
Query "Apt Get Install Lists Were Not Deleted" for Docker does not detect deletion when separated by ; instead of && #5117

@malte-laukoetter

Description


Expected Behavior

When the deletion of the apt-get install lists happens, this is detected regardless of the way the bash commands are chained.

Actual Behavior

In cases where the commands within a RUN instruction are separated by ; kics does not find the removal of the apt-get install lists.

Example:

RUN set -eux; \
	apt-get update; \
	apt-get install -y --no-install-recommends package=0.0.0; \
	rm -rf /var/lib/apt/lists/*

This is a result of the way the query is currently implemented. The query splits the commands by separating them whenever a && is found. See: https://github.com/Checkmarx/kics/blob/master/assets/queries/dockerfile/apt_get_install_lists_were_not_deleted/query.rego#L23

Steps to Reproduce the Problem

  1. Take the dockerfile for the official tomcat docker image (https://github.com/docker-library/tomcat/blob/29c3afc3135cf9464fa263762b63e0203a7fe178/10.1/jdk17/openjdk-slim-bullseye/Dockerfile)
  2. Run kics
  3. See that "Apt Get Install Lists Were Not Deleted" is reported
  4. Confirm that the apt get install list is removed in line 125 of the Dockerfile (https://github.com/docker-library/tomcat/blob/29c3afc3135cf9464fa263762b63e0203a7fe178/10.1/jdk17/openjdk-slim-bullseye/Dockerfile#L125)

Specifications

  • Version: v1.5.5
  • Platform: Docker
  • Subsystem: Dockerfile
  • Query: df746b39-6564-4fed-bf85-e9c44382303c
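To illustrate the splitting problem, the following is an added Python sketch (not the KICS query and not the Rego on the linked line): it joins backslash line continuations, splits a RUN body on `&&`, `||` and `;`, and flags a body that runs `apt-get install` without any whole command removing /var/lib/apt/lists; the `AND_ONLY` mode reproduces the false positive from the report. The sample RUN bodies and the per-command `rm` matcher are assumptions of this example.

```python
import re

# Constructed RUN bodies for this example (not taken from the issue or the tomcat image).
SEMICOLON_CHAINED = """set -eux; \\
\tapt-get update; \\
\tapt-get install -y --no-install-recommends package=0.0.0; \\
\trm -rf /var/lib/apt/lists/*"""
AND_CHAINED = "apt-get update && apt-get install -y curl && rm -rf /var/lib/apt/lists/*"
NO_CLEANUP = "apt-get update; apt-get install -y curl"

# Operator sets: AND_ONLY mirrors the '&&'-only split the issue describes,
# ALL_CHAINING also honours ';' and '||'.
AND_ONLY = r"&&"
ALL_CHAINING = r"&&|\|\||;"


def split_commands(run_body: str, sep_pattern: str = ALL_CHAINING) -> list[str]:
    """Join backslash line continuations, then split on the chaining operators."""
    joined = re.sub(r"\\\s*\n", " ", run_body)
    return [p.strip() for p in re.split(sep_pattern, joined) if p.strip()]


def installs_packages(cmd: str) -> bool:
    return re.search(r"\bapt-get\s+install\b", cmd) is not None


def removes_apt_lists(cmd: str) -> bool:
    # Assumed per-command check: the whole command must be an 'rm' (any flags)
    # of /var/lib/apt/lists or everything under it.
    return re.fullmatch(r"rm\s+(?:-\w+\s+)*/var/lib/apt/lists(?:/\*)?", cmd) is not None


def apt_lists_not_deleted(run_body: str, sep_pattern: str = ALL_CHAINING) -> bool:
    """True when the RUN body installs packages but no command removes the lists.

    With sep_pattern=AND_ONLY the ';'-chained body stays one long command, so the
    rm is never seen on its own and the body is wrongly reported."""
    cmds = split_commands(run_body, sep_pattern)
    return any(installs_packages(c) for c in cmds) and not any(removes_apt_lists(c) for c in cmds)


if __name__ == "__main__":
    for name, body in [("semicolon", SEMICOLON_CHAINED), ("and", AND_CHAINED), ("none", NO_CLEANUP)]:
        print(f"{name}: flagged={apt_lists_not_deleted(body)} "
              f"flagged_with_and_only_split={apt_lists_not_deleted(body, AND_ONLY)}")
```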
