From bc1fe07e0145ecf31a1960ecd3ab69b5ff4d0d19 Mon Sep 17 00:00:00 2001
From: Romeu Silva <200940189+cx-romeu-silva@users.noreply.github.com>
Date: Fri, 13 Jun 2025 17:38:49 +0100
Subject: [PATCH 1/2] fix(query): fix fp for missing_flag_from_dnf_install

---
 .../missing_flag_from_dnf_install/query.rego | 2 +-
 .../test/negative4.dockerfile | 26 +++++++++++++++++++
 2 files changed, 27 insertions(+), 1 deletion(-)
 create mode 100644 assets/queries/dockerfile/missing_flag_from_dnf_install/test/negative4.dockerfile

diff --git a/assets/queries/dockerfile/missing_flag_from_dnf_install/query.rego b/assets/queries/dockerfile/missing_flag_from_dnf_install/query.rego
index 639ce3d41d1..e397cf41452 100644
--- a/assets/queries/dockerfile/missing_flag_from_dnf_install/query.rego
+++ b/assets/queries/dockerfile/missing_flag_from_dnf_install/query.rego
@@ -37,5 +37,5 @@ hasInstallCommandWithoutFlag(command) = c {
 }
 
 hasYesFlag(command) {
- regex.match("\\b(microdnf|dnf *install (-y|-[\\D]{1}y|-y[\\D]{1}|-yes|--assumeyes))\\b [\\w\\W]*", command)
+ regex.match("\\b((tdnf|microdnf|dnf) *install (-y|-[\\D]{1}y|-y[\\D]{1}|-yes|--assumeyes))\\b [\\w\\W]*", command)
 }
diff --git a/assets/queries/dockerfile/missing_flag_from_dnf_install/test/negative4.dockerfile b/assets/queries/dockerfile/missing_flag_from_dnf_install/test/negative4.dockerfile
new file mode 100644
index 00000000000..b98f1213e89
--- /dev/null
+++ b/assets/queries/dockerfile/missing_flag_from_dnf_install/test/negative4.dockerfile
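Review bot: The widened pattern still accepts the yes-flag only when it immediately follows `install`, so `tdnf install jq -y` and `tdnf -y install jq` are not matched by hasYesFlag and, unless hasInstallCommandWithoutFlag (outside this hunk) already excludes them, keep being reported as missing the flag even though tdnf is now recognised. Matching the flag as its own whitespace-delimited token would cover both orderings, e.g. `regex.match("\\b(tdnf|microdnf|dnf)\\b.*\\binstall\\b", command)` together with `regex.match("\\s(-y|-\\Dy|-y\\D|-yes|--assumeyes)\\b", command)`, at the cost of also accepting a flag that belongs to another dnf subcommand chained in the same RUN. Two smaller points on the same line: ` *` between the tool name and `install` also accepts `dnfinstall`, where ` +` is intended, and `[\\D]{1}` is just `\\D`. A short comment above the rule, e.g. `# the yes-flag must directly follow "install"; flags placed before the subcommand or after the package list are not recognised here`, would make the accepted forms clear to the next reader.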
@@ -0,0 +1,26 @@
+ARG BASE_CONTAINER_REGISTRY
+
+# Base the installer on the Azure CLI image as we require the tool
+# to download the psa-check from the UniversalPackage feed.
+# Additionally, the script to retrieve the Kubernetes schemas
+# requires Python (yaml & requests) which are included by
+# default in the Azure CLI image.
+# hadolint ignore=DL3006
+FROM ${BASE_CONTAINER_REGISTRY:-mcr.microsoft.com}/azure-cli AS installer
+
+ARG AZP_URL
+ARG AZP_TOKEN
+
+ARG DCP_INSTALLATION=infra-test
+
+ARG HADOLINT_VERSION=2.12.0
+ARG KUSTOMIZE_VERSION=5.5.0
+ARG KUBECONFORM_VERSION=0.6.7
+ARG FLYWAY_VERSION=11.1.0
+
+RUN tdnf install -y \
+ jq \
+ tar \
+ libicu \
+ python3-requests \
+ python3-yaml
From 51c90cb500ea97f0a60007f2ea49f62dee2c5a63 Mon Sep 17 00:00:00 2001
From: Romeu Silva <200940189+cx-romeu-silva@users.noreply.github.com>
Date: Mon, 16 Jun 2025 15:35:55 +0100
Subject: [PATCH 2/2] add positive tests for the microdnf and tdnf cases

---
 .../test/positive3.dockerfile | 5 ++++
 .../test/positive4.dockerfile | 26 +++++++++++++++++++
 .../test/positive_expected_result.json | 12 +++++++++
 3 files changed, 43 insertions(+)
 create mode 100644 assets/queries/dockerfile/missing_flag_from_dnf_install/test/positive3.dockerfile
 create mode 100644 assets/queries/dockerfile/missing_flag_from_dnf_install/test/positive4.dockerfile

diff --git a/assets/queries/dockerfile/missing_flag_from_dnf_install/test/positive3.dockerfile b/assets/queries/dockerfile/missing_flag_from_dnf_install/test/positive3.dockerfile
new file mode 100644
index 00000000000..53006e46fc4
--- /dev/null
+++ b/assets/queries/dockerfile/missing_flag_from_dnf_install/test/positive3.dockerfile
@@ -0,0 +1,5 @@
+FROM fedora:27
+RUN microdnf install \
+ openssl-libs-1:1.1.1k-6.el8_5.x86_64 \
+ zlib-1.2.11-18.el8_5.x86_64 \
+ && microdnf clean all
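Review bot: negative4.dockerfile carries twenty lines of unrelated ARG and comment content (AZP_URL, AZP_TOKEN, tool versions, a hadolint ignore) around the single `RUN tdnf install -y \` it exists to test, and positive4.dockerfile in the second patch repeats the same fixture with only the flag removed; a fixture in the style of positive3 (`FROM` plus `RUN tdnf install \` and the package lines) would state the intent directly and would keep the `"line": 21` entry in positive_expected_result.json from depending on that padding. If the multi-line continuation after `install -y \` is the form this case is meant to exercise, a one-line comment at the top of the file saying so would preserve that reason for the next maintainer.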
diff --git a/assets/queries/dockerfile/missing_flag_from_dnf_install/test/positive4.dockerfile b/assets/queries/dockerfile/missing_flag_from_dnf_install/test/positive4.dockerfile
new file mode 100644
index 00000000000..4bc589dc2dd
--- /dev/null
+++ b/assets/queries/dockerfile/missing_flag_from_dnf_install/test/positive4.dockerfile
@@ -0,0 +1,26 @@
+ARG BASE_CONTAINER_REGISTRY
+
+# Base the installer on the Azure CLI image as we require the tool
+# to download the psa-check from the UniversalPackage feed.
+# Additionally, the script to retrieve the Kubernetes schemas
+# requires Python (yaml & requests) which are included by
+# default in the Azure CLI image.
+# hadolint ignore=DL3006
+FROM ${BASE_CONTAINER_REGISTRY:-mcr.microsoft.com}/azure-cli AS installer
+
+ARG AZP_URL
+ARG AZP_TOKEN
+
+ARG DCP_INSTALLATION=infra-test
+
+ARG HADOLINT_VERSION=2.12.0
+ARG KUSTOMIZE_VERSION=5.5.0
+ARG KUBECONFORM_VERSION=0.6.7
+ARG FLYWAY_VERSION=11.1.0
+
+RUN tdnf install \
+ jq \
+ tar \
+ libicu \
+ python3-requests \
+ python3-yaml
diff --git a/assets/queries/dockerfile/missing_flag_from_dnf_install/test/positive_expected_result.json b/assets/queries/dockerfile/missing_flag_from_dnf_install/test/positive_expected_result.json
index f88c836d03a..8ca30d102d6 100644
--- a/assets/queries/dockerfile/missing_flag_from_dnf_install/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/missing_flag_from_dnf_install/test/positive_expected_result.json
@@ -22,5 +22,17 @@
 "severity": "LOW",
 "line": 10,
 "fileName": "positive2.dockerfile"
+ },
+ {
+ "queryName": "Missing Flag From Dnf Install",
+ "severity": "LOW",
+ "line": 2,
+ "fileName": "positive3.dockerfile"
+ },
+ {
+ "queryName": "Missing Flag From Dnf Install",
+ "severity": "LOW",
+ "line": 21,
+ "fileName": "positive4.dockerfile"
 }
 ]
\ No newline at end of file