-
Notifications
You must be signed in to change notification settings - Fork 389
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix dockerfile.security.missing-user rules #3448
base: develop
Are you sure you want to change the base?
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change | ||||||||
---|---|---|---|---|---|---|---|---|---|---|
|
@@ -7,9 +7,10 @@ RUN git clone https://github.com/returntocorp/semgrep | |||||||||
RUN pip3 install semgrep | ||||||||||
|
||||||||||
# ruleid: missing-user-entrypoint | ||||||||||
USER non-root | ||||||||||
ENTRYPOINT semgrep -f p/xss | ||||||||||
|
||||||||||
# TODO: metavar bug | ||||||||||
# TODO: metavar ellipses bug | ||||||||||
# ok: missing-user-entrypoint | ||||||||||
ENTRYPOINT ["semgrep", "--config", "localfile", "targets"] | ||||||||||
Comment on lines
13
to
14
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Suggested change
|
||||||||||
|
||||||||||
USER non-root |
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -4,6 +4,7 @@ rules: | |
- pattern: | | ||
ENTRYPOINT $...VARS | ||
- pattern-not-inside: | | ||
... | ||
USER $USER | ||
... | ||
Comment on lines
+7
to
9
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Not sure if this can be helped, but starting a pattern with an ellipses is very slow! (I think we have CI checks to not allow this) There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. To avoid a starting ellipses, maybe we could do something like this?
|
||
fix: | | ||
|
Original file line number | Diff line number | Diff line change | ||||||||
---|---|---|---|---|---|---|---|---|---|---|
|
@@ -6,12 +6,9 @@ FROM busybox | |||||||||
RUN git clone https://github.com/returntocorp/semgrep | ||||||||||
RUN pip3 install semgrep | ||||||||||
|
||||||||||
# ruleid: missing-user | ||||||||||
CMD semgrep -f p/xss | ||||||||||
|
||||||||||
# ruleid: missing-user | ||||||||||
CMD semgrep --config localfile targets | ||||||||||
|
||||||||||
# TODO: metavar ellipses bug | ||||||||||
# ok: missing-user | ||||||||||
# TODO: metavar ellipses bug, this should be a failure but is a false negative | ||||||||||
# ruleid: missing-user | ||||||||||
Comment on lines
+12
to
+13
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Suggested change
|
||||||||||
CMD ["semgrep", "--version"] |
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -4,6 +4,7 @@ rules: | |
- pattern: | | ||
CMD $...VARS | ||
- pattern-not-inside: | | ||
... | ||
USER $USER | ||
... | ||
Comment on lines
+7
to
9
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. To avoid a starting ellipses, maybe we could do something like this?
|
||
fix: | | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For failing testcases that are related to the engine instead of the rule, we also have
todook
andtodoruleid
. This allows our tests to pass for now, and the rule in its current state to be published. But also allows our developers to verify what the intended behaviour is. If they make an engine update that fixes this problem, they will update the test syntax.