT.json index 7a2be2a9361..e0bce9e4709 100644 --- a/e2e/fixtures/E2E_CLI_106_RESULT.json +++ b/e2e/fixtures/E2E_CLI_106_RESULT.json @@ -1,10 +1,10 @@ { "kics_version": "development", - "files_scanned": 32, - "lines_scanned": 235, - "files_parsed": 32, - "lines_parsed": 227, - "lines_ignored": 8, + "files_scanned": 37, + "lines_scanned": 273, + "files_parsed": 37, + "lines_parsed": 262, + "lines_ignored": 11, "files_failed_to_scan": 0, "queries_total": 48, "queries_failed_to_execute": 1, @@ -12,16 +12,16 @@ "scan_id": "console", "severity_counters": { "CRITICAL": 0, - "HIGH": 31, - "INFO": 10, - "LOW": 11, - "MEDIUM": 16, + "HIGH": 37, + "INFO": 6, + "LOW": 19, + "MEDIUM": 19, "TRACE": 0 }, - "total_counter": 68, + "total_counter": 81, "total_bom_resources": 0, - "start": "2026-04-14T17:33:16.2521898+01:00", - "end": "2026-04-14T17:33:27.3968601+01:00", + "start": "2026-04-22T11:22:16.7947548+01:00", + "end": "2026-04-22T11:22:18.3420558+01:00", "paths": [ "/path/test/fixtures/dockerfile", "/path/test/fixtures/negative_dockerfile" 
@@ -42,31 +42,31 @@ "description_id": "eb49caf6", "files": [ { - "file_name": "path/test/fixtures/dockerfile/Dockerfile-example", - "similarity_id": "aeaf42752011d846797cea09ce1a0eb5457673c67b0fb16914a0c639a253e5c7", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/platform_flag", + "similarity_id": "574ad8efea37036e772f5f133327ee6d82456fcfa268e0a01f942dd36d84a30d", "line": 1, "issue_type": "MissingAttribute", - "search_key": "FROM={{openjdk:10-jdk}}", + "search_key": "FROM={{--platform=linux/amd64 alpine:latest}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample7", - "similarity_id": "03992dd5495adf4a9c4440fd1e116bb35670d88e71341f062410bc0da96f4f6e", + "file_name": "path/test/fixtures/dockerfile/test_folder_names/dockerfiles/any_file.txt", + "similarity_id": "e150676345e87674484ea970ca810125007b743069646ac448feaba242b7211f", "line": 1, "issue_type": "MissingAttribute", - "search_key": "FROM={{example.com:5000/team/my-app:2.0}}", + "search_key": "FROM={{alpine:3.19 AS builder}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/test_folder_names_case/Docker/any_file.txt", - "similarity_id": "6da391b0e3e24d85f72b3ace5db0569be32ef11e6f9a433b138ae4e0b004df58", - "line": 1, + "file_name": "path/test/fixtures/dockerfile/any_name/file_2.DOCKERfile", + "similarity_id": "29858cfa69a98973cc1ae10f84e66267240bd630126eba2ba15e58a7aa2dd54d", + "line": 4, "issue_type": "MissingAttribute", "search_key": "FROM={{alpine:3.19 AS builder}}", "search_line": -1, 
@@ -75,31 +75,31 @@ "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/case_insensitive_tests/any_name.ubi8", - "similarity_id": "ce95928798897e3f22c2677202d38812030cc2dfb5cf0470d397d7baaf8c1de1", - "line": 1, + "file_name": "path/test/fixtures/dockerfile/Dockerfile-multistage", + "similarity_id": "c77e7ff048b27b896b53a89ac6008ec2fea042fb92a18807de325774dd93dfeb", + "line": 5, "issue_type": "MissingAttribute", - "search_key": "FROM={{alpine:3.19 as builder}}", + "search_key": "FROM={{ubuntu:latestnightly(1)}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/case_insensitive_tests/any_name.debian", - "similarity_id": "c949a1c23fe7c61dea7daac22ce6a13ffb8dec65b4bcbeacc76bf295518e72ef", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/big_indent_from", + "similarity_id": "fd5fe33f391e08e2d4d4fe8058f5e93a75c6cd8424ea137b9944b8d871d5c37e", "line": 1, "issue_type": "MissingAttribute", - "search_key": "FROM={{alpine:3.19 as builder}}", + "search_key": "FROM={{alpine:latest}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/any_name/dockerFILE", - "similarity_id": "e97a5ec241eb063c5757aed13a666c8126e4375ac9aed300cdc72d4ae883dfdc", - "line": 6, + "file_name": "path/test/fixtures/dockerfile/test_folder_names_case/Dockerfiles/any_file.txt", + "similarity_id": "b58c4c4ed6c88b82fdf62608154342a31a2de95eaae39716ff4f6ccf1a5bcdda", + "line": 1, "issue_type": "MissingAttribute", "search_key": "FROM={{alpine:3.19 AS builder}}", "search_line": -1, 
@@ -108,74 +108,74 @@ "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/test_folder_names_case/Dockerfile/any_file.txt", - "similarity_id": "47d6f707c904f56fe3ca1cc7bce1d2e0ae41d421da983110a5c15fc7e48105df", - "line": 1, + "file_name": "path/test/fixtures/dockerfile/case_insensitive_tests/DOCKERfile.txt", + "similarity_id": "a1bc54f29a5cd60b430490ab4ddf040dde52e24f1a9c81544e3aae9e21704fe7", + "line": 13, "issue_type": "MissingAttribute", - "search_key": "FROM={{alpine:3.19 AS builder}}", + "search_key": "from={{alpine:3.19 as builder}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample5", - "similarity_id": "39dca689cbc39cfa0a74e0c08328183a511cbcb074518aa2abac6a45bb842bd3", - "line": 2, + "file_name": "path/test/fixtures/dockerfile/any_name/file.Dockerfile", + "similarity_id": "1d972910b640dfb968ab630847182b4a19f44b78aeeaa0ef93c96c7e27aa8b6a", + "line": 6, "issue_type": "MissingAttribute", - "search_key": "FROM={{--platform=$BUILDPLATFORM golang:1.21}}", + "search_key": "FROM={{alpine:3.19 AS builder}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/test_folder_names_case/Dockerfiles/any_file.txt", - "similarity_id": "b58c4c4ed6c88b82fdf62608154342a31a2de95eaae39716ff4f6ccf1a5bcdda", - "line": 1, + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/with_excluded_comments", + "similarity_id": "7635feaa0695981bc88dd51b213bc0763acd55575fae3d0fe196fe6b2d727bc4", + "line": 5, "issue_type": "MissingAttribute", - "search_key": "FROM={{alpine:3.19 AS builder}}", + 
"search_key": "FROM={{openjdk:10-jdk}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample1", - "similarity_id": "7375fc702e9b59cf845aac25968ab2926b5919806a6d739527f70a2727a6ec99", - "line": 1, + "file_name": "path/test/fixtures/dockerfile/case_insensitive_tests/any_name.ubi8", + "similarity_id": "99145bb5bb5996f2d9518769bbebb143a6edff8c1b9866b9de64b2b6fba667e5", + "line": 4, "issue_type": "MissingAttribute", - "search_key": "FROM={{--platform=linux/arm64 scratch}}", + "search_key": "from={{alpine:3.19 as builder}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/case_insensitive_tests/dockerFILE", - "similarity_id": "9977ed3614740afd406ca0a86f0df4da5e8680efbb6e9e66ff71ae1dc2d9025f", + "file_name": "path/test/fixtures/dockerfile/test_folder_names_case/Docker/any_file.txt", + "similarity_id": "6da391b0e3e24d85f72b3ace5db0569be32ef11e6f9a433b138ae4e0b004df58", "line": 1, "issue_type": "MissingAttribute", - "search_key": "FROM={{alpine:3.19 as builder}}", + "search_key": "FROM={{alpine:3.19 AS builder}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/case_insensitive_tests/random_name", - "similarity_id": "4df62f3dddaa0fe84e53c387514ff1ffb2405fb47a80011271dfc6742078a0e8", - "line": 1, + "file_name": "path/test/fixtures/dockerfile/any_name/dockerFILE", + "similarity_id": "e97a5ec241eb063c5757aed13a666c8126e4375ac9aed300cdc72d4ae883dfdc", + "line": 6, "issue_type": 
"MissingAttribute", - "search_key": "FROM={{alpine:3.19 as builder}}", + "search_key": "FROM={{alpine:3.19 AS builder}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/any_name/any_name.debian", - "similarity_id": "ef335c394fbaebc802c99ba59b1b3ec830043ac020b711efc7cf497752b73429", + "file_name": "path/test/fixtures/dockerfile/any_name/any_name.ubi8", + "similarity_id": "4d64348b27180d867de9cf04a51db582786ea6622adb94fb54fdbac03b284769", "line": 4, "issue_type": "MissingAttribute", "search_key": "FROM={{alpine:3.19 AS builder}}", 
@@ -185,20 +185,31 @@ "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample8", - "similarity_id": "c35ae31bc00e26a4fd27b0605e5c4d84c5ae683b1354a7e7bc1917ab0f3a428e", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/full_sha_digest", + "similarity_id": "bfb661b85dd88d16e0c74c1c07972ecf9ae95203607e762f0faad91a3a02c94a", "line": 1, "issue_type": "MissingAttribute", - "search_key": "FROM={{bighostnameusedasasample.example.com:4903/team/my-app:2.0}}", + "search_key": "FROM={{alpine@sha256:e1c082e3d3c45cccac829840a25941e679c25d438cc8412c2fa221cf1a824e6a}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/any_name/file.Dockerfile", - "similarity_id": "1d972910b640dfb968ab630847182b4a19f44b78aeeaa0ef93c96c7e27aa8b6a", - "line": 6, + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/platform_with_arg_reference", + "similarity_id": "68909c9c7a5f9979df2102bd5e7a21930d1b036b25710875c5cd76f52539490d", + "line": 2, + "issue_type": "MissingAttribute", + "search_key": "FROM={{--platform=$BUILDPLATFORM golang:1.21}}", + "search_line": -1, + "search_value": "", + "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", + "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" + }, + { + "file_name": "path/test/fixtures/dockerfile/any_name/Dockerfile.something", + "similarity_id": "b41a39fe06c21fc69fbd6e8f7b3e2c44e8d0d7a8e2b0e0c251f5d6a174e031ee", + "line": 4, "issue_type": "MissingAttribute", "search_key": "FROM={{alpine:3.19 AS builder}}", "search_line": -1, 
@@ -207,8 +218,8 @@ "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/test_folder_names/dockerfiles/any_file.txt", - "similarity_id": "e150676345e87674484ea970ca810125007b743069646ac448feaba242b7211f", + "file_name": "path/test/fixtures/dockerfile/test_folder_names_case/Dockerfile/any_file.txt", + "similarity_id": "47d6f707c904f56fe3ca1cc7bce1d2e0ae41d421da983110a5c15fc7e48105df", "line": 1, "issue_type": "MissingAttribute", "search_key": "FROM={{alpine:3.19 AS builder}}", @@ -218,9 +229,9 @@ "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/any_name/file_2.DOCKERfile", - "similarity_id": "29858cfa69a98973cc1ae10f84e66267240bd630126eba2ba15e58a7aa2dd54d", - "line": 4, + "file_name": "path/test/fixtures/dockerfile/test_folder_names/dockerfile/any_file.txt", + "similarity_id": "c2e7f0c0c566a723ff253f4a95e837749faba964ec008551c1f87a7faa476110", + "line": 1, "issue_type": "MissingAttribute", "search_key": "FROM={{alpine:3.19 AS builder}}", "search_line": -1, @@ -229,9 +240,9 @@ "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/any_name/random_name", - "similarity_id": "ee3531797486eec98e3dd28ec8cc5f7f6f00743d1cf79cd47f6859df87026f59", - "line": 3, + "file_name": "path/test/fixtures/dockerfile/test_folder_names/docker/any_file.txt", + "similarity_id": "9d78b93c92fe63c29dec006a12993b74dc6c6fbf29ae295ff7c6e19136657e2d", + "line": 1, "issue_type": "MissingAttribute", "search_key": "FROM={{alpine:3.19 AS builder}}", "search_line": -1, 
@@ -240,99 +251,99 @@ "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/any_name/Dockerfile.something", - "similarity_id": "b41a39fe06c21fc69fbd6e8f7b3e2c44e8d0d7a8e2b0e0c251f5d6a174e031ee", - "line": 4, + "file_name": "path/test/fixtures/dockerfile/case_insensitive_tests/file.Dockerfile", + "similarity_id": "5f4fd65d6c624e63abde45a2c7fbfc4a3c64ab9e7b7bc95ddde9b861818aedfc", + "line": 6, "issue_type": "MissingAttribute", - "search_key": "FROM={{alpine:3.19 AS builder}}", + "search_key": "from={{alpine:3.19 as builder}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/test_folder_names/dockerfile/any_file.txt", - "similarity_id": "c2e7f0c0c566a723ff253f4a95e837749faba964ec008551c1f87a7faa476110", + "file_name": "path/test/fixtures/dockerfile/Dockerfile-example", + "similarity_id": "aeaf42752011d846797cea09ce1a0eb5457673c67b0fb16914a0c639a253e5c7", "line": 1, "issue_type": "MissingAttribute", - "search_key": "FROM={{alpine:3.19 AS builder}}", + "search_key": "FROM={{openjdk:10-jdk}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/case_insensitive_tests/file_2.DOCKERfile", - "similarity_id": "b0694a2913d293ea034d0fe62bd549aed2dd316a81fb82b611a7ab901e32b1b6", - "line": 1, + "file_name": "path/test/fixtures/dockerfile/case_insensitive_tests/random_name", + "similarity_id": "9ca22b0eb1ead0048eef0d5aba185858c316469892ded249c7c261720f293370", + "line": 3, "issue_type": "MissingAttribute", - "search_key": "FROM={{alpine:3.19 AS builder}}", + "search_key": "from={{alpine:3.19 as builder}}", "search_line": -1, 
"search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample4", - "similarity_id": "f6839684a157b7e9f44f88c6dcd262b4e4552eddc24e108e8b2555c6885c1853", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/big_host_name", + "similarity_id": "357d434e6436d7fc32420359985019be12903ca92c03f50369e95a19b96e9d97", "line": 1, "issue_type": "MissingAttribute", - "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest}}", + "search_key": "FROM={{bighostnameusedasasample.example.com:4903/team/my-app:2.0}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/case_insensitive_tests/Dockerfile.something", - "similarity_id": "2b1d191f474528c93b66c1f5f891efd3763834725ed4008cbd216702f576ef20", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/host_ip_address", + "similarity_id": "9f206d8845b08c15965c3cf00b7db7d9ee679c281d14cb5f2d414065a423b8a3", "line": 1, "issue_type": "MissingAttribute", - "search_key": "FROM={{alpine:3.19 as builder}}", + "search_key": "FROM={{192.168.1.100:5000/team/image:v1}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample6", - "similarity_id": "f96970fdf815bc9bb95fef94b7e461be0c8a6014c66765a36c46168348d5015f", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/multiline_from_statement", + "similarity_id": "af265ea3757c481a3f200faa7949ddb6fe1b0527c191d95ef81be533b12a55ca", "line": 1, "issue_type": 
"MissingAttribute", - "search_key": "FROM={{--platform=linux/amd64 ubuntu}}", + "search_key": "FROM={{alpine:3.18 AS base}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/any_name/any_name.ubi8", - "similarity_id": "4d64348b27180d867de9cf04a51db582786ea6622adb94fb54fdbac03b284769", + "file_name": "path/test/fixtures/dockerfile/case_insensitive_tests/file_2.DOCKERfile", + "similarity_id": "fbc4d6daf991234501dbcba5df28a58b2de1983ffbcc8b18d2f4546c295dfa39", "line": 4, "issue_type": "MissingAttribute", - "search_key": "FROM={{alpine:3.19 AS builder}}", + "search_key": "from={{alpine:3.19 AS builder}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/any_name/DOCKERfile.txt", - "similarity_id": "5663f110b46dbc0378ff0540fc4a54700c80197a1ced862564f987d4f2e7116d", - "line": 13, + "file_name": "path/test/fixtures/dockerfile/case_insensitive_tests/any_name.debian", + "similarity_id": "3bcbe17d4e87888fabeadb6871fac6370dec66a162d8c94b3afed2327a3ecc11", + "line": 4, "issue_type": "MissingAttribute", - "search_key": "FROM={{alpine:3.19 AS builder}}", + "search_key": "from={{alpine:3.19 as builder}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample3", - "similarity_id": "da5779454881d9f844e67f2a537820d144c7271fcac24d429583f826c393386e", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/platform_flag_and_alias", + "similarity_id": 
"d6c1ff98af764022d3ff3dce0b91cb19fb8dce099e87c506ddd542176b9444c1", "line": 1, "issue_type": "MissingAttribute", - "search_key": "FROM={{--platform=linux/amd64 alpine:latest}}", + "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest AS builder}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", 
@@ -350,20 +361,31 @@ "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/case_insensitive_tests/DOCKERfile.txt", - "similarity_id": "f9caf5d57d5872073bc7b7a555a3283708f72c9990689c8d4e6b3ce1957b496a", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/use_of_host", + "similarity_id": "98a9086dd512b76196866fa544fda9b79cdbe49097e0781edb284da60286a356", "line": 1, "issue_type": "MissingAttribute", - "search_key": "FROM={{alpine:3.19 as builder}}", + "search_key": "FROM={{example.com:5000/team/my-app:2.0}}", + "search_line": -1, + "search_value": "", + "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", + "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" + }, + { + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/base_image_reference", + "similarity_id": "d2716fd01d8e6d44b30749e106a2bd40ce4cb0b673ec7e62a4df8ca982c0582e", + "line": 2, + "issue_type": "MissingAttribute", + "search_key": "FROM={{${BASE_IMAGE}}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/test_folder_names/docker/any_file.txt", - "similarity_id": "9d78b93c92fe63c29dec006a12993b74dc6c6fbf29ae295ff7c6e19136657e2d", - "line": 1, + "file_name": "path/test/fixtures/dockerfile/any_name/any_name.debian", + "similarity_id": "ef335c394fbaebc802c99ba59b1b3ec830043ac020b711efc7cf497752b73429", + "line": 4, "issue_type": "MissingAttribute", "search_key": "FROM={{alpine:3.19 AS builder}}", "search_line": -1, 
@@ -372,11 +394,55 @@ "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample2", - "similarity_id": "1e7b96b468341de289759fa97fb78d3c3ff3f7eec6b8ab23d3afd9b7c1bc5104", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/platform_flag_scratch", + "similarity_id": "f7e67be39f384d20f8816eff63ab5538f5990b6bae86ddd244478d9cb89f7b65", "line": 1, "issue_type": "MissingAttribute", - "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest AS builder}}", + "search_key": "FROM={{--platform=linux/arm64 scratch}}", + "search_line": -1, + "search_value": "", + "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", + "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" + }, + { + "file_name": "path/test/fixtures/dockerfile/case_insensitive_tests/dockerFILE", + "similarity_id": "bda0e263debb4ef181a93c60d35e0f28a57ca27f9f19b0a550a2a219c7fb56b6", + "line": 6, + "issue_type": "MissingAttribute", + "search_key": "from={{alpine:3.19 as builder}}", + "search_line": -1, + "search_value": "", + "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", + "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" + }, + { + "file_name": "path/test/fixtures/dockerfile/case_insensitive_tests/Dockerfile.something", + "similarity_id": "58a26cafd4b62b89183a99f03c581a511654a67074c333f95c0481af8816450e", + "line": 4, + "issue_type": "MissingAttribute", + "search_key": "from={{alpine:3.19 as builder}}", + "search_line": -1, + "search_value": "", + "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", + "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" + }, + { + "file_name": "path/test/fixtures/dockerfile/any_name/random_name", + "similarity_id": "ee3531797486eec98e3dd28ec8cc5f7f6f00743d1cf79cd47f6859df87026f59", + "line": 3, + "issue_type": 
"MissingAttribute", + "search_key": "FROM={{alpine:3.19 AS builder}}", + "search_line": -1, + "search_value": "", + "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", + "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" + }, + { + "file_name": "path/test/fixtures/dockerfile/any_name/DOCKERfile.txt", + "similarity_id": "5663f110b46dbc0378ff0540fc4a54700c80197a1ced862564f987d4f2e7116d", + "line": 13, + "issue_type": "MissingAttribute", + "search_key": "FROM={{alpine:3.19 AS builder}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", @@ -398,8 +464,8 @@ "description_id": "0aedd324", "files": [ { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample5", - "similarity_id": "7858145601685ba90f4181fd4186ab8cabab8912e16d9a819b46955a7c53369a", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/platform_with_arg_reference", + "similarity_id": "a6fec2d84a496642691bb3bb5e77cb5fdd04755e956063e42804d5072abb2281", "line": 7, "issue_type": "IncorrectValue", "search_key": "FROM={{--platform=$BUILDPLATFORM golang:1.21}}.{{ADD ${JAR_FILE} app.jar}}", 
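Review bot: The new `path/test/fixtures/dockerfile/any_name/random_name` entry in this hunk has neither a Dockerfile-style name nor a recognised extension, so the payload now asserts that the analyzer classifies it as a Dockerfile by some signal the fixture layout does not show — presumably folder context or file content. Naming the fixture directory after the detection path it exercises, the way `case_insensitive_tests` does, would make the expectation reviewable without reading the analyzer. A companion negative fixture (a non-Dockerfile file under the same folder that must not appear in this payload) would guard against over-detection, which otherwise surfaces as spurious Dockerfile findings on unrelated files.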
@@ -409,19 +475,19 @@
 "actual_value": "'ADD' ${JAR_FILE}"
 },
 {
- "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample2",
- "similarity_id": "c2087c8c5c4fe143dc0ee2644b74ded89979db4380fef678ff4a520355ff30de",
- "line": 5,
+ "file_name": "path/test/fixtures/dockerfile/should_generate_payload/multiline_from_statement",
+ "similarity_id": "65fa5eb4dc035a375e7de6745c524a241571a42543ac1e1e50ab6b97992e36e7",
+ "line": 1,
 "issue_type": "IncorrectValue",
- "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest AS builder}}.{{ADD ${JAR_FILE} app.jar}}",
+ "search_key": "FROM={{alpine:3.18 AS base}}.{{ADD ${JAR_FILE} app.jar}}",
 "search_line": -1,
 "search_value": "",
 "expected_value": "'COPY' ${JAR_FILE}",
 "actual_value": "'ADD' ${JAR_FILE}"
 },
 {
- "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample8",
- "similarity_id": "548e63b12a9ed4e2f9f07975ec535c6bdaee35075207d0c927eab288096fec81",
+ "file_name": "path/test/fixtures/dockerfile/should_generate_payload/big_host_name",
+ "similarity_id": "715dceeefda701d5bbe85ec0915d7a322c7685d2efb3a265d9701f8a62e16042",
 "line": 3,
 "issue_type": "IncorrectValue",
 "search_key": "FROM={{bighostnameusedasasample.example.com:4903/team/my-app:2.0}}.{{ADD ${JAR_FILE} app.jar}}",
@@ -431,66 +497,88 @@ "actual_value": "'ADD' ${JAR_FILE}" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample1", - "similarity_id": "7442e1998c8ab26068c3a53221ea6499416a92416c7721796c140d20f59c67d4", - "line": 4, + "file_name": "path/test/fixtures/dockerfile/Dockerfile-example", + "similarity_id": "9d6bb1f4ca1093d79890b1b24b00dbb2e8fa60ca0df6b2ba391db348256eec6f", + "line": 6, "issue_type": "IncorrectValue", - "search_key": "FROM={{--platform=linux/arm64 scratch}}.{{ADD ${JAR_FILE} app.jar}}", + "search_key": "FROM={{openjdk:10-jdk}}.{{ADD ${JAR_FILE} app.jar}}", "search_line": -1, "search_value": "", "expected_value": "'COPY' ${JAR_FILE}", "actual_value": "'ADD' ${JAR_FILE}" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample3", - "similarity_id": "bb1c9e972be6ffcd7d45ee396fb8fea5e8cd942f65ce28e92504ae07bbb1cde2", - "line": 4, + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/use_of_host", + "similarity_id": "46bf1a187c7c8aa95cc825281d886f4f34560a3f48210f81bbc1ed7c0b0ebab6", + "line": 3, "issue_type": "IncorrectValue", - "search_key": "FROM={{--platform=linux/amd64 alpine:latest}}.{{ADD ${JAR_FILE} app.jar}}", + "search_key": "FROM={{example.com:5000/team/my-app:2.0}}.{{ADD ${JAR_FILE} app.jar}}", "search_line": -1, "search_value": "", "expected_value": "'COPY' ${JAR_FILE}", "actual_value": "'ADD' ${JAR_FILE}" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample6", - "similarity_id": "ad808a777684d1993fbaa775aa514c4334e1949e1a18bd4047d1e257fd24e402", - "line": 3, + "file_name": "path/test/fixtures/dockerfile/Dockerfile-multistage", + "similarity_id": "2c8f808eeabb29c31b940c9d5d7526fe997c8c2d155857c1c462030cffd8c366", + "line": 10, "issue_type": "IncorrectValue", - "search_key": "FROM={{--platform=linux/amd64 ubuntu}}.{{ADD ${JAR_FILE} app.jar}}", + "search_key": "FROM={{ubuntu:latestnightly(1)}}.{{ADD ${JAR_FILE} app.jar}}", "search_line": -1, 
"search_value": "", "expected_value": "'COPY' ${JAR_FILE}", "actual_value": "'ADD' ${JAR_FILE}" }, { - "file_name": "path/test/fixtures/dockerfile/Dockerfile-example", - "similarity_id": "9d6bb1f4ca1093d79890b1b24b00dbb2e8fa60ca0df6b2ba391db348256eec6f", - "line": 6, + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/big_indent_from", + "similarity_id": "3dbca73c5f5b0d65cb9d6f2e1748ddde903c80ec9e97848b8d6d23a8554320b9", + "line": 4, "issue_type": "IncorrectValue", - "search_key": "FROM={{openjdk:10-jdk}}.{{ADD ${JAR_FILE} app.jar}}", + "search_key": "FROM={{alpine:latest}}.{{ADD ${JAR_FILE} app.jar}}", "search_line": -1, "search_value": "", "expected_value": "'COPY' ${JAR_FILE}", "actual_value": "'ADD' ${JAR_FILE}" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample4", - "similarity_id": "de7635eaa00ecfd9f126b5d020ba38c55b36aef6673a4656308f683fabd999cc", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/platform_flag_scratch", + "similarity_id": "b293e7dc91ace6a7c4fec199190cdf5805dede7f6f499ede4f8401b32c6b0d95", "line": 4, "issue_type": "IncorrectValue", - "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest}}.{{ADD ${JAR_FILE} app.jar}}", + "search_key": "FROM={{--platform=linux/arm64 scratch}}.{{ADD ${JAR_FILE} app.jar}}", "search_line": -1, "search_value": "", "expected_value": "'COPY' ${JAR_FILE}", "actual_value": "'ADD' ${JAR_FILE}" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample7", - "similarity_id": "ac33450fdf5546f7017cb4137d2c42e4bab228ac2d19bb5b04b3d71f0440b786", - "line": 3, + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/platform_flag", + "similarity_id": "7a1036d28f16660bc2d10439a80109abd807dfef90aae78130092d8a395b6868", + "line": 4, "issue_type": "IncorrectValue", - "search_key": "FROM={{example.com:5000/team/my-app:2.0}}.{{ADD ${JAR_FILE} app.jar}}", + "search_key": "FROM={{--platform=linux/amd64 alpine:latest}}.{{ADD 
${JAR_FILE} app.jar}}", + "search_line": -1, + "search_value": "", + "expected_value": "'COPY' ${JAR_FILE}", + "actual_value": "'ADD' ${JAR_FILE}" + }, + { + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/platform_flag_and_alias", + "similarity_id": "331f21aa559609154c76603d67a2ea7ae94f1fe97c9c8614dba0424eb43da6bf", + "line": 5, + "issue_type": "IncorrectValue", + "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest AS builder}}.{{ADD ${JAR_FILE} app.jar}}", + "search_line": -1, + "search_value": "", + "expected_value": "'COPY' ${JAR_FILE}", + "actual_value": "'ADD' ${JAR_FILE}" + }, + { + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/with_excluded_comments", + "similarity_id": "58376185618893478741c810195c3194b9947675f6855e3b36ac4788fee9c97c", + "line": 10, + "issue_type": "IncorrectValue", + "search_key": "FROM={{openjdk:10-jdk}}.{{ADD ${JAR_FILE} app.jar}}", "search_line": -1, "search_value": "", "expected_value": "'COPY' ${JAR_FILE}", 
@@ -512,52 +600,15 @@ "description_id": "e0e1edad", "files": [ { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample2", - "similarity_id": "c6cf3b49153bb6dcd4adc45c5aa9d50c4e4cd32e84562182d1aca7683d3b0027", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/platform_flag_and_alias", + "similarity_id": "f6fd7d36e1105623f456a64c19447ba1688c981aac4d7ae8724c57c8437461fb", "line": 2, "issue_type": "MissingAttribute", - "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest AS builder}}.RUN={{apt-get update \u0026\u0026 apt-get install -y gcc}}", + "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest AS builder}}.RUN={{apt-get update /u0026/u0026 apt-get install -y gcc}}", "search_line": -1, "search_value": "gcc", "expected_value": "Package 'gcc' has version defined", "actual_value": "Package 'gcc' does not have version defined" - }, - { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample4", - "similarity_id": "4b9d23dc01eea21711278e609dfb25ba41563568125ee505d995c1888c7bdff7", - "line": 2, - "issue_type": "MissingAttribute", - "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest}}.RUN={{apt-get update \u0026\u0026 apt-get install -y curl}}", - "search_line": -1, - "search_value": "curl", - "expected_value": "Package 'curl' has version defined", - "actual_value": "Package 'curl' does not have version defined" - } - ] - }, - { - "query_name": "Image Version Not Explicit", - "query_id": "9efb0b2d-89c9-41a3-91ca-dcc0aec911fd", - "query_url": "https://docs.docker.com/engine/reference/builder/#from", - "severity": "MEDIUM", - "platform": "Dockerfile", - "cwe": "1357", - "risk_score": "6.4", - "category": "Supply-Chain", - "experimental": false, - "description": "Always tag the version of an image explicitly", - "description_id": "4f469f06", - "files": [ - { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample6", - "similarity_id": 
"4115302289fdd8823e1e65125035c7b26ce305abea4ddbb2803a967ba326fc94", - "line": 1, - "issue_type": "MissingAttribute", - "search_key": "FROM={{--platform=linux/amd64 ubuntu}}", - "search_line": -1, - "search_value": "", - "expected_value": "FROM ubuntu:'version'", - "actual_value": "FROM ubuntu'" } ] }, @@ -575,8 +626,30 @@ "description_id": "22f535ec", "files": [ { - "file_name": "path/test/fixtures/dockerfile/corrupted_dockerfile", - "similarity_id": "b8c6f58c6b52c4155b70475008be34bcf7ca39a15378ca1828e657a75ba907f3", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/base_image_reference", + "similarity_id": "2b585700aa5471374491ee55cb32bd19043a996c4b527ef7968f21e217aa2d83", + "line": 2, + "issue_type": "IncorrectValue", + "search_key": "FROM={{${BASE_IMAGE}}}", + "search_line": -1, + "search_value": "", + "expected_value": "FROM alpine:latest:'version' where version should not be 'latest'", + "actual_value": "FROM alpine:latest'" + }, + { + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/platform_flag", + "similarity_id": "49639e49bb52319bd968d4a82dcc022a74bd93f58db8badc3757f4f416158e78", + "line": 1, + "issue_type": "IncorrectValue", + "search_key": "FROM={{--platform=linux/amd64 alpine:latest}}", + "search_line": -1, + "search_value": "", + "expected_value": "FROM alpine:latest:'version' where version should not be 'latest'", + "actual_value": "FROM alpine:latest'" + }, + { + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/big_indent_from", + "similarity_id": "152040fb0f74af479251b64b3f3e04cddc103fceebe34abc81c8402b33b5791e", "line": 1, "issue_type": "IncorrectValue", "search_key": "FROM={{alpine:latest}}", 
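Review bot: The rewritten `search_key` for `platform_flag_and_alias` in this hunk spells the escape as `/u0026/u0026` where the removed entries had `\u0026\u0026`; `/u0026` is not a JSON escape, so the expectation now literally contains `/u0026/u0026` instead of `&&`, and it can only match if the fixture Dockerfile really contains that text — this looks like a hand-edit corruption and should be restored to `\u0026\u0026`. The same substitution appears in the `@@ -785` and `@@ -822` hunks. Separately, this hunk drops the entire `Image Version Not Explicit` result (`9efb0b2d-89c9-41a3-91ca-dcc0aec911fd`) along with `sample6` (`FROM --platform=linux/amd64 ubuntu`), so unless another fixture outside this view still uses an untagged image, that supply-chain query no longer has a positive expectation in this payload; keeping one untagged `FROM` in a renamed fixture would preserve the coverage.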
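Review bot: The new `base_image_reference` entry in this hunk keeps the unexpanded `FROM={{${BASE_IMAGE}}}` as its `search_key` while `expected_value` and `actual_value` report the resolved `alpine:latest`, so the payload silently documents that ARG references are resolved for the check but not for the key. That is presumably intentional, but it is the kind of behaviour a reader cannot infer from the fixture name; a one-line note beside the fixture saying that `search_key` mirrors the Dockerfile text while messages use the resolved image would make it explicit. A sibling fixture whose `ARG` default is a pinned tag, and which therefore must not appear under this query, would pin the other half of the resolution behaviour.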
@@ -586,8 +659,8 @@
 "actual_value": "FROM alpine:latest'"
 },
 {
- "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample2",
- "similarity_id": "57a39816dc53307dd637cfd04019f480144a85881ea41111523d6a0c1c7443db",
+ "file_name": "path/test/fixtures/dockerfile/should_generate_payload/platform_flag_and_alias",
+ "similarity_id": "eddc0cae749b1b03806a495198d58e2675acdf908cd8d039dfd8743339069808",
 "line": 1,
 "issue_type": "IncorrectValue",
 "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest AS builder}}",
@@ -597,22 +670,33 @@
 "actual_value": "FROM ubuntu:latest'"
 },
 {
- "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample4",
- "similarity_id": "9ad08db04cbefba3b4ba6e3f740c3f96df285f51223faff802429fe6df561505",
+ "file_name": "path/test/fixtures/dockerfile/Dockerfile-multistage",
+ "similarity_id": "c9903f97a9c6b1d61827bd33319d69199388b1c8f2723062fcdffeaa4114e609",
+ "line": 5,
+ "issue_type": "IncorrectValue",
+ "search_key": "FROM={{ubuntu:latestnightly(1)}}",
+ "search_line": -1,
+ "search_value": "",
+ "expected_value": "FROM ubuntu:latestnightly:'version' where version should not be 'latest'",
+ "actual_value": "FROM ubuntu:latestnightly'"
+ },
+ {
+ "file_name": "path/test/fixtures/dockerfile/Dockerfile-multistage",
+ "similarity_id": "2293ffe73033c89194caa88cbeb6155961a38f987f4ec5da36603522770c38f7",
 "line": 1,
 "issue_type": "IncorrectValue",
- "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest}}",
+ "search_key": "FROM={{ubuntu:latestnightly}}",
 "search_line": -1,
 "search_value": "",
- "expected_value": "FROM ubuntu:latest:'version' where version should not be 'latest'",
- "actual_value": "FROM ubuntu:latest'"
+ "expected_value": "FROM ubuntu:latestnightly:'version' where version should not be 'latest'",
+ "actual_value": "FROM ubuntu:latestnightly'"
 },
 {
- "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample3",
- "similarity_id": "471d11a25255b3b36ed1e24e4be107ba3540c8adfa7ea78114ff922938c76e0e",
+ "file_name": "path/test/fixtures/dockerfile/corrupted_dockerfile",
+ "similarity_id": "b8c6f58c6b52c4155b70475008be34bcf7ca39a15378ca1828e657a75ba907f3",
 "line": 1,
 "issue_type": "IncorrectValue",
- "search_key": "FROM={{--platform=linux/amd64 alpine:latest}}",
+ "search_key": "FROM={{alpine:latest}}",
 "search_line": -1,
 "search_value": "",
 "expected_value": "FROM alpine:latest:'version' where version should not be 'latest'",
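Review bot: The two new `Dockerfile-multistage` entries in this hunk record `FROM ubuntu:latestnightly` (and `ubuntu:latestnightly(1)`) as findings for the `latest`-tag query, with `expected_value` `FROM ubuntu:latestnightly:'version' where version should not be 'latest'`; the tag is `latestnightly`, not `latest`, so this payload locks a prefix-match false positive into the expected output. If the query is meant to flag only the exact `latest` tag, these two entries should be removed and the matcher tightened rather than codified here; if any `latest*` tag is intentionally flagged, the `expected_value` wording should say so. The `(1)` suffix on the first key appears to disambiguate repeated `FROM` lines in a multistage file, which is worth a short note beside the fixture so readers do not take it for part of the image reference.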
@@ -643,6 +727,39 @@ "search_value": "", "expected_value": "Should use 'curl' or 'wget' to download http://source.file/package.file.tar.gz", "actual_value": "'ADD' http://source.file/package.file.tar.gz" + }, + { + "file_name": "path/test/fixtures/dockerfile/Dockerfile-multistage", + "similarity_id": "553c7b4eeea7e969b88c30c34e9b7e97dc16963e731d1888fec90bb55f00e35a", + "line": 7, + "issue_type": "IncorrectValue", + "search_key": "FROM={{ubuntu:latestnightly(1)}}.{{ADD http://source.file/package.file.tar.gz /temp}}", + "search_line": -1, + "search_value": "", + "expected_value": "Should use 'curl' or 'wget' to download http://source.file/package.file.tar.gz", + "actual_value": "'ADD' http://source.file/package.file.tar.gz" + }, + { + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/with_excluded_comments", + "similarity_id": "b7b5e6e04d1eedc9ce08a3b3cc6182d6c77f41539c44825f6b065a9b911a9541", + "line": 7, + "issue_type": "IncorrectValue", + "search_key": "FROM={{openjdk:10-jdk}}.{{ADD http://source.file/package.file.tar.gz /temp}}", + "search_line": -1, + "search_value": "", + "expected_value": "Should use 'curl' or 'wget' to download http://source.file/package.file.tar.gz", + "actual_value": "'ADD' http://source.file/package.file.tar.gz" + }, + { + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/multiline_from_statement", + "similarity_id": "b859a2050fd4032304ab5aa47a5ec7e7be60998e29f82c531d23ca123d31bbc0", + "line": 1, + "issue_type": "IncorrectValue", + "search_key": "FROM={{alpine:3.18 AS base}}.{{ADD http://source.file/package.file.tar.gz /temp}}", + "search_line": -1, + "search_value": "", + "expected_value": "Should use 'curl' or 'wget' to download http://source.file/package.file.tar.gz", + "actual_value": "'ADD' http://source.file/package.file.tar.gz" } ] }, 
@@ -660,30 +777,74 @@ "description_id": "426121ee", "files": [ { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample6", - "similarity_id": "793c4c04fb00909f9ff987900ac66f10b1d68b37ab8cb61aaf4cc2499b27e76d", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/platform_flag_and_alias", + "similarity_id": "84c42fce04501e4cab82857ba0eac27193fbf52554ddf85aed92c9e50b1a55cc", "line": 1, "issue_type": "MissingAttribute", - "search_key": "FROM={{--platform=linux/amd64 ubuntu}}", + "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest AS builder}}", "search_line": -1, "search_value": "", "expected_value": "Dockerfile should contain instruction 'HEALTHCHECK'", "actual_value": "Dockerfile doesn't contain instruction 'HEALTHCHECK'" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample2", - "similarity_id": "6a3dc950b6f1c8fee780cf65eec65c48706fcb0f7292b7576851db3fb5fdb378", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/with_excluded_comments", + "similarity_id": "22833bad92ed958c49f1684b045a6c42d3b6551b87be013ada097a30a35b3121", + "line": 5, + "issue_type": "MissingAttribute", + "search_key": "FROM={{openjdk:10-jdk}}", + "search_line": -1, + "search_value": "", + "expected_value": "Dockerfile should contain instruction 'HEALTHCHECK'", + "actual_value": "Dockerfile doesn't contain instruction 'HEALTHCHECK'" + }, + { + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/platform_flag_scratch", + "similarity_id": "1413f0f83a852273b3346b226059394439ada151ef2e23c654bf26fa3a2de923", "line": 1, "issue_type": "MissingAttribute", - "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest AS builder}}", + "search_key": "FROM={{--platform=linux/arm64 scratch}}", + "search_line": -1, + "search_value": "", + "expected_value": "Dockerfile should contain instruction 'HEALTHCHECK'", + "actual_value": "Dockerfile doesn't contain instruction 'HEALTHCHECK'" + }, + { + "file_name": 
"path/test/fixtures/dockerfile/Dockerfile-example", + "similarity_id": "4d0420e48f4c7d991ed6694980266d5b7313da8abb2e29b2dd777ce7c6f6251d", + "line": 1, + "issue_type": "MissingAttribute", + "search_key": "FROM={{openjdk:10-jdk}}", + "search_line": -1, + "search_value": "", + "expected_value": "Dockerfile should contain instruction 'HEALTHCHECK'", + "actual_value": "Dockerfile doesn't contain instruction 'HEALTHCHECK'" + }, + { + "file_name": "path/test/fixtures/dockerfile/Dockerfile-multistage", + "similarity_id": "e6541da925ea5f5ca321e7c1850bc77e4a80991324087953bd41234691c6b8c5", + "line": 5, + "issue_type": "MissingAttribute", + "search_key": "FROM={{ubuntu:latestnightly(1)}}", "search_line": -1, "search_value": "", "expected_value": "Dockerfile should contain instruction 'HEALTHCHECK'", "actual_value": "Dockerfile doesn't contain instruction 'HEALTHCHECK'" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample3", - "similarity_id": "eaa3721d654875beadcda8ad4554bf8bcb96fc9a2e57812d01a8c7d44b2c6473", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/platform_with_arg_reference", + "similarity_id": "2b6ecbffb0ae35559c7e7fd068707a6774060cfdb0b6aad4e30c27f6f2201a2e", + "line": 2, + "issue_type": "MissingAttribute", + "search_key": "FROM={{--platform=$BUILDPLATFORM golang:1.21}}", + "search_line": -1, + "search_value": "", + "expected_value": "Dockerfile should contain instruction 'HEALTHCHECK'", + "actual_value": "Dockerfile doesn't contain instruction 'HEALTHCHECK'" + }, + { + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/platform_flag", + "similarity_id": "1d75c91d6f47b6b0e00a70fb3aba1461133e91c394cd42a0378a30020a772c33", "line": 1, "issue_type": "MissingAttribute", "search_key": "FROM={{--platform=linux/amd64 alpine:latest}}", 
@@ -704,66 +865,77 @@ "actual_value": "Dockerfile doesn't contain instruction 'HEALTHCHECK'" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample1", - "similarity_id": "9519f3139dd49d6da04ba94110c99a9c265e54a9e014989a00fc3a3819414be9", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/base_image_reference", + "similarity_id": "f89c7daf1bda819bc9f8c88ba0537cc09d73eabc47d2fb265289c7b60d6318c2", + "line": 2, + "issue_type": "MissingAttribute", + "search_key": "FROM={{${BASE_IMAGE}}}", + "search_line": -1, + "search_value": "", + "expected_value": "Dockerfile should contain instruction 'HEALTHCHECK'", + "actual_value": "Dockerfile doesn't contain instruction 'HEALTHCHECK'" + }, + { + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/multiline_from_statement", + "similarity_id": "60e999ea86c199e26ee55024580e3e69d262b5c83092a25da9eddd321c7c2d21", "line": 1, "issue_type": "MissingAttribute", - "search_key": "FROM={{--platform=linux/arm64 scratch}}", + "search_key": "FROM={{alpine:3.18 AS base}}", "search_line": -1, "search_value": "", "expected_value": "Dockerfile should contain instruction 'HEALTHCHECK'", "actual_value": "Dockerfile doesn't contain instruction 'HEALTHCHECK'" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample7", - "similarity_id": "e89f925361ec276fb8b93af3d5e9796d518b266bfbaacf37cd314f1f4963b883", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/big_indent_from", + "similarity_id": "6606bcfea791ee1653816d7fd3d11dda7df4f96cb35ef1557fa3556b0fdca764", "line": 1, "issue_type": "MissingAttribute", - "search_key": "FROM={{example.com:5000/team/my-app:2.0}}", + "search_key": "FROM={{alpine:latest}}", "search_line": -1, "search_value": "", "expected_value": "Dockerfile should contain instruction 'HEALTHCHECK'", "actual_value": "Dockerfile doesn't contain instruction 'HEALTHCHECK'" }, { - "file_name": 
"path/test/fixtures/dockerfile/should_generate_payload/sample8", - "similarity_id": "fa449aaa7035f6bb3d231cdd171c20b3c9da2a8dcb1b79915d638e8a153dc30c", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/full_sha_digest", + "similarity_id": "bac31787e6c7d3a127e2936f11ef5dadc6b477d8db1a10ed9e5d50c1c688d619", "line": 1, "issue_type": "MissingAttribute", - "search_key": "FROM={{bighostnameusedasasample.example.com:4903/team/my-app:2.0}}", + "search_key": "FROM={{alpine@sha256:e1c082e3d3c45cccac829840a25941e679c25d438cc8412c2fa221cf1a824e6a}}", "search_line": -1, "search_value": "", "expected_value": "Dockerfile should contain instruction 'HEALTHCHECK'", "actual_value": "Dockerfile doesn't contain instruction 'HEALTHCHECK'" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample4", - "similarity_id": "f387ad8dacb9120f378f376aeba5e2b43cccf7366cb8903cdc44c3c818d7a389", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/use_of_host", + "similarity_id": "e295d381f5cf7b496d9557d229dace321cf50a10cf6f35a47733c05d16cec1b4", "line": 1, "issue_type": "MissingAttribute", - "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest}}", + "search_key": "FROM={{example.com:5000/team/my-app:2.0}}", "search_line": -1, "search_value": "", "expected_value": "Dockerfile should contain instruction 'HEALTHCHECK'", "actual_value": "Dockerfile doesn't contain instruction 'HEALTHCHECK'" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample5", - "similarity_id": "e7f0c53246eb7dea6653d51a229d156b19c050b8a3951f42df0f29d3eb89ed59", - "line": 2, + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/big_host_name", + "similarity_id": "0fbe6b1fc068e59c4519a7f0191bf3c66bcd48426bb400f8a17ada2e0db7f373", + "line": 1, "issue_type": "MissingAttribute", - "search_key": "FROM={{--platform=$BUILDPLATFORM golang:1.21}}", + "search_key": 
"FROM={{bighostnameusedasasample.example.com:4903/team/my-app:2.0}}", "search_line": -1, "search_value": "", "expected_value": "Dockerfile should contain instruction 'HEALTHCHECK'", "actual_value": "Dockerfile doesn't contain instruction 'HEALTHCHECK'" }, { - "file_name": "path/test/fixtures/dockerfile/Dockerfile-example", - "similarity_id": "4d0420e48f4c7d991ed6694980266d5b7313da8abb2e29b2dd777ce7c6f6251d", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/host_ip_address", + "similarity_id": "7549d9922711401d3f5a77b06fe02dbec6baf8f6488c483160b3adc5e27002de", "line": 1, "issue_type": "MissingAttribute", - "search_key": "FROM={{openjdk:10-jdk}}", + "search_key": "FROM={{192.168.1.100:5000/team/image:v1}}", "search_line": -1, "search_value": "", "expected_value": "Dockerfile should contain instruction 'HEALTHCHECK'", 
@@ -785,26 +957,15 @@ "description_id": "2e92d18c", "files": [ { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample2", - "similarity_id": "4dcd78fa70e76351869412e7f8fb9c15efefa99100d3774eb9fc81ea9926a117", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/platform_flag_and_alias", + "similarity_id": "9e2783060abf1251b3d7a3d12355870c24afc059e8755e7794806b710f95967e", "line": 2, "issue_type": "IncorrectValue", - "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest AS builder}}.{{RUN apt-get update \u0026\u0026 apt-get install -y gcc}}", + "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest AS builder}}.{{RUN apt-get update /u0026/u0026 apt-get install -y gcc}}", "search_line": -1, "search_value": "", - "expected_value": "'RUN apt-get update \u0026\u0026 apt-get install -y gcc' uses '--no-install-recommends' flag to avoid installing additional packages", - "actual_value": "'RUN apt-get update \u0026\u0026 apt-get install -y gcc' does not use '--no-install-recommends' flag to avoid installing additional packages" - }, - { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample4", - "similarity_id": "912d16cba22eec66e1706a01d4bdb5eb0ec02cb3c77b19a050e4dd009b3a20c5", - "line": 2, - "issue_type": "IncorrectValue", - "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest}}.{{RUN apt-get update \u0026\u0026 apt-get install -y curl}}", - "search_line": -1, - "search_value": "", - "expected_value": "'RUN apt-get update \u0026\u0026 apt-get install -y curl' uses '--no-install-recommends' flag to avoid installing additional packages", - "actual_value": "'RUN apt-get update \u0026\u0026 apt-get install -y curl' does not use '--no-install-recommends' flag to avoid installing additional packages" + "expected_value": "'RUN apt-get update /u0026/u0026 apt-get install -y gcc' uses '--no-install-recommends' flag to avoid installing additional packages", + "actual_value": "'RUN apt-get update 
/u0026/u0026 apt-get install -y gcc' does not use '--no-install-recommends' flag to avoid installing additional packages" } ] }, @@ -822,22 +983,11 @@ "description_id": "4236a50c", "files": [ { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample2", - "similarity_id": "9e9f33dd54e38743c0c1c428075fc0f85535100e57f417ef948b77c2ecd4f96c", - "line": 2, - "issue_type": "IncorrectValue", - "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest AS builder}}.RUN={{apt-get update \u0026\u0026 apt-get install -y gcc}}", - "search_line": -1, - "search_value": "", - "expected_value": "After using apt-get install, the apt-get lists should be deleted", - "actual_value": "After using apt-get install, the apt-get lists were not deleted" - }, - { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample4", - "similarity_id": "609d0ab8b60e35e18f5c0a58a4e924fadf731a6aafdb5edbc0567111eb8de5a1", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/platform_flag_and_alias", + "similarity_id": "589b8ca20e5ccc137ddd4f428f5217d55df9621929f33a87b75c724f6a93239f", "line": 2, "issue_type": "IncorrectValue", - "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest}}.RUN={{apt-get update \u0026\u0026 apt-get install -y curl}}", + "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest AS builder}}.RUN={{apt-get update /u0026/u0026 apt-get install -y gcc}}", "search_line": -1, "search_value": "", "expected_value": "After using apt-get install, the apt-get lists should be deleted", 
@@ -860,30 +1010,19 @@ "description_id": "5bd0baab", "files": [ { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample3", - "similarity_id": "c18b0b59bf46304c5cb40e5e7d9ed707a9a186c75328644b006e9a0d2933de1b", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/platform_flag_and_alias", + "similarity_id": "9b809e69a6609234e47deb34e1c6c519bb5a76364d8bbf6c1df962b9f7eebdcf", "line": 1, "issue_type": "IncorrectValue", - "search_key": "FROM={{--platform=linux/amd64 alpine:latest}}.{{FROM --platform=linux/amd64 alpine:latest}}", - "search_line": -1, - "search_value": "", - "expected_value": "FROM={{--platform=linux/amd64 alpine:latest}}.{{FROM --platform=linux/amd64 alpine:latest}} should not use the '--platform' flag", - "actual_value": "FROM={{--platform=linux/amd64 alpine:latest}}.{{FROM --platform=linux/amd64 alpine:latest}} is using the '--platform' flag" - }, - { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample6", - "similarity_id": "ad64ddb9f4a2c79d5ba2affc8da6498eebe54415c5bc131baf0498e51d838b27", - "line": 1, - "issue_type": "IncorrectValue", - "search_key": "FROM={{--platform=linux/amd64 ubuntu}}.{{FROM --platform=linux/amd64 ubuntu}}", + "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest AS builder}}.{{FROM --platform=linux/amd64 ubuntu:latest AS builder}}", "search_line": -1, "search_value": "", - "expected_value": "FROM={{--platform=linux/amd64 ubuntu}}.{{FROM --platform=linux/amd64 ubuntu}} should not use the '--platform' flag", - "actual_value": "FROM={{--platform=linux/amd64 ubuntu}}.{{FROM --platform=linux/amd64 ubuntu}} is using the '--platform' flag" + "expected_value": "FROM={{--platform=linux/amd64 ubuntu:latest AS builder}}.{{FROM --platform=linux/amd64 ubuntu:latest AS builder}} should not use the '--platform' flag", + "actual_value": "FROM={{--platform=linux/amd64 ubuntu:latest AS builder}}.{{FROM --platform=linux/amd64 ubuntu:latest AS builder}} is using the '--platform' 
flag" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample1", - "similarity_id": "b5e933470891a86661890b79a9ca81f554dc8d2124e8b52737399ad667e21788", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/platform_flag_scratch", + "similarity_id": "aa0029fe9eeb17144a5fd68b1017848f3bf0ca1fe083f9aacea7c4b6ca22b8cd", "line": 1, "issue_type": "IncorrectValue", "search_key": "FROM={{--platform=linux/arm64 scratch}}.{{FROM --platform=linux/arm64 scratch}}", @@ -893,8 +1032,8 @@ "actual_value": "FROM={{--platform=linux/arm64 scratch}}.{{FROM --platform=linux/arm64 scratch}} is using the '--platform' flag" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample5", - "similarity_id": "c19f45ee26938f1021cc6c749c8405eb13d5ac805ca3eed5b87ad5547f52c680", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/platform_with_arg_reference", + "similarity_id": "6ddfbe87de63e9678da90c68dcb202f4e4f2e9bc1d4af42f3d2bdd9a9984cd65", "line": 2, "issue_type": "IncorrectValue", "search_key": "FROM={{--platform=$BUILDPLATFORM golang:1.21}}.{{FROM --platform=$BUILDPLATFORM golang:1.21}}", 
@@ -904,26 +1043,15 @@ "actual_value": "FROM={{--platform=$BUILDPLATFORM golang:1.21}}.{{FROM --platform=$BUILDPLATFORM golang:1.21}} is using the '--platform' flag" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample4", - "similarity_id": "6dacf05a9b1980a2fe019ec2208731e9bbcf1dc32f94cc6e87b36b46d004a9d6", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/platform_flag", + "similarity_id": "d0502e1abfdc65c9d3caa7d9526e8289097c38bf09f81bc3e58a8391f18d9093", "line": 1, "issue_type": "IncorrectValue", - "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest}}.{{FROM --platform=linux/amd64 ubuntu:latest}}", - "search_line": -1, - "search_value": "", - "expected_value": "FROM={{--platform=linux/amd64 ubuntu:latest}}.{{FROM --platform=linux/amd64 ubuntu:latest}} should not use the '--platform' flag", - "actual_value": "FROM={{--platform=linux/amd64 ubuntu:latest}}.{{FROM --platform=linux/amd64 ubuntu:latest}} is using the '--platform' flag" - }, - { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/sample2", - "similarity_id": "3369062c5c80ef20b457c5b93c136c3045cbd7d8e1e5d04ece08284440b80a8e", - "line": 1, - "issue_type": "IncorrectValue", - "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest AS builder}}.{{FROM --platform=linux/amd64 ubuntu:latest AS builder}}", + "search_key": "FROM={{--platform=linux/amd64 alpine:latest}}.{{FROM --platform=linux/amd64 alpine:latest}}", "search_line": -1, "search_value": "", - "expected_value": "FROM={{--platform=linux/amd64 ubuntu:latest AS builder}}.{{FROM --platform=linux/amd64 ubuntu:latest AS builder}} should not use the '--platform' flag", - "actual_value": "FROM={{--platform=linux/amd64 ubuntu:latest AS builder}}.{{FROM --platform=linux/amd64 ubuntu:latest AS builder}} is using the '--platform' flag" + "expected_value": "FROM={{--platform=linux/amd64 alpine:latest}}.{{FROM --platform=linux/amd64 alpine:latest}} should not use the '--platform' flag", 
+ "actual_value": "FROM={{--platform=linux/amd64 alpine:latest}}.{{FROM --platform=linux/amd64 alpine:latest}} is using the '--platform' flag" } ] } From c3d241145eb216c52be02db42edcbd050ac346bd Mon Sep 17 00:00:00 2001 From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Wed, 22 Apr 2026 12:11:01 +0100 Subject: [PATCH 83/84] Fixed dokcerfile lib from statement function LineHint value so multiline FROM statements are compatible, fixed whitespace support for ARG/comments in dockerfiles and fix new E2E results --- assets/libraries/dockerfile.rego | 2 +- e2e/fixtures/E2E_CLI_106_PAYLOAD.json | 62 ++ e2e/fixtures/E2E_CLI_106_RESULT.json | 629 ++++++++++-------- pkg/utils/get_extension.go | 9 +- .../fixtures/dockerfile/Dockerfile-multistage | 3 + .../should_generate_payload/commands_indented | 2 + 6 files changed, 415 insertions(+), 292 deletions(-) create mode 100644 test/fixtures/dockerfile/should_generate_payload/commands_indented diff --git a/assets/libraries/dockerfile.rego b/assets/libraries/dockerfile.rego index b4cfc055a34..dcf4452d95e 100644 --- a/assets/libraries/dockerfile.rego +++ b/assets/libraries/dockerfile.rego @@ -75,7 +75,7 @@ get_original_from_command(commands) = from_command { commands[i].Cmd == "from" from_command := { "Value": substring(commands[i].Original, 0, 4), - "LineHint" : commands[i].EndLine - 1 + "LineHint" : commands[i]._kics_line - 1 } } diff --git a/e2e/fixtures/E2E_CLI_106_PAYLOAD.json b/e2e/fixtures/E2E_CLI_106_PAYLOAD.json index 3afe41bb0e0..845d13c6cdd 100644 --- a/e2e/fixtures/E2E_CLI_106_PAYLOAD.json +++ b/e2e/fixtures/E2E_CLI_106_PAYLOAD.json 
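Review bot: The new `"LineHint" : commands[i]._kics_line - 1` has no comment saying why `_kics_line` is preferred over the `EndLine` it replaces, even though the payload hunk in this same patch shows both keys are emitted on every parsed command and carry the same value in the single-line cases, so a later reader could easily "simplify" it back. I would add above the line: `# use the instruction's start line: EndLine is the last line of a multi-line FROM and would mislocate the finding`, hedged as my reading of the commit message. Note also that in Rego a command lacking `_kics_line` makes this rule body undefined rather than erroring, so `from_command` silently disappears and any query relying on it reports nothing; a fixture covering a `from` command without that key (or an assertion in the parser tests that it is always present) would make that failure visible. As a style point, `"LineHint" :` keeps a space before the colon unlike `"Value":` on the line above; `"LineHint": commands[i]._kics_line - 1` would match. The enclosing rule starts outside the hunk.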
@@ -232,6 +232,34 @@ ], "_kics_line": 11 } + ], + "ubuntu:latestnightly(2)": [ + { + "Cmd": "from", + "EndLine": 13, + "Flags": [], + "JSON": false, + "Original": "FROM ubuntu:latestnightly", + "SubCmd": "", + "Value": [ + "ubuntu:latestnightly" + ], + "_kics_line": 13 + } + ], + "ubuntu:latestnightly(3)": [ + { + "Cmd": "from", + "EndLine": 14, + "Flags": [], + "JSON": false, + "Original": "FROM ubuntu:latestnightly", + "SubCmd": "", + "Value": [ + "ubuntu:latestnightly" + ], + "_kics_line": 14 + } ] }, "file": "file", @@ -1568,6 +1596,40 @@ "file": "file", "id": "0" }, + { + "args": [ + { + "Cmd": "arg", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "ARG BASE_IMAGE=alpine:latest", + "SubCmd": "", + "Value": [ + "BASE_IMAGE=alpine:latest" + ], + "_kics_line": 1 + } + ], + "command": { + "${BASE_IMAGE}": [ + { + "Cmd": "from", + "EndLine": 2, + "Flags": [], + "JSON": false, + "Original": "FROM ${BASE_IMAGE}", + "SubCmd": "", + "Value": [ + "alpine:latest" + ], + "_kics_line": 2 + } + ] + }, + "file": "file", + "id": "0" + }, { "args": [], "command": { diff --git a/e2e/fixtures/E2E_CLI_106_RESULT.json b/e2e/fixtures/E2E_CLI_106_RESULT.json index e0bce9e4709..2e4eb58d8ac 100644 --- a/e2e/fixtures/E2E_CLI_106_RESULT.json +++ b/e2e/fixtures/E2E_CLI_106_RESULT.json @@ -1,9 +1,9 @@ { "kics_version": "development", - "files_scanned": 37, - "lines_scanned": 273, - "files_parsed": 37, - "lines_parsed": 262, + "files_scanned": 38, + "lines_scanned": 278, + "files_parsed": 38, + "lines_parsed": 267, "lines_ignored": 11, "files_failed_to_scan": 0, "queries_total": 48, 
@@ -12,16 +12,16 @@ "scan_id": "console", "severity_counters": { "CRITICAL": 0, - "HIGH": 37, + "HIGH": 38, "INFO": 6, - "LOW": 19, - "MEDIUM": 19, + "LOW": 20, + "MEDIUM": 22, "TRACE": 0 }, - "total_counter": 81, + "total_counter": 86, "total_bom_resources": 0, - "start": "2026-04-22T11:22:16.7947548+01:00", - "end": "2026-04-22T11:22:18.3420558+01:00", + "start": "2026-04-22T11:52:42.7735722+01:00", + "end": "2026-04-22T11:52:44.496561+01:00", "paths": [ "/path/test/fixtures/dockerfile", "/path/test/fixtures/negative_dockerfile" @@ -42,22 +42,22 @@ "description_id": "eb49caf6", "files": [ { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/platform_flag", - "similarity_id": "574ad8efea37036e772f5f133327ee6d82456fcfa268e0a01f942dd36d84a30d", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/multiline_from_statement", + "similarity_id": "af265ea3757c481a3f200faa7949ddb6fe1b0527c191d95ef81be533b12a55ca", "line": 1, "issue_type": "MissingAttribute", - "search_key": "FROM={{--platform=linux/amd64 alpine:latest}}", + "search_key": "FROM={{alpine:3.18 AS base}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/test_folder_names/dockerfiles/any_file.txt", - "similarity_id": "e150676345e87674484ea970ca810125007b743069646ac448feaba242b7211f", - "line": 1, + "file_name": "path/test/fixtures/dockerfile/Dockerfile-multistage", + "similarity_id": "3a12e5dfa0766d9df64e7c2ea00321aae6756bfe37a36ecff1da59755e0f9d36", + "line": 14, "issue_type": "MissingAttribute", - "search_key": "FROM={{alpine:3.19 AS builder}}", + "search_key": "FROM={{ubuntu:latestnightly(3)}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", 
@@ -75,32 +75,43 @@ "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/Dockerfile-multistage", - "similarity_id": "c77e7ff048b27b896b53a89ac6008ec2fea042fb92a18807de325774dd93dfeb", - "line": 5, + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/big_indent_from", + "similarity_id": "fd5fe33f391e08e2d4d4fe8058f5e93a75c6cd8424ea137b9944b8d871d5c37e", + "line": 1, "issue_type": "MissingAttribute", - "search_key": "FROM={{ubuntu:latestnightly(1)}}", + "search_key": "FROM={{alpine:latest}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/big_indent_from", - "similarity_id": "fd5fe33f391e08e2d4d4fe8058f5e93a75c6cd8424ea137b9944b8d871d5c37e", + "file_name": "path/test/fixtures/dockerfile/test_folder_names_case/Docker/any_file.txt", + "similarity_id": "6da391b0e3e24d85f72b3ace5db0569be32ef11e6f9a433b138ae4e0b004df58", "line": 1, "issue_type": "MissingAttribute", - "search_key": "FROM={{alpine:latest}}", + "search_key": "FROM={{alpine:3.19 AS builder}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/test_folder_names_case/Dockerfiles/any_file.txt", - "similarity_id": "b58c4c4ed6c88b82fdf62608154342a31a2de95eaae39716ff4f6ccf1a5bcdda", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/use_of_host", + "similarity_id": "98a9086dd512b76196866fa544fda9b79cdbe49097e0781edb284da60286a356", "line": 1, "issue_type": "MissingAttribute", + "search_key": "FROM={{example.com:5000/team/my-app:2.0}}", + "search_line": -1, + "search_value": "", + "expected_value": "The 
'Dockerfile' should contain the 'USER' instruction", + "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" + }, + { + "file_name": "path/test/fixtures/dockerfile/any_name/Dockerfile.something", + "similarity_id": "b41a39fe06c21fc69fbd6e8f7b3e2c44e8d0d7a8e2b0e0c251f5d6a174e031ee", + "line": 4, + "issue_type": "MissingAttribute", "search_key": "FROM={{alpine:3.19 AS builder}}", "search_line": -1, "search_value": "", 
@@ -108,41 +119,41 @@ "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/case_insensitive_tests/DOCKERfile.txt", - "similarity_id": "a1bc54f29a5cd60b430490ab4ddf040dde52e24f1a9c81544e3aae9e21704fe7", + "file_name": "path/test/fixtures/dockerfile/any_name/DOCKERfile.txt", + "similarity_id": "5663f110b46dbc0378ff0540fc4a54700c80197a1ced862564f987d4f2e7116d", "line": 13, "issue_type": "MissingAttribute", - "search_key": "from={{alpine:3.19 as builder}}", + "search_key": "FROM={{alpine:3.19 AS builder}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/any_name/file.Dockerfile", - "similarity_id": "1d972910b640dfb968ab630847182b4a19f44b78aeeaa0ef93c96c7e27aa8b6a", - "line": 6, + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/base_image_reference", + "similarity_id": "d2716fd01d8e6d44b30749e106a2bd40ce4cb0b673ec7e62a4df8ca982c0582e", + "line": 2, "issue_type": "MissingAttribute", - "search_key": "FROM={{alpine:3.19 AS builder}}", + "search_key": "FROM={{${BASE_IMAGE}}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/with_excluded_comments", - "similarity_id": "7635feaa0695981bc88dd51b213bc0763acd55575fae3d0fe196fe6b2d727bc4", - "line": 5, + "file_name": "path/test/fixtures/dockerfile/case_insensitive_tests/file_2.DOCKERfile", + "similarity_id": "fbc4d6daf991234501dbcba5df28a58b2de1983ffbcc8b18d2f4546c295dfa39", + "line": 4, "issue_type": "MissingAttribute", - "search_key": "FROM={{openjdk:10-jdk}}", + "search_key": "from={{alpine:3.19 AS builder}}", "search_line": -1, 
"search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/case_insensitive_tests/any_name.ubi8", - "similarity_id": "99145bb5bb5996f2d9518769bbebb143a6edff8c1b9866b9de64b2b6fba667e5", + "file_name": "path/test/fixtures/dockerfile/case_insensitive_tests/Dockerfile.something", + "similarity_id": "58a26cafd4b62b89183a99f03c581a511654a67074c333f95c0481af8816450e", "line": 4, "issue_type": "MissingAttribute", "search_key": "from={{alpine:3.19 as builder}}", @@ -152,8 +163,19 @@ "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/test_folder_names_case/Docker/any_file.txt", - "similarity_id": "6da391b0e3e24d85f72b3ace5db0569be32ef11e6f9a433b138ae4e0b004df58", + "file_name": "path/test/fixtures/dockerfile/case_insensitive_tests/random_name", + "similarity_id": "9ca22b0eb1ead0048eef0d5aba185858c316469892ded249c7c261720f293370", + "line": 3, + "issue_type": "MissingAttribute", + "search_key": "from={{alpine:3.19 as builder}}", + "search_line": -1, + "search_value": "", + "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", + "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" + }, + { + "file_name": "path/test/fixtures/dockerfile/test_folder_names/dockerfile/any_file.txt", + "similarity_id": "c2e7f0c0c566a723ff253f4a95e837749faba964ec008551c1f87a7faa476110", "line": 1, "issue_type": "MissingAttribute", "search_key": "FROM={{alpine:3.19 AS builder}}", 
@@ -163,33 +185,33 @@ "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/any_name/dockerFILE", - "similarity_id": "e97a5ec241eb063c5757aed13a666c8126e4375ac9aed300cdc72d4ae883dfdc", - "line": 6, + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/with_excluded_comments", + "similarity_id": "7635feaa0695981bc88dd51b213bc0763acd55575fae3d0fe196fe6b2d727bc4", + "line": 5, "issue_type": "MissingAttribute", - "search_key": "FROM={{alpine:3.19 AS builder}}", + "search_key": "FROM={{openjdk:10-jdk}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/any_name/any_name.ubi8", - "similarity_id": "4d64348b27180d867de9cf04a51db582786ea6622adb94fb54fdbac03b284769", - "line": 4, + "file_name": "path/test/fixtures/dockerfile/case_insensitive_tests/dockerFILE", + "similarity_id": "bda0e263debb4ef181a93c60d35e0f28a57ca27f9f19b0a550a2a219c7fb56b6", + "line": 6, "issue_type": "MissingAttribute", - "search_key": "FROM={{alpine:3.19 AS builder}}", + "search_key": "from={{alpine:3.19 as builder}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/full_sha_digest", - "similarity_id": "bfb661b85dd88d16e0c74c1c07972ecf9ae95203607e762f0faad91a3a02c94a", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/host_ip_address", + "similarity_id": "9f206d8845b08c15965c3cf00b7db7d9ee679c281d14cb5f2d414065a423b8a3", "line": 1, "issue_type": "MissingAttribute", - "search_key": "FROM={{alpine@sha256:e1c082e3d3c45cccac829840a25941e679c25d438cc8412c2fa221cf1a824e6a}}", + "search_key": 
"FROM={{192.168.1.100:5000/team/image:v1}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", 
@@ -207,121 +229,110 @@ "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/any_name/Dockerfile.something", - "similarity_id": "b41a39fe06c21fc69fbd6e8f7b3e2c44e8d0d7a8e2b0e0c251f5d6a174e031ee", - "line": 4, + "file_name": "path/test/fixtures/dockerfile/case_insensitive_tests/DOCKERfile.txt", + "similarity_id": "a1bc54f29a5cd60b430490ab4ddf040dde52e24f1a9c81544e3aae9e21704fe7", + "line": 13, "issue_type": "MissingAttribute", - "search_key": "FROM={{alpine:3.19 AS builder}}", + "search_key": "from={{alpine:3.19 as builder}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/test_folder_names_case/Dockerfile/any_file.txt", - "similarity_id": "47d6f707c904f56fe3ca1cc7bce1d2e0ae41d421da983110a5c15fc7e48105df", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/platform_flag_and_alias", + "similarity_id": "d6c1ff98af764022d3ff3dce0b91cb19fb8dce099e87c506ddd542176b9444c1", "line": 1, "issue_type": "MissingAttribute", - "search_key": "FROM={{alpine:3.19 AS builder}}", + "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest AS builder}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/test_folder_names/dockerfile/any_file.txt", - "similarity_id": "c2e7f0c0c566a723ff253f4a95e837749faba964ec008551c1f87a7faa476110", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/platform_flag_scratch", + "similarity_id": "f7e67be39f384d20f8816eff63ab5538f5990b6bae86ddd244478d9cb89f7b65", "line": 1, "issue_type": "MissingAttribute", - "search_key": "FROM={{alpine:3.19 AS builder}}", + 
"search_key": "FROM={{--platform=linux/arm64 scratch}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/test_folder_names/docker/any_file.txt", - "similarity_id": "9d78b93c92fe63c29dec006a12993b74dc6c6fbf29ae295ff7c6e19136657e2d", + "file_name": "path/test/fixtures/dockerfile/corrupted_dockerfile", + "similarity_id": "558c83370b9fc9e230035e00ff7b5302cd64c16f700e73c830579947e250a381", "line": 1, "issue_type": "MissingAttribute", - "search_key": "FROM={{alpine:3.19 AS builder}}", + "search_key": "FROM={{alpine:latest}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/case_insensitive_tests/file.Dockerfile", - "similarity_id": "5f4fd65d6c624e63abde45a2c7fbfc4a3c64ab9e7b7bc95ddde9b861818aedfc", - "line": 6, + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/commands_indented", + "similarity_id": "0cd6617349fda5c8b8a9a1f3a2d35161133350a3e3617586a260ba4b53648950", + "line": 2, "issue_type": "MissingAttribute", - "search_key": "from={{alpine:3.19 as builder}}", + "search_key": "FROM={{${BASE_IMAGE}}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/Dockerfile-example", - "similarity_id": "aeaf42752011d846797cea09ce1a0eb5457673c67b0fb16914a0c639a253e5c7", + "file_name": "path/test/fixtures/dockerfile/test_folder_names_case/Dockerfile/any_file.txt", + "similarity_id": "47d6f707c904f56fe3ca1cc7bce1d2e0ae41d421da983110a5c15fc7e48105df", "line": 1, "issue_type": "MissingAttribute", - 
"search_key": "FROM={{openjdk:10-jdk}}", - "search_line": -1, - "search_value": "", - "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", - "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" - }, - { - "file_name": "path/test/fixtures/dockerfile/case_insensitive_tests/random_name", - "similarity_id": "9ca22b0eb1ead0048eef0d5aba185858c316469892ded249c7c261720f293370", - "line": 3, - "issue_type": "MissingAttribute", - "search_key": "from={{alpine:3.19 as builder}}", + "search_key": "FROM={{alpine:3.19 AS builder}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/big_host_name", - "similarity_id": "357d434e6436d7fc32420359985019be12903ca92c03f50369e95a19b96e9d97", - "line": 1, + "file_name": "path/test/fixtures/dockerfile/any_name/dockerFILE", + "similarity_id": "e97a5ec241eb063c5757aed13a666c8126e4375ac9aed300cdc72d4ae883dfdc", + "line": 6, "issue_type": "MissingAttribute", - "search_key": "FROM={{bighostnameusedasasample.example.com:4903/team/my-app:2.0}}", + "search_key": "FROM={{alpine:3.19 AS builder}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/host_ip_address", - "similarity_id": "9f206d8845b08c15965c3cf00b7db7d9ee679c281d14cb5f2d414065a423b8a3", + "file_name": "path/test/fixtures/dockerfile/Dockerfile-example", + "similarity_id": "aeaf42752011d846797cea09ce1a0eb5457673c67b0fb16914a0c639a253e5c7", "line": 1, "issue_type": "MissingAttribute", - "search_key": "FROM={{192.168.1.100:5000/team/image:v1}}", + "search_key": "FROM={{openjdk:10-jdk}}", "search_line": -1, "search_value": 
"", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/multiline_from_statement", - "similarity_id": "af265ea3757c481a3f200faa7949ddb6fe1b0527c191d95ef81be533b12a55ca", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/big_host_name", + "similarity_id": "357d434e6436d7fc32420359985019be12903ca92c03f50369e95a19b96e9d97", "line": 1, "issue_type": "MissingAttribute", - "search_key": "FROM={{alpine:3.18 AS base}}", + "search_key": "FROM={{bighostnameusedasasample.example.com:4903/team/my-app:2.0}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/case_insensitive_tests/file_2.DOCKERfile", - "similarity_id": "fbc4d6daf991234501dbcba5df28a58b2de1983ffbcc8b18d2f4546c295dfa39", - "line": 4, + "file_name": "path/test/fixtures/dockerfile/case_insensitive_tests/file.Dockerfile", + "similarity_id": "5f4fd65d6c624e63abde45a2c7fbfc4a3c64ab9e7b7bc95ddde9b861818aedfc", + "line": 6, "issue_type": "MissingAttribute", - "search_key": "from={{alpine:3.19 AS builder}}", + "search_key": "from={{alpine:3.19 as builder}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", 
@@ -339,53 +350,53 @@ "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/platform_flag_and_alias", - "similarity_id": "d6c1ff98af764022d3ff3dce0b91cb19fb8dce099e87c506ddd542176b9444c1", - "line": 1, + "file_name": "path/test/fixtures/dockerfile/any_name/random_name", + "similarity_id": "ee3531797486eec98e3dd28ec8cc5f7f6f00743d1cf79cd47f6859df87026f59", + "line": 3, "issue_type": "MissingAttribute", - "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest AS builder}}", + "search_key": "FROM={{alpine:3.19 AS builder}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/corrupted_dockerfile", - "similarity_id": "558c83370b9fc9e230035e00ff7b5302cd64c16f700e73c830579947e250a381", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/platform_flag", + "similarity_id": "574ad8efea37036e772f5f133327ee6d82456fcfa268e0a01f942dd36d84a30d", "line": 1, "issue_type": "MissingAttribute", - "search_key": "FROM={{alpine:latest}}", + "search_key": "FROM={{--platform=linux/amd64 alpine:latest}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/use_of_host", - "similarity_id": "98a9086dd512b76196866fa544fda9b79cdbe49097e0781edb284da60286a356", + "file_name": "path/test/fixtures/dockerfile/test_folder_names_case/Dockerfiles/any_file.txt", + "similarity_id": "b58c4c4ed6c88b82fdf62608154342a31a2de95eaae39716ff4f6ccf1a5bcdda", "line": 1, "issue_type": "MissingAttribute", - "search_key": "FROM={{example.com:5000/team/my-app:2.0}}", + "search_key": "FROM={{alpine:3.19 AS 
builder}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/base_image_reference", - "similarity_id": "d2716fd01d8e6d44b30749e106a2bd40ce4cb0b673ec7e62a4df8ca982c0582e", - "line": 2, + "file_name": "path/test/fixtures/dockerfile/any_name/file.Dockerfile", + "similarity_id": "1d972910b640dfb968ab630847182b4a19f44b78aeeaa0ef93c96c7e27aa8b6a", + "line": 6, "issue_type": "MissingAttribute", - "search_key": "FROM={{${BASE_IMAGE}}}", + "search_key": "FROM={{alpine:3.19 AS builder}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/any_name/any_name.debian", - "similarity_id": "ef335c394fbaebc802c99ba59b1b3ec830043ac020b711efc7cf497752b73429", - "line": 4, + "file_name": "path/test/fixtures/dockerfile/test_folder_names/docker/any_file.txt", + "similarity_id": "9d78b93c92fe63c29dec006a12993b74dc6c6fbf29ae295ff7c6e19136657e2d", + "line": 1, "issue_type": "MissingAttribute", "search_key": "FROM={{alpine:3.19 AS builder}}", "search_line": -1, 
@@ -394,53 +405,53 @@ "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/platform_flag_scratch", - "similarity_id": "f7e67be39f384d20f8816eff63ab5538f5990b6bae86ddd244478d9cb89f7b65", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/full_sha_digest", + "similarity_id": "bfb661b85dd88d16e0c74c1c07972ecf9ae95203607e762f0faad91a3a02c94a", "line": 1, "issue_type": "MissingAttribute", - "search_key": "FROM={{--platform=linux/arm64 scratch}}", + "search_key": "FROM={{alpine@sha256:e1c082e3d3c45cccac829840a25941e679c25d438cc8412c2fa221cf1a824e6a}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/case_insensitive_tests/dockerFILE", - "similarity_id": "bda0e263debb4ef181a93c60d35e0f28a57ca27f9f19b0a550a2a219c7fb56b6", - "line": 6, + "file_name": "path/test/fixtures/dockerfile/any_name/any_name.ubi8", + "similarity_id": "4d64348b27180d867de9cf04a51db582786ea6622adb94fb54fdbac03b284769", + "line": 4, "issue_type": "MissingAttribute", - "search_key": "from={{alpine:3.19 as builder}}", + "search_key": "FROM={{alpine:3.19 AS builder}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/case_insensitive_tests/Dockerfile.something", - "similarity_id": "58a26cafd4b62b89183a99f03c581a511654a67074c333f95c0481af8816450e", - "line": 4, + "file_name": "path/test/fixtures/dockerfile/test_folder_names/dockerfiles/any_file.txt", + "similarity_id": "e150676345e87674484ea970ca810125007b743069646ac448feaba242b7211f", + "line": 1, "issue_type": "MissingAttribute", - "search_key": 
"from={{alpine:3.19 as builder}}", + "search_key": "FROM={{alpine:3.19 AS builder}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/any_name/random_name", - "similarity_id": "ee3531797486eec98e3dd28ec8cc5f7f6f00743d1cf79cd47f6859df87026f59", - "line": 3, + "file_name": "path/test/fixtures/dockerfile/case_insensitive_tests/any_name.ubi8", + "similarity_id": "99145bb5bb5996f2d9518769bbebb143a6edff8c1b9866b9de64b2b6fba667e5", + "line": 4, "issue_type": "MissingAttribute", - "search_key": "FROM={{alpine:3.19 AS builder}}", + "search_key": "from={{alpine:3.19 as builder}}", "search_line": -1, "search_value": "", "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" }, { - "file_name": "path/test/fixtures/dockerfile/any_name/DOCKERfile.txt", - "similarity_id": "5663f110b46dbc0378ff0540fc4a54700c80197a1ced862564f987d4f2e7116d", - "line": 13, + "file_name": "path/test/fixtures/dockerfile/any_name/any_name.debian", + "similarity_id": "ef335c394fbaebc802c99ba59b1b3ec830043ac020b711efc7cf497752b73429", + "line": 4, "issue_type": "MissingAttribute", "search_key": "FROM={{alpine:3.19 AS builder}}", "search_line": -1, 
@@ -464,22 +475,22 @@ "description_id": "0aedd324", "files": [ { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/platform_with_arg_reference", - "similarity_id": "a6fec2d84a496642691bb3bb5e77cb5fdd04755e956063e42804d5072abb2281", - "line": 7, + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/with_excluded_comments", + "similarity_id": "58376185618893478741c810195c3194b9947675f6855e3b36ac4788fee9c97c", + "line": 10, "issue_type": "IncorrectValue", - "search_key": "FROM={{--platform=$BUILDPLATFORM golang:1.21}}.{{ADD ${JAR_FILE} app.jar}}", + "search_key": "FROM={{openjdk:10-jdk}}.{{ADD ${JAR_FILE} app.jar}}", "search_line": -1, "search_value": "", "expected_value": "'COPY' ${JAR_FILE}", "actual_value": "'ADD' ${JAR_FILE}" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/multiline_from_statement", - "similarity_id": "65fa5eb4dc035a375e7de6745c524a241571a42543ac1e1e50ab6b97992e36e7", - "line": 1, + "file_name": "path/test/fixtures/dockerfile/Dockerfile-multistage", + "similarity_id": "2c8f808eeabb29c31b940c9d5d7526fe997c8c2d155857c1c462030cffd8c366", + "line": 10, "issue_type": "IncorrectValue", - "search_key": "FROM={{alpine:3.18 AS base}}.{{ADD ${JAR_FILE} app.jar}}", + "search_key": "FROM={{ubuntu:latestnightly(1)}}.{{ADD ${JAR_FILE} app.jar}}", "search_line": -1, "search_value": "", "expected_value": "'COPY' ${JAR_FILE}", 
@@ -497,88 +508,88 @@ "actual_value": "'ADD' ${JAR_FILE}" }, { - "file_name": "path/test/fixtures/dockerfile/Dockerfile-example", - "similarity_id": "9d6bb1f4ca1093d79890b1b24b00dbb2e8fa60ca0df6b2ba391db348256eec6f", - "line": 6, + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/platform_flag", + "similarity_id": "7a1036d28f16660bc2d10439a80109abd807dfef90aae78130092d8a395b6868", + "line": 4, "issue_type": "IncorrectValue", - "search_key": "FROM={{openjdk:10-jdk}}.{{ADD ${JAR_FILE} app.jar}}", + "search_key": "FROM={{--platform=linux/amd64 alpine:latest}}.{{ADD ${JAR_FILE} app.jar}}", "search_line": -1, "search_value": "", "expected_value": "'COPY' ${JAR_FILE}", "actual_value": "'ADD' ${JAR_FILE}" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/use_of_host", - "similarity_id": "46bf1a187c7c8aa95cc825281d886f4f34560a3f48210f81bbc1ed7c0b0ebab6", - "line": 3, + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/big_indent_from", + "similarity_id": "3dbca73c5f5b0d65cb9d6f2e1748ddde903c80ec9e97848b8d6d23a8554320b9", + "line": 4, "issue_type": "IncorrectValue", - "search_key": "FROM={{example.com:5000/team/my-app:2.0}}.{{ADD ${JAR_FILE} app.jar}}", + "search_key": "FROM={{alpine:latest}}.{{ADD ${JAR_FILE} app.jar}}", "search_line": -1, "search_value": "", "expected_value": "'COPY' ${JAR_FILE}", "actual_value": "'ADD' ${JAR_FILE}" }, { - "file_name": "path/test/fixtures/dockerfile/Dockerfile-multistage", - "similarity_id": "2c8f808eeabb29c31b940c9d5d7526fe997c8c2d155857c1c462030cffd8c366", - "line": 10, + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/multiline_from_statement", + "similarity_id": "65fa5eb4dc035a375e7de6745c524a241571a42543ac1e1e50ab6b97992e36e7", + "line": 8, "issue_type": "IncorrectValue", - "search_key": "FROM={{ubuntu:latestnightly(1)}}.{{ADD ${JAR_FILE} app.jar}}", + "search_key": "FROM={{alpine:3.18 AS base}}.{{ADD ${JAR_FILE} app.jar}}", "search_line": -1, 
"search_value": "", "expected_value": "'COPY' ${JAR_FILE}", "actual_value": "'ADD' ${JAR_FILE}" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/big_indent_from", - "similarity_id": "3dbca73c5f5b0d65cb9d6f2e1748ddde903c80ec9e97848b8d6d23a8554320b9", - "line": 4, + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/platform_with_arg_reference", + "similarity_id": "a6fec2d84a496642691bb3bb5e77cb5fdd04755e956063e42804d5072abb2281", + "line": 7, "issue_type": "IncorrectValue", - "search_key": "FROM={{alpine:latest}}.{{ADD ${JAR_FILE} app.jar}}", + "search_key": "FROM={{--platform=$BUILDPLATFORM golang:1.21}}.{{ADD ${JAR_FILE} app.jar}}", "search_line": -1, "search_value": "", "expected_value": "'COPY' ${JAR_FILE}", "actual_value": "'ADD' ${JAR_FILE}" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/platform_flag_scratch", - "similarity_id": "b293e7dc91ace6a7c4fec199190cdf5805dede7f6f499ede4f8401b32c6b0d95", - "line": 4, + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/use_of_host", + "similarity_id": "46bf1a187c7c8aa95cc825281d886f4f34560a3f48210f81bbc1ed7c0b0ebab6", + "line": 3, "issue_type": "IncorrectValue", - "search_key": "FROM={{--platform=linux/arm64 scratch}}.{{ADD ${JAR_FILE} app.jar}}", + "search_key": "FROM={{example.com:5000/team/my-app:2.0}}.{{ADD ${JAR_FILE} app.jar}}", "search_line": -1, "search_value": "", "expected_value": "'COPY' ${JAR_FILE}", "actual_value": "'ADD' ${JAR_FILE}" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/platform_flag", - "similarity_id": "7a1036d28f16660bc2d10439a80109abd807dfef90aae78130092d8a395b6868", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/platform_flag_scratch", + "similarity_id": "b293e7dc91ace6a7c4fec199190cdf5805dede7f6f499ede4f8401b32c6b0d95", "line": 4, "issue_type": "IncorrectValue", - "search_key": "FROM={{--platform=linux/amd64 alpine:latest}}.{{ADD ${JAR_FILE} 
app.jar}}", + "search_key": "FROM={{--platform=linux/arm64 scratch}}.{{ADD ${JAR_FILE} app.jar}}", "search_line": -1, "search_value": "", "expected_value": "'COPY' ${JAR_FILE}", "actual_value": "'ADD' ${JAR_FILE}" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/platform_flag_and_alias", - "similarity_id": "331f21aa559609154c76603d67a2ea7ae94f1fe97c9c8614dba0424eb43da6bf", - "line": 5, + "file_name": "path/test/fixtures/dockerfile/Dockerfile-example", + "similarity_id": "9d6bb1f4ca1093d79890b1b24b00dbb2e8fa60ca0df6b2ba391db348256eec6f", + "line": 6, "issue_type": "IncorrectValue", - "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest AS builder}}.{{ADD ${JAR_FILE} app.jar}}", + "search_key": "FROM={{openjdk:10-jdk}}.{{ADD ${JAR_FILE} app.jar}}", "search_line": -1, "search_value": "", "expected_value": "'COPY' ${JAR_FILE}", "actual_value": "'ADD' ${JAR_FILE}" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/with_excluded_comments", - "similarity_id": "58376185618893478741c810195c3194b9947675f6855e3b36ac4788fee9c97c", - "line": 10, + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/platform_flag_and_alias", + "similarity_id": "331f21aa559609154c76603d67a2ea7ae94f1fe97c9c8614dba0424eb43da6bf", + "line": 5, "issue_type": "IncorrectValue", - "search_key": "FROM={{openjdk:10-jdk}}.{{ADD ${JAR_FILE} app.jar}}", + "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest AS builder}}.{{ADD ${JAR_FILE} app.jar}}", "search_line": -1, "search_value": "", "expected_value": "'COPY' ${JAR_FILE}", 
@@ -604,7 +615,7 @@ "similarity_id": "f6fd7d36e1105623f456a64c19447ba1688c981aac4d7ae8724c57c8437461fb", "line": 2, "issue_type": "MissingAttribute", - "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest AS builder}}.RUN={{apt-get update /u0026/u0026 apt-get install -y gcc}}", + "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest AS builder}}.RUN={{apt-get update && apt-get install -y gcc}}", "search_line": -1, "search_value": "gcc", "expected_value": "Package 'gcc' has version defined", 
@@ -626,30 +637,52 @@ "description_id": "22f535ec", "files": [ { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/base_image_reference", - "similarity_id": "2b585700aa5471374491ee55cb32bd19043a996c4b527ef7968f21e217aa2d83", - "line": 2, + "file_name": "path/test/fixtures/dockerfile/Dockerfile-multistage", + "similarity_id": "c9903f97a9c6b1d61827bd33319d69199388b1c8f2723062fcdffeaa4114e609", + "line": 5, "issue_type": "IncorrectValue", - "search_key": "FROM={{${BASE_IMAGE}}}", + "search_key": "FROM={{ubuntu:latestnightly(1)}}", "search_line": -1, "search_value": "", - "expected_value": "FROM alpine:latest:'version' where version should not be 'latest'", - "actual_value": "FROM alpine:latest'" + "expected_value": "FROM ubuntu:latestnightly:'version' where version should not be 'latest'", + "actual_value": "FROM ubuntu:latestnightly'" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/platform_flag", - "similarity_id": "49639e49bb52319bd968d4a82dcc022a74bd93f58db8badc3757f4f416158e78", + "file_name": "path/test/fixtures/dockerfile/Dockerfile-multistage", + "similarity_id": "d46445b62bae41ab265d7e79bca6c132018c33fd09d4ea48c354edc19628e83c", + "line": 14, + "issue_type": "IncorrectValue", + "search_key": "FROM={{ubuntu:latestnightly(3)}}", + "search_line": -1, + "search_value": "", + "expected_value": "FROM ubuntu:latestnightly:'version' where version should not be 'latest'", + "actual_value": "FROM ubuntu:latestnightly'" + }, + { + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/platform_flag_and_alias", + "similarity_id": "eddc0cae749b1b03806a495198d58e2675acdf908cd8d039dfd8743339069808", "line": 1, "issue_type": "IncorrectValue", - "search_key": "FROM={{--platform=linux/amd64 alpine:latest}}", + "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest AS builder}}", "search_line": -1, "search_value": "", - "expected_value": "FROM alpine:latest:'version' where version should not be 'latest'", - 
"actual_value": "FROM alpine:latest'" + "expected_value": "FROM ubuntu:latest:'version' where version should not be 'latest'", + "actual_value": "FROM ubuntu:latest'" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/big_indent_from", - "similarity_id": "152040fb0f74af479251b64b3f3e04cddc103fceebe34abc81c8402b33b5791e", + "file_name": "path/test/fixtures/dockerfile/Dockerfile-multistage", + "similarity_id": "2293ffe73033c89194caa88cbeb6155961a38f987f4ec5da36603522770c38f7", + "line": 1, + "issue_type": "IncorrectValue", + "search_key": "FROM={{ubuntu:latestnightly}}", + "search_line": -1, + "search_value": "", + "expected_value": "FROM ubuntu:latestnightly:'version' where version should not be 'latest'", + "actual_value": "FROM ubuntu:latestnightly'" + }, + { + "file_name": "path/test/fixtures/dockerfile/corrupted_dockerfile", + "similarity_id": "b8c6f58c6b52c4155b70475008be34bcf7ca39a15378ca1828e657a75ba907f3", "line": 1, "issue_type": "IncorrectValue", "search_key": "FROM={{alpine:latest}}", 
@@ -659,41 +692,52 @@ "actual_value": "FROM alpine:latest'" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/platform_flag_and_alias", - "similarity_id": "eddc0cae749b1b03806a495198d58e2675acdf908cd8d039dfd8743339069808", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/platform_flag", + "similarity_id": "49639e49bb52319bd968d4a82dcc022a74bd93f58db8badc3757f4f416158e78", "line": 1, "issue_type": "IncorrectValue", - "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest AS builder}}", + "search_key": "FROM={{--platform=linux/amd64 alpine:latest}}", "search_line": -1, "search_value": "", - "expected_value": "FROM ubuntu:latest:'version' where version should not be 'latest'", - "actual_value": "FROM ubuntu:latest'" + "expected_value": "FROM alpine:latest:'version' where version should not be 'latest'", + "actual_value": "FROM alpine:latest'" }, { - "file_name": "path/test/fixtures/dockerfile/Dockerfile-multistage", - "similarity_id": "c9903f97a9c6b1d61827bd33319d69199388b1c8f2723062fcdffeaa4114e609", - "line": 5, + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/commands_indented", + "similarity_id": "9e14c38135b0625af308eb7ed536813f8e353739f4263fc3accfb91b0b8865bd", + "line": 2, "issue_type": "IncorrectValue", - "search_key": "FROM={{ubuntu:latestnightly(1)}}", + "search_key": "FROM={{${BASE_IMAGE}}}", "search_line": -1, "search_value": "", - "expected_value": "FROM ubuntu:latestnightly:'version' where version should not be 'latest'", - "actual_value": "FROM ubuntu:latestnightly'" + "expected_value": "FROM alpine:latest:'version' where version should not be 'latest'", + "actual_value": "FROM alpine:latest'" }, { "file_name": "path/test/fixtures/dockerfile/Dockerfile-multistage", - "similarity_id": "2293ffe73033c89194caa88cbeb6155961a38f987f4ec5da36603522770c38f7", - "line": 1, + "similarity_id": "c4486197745bf07a12ebe07d539eea97e4fb169a394676d2775028cdc4d1bcd3", + "line": 13, "issue_type": 
"IncorrectValue", - "search_key": "FROM={{ubuntu:latestnightly}}", + "search_key": "FROM={{ubuntu:latestnightly(2)}}", "search_line": -1, "search_value": "", "expected_value": "FROM ubuntu:latestnightly:'version' where version should not be 'latest'", "actual_value": "FROM ubuntu:latestnightly'" }, { - "file_name": "path/test/fixtures/dockerfile/corrupted_dockerfile", - "similarity_id": "b8c6f58c6b52c4155b70475008be34bcf7ca39a15378ca1828e657a75ba907f3", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/base_image_reference", + "similarity_id": "2b585700aa5471374491ee55cb32bd19043a996c4b527ef7968f21e217aa2d83", + "line": 2, + "issue_type": "IncorrectValue", + "search_key": "FROM={{${BASE_IMAGE}}}", + "search_line": -1, + "search_value": "", + "expected_value": "FROM alpine:latest:'version' where version should not be 'latest'", + "actual_value": "FROM alpine:latest'" + }, + { + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/big_indent_from", + "similarity_id": "152040fb0f74af479251b64b3f3e04cddc103fceebe34abc81c8402b33b5791e", "line": 1, "issue_type": "IncorrectValue", "search_key": "FROM={{alpine:latest}}", @@ -718,9 +762,9 @@ "description_id": "29e8216b", "files": [ { - "file_name": "path/test/fixtures/dockerfile/Dockerfile-example", - "similarity_id": "37ebb20d72a17217823809f4bbf670db1167d627157c42c0b4dd9b063e30b5bd", - "line": 3, + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/with_excluded_comments", + "similarity_id": "b7b5e6e04d1eedc9ce08a3b3cc6182d6c77f41539c44825f6b065a9b911a9541", + "line": 7, "issue_type": "IncorrectValue", "search_key": "FROM={{openjdk:10-jdk}}.{{ADD http://source.file/package.file.tar.gz /temp}}", "search_line": -1, 
@@ -729,20 +773,20 @@ "actual_value": "'ADD' http://source.file/package.file.tar.gz" }, { - "file_name": "path/test/fixtures/dockerfile/Dockerfile-multistage", - "similarity_id": "553c7b4eeea7e969b88c30c34e9b7e97dc16963e731d1888fec90bb55f00e35a", - "line": 7, + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/multiline_from_statement", + "similarity_id": "b859a2050fd4032304ab5aa47a5ec7e7be60998e29f82c531d23ca123d31bbc0", + "line": 5, "issue_type": "IncorrectValue", - "search_key": "FROM={{ubuntu:latestnightly(1)}}.{{ADD http://source.file/package.file.tar.gz /temp}}", + "search_key": "FROM={{alpine:3.18 AS base}}.{{ADD http://source.file/package.file.tar.gz /temp}}", "search_line": -1, "search_value": "", "expected_value": "Should use 'curl' or 'wget' to download http://source.file/package.file.tar.gz", "actual_value": "'ADD' http://source.file/package.file.tar.gz" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/with_excluded_comments", - "similarity_id": "b7b5e6e04d1eedc9ce08a3b3cc6182d6c77f41539c44825f6b065a9b911a9541", - "line": 7, + "file_name": "path/test/fixtures/dockerfile/Dockerfile-example", + "similarity_id": "37ebb20d72a17217823809f4bbf670db1167d627157c42c0b4dd9b063e30b5bd", + "line": 3, "issue_type": "IncorrectValue", "search_key": "FROM={{openjdk:10-jdk}}.{{ADD http://source.file/package.file.tar.gz /temp}}", "search_line": -1, 
@@ -751,11 +795,11 @@ "actual_value": "'ADD' http://source.file/package.file.tar.gz" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/multiline_from_statement", - "similarity_id": "b859a2050fd4032304ab5aa47a5ec7e7be60998e29f82c531d23ca123d31bbc0", - "line": 1, + "file_name": "path/test/fixtures/dockerfile/Dockerfile-multistage", + "similarity_id": "553c7b4eeea7e969b88c30c34e9b7e97dc16963e731d1888fec90bb55f00e35a", + "line": 7, "issue_type": "IncorrectValue", - "search_key": "FROM={{alpine:3.18 AS base}}.{{ADD http://source.file/package.file.tar.gz /temp}}", + "search_key": "FROM={{ubuntu:latestnightly(1)}}.{{ADD http://source.file/package.file.tar.gz /temp}}", "search_line": -1, "search_value": "", "expected_value": "Should use 'curl' or 'wget' to download http://source.file/package.file.tar.gz", 
@@ -777,118 +821,129 @@ "description_id": "426121ee", "files": [ { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/platform_flag_and_alias", - "similarity_id": "84c42fce04501e4cab82857ba0eac27193fbf52554ddf85aed92c9e50b1a55cc", - "line": 1, + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/with_excluded_comments", + "similarity_id": "22833bad92ed958c49f1684b045a6c42d3b6551b87be013ada097a30a35b3121", + "line": 5, "issue_type": "MissingAttribute", - "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest AS builder}}", + "search_key": "FROM={{openjdk:10-jdk}}", "search_line": -1, "search_value": "", "expected_value": "Dockerfile should contain instruction 'HEALTHCHECK'", "actual_value": "Dockerfile doesn't contain instruction 'HEALTHCHECK'" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/with_excluded_comments", - "similarity_id": "22833bad92ed958c49f1684b045a6c42d3b6551b87be013ada097a30a35b3121", - "line": 5, + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/platform_with_arg_reference", + "similarity_id": "2b6ecbffb0ae35559c7e7fd068707a6774060cfdb0b6aad4e30c27f6f2201a2e", + "line": 2, "issue_type": "MissingAttribute", - "search_key": "FROM={{openjdk:10-jdk}}", + "search_key": "FROM={{--platform=$BUILDPLATFORM golang:1.21}}", "search_line": -1, "search_value": "", "expected_value": "Dockerfile should contain instruction 'HEALTHCHECK'", "actual_value": "Dockerfile doesn't contain instruction 'HEALTHCHECK'" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/platform_flag_scratch", - "similarity_id": "1413f0f83a852273b3346b226059394439ada151ef2e23c654bf26fa3a2de923", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/big_indent_from", + "similarity_id": "6606bcfea791ee1653816d7fd3d11dda7df4f96cb35ef1557fa3556b0fdca764", "line": 1, "issue_type": "MissingAttribute", - "search_key": "FROM={{--platform=linux/arm64 scratch}}", + 
"search_key": "FROM={{alpine:latest}}", "search_line": -1, "search_value": "", "expected_value": "Dockerfile should contain instruction 'HEALTHCHECK'", "actual_value": "Dockerfile doesn't contain instruction 'HEALTHCHECK'" }, { - "file_name": "path/test/fixtures/dockerfile/Dockerfile-example", - "similarity_id": "4d0420e48f4c7d991ed6694980266d5b7313da8abb2e29b2dd777ce7c6f6251d", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/big_host_name", + "similarity_id": "0fbe6b1fc068e59c4519a7f0191bf3c66bcd48426bb400f8a17ada2e0db7f373", "line": 1, "issue_type": "MissingAttribute", - "search_key": "FROM={{openjdk:10-jdk}}", + "search_key": "FROM={{bighostnameusedasasample.example.com:4903/team/my-app:2.0}}", "search_line": -1, "search_value": "", "expected_value": "Dockerfile should contain instruction 'HEALTHCHECK'", "actual_value": "Dockerfile doesn't contain instruction 'HEALTHCHECK'" }, { - "file_name": "path/test/fixtures/dockerfile/Dockerfile-multistage", - "similarity_id": "e6541da925ea5f5ca321e7c1850bc77e4a80991324087953bd41234691c6b8c5", - "line": 5, + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/multiline_from_statement", + "similarity_id": "60e999ea86c199e26ee55024580e3e69d262b5c83092a25da9eddd321c7c2d21", + "line": 1, "issue_type": "MissingAttribute", - "search_key": "FROM={{ubuntu:latestnightly(1)}}", + "search_key": "FROM={{alpine:3.18 AS base}}", "search_line": -1, "search_value": "", "expected_value": "Dockerfile should contain instruction 'HEALTHCHECK'", "actual_value": "Dockerfile doesn't contain instruction 'HEALTHCHECK'" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/platform_with_arg_reference", - "similarity_id": "2b6ecbffb0ae35559c7e7fd068707a6774060cfdb0b6aad4e30c27f6f2201a2e", - "line": 2, + "file_name": "path/test/fixtures/dockerfile/Dockerfile-multistage", + "similarity_id": "7ce21db0493aefb24ea17710effc041ad227a72e7a1fe7cda7b1a18183a2c13a", + "line": 14, "issue_type": 
"MissingAttribute", - "search_key": "FROM={{--platform=$BUILDPLATFORM golang:1.21}}", + "search_key": "FROM={{ubuntu:latestnightly(3)}}", "search_line": -1, "search_value": "", "expected_value": "Dockerfile should contain instruction 'HEALTHCHECK'", "actual_value": "Dockerfile doesn't contain instruction 'HEALTHCHECK'" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/platform_flag", - "similarity_id": "1d75c91d6f47b6b0e00a70fb3aba1461133e91c394cd42a0378a30020a772c33", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/platform_flag_scratch", + "similarity_id": "1413f0f83a852273b3346b226059394439ada151ef2e23c654bf26fa3a2de923", "line": 1, "issue_type": "MissingAttribute", - "search_key": "FROM={{--platform=linux/amd64 alpine:latest}}", + "search_key": "FROM={{--platform=linux/arm64 scratch}}", "search_line": -1, "search_value": "", "expected_value": "Dockerfile should contain instruction 'HEALTHCHECK'", "actual_value": "Dockerfile doesn't contain instruction 'HEALTHCHECK'" }, { - "file_name": "path/test/fixtures/dockerfile/corrupted_dockerfile", - "similarity_id": "ae470ca681b82da606c6080acf7ea93906066db785bf47e2372ef7b342f43f7e", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/base_image_reference", + "similarity_id": "f89c7daf1bda819bc9f8c88ba0537cc09d73eabc47d2fb265289c7b60d6318c2", + "line": 2, + "issue_type": "MissingAttribute", + "search_key": "FROM={{${BASE_IMAGE}}}", + "search_line": -1, + "search_value": "", + "expected_value": "Dockerfile should contain instruction 'HEALTHCHECK'", + "actual_value": "Dockerfile doesn't contain instruction 'HEALTHCHECK'" + }, + { + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/platform_flag", + "similarity_id": "1d75c91d6f47b6b0e00a70fb3aba1461133e91c394cd42a0378a30020a772c33", "line": 1, "issue_type": "MissingAttribute", - "search_key": "FROM={{alpine:latest}}", + "search_key": "FROM={{--platform=linux/amd64 alpine:latest}}", 
"search_line": -1, "search_value": "", "expected_value": "Dockerfile should contain instruction 'HEALTHCHECK'", "actual_value": "Dockerfile doesn't contain instruction 'HEALTHCHECK'" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/base_image_reference", - "similarity_id": "f89c7daf1bda819bc9f8c88ba0537cc09d73eabc47d2fb265289c7b60d6318c2", - "line": 2, + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/use_of_host", + "similarity_id": "e295d381f5cf7b496d9557d229dace321cf50a10cf6f35a47733c05d16cec1b4", + "line": 1, "issue_type": "MissingAttribute", - "search_key": "FROM={{${BASE_IMAGE}}}", + "search_key": "FROM={{example.com:5000/team/my-app:2.0}}", "search_line": -1, "search_value": "", "expected_value": "Dockerfile should contain instruction 'HEALTHCHECK'", "actual_value": "Dockerfile doesn't contain instruction 'HEALTHCHECK'" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/multiline_from_statement", - "similarity_id": "60e999ea86c199e26ee55024580e3e69d262b5c83092a25da9eddd321c7c2d21", + "file_name": "path/test/fixtures/dockerfile/Dockerfile-example", + "similarity_id": "4d0420e48f4c7d991ed6694980266d5b7313da8abb2e29b2dd777ce7c6f6251d", "line": 1, "issue_type": "MissingAttribute", - "search_key": "FROM={{alpine:3.18 AS base}}", + "search_key": "FROM={{openjdk:10-jdk}}", "search_line": -1, "search_value": "", "expected_value": "Dockerfile should contain instruction 'HEALTHCHECK'", "actual_value": "Dockerfile doesn't contain instruction 'HEALTHCHECK'" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/big_indent_from", - "similarity_id": "6606bcfea791ee1653816d7fd3d11dda7df4f96cb35ef1557fa3556b0fdca764", + "file_name": "path/test/fixtures/dockerfile/corrupted_dockerfile", + "similarity_id": "ae470ca681b82da606c6080acf7ea93906066db785bf47e2372ef7b342f43f7e", "line": 1, "issue_type": "MissingAttribute", "search_key": "FROM={{alpine:latest}}", 
@@ -898,33 +953,33 @@ "actual_value": "Dockerfile doesn't contain instruction 'HEALTHCHECK'" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/full_sha_digest", - "similarity_id": "bac31787e6c7d3a127e2936f11ef5dadc6b477d8db1a10ed9e5d50c1c688d619", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/platform_flag_and_alias", + "similarity_id": "84c42fce04501e4cab82857ba0eac27193fbf52554ddf85aed92c9e50b1a55cc", "line": 1, "issue_type": "MissingAttribute", - "search_key": "FROM={{alpine@sha256:e1c082e3d3c45cccac829840a25941e679c25d438cc8412c2fa221cf1a824e6a}}", + "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest AS builder}}", "search_line": -1, "search_value": "", "expected_value": "Dockerfile should contain instruction 'HEALTHCHECK'", "actual_value": "Dockerfile doesn't contain instruction 'HEALTHCHECK'" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/use_of_host", - "similarity_id": "e295d381f5cf7b496d9557d229dace321cf50a10cf6f35a47733c05d16cec1b4", - "line": 1, + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/commands_indented", + "similarity_id": "04ab9fbe080f52e2e5951e52d1377606b73d01ab60a8640d8fc5824e199d9d34", + "line": 2, "issue_type": "MissingAttribute", - "search_key": "FROM={{example.com:5000/team/my-app:2.0}}", + "search_key": "FROM={{${BASE_IMAGE}}}", "search_line": -1, "search_value": "", "expected_value": "Dockerfile should contain instruction 'HEALTHCHECK'", "actual_value": "Dockerfile doesn't contain instruction 'HEALTHCHECK'" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/big_host_name", - "similarity_id": "0fbe6b1fc068e59c4519a7f0191bf3c66bcd48426bb400f8a17ada2e0db7f373", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/full_sha_digest", + "similarity_id": "bac31787e6c7d3a127e2936f11ef5dadc6b477d8db1a10ed9e5d50c1c688d619", "line": 1, "issue_type": "MissingAttribute", - "search_key": 
"FROM={{bighostnameusedasasample.example.com:4903/team/my-app:2.0}}", + "search_key": "FROM={{alpine@sha256:e1c082e3d3c45cccac829840a25941e679c25d438cc8412c2fa221cf1a824e6a}}", "search_line": -1, "search_value": "", "expected_value": "Dockerfile should contain instruction 'HEALTHCHECK'", @@ -961,11 +1016,11 @@ "similarity_id": "9e2783060abf1251b3d7a3d12355870c24afc059e8755e7794806b710f95967e", "line": 2, "issue_type": "IncorrectValue", - "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest AS builder}}.{{RUN apt-get update /u0026/u0026 apt-get install -y gcc}}", + "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest AS builder}}.{{RUN apt-get update && apt-get install -y gcc}}", "search_line": -1, "search_value": "", - "expected_value": "'RUN apt-get update /u0026/u0026 apt-get install -y gcc' uses '--no-install-recommends' flag to avoid installing additional packages", - "actual_value": "'RUN apt-get update /u0026/u0026 apt-get install -y gcc' does not use '--no-install-recommends' flag to avoid installing additional packages" + "expected_value": "'RUN apt-get update && apt-get install -y gcc' uses '--no-install-recommends' flag to avoid installing additional packages", + "actual_value": "'RUN apt-get update && apt-get install -y gcc' does not use '--no-install-recommends' flag to avoid installing additional packages" } ] }, @@ -987,7 +1042,7 @@ "similarity_id": "589b8ca20e5ccc137ddd4f428f5217d55df9621929f33a87b75c724f6a93239f", "line": 2, "issue_type": "IncorrectValue", - "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest AS builder}}.RUN={{apt-get update /u0026/u0026 apt-get install -y gcc}}", + "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest AS builder}}.RUN={{apt-get update && apt-get install -y gcc}}", "search_line": -1, "search_value": "", "expected_value": "After using apt-get install, the apt-get lists should be deleted", 
@@ -1010,26 +1065,15 @@ "description_id": "5bd0baab", "files": [ { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/platform_flag_and_alias", - "similarity_id": "9b809e69a6609234e47deb34e1c6c519bb5a76364d8bbf6c1df962b9f7eebdcf", - "line": 1, - "issue_type": "IncorrectValue", - "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest AS builder}}.{{FROM --platform=linux/amd64 ubuntu:latest AS builder}}", - "search_line": -1, - "search_value": "", - "expected_value": "FROM={{--platform=linux/amd64 ubuntu:latest AS builder}}.{{FROM --platform=linux/amd64 ubuntu:latest AS builder}} should not use the '--platform' flag", - "actual_value": "FROM={{--platform=linux/amd64 ubuntu:latest AS builder}}.{{FROM --platform=linux/amd64 ubuntu:latest AS builder}} is using the '--platform' flag" - }, - { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/platform_flag_scratch", - "similarity_id": "aa0029fe9eeb17144a5fd68b1017848f3bf0ca1fe083f9aacea7c4b6ca22b8cd", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/platform_flag", + "similarity_id": "d0502e1abfdc65c9d3caa7d9526e8289097c38bf09f81bc3e58a8391f18d9093", "line": 1, "issue_type": "IncorrectValue", - "search_key": "FROM={{--platform=linux/arm64 scratch}}.{{FROM --platform=linux/arm64 scratch}}", + "search_key": "FROM={{--platform=linux/amd64 alpine:latest}}.{{FROM --platform=linux/amd64 alpine:latest}}", "search_line": -1, "search_value": "", - "expected_value": "FROM={{--platform=linux/arm64 scratch}}.{{FROM --platform=linux/arm64 scratch}} should not use the '--platform' flag", - "actual_value": "FROM={{--platform=linux/arm64 scratch}}.{{FROM --platform=linux/arm64 scratch}} is using the '--platform' flag" + "expected_value": "FROM={{--platform=linux/amd64 alpine:latest}}.{{FROM --platform=linux/amd64 alpine:latest}} should not use the '--platform' flag", + "actual_value": "FROM={{--platform=linux/amd64 alpine:latest}}.{{FROM --platform=linux/amd64 
alpine:latest}} is using the '--platform' flag" }, { "file_name": "path/test/fixtures/dockerfile/should_generate_payload/platform_with_arg_reference", 
@@ -1043,15 +1087,26 @@ "actual_value": "FROM={{--platform=$BUILDPLATFORM golang:1.21}}.{{FROM --platform=$BUILDPLATFORM golang:1.21}} is using the '--platform' flag" }, { - "file_name": "path/test/fixtures/dockerfile/should_generate_payload/platform_flag", - "similarity_id": "d0502e1abfdc65c9d3caa7d9526e8289097c38bf09f81bc3e58a8391f18d9093", + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/platform_flag_and_alias", + "similarity_id": "9b809e69a6609234e47deb34e1c6c519bb5a76364d8bbf6c1df962b9f7eebdcf", "line": 1, "issue_type": "IncorrectValue", - "search_key": "FROM={{--platform=linux/amd64 alpine:latest}}.{{FROM --platform=linux/amd64 alpine:latest}}", + "search_key": "FROM={{--platform=linux/amd64 ubuntu:latest AS builder}}.{{FROM --platform=linux/amd64 ubuntu:latest AS builder}}", "search_line": -1, "search_value": "", - "expected_value": "FROM={{--platform=linux/amd64 alpine:latest}}.{{FROM --platform=linux/amd64 alpine:latest}} should not use the '--platform' flag", - "actual_value": "FROM={{--platform=linux/amd64 alpine:latest}}.{{FROM --platform=linux/amd64 alpine:latest}} is using the '--platform' flag" + "expected_value": "FROM={{--platform=linux/amd64 ubuntu:latest AS builder}}.{{FROM --platform=linux/amd64 ubuntu:latest AS builder}} should not use the '--platform' flag", + "actual_value": "FROM={{--platform=linux/amd64 ubuntu:latest AS builder}}.{{FROM --platform=linux/amd64 ubuntu:latest AS builder}} is using the '--platform' flag" + }, + { + "file_name": "path/test/fixtures/dockerfile/should_generate_payload/platform_flag_scratch", + "similarity_id": "aa0029fe9eeb17144a5fd68b1017848f3bf0ca1fe083f9aacea7c4b6ca22b8cd", + "line": 1, + "issue_type": "IncorrectValue", + "search_key": "FROM={{--platform=linux/arm64 scratch}}.{{FROM --platform=linux/arm64 scratch}}", + "search_line": -1, + "search_value": "", + "expected_value": "FROM={{--platform=linux/arm64 scratch}}.{{FROM --platform=linux/arm64 scratch}} should not use the '--platform' 
flag",
+ "actual_value": "FROM={{--platform=linux/arm64 scratch}}.{{FROM --platform=linux/arm64 scratch}} is using the '--platform' flag"
 }
 ]
 }
diff --git a/pkg/utils/get_extension.go b/pkg/utils/get_extension.go
index b0b5d6fbc05..827058d0f81 100644
--- a/pkg/utils/get_extension.go
+++ b/pkg/utils/get_extension.go
@@ -14,10 +14,10 @@ import (
 const (
 extDockerfile = ".dockerfile"
- dockerFromPattern = `(?i)^\s*from\s+`
+ dockerFromPattern = `(?i)^from\s+`
 pythonImportPattern = `(?i)from\s+\S+\s+import\s+\S+`
 emailPattern = `(?i)from\s*(:)?\s*[\w\-.]+@([\w\-]+\.)+[\w\-]{2,4}`
- capitalizedAliasPattern = `^\s*(?i:FROM)\s+\S+\s+(?i:AS)\s+[A-Z]`
+ capitalizedAliasPattern = `^(?i:FROM)\s+\S+\s+(?i:AS)\s+[A-Z]`
 dockerfileIllegalCharacters = `["'` + "`" + `()\[\],;|&?*^%!~<>]`
 )
@@ -97,10 +97,11 @@ func readPossibleDockerFile(path string) bool {
 scanner := bufio.NewScanner(file)
 // Read lines from the file
 for scanner.Scan() {
- if strings.HasPrefix(scanner.Text(), "#") || strings.HasPrefix(strings.ToLower(scanner.Text()), "arg") || scanner.Text() == "" {
+ line := strings.TrimSpace(scanner.Text())
+ if strings.HasPrefix(line, "#") || strings.HasPrefix(strings.ToLower(line), "arg") || line == "" {
 continue
 } else {
- return dockerFrom.MatchString(scanner.Text()) && !matchesAny(falsePositiveFROMPatterns, scanner.Text())
+ return dockerFrom.MatchString(line) && !matchesAny(falsePositiveFROMPatterns, line)
 }
 }
 return false
diff --git a/test/fixtures/dockerfile/Dockerfile-multistage b/test/fixtures/dockerfile/Dockerfile-multistage
index ff222325319..553875db8ba 100644
--- a/test/fixtures/dockerfile/Dockerfile-multistage
+++ b/test/fixtures/dockerfile/Dockerfile-multistage
@@ -9,3 +9,6 @@ RUN tar -xjf /temp/package.file.tar.gz
 ARG JAR_FILE
 ADD ${JAR_FILE} app.jar
 ENTRYPOINT ["java","-Djava.security.egd=file:/dev/./urandom","-jar","/app.jar"]
+
+FROM ubuntu:latestnightly
+FROM ubuntu:latestnightly
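Review bot: In the readPossibleDockerFile hunk the loop still falls through to a bare `return false` without consulting `scanner.Err()`, so a file whose first non-comment line exceeds bufio.Scanner's default 64 KiB token limit (bufio.ErrTooLong) or that fails mid-read is silently classified as not a Dockerfile; either raise the limit with `scanner.Buffer` or make the skip explicit, e.g. `if err := scanner.Err(); err != nil { return false // over-long line or read error: treated as not a Dockerfile }`. The constants hunk drops the leading `\s*` from `dockerFromPattern` and `capitalizedAliasPattern`, which is only sound if every consumer trims the line first as this function now does; `capitalizedAliasPattern` is not used in the visible hunk, so its other call sites presumably need the same `strings.TrimSpace` or they will stop matching indented FROM lines. The `else` after `continue` is redundant and can be flattened to keep the happy path left-aligned. The function's opening, including the file open and close, lies outside the hunk.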
diff --git a/test/fixtures/dockerfile/should_generate_payload/commands_indented b/test/fixtures/dockerfile/should_generate_payload/commands_indented new file mode 100644 index 00000000000..04930146ee9 --- /dev/null +++ b/test/fixtures/dockerfile/should_generate_payload/commands_indented @@ -0,0 +1,2 @@ + ARG BASE_IMAGE=alpine:latest + FROM ${BASE_IMAGE} \ No newline at end of file From adfe6fd13d412629747e375fdff80f84077d9345 Mon Sep 17 00:00:00 2001 From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Wed, 22 Apr 2026 12:34:19 +0100 Subject: [PATCH 84/84] Fix E2E 107 --- e2e/fixtures/E2E_CLI_107_PAYLOAD.json | 310 ++++++++++++---------- e2e/fixtures/E2E_CLI_107_RESULT.json | 362 ++++++++++++++------------ 2 files changed, 361 insertions(+), 311 deletions(-) diff --git a/e2e/fixtures/E2E_CLI_107_PAYLOAD.json b/e2e/fixtures/E2E_CLI_107_PAYLOAD.json index 1d86f2f3256..405e897ca42 100644 --- a/e2e/fixtures/E2E_CLI_107_PAYLOAD.json +++ b/e2e/fixtures/E2E_CLI_107_PAYLOAD.json 
@@ -1,143 +1,171 @@ { - "document": [ - { - "args": [], - "command": { - "ubuntu:latestnightly": [ - { - "Cmd": "from", - "EndLine": 1, - "Flags": [], - "JSON": false, - "Original": "FROM ubuntu:latestnightly", - "SubCmd": "", - "Value": [ - "ubuntu:latestnightly" - ], - "_kics_line": 1 - }, - { - "Cmd": "volume", - "EndLine": 2, - "Flags": [], - "JSON": false, - "Original": "VOLUME /tmp", - "SubCmd": "", - "Value": [ - "/tmp" - ], - "_kics_line": 2 - }, - { - "Cmd": "entrypoint", - "EndLine": 3, - "Flags": [], - "JSON": true, - "Original": "ENTRYPOINT [\"java\",\"-Djava.security.egd=file:/dev/./urandom\",\"-jar\",\"/app.jar\"]", - "SubCmd": "", - "Value": [ - "java", - "-Djava.security.egd=file:/dev/./urandom", - "-jar", - "/app.jar" - ], - "_kics_line": 3 - } - ], - "ubuntu:latestnightly(1)": [ - { - "Cmd": "from", - "EndLine": 5, - "Flags": [], - "JSON": false, - "Original": "FROM ubuntu:latestnightly", - "SubCmd": "", - "Value": [ - "ubuntu:latestnightly" - ], - "_kics_line": 5 - }, - { - "Cmd": "volume", - "EndLine": 6, - "Flags": [], - "JSON": false, - "Original": "VOLUME /tmp", - "SubCmd": "", - "Value": [ - "/tmp" - ], - "_kics_line": 6 - }, - { - "Cmd": "add", - "EndLine": 7, - "Flags": [], - "JSON": false, - "Original": "ADD http://source.file/package.file.tar.gz /temp", - "SubCmd": "", - "Value": [ - "http://source.file/package.file.tar.gz", - "/temp" - ], - "_kics_line": 7 - }, - { - "Cmd": "run", - "EndLine": 8, - "Flags": [], - "JSON": false, - "Original": "RUN tar -xjf /temp/package.file.tar.gz", - "SubCmd": "", - "Value": [ - "tar -xjf /temp/package.file.tar.gz" - ], - "_kics_line": 8 - }, - { - "Cmd": "arg", - "EndLine": 9, - "Flags": [], - "JSON": false, - "Original": "ARG JAR_FILE", - "SubCmd": "", - "Value": [ - "JAR_FILE" - ], - "_kics_line": 9 - }, - { - "Cmd": "add", - "EndLine": 10, - "Flags": [], - "JSON": false, - "Original": "ADD ${JAR_FILE} app.jar", - "SubCmd": "", - "Value": [ - "${JAR_FILE}", - "app.jar" - ], - "_kics_line": 10 - }, - 
{ - "Cmd": "entrypoint", - "EndLine": 11, - "Flags": [], - "JSON": true, - "Original": "ENTRYPOINT [\"java\",\"-Djava.security.egd=file:/dev/./urandom\",\"-jar\",\"/app.jar\"]", - "SubCmd": "", - "Value": [ - "java", - "-Djava.security.egd=file:/dev/./urandom", - "-jar", - "/app.jar" - ], - "_kics_line": 11 - } - ] - }, - "file": "file", - "id": "0" - } - ] + "document": [ + { + "args": [], + "command": { + "ubuntu:latestnightly": [ + { + "Cmd": "from", + "EndLine": 1, + "Flags": [], + "JSON": false, + "Original": "FROM ubuntu:latestnightly", + "SubCmd": "", + "Value": [ + "ubuntu:latestnightly" + ], + "_kics_line": 1 + }, + { + "Cmd": "volume", + "EndLine": 2, + "Flags": [], + "JSON": false, + "Original": "VOLUME /tmp", + "SubCmd": "", + "Value": [ + "/tmp" + ], + "_kics_line": 2 + }, + { + "Cmd": "entrypoint", + "EndLine": 3, + "Flags": [], + "JSON": true, + "Original": "ENTRYPOINT [\"java\",\"-Djava.security.egd=file:/dev/./urandom\",\"-jar\",\"/app.jar\"]", + "SubCmd": "", + "Value": [ + "java", + "-Djava.security.egd=file:/dev/./urandom", + "-jar", + "/app.jar" + ], + "_kics_line": 3 + } + ], + "ubuntu:latestnightly(1)": [ + { + "Cmd": "from", + "EndLine": 5, + "Flags": [], + "JSON": false, + "Original": "FROM ubuntu:latestnightly", + "SubCmd": "", + "Value": [ + "ubuntu:latestnightly" + ], + "_kics_line": 5 + }, + { + "Cmd": "volume", + "EndLine": 6, + "Flags": [], + "JSON": false, + "Original": "VOLUME /tmp", + "SubCmd": "", + "Value": [ + "/tmp" + ], + "_kics_line": 6 + }, + { + "Cmd": "add", + "EndLine": 7, + "Flags": [], + "JSON": false, + "Original": "ADD http://source.file/package.file.tar.gz /temp", + "SubCmd": "", + "Value": [ + "http://source.file/package.file.tar.gz", + "/temp" + ], + "_kics_line": 7 + }, + { + "Cmd": "run", + "EndLine": 8, + "Flags": [], + "JSON": false, + "Original": "RUN tar -xjf /temp/package.file.tar.gz", + "SubCmd": "", + "Value": [ + "tar -xjf /temp/package.file.tar.gz" + ], + "_kics_line": 8 + }, + { + "Cmd": "arg", + 
"EndLine": 9, + "Flags": [], + "JSON": false, + "Original": "ARG JAR_FILE", + "SubCmd": "", + "Value": [ + "JAR_FILE" + ], + "_kics_line": 9 + }, + { + "Cmd": "add", + "EndLine": 10, + "Flags": [], + "JSON": false, + "Original": "ADD ${JAR_FILE} app.jar", + "SubCmd": "", + "Value": [ + "${JAR_FILE}", + "app.jar" + ], + "_kics_line": 10 + }, + { + "Cmd": "entrypoint", + "EndLine": 11, + "Flags": [], + "JSON": true, + "Original": "ENTRYPOINT [\"java\",\"-Djava.security.egd=file:/dev/./urandom\",\"-jar\",\"/app.jar\"]", + "SubCmd": "", + "Value": [ + "java", + "-Djava.security.egd=file:/dev/./urandom", + "-jar", + "/app.jar" + ], + "_kics_line": 11 + } + ], + "ubuntu:latestnightly(2)": [ + { + "Cmd": "from", + "EndLine": 13, + "Flags": [], + "JSON": false, + "Original": "FROM ubuntu:latestnightly", + "SubCmd": "", + "Value": [ + "ubuntu:latestnightly" + ], + "_kics_line": 13 + } + ], + "ubuntu:latestnightly(3)": [ + { + "Cmd": "from", + "EndLine": 14, + "Flags": [], + "JSON": false, + "Original": "FROM ubuntu:latestnightly", + "SubCmd": "", + "Value": [ + "ubuntu:latestnightly" + ], + "_kics_line": 14 + } + ] + }, + "file": "file", + "id": "0" + } + ] } diff --git a/e2e/fixtures/E2E_CLI_107_RESULT.json b/e2e/fixtures/E2E_CLI_107_RESULT.json index b9e89e0bbc3..92b1be4bd20 100644 --- a/e2e/fixtures/E2E_CLI_107_RESULT.json +++ b/e2e/fixtures/E2E_CLI_107_RESULT.json 
@@ -1,172 +1,194 @@ { - "kics_version": "development", - "files_scanned": 1, - "lines_scanned": 12, - "files_parsed": 1, - "lines_parsed": 12, - "lines_ignored": 0, - "files_failed_to_scan": 0, - "queries_total": 48, - "queries_failed_to_execute": 0, - "queries_failed_to_compute_similarity_id": 0, - "scan_id": "console", - "severity_counters": { - "CRITICAL": 0, - "HIGH": 1, - "INFO": 0, - "LOW": 2, - "MEDIUM": 3, - "TRACE": 0 - }, - "total_counter": 6, - "total_bom_resources": 0, - "start": "2026-04-09T14:58:58.1938463+01:00", - "end": "2026-04-09T14:59:10.5630691+01:00", - "paths": [ - "/path/test/fixtures/dockerfile/Dockerfile-multistage" - ], - "queries": [ - { - "query_name": "Missing User Instruction", - "query_id": "fd54f200-402c-4333-a5a4-36ef6709af2f", - "query_url": "https://docs.docker.com/engine/reference/builder/#user", - "severity": "HIGH", - "platform": "Dockerfile", - "cwe": "250", - "risk_score": "7.7", - "cloud_provider": "COMMON", - "category": "Build Process", - "experimental": false, - "description": "Always set a user in the runtime stage of your Dockerfile. 
Without it, the container defaults to root, even if earlier build stages define a user.", - "description_id": "eb49caf6", - "files": [ - { - "file_name": "path/test/fixtures/dockerfile/Dockerfile-multistage", - "similarity_id": "d39796b9bbf6b6b45774ce1a7aea11e5ef87c9c24cd7fd5b99c4595cb2b510d3", - "line": 5, - "issue_type": "MissingAttribute", - "search_key": "FROM={{ubuntu:latestnightly(1)}}", - "search_line": -1, - "search_value": "", - "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", - "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" - } - ] - }, - { - "query_name": "Add Instead of Copy", - "query_id": "9513a694-aa0d-41d8-be61-3271e056f36b", - "query_url": "https://docs.docker.com/engine/reference/builder/#add", - "severity": "MEDIUM", - "platform": "Dockerfile", - "cwe": "610", - "risk_score": "5.2", - "category": "Supply-Chain", - "experimental": false, - "description": "Using ADD to load external installation scripts could lead to an evil web server leveraging this and loading a malicious script.", - "description_id": "0aedd324", - "files": [ - { - "file_name": "path/test/fixtures/dockerfile/Dockerfile-multistage", - "similarity_id": "8a77052e7fe9677bd371c5a652763f6d4edcb6ef3ece7b2574a37de1e532870c", - "line": 10, - "issue_type": "IncorrectValue", - "search_key": "FROM={{ubuntu:latestnightly(1)}}.{{ADD ${JAR_FILE} app.jar}}", - "search_line": -1, - "search_value": "", - "expected_value": "'COPY' ${JAR_FILE}", - "actual_value": "'ADD' ${JAR_FILE}" - } - ] - }, - { - "query_name": "Image Version Using 'latest'", - "query_id": "f45ea400-6bbe-4501-9fc7-1c3d75c32067", - "query_url": "https://docs.docker.com/develop/dev-best-practices/", - "severity": "MEDIUM", - "platform": "Dockerfile", - "cwe": "1357", - "risk_score": "5.1", - "category": "Best Practices", - "experimental": false, - "description": "When building images, always tag them with useful tags which codify version information, intended destination 
(prod or test, for instance), stability, or other information that is useful when deploying the application in different environments. Do not rely on the automatically-created latest tag", - "description_id": "22f535ec", - "files": [ - { - "file_name": "path/test/fixtures/dockerfile/Dockerfile-multistage", - "similarity_id": "7cd0ad90e5f32a85978dbfa12788d4098d089c58464d0206b3686a24c0401a0f", - "line": 5, - "issue_type": "IncorrectValue", - "search_key": "FROM={{ubuntu:latestnightly(1)}}", - "search_line": -1, - "search_value": "", - "expected_value": "FROM ubuntu:latestnightly:'version' where version should not be 'latest'", - "actual_value": "FROM ubuntu:latestnightly'" - }, - { - "file_name": "path/test/fixtures/dockerfile/Dockerfile-multistage", - "similarity_id": "61497abefc29818ee73a40c7bd0c69f67c83e20279fbd89fbe69e7f6eac4e71c", - "line": 1, - "issue_type": "IncorrectValue", - "search_key": "FROM={{ubuntu:latestnightly}}", - "search_line": -1, - "search_value": "", - "expected_value": "FROM ubuntu:latestnightly:'version' where version should not be 'latest'", - "actual_value": "FROM ubuntu:latestnightly'" - } - ] - }, - { - "query_name": "Curl or Wget Instead of Add", - "query_id": "4b410d24-1cbe-4430-a632-62c9a931cf1c", - "query_url": "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", - "severity": "LOW", - "platform": "Dockerfile", - "cwe": "610", - "risk_score": "2.8", - "category": "Best Practices", - "experimental": false, - "description": "Use of Curl or Wget should be done instead of Add to fetch packages from remote URLs due to the use of Add being strongly discouraged", - "description_id": "29e8216b", - "files": [ - { - "file_name": "path/test/fixtures/dockerfile/Dockerfile-multistage", - "similarity_id": "dfcf010141323091aa3e4594c429c4fa9c9c9e3ac1baa0bc553772e6cc5efafc", - "line": 7, - "issue_type": "IncorrectValue", - "search_key": "FROM={{ubuntu:latestnightly(1)}}.{{ADD http://source.file/package.file.tar.gz /temp}}", - 
"search_line": -1, - "search_value": "", - "expected_value": "Should use 'curl' or 'wget' to download http://source.file/package.file.tar.gz", - "actual_value": "'ADD' http://source.file/package.file.tar.gz" - } - ] - }, - { - "query_name": "Healthcheck Instruction Missing", - "query_id": "b03a748a-542d-44f4-bb86-9199ab4fd2d5", - "query_url": "https://docs.docker.com/engine/reference/builder/#healthcheck", - "severity": "LOW", - "platform": "Dockerfile", - "cwe": "710", - "risk_score": "3.6", - "category": "Insecure Configurations", - "experimental": false, - "description": "Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working", - "description_id": "426121ee", - "files": [ - { - "file_name": "path/test/fixtures/dockerfile/Dockerfile-multistage", - "similarity_id": "d2274cbdc91a3888d9efcf4241ef4acf2da0ac270d9bf6066f6bf37d6e99616c", - "line": 5, - "issue_type": "MissingAttribute", - "search_key": "FROM={{ubuntu:latestnightly(1)}}", - "search_line": -1, - "search_value": "", - "expected_value": "Dockerfile should contain instruction 'HEALTHCHECK'", - "actual_value": "Dockerfile doesn't contain instruction 'HEALTHCHECK'" - } - ] - } - ] + "kics_version": "development", + "files_scanned": 1, + "lines_scanned": 15, + "files_parsed": 1, + "lines_parsed": 15, + "lines_ignored": 0, + "files_failed_to_scan": 0, + "queries_total": 48, + "queries_failed_to_execute": 0, + "queries_failed_to_compute_similarity_id": 0, + "scan_id": "console", + "severity_counters": { + "CRITICAL": 0, + "HIGH": 1, + "INFO": 0, + "LOW": 2, + "MEDIUM": 5, + "TRACE": 0 + }, + "total_counter": 8, + "total_bom_resources": 0, + "start": "2026-04-22T12:30:41.5288415+01:00", + "end": "2026-04-22T12:30:43.3332084+01:00", + "paths": [ + "/path/test/fixtures/dockerfile/Dockerfile-multistage" + ], + "queries": [ + { + "query_name": "Missing User Instruction", + "query_id": "fd54f200-402c-4333-a5a4-36ef6709af2f", + 
"query_url": "https://docs.docker.com/engine/reference/builder/#user", + "severity": "HIGH", + "platform": "Dockerfile", + "cwe": "250", + "risk_score": "7.7", + "cloud_provider": "COMMON", + "category": "Build Process", + "experimental": false, + "description": "Always set a user in the runtime stage of your Dockerfile. Without it, the container defaults to root, even if earlier build stages define a user.", + "description_id": "eb49caf6", + "files": [ + { + "file_name": "path/test/fixtures/dockerfile/Dockerfile-multistage", + "similarity_id": "10ce4cfcc91d053ee1b926b632f05f3c744c73044a629a8ac5416a73d6ba80da", + "line": 14, + "issue_type": "MissingAttribute", + "search_key": "FROM={{ubuntu:latestnightly(3)}}", + "search_line": -1, + "search_value": "", + "expected_value": "The 'Dockerfile' should contain the 'USER' instruction", + "actual_value": "The 'Dockerfile' does not contain any 'USER' instruction" + } + ] + }, + { + "query_name": "Add Instead of Copy", + "query_id": "9513a694-aa0d-41d8-be61-3271e056f36b", + "query_url": "https://docs.docker.com/engine/reference/builder/#add", + "severity": "MEDIUM", + "platform": "Dockerfile", + "cwe": "610", + "risk_score": "5.2", + "category": "Supply-Chain", + "experimental": false, + "description": "Using ADD to load external installation scripts could lead to an evil web server leveraging this and loading a malicious script.", + "description_id": "0aedd324", + "files": [ + { + "file_name": "path/test/fixtures/dockerfile/Dockerfile-multistage", + "similarity_id": "8a77052e7fe9677bd371c5a652763f6d4edcb6ef3ece7b2574a37de1e532870c", + "line": 10, + "issue_type": "IncorrectValue", + "search_key": "FROM={{ubuntu:latestnightly(1)}}.{{ADD ${JAR_FILE} app.jar}}", + "search_line": -1, + "search_value": "", + "expected_value": "'COPY' ${JAR_FILE}", + "actual_value": "'ADD' ${JAR_FILE}" + } + ] + }, + { + "query_name": "Image Version Using 'latest'", + "query_id": "f45ea400-6bbe-4501-9fc7-1c3d75c32067", + "query_url": 
"https://docs.docker.com/develop/dev-best-practices/", + "severity": "MEDIUM", + "platform": "Dockerfile", + "cwe": "1357", + "risk_score": "5.1", + "category": "Best Practices", + "experimental": false, + "description": "When building images, always tag them with useful tags which codify version information, intended destination (prod or test, for instance), stability, or other information that is useful when deploying the application in different environments. Do not rely on the automatically-created latest tag", + "description_id": "22f535ec", + "files": [ + { + "file_name": "path/test/fixtures/dockerfile/Dockerfile-multistage", + "similarity_id": "7cd0ad90e5f32a85978dbfa12788d4098d089c58464d0206b3686a24c0401a0f", + "line": 5, + "issue_type": "IncorrectValue", + "search_key": "FROM={{ubuntu:latestnightly(1)}}", + "search_line": -1, + "search_value": "", + "expected_value": "FROM ubuntu:latestnightly:'version' where version should not be 'latest'", + "actual_value": "FROM ubuntu:latestnightly'" + }, + { + "file_name": "path/test/fixtures/dockerfile/Dockerfile-multistage", + "similarity_id": "35196abdb4d1bc998a888b4f84a2c27ff21cc3ef0c98866f921313a59e871c2f", + "line": 13, + "issue_type": "IncorrectValue", + "search_key": "FROM={{ubuntu:latestnightly(2)}}", + "search_line": -1, + "search_value": "", + "expected_value": "FROM ubuntu:latestnightly:'version' where version should not be 'latest'", + "actual_value": "FROM ubuntu:latestnightly'" + }, + { + "file_name": "path/test/fixtures/dockerfile/Dockerfile-multistage", + "similarity_id": "3ce5bdec335929d052c1cd553ea0f09716eca37667944c5f2703da9e92b1a50c", + "line": 14, + "issue_type": "IncorrectValue", + "search_key": "FROM={{ubuntu:latestnightly(3)}}", + "search_line": -1, + "search_value": "", + "expected_value": "FROM ubuntu:latestnightly:'version' where version should not be 'latest'", + "actual_value": "FROM ubuntu:latestnightly'" + }, + { + "file_name": "path/test/fixtures/dockerfile/Dockerfile-multistage", + 
"similarity_id": "61497abefc29818ee73a40c7bd0c69f67c83e20279fbd89fbe69e7f6eac4e71c", + "line": 1, + "issue_type": "IncorrectValue", + "search_key": "FROM={{ubuntu:latestnightly}}", + "search_line": -1, + "search_value": "", + "expected_value": "FROM ubuntu:latestnightly:'version' where version should not be 'latest'", + "actual_value": "FROM ubuntu:latestnightly'" + } + ] + }, + { + "query_name": "Curl or Wget Instead of Add", + "query_id": "4b410d24-1cbe-4430-a632-62c9a931cf1c", + "query_url": "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", + "severity": "LOW", + "platform": "Dockerfile", + "cwe": "610", + "risk_score": "2.8", + "category": "Best Practices", + "experimental": false, + "description": "Use of Curl or Wget should be done instead of Add to fetch packages from remote URLs due to the use of Add being strongly discouraged", + "description_id": "29e8216b", + "files": [ + { + "file_name": "path/test/fixtures/dockerfile/Dockerfile-multistage", + "similarity_id": "dfcf010141323091aa3e4594c429c4fa9c9c9e3ac1baa0bc553772e6cc5efafc", + "line": 7, + "issue_type": "IncorrectValue", + "search_key": "FROM={{ubuntu:latestnightly(1)}}.{{ADD http://source.file/package.file.tar.gz /temp}}", + "search_line": -1, + "search_value": "", + "expected_value": "Should use 'curl' or 'wget' to download http://source.file/package.file.tar.gz", + "actual_value": "'ADD' http://source.file/package.file.tar.gz" + } + ] + }, + { + "query_name": "Healthcheck Instruction Missing", + "query_id": "b03a748a-542d-44f4-bb86-9199ab4fd2d5", + "query_url": "https://docs.docker.com/engine/reference/builder/#healthcheck", + "severity": "LOW", + "platform": "Dockerfile", + "cwe": "710", + "risk_score": "3.6", + "category": "Insecure Configurations", + "experimental": false, + "description": "Ensure that HEALTHCHECK is being used. 
The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working", + "description_id": "426121ee", + "files": [ + { + "file_name": "path/test/fixtures/dockerfile/Dockerfile-multistage", + "similarity_id": "ab1403dc6252c1a8affa62b3642775a987231a5e7144b78bdce4c4747376ef51", + "line": 14, + "issue_type": "MissingAttribute", + "search_key": "FROM={{ubuntu:latestnightly(3)}}", + "search_line": -1, + "search_value": "", + "expected_value": "Dockerfile should contain instruction 'HEALTHCHECK'", + "actual_value": "Dockerfile doesn't contain instruction 'HEALTHCHECK'" + } + ] + } + ] }