2.0.14 Docker Compose inspections update

Author: NordCoderd

CHANGELOG.md

@@ -2,6 +2,14 @@
 
 # Cloud (IaC) Security Changelog
 
+## [2.0.14] 13-10-2025
+
+### Changed
+
+- Docker Compose inspections were rewritten to better YAML analyze approach
+
+Please support plugin by starring [GitHub repository](https://github.com/NordCoderd/cloud-security-plugin)
+
 ## [2.0.13] 21-09-2025
 
 Small cosmetic changes

build.gradle.kts

@@ -55,30 +55,32 @@ intellijPlatform {
         version = providers.gradleProperty("pluginVersion")
 
         // Extract the <!-- Plugin description --> section from README.md and provide for the plugin's manifest
-        description = providers.fileContents(layout.projectDirectory.file("README.md")).asText.map {
-            val start = "<!-- Plugin description -->"
-            val end = "<!-- Plugin description end -->"
-
-            with(it.lines()) {
-                if (!containsAll(listOf(start, end))) {
-                    throw GradleException("Plugin description section not found in README.md:\n$start ... $end")
+        description =
+            providers.fileContents(layout.projectDirectory.file("README.md")).asText.map {
+                val start = "<!-- Plugin description -->"
+                val end = "<!-- Plugin description end -->"
+
+                with(it.lines()) {
+                    if (!containsAll(listOf(start, end))) {
+                        throw GradleException("Plugin description section not found in README.md:\n$start ... $end")
+                    }
+                    subList(indexOf(start) + 1, indexOf(end)).joinToString("\n").let(::markdownToHTML)
                 }
-                subList(indexOf(start) + 1, indexOf(end)).joinToString("\n").let(::markdownToHTML)
             }
-        }
 
         val changelog = project.changelog // local variable for configuration cache compatibility
         // Get the latest available change notes from the changelog file
-        changeNotes = providers.gradleProperty("pluginVersion").map { pluginVersion ->
-            with(changelog) {
-                renderItem(
-                    (getOrNull(pluginVersion) ?: getUnreleased())
-                        .withHeader(false)
-                        .withEmptySections(false),
-                    Changelog.OutputType.HTML,
-                )
+        changeNotes =
+            providers.gradleProperty("pluginVersion").map { pluginVersion ->
+                with(changelog) {
+                    renderItem(
+                        (getOrNull(pluginVersion) ?: getUnreleased())
+                            .withHeader(false)
+                            .withEmptySections(false),
+                        Changelog.OutputType.HTML,
+                    )
+                }
             }
-        }
 
         ideaVersion {
             sinceBuild = providers.gradleProperty("pluginSinceBuild")
@@ -97,7 +99,8 @@ intellijPlatform {
         // The pluginVersion is based on the SemVer (https://semver.org) and supports pre-release labels, like 2.1.7-alpha.3
         // Specify pre-release label to publish the plugin in a custom Release Channel automatically. Read more:
         // https://plugins.jetbrains.com/docs/intellij/deployment.html#specifying-a-release-channel
-        channels = providers.gradleProperty("pluginVersion").map { listOf(it.substringAfter('-', "").substringBefore('.').ifEmpty { "default" }) }
+        channels =
+            providers.gradleProperty("pluginVersion").map { listOf(it.substringAfter('-', "").substringBefore('.').ifEmpty { "default" }) }
     }
 
     pluginVerification {
@@ -138,14 +141,15 @@ intellijPlatformTesting {
     runIde {
         register("runIdeForUiTests") {
             task {
-                jvmArgumentProviders += CommandLineArgumentProvider {
-                    listOf(
-                        "-Drobot-server.port=8082",
-                        "-Dide.mac.message.dialogs.as.sheets=false",
-                        "-Djb.privacy.policy.text=<!--999.999-->",
-                        "-Djb.consents.confirmation.enabled=false",
-                    )
-                }
+                jvmArgumentProviders +=
+                    CommandLineArgumentProvider {
+                        listOf(
+                            "-Drobot-server.port=8082",
+                            "-Dide.mac.message.dialogs.as.sheets=false",
+                            "-Djb.privacy.policy.text=<!--999.999-->",
+                            "-Djb.consents.confirmation.enabled=false",
+                        )
+                    }
             }
 
             plugins {

gradle.properties

@@ -1,7 +1,7 @@
 pluginGroup = dev.protsenko.securityLinter
 pluginName = Cloud (IaC) Security
 pluginRepositoryUrl = https://github.com/NordCoderd/cloud-security-plugin
-pluginVersion = 2.0.13
+pluginVersion = 2.0.14
 
 # Supported build number ranges and IntelliJ Platform versions -> https://plugins.jetbrains.com/docs/intellij/build-number-ranges.html
 pluginSinceBuild = 231

gradlew

@@ -3,7 +3,6 @@ package dev.protsenko.securityLinter.dockerCompose
 import com.intellij.codeInspection.LocalInspectionTool
 import com.intellij.codeInspection.ProblemHighlightType
 import com.intellij.codeInspection.ProblemsHolder
-import com.intellij.psi.PsiElement
 import com.intellij.psi.PsiElementVisitor
 import com.intellij.psi.PsiFile
 import dev.protsenko.securityLinter.core.DockerFileConstants.PROHIBITED_PORTS
@@ -16,16 +15,15 @@ import dev.protsenko.securityLinter.dockerCompose.DockerComposeConstants.PRIVILE
 import dev.protsenko.securityLinter.dockerCompose.DockerComposeConstants.USER_KEY_LITERAL
 import dev.protsenko.securityLinter.dockerCompose.DockerComposeConstants.supportedAttributes
 import dev.protsenko.securityLinter.utils.PortUtils
+import dev.protsenko.securityLinter.utils.YamlPath
 import dev.protsenko.securityLinter.utils.image.ImageAnalyzer
 import dev.protsenko.securityLinter.utils.image.ImageDefinitionCreator
-import org.jetbrains.yaml.navigation.YAMLQualifiedNameProvider
 import org.jetbrains.yaml.psi.YAMLFile
 import org.jetbrains.yaml.psi.YAMLKeyValue
+import org.jetbrains.yaml.psi.YAMLMapping
 import org.jetbrains.yaml.psi.YAMLSequenceItem
 
 class DockerComposeInspection : LocalInspectionTool() {
-    val provider = YAMLQualifiedNameProvider()
-
     override fun buildVisitor(
         holder: ProblemsHolder,
         isOnTheFly: Boolean,
@@ -34,81 +32,88 @@ class DockerComposeInspection : LocalInspectionTool() {
             override fun visitFile(file: PsiFile) {
                 if (file !is YAMLFile) return
                 if (!file.name.startsWith("docker", ignoreCase = true)) return
-                super.visitFile(file)
-            }
 
-            /**
-             * For more information about service attributes: https://docs.docker.com/reference/compose-file/services
-             */
-            override fun visitElement(element: PsiElement) {
-                if (element is YAMLKeyValue) {
-                    val fqn = provider.getQualifiedName(element) ?: return
-                    if (!fqn.startsWith("services")) return
+                val documents = file.documents
 
-                    val attributeName = element.key?.text ?: return
-                    if (attributeName !in supportedAttributes) return
-                    val attributeValue = element.value?.text?.trim() ?: return
+                for (document in documents) {
+                    val serviceMapping = YamlPath.findByYamlPath("services", document) as? YAMLMapping ?: return
+                    val serviceDefinitions =
+                        serviceMapping
+                            .children
+                            .filterIsInstance<YAMLKeyValue>()
+                            .map { it.value }
+                            .filterIsInstance<YAMLMapping>()
 
-                    when (attributeName) {
-                        // Analyzing image definition
-                        IMAGE_KEY_LITERAL -> {
-                            val imageDefinition = ImageDefinitionCreator.fromString(attributeValue, emptyMap())
-                            ImageAnalyzer.analyzeAndHighlight(imageDefinition, holder, element, emptyMap())
-                        }
+                    for (serviceDefinition in serviceDefinitions) {
+                        val serviceAttributes = serviceDefinition.children.filterIsInstance<YAMLKeyValue>()
+                        for (serviceAttribute in serviceAttributes) {
+                            val attributeName = serviceAttribute.key?.text ?: continue
+                            if (attributeName !in supportedAttributes) continue
+                            val attributeValue = serviceAttribute.value?.text ?: continue
 
-                        USER_KEY_LITERAL -> {
-                            if (PROHIBITED_USERS.contains(attributeValue.trim())) {
-                                val descriptor =
-                                    HtmlProblemDescriptor(
-                                        element,
-                                        SecurityPluginBundle.message("dfs002.documentation"),
-                                        SecurityPluginBundle.message("dfs002.root-user-is-used"),
-                                        ProblemHighlightType.ERROR,
-                                    )
+                            when (attributeName) {
+                                // Analyzing image definition
+                                IMAGE_KEY_LITERAL -> {
+                                    val imageDefinition = ImageDefinitionCreator.fromString(attributeValue, emptyMap())
+                                    ImageAnalyzer.analyzeAndHighlight(imageDefinition, holder, serviceAttribute, emptyMap())
+                                }
 
-                                holder.registerProblem(descriptor)
-                            }
-                        }
+                                USER_KEY_LITERAL -> {
+                                    if (PROHIBITED_USERS.contains(attributeValue.trim())) {
+                                        val descriptor =
+                                            HtmlProblemDescriptor(
+                                                serviceAttribute,
+                                                SecurityPluginBundle.message("dfs002.documentation"),
+                                                SecurityPluginBundle.message("dfs002.root-user-is-used"),
+                                                ProblemHighlightType.ERROR,
+                                            )
 
-                        PRIVILEGED_LITERAL -> {
-                            if (attributeValue == "true") {
-                                holder.registerProblem(
-                                    element,
-                                    SecurityPluginBundle.message("ds033.using-privileged"),
-                                    ProblemHighlightType.ERROR,
-                                )
-                            }
-                        }
+                                        holder.registerProblem(descriptor)
+                                    }
+                                }
+
+                                PRIVILEGED_LITERAL -> {
+                                    if (attributeValue == "true") {
+                                        holder.registerProblem(
+                                            serviceAttribute,
+                                            SecurityPluginBundle.message("ds033.using-privileged"),
+                                            ProblemHighlightType.ERROR,
+                                        )
+                                    }
+                                }
 
-                        PORTS_LITERAL -> {
-                            element.value?.children?.forEach {
-                                if (it is YAMLSequenceItem) {
-                                    var portsDefinitions = it.value?.text ?: return@forEach
-                                    // quotes at start and end should be trimmed
-                                    if (portsDefinitions.length > 2) {
-                                        portsDefinitions = portsDefinitions.substring(1, portsDefinitions.length - 1)
-                                        val containerPorts = PortUtils.parseContainerPorts(portsDefinitions)
-                                        containerPorts.forEach { containerPort ->
-                                            if (PROHIBITED_PORTS.contains(containerPort)) {
-                                                val descriptor =
-                                                    HtmlProblemDescriptor(
-                                                        it,
-                                                        SecurityPluginBundle.message("dfs011.documentation"),
-                                                        SecurityPluginBundle.message("dfs011.ssh-port-exposed"),
-                                                        ProblemHighlightType.ERROR,
-                                                        emptyArray(),
-                                                    )
+                                PORTS_LITERAL -> {
+                                    serviceAttribute.value?.children?.forEach {
+                                        if (it is YAMLSequenceItem) {
+                                            var portsDefinitions = it.value?.text ?: return@forEach
+                                            // quotes at start and end should be trimmed
+                                            if (portsDefinitions.length > 2) {
+                                                portsDefinitions =
+                                                    portsDefinitions.substring(1, portsDefinitions.length - 1)
+                                                val containerPorts = PortUtils.parseContainerPorts(portsDefinitions)
+                                                containerPorts.forEach { containerPort ->
+                                                    if (PROHIBITED_PORTS.contains(containerPort)) {
+                                                        val descriptor =
+                                                            HtmlProblemDescriptor(
+                                                                it,
+                                                                SecurityPluginBundle.message("dfs011.documentation"),
+                                                                SecurityPluginBundle.message("dfs011.ssh-port-exposed"),
+                                                                ProblemHighlightType.ERROR,
+                                                                emptyArray(),
+                                                            )
 
-                                                holder.registerProblem(descriptor)
+                                                        holder.registerProblem(descriptor)
+                                                    }
+                                                }
                                             }
                                         }
-                                    }
+                                        return@forEach
+                                    } ?: return
                                 }
-                                return@forEach
-                            } ?: return
-                        }
 
-                        else -> return
+                                else -> return
+                            }
+                        }
                     }
                 }
             }

src/main/kotlin/dev/protsenko/securityLinter/dockerCompose/DockerComposeInspection.kt

@@ -3,6 +3,12 @@ version: '3.1'
 services:
   db:
     <error descr="Missing version tag
+When using image you should use a specific tag to avoid uncontrolled behavior when the image is updated.">image: mysql</error>
+    restart: always
+    environment:
+      MYSQL_ROOT_PASSWORD: example
+  extended-service:
+    <error descr="Missing version tag
 When using image you should use a specific tag to avoid uncontrolled behavior when the image is updated.">image: mysql</error>
     restart: always
     environment: