From 444c23805989cba3ebdd79d578388f8f6626f596 Mon Sep 17 00:00:00 2001 From: Rudy Regazzoni <110470341+rudy-regazzoni-sonarsource@users.noreply.github.com> Date: Wed, 8 Jan 2025 15:19:38 +0100 Subject: [PATCH] SONARIAC-1856 Modify S7019: add EXEC alternatives and exceptions (#4597) * SONARIAC-1856 Update S7019 content * Remove script example * Fix id * Update rules/S7019/docker/rule.adoc Co-authored-by: Jonas Wielage * Address review comment --------- Co-authored-by: Jonas Wielage --- rules/S7019/docker/rule.adoc | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/rules/S7019/docker/rule.adoc b/rules/S7019/docker/rule.adoc index b58061fac80..5afb753b2b5 100644 --- a/rules/S7019/docker/rule.adoc +++ b/rules/S7019/docker/rule.adoc @@ -10,6 +10,17 @@ This can cause problems when trying to gracefully stop containers because the ma Moreover, the exec form provides more control and predictability over the execution of the command. It does not invoke a command shell, which means it does not have the potential side effects of shell processing. + +=== Exceptions + +The exec form does not allow shell features such as variable expansion, piping (`|`) and command chaining (`&&`, `||`, `;`). +In case you need to use these features, there are a few alternatives: +* Creation of a wrapper script +* Explicitly specify the shell to use with the `SHELL` instruction before `CMD` or `ENTRYPOINT` + + +This rule will not raise an issue if the `SHELL` instruction is used before the `CMD` or `ENTRYPOINT` instruction, as we consider this a conscious decision. + == How to fix it === Code examples @@ -22,6 +33,14 @@ FROM scratch ENTRYPOINT echo "Welcome!" ---- +[source,docker,diff-id=2,diff-type=noncompliant] +---- +FROM scratch +ENTRYPOINT echo "Long script with chaining commands" \ + && echo "Welcome!" \ + && echo "Goodbye" +---- + ==== Compliant solution [source,docker,diff-id=1,diff-type=compliant] 
@@ -30,6 +49,21 @@ FROM scratch ENTRYPOINT ["echo", "Welcome!"] ---- +[source,docker,diff-id=2,diff-type=compliant] +---- +FROM scratch +SHELL ["/bin/bash", "-c"] +ENTRYPOINT echo "Long script with chaining commands" \ + && echo "Welcome!" \ + && echo "Goodbye" +---- + +[source,docker,diff-id=2,diff-type=compliant] +---- +FROM scratch +ENTRYPOINT ["/entrypoint.sh"] +---- + == Resources === Documentation
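Review bot: In the first hunk the bullet list under "there are a few alternatives:" needs a blank line before `* Creation of a wrapper script`; in AsciiDoc a list that directly follows a paragraph line is rendered as continuation text of that paragraph, not as a list, so the two alternatives will appear inline. While there, make the two items parallel ("Create a wrapper script" / "Explicitly specify the shell ..."), collapse the double blank line before "This rule will not raise an issue", and consider adding one sentence to the exception text saying that the `SHELL` alternative keeps the chained commands running under the shell, so the graceful-stop concern described at the top of the rule still applies to that option; only the wrapper-script approach (with an `exec` at the end of the script) avoids it.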
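Review bot: Style point on the second hunk: the string in the new noncompliant example reads "Long script with chaining commands"; "chained commands" is the grammatical form, and since the same string is reused in the compliant counterpart it should be changed in both places for consistency.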
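Review bot: In the third hunk both new compliant blocks carry `diff-id=2,diff-type=compliant`, so two compliant examples are paired with the single `diff-id=2` noncompliant block from the previous hunk; the diff rendering expects one compliant block per id. Either give the wrapper-script example its own `diff-id=3` with a matching noncompliant block, or drop the `diff-id`/`diff-type` attributes from the second block and present it as a plain `[source,docker]` listing. Separately, the wrapper-script example `ENTRYPOINT ["/entrypoint.sh"]` on `FROM scratch` references a file the image does not contain; adding a `COPY entrypoint.sh /entrypoint.sh` line (the script body was intentionally removed per the commit message, so the line alone is enough) would make the example self-contained, and the same applies to `SHELL ["/bin/bash", "-c"]` on a `scratch` base that ships no bash.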