From d4860565dd3f759fde4541c4553c8c62f301a158 Mon Sep 17 00:00:00 2001
From: Stephen Aghaulor
Date: Fri, 2 Aug 2024 13:09:30 -0700
Subject: [PATCH] Fix dockerfile.security.missing-user rules

- A `USER` directive can appear after the `CMD` or` ENTRYPOINT` directive and still be valid
- Updated sample dockerfiles with code comments
---
 dockerfile/security/missing-user-entrypoint.dockerfile | 4 ++--
 .../security/missing-user-entrypoint.fixed.dockerfile  | 5 +++--
 dockerfile/security/missing-user-entrypoint.yaml       | 1 +
 dockerfile/security/missing-user.dockerfile            | 7 ++-----
 dockerfile/security/missing-user.fixed.dockerfile      | 7 ++-----
 dockerfile/security/missing-user.yaml                  | 1 +
 6 files changed, 11 insertions(+), 14 deletions(-)

diff --git a/dockerfile/security/missing-user-entrypoint.dockerfile b/dockerfile/security/missing-user-entrypoint.dockerfile
index d3110f1814..de9fe40c12 100644
--- a/dockerfile/security/missing-user-entrypoint.dockerfile
+++ b/dockerfile/security/missing-user-entrypoint.dockerfile
@@ -9,6 +9,6 @@ RUN pip3 install semgrep
 # ruleid: missing-user-entrypoint
 ENTRYPOINT semgrep -f p/xss
-# TODO: metavar bug
-# ok: missing-user-entrypoint
+# TODO: metavar ellipses bug, this should be a finding but is a false negative
+# ruleid: missing-user-entrypoint
 ENTRYPOINT ["semgrep", "--config", "localfile", "targets"]
diff --git a/dockerfile/security/missing-user-entrypoint.fixed.dockerfile b/dockerfile/security/missing-user-entrypoint.fixed.dockerfile
index 170b6fd3bd..61ee3b400c 100644
--- a/dockerfile/security/missing-user-entrypoint.fixed.dockerfile
+++ b/dockerfile/security/missing-user-entrypoint.fixed.dockerfile
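Review bot: The switched annotation `# ruleid: missing-user-entrypoint` above the exec-form `ENTRYPOINT ["semgrep", "--config", "localfile", "targets"]` asserts a finding that the adjacent TODO says the rule does not produce, so the fixture will now report a missed finding instead of documenting a known gap. Semgrep's test annotations have `todoruleid:` for exactly this case; `# todoruleid: missing-user-entrypoint` keeps the expectation visible without turning the suite red. The same substitution applies to the `# ruleid: missing-user` added above `CMD ["semgrep", "--version"]` in dockerfile/security/missing-user.dockerfile. The TODO would also be more actionable if it named the gap; from the fixture it looks like `$...VARS` does not match the JSON-array form, but that is inferred rather than shown here.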
@@ -7,9 +7,10 @@ RUN git clone https://github.com/returntocorp/semgrep
 RUN pip3 install semgrep
 # ruleid: missing-user-entrypoint
-USER non-root
 ENTRYPOINT semgrep -f p/xss
-# TODO: metavar bug
+# TODO: metavar ellipses bug
 # ok: missing-user-entrypoint
 ENTRYPOINT ["semgrep", "--config", "localfile", "targets"]
+
+USER non-root
\ No newline at end of file
diff --git a/dockerfile/security/missing-user-entrypoint.yaml b/dockerfile/security/missing-user-entrypoint.yaml
index 659ddaa77c..cf2ea76961 100644
--- a/dockerfile/security/missing-user-entrypoint.yaml
+++ b/dockerfile/security/missing-user-entrypoint.yaml
@@ -4,6 +4,7 @@ rules:
   - pattern: |
       ENTRYPOINT $...VARS
   - pattern-not-inside: |
+      ...
       USER $USER
       ...
   fix: |
diff --git a/dockerfile/security/missing-user.dockerfile b/dockerfile/security/missing-user.dockerfile
index a089ea0e8d..6bcee188f0 100644
--- a/dockerfile/security/missing-user.dockerfile
+++ b/dockerfile/security/missing-user.dockerfile
@@ -6,12 +6,9 @@ FROM busybox
 RUN git clone https://github.com/returntocorp/semgrep
 RUN pip3 install semgrep
-# ruleid: missing-user
-CMD semgrep -f p/xss
 # ruleid: missing-user
 CMD semgrep --config localfile targets
-# TODO: metavar ellipses bug
-# ok: missing-user
+# TODO: metavar ellipses bug, this should be a failure but is a false negative
+# ruleid: missing-user
 CMD ["semgrep", "--version"]
diff --git a/dockerfile/security/missing-user.fixed.dockerfile b/dockerfile/security/missing-user.fixed.dockerfile
index 90c753f54e..187f99ae28 100644
--- a/dockerfile/security/missing-user.fixed.dockerfile
+++ b/dockerfile/security/missing-user.fixed.dockerfile
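Review bot: The fixed fixture no longer lines up with its test file: here the lines above the second `ENTRYPOINT` are `# TODO: metavar ellipses bug` and `# ok: missing-user-entrypoint`, while the test file in this commit carries the longer TODO and `# ruleid: missing-user-entrypoint`, and in dockerfile/security/missing-user.fixed.dockerfile the last instruction becomes `CMD ["semgrep", "--config", "localfile", "targets"]` while the test file keeps `CMD ["semgrep", "--version"]`. If the harness compares the autofix output of the test file with the `.fixed` file verbatim, a `fix:` that only rewrites the matched `ENTRYPOINT`/`CMD` line cannot produce these comment and argument differences, so the comparison would fail. Both fixed files also now end with `USER non-root` and no trailing newline; adding the final newline avoids a spurious diff against the fix output. Placing `USER non-root` after the last instruction is valid for the image config, but `non-root` is never created in this busybox-based sample, so anyone copying the fixture as a template gets a container that cannot start; an `adduser` step in the fixed file would make it a runnable example.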
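Review bot: Adding `...` above `USER $USER` makes the `pattern-not-inside` accept a `USER` instruction anywhere in the file, so `USER root`, `USER 0`, or a `USER` set in an earlier build stage (whose config likely does not carry into the final image) would now silence the finding. That reading comes from the pattern alone; confirming it needs a fixture with `USER root` above `ENTRYPOINT`, which this commit does not add. If the semgrep version in use supports nested operators under `pattern-not-inside`, constraining `$USER` with a `metavariable-regex` that rejects `root` and `0` would close the obvious hole, and a `USER root` case in the test file would at least record the gap. The identical change in dockerfile/security/missing-user.yaml has the same effect for `CMD`.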
@@ -6,14 +6,11 @@ FROM busybox
 RUN git clone https://github.com/returntocorp/semgrep
 RUN pip3 install semgrep
-# ruleid: missing-user
-USER non-root
-CMD semgrep -f p/xss
 # ruleid: missing-user
-USER non-root
 CMD semgrep --config localfile targets
 # TODO: metavar ellipses bug
 # ok: missing-user
-CMD ["semgrep", "--version"]
+CMD ["semgrep", "--config", "localfile", "targets"]
+USER non-root
\ No newline at end of file
diff --git a/dockerfile/security/missing-user.yaml b/dockerfile/security/missing-user.yaml
index accb35eb1e..dad7f51571 100644
--- a/dockerfile/security/missing-user.yaml
+++ b/dockerfile/security/missing-user.yaml
@@ -4,6 +4,7 @@ rules:
   - pattern: |
       CMD $...VARS
   - pattern-not-inside: |
+      ...
       USER $USER
       ...
   fix: |