(+ This image might run with root as the default user. Make sure it is safe here.)
| Line 1: | Line 1: | ||
Troubleshooting of SonarQube issue | |||
{{Draft}} | {{Draft}} | ||
== How to resolve "Add a new line at the end of this file." == | == SonarQube issues == | ||
=== How to resolve "Add a new line at the end of this file." === | |||
Error message: Files should contain an empty newline at the end<ref>[https://gist.github.com/OleksiyRudenko/d51388345ea55767b7672307fe35adf3 Why should text files end with a newline?]</ref> | Error message: Files should contain an empty newline at the end<ref>[https://gist.github.com/OleksiyRudenko/d51388345ea55767b7672307fe35adf3 Why should text files end with a newline?]</ref> | ||
| Line 52: | Line 54: | ||
* Usage {{kbd | key=<nowiki>./add_newline_to_php_files.sh /path/to/php/directory_of_scripts</nowiki>}} | * Usage {{kbd | key=<nowiki>./add_newline_to_php_files.sh /path/to/php/directory_of_scripts</nowiki>}} | ||
== How to resolve "Define and throw a dedicated exception instead of using a generic one" == | === How to resolve "Define and throw a dedicated exception instead of using a generic one" === | ||
Error condition which met "Define and throw a dedicated exception instead of using a generic one" <ref>[https://cwe.mitre.org/data/definitions/397 CWE - CWE-397: Declaration of Throws for Generic Exception (4.12)]</ref> | Error condition which met "Define and throw a dedicated exception instead of using a generic one" <ref>[https://cwe.mitre.org/data/definitions/397 CWE - CWE-397: Declaration of Throws for Generic Exception (4.12)]</ref> | ||
| Line 70: | Line 72: | ||
</pre> | </pre> | ||
== How to resolve "Merge this if statement with the enclosing one." == | === How to resolve "Merge this if statement with the enclosing one." === | ||
Example of Code Not Meeting Standards | Example of Code Not Meeting Standards | ||
<pre> | <pre> | ||
| Line 111: | Line 113: | ||
</pre> | </pre> | ||
== How to resolve "Method visibility should be explicitly declared" == | === How to resolve "Method visibility should be explicitly declared" === | ||
Possible solution | Possible solution | ||
| Line 119: | Line 121: | ||
* Replace with: {{kbd | key=<nowiki>$1public function$3</nowiki>}} | * Replace with: {{kbd | key=<nowiki>$1public function$3</nowiki>}} | ||
== How to resolve "replace all tab characters in this file by sequences of white-spaces (Tabulation characters should not be used)" == | === How to resolve "replace all tab characters in this file by sequences of white-spaces (Tabulation characters should not be used)" === | ||
Solution: Using the editor which supports [[Regular expression | regular expression]]<ref>[https://community.sonarsource.com/t/replace-all-tab-characters-in-this-file-by-sequences-of-white-spaces-error-in-sonarcloud-t-sql/40078 Replace all tab characters in this file by sequences of white-spaces - Error in SonarCloud T-SQL - SonarCloud - Sonar Community]</ref> | Solution: Using the editor which supports [[Regular expression | regular expression]]<ref>[https://community.sonarsource.com/t/replace-all-tab-characters-in-this-file-by-sequences-of-white-spaces-error-in-sonarcloud-t-sql/40078 Replace all tab characters in this file by sequences of white-spaces - Error in SonarCloud T-SQL - SonarCloud - Sonar Community]</ref> | ||
* Replace {{kbd | key=<nowiki>\t</nowiki>}} | * Replace {{kbd | key=<nowiki>\t</nowiki>}} | ||
* with {{kbd | key=<nowiki> </nowiki>}} (four whitespaces) | * with {{kbd | key=<nowiki> </nowiki>}} (four whitespaces) | ||
== How to resolve "Refactor this function to reduce its Cognitive Complexity from XX to the 15 allowed." == | === How to resolve "Refactor this function to reduce its Cognitive Complexity from XX to the 15 allowed." === | ||
Possible solution<ref>[https://www.compozelabs.com/post/avoiding-and-fix-spaghetti-code How to fix your spaghetti code (and avoid it in the first place) | Compoze Labs]</ref><ref>[https://en.wikipedia.org/wiki/Spaghetti_code Spaghetti code - Wikipedia]</ref> | Possible solution<ref>[https://www.compozelabs.com/post/avoiding-and-fix-spaghetti-code How to fix your spaghetti code (and avoid it in the first place) | Compoze Labs]</ref><ref>[https://en.wikipedia.org/wiki/Spaghetti_code Spaghetti code - Wikipedia]</ref> | ||
| Line 130: | Line 132: | ||
* Avoid nested conditionals | * Avoid nested conditionals | ||
* Simplify boolean expressions | * Simplify boolean expressions | ||
=== How to resolve "This image might run with root as the default user. Make sure it is safe here." === | |||
'''🛑 Problem Condition''' | |||
During the CI/CD process, security scanning tools such as Anchore or Checkmarx report the following warning: | |||
<pre> | |||
This image might run with root as the default user. Make sure it is safe here. | |||
</pre> | |||
This warning appears because the Docker image is configured to run as the <code>root</code> user by default, which poses a potential security risk—especially in production or publicly exposed environments. | |||
'''✅ Solution''' | |||
Modify the <code>Dockerfile</code> to create a non-root user and configure the container to run using this user. Here's a general example: | |||
<pre> | |||
FROM alpine:3.19 | |||
# Create a non-root user and group = | |||
RUN addgroup -S appgroup && adduser -S appuser -G appgroup | |||
# Create the working directory and set permissions = | |||
RUN mkdir -p /app && chown -R appuser:appgroup /app | |||
# Copy application files = | |||
COPY app /app | |||
WORKDIR /app | |||
# Switch to the non-root user = | |||
USER appuser | |||
# Expose application port (if applicable) = | |||
EXPOSE 80 | |||
# Start your application (example only) = | |||
CMD ["your-app-command"] | |||
</pre> | |||
'''💡 Explanation''' | |||
By default, Docker containers run as the "root" user, which increases the risk of privilege escalation if an attacker exploits a vulnerability. To avoid the risk by creating a dedicated, unprivileged user and ensuring that your application directory has the correct ownership and permissions. Then, you configure the container to run under this non-root user. | |||
References | |||
* [https://www.docker.com/blog/understanding-the-docker-user-instruction/ Understanding the Docker USER Instruction | Docker] | |||
* [https://docs.docker.com/engine/security/rootless/ Rootless mode | Docker Docs] | |||
* [https://medium.com/@Kfir-G/securing-docker-non-root-user-best-practices-5784ac25e755 Securing Docker: Non-Root User Best Practices | by Kfir Gisman | Medium] | |||
== Unresolved issues == | == Unresolved issues == | ||
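Review bot: in the Dockerfile example of this hunk, `COPY app /app` runs as root after the `chown`, so the copied files end up root-owned and the earlier `RUN mkdir -p /app && chown -R appuser:appgroup /app` only covers the empty directory; use `COPY --chown=appuser:appgroup app /app` (or move the `chown` after the `COPY`) so the files are actually owned by the user the container runs as. Two smaller points in the same block: every `#` comment carries a stray trailing ` =` (e.g. `# Create a non-root user and group =`), apparently left over from wiki heading markup, and should be cleaned up; and `EXPOSE 80` is only metadata, but a process running as `appuser` may not be able to bind a port below 1024 depending on the container runtime's unprivileged-port setting, so the text should either mention that caveat or use a higher port in the example. In the Explanation paragraph, "To avoid the risk by creating a dedicated, unprivileged user and ensuring that your application directory has the correct ownership and permissions." is a sentence fragment; reword to "To avoid this risk, create a dedicated, unprivileged user and ensure that your application directory has the correct ownership and permissions." Finally, "References" is plain text while the rest of the page cites sources with `<ref>` footnotes; either convert the three links to `<ref>` tags or make "References" a proper heading in the page's own heading style.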
| Line 149: | Line 200: | ||
[[Category: PHP]] | [[Category: PHP]] | ||
[[Category: Security]] | [[Category: Security]] | ||
[[Category: Revised with LLMs]] | |||