Checkmarx · cx-artur-ribeiro · Jul 17, 2025 · Jul 9, 2025 · Jul 9, 2025 · Jul 9, 2025
diff --git a/assets/queries/dockerfile/image_version_not_explicit/query.rego b/assets/queries/dockerfile/image_version_not_explicit/query.rego
@@ -5,7 +5,7 @@ CxPolicy[result] {
 	resource.Cmd == "from"
 	not resource.Value[0] == "scratch"
 
-	versionNotExplicit(resource.Value)
+	versionNotExplicit(resource.Value,resource.EndLine)
 
 	result := {
 		"documentId": input.document[i].id,
@@ -16,13 +16,14 @@ CxPolicy[result] {
 	}
 }
 
-versionNotExplicit(cmd) {
+versionNotExplicit(cmd,line) {
 	count(cmd) == 1
 	regex.match("^\\$[{}A-z0-9-_+].*", cmd[0]) == false
 	not contains(cmd[0], ":")
+    count([x | x := input.document[i].command[name][_]; x.EndLine < line; build_name_exists(x, cmd[0])]) == 0
 }
 
-versionNotExplicit(cmd) {
+versionNotExplicit(cmd,_) {
 	count(cmd) == 1
 	regex.match("^\\$[{}A-z0-9-_+].*", cmd[0]) == true
 
@@ -39,11 +40,11 @@ versionNotExplicit(cmd) {
 	not contains(resource.Value[0], ":")
 }
 
-versionNotExplicit(cmd) {
+versionNotExplicit(cmd,line) {
 	count(cmd) > 1
 
 	not contains(cmd[0], ":")
-    count([x | x := input.document[i].command[name][_]; build_name_exists(x, cmd[0])]) == 0
+    count([x | x := input.document[i].command[name][_]; input.document[i].command[name][_].EndLine < line; build_name_exists(x, cmd[0])]) == 0
 }
 
 build_name_exists(resource, build_name){

diff --git a/assets/queries/dockerfile/image_version_not_explicit/test/negative3.dockerfile b/assets/queries/dockerfile/image_version_not_explicit/test/negative3.dockerfile
@@ -0,0 +1,5 @@
+FROM ubuntu@sha256:b59d21599a2b151e23eea5f6602f4af4d7d31c4e236d22bf0b62b86d2e386b8f as base
+RUN echo "base"
+
+FROM base
+RUN echo "stage1"
diff --git a/assets/queries/dockerfile/image_version_not_explicit/test/negative4.dockerfile b/assets/queries/dockerfile/image_version_not_explicit/test/negative4.dockerfile
@@ -0,0 +1,14 @@
+FROM ubuntu:22.04 AS test1
+RUN echo "depth1"
+
+FROM test1 AS test2
+RUN echo "depth2"
+
+FROM test2 AS test3
+RUN echo "depth3"
+
+FROM test3 AS test4
+RUN echo "depth4"
+
+FROM test4 
+RUN echo "depth5"
diff --git a/assets/queries/dockerfile/image_version_not_explicit/test/positive3.dockerfile b/assets/queries/dockerfile/image_version_not_explicit/test/positive3.dockerfile
@@ -0,0 +1,8 @@
+FROM ubuntu:22.04 AS test
+RUN echo "hello"
+
+FROM positive4 
+RUN echo "positive4"
+
+FROM positive42
+RUN echo "positive42"
diff --git a/assets/queries/dockerfile/image_version_not_explicit/test/positive4.dockerfile b/assets/queries/dockerfile/image_version_not_explicit/test/positive4.dockerfile
@@ -0,0 +1,17 @@
+FROM ubuntu:22.04 AS test1
+RUN echo "depth"
+
+FROM test1 AS test2
+RUN echo "depth"
+
+FROM test_fail_1
+RUN echo "depth"
+
+FROM test3 AS test_fail_2
+RUN echo "depth"
+
+FROM test2 AS test3
+RUN echo "depth"
+
+FROM test3 AS test_fail_1
+RUN echo "depth"
diff --git a/assets/queries/dockerfile/image_version_not_explicit/test/positive_expected_result.json b/assets/queries/dockerfile/image_version_not_explicit/test/positive_expected_result.json
@@ -10,5 +10,29 @@
 		"severity": "MEDIUM",
 		"fileName": "positive2.dockerfile",
 		"line": 7
+	},
+	{
+		"queryName": "Image Version Not Explicit",
+		"severity": "MEDIUM",
+		"fileName": "positive3.dockerfile",
+		"line": 4
+	},
+	{
+		"queryName": "Image Version Not Explicit",
+		"severity": "MEDIUM",
+		"fileName": "positive3.dockerfile",
+		"line": 7
+	},
+	{
+		"queryName": "Image Version Not Explicit",
+		"severity": "MEDIUM",
+		"fileName": "positive4.dockerfile",
+		"line": 7
+	},
+	{
+		"queryName": "Image Version Not Explicit",
+		"severity": "MEDIUM",
+		"fileName": "positive4.dockerfile",
+		"line": 10
 	}
 ]