SONARIAC-2441 Reshape docker grammar and parse Shell code (#616)

GitOrigin-RevId: 449faa5e8e3ac7879b9fe88c74ee70552cf74b83

Author: rudy-regazzoni-sonarsource

iac-extensions/docker/src/main/java/org/sonar/iac/docker/checks/LongRunInstructionCheck.java

@@ -24,6 +24,8 @@
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
+import java.util.function.Predicate;
+import java.util.regex.Pattern;
 import java.util.stream.Collectors;
 import java.util.stream.IntStream;
 import org.sonar.check.Rule;
@@ -36,6 +38,7 @@
 import org.sonar.iac.common.extension.visitors.TreeContext;
 import org.sonar.iac.common.extension.visitors.TreeVisitor;
 import org.sonar.iac.docker.tree.api.Argument;
+import org.sonar.iac.docker.tree.api.ArgumentList;
 import org.sonar.iac.docker.tree.api.ExpandableStringCharacters;
 import org.sonar.iac.docker.tree.api.ExpandableStringLiteral;
 import org.sonar.iac.docker.tree.api.Expression;
@@ -49,6 +52,7 @@ public class LongRunInstructionCheck implements IacCheck {
   public static final int DEFAULT_MAX_LENGTH = 120;
   public static final int MIN_WORD_TO_TRIGGER = 7;
   private static final String MESSAGE = "Split this RUN instruction line into multiple lines.";
+  private static final Predicate<String> HAS_URL = Pattern.compile("\\b((https?|ftp)://|(www|ftp)\\.)\\S++").asPredicate();
 
   @RuleProperty(
     key = "maxLength",
@@ -115,10 +119,36 @@ private static Map<Integer, Integer> countWordsPerLine(RunInstruction runInstruc
     Map<Integer, Integer> wordsPerLine = new HashMap<>();
     incrementWordCountOnLine(wordsPerLine, runInstruction.keyword());
     runInstruction.options().forEach(flag -> incrementWordCountOnLine(wordsPerLine, flag));
-    runInstruction.arguments().forEach(argument -> incrementWordCountOnLine(wordsPerLine, argument));
+    if (runInstruction.code() instanceof SyntaxToken syntaxToken) {
+      incrementWordCountOnLine(wordsPerLine, syntaxToken.textRange().start().line(), countWordsInString(syntaxToken.value()));
+    } else if (runInstruction.code() instanceof ArgumentList argumentList) {
+      argumentList.arguments().forEach(argument -> incrementWordCountOnLine(wordsPerLine, argument));
+    }
     return wordsPerLine;
   }
 
+  private static int countWordsInString(String text) {
+    // 1. Fast fail for null or empty
+    if (text.isEmpty()) {
+      return 0;
+    }
+    int count = 0;
+    boolean isWord = false;
+    int length = text.length();
+    for (int i = 0; i < length; i++) {
+      char c = text.charAt(i);
+      // 2. Check if the character is whitespace (equivalent to \s)
+      if (Character.isWhitespace(c)) {
+        isWord = false;
+      } else if (!isWord) {
+        // 3. If we weren't in a word, and now we are, increment count
+        count++;
+        isWord = true;
+      }
+    }
+    return count;
+  }
+
   private static void incrementWordCountOnLine(Map<Integer, Integer> wordsPerLine, Tree tree) {
     if (tree.textRange().start().line() != tree.textRange().end().line()) {
       incrementWordCountOnLine(wordsPerLine, tree.textRange().start().line());
@@ -130,15 +160,26 @@ private static void incrementWordCountOnLine(Map<Integer, Integer> wordsPerLine,
     wordsPerLine.merge(line, 1, Integer::sum);
   }
 
+  private static void incrementWordCountOnLine(Map<Integer, Integer> wordsPerLine, int line, int wordCount) {
+    wordsPerLine.merge(line, wordCount, Integer::sum);
+  }
+
   private static Set<Integer> getLinesWithUrl(RunInstruction runInstruction) {
-    return runInstruction.arguments().stream()
-      .filter(LongRunInstructionCheck::isArgumentUrl)
-      .flatMap((Argument urlArgument) -> {
-        int startLine = urlArgument.textRange().start().line();
-        int endLine = urlArgument.textRange().end().line();
-        return IntStream.rangeClosed(startLine, endLine).boxed();
-      })
-      .collect(Collectors.toSet());
+    if (runInstruction.code() instanceof SyntaxToken syntaxToken) {
+      if (HAS_URL.test(syntaxToken.value())) {
+        return Set.of(syntaxToken.textRange().start().line());
+      }
+    } else if (runInstruction.code() instanceof ArgumentList argumentList) {
+      return argumentList.arguments().stream()
+        .filter(LongRunInstructionCheck::isArgumentUrl)
+        .flatMap((Argument urlArgument) -> {
+          int startLine = urlArgument.textRange().start().line();
+          int endLine = urlArgument.textRange().end().line();
+          return IntStream.rangeClosed(startLine, endLine).boxed();
+        })
+        .collect(Collectors.toSet());
+    }
+    return Set.of();
   }
 
   private static boolean isArgumentUrl(Argument argument) {

iac-extensions/docker/src/main/java/org/sonar/iac/docker/checks/MalformedJsonInExecCheck.java

@@ -27,7 +27,9 @@
 import org.sonar.iac.common.api.checks.InitContext;
 import org.sonar.iac.docker.symbols.ArgumentResolution;
 import org.sonar.iac.docker.tree.api.Argument;
+import org.sonar.iac.docker.tree.api.ShellCode;
 import org.sonar.iac.docker.tree.api.ShellForm;
+import org.sonar.iac.docker.tree.api.SyntaxToken;
 
 @Rule(key = "S7030")
 public class MalformedJsonInExecCheck implements IacCheck {
@@ -41,6 +43,7 @@ public class MalformedJsonInExecCheck implements IacCheck {
   @Override
   public void initialize(InitContext init) {
     init.register(ShellForm.class, MalformedJsonInExecCheck::checkShellForm);
+    init.register(ShellCode.class, MalformedJsonInExecCheck::checkShellCode);
   }
 
   private static void checkShellForm(CheckContext ctx, ShellForm shellForm) {
@@ -49,8 +52,18 @@ private static void checkShellForm(CheckContext ctx, ShellForm shellForm) {
     }
   }
 
+  private static void checkShellCode(CheckContext ctx, ShellCode<?> shellCode) {
+    if (shellCode.code() instanceof SyntaxToken syntaxToken && looksLikeExecForm(syntaxToken.value())) {
+      ctx.reportIssue(syntaxToken, MESSAGE);
+    }
+  }
+
   private static boolean isMalformedExec(ShellForm shellForm) {
     String command = resolveFullCommand(shellForm.arguments());
+    return looksLikeExecForm(command);
+  }
+
+  private static boolean looksLikeExecForm(@Nullable String command) {
     return command != null && command.startsWith("[") && !EXCLUDE_TOO_LONG_AFTER_OBJECT.test(command) && !EXCLUDE_NO_QUOTES.test(command);
   }
 

iac-extensions/docker/src/main/java/org/sonar/iac/docker/checks/PosixPermissionCheck.java

@@ -28,6 +28,7 @@
 import org.sonar.iac.docker.checks.utils.ArgumentChmod;
 import org.sonar.iac.docker.symbols.ArgumentResolution;
 import org.sonar.iac.docker.tree.api.Argument;
+import org.sonar.iac.docker.tree.api.ArgumentList;
 import org.sonar.iac.docker.tree.api.RunInstruction;
 import org.sonar.iac.docker.tree.api.TransferInstruction;
 
@@ -43,10 +44,12 @@ public void initialize(InitContext init) {
   }
 
   private static void checkRunChmodPermission(CheckContext ctx, RunInstruction runInstruction) {
-    for (ArgumentChmod chmod : ArgumentChmod.extractChmodsFromArguments(runInstruction.arguments())) {
-      if (chmod.hasPermission("o+w") || chmod.hasPermission("g+s") || chmod.hasPermission("u+s")) {
-        TextRange textRange = TextRanges.merge(List.of(chmod.chmodArg.textRange(), chmod.permissionsArg.textRange()));
-        ctx.reportIssue(textRange, MESSAGE);
+    if (runInstruction.code() instanceof ArgumentList argumentList) {
+      for (ArgumentChmod chmod : ArgumentChmod.extractChmodsFromArguments(argumentList.arguments())) {
+        if (chmod.hasPermission("o+w") || chmod.hasPermission("g+s") || chmod.hasPermission("u+s")) {
+          TextRange textRange = TextRanges.merge(List.of(chmod.chmodArg.textRange(), chmod.permissionsArg.textRange()));
+          ctx.reportIssue(textRange, MESSAGE);
+        }
       }
     }
   }

iac-extensions/docker/src/main/java/org/sonar/iac/docker/checks/ShellExpansionsInCommandCheck.java

@@ -17,7 +17,6 @@
 package org.sonar.iac.docker.checks;
 
 import java.util.Collection;
-import java.util.EnumSet;
 import java.util.List;
 import java.util.Set;
 import org.sonar.check.Rule;
@@ -29,13 +28,7 @@
 import org.sonar.iac.docker.checks.utils.CommandDetector;
 import org.sonar.iac.docker.checks.utils.command.SeparatedList;
 import org.sonar.iac.docker.symbols.ArgumentResolution;
-import org.sonar.iac.docker.tree.api.CmdInstruction;
-import org.sonar.iac.docker.tree.api.CommandInstruction;
-import org.sonar.iac.docker.tree.api.DockerTree;
-import org.sonar.iac.docker.tree.api.EntrypointInstruction;
-import org.sonar.iac.docker.tree.api.RunInstruction;
-
-import static org.sonar.iac.docker.checks.utils.CheckUtils.ignoringSpecificForms;
+import org.sonar.iac.docker.tree.api.HasArguments;
 
 @Rule(key = "S6573")
 public class ShellExpansionsInCommandCheck implements IacCheck {
@@ -47,21 +40,13 @@ public class ShellExpansionsInCommandCheck implements IacCheck {
     "--",
     // pattern matching in for loops is not a subject to the issue
     "for");
-  /**
-   * We don't run the check on heredoc form or exec form.
-   * Here document are not supported with CommandDetector, so we don't run the check on them.
-   * Unlike the shell form, the exec form does not invoke a command shell. This means that normal shell processing does not happen.
-   */
-  private static final Set<DockerTree.Kind> EXCLUDED_FORMS = EnumSet.of(DockerTree.Kind.EXEC_FORM, DockerTree.Kind.HEREDOCUMENT);
 
   @Override
   public void initialize(InitContext init) {
-    init.register(RunInstruction.class, ignoringSpecificForms(EXCLUDED_FORMS, ShellExpansionsInCommandCheck::check));
-    init.register(CmdInstruction.class, ignoringSpecificForms(EXCLUDED_FORMS, ShellExpansionsInCommandCheck::check));
-    init.register(EntrypointInstruction.class, ignoringSpecificForms(EXCLUDED_FORMS, ShellExpansionsInCommandCheck::check));
+    // TODO SONARIAC-2462
   }
 
-  private static void check(CheckContext ctx, CommandInstruction cmd) {
+  private static void check(CheckContext ctx, HasArguments cmd) {
     SeparatedList<List<ArgumentResolution>, String> splitCommands = ArgumentResolutionSplitter.splitCommands(CheckUtils.resolveInstructionArguments(cmd));
     CommandDetector shellExpansionDetector = CommandDetector.builder()
       .with(ShellExpansionsInCommandCheck::isShellExpansion)

iac-extensions/docker/src/main/java/org/sonar/iac/docker/checks/ShellFormOverExecFormCheck.java

@@ -30,12 +30,10 @@
 import org.sonar.iac.docker.symbols.ArgumentResolution;
 import org.sonar.iac.docker.tree.api.Argument;
 import org.sonar.iac.docker.tree.api.Body;
-import org.sonar.iac.docker.tree.api.CmdInstruction;
-import org.sonar.iac.docker.tree.api.CommandInstruction;
 import org.sonar.iac.docker.tree.api.DockerImage;
 import org.sonar.iac.docker.tree.api.DockerTree;
-import org.sonar.iac.docker.tree.api.EntrypointInstruction;
 import org.sonar.iac.docker.tree.api.ShellInstruction;
+import org.sonar.iac.docker.tree.api.TransferInstruction;
 import org.sonar.iac.docker.tree.api.Variable;
 
 import static org.sonar.iac.docker.tree.TreeUtils.getDockerImageName;
@@ -46,9 +44,6 @@ public class ShellFormOverExecFormCheck implements IacCheck {
 
   private static final String DEFAULT_MESSAGE = "Replace this shell form with exec form.";
   private static final String WRAPPING_SCRIPT_MESSAGE = "Consider wrapping this instruction in a script file and call it with exec form.";
-  private static final Set<Class<? extends CommandInstruction>> classes = Set.of(
-    CmdInstruction.class,
-    EntrypointInstruction.class);
   private static final Pattern UNSUPPORTED_FEATURES_IN_EXEC_FORM = Pattern.compile("&&|\\|\\||\\||;");
 
   private final ShellInstructionsInfo checkContext = new ShellInstructionsInfo();
@@ -59,7 +54,7 @@ public void initialize(InitContext init) {
     init.register(Body.class, this::initFileAnalysis);
     init.register(DockerImage.class, this::resetShellInstruction);
     init.register(ShellInstruction.class, this::tagDockerImageWithShellInstruction);
-    classes.forEach(klass -> init.register(klass, this::checkCommandInstructionForm));
+    // TODO SONARIAC-2460
   }
 
   private void initFileAnalysis(CheckContext ctx, Body body) {
@@ -76,23 +71,23 @@ private void tagDockerImageWithShellInstruction(CheckContext ctx, ShellInstructi
     getDockerImageName(shellInstruction).ifPresent(checkContext.imageNameWithShellInstruction::add);
   }
 
-  private void checkCommandInstructionForm(CheckContext ctx, CommandInstruction commandInstruction) {
-    if (commandInstruction.getKindOfArgumentList() == DockerTree.Kind.SHELL_FORM && !checkContext.hasShellInstructionInCurrentImage
-      && !hasAnyParentDockerImageWithShellInstruction(commandInstruction)
-      && !commandInstruction.parent().is(DockerTree.Kind.HEALTHCHECK)) {
-      var firstArg = commandInstruction.arguments().get(0);
-      var lastArg = commandInstruction.arguments().get(commandInstruction.arguments().size() - 1);
+  private void checkCommandInstructionForm(CheckContext ctx, TransferInstruction tr) {
+    if (tr.srcsAndDest().getKind() == DockerTree.Kind.SHELL_FORM && !checkContext.hasShellInstructionInCurrentImage
+      && !hasAnyParentDockerImageWithShellInstruction(tr)
+      && !tr.parent().is(DockerTree.Kind.HEALTHCHECK)) {
+      var firstArg = tr.srcsAndDest().arguments().get(0);
+      var lastArg = tr.srcsAndDest().arguments().get(tr.srcsAndDest().arguments().size() - 1);
       var textRange = TextRanges.mergeElementsWithTextRange(List.of(firstArg, lastArg));
       var message = DEFAULT_MESSAGE;
-      if (containFeatureNotSupportedByExecForm(commandInstruction)) {
+      if (containFeatureNotSupportedByExecForm(tr)) {
         message = WRAPPING_SCRIPT_MESSAGE;
       }
       ctx.reportIssue(textRange, message);
     }
   }
 
-  private boolean hasAnyParentDockerImageWithShellInstruction(CommandInstruction commandInstruction) {
-    return getParentDockerImageName(commandInstruction)
+  private boolean hasAnyParentDockerImageWithShellInstruction(TransferInstruction transferInstruction) {
+    return getParentDockerImageName(transferInstruction)
       .map((String parentDockerImageName) -> {
         if (hasShellInstruction(parentDockerImageName)) {
           return true;
@@ -107,8 +102,8 @@ private boolean hasShellInstruction(String imageName) {
     return checkContext.imageNameWithShellInstruction.contains(imageName);
   }
 
-  private static boolean containFeatureNotSupportedByExecForm(CommandInstruction commandInstruction) {
-    for (Argument arg : commandInstruction.arguments()) {
+  private static boolean containFeatureNotSupportedByExecForm(TransferInstruction transferInstruction) {
+    for (Argument arg : transferInstruction.srcsAndDest().arguments()) {
       if (hasVariableReference(arg)) {
         return true;
       }

iac-extensions/docker/src/main/java/org/sonar/iac/docker/checks/SortedArgumentListCheck.java

@@ -24,7 +24,7 @@
 import org.sonar.iac.common.api.checks.InitContext;
 import org.sonar.iac.docker.checks.utils.CommandDetector;
 import org.sonar.iac.docker.symbols.ArgumentResolution;
-import org.sonar.iac.docker.tree.api.DockerTree;
+import org.sonar.iac.docker.tree.api.ArgumentList;
 import org.sonar.iac.docker.tree.api.RunInstruction;
 
 @Rule(key = "S7018")
@@ -65,18 +65,14 @@ public void initialize(InitContext init) {
   }
 
   private static void checkRunInstruction(CheckContext ctx, RunInstruction runInstruction) {
-    if (runInstruction.getKindOfArgumentList() == DockerTree.Kind.HEREDOCUMENT) {
-      // TODO SONARIAC-1557 Heredoc should be treated as multiple instructions
-      // Otherwise, it's not clear where to stop the matcher, and the next command can be captured.
-      return;
+    if (runInstruction.code() instanceof ArgumentList argumentList) {
+      var argumentResolutions = argumentList.arguments().stream().map(ArgumentResolution::of).toList();
+      COMMAND_DETECTORS.stream()
+        .map(it -> it.search(argumentResolutions))
+        .filter(it -> !it.isEmpty())
+        .flatMap(List::stream)
+        .forEach(command -> checkInstallationCommand(ctx, command));
     }
-
-    var argumentResolutions = runInstruction.arguments().stream().map(ArgumentResolution::of).toList();
-    COMMAND_DETECTORS.stream()
-      .map(it -> it.search(argumentResolutions))
-      .filter(it -> !it.isEmpty())
-      .flatMap(List::stream)
-      .forEach(command -> checkInstallationCommand(ctx, command));
   }
 
   private static void checkInstallationCommand(CheckContext ctx, CommandDetector.Command command) {

iac-extensions/docker/src/main/java/org/sonar/iac/docker/checks/UnencryptedProtocolCheck.java

@@ -24,9 +24,10 @@
 import org.sonar.iac.docker.symbols.ArgumentResolution;
 import org.sonar.iac.docker.tree.api.AddInstruction;
 import org.sonar.iac.docker.tree.api.Argument;
-import org.sonar.iac.docker.tree.api.CommandInstruction;
+import org.sonar.iac.docker.tree.api.CodeInstruction;
 
 import static org.sonar.iac.common.checks.network.UrlUtils.isUnencryptedUrl;
+import static org.sonar.iac.docker.checks.utils.CheckUtils.codeToArgumentList;
 import static org.sonar.iac.docker.tree.api.DockerTree.Kind.ADD;
 import static org.sonar.iac.docker.tree.api.DockerTree.Kind.CMD;
 import static org.sonar.iac.docker.tree.api.DockerTree.Kind.ENTRYPOINT;
@@ -39,11 +40,11 @@ public class UnencryptedProtocolCheck implements IacCheck {
 
   @Override
   public void initialize(InitContext init) {
-    init.register(CommandInstruction.class, (ctx, commandInstruction) -> {
+    init.register(CodeInstruction.class, (ctx, commandInstruction) -> {
       if (!commandInstruction.is(ADD, ENTRYPOINT, CMD, RUN)) {
         return;
       }
-      checkUnencryptedProtocols(ctx, commandInstruction.arguments());
+      codeToArgumentList(commandInstruction).ifPresent(argumentList -> checkUnencryptedProtocols(ctx, argumentList.arguments()));
     });
 
     init.register(AddInstruction.class, (ctx, add) -> {

iac-extensions/docker/src/main/java/org/sonar/iac/docker/checks/UnsecureConnectionCheck.java

@@ -26,6 +26,8 @@
 import org.sonar.iac.docker.symbols.ArgumentResolution;
 import org.sonar.iac.docker.tree.api.RunInstruction;
 
+import static org.sonar.iac.docker.checks.utils.CheckUtils.codeToArgumentList;
+
 @Rule(key = "S4830")
 public class UnsecureConnectionCheck implements IacCheck {
 
@@ -49,9 +51,11 @@ public void initialize(InitContext init) {
   }
 
   private static void checkRun(CheckContext ctx, RunInstruction runInstruction) {
-    List<ArgumentResolution> resolvedArgument = runInstruction.arguments().stream().map(ArgumentResolution::of).toList();
+    codeToArgumentList(runInstruction).ifPresent(argumentList -> {
+      List<ArgumentResolution> resolvedArgument = argumentList.arguments().stream().map(ArgumentResolution::of).toList();
 
-    SENSITIVE_CURL_COMMAND.search(resolvedArgument).forEach(command -> ctx.reportIssue(command, MESSAGE));
-    SENSITIVE_WGET_COMMAND.search(resolvedArgument).forEach(command -> ctx.reportIssue(command, MESSAGE));
+      SENSITIVE_CURL_COMMAND.search(resolvedArgument).forEach(command -> ctx.reportIssue(command, MESSAGE));
+      SENSITIVE_WGET_COMMAND.search(resolvedArgument).forEach(command -> ctx.reportIssue(command, MESSAGE));
+    });
   }
 }

iac-extensions/docker/src/main/java/org/sonar/iac/docker/checks/VariableReferenceOutsideOfQuotesCheck.java

@@ -22,8 +22,9 @@
 import org.sonar.iac.common.api.checks.InitContext;
 import org.sonar.iac.docker.symbols.ArgumentResolution;
 import org.sonar.iac.docker.tree.api.Argument;
+import org.sonar.iac.docker.tree.api.ArgumentList;
 import org.sonar.iac.docker.tree.api.CmdInstruction;
-import org.sonar.iac.docker.tree.api.CommandInstruction;
+import org.sonar.iac.docker.tree.api.CodeInstruction;
 import org.sonar.iac.docker.tree.api.DockerTree;
 import org.sonar.iac.docker.tree.api.EntrypointInstruction;
 import org.sonar.iac.docker.tree.api.Expression;
@@ -43,8 +44,14 @@ public void initialize(InitContext init) {
     init.register(EntrypointInstruction.class, VariableReferenceOutsideOfQuotesCheck::checkVariableReference);
   }
 
-  private static void checkVariableReference(CheckContext ctx, CommandInstruction commandInstruction) {
-    for (Argument argument : commandInstruction.arguments()) {
+  private static void checkVariableReference(CheckContext ctx, CodeInstruction codeInstruction) {
+    if (codeInstruction.code() instanceof ArgumentList argumentList) {
+      checkVariableReference(ctx, argumentList);
+    }
+  }
+
+  private static void checkVariableReference(CheckContext ctx, ArgumentList argumentList) {
+    for (Argument argument : argumentList.arguments()) {
       for (Expression expression : argument.expressions()) {
         if (expression.is(DockerTree.Kind.REGULAR_VARIABLE) && !isVariableDefinedWithDoubleQuotes((RegularVariable) expression)) {
           ctx.reportIssue(expression, MESSAGE);