-
Notifications
You must be signed in to change notification settings - Fork 5
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #19 from advanced-security/compose
Add Compose support
- Loading branch information
Showing
4 changed files
with
92 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,18 @@ | ||
| name: "Dependency Review" | ||
| on: | ||
| pull_request: | ||
|
|
||
| permissions: | ||
| contents: read | ||
| pull-requests: write | ||
|
|
||
| jobs: | ||
| dependency-review: | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: "Checkout Repository" | ||
| uses: actions/checkout@v3 | ||
| - name: "Dependency Review" | ||
| uses: actions/dependency-review-action@v3 | ||
| with: | ||
| comment-summary-in-pr: true |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,56 @@ | ||
| private import codeql.iac.YAML | ||
| private import codeql.files.FileSystem | ||
|
|
||
| /** | ||
| * A Compose file node. | ||
| */ | ||
| private class Node extends YamlNode { | ||
| Node() { | ||
| this.getFile().getBaseName() = | ||
| [ | ||
| // Compose | ||
| "compose.yml", "compose.yaml", | ||
| // Docker | ||
| "docker-compose.yml", "docker-compose.yaml", | ||
| // Podman | ||
| "podman-compose.yml", "podman-compose.yaml", | ||
| ] | ||
| } | ||
| } | ||
|
|
||
| /** | ||
| * Docker / Podman Compose file. | ||
| */ | ||
| class Compose extends Node, YamlDocument, YamlMapping { | ||
| /** | ||
| * Returns the version of the Compose file. | ||
| */ | ||
| string getApiVersion() { | ||
| result = this.lookup("version").toString().regexpReplaceAll("('|\")", "") | ||
| } | ||
|
|
||
| /** | ||
| * Returns the services defined in the Compose file. | ||
| */ | ||
| ComposeService getServices() { result = this.lookup("services").getAChildNode() } | ||
| } | ||
|
|
||
| /** | ||
| * A service defined in a Compose file. | ||
| */ | ||
| class ComposeService extends YamlMapping { | ||
| Compose compose; | ||
|
|
||
| /** | ||
| * Compose Service | ||
| */ | ||
| ComposeService() { compose.lookup("services").getAChildNode() = this } | ||
|
|
||
| /** | ||
| * Returns the name of the service. | ||
| */ | ||
| string getName() { | ||
| result = this.lookup("container_name").toString() | ||
| // TODO get parent key name | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,16 @@ | ||
| /** | ||
| * @name Using old version of Compose | ||
| * @description Compose files with pinned version | ||
| * @kind problem | ||
| * @problem.severity note | ||
| * @security-severity 1.0 | ||
| * @precision very-high | ||
| * @id iac/containers/latest-images | ||
| * @tags maintainability | ||
| */ | ||
|
|
||
| import iac | ||
|
|
||
| from Compose compose | ||
| where compose.getApiVersion() = ["2", "3"] | ||
| select compose, "pinned version of Compose spec" |