From dff46bdcfd77209aafbf7bd88afc6d4d0e1deed6 Mon Sep 17 00:00:00 2001 From: "Loris S." <91723853+loris-s-sonarsource@users.noreply.github.com> Date: Tue, 7 Jan 2025 14:53:28 +0100 Subject: [PATCH 1/2] Modify S3649(Python): Fix logic error (#4598) --- rules/S3649/python/how-to-fix-it/sqlalchemy.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/S3649/python/how-to-fix-it/sqlalchemy.adoc b/rules/S3649/python/how-to-fix-it/sqlalchemy.adoc index f839c894393..8fa14bfd944 100644 --- a/rules/S3649/python/how-to-fix-it/sqlalchemy.adoc +++ b/rules/S3649/python/how-to-fix-it/sqlalchemy.adoc @@ -27,7 +27,7 @@ import sqlalchemy @app.route('/example') def get_users(): user = request.args["user"] - conn = sqlalchemy.create_engine(connection_string) + engine = sqlalchemy.create_engine(connection_string) conn = engine.connect() conn.execute("SELECT user FROM users WHERE user = '" + user + "'") # Noncompliant @@ -43,7 +43,7 @@ import sqlalchemy @app.route('/example') def get_users(): user = request.args["user"] - conn = sqlalchemy.create_engine(connection_string) + engine = sqlalchemy.create_engine(connection_string) metadata = sqlalchemy.MetaData(bind=conn, reflect=True) users = metadata.tables['users'] conn = engine.connect() From dd2372c5813dbb1fcf68f1f1981f253f7e13b320 Mon Sep 17 00:00:00 2001 From: Rudy Regazzoni <110470341+rudy-regazzoni-sonarsource@users.noreply.github.com> Date: Wed, 8 Jan 2025 15:06:48 +0100 Subject: [PATCH 2/2] Update rules/S7019/docker/rule.adoc Co-authored-by: Jonas Wielage --- rules/S7019/docker/rule.adoc | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/rules/S7019/docker/rule.adoc b/rules/S7019/docker/rule.adoc index 5a8ea3935ae..c5bcb11806b 100644 --- a/rules/S7019/docker/rule.adoc +++ b/rules/S7019/docker/rule.adoc 
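Review bot: In the second hunk (`@@ -43,7 +43,7 @@`), the line `metadata = sqlalchemy.MetaData(bind=conn, reflect=True)` still references `conn`, which on the new side is not assigned until `conn = engine.connect()` two lines later, so the compliant sample now reads an unbound name where the old code at least bound the engine object. The rename should be carried through to that line, `metadata = sqlalchemy.MetaData(bind=engine, reflect=True)`, otherwise the "logic error" fix from the commit title leaves the second sample broken. The first hunk is consistent after the change and needs nothing further. Both `get_users` bodies continue past their hunks, so the remainder of the compliant query is not visible here; it is also worth confirming that `bind=` and `reflect=` on `MetaData` match the SQLAlchemy version the rule targets, since those constructor arguments were dropped in the 2.0 series.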
@@ -10,14 +10,16 @@ This can cause problems when trying to gracefully stop containers because the ma Moreover, the exec form provides more control and predictability over the execution of the command. It does not invoke a command shell, which means it does not have the potential side effects of shell processing. -Although, the exec form does not allow shell features such as variable expansion, piping (`|`) and command chaining (`&&`, `||`, `;`). -In case you need to use these features, there is few alternatives: -- create a wrapper script -- explicitly specify the shell with the `SHELL` instruction before the `CMD` or `ENTRYPOINT` instruction === Exceptions -As mentioned above, this rule will not raise an issue if the `SHELL` instruction is used before the `CMD` or `ENTRYPOINT` instruction, as we consider this is a conscious decision. +The exec form does not allow shell features such as variable expansion, piping (`|`) and command chaining (`&&`, `||`, `;`). +In case you need to use these features, there are a few alternatives: +* Creation of a wrapper script +* Explicitly specify the shell to use with the `SHELL` instruction before `CMD` or `ENTRYPOINT` + + +This rule will not raise an issue if the `SHELL` instruction is used before the `CMD` or `ENTRYPOINT` instruction, as we consider this a conscious decision. == How to fix it