# Source: github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/docker/policies/same_alias_in_different_froms_test.rego
#
# Unit tests for the DS012 Dockerfile check, which reports multi-stage builds
# that reuse one alias ("FROM <image> as <alias>") in more than one FROM.
# A reused alias makes by-name references to a build stage ambiguous.
#
# Each test overrides `input` with a parsed-Dockerfile document: a list of
# "Stages", each with a "Name" and the "Commands" it contains. The `deny`
# rule under test is defined outside this file.
package builtin.dockerfile.DS012

# Two later stages share the alias "build"; the first stage has its own alias
# "bi". Exactly one result with the duplicate-alias message is expected.
# NOTE(review): the first stage's Name carries "as bi" but its FROM Value does
# not - confirm which field the rule reads.
test_basic_denied {
	res := deny with input as {"Stages": [
		{"Name": "baseImage as bi", "Commands": [
			{"Cmd": "from", "Value": ["baseImage"], "StartLine": 1},
			{"Cmd": "run", "Value": ["Test"], "StartLine": 2},
		]},
		{"Name": "debian:jesse2 as build", "Commands": [
			{"Cmd": "from", "Value": ["debian:jesse2", "as", "build"], "StartLine": 3},
			{"Cmd": "run", "Value": ["stuff"], "StartLine": 4},
		]},
		{"Name": "debian:jesse1 as build", "Commands": [
			{"Cmd": "from", "Value": ["debian:jesse1", "as", "build"], "StartLine": 5},
			{"Cmd": "run", "Value": ["more_stuff"], "StartLine": 6},
		]},
	]}

	count(res) == 1
	res[_].msg == "Duplicate aliases 'build' are found in different FROMs"
}

# Same as the basic case, except the first stage has no alias at all. The
# un-aliased stage must not hide the duplicate "build" in the later stages.
test_missed_alias_denied {
	res := deny with input as {"Stages": [
		{"Name": "baseImage", "Commands": [
			{"Cmd": "from", "Value": ["baseImage"], "StartLine": 1},
			{"Cmd": "run", "Value": ["Test"], "StartLine": 2},
		]},
		{"Name": "debian:jesse2 as build", "Commands": [
			{"Cmd": "from", "Value": ["debian:jesse2", "as", "build"], "StartLine": 3},
			{"Cmd": "run", "Value": ["stuff"], "StartLine": 4},
		]},
		{"Name": "debian:jesse1 as build", "Commands": [
			{"Cmd": "from", "Value": ["debian:jesse1", "as", "build"], "StartLine": 5},
			{"Cmd": "run", "Value": ["more_stuff"], "StartLine": 6},
		]},
	]}

	count(res) == 1
	res[_].msg == "Duplicate aliases 'build' are found in different FROMs"
}

# Neither stage Name carries an alias, so nothing should be reported.
# NOTE(review): the second stage's FROM Value still contains "as", "build"
# while its Name does not. Only one alias appears either way, so the
# expectation holds, but the fixture is internally inconsistent.
test_no_alias_allowed {
	res := deny with input as {"Stages": [
		{"Name": "baseImage", "Commands": [
			{"Cmd": "from", "Value": ["baseImage"]},
			{"Cmd": "run", "Value": ["Test"]},
		]},
		{"Name": "debian:jesse2", "Commands": [
			{"Cmd": "from", "Value": ["debian:jesse2", "as", "build"]},
			{"Cmd": "run", "Value": ["stuff"]},
		]},
	]}

	count(res) == 0
}

# Intended to cover stage names with extra whitespace around the alias.
# NOTE(review): as shown here the fixture is identical to
# test_missed_alias_denied and contains no extra spaces - possibly collapsed
# when the page was rendered. Confirm against the repository file that the
# whitespace variant is really exercised; otherwise a Dockerfile with irregular
# spacing could slip past the check untested.
test_extra_spaces_denied {
	res := deny with input as {"Stages": [
		{"Name": "baseImage", "Commands": [
			{"Cmd": "from", "Value": ["baseImage"], "StartLine": 1},
			{"Cmd": "run", "Value": ["Test"], "StartLine": 2},
		]},
		{"Name": "debian:jesse2 as build", "Commands": [
			{"Cmd": "from", "Value": ["debian:jesse2", "as", "build"], "StartLine": 3},
			{"Cmd": "run", "Value": ["stuff"], "StartLine": 4},
		]},
		{"Name": "debian:jesse1 as build", "Commands": [
			{"Cmd": "from", "Value": ["debian:jesse1", "as", "build"], "StartLine": 5},
			{"Cmd": "run", "Value": ["more_stuff"], "StartLine": 6},
		]},
	]}

	count(res) == 1
	res[_].msg == "Duplicate aliases 'build' are found in different FROMs"
}

# Distinct aliases ("build2", "build1") in the stage Names: no result expected.
# NOTE(review): both FROM Values still say "as", "build". The zero-result
# expectation therefore only holds if the rule derives aliases from Name -
# TODO confirm, and consider aligning Value with Name so the fixture cannot
# mask a regression if the rule ever switches fields.
# NOTE(review): no fixture in this file covers an upper-case "AS" keyword or
# aliases that differ only by letter case.
test_basic_allowed {
	res := deny with input as {"Stages": [
		{"Name": "baseImage", "Commands": [
			{"Cmd": "from", "Value": ["baseImage"]},
			{"Cmd": "run", "Value": ["Test"]},
		]},
		{"Name": "debian:jesse2 as build2", "Commands": [
			{"Cmd": "from", "Value": ["debian:jesse2", "as", "build"]},
			{"Cmd": "run", "Value": ["stuff"]},
		]},
		{"Name": "debian:jesse1 as build1", "Commands": [
			{"Cmd": "from", "Value": ["debian:jesse1", "as", "build"]},
			{"Cmd": "run", "Value": ["more_stuff"]},
		]},
	]}

	count(res) == 0
}