
     1  package builtin.dockerfile.DS021
     2  
     3  test_denied {
     4  	r := deny with input as {"Stages": [{"Name": "node:12", "Commands": [
     5  		{
     6  			"Cmd": "from",
     7  			"Value": ["node:12"],
     8  		},
     9  		{
    10  			"Cmd": "run",
    11  			"Value": ["apt-get install python=2.7"],
    12  		},
    13  	]}]}
    14  
    15  	count(r) == 1
    16  	r[_].msg == "'-y' flag is missed: 'apt-get install python=2.7'"
    17  }
    18  
    19  test_json_array_denied {
    20  	r := deny with input as {"Stages": [{"Name": "node:12", "Commands": [
    21  		{
    22  			"Cmd": "from",
    23  			"Value": ["node:12"],
    24  		},
    25  		{
    26  			"Cmd": "run",
    27  			"Value": [
    28  				"apt-get",
    29  				"install",
    30  				"apt-utils",
    31  			],
    32  		},
    33  	]}]}
    34  
    35  	count(r) == 1
    36  	r[_].msg == "'-y' flag is missed: 'apt-get install apt-utils'"
    37  }
    38  
    39  test_allowed {
    40  	r := deny with input as {"Stages": [{"Name": "node:12", "Commands": [
    41  		{
    42  			"Cmd": "from",
    43  			"Value": ["node:12"],
    44  		},
    45  		{
    46  			"Cmd": "run",
    47  			"Value": ["apt-get -fmy install apt-utils"],
    48  		},
    49  	]}]}
    50  
    51  	count(r) == 0
    52  }
    53  
    54  test_with_short_flags_behind_allowed {
    55  	r := deny with input as {"Stages": [{"Name": "node:12", "Commands": [
    56  		{
    57  			"Cmd": "from",
    58  			"Value": ["node:12"],
    59  		},
    60  		{
    61  			"Cmd": "run",
    62  			"Value": ["apt-get install -fmy apt-utils"],
    63  		},
    64  	]}]}
    65  
    66  	count(r) == 0
    67  }
    68  
    69  test_with_long_flags_behind_allowed {
    70  	r := deny with input as {"Stages": [{"Name": "node:12", "Commands": [
    71  		{
    72  			"Cmd": "from",
    73  			"Value": ["node:12"],
    74  		},
    75  		{
    76  			"Cmd": "run",
    77  			"Value": ["apt-get install --assume-yes apt-utils"],
    78  		},
    79  	]}]}
    80  
    81  	count(r) == 0
    82  }
    83  
    84  test_json_array_short_flag_allowed {
    85  	r := deny with input as {"Stages": [{"Name": "node:12", "Commands": [
    86  		{
    87  			"Cmd": "from",
    88  			"Value": ["node:12"],
    89  		},
    90  		{
    91  			"Cmd": "run",
    92  			"Value": [
    93  				"apt-get",
    94  				"-fmy",
    95  				"install",
    96  				"apt-utils",
    97  			],
    98  		},
    99  	]}]}
   100  
   101  	count(r) == 0
   102  }
   103  
   104  test_json_array_long_flag_allowed {
   105  	r := deny with input as {"Stages": [{"Name": "node:12", "Commands": [
   106  		{
   107  			"Cmd": "from",
   108  			"Value": ["node:12"],
   109  		},
   110  		{
   111  			"Cmd": "run",
   112  			"Value": [
   113  				"apt-get",
   114  				"--yes",
   115  				"-q",
   116  				"install",
   117  				"apt-utils",
   118  			],
   119  		},
   120  	]}]}
   121  
   122  	count(r) == 0
   123  }
   124  
   125  test_chained_allowed {
   126  	r := deny with input as {"Stages": [{"Name": "node:12", "Commands": [
   127  		{
   128  			"Cmd": "from",
   129  			"Value": ["node:12"],
   130  		},
   131  		{
   132  			"Cmd": "run",
   133  			"Value": ["apt-get update && apt-get -y install apt-utils"],
   134  		},
   135  	]}]}
   136  
   137  	count(r) == 0
   138  }
   139  
   140  test_flags_after_pkgs_allowed {
   141  	r := deny with input as {"Stages": [{"Name": "debian:11-slim", "Commands": [
   142  		{
   143  			"Cmd": "from",
   144  			"Value": ["debian:11-slim"],
   145  		},
   146  		{
   147  			"Cmd": "run",
   148  			"Value": ["apt-get update && apt-get install tzdata postgresql-10 -y && rm -rf /var/lib/apt/lists/*"],
   149  		},
   150  	]}]}
   151  	count(r) == 0
   152  }