forked from Checkmarx/kics
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Feat(Query): Default Seccomp Profile Disabled for docker compose (Che…
…ckmarx#5154) * query seccomp disabled * Update positive1.yaml * Update positive2.yaml * Update positive_expected_result.json * validated samples * updated P E R * Changed as requested * uncommented * updated P E R * changed as requested
- Loading branch information
1 parent
52d6d76
commit 51b9e1e
Showing
6 changed files
with
83 additions
and
0 deletions.
There are no files selected for viewing
10 changes: 10 additions & 0 deletions
10
assets/queries/dockerCompose/default_seccomp_profile_disabled/metadata.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,10 @@ | ||
| { | ||
| "id": "404fde2c-bc4b-4371-9747-7054132ac953", | ||
| "queryName": "Default Seccomp Profile Disabled", | ||
| "severity": "MEDIUM", | ||
| "category": "Resource Management", | ||
| "descriptionText": "Seccomp offers a whitelist of common system calls, blocking all others. Having less kernel exposed to an app then increases security.", | ||
| "descriptionUrl": "https://docs.docker.com/compose/compose-file/compose-file-v3/#security_opt", | ||
| "platform": "DockerCompose", | ||
| "descriptionID": "3702d7fb" | ||
| } |
20 changes: 20 additions & 0 deletions
20
assets/queries/dockerCompose/default_seccomp_profile_disabled/query.rego
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,20 @@ | ||
| package Cx | ||
|
|
||
| import data.generic.common as common_lib | ||
|
|
||
| CxPolicy[result] { | ||
| resource := input.document[i] | ||
| service_parameters := resource.services[name] | ||
| sec_opt_array := service_parameters.security_opt | ||
| sec_opt := sec_opt_array[a] | ||
| contains(sec_opt,"seccomp:unconfined") | ||
|
|
||
| result := { | ||
| "documentId": sprintf("%s", [resource.id]), | ||
| "searchKey": sprintf("services.%s.security_opt",[name]), | ||
| "issueType": "IncorrectValue", | ||
| "keyExpectedValue": "Seccomp default profile to not be disabled.", | ||
| "keyActualValue": "Seccomp default profile is disabled.", | ||
| "searchLine": common_lib.build_search_line(["services", name, "security_opt", a], []), | ||
| } | ||
| } |
9 changes: 9 additions & 0 deletions
9
assets/queries/dockerCompose/default_seccomp_profile_disabled/test/negative1.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,9 @@ | ||
| version: "3.9" | ||
|
|
||
| services: | ||
| webapp: | ||
| build: | ||
| context: ./ | ||
| dockerfile: Dockerfile-alternate | ||
| args: | ||
| buildno: 1 |
16 changes: 16 additions & 0 deletions
16
assets/queries/dockerCompose/default_seccomp_profile_disabled/test/positive1.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,16 @@ | ||
| version: "3.8" | ||
|
|
||
| services: | ||
| demo: | ||
| image: not/a/real/image | ||
| cap_add: | ||
| - SYS_PTRACE | ||
| volumes: | ||
| - type: volume | ||
| source: not-a-real-source-docker | ||
| target: /var/lib/docker | ||
| security_opt: | ||
| - label:seccomp:unconfined | ||
|
|
||
| volumes: | ||
| not-a-real-source-docker: |
14 changes: 14 additions & 0 deletions
14
assets/queries/dockerCompose/default_seccomp_profile_disabled/test/positive2.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,14 @@ | ||
| version: "3.9" | ||
|
|
||
| networks: | ||
| backend: | ||
|
|
||
| services: | ||
| example: | ||
| build: . | ||
| security_opt: | ||
| - seccomp:unconfined | ||
| networks: | ||
| - backend | ||
| ports: | ||
| - "5002:5002" |
14 changes: 14 additions & 0 deletions
14
...queries/dockerCompose/default_seccomp_profile_disabled/test/positive_expected_result.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,14 @@ | ||
| [ | ||
| { | ||
| "queryName": "Default Seccomp Profile Disabled", | ||
| "severity": "MEDIUM", | ||
| "line": 13, | ||
| "filename": "positive1.yaml" | ||
| }, | ||
| { | ||
| "queryName": "Default Seccomp Profile Disabled", | ||
| "severity": "MEDIUM", | ||
| "line": 10, | ||
| "filename": "positive2.yaml" | ||
| } | ||
| ] |