Merge pull request Checkmarx#7117 from Checkmarx/AST-43980

fix(query): revert changes in the 'platform_flag_with_from' query
liorj-orca · Jun 12, 2024 · e649f84 · e649f84
2 parents e83ddfc + 5025b12
commit e649f84
Show file tree

Hide file tree

Showing 6 changed files with 11 additions and 11 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,4 @@
-FROM --platform=linux/amd64 cgr.dev/chainguard/go@sha256:38db527239c4b33c6ebd1751007041e33cdf81de45f2195b1a60816eb351def1 as build_env
+FROM cgr.dev/chainguard/go@sha256:38db527239c4b33c6ebd1751007041e33cdf81de45f2195b1a60816eb351def1 as build_env
 
 # Copy the source from the current directory to the Working Directory inside the container
 WORKDIR /app
@@ -31,7 +31,7 @@ USER nonroot
 # Runtime image
 # Ignore no User Cmd since KICS container is stopped afer scan
 # kics-scan ignore-line
-FROM --platform=linux/amd64 cgr.dev/chainguard/git@sha256:9dc48ca2f9b643fffece0d7079f4e3b0b40e343de1c8f0f583db551d3df3c419
+FROM cgr.dev/chainguard/git@sha256:9dc48ca2f9b643fffece0d7079f4e3b0b40e343de1c8f0f583db551d3df3c419
 
 ENV TERM xterm-256color
 

diff --git a/assets/queries/dockerfile/using_platform_with_from/metadata.json b/assets/queries/dockerfile/using_platform_with_from/metadata.json
@@ -1,9 +1,9 @@
 {
   "id": "b16e8501-ef3c-44e1-a543-a093238099c9",
   "queryName": "Using Platform Flag with FROM Command",
-  "severity": "LOW",
+  "severity": "INFO",
   "category": "Best Practices",
-  "descriptionText": "'FROM' instruction should use the flag '--platform'",
+  "descriptionText": "'FROM' instruction should not use the flag '--platform'",
   "descriptionUrl": "https://docs.docker.com/engine/reference/builder/#from",
   "platform": "Dockerfile",
   "descriptionID": "5bd0baab",

diff --git a/assets/queries/dockerfile/using_platform_with_from/query.rego b/assets/queries/dockerfile/using_platform_with_from/query.rego
@@ -5,15 +5,14 @@ import data.generic.common as common_lib
 CxPolicy[result] {
 	resource := input.document[i].command[name][_]
 
-	common_lib.contains_element(resource.Value, "as")
-    contains(resource.Cmd, "from")
-	not common_lib.contains_with_size(resource.Flags, "--platform")
+	contains(resource.Flags[j], "--platform")
+	contains(resource.Cmd, "from")
 
 	result := {
 		"documentId": input.document[i].id,
 		"searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]),
 		"issueType": "IncorrectValue",
-		"keyExpectedValue": sprintf("FROM={{%s}}.{{%s}} should use the flag '--platform'", [name, resource.Original]),
-		"keyActualValue": sprintf("FROM={{%s}}.{{%s}} not use the flag '--platform'", [name, resource.Original]),
+		"keyExpectedValue": sprintf("FROM={{%s}}.{{%s}} should not use the '--platform' flag", [name, resource.Original]),
+		"keyActualValue": sprintf("FROM={{%s}}.{{%s}} is using the '--platform' flag", [name, resource.Original]),
 	}
 }
diff --git a/...atform_with_from/test/positive.dockerfile → ...tform_with_from/test/negative1.dockerfile b/...atform_with_from/test/positive.dockerfile → ...tform_with_from/test/negative1.dockerfile
diff --git a/...atform_with_from/test/negative.dockerfile → ...tform_with_from/test/positive1.dockerfile b/...atform_with_from/test/negative.dockerfile → ...tform_with_from/test/positive1.dockerfile
diff --git a/assets/queries/dockerfile/using_platform_with_from/test/positive_expected_result.json b/assets/queries/dockerfile/using_platform_with_from/test/positive_expected_result.json
@@ -1,7 +1,8 @@
 [
   {
     "queryName": "Using Platform Flag with FROM Command",
-    "severity": "LOW",
-    "line": 6
+    "severity": "INFO",
+    "line": 6,
+    "fileName": "positive1.dockerfile"
   }
 ]