feat(dockerfile): Add CKV2_DOCKER_17 for chpasswd (#5441)

Add CKV2_DOCKER_17

Co-authored-by: Anton Grübel <[email protected]>

checkov/dockerfile/checks/graph_checks/RunChpasswd.yaml

@@ -0,0 +1,24 @@
+metadata:
+  id: "CKV2_DOCKER_17"
+  name: "Ensure that 'chpasswd' is not used to set or remove passwords"
+  category: "APPLICATION_SECURITY"
+definition:
+    and:
+    - cond_type: attribute
+      resource_types:
+        - RUN
+      attribute: value
+      operator: not_starting_with
+      value: "chpasswd "
+    - cond_type: attribute
+      resource_types:
+        - RUN
+      attribute: value
+      operator: not_contains
+      value: " chpasswd "
+    - cond_type: attribute
+      resource_types:
+        - RUN
+      attribute: value
+      operator: not_ending_with
+      value: " chpasswd"

tests/dockerfile/graph_builder/checks/resources/RunChpasswd/expected.yaml

@@ -0,0 +1,10 @@
+pass:
+  - 'pass/Dockerfile.RUN'
+fail:
+  - 'fail/Dockerfile.RUN'
+  - 'fail/Dockerfile.RUN'
+  - 'fail/Dockerfile.RUN'
+  - 'fail/Dockerfile.RUN'
+  - 'fail/Dockerfile.RUN'
+evaluated_keys:
+  - 'value'

tests/dockerfile/graph_builder/checks/resources/RunChpasswd/fail/Dockerfile

@@ -0,0 +1,8 @@
+FROM ubuntu:20.04
+RUN echo 'root:root' | chpasswd
+RUN echo 'root:' | chpasswd
+RUN apt-get update && echo "someuser:somepasswd" | chpasswd && echo "lol"
+RUN apt-get update ;\
+    apt-get clean ; \
+    echo 'root:root' | chpasswd
+RUN chpasswd < input.txt

tests/dockerfile/graph_builder/checks/resources/RunChpasswd/pass/Dockerfile

@@ -0,0 +1,2 @@
+FROM ubuntu:20.04
+RUN chgrp root /etc/passwd

tests/dockerfile/graph_builder/checks/test_yaml_policies.py

@@ -91,6 +91,9 @@ def test_RunYumConfigManagerSslVerify(self):
     def test_EnvPipTrustedHost(self):
         self.go("EnvPipTrustedHost")
 
+    def test_RunChpasswd(self):
+        self.go("RunChpasswd")
+
     def test_registry_load(self):
         registry = self.get_checks_registry()
         self.assertGreater(len(registry.checks), 0)

tests/dockerfile/image_referencer/test_runner_dockerfile_resources.py

@@ -41,7 +41,7 @@ def test_simple_dockerfile(mocker: MockerFixture):
     sca_image_report = next(report for report in reports if report.check_type == CheckType.SCA_IMAGE)
 
     assert len(tf_report.resources) == 1
-    assert len(tf_report.passed_checks) == 20
+    assert len(tf_report.passed_checks) == 21
     assert len(tf_report.failed_checks) == 2
     assert len(tf_report.skipped_checks) == 0
     assert len(tf_report.parsing_errors) == 0
@@ -93,7 +93,7 @@ def test_multi_stage_dockerfile(mocker: MockerFixture):
     sca_image_report = next(report for report in reports if report.check_type == CheckType.SCA_IMAGE)
 
     assert len(tf_report.resources) == 1
-    assert len(tf_report.passed_checks) == 36
+    assert len(tf_report.passed_checks) == 38
     assert len(tf_report.failed_checks) == 2
     assert len(tf_report.skipped_checks) == 0
     assert len(tf_report.parsing_errors) == 0
@@ -136,7 +136,7 @@ def test_multi_platform_dockerfile(mocker: MockerFixture):
     sca_image_report = next(report for report in reports if report.check_type == CheckType.SCA_IMAGE)
 
     assert len(tf_report.resources) == 1
-    assert len(tf_report.passed_checks) == 29
+    assert len(tf_report.passed_checks) == 30
     assert len(tf_report.failed_checks) == 3
     assert len(tf_report.skipped_checks) == 0
     assert len(tf_report.parsing_errors) == 0