From dd987c8d880acc028a66806a5903d50d91760583 Mon Sep 17 00:00:00 2001
From: Arpit Jain
Date: Thu, 4 Jun 2026 07:50:43 +0900
Subject: [PATCH] fix(dockerfile): flag unpinned dnf packages followed by a flag

The missing_version_specification_in_dnf_install query treated a package token as version-pinned whenever the next token was '-v', via the clause packages[plus(j, 1)] != "-v". In dnf, '-v' means verbose, not a version, so 'RUN dnf install zip -v' (zip is not pinned) wrongly passed the check, a false negative.

Drop the '-v' special case and decide solely on whether the package itself carries a version (dockerLib.withVersion). Pinned packages such as 'dnf install zip-3.0 -v' still pass, so no new false positive is introduced.

Adds positive and negative test cases covering a flag that follows the package name.

Closes #7306

Signed-off-by: Arpit Jain
---
 .../query.rego | 8 --------
 .../test/negative.dockerfile | 1 +
 .../test/positive.dockerfile | 2 ++
 .../test/positive_expected_result.json | 10 ++++++++++
 4 files changed, 13 insertions(+), 8 deletions(-)

diff --git a/assets/queries/dockerfile/missing_version_specification_in_dnf_install/query.rego b/assets/queries/dockerfile/missing_version_specification_in_dnf_install/query.rego
index 0d50a1ebde0..f31bc0dfbd2 100644
--- a/assets/queries/dockerfile/missing_version_specification_in_dnf_install/query.rego
+++ b/assets/queries/dockerfile/missing_version_specification_in_dnf_install/query.rego
@@ -52,18 +52,10 @@ CxPolicy[result] {
 }
 
 analyzePackages(j, currentPackage, packages, length) {
- j == length - 1
 regex.match("^[a-zA-Z]", currentPackage) == true
 not dockerLib.withVersion(currentPackage)
 }
 
-analyzePackages(j, currentPackage, packages, length) {
- j != length - 1
- regex.match("^[a-zA-Z]", currentPackage) == true
- packages[plus(j, 1)] != "-v"
- not dockerLib.withVersion(currentPackage)
-}
-
 isDnf(command) {
 contains(command[x], "dnf")
 regex.match("(in|rei)n?(stall)?", command[j]) == true
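Review bot: With the `j == length - 1` guard and the second rule removed, `j`, `packages` and `length` are no longer read anywhere in the surviving `analyzePackages(j, currentPackage, packages, length)` rule, yet the signature still declares them and the call site (outside this hunk) presumably still passes them. Renaming the dead arguments to wildcards, `analyzePackages(_, currentPackage, _, _) {`, or trimming them at the caller makes it explicit that the decision now depends on the package token alone, and avoids an unused-argument report if the repository checks policies with `opa check --strict`. A one-line comment above the rule would also pin the behaviour this fix establishes, e.g. `# a token is acceptable only if it carries a version itself; neighbouring tokens (flags such as -v or -y) are never consulted`.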
diff --git a/assets/queries/dockerfile/missing_version_specification_in_dnf_install/test/negative.dockerfile b/assets/queries/dockerfile/missing_version_specification_in_dnf_install/test/negative.dockerfile
index 9d46a45a320..5523f2b8ce2 100644
--- a/assets/queries/dockerfile/missing_version_specification_in_dnf_install/test/negative.dockerfile
+++ b/assets/queries/dockerfile/missing_version_specification_in_dnf_install/test/negative.dockerfile
@@ -1,6 +1,7 @@
 FROM fedora:latest
 RUN dnf -y update && dnf -y install httpd-2.24.2 && dnf clean all
 RUN ["dnf", "install", "httpd-2.24.2"]
+RUN dnf install -v zip-3.0
 COPY index.html /var/www/html/index.html
 EXPOSE 80
 ENTRYPOINT /usr/sbin/httpd -DFOREGROUND
diff --git a/assets/queries/dockerfile/missing_version_specification_in_dnf_install/test/positive.dockerfile b/assets/queries/dockerfile/missing_version_specification_in_dnf_install/test/positive.dockerfile
index 5dd1df62d51..8b5a95d2c7d 100644
--- a/assets/queries/dockerfile/missing_version_specification_in_dnf_install/test/positive.dockerfile
+++ b/assets/queries/dockerfile/missing_version_specification_in_dnf_install/test/positive.dockerfile
@@ -1,6 +1,8 @@
 FROM fedora:latest
 RUN dnf -y update && dnf -y install httpd && dnf clean all
 RUN ["dnf", "install", "httpd"]
+RUN dnf install -v -y zip
+RUN dnf install zip -v
 COPY index.html /var/www/html/index.html
 EXPOSE 80
 ENTRYPOINT /usr/sbin/httpd -DFOREGROUND
diff --git a/assets/queries/dockerfile/missing_version_specification_in_dnf_install/test/positive_expected_result.json b/assets/queries/dockerfile/missing_version_specification_in_dnf_install/test/positive_expected_result.json
index 53dca70b9fb..a63217c3331 100644
--- a/assets/queries/dockerfile/missing_version_specification_in_dnf_install/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/missing_version_specification_in_dnf_install/test/positive_expected_result.json
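Review bot: The negative case added here, `RUN dnf install -v zip-3.0`, places the flag before the package, but the regression this fix targets is a flag after the package, and the commit message's own no-false-positive example `dnf install zip-3.0 -v` is not exercised by any test. Adding `RUN dnf install zip-3.0 -v` to negative.dockerfile would pin the "pinned package followed by a flag" path that previously went through the deleted `packages[plus(j, 1)] != "-v"` clause. The positive hunk that follows does cover the flag-after-package shape with `RUN dnf install zip -v`, so only the negative side is missing.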
@@ -8,5 +8,15 @@
 "queryName": "Missing Version Specification In dnf install",
 "severity": "MEDIUM",
 "line": 3
+ },
+ {
+ "queryName": "Missing Version Specification In dnf install",
+ "severity": "MEDIUM",
+ "line": 4
+ },
+ {
+ "queryName": "Missing Version Specification In dnf install",
+ "severity": "MEDIUM",
+ "line": 5
 }
 ]