diff --git a/remediation/docker/securedockerfile.go b/remediation/docker/securedockerfile.go
index 3c954a56..b198718d 100644
--- a/remediation/docker/securedockerfile.go
+++ b/remediation/docker/securedockerfile.go
@@ -53,6 +53,12 @@ func SecureDockerFile(inputDockerFile string, opts ...DockerfileConfig) (*Secure
 var image string
 var tag string
 isPinned := false
+
+ // Check if image is exempted (skip pinning)
+ if len(exemptedImages) > 0 && pin.ActionExists(temp, exemptedImages) {
+ continue
+ }
+
 if strings.Contains(temp, ":") && !strings.Contains(temp, "sha256") {
 // case activates if image like: python:3.7
 split := strings.Split(temp, ":")
@@ -76,11 +82,6 @@ func SecureDockerFile(inputDockerFile string, opts ...DockerfileConfig) (*Secure
 isPinned = true
 }
 
- // Check if image is exempted (skip pinning)
- if len(exemptedImages) > 0 && pin.ActionExists(image, exemptedImages) {
- continue
- }
-
 if !isPinned {
 sha, err := getSHA(image, tag)
 if err != nil {
diff --git a/remediation/docker/securedockerfile_test.go b/remediation/docker/securedockerfile_test.go
index a842ab1f..22d7615b 100644
--- a/remediation/docker/securedockerfile_test.go
+++ b/remediation/docker/securedockerfile_test.go
@@ -39,6 +39,14 @@ func TestSecureDockerFile(t *testing.T) {
 httpmock.RegisterResponder("GET", "https://index.docker.io/v2/library/python/manifests/3.7",
 httpmock.NewStringResponder(200, resp))
 
+ httpmock.RegisterResponder("GET", "https://index.docker.io/v2/library/amazonlinux/manifests/2", httpmock.NewStringResponder(200, resp))
+ httpmock.RegisterResponder("GET", "https://index.docker.io/v2/library/amazonlinux/manifests/2023", httpmock.NewStringResponder(200, resp))
+
+ httpmock.RegisterResponder("GET", "https://public.ecr.aws/v2/",
+ httpmock.NewStringResponder(200, `{
+ }`))
+ httpmock.RegisterResponder("GET", "https://public.ecr.aws/v2/amazonlinux/amazonlinux/manifests/2023", httpmock.NewStringResponder(200, resp))
+
 tests := []struct {
 fileName string
 isChanged bool
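Review bot: Moving the exemption check ahead of the tag split changes what an exemption pattern is matched against — `temp`, the full `name:tag` reference, instead of the parsed `image` name the removed block used — so an existing config entry such as `python` no longer exempts `python:3.7`, which the test hunk confirms by rewriting the expected pattern to `"python:3.7"` rather than adding a case. That is fail-safe (more images get pinned, not fewer), but it is a silent breaking change for existing exemption lists and nothing in the commit documents it. Either keep both forms working by also testing the name-only value after the split, e.g. `if len(exemptedImages) > 0 && (pin.ActionExists(temp, exemptedImages) || pin.ActionExists(image, exemptedImages)) { continue }` placed where the removed block was, or state on the exemption option that patterns must now include a tag or a `:*` wildcard. The loop body of SecureDockerFile starts and ends outside these hunks, so how `temp` is derived from the FROM line is not visible here.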
@@ -48,8 +56,10 @@ func TestSecureDockerFile(t *testing.T) {
 {fileName: "Dockerfile-not-pinned", isChanged: true, useExemptConfig: false},
 {fileName: "Dockerfile-not-pinned-as", isChanged: true, useExemptConfig: false},
 {fileName: "Dockerfile-multiple-images", isChanged: true, useExemptConfig: false},
- {fileName: "Dockerfile-exempted", isChanged: false, exemptedImages: []string{"python"}, useExemptConfig: true},
- {fileName: "Dockerfile-exempted-wildcard", isChanged: true, exemptedImages: []string{"amazon*", "alpine"}, useExemptConfig: true},
+ {fileName: "Dockerfile-exempted", isChanged: false, exemptedImages: []string{"python:3.7"}, useExemptConfig: true},
+ {fileName: "Dockerfile-exempted-wildcard", isChanged: true, exemptedImages: []string{"amazon*", "alpine:*"}, useExemptConfig: true},
+ {fileName: "Dockerfile-imageandtag-exempted", isChanged: true, exemptedImages: []string{"amazonlinux:2"}, useExemptConfig: true},
+ {fileName: "Dockerfile-imageandtag-exempted-2", isChanged: true, exemptedImages: []string{"public.ecr.aws/amazonlinux/amazonlinux:2023"}, useExemptConfig: true},
 }
 
 for _, test := range tests {
diff --git a/remediation/workflow/pin/pinactions_test.go b/remediation/workflow/pin/pinactions_test.go
index f71082f9..70ccf1df 100644
--- a/remediation/workflow/pin/pinactions_test.go
+++ b/remediation/workflow/pin/pinactions_test.go
@@ -453,10 +453,28 @@ func TestActionExists(t *testing.T) {
 t.Errorf("ActionExists returned true for actions/checkout/something")
 }
 
+ result = ActionExists("amazonlinux:2023", []string{"amazonlinux:*"})
+ t.Log(result)
+ if !result {
+ t.Errorf("ActionExists returned true for amazonlinux:2023")
+ }
+
 result = ActionExists("step-security/checkout-release/something", []string{"*/checkout-*"})
 t.Log(result)
 if !result {
- t.Errorf("ActionExists returned true for actions/checkout/something")
+ t.Errorf("ActionExists returned true for step-security/checkout-release/something")
+ }
+
+ result = ActionExists("amazonlinux:2023", []string{"amazonlinux:2023"})
+ t.Log(result)
+ if !result {
+ t.Errorf("ActionExists returned true for amazonlinux:2023")
+ }
+
+ result = ActionExists("amazonlinux:2023", []string{"amazonlinux*"})
+ t.Log(result)
+ if !result {
+ t.Errorf("ActionExists returned true for amazonlinux:2023")
 }
 }
 
diff --git a/testfiles/dockerfiles/input/Dockerfile-imageandtag-exempted b/testfiles/dockerfiles/input/Dockerfile-imageandtag-exempted
new file mode 100644
index 00000000..4f6976e6
--- /dev/null
+++ b/testfiles/dockerfiles/input/Dockerfile-imageandtag-exempted
@@ -0,0 +1,11 @@
+FROM --platform=linux/x86_64 amazonlinux:2
+
+FROM --platform=linux/x86_64 amazonlinux:2023 as build_env
+
+FROM python:3.7
+
+RUN apt-get update && apt-get install -y vim
+
+WORKDIR /app
+
+FROM public.ecr.aws/amazonlinux/amazonlinux:2023
\ No newline at end of file
diff --git a/testfiles/dockerfiles/input/Dockerfile-imageandtag-exempted-2 b/testfiles/dockerfiles/input/Dockerfile-imageandtag-exempted-2
new file mode 100644
index 00000000..bb88dd60
--- /dev/null
+++ b/testfiles/dockerfiles/input/Dockerfile-imageandtag-exempted-2
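Review bot: The three new failure messages in the amazonlinux cases say `ActionExists returned true` although each sits under `if !result`, so a regression would be reported as the opposite of what happened; the rewritten step-security message has the same inversion. Use `t.Errorf("ActionExists returned false for amazonlinux:2023 with pattern amazonlinux:*")` and the equivalent wording for the `amazonlinux:2023` and `amazonlinux*` patterns. The new cases are all positive; since the Dockerfile fixtures in this commit rely on `amazonlinux:2` not exempting `amazonlinux:2023`, a negative check such as `if ActionExists("amazonlinux:2023", []string{"amazonlinux:2"}) { t.Errorf("ActionExists returned true for amazonlinux:2023 with pattern amazonlinux:2") }` would pin that down. The `t.Log(result)` calls only add noise to `-v` output once the messages name the inputs and could be dropped.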
@@ -0,0 +1,11 @@
+FROM --platform=linux/x86_64 amazonlinux:2023 as build_env
+
+FROM --platform=linux/x86_64 amazonlinux:2 as base
+
+FROM python:3.7
+
+RUN apt-get update && apt-get install -y vim
+
+WORKDIR /app
+
+FROM public.ecr.aws/amazonlinux/amazonlinux:2023
\ No newline at end of file
diff --git a/testfiles/dockerfiles/output/Dockerfile-imageandtag-exempted b/testfiles/dockerfiles/output/Dockerfile-imageandtag-exempted
new file mode 100644
index 00000000..1325850e
--- /dev/null
+++ b/testfiles/dockerfiles/output/Dockerfile-imageandtag-exempted
@@ -0,0 +1,11 @@
+FROM --platform=linux/x86_64 amazonlinux:2
+
+FROM --platform=linux/x86_64 amazonlinux:2023@sha256:5fb6f4b9d73ddeb0e431c938bee25c69157a1e3c880a81ff72c43a8055628de5 as build_env
+
+FROM python:3.7@sha256:5fb6f4b9d73ddeb0e431c938bee25c69157a1e3c880a81ff72c43a8055628de5
+
+RUN apt-get update && apt-get install -y vim
+
+WORKDIR /app
+
+FROM public.ecr.aws/amazonlinux/amazonlinux:2023@sha256:5fb6f4b9d73ddeb0e431c938bee25c69157a1e3c880a81ff72c43a8055628de5
\ No newline at end of file
diff --git a/testfiles/dockerfiles/output/Dockerfile-imageandtag-exempted-2 b/testfiles/dockerfiles/output/Dockerfile-imageandtag-exempted-2
new file mode 100644
index 00000000..29d2d783
--- /dev/null
+++ b/testfiles/dockerfiles/output/Dockerfile-imageandtag-exempted-2
@@ -0,0 +1,11 @@
+FROM --platform=linux/x86_64 amazonlinux:2023@sha256:5fb6f4b9d73ddeb0e431c938bee25c69157a1e3c880a81ff72c43a8055628de5 as build_env
+
+FROM --platform=linux/x86_64 amazonlinux:2@sha256:5fb6f4b9d73ddeb0e431c938bee25c69157a1e3c880a81ff72c43a8055628de5 as base
+
+FROM python:3.7@sha256:5fb6f4b9d73ddeb0e431c938bee25c69157a1e3c880a81ff72c43a8055628de5
+
+RUN apt-get update && apt-get install -y vim
+
+WORKDIR /app
+
+FROM public.ecr.aws/amazonlinux/amazonlinux:2023
\ No newline at end of file