feat(veinmind-iac): add dockerfile security detection (#228)
* feat(plugins): add ftp protocol support in plugin docs(plugins): fix Readme table bug * docs(plugins): add ftp protocol support in plugin * feat(plugins): update dependency version * feat(plugins): add ftp protocol support in weekpass plugin * Refactor(plugins-weakpass): change Mod name to Service name mapping from one-to-one to one-to-many * Test(plugins-weakpass): Add unit tests for ftp service * Test(plugins-weakpass): Add unit tests for ftp service * feat(veinmind-iac): add dockerfile security detection * test(veinmind-iac): add dockerfile security detection tests * fix(veinmind-iac): fix format bug * Test(veinmind-iac): Add unit tests for dockerfile detection
Showing
83 changed files
with
1,058 additions
and
3 deletions.
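--- a/plugins/go/veinmind-iac/rules/dockerfile/add_with_change_parent_directory.rego
+++ b/plugins/go/veinmind-iac/rules/dockerfile/add_with_change_parent_directory.rego
@@ -0,0 +1,12 @@
+package brightMirror.dockerfile
+
+import future.keywords.in
+import data.common
+
+risks[res]{
+inner:= input[_]
+inner.Cmd=="add"
+some val in inner.Value
+contains(val,"../")
+res := common.result(inner,"DF-015")
+}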
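Review bot: The `contains(val,"../")` test on line 41 misses a source written as a bare `..` (for example `ADD .. /app`) and also fires on any argument that merely contains the substring, including the destination path, so the DF-015 match is both incomplete and loose. Anchoring on path-segment boundaries, `regex.match(`(^|/)\.\.(/|$)`, val)`, covers the bare-`..` form while not matching names such as `a../b`. Whether `inner.Value` already excludes the destination argument depends on the parser, which is not visible on this page; a comment on `risks` stating which arguments are inspected would settle it for the next reader.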
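--- a/plugins/go/veinmind-iac/rules/dockerfile/apk_add_missing_clean.rego
+++ b/plugins/go/veinmind-iac/rules/dockerfile/apk_add_missing_clean.rego
@@ -0,0 +1,21 @@
+package brightMirror.dockerfile
+
+import data.common
+
+get_apk[output] {
+run := input[_]
+run.Cmd=="run"
+arg := run.Value[0]
+regex.match("apk (-[a-zA-Z]+\\s*)*add", arg)
+not contains_no_cache(arg)
+output=run
+}
+
+risks[res] {
+output := get_apk[_]
+res:=common.result(output, "DF-026")
+}
+
+contains_no_cache(cmd) {
+split(cmd, " ")[_] == "--no-cache"
+}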
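Review bot: `contains_no_cache` on line 75 splits the command on a single space, so a `--no-cache` preceded by a tab, a double space or a line continuation is not recognised and the RUN is reported under DF-026 although it is already cache-free. A whitespace-aware test, `regex.match(`(^|\s)--no-cache(\s|$)`, cmd)`, removes that false positive. The rule also inspects only `run.Value[0]`, so an exec-form `RUN ["apk", "add", ...]` is never evaluated; a comment on `get_apk` stating that shell-form commands are the intended scope would document that. An explicit `rm -rf /var/cache/apk/*` after `apk add` is likewise treated as unclean — if that is deliberate, say so in the same comment.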
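--- a/plugins/go/veinmind-iac/rules/dockerfile/cmd_multiple.rego
+++ b/plugins/go/veinmind-iac/rules/dockerfile/cmd_multiple.rego
@@ -0,0 +1,15 @@
+package brightMirror.dockerfile
+
+import data.common
+
+risks[res] {
+count(get_cmd) > 1
+obj := [cmd | cmd := get_cmd[_]; true]
+res := common.result(obj[1], "DF-016")
+}
+
+get_cmd[inner] {
+inner := input[_]
+inner.Cmd == "cmd"
+}
+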
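Review bot: `count(get_cmd) > 1` on line 92 counts CMD instructions across the whole Dockerfile, so a multi-stage build in which each stage declares its own CMD is reported under DF-016 even though only the final stage's CMD takes effect; entrypoint_multiple.rego (DF-017) has the same construction. Counting per stage avoids the false positive: in `risks`, bind `stage := input[_].Stage`, build `cmds := [c | c := get_cmd[_]; c.Stage == stage]` and test `count(cmds) > 1` (the `Stage` field is the one copy_from_self.rego already relies on). Separately, `obj[1]` on line 94 is the second element of a set converted to an array, which follows the set's value ordering rather than file order, so the reported line may be the first CMD instead of the redundant one; picking the element with the largest `StartLine` would make the finding point at the later instruction.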
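--- a/plugins/go/veinmind-iac/rules/dockerfile/copy_from_self.rego
+++ b/plugins/go/veinmind-iac/rules/dockerfile/copy_from_self.rego
@@ -0,0 +1,29 @@
+package brightMirror.dockerfile
+
+import data.common
+
+find_alias_from_copy[out]{
+inner:=input[_]
+inner.Cmd=="copy"
+flags:=inner.Flags[_]
+contains(flags,"from")
+parts := split(flags, "=")
+is_equal(inner.Stage,parts[1])
+out:=inner
+}
+
+is_equal(stage,alias)=allow{
+inner:=input[_]
+inner.Stage==stage
+inner.Cmd="from"
+val:=inner.Value
+val[i]="as"
+current_alias:=val[i+1]
+current_alias==alias
+allow=true
+}
+
+risks[res]{
+out:=find_alias_from_copy[_]
+res:= common.result(out, "DF-019")
+}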
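Review bot: `val[i]="as"` on line 133 compares case-sensitively, so a stage declared with the common `FROM image AS builder` is only matched if the parser has already lowercased the values; nothing on this page shows that, so either compare with `lower(val[i]) == "as"` or add a comment on `is_equal` stating that normalisation is expected from the parser. Index references (`COPY --from=0 ...`) that point at the current stage are not handled at all, since only the alias form is compared against `parts[1]`. Stylistically, `inner.Cmd="from"` and `allow=true` use unification where every other rule in this change uses `==` and `:=`; `inner.Cmd == "from"` is the consistent form.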
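--- a/plugins/go/veinmind-iac/rules/dockerfile/copy_missing_link.rego
+++ b/plugins/go/veinmind-iac/rules/dockerfile/copy_missing_link.rego
@@ -0,0 +1,13 @@
+package brightMirror.dockerfile
+
+import future.keywords.every
+import data.common
+
+risks[res] {
+inner := input[_]
+inner.Cmd == "copy"
+every flag in inner.Flags{
+flag !="--link"
+}
+res := common.result(inner, "DF-020")
+}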
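Review bot: `flag !="--link"` on line 163 recognises only the bare flag, so if the Dockerfile parser accepts the `--link=true` spelling that COPY is still reported under DF-020 although the flag is present; `not startswith(flag, "--link")` covers both forms. The rule fires for every COPY without the flag, which means one finding per COPY line in most existing Dockerfiles, so a comment on `risks` stating that this is a build-cache best-practice check rather than a security weakness would help consumers triage the output. ADD accepts `--link` as well but is not covered here; if that is intentional, the same comment should say so.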
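--- a/plugins/go/veinmind-iac/rules/dockerfile/dnf_install_missing_clean.rego
+++ b/plugins/go/veinmind-iac/rules/dockerfile/dnf_install_missing_clean.rego
@@ -0,0 +1,26 @@
+package brightMirror.dockerfile
+
+import data.common
+
+dnf_install_regex := `(dnf install)|(dnf in)|(dnf reinstall)|(dnf rei)|(dnf install-n)|(dnf install-na)|(dnf install-nevra)`
+dnf_regex = sprintf("(%s).*dnf.*clean.*all", [dnf_install_regex])
+
+get_dnf[output] {
+run:=input[_]
+run.Cmd=="run"
+arg := run.Value[0]
+
+regex.match(dnf_install_regex, arg)
+
+not contains_clean_after_dnf(arg)
+output := run
+}
+
+risks[res] {
+output := get_dnf[_]
+res:=common.result(output, "DF-027")
+}
+
+contains_clean_after_dnf(cmd) {
+regex.match(dnf_regex, cmd)
+}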
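Review bot: The alternative `(dnf in)` in `dnf_install_regex` on line 181 is an unanchored substring, so `dnf info <pkg>` (and anything else beginning with `dnf in`) is treated as an install and reported under DF-027 although nothing was installed. Requiring a boundary after the subcommand fixes it, e.g. ``dnf_install_regex := `dnf\s+(install|in|reinstall|rei|install-n|install-na|install-nevra)(\s|$)` ``, which also makes the `(dnf install)` alternative no longer redundant with `(dnf in)`. `dnf_regex` on line 182 is declared with `=` while the line above uses `:=`; keep one form. As in the apk rule, only `run.Value[0]` is inspected and a trailing `rm -rf /var/cache/dnf` is not recognised as a cleanup, which a comment on `get_dnf` should state.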
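--- a/plugins/go/veinmind-iac/rules/dockerfile/entrypoint_multiple.rego
+++ b/plugins/go/veinmind-iac/rules/dockerfile/entrypoint_multiple.rego
@@ -0,0 +1,15 @@
+package brightMirror.dockerfile
+
+import future.keywords.in
+import data.common
+
+risks[res] {
+count(get_entrypoint) > 1
+obj := [entrypoint | entrypoint := get_entrypoint[_]; true]
+res := common.result(obj[1], "DF-017")
+}
+
+get_entrypoint[inner] {
+inner := input[_]
+inner.Cmd == "entrypoint"
+}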
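Review bot: `import future.keywords.in` on line 219 is unused — no `in` expression appears in this file — and from_alias_multiple.rego carries the same unused import. Dropping it keeps these rule files consistent with cmd_multiple.rego, which imports only `data.common`.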
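--- a/plugins/go/veinmind-iac/rules/dockerfile/from_alias_multiple.rego
+++ b/plugins/go/veinmind-iac/rules/dockerfile/from_alias_multiple.rego
@@ -0,0 +1,31 @@
+package brightMirror.dockerfile
+
+import future.keywords.in
+import data.common
+
+get_aliased_name[output] {
+inner:=input[_]
+inner.Cmd=="from"
+value:=inner.Value
+value[i]=="as"
+output={
+"cmd":inner,
+"startLine":inner.StartLine,
+"alias":value[i+1]
+}
+}
+
+checkDuplicate[output]{
+alias1:=get_aliased_name[_]
+alias2:=get_aliased_name[_]
+alias1.startLine!=alias2.startLine
+alias1.alias==alias2.alias
+output:=alias1.cmd
+}
+
+risks[res]{
+count(checkDuplicate)>1
+finalResults:=[finalResult|finalResult:=checkDuplicate[_]]
+index:=count(finalResults)-1
+res:=common.result(finalResults[index],"DF-018")
+}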
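Review bot: `alias1.startLine!=alias2.startLine` on line 265 makes `checkDuplicate` symmetric, so both the original `FROM ... as name` and its duplicate land in the set, and `risks` then reports only `finalResults[index]`, whose position follows set value order rather than `StartLine`; the DF-018 finding can therefore point at the first, legitimate declaration, and a file with two independent duplicated aliases yields a single finding. Changing the comparison to `alias1.startLine > alias2.startLine` keeps only the later occurrences, after which `risks` reduces to `out := checkDuplicate[_]` and `res := common.result(out, "DF-018")` and reports every duplicate. As in copy_from_self.rego, `value[i]=="as"` on line 253 is case-sensitive; confirm that the parser lowercases `AS` or compare with `lower(value[i])`.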