fix(checks): check no-cache flag only with add command in DS025

Signed-off-by: Nikita Pivkin <[email protected]>
aquasecurity · Jan 23, 2025 · 91032cd · 91032cd
1 parent 3e84852
commit 91032cd
Show file tree

Hide file tree

Showing 4 changed files with 109 additions and 21 deletions.
diff --git a/checks/docker/missing_apk_no_cache.rego b/checks/docker/missing_apk_no_cache.rego
@@ -19,28 +19,16 @@ package builtin.dockerfile.DS025
 
 import rego.v1
 
+import data.lib.cmdutil
 import data.lib.docker
 
-get_apk contains output if {
-	run := docker.run[_]
-	arg := run.Value[0]
-
-	regex.match("apk (-[a-zA-Z]+\\s*)*add", arg)
-
-	not contains_no_cache(arg)
-
-	output := {
-		"cmd": run,
-		"arg": arg,
-	}
-}
-
 deny contains res if {
-	output := get_apk[_]
-	msg := sprintf("'--no-cache' is missed: %s", [output.arg])
-	res := result.new(msg, output.cmd)
-}
-
-contains_no_cache(cmd) if {
-	split(cmd, " ")[_] == "--no-cache"
+	some run in docker.run
+	raw_cmd := cmdutil.to_command_string(run.Value)
+	some tokens in sh.parse_commands(raw_cmd)
+	cmdutil.is_tool(tokens, "apk")
+	cmdutil.is_command(tokens, "add")
+	not cmdutil.has_flag(tokens, "--no-cache")
+	msg := sprintf("'--no-cache' is missed: %s", [raw_cmd])
+	res := result.new(msg, run)
 }
diff --git a/checks/docker/missing_apk_no_cache_test.rego b/checks/docker/missing_apk_no_cache_test.rego
@@ -41,6 +41,33 @@ test_basic_denied if {
 	r[_].msg == "'--no-cache' is missed: apk add python3"
 }
 
+test_deny_run_is_array if {
+	r := deny with input as {"Stages": [{"Name": "alpine:3.17", "Commands": [
+		{
+			"Cmd": "from",
+			"Value": ["alpine:3.17"],
+		},
+		{
+			"Cmd": "run",
+			"Value": ["apk", "add", "python3"],
+		},
+		{
+			"Cmd": "run",
+			"Value": ["pip install --no-cache-dir -r /usr/src/app/requirements.txt"],
+		},
+		{
+			"Cmd": "cmd",
+			"Value": [
+				"python",
+				"/usr/src/app/app.py",
+			],
+		},
+	]}]}
+
+	count(r) == 1
+	r[_].msg == "'--no-cache' is missed: apk add python3"
+}
+
 test_wrong_flag_name_denied if {
 	r := deny with input as {"Stages": [{"Name": "alpine:3.5", "Commands": [
 		{
@@ -97,3 +124,30 @@ test_basic_allowed if {
 
 	count(r) == 0
 }
+
+test_deny_no_cache_flag_with_other_command if {
+	r := deny with input as {"Stages": [{"Name": "alpine:3.17", "Commands": [
+		{
+			"Cmd": "from",
+			"Value": ["alpine:3.17"],
+		},
+		{
+			"Cmd": "run",
+			"Value": ["apk upgrade --no-cache && apk add python3"],
+		},
+		{
+			"Cmd": "run",
+			"Value": ["pip install --no-cache-dir -r /usr/src/app/requirements.txt"],
+		},
+		{
+			"Cmd": "cmd",
+			"Value": [
+				"python",
+				"/usr/src/app/app.py",
+			],
+		},
+	]}]}
+
+	count(r) == 1
+	r[_].msg == "'--no-cache' is missed: apk upgrade --no-cache && apk add python3"
+}
diff --git a/lib/docker/cmdutil.rego b/lib/docker/cmdutil.rego
@@ -0,0 +1,23 @@
+# METADATA
+# custom:
+#   library: true
+#   input:
+#     selector:
+#     - type: dockerfile
+package lib.cmdutil
+
+import rego.v1
+
+is_tool(tokens, tool) if tokens[0] == tool
+
+is_command(tokens, command) if {
+	no_flags := [t | some t in tokens; not startswith(t, "-")]
+	no_flags[1] == command
+}
+
+has_flag(tokens, flag) if {
+	some token in tokens
+	flag == token
+}
+
+to_command_string(value) := concat(" ", value)
diff --git a/lib/docker/cmdutil_test.rego b/lib/docker/cmdutil_test.rego
@@ -0,0 +1,23 @@
+package lib.cmdutil_test
+
+import rego.v1
+
+import data.lib.cmdutil
+
+cmd := ["apk", "-q", "add", "--no-cache", "bash"]
+
+test_is_tool if {
+	cmdutil.is_tool(cmd, "apk")
+	not cmdutil.is_tool(cmd, "apt")
+}
+
+test_is_command if {
+	cmdutil.is_command(cmd, "add")
+	not cmdutil.is_command(cmd, "apk")
+	not cmdutil.is_command(cmd, "bash")
+}
+
+test_has_flag if {
+	cmdutil.has_flag(cmd, "--no-cache")
+	not cmdutil.has_flag(cmd, "--foo")
+}