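# METADATA
# title: "RUN using 'wget' and 'curl'"
# description: "Avoid using both 'wget' and 'curl' since these tools have the same effect."
# scope: package
# schemas:
#   - input: schema["dockerfile"]
# related_resources:
#   - https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run
# custom:
#   id: DS014
#   avd_id: AVD-DS-0014
#   severity: LOW
#   short_code: standardise-remote-get
#   recommended_action: "Pick one util, either 'wget' or 'curl'"
#   input:
#     selector:
#     - type: dockerfile
package builtin.dockerfile.DS014

import data.lib.docker

# Flag Dockerfiles that fetch remote content with both 'wget' and 'curl'.
#
# The two docker.run[_] references iterate independently, so the two tool
# usages may sit in the same RUN instruction or in two different ones. A
# single result is produced and attached to the first RUN instruction found
# invoking wget (wget[0]); both get_tool_usage definitions below return an
# array so that this indexing is valid for shell-form and exec-form RUNs.
deny[res] {
	wget := get_tool_usage(docker.run[_], "wget")
	curl := get_tool_usage(docker.run[_], "curl")

	count(wget) > 0
	count(curl) > 0

	cmd := wget[0]

	msg := "Shouldn't use both curl and wget"
	res := result.new(msg, cmd)
}

# Shell-form RUN: a single string, possibly chaining commands with '&&'.
# e.g. RUN curl http://example.com
#
# Returns an array containing `cmd` once for every chained command that
# starts with `cmd_name` (optionally preceded by spaces), or an empty array
# when the tool is never invoked. Only '&&' chaining is split; commands joined
# with ';' or '||' are not examined separately and may be missed.
get_tool_usage(cmd, cmd_name) = r {
	count(cmd.Value) == 1

	commands_list := regex.split(`\s*&&\s*`, cmd.Value[0])

	# cmd_name is interpolated unescaped; callers in this file pass literal
	# tool names, so no regex metacharacters reach the pattern
	reg_exp := sprintf("^( )*%s", [cmd_name])

	r := [x |
		instruction := commands_list[_]

		# installing the tool is allowed (it may be required by the installed app)
		not contains(instruction, "install ")
		regex.match(reg_exp, instruction)
		x := cmd
	]
}

# Exec-form RUN: a JSON array whose first element is the executable.
# e.g. RUN ["curl", "http://example.com"]
#
# Returns a one-element array holding `cmd` when the executable is `cmd_name`;
# undefined otherwise. The bare object used to be returned here, which made
# `wget[0]` in `deny` undefined for exec-form instructions, so exec-form usages
# were never reported. Wrapping in an array matches the shell-form definition.
get_tool_usage(cmd, cmd_name) = [cmd] {
	count(cmd.Value) > 1

	cmd.Value[0] == cmd_name
}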