Feat(Query): Privileged Containers Enabled for Docker Compose (Checkm…

…arx#5029)

* query privileged containers dCompose

* query privileged containers dCompose

* query privileged containers dCompose 2

* query privileged containers dCompose

* validates samples, changed query to match them

assets/queries/dockerCompose/privileged_containers_enabled/metadata.json

@@ -0,0 +1,10 @@
+{
+    "id": "ae5b6871-7f45-42e0-bb4c-ab300c4d2026",
+    "queryName": "Privileged Containers Enabled",
+    "severity": "HIGH",
+    "category": "Resource Management",
+    "descriptionText": "Privileged containers should be used with extreme caution, they have all of the capabilities that the linux kernel offers for docker.",
+    "descriptionUrl": "https://docs.docker.com/compose/compose-file/compose-file-v3/#domainname-hostname-ipc-mac_address-privileged-read_only-shm_size-stdin_open-tty-user-working_dir",
+    "platform": "DockerCompose",
+    "descriptionID": "029f6145"
+  }

assets/queries/dockerCompose/privileged_containers_enabled/query.rego

@@ -0,0 +1,19 @@
+package Cx
+
+import data.generic.common as common_lib
+
+CxPolicy[result] {
+	resource := input.document[i]
+	service_parameters := resource.services[name]	
+    privileged := service_parameters.privileged    
+ 	privileged == true
+
+	result := {
+		"documentId": sprintf("%s", [resource.id]),
+		"searchKey": sprintf("services.%s.privileged",[name]),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": "Docker compose file to have 'privileged' attribute set to false or not set",
+		"keyActualValue": "Docker compose file has 'privileged' attribute as true",
+		"searchLine":  common_lib.build_search_line(["services", name, "privileged"], []),
+	}
+}

assets/queries/dockerCompose/privileged_containers_enabled/test/negative1.yaml

@@ -0,0 +1,9 @@
+version: "3.9"
+
+services:
+  webapp:
+    build:
+      context: ./dir
+      dockerfile: Dockerfile-alternate
+      args:
+        buildno: 1

assets/queries/dockerCompose/privileged_containers_enabled/test/negative2.yaml

@@ -0,0 +1,13 @@
+version: "3.9"
+
+services:
+  webapp:
+    build:
+      context: ./dir
+      dockerfile: Dockerfile-alternate
+      args:
+        buildno: 1
+    ports:
+      - "8080:8080"
+      - "3000:3000"
+    privileged: false

assets/queries/dockerCompose/privileged_containers_enabled/test/positive1.yaml

@@ -0,0 +1,10 @@
+version: "3.9"
+
+services:
+  webapp:
+    build:
+      context: ./dir
+      dockerfile: Dockerfile-alternate
+      args:
+        buildno: 1
+    privileged: true

assets/queries/dockerCompose/privileged_containers_enabled/test/positive2.yaml

@@ -0,0 +1,15 @@
+version: "3.9"
+
+services:
+  webapp:
+    build:
+      context: ./dir
+      dockerfile: Dockerfile-alternate
+      args:
+        buildno: 1
+    ports:
+      - "8080:8080"
+      - "3000:3000"
+    privileged: true
+    cap_drop:
+      - all

assets/queries/dockerCompose/privileged_containers_enabled/test/positive_expected_result.json

@@ -0,0 +1,14 @@
+[
+    {
+      "queryName": "Privileged Containers Enabled",
+      "severity": "HIGH",
+      "line": 10,
+      "filename": "positive1.yaml"
+    },
+    {
+        "queryName": "Privileged Containers Enabled",
+        "severity": "HIGH",
+        "line": 13,
+        "filename": "positive2.yaml"
+    }
+]