bug(query): wrong query - volume mount with os directory write permissions

After looking into the details of [Volume Mount With OS Directory Write Permissions](https://github.com/Checkmarx/kics/blob/4c8d0c995433f6f49dd4da12cf99c7efc0275314/assets/queries/k8s/volume_mount_with_os_directory_write_permissions/query.rego), I came to the conclusion that this query is incorrect and does not make sense in its current form.

The query checks if the `mountPath` is at some location where sensitive host files could be located. The problem here is that the [mountPath](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#volumes-1) is the "path within the container at which the volume should be mounted" and not related to the location on the host at all.

The correct check would be to verify the [hostPath.path](https://kubernetes.io/docs/reference/kubernetes-api/config-and-storage-resources/volume/#local-temporary-directory).

As the `hostPath` check is already covered by [Workload Mounting With Sensitive OS Directory](https://github.com/Checkmarx/kics/blob/e17c9797ba17ae037058900394b0f731a3283493/assets/queries/k8s/workload_mounting_with_sensitive_os_directory/query.rego), I believe that the best solution is to delete the incorrect rule without any replacement.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

bug(query): wrong query - volume mount with os directory write permissions #7542

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

bug(query): wrong query - volume mount with os directory write permissions #7542

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions