
update(query): add cwe infos to dockerCompose queries #7164

Merged
merged 23 commits into from
Sep 20, 2024
23 commits
57323f9
add cwe infos to dockerCompose queries
ArturRibeiro-CX Jun 28, 2024
6799bf0
Merge branch 'master' into AST-45283-dockerCompose
ArturRibeiro-CX Jun 28, 2024
5b0e44b
add cloudProvider common to all queries
ArturRibeiro-CX Jun 28, 2024
c80dade
add oldSeverity field to queries metadata
ArturRibeiro-CX Jun 28, 2024
a0101e3
add cloudProvider and cwe field to e2e tests after query update
ArturRibeiro-CX Jun 28, 2024
92bb36b
Merge branch 'master' into AST-45283-dockerCompose
ArturRibeiro-CX Jul 1, 2024
ed42baa
remove cwe info from volume has sensitive host directory
ArturRibeiro-CX Jul 1, 2024
5862043
Merge branch 'master' into AST-45283-dockerCompose
ArturRibeiro-CX Jul 1, 2024
aa24137
Merge branch 'master' into AST-45283-dockerCompose
ArturRibeiro-CX Jul 4, 2024
e42dfbf
Merge branch 'master' into AST-45283-dockerCompose
ArturRibeiro-CX Jul 5, 2024
fe9366d
Merge branch 'master' of https://github.com/Checkmarx/kics into AST-4…
ArturRibeiro-CX Jul 8, 2024
a3a0a15
revert addition of cwe and fix unit test samples
ArturRibeiro-CX Jul 8, 2024
8caf103
add cwe as a required field to queries metadata
ArturRibeiro-CX Jul 16, 2024
d56133f
Merge branch 'master' into AST-45283-dockerCompose
ArturRibeiro-CX Jul 16, 2024
acc0ce9
Merge branch 'master' into AST-45283-dockerCompose
cx-ruiaraujo Jul 22, 2024
ae095d2
Merge branch 'master' into AST-45283-dockerCompose
ArturRibeiro-CX Aug 19, 2024
c383ea6
Merge branch 'master' into AST-45283-dockerCompose
ArturRibeiro-CX Sep 13, 2024
f996447
Merge branch 'master' into AST-45283-dockerCompose
ArturRibeiro-CX Sep 18, 2024
ccccbf5
Merge branch 'master' of https://github.com/Checkmarx/kics into AST-4…
ArturRibeiro-CX Sep 19, 2024
712492e
update versions to fix cx_one vulnerabilities
ArturRibeiro-CX Sep 20, 2024
ac3c736
Merge branch 'master' of https://github.com/Checkmarx/kics into AST-4…
ArturRibeiro-CX Sep 20, 2024
b13e8f5
dummy pr for checkmarx scan
ArturRibeiro-CX Sep 20, 2024
e46131f
trigger cxOne pipeline
ArturRibeiro-CX Sep 20, 2024
3 changes: 2 additions & 1 deletion .github/scripts/queries-validator/metadata-schema.json
Original file line number Diff line number Diff line change
Expand Up @@ -32,7 +32,8 @@
"descriptionUrl",
"cloudProvider",
"platform",
"descriptionID"
"descriptionID",
"cwe"
],
"properties": {
"id": {
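Review bot: adding "cwe" to the required list only guarantees the key is present, not that it carries a value; every metadata file touched in this PR previously shipped `"cwe": ""`, and that would still validate. Since the property definition for "cwe" is outside this hunk, please confirm it constrains the value (a pattern for a numeric string or a minimum length) so an empty or malformed CWE id fails the queries-validator rather than silently passing.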
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -7,5 +7,7 @@
"descriptionUrl": "https://docs.docker.com/compose/compose-file/compose-file-v3/#cgroup_parent",
"platform": "DockerCompose",
"descriptionID": "b3657456",
"cwe": ""
"oldSeverity": "MEDIUM",
"cloudProvider": "common",
"cwe": "400"
}
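Review bot: the order of the three added keys differs between files in this PR: here it is `"oldSeverity"`, `"cloudProvider"`, `"cwe"`, while other metadata files put `"cloudProvider"` first or `"oldSeverity"` last. JSON does not care, but a single fixed order across all DockerCompose queries keeps future diffs small and makes a missing key easy to spot in review; consider normalizing them before merge.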
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@
"descriptionUrl": "https://docs.docker.com/compose/compose-file/compose-file-v3/#cap_add-cap_drop",
"platform": "DockerCompose",
"descriptionID": "1ddab108",
"cwe": "",
"cloudProvider": "common",
"cwe": "400",
"oldSeverity": "LOW"
}
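Review bot: this query and a later one in the PR both point their descriptionUrl at the same `#cap_add-cap_drop` section, yet this one is mapped to CWE-400 (uncontrolled resource consumption) while the other gets CWE-269 (improper privilege management). Capability handling is a privilege concern rather than a resource one, so please double-check that 400 is the intended mapping here and not a copy from the resource-limit queries.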
Original file line number Diff line number Diff line change
Expand Up @@ -7,5 +7,7 @@
"descriptionUrl": "https://docs.docker.com/compose/compose-file/compose-file-v3/#ports",
"platform": "DockerCompose",
"descriptionID": "909d1bcd",
"cwe": ""
"oldSeverity": "MEDIUM",
"cloudProvider": "common",
"cwe": "693"
}
Original file line number Diff line number Diff line change
Expand Up @@ -7,5 +7,7 @@
"descriptionUrl": "https://docs.docker.com/compose/compose-file/compose-file-v3/#resources",
"platform": "DockerCompose",
"descriptionID": "d58d94a1",
"cwe": ""
"oldSeverity": "LOW",
"cloudProvider": "common",
"cwe": "400"
}
Original file line number Diff line number Diff line change
Expand Up @@ -3,9 +3,11 @@
"queryName": "Default Seccomp Profile Disabled",
"severity": "MEDIUM",
"category": "Resource Management",
"descriptionText": "Seccomp offers a whitelist of common system calls, blocking all others. Having less kernel exposed to an app then increases security.",
"descriptionText": "Seccomp offers a whitelist of common system calls, blocking all others. This reduces the kernel's exposure to the application, thereby increasing security.",
"descriptionUrl": "https://docs.docker.com/compose/compose-file/compose-file-v3/#security_opt",
"platform": "DockerCompose",
"descriptionID": "3702d7fb",
"cwe": ""
"cloudProvider": "common",
"oldSeverity": "MEDIUM",
"cwe": "269"
}
Original file line number Diff line number Diff line change
Expand Up @@ -7,5 +7,7 @@
"descriptionUrl": "https://docs.docker.com/compose/compose-file/#volumes",
"platform": "DockerCompose",
"descriptionID": "8acc9d24",
"cwe": ""
"oldSeverity": "HIGH",
"cloudProvider": "common",
"cwe": "284"
}
Original file line number Diff line number Diff line change
Expand Up @@ -7,5 +7,7 @@
"descriptionUrl": "https://docs.docker.com/compose/compose-file/compose-file-v3/#healthcheck",
"platform": "DockerCompose",
"descriptionID": "449b7c5c",
"cwe": ""
"oldSeverity": "MEDIUM",
"cloudProvider": "common",
"cwe": "703"
}
Original file line number Diff line number Diff line change
Expand Up @@ -7,5 +7,7 @@
"descriptionUrl": "https://docs.docker.com/compose/compose-file/compose-file-v3/#pid",
"platform": "DockerCompose",
"descriptionID": "39a43177",
"cwe": ""
"oldSeverity": "MEDIUM",
"cloudProvider": "common",
"cwe": "250"
}
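Review bot: the `#pid` query is mapped to CWE-250 (execution with unnecessary privileges), whereas the sibling namespace queries in this PR (`#network_mode`, `#userns_mode`) use CWE-668 (exposure of resource to wrong sphere). Sharing the host PID namespace is the same class of isolation weakening as sharing the host network or user namespace, so consider aligning on 668 here unless the split is deliberate.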
Original file line number Diff line number Diff line change
Expand Up @@ -7,5 +7,7 @@
"descriptionUrl": "https://docs.docker.com/compose/compose-file/compose-file-v3/#resources",
"platform": "DockerCompose",
"descriptionID": "8fcb9f7d",
"cwe": ""
"oldSeverity": "MEDIUM",
"cloudProvider": "common",
"cwe": "770"
}
Original file line number Diff line number Diff line change
Expand Up @@ -7,5 +7,7 @@
"descriptionUrl": "https://docs.docker.com/engine/reference/run/#security-configuration",
"platform": "DockerCompose",
"descriptionID": "be48e182",
"cwe": ""
"oldSeverity": "HIGH",
"cloudProvider": "common",
"cwe": "250"
}
Original file line number Diff line number Diff line change
Expand Up @@ -7,5 +7,7 @@
"descriptionUrl": "https://docs.docker.com/compose/compose-file/compose-file-v3/#domainname-hostname-ipc-mac_address-privileged-read_only-shm_size-stdin_open-tty-user-working_dir",
"platform": "DockerCompose",
"descriptionID": "2d241407",
"cwe": ""
"oldSeverity": "MEDIUM",
"cloudProvider": "common",
"cwe": "770"
}
Original file line number Diff line number Diff line change
Expand Up @@ -7,5 +7,7 @@
"descriptionUrl": "https://docs.docker.com/compose/compose-file/#privileged",
"platform": "DockerCompose",
"descriptionID": "029f6145",
"cwe": ""
"oldSeverity": "HIGH",
"cloudProvider": "common",
"cwe": "250"
}
Original file line number Diff line number Diff line change
Expand Up @@ -7,5 +7,7 @@
"descriptionUrl": "https://docs.docker.com/compose/compose-file/compose-file-v3/#cap_add-cap_drop",
"platform": "DockerCompose",
"descriptionID": "686dd55f",
"cwe": ""
"cloudProvider": "common",
"oldSeverity": "MEDIUM",
"cwe": "269"
}
Original file line number Diff line number Diff line change
Expand Up @@ -7,5 +7,7 @@
"descriptionUrl": "https://docs.docker.com/config/containers/start-containers-automatically/#use-a-restart-policy",
"platform": "DockerCompose",
"descriptionID": "d21fff2e",
"cwe": ""
"oldSeverity": "MEDIUM",
"cloudProvider": "common",
"cwe": "693"
}
Original file line number Diff line number Diff line change
Expand Up @@ -7,5 +7,7 @@
"descriptionUrl": "https://docs.docker.com/compose/compose-file/compose-file-v3/#security_opt",
"platform": "DockerCompose",
"descriptionID": "83fb7a65",
"cwe": ""
"cloudProvider": "common",
"oldSeverity": "MEDIUM",
"cwe": "693"
}
Original file line number Diff line number Diff line change
Expand Up @@ -7,5 +7,7 @@
"descriptionUrl": "https://docs.docker.com/compose/compose-file/compose-file-v3/#domainname-hostname-ipc-mac_address-privileged-read_only-shm_size-stdin_open-tty-user-working_dir",
"platform": "DockerCompose",
"descriptionID": "987dc2d7",
"cwe": ""
"oldSeverity": "MEDIUM",
"cloudProvider": "common",
"cwe": "668"
}
Original file line number Diff line number Diff line change
Expand Up @@ -7,5 +7,7 @@
"descriptionUrl": "https://docs.docker.com/compose/compose-file/compose-file-v3/#network_mode",
"platform": "DockerCompose",
"descriptionID": "25acba10",
"cwe": ""
"cloudProvider": "common",
"oldSeverity": "MEDIUM",
"cwe": "668"
}
Original file line number Diff line number Diff line change
Expand Up @@ -7,5 +7,7 @@
"descriptionUrl": "https://docs.docker.com/compose/compose-file/compose-file-v3/#userns_mode",
"platform": "DockerCompose",
"descriptionID": "b7859ec8",
"cwe": ""
"oldSeverity": "MEDIUM",
"cloudProvider": "common",
"cwe": "668"
}
Original file line number Diff line number Diff line change
Expand Up @@ -6,5 +6,8 @@
"descriptionText": "Volumes shared between containers can cause data corruption or can be used to share malicious files between containers.",
"descriptionUrl": "https://docs.docker.com/compose/compose-file/compose-file-v3/#volumes",
"platform": "DockerCompose",
"descriptionID": "574aa3ab"
"descriptionID": "574aa3ab",
"oldSeverity": "INFO",
"cloudProvider": "common",
"cwe": "693"
}
Original file line number Diff line number Diff line change
Expand Up @@ -10,4 +10,4 @@
"oldSeverity": "HIGH",
"cloudProvider": "common",
"cwe": "668"
}
}
Original file line number Diff line number Diff line change
@@ -1,5 +1,7 @@
version: '3'

services:
image: docker
volumes:
wordpress-db-data:
driver: local-persist
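Review bot: the two lines added at the top of this sample put `image: docker` directly under `services:` with no service name in between, which Compose parses as a service called `image` whose definition is the scalar `docker` rather than a mapping. If the intent is only to shift the volume definition down two lines so the expected line number in the test result moves from 12 to 14, nest the image under a named service (for example `services:` / `  app:` / `    image: docker`) so the sample stays a valid compose file; the same applies to the identical hunk in the next sample file.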
Expand Down
Original file line number Diff line number Diff line change
@@ -1,5 +1,7 @@
version: '3'

services:
image: docker
volumes:
wordpress-db-data:
driver: local-persist
Expand All @@ -9,4 +11,4 @@ volumes:
wp-content:
driver: local-persist
driver_opts:
mountpoint: /var/data
mountpoint: /var/data
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@
{
"queryName": "Volume Has Sensitive Host Directory",
"severity": "HIGH",
"line": 12,
"line": 14,
"filename": "positive3.yaml"
},
{
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -7,5 +7,7 @@
"descriptionUrl": "https://docs.docker.com/compose/compose-file/compose-file-v3/#volumes",
"platform": "DockerCompose",
"descriptionID": "1c7ca167",
"cwe": ""
"cloudProvider": "common",
"oldSeverity": "HIGH",
"cwe": "668"
}
2 changes: 2 additions & 0 deletions e2e/fixtures/E2E_CLI_096_RESULT.json
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,8 @@
"query_url": "https://docs.docker.com/compose/compose-file/compose-file-v3/#resources",
"severity": "MEDIUM",
"platform": "DockerCompose",
"cwe": "770",
"cloud_provider": "COMMON",
"category": "Resource Management",
"experimental": false,
"description": "Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory",
Expand Down
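Review bot: the result fixtures gain `"cwe"` and `"cloud_provider"` for the DockerCompose finding, with the provider emitted as `"COMMON"` in upper case while the metadata files use `"common"`; that matches the existing normalization, but since "cwe" is now a required metadata field and every DockerCompose query gained a cloudProvider, any other e2e fixture that contains a DockerCompose result would need the same two keys. Only E2E_CLI_096 and E2E_CLI_097 are updated here, so please confirm the remaining fixtures were checked.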
2 changes: 2 additions & 0 deletions e2e/fixtures/E2E_CLI_097_RESULT.json
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,8 @@
"query_url": "https://docs.docker.com/compose/compose-file/compose-file-v3/#resources",
"severity": "MEDIUM",
"platform": "DockerCompose",
"cwe": "770",
"cloud_provider": "COMMON",
"category": "Resource Management",
"experimental": false,
"description": "Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory",
Expand Down