Merge pull request #7164 from Checkmarx/AST-45283-dockerCompose
update(query): add cwe infos to dockerCompose queries
ArturRibeiro-CX authored Sep 20, 2024
2 parents 21234ad + e46131f commit 399513d
Showing 30 changed files with 177 additions and 136 deletions.
3 changes: 2 additions & 1 deletion .github/scripts/queries-validator/metadata-schema.json
Expand Up @@ -32,7 +32,8 @@
"descriptionUrl",
"cloudProvider",
"platform",
"descriptionID"
"descriptionID",
"cwe"
],
"properties": {
"id": {
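Review bot: Adding `"cwe"` to `required` does not reject the empty value the dockerCompose metadata files carried until this commit (`"cwe": ""`), because `required` only checks that the key is present. The `properties` block that would constrain the value continues below the hunk, so I cannot see whether a `cwe` entry exists there; if it does not, add one such as `"cwe": { "type": "string", "pattern": "^[0-9]+$" }` so that an empty or non-numeric identifier fails the metadata validator instead of reaching the published query catalogue.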
4 changes: 2 additions & 2 deletions README.md
Expand Up @@ -264,7 +264,7 @@ KICS is used by various companies and organizations, some are listed below. If y
- [Keptn](https://github.com/keptn) / [Keptn Lifecycle Toolkit](https://keptn.sh)

**Keeping Infrastructure as Code Secure!**

---

© 2024 Checkmarx Ltd. All Rights Reserved.
© 2024 Checkmarx Ltd. All Rights Reserved.
Expand Up @@ -7,5 +7,7 @@
"descriptionUrl": "https://docs.docker.com/compose/compose-file/compose-file-v3/#cgroup_parent",
"platform": "DockerCompose",
"descriptionID": "b3657456",
"cwe": ""
"oldSeverity": "MEDIUM",
"cloudProvider": "common",
"cwe": "400"
}
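Review bot: The three added keys are written in a different order from one metadata file to the next — this hunk has `oldSeverity`, `cloudProvider`, `cwe`, the cap_add hunk that follows has `cloudProvider`, `cwe`, `oldSeverity`, and the seccomp one has `cloudProvider`, `oldSeverity`, `cwe`. Key order carries no meaning in JSON, but one fixed order across the query metadata files keeps future diffs to a single line per field and makes a missing key visible at a glance; the same point applies to the remaining dockerCompose metadata hunks in this commit.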
Expand Up @@ -7,6 +7,7 @@
"descriptionUrl": "https://docs.docker.com/compose/compose-file/compose-file-v3/#cap_add-cap_drop",
"platform": "DockerCompose",
"descriptionID": "1ddab108",
"cwe": "",
"cloudProvider": "common",
"cwe": "400",
"oldSeverity": "LOW"
}
Expand Up @@ -7,5 +7,7 @@
"descriptionUrl": "https://docs.docker.com/compose/compose-file/compose-file-v3/#ports",
"platform": "DockerCompose",
"descriptionID": "909d1bcd",
"cwe": ""
"oldSeverity": "MEDIUM",
"cloudProvider": "common",
"cwe": "693"
}
4 changes: 3 additions & 1 deletion assets/queries/dockerCompose/cpus_not_limited/metadata.json
Expand Up @@ -7,5 +7,7 @@
"descriptionUrl": "https://docs.docker.com/compose/compose-file/compose-file-v3/#resources",
"platform": "DockerCompose",
"descriptionID": "d58d94a1",
"cwe": ""
"oldSeverity": "LOW",
"cloudProvider": "common",
"cwe": "400"
}
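Review bot: `"cwe": "400"` here differs from the `"cwe": "770"` given later in this commit to the memory-limit query (descriptionID 8fcb9f7d), although both queries point at the same `#resources` docs section and report the same class of problem, a container with no resource ceiling. CWE-770 (Allocation of Resources Without Limits or Throttling) is the more specific child of CWE-400 and fits an unbounded CPU allocation just as well; unless the split is deliberate, use `"cwe": "770"` for both so that consumers grouping findings by CWE see the two queries together.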
Expand Up @@ -3,9 +3,11 @@
"queryName": "Default Seccomp Profile Disabled",
"severity": "MEDIUM",
"category": "Resource Management",
"descriptionText": "Seccomp offers a whitelist of common system calls, blocking all others. Having less kernel exposed to an app then increases security.",
"descriptionText": "Seccomp offers a whitelist of common system calls, blocking all others. This reduces the kernel's exposure to the application, thereby increasing security.",
"descriptionUrl": "https://docs.docker.com/compose/compose-file/compose-file-v3/#security_opt",
"platform": "DockerCompose",
"descriptionID": "3702d7fb",
"cwe": ""
"cloudProvider": "common",
"oldSeverity": "MEDIUM",
"cwe": "269"
}
Expand Up @@ -7,5 +7,7 @@
"descriptionUrl": "https://docs.docker.com/compose/compose-file/#volumes",
"platform": "DockerCompose",
"descriptionID": "8acc9d24",
"cwe": ""
"oldSeverity": "HIGH",
"cloudProvider": "common",
"cwe": "284"
}
Expand Up @@ -7,5 +7,7 @@
"descriptionUrl": "https://docs.docker.com/compose/compose-file/compose-file-v3/#healthcheck",
"platform": "DockerCompose",
"descriptionID": "449b7c5c",
"cwe": ""
"oldSeverity": "MEDIUM",
"cloudProvider": "common",
"cwe": "703"
}
Expand Up @@ -7,5 +7,7 @@
"descriptionUrl": "https://docs.docker.com/compose/compose-file/compose-file-v3/#pid",
"platform": "DockerCompose",
"descriptionID": "39a43177",
"cwe": ""
"oldSeverity": "MEDIUM",
"cloudProvider": "common",
"cwe": "250"
}
Expand Up @@ -7,5 +7,7 @@
"descriptionUrl": "https://docs.docker.com/compose/compose-file/compose-file-v3/#resources",
"platform": "DockerCompose",
"descriptionID": "8fcb9f7d",
"cwe": ""
"oldSeverity": "MEDIUM",
"cloudProvider": "common",
"cwe": "770"
}
Expand Up @@ -7,5 +7,7 @@
"descriptionUrl": "https://docs.docker.com/engine/reference/run/#security-configuration",
"platform": "DockerCompose",
"descriptionID": "be48e182",
"cwe": ""
"oldSeverity": "HIGH",
"cloudProvider": "common",
"cwe": "250"
}
Expand Up @@ -7,5 +7,7 @@
"descriptionUrl": "https://docs.docker.com/compose/compose-file/compose-file-v3/#domainname-hostname-ipc-mac_address-privileged-read_only-shm_size-stdin_open-tty-user-working_dir",
"platform": "DockerCompose",
"descriptionID": "2d241407",
"cwe": ""
"oldSeverity": "MEDIUM",
"cloudProvider": "common",
"cwe": "770"
}
Expand Up @@ -7,5 +7,7 @@
"descriptionUrl": "https://docs.docker.com/compose/compose-file/#privileged",
"platform": "DockerCompose",
"descriptionID": "029f6145",
"cwe": ""
"oldSeverity": "HIGH",
"cloudProvider": "common",
"cwe": "250"
}
Expand Up @@ -7,5 +7,7 @@
"descriptionUrl": "https://docs.docker.com/compose/compose-file/compose-file-v3/#cap_add-cap_drop",
"platform": "DockerCompose",
"descriptionID": "686dd55f",
"cwe": ""
"cloudProvider": "common",
"oldSeverity": "MEDIUM",
"cwe": "269"
}
Expand Up @@ -7,5 +7,7 @@
"descriptionUrl": "https://docs.docker.com/config/containers/start-containers-automatically/#use-a-restart-policy",
"platform": "DockerCompose",
"descriptionID": "d21fff2e",
"cwe": ""
"oldSeverity": "MEDIUM",
"cloudProvider": "common",
"cwe": "693"
}
Expand Up @@ -7,5 +7,7 @@
"descriptionUrl": "https://docs.docker.com/compose/compose-file/compose-file-v3/#security_opt",
"platform": "DockerCompose",
"descriptionID": "83fb7a65",
"cwe": ""
"cloudProvider": "common",
"oldSeverity": "MEDIUM",
"cwe": "693"
}
Expand Up @@ -7,5 +7,7 @@
"descriptionUrl": "https://docs.docker.com/compose/compose-file/compose-file-v3/#domainname-hostname-ipc-mac_address-privileged-read_only-shm_size-stdin_open-tty-user-working_dir",
"platform": "DockerCompose",
"descriptionID": "987dc2d7",
"cwe": ""
"oldSeverity": "MEDIUM",
"cloudProvider": "common",
"cwe": "668"
}
Expand Up @@ -7,5 +7,7 @@
"descriptionUrl": "https://docs.docker.com/compose/compose-file/compose-file-v3/#network_mode",
"platform": "DockerCompose",
"descriptionID": "25acba10",
"cwe": ""
"cloudProvider": "common",
"oldSeverity": "MEDIUM",
"cwe": "668"
}
Expand Up @@ -7,5 +7,7 @@
"descriptionUrl": "https://docs.docker.com/compose/compose-file/compose-file-v3/#userns_mode",
"platform": "DockerCompose",
"descriptionID": "b7859ec8",
"cwe": ""
"oldSeverity": "MEDIUM",
"cloudProvider": "common",
"cwe": "668"
}
Expand Up @@ -6,5 +6,8 @@
"descriptionText": "Volumes shared between containers can cause data corruption or can be used to share malicious files between containers.",
"descriptionUrl": "https://docs.docker.com/compose/compose-file/compose-file-v3/#volumes",
"platform": "DockerCompose",
"descriptionID": "574aa3ab"
"descriptionID": "574aa3ab",
"oldSeverity": "INFO",
"cloudProvider": "common",
"cwe": "693"
}
Expand Up @@ -10,4 +10,4 @@
"oldSeverity": "HIGH",
"cloudProvider": "common",
"cwe": "668"
}
}
@@ -1,5 +1,7 @@
version: '3'

services:
image: docker
volumes:
wordpress-db-data:
driver: local-persist
@@ -1,5 +1,7 @@
version: '3'

services:
image: docker
volumes:
wordpress-db-data:
driver: local-persist
Expand All @@ -9,4 +11,4 @@ volumes:
wp-content:
driver: local-persist
driver_opts:
mountpoint: /var/data
mountpoint: /var/data
Expand Up @@ -14,7 +14,7 @@
{
"queryName": "Volume Has Sensitive Host Directory",
"severity": "HIGH",
"line": 12,
"line": 14,
"filename": "positive3.yaml"
},
{
Expand Up @@ -7,5 +7,7 @@
"descriptionUrl": "https://docs.docker.com/compose/compose-file/compose-file-v3/#volumes",
"platform": "DockerCompose",
"descriptionID": "1c7ca167",
"cwe": ""
"cloudProvider": "common",
"oldSeverity": "HIGH",
"cwe": "668"
}
2 changes: 2 additions & 0 deletions e2e/fixtures/E2E_CLI_096_RESULT.json
Expand Up @@ -32,6 +32,8 @@
"query_url": "https://docs.docker.com/compose/compose-file/compose-file-v3/#resources",
"severity": "MEDIUM",
"platform": "DockerCompose",
"cwe": "770",
"cloud_provider": "COMMON",
"category": "Resource Management",
"experimental": false,
"description": "Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory",
2 changes: 2 additions & 0 deletions e2e/fixtures/E2E_CLI_097_RESULT.json
Expand Up @@ -32,6 +32,8 @@
"query_url": "https://docs.docker.com/compose/compose-file/compose-file-v3/#resources",
"severity": "MEDIUM",
"platform": "DockerCompose",
"cwe": "770",
"cloud_provider": "COMMON",
"category": "Resource Management",
"experimental": false,
"description": "Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory",