fix non-raw-regex-pattern and some issues in linting

assets/libraries/dockerfile.rego

@@ -46,15 +46,15 @@ getCommands(commands) = output {
 }
 
 withVersion(pack) {
-	regex.match("[A-Za-z0-9_\\+-]+[-:][$](.+)", pack)
+	regex.match(`[A-Za-z0-9_\+-]+[-:][$](.+)`, pack)
 }
 
 withVersion(pack) {
-	regex.match("[A-Za-z0-9_\\+-]+[:-]([0-9]+.)+[0-9]+", pack)
+	regex.match(`[A-Za-z0-9_\+-]+[:-]([0-9]+.)+[0-9]+`, pack)
 }
 
 withVersion(pack) {
-	regex.match("[A-Za-z0-9_\\+-]+~?=(.+)", pack)
+	regex.match(`[A-Za-z0-9_\+-]+~?=(.+)`, pack)
 }
 
 arrayContains(array, list) {

assets/queries/ansible/azure/cosmosdb_account_without_tags/query.rego

@@ -2,20 +2,22 @@ package Cx
 
 import data.generic.ansible as ansLib
 import data.generic.common as common_lib
+import future.keywords.in
 
 CxPolicy[result] {
 	task := ansLib.tasks[id][t]
 	modules := {"azure.azcollection.azure_rm_cosmosdbaccount", "azure_rm_cosmosdbaccount"}
-	cosmosdbaccount := task[modules[m]]
+	some m in modules
+	cosmosdbaccount := task[m]
 	ansLib.checkState(cosmosdbaccount)
 
 	not common_lib.valid_key(cosmosdbaccount, "tags")
 
 	result := {
 		"documentId": id,
-		"resourceType": modules[m],
+		"resourceType": m,
 		"resourceName": task.name,
-		"searchKey": sprintf("name={{%s}}.{{%s}}.tags", [task.name, modules[m]]),
+		"searchKey": sprintf("name={{%s}}.{{%s}}.tags", [task.name, m]),
 		"issueType": "MissingAttribute",
 		"keyExpectedValue": "azure_rm_cosmosdbaccount.tags should be defined",
 		"keyActualValue": "azure_rm_cosmosdbaccount.tags is undefined",

assets/queries/ansible/gcp/google_compute_network_using_firewall_allows_port_range/query.rego

@@ -10,7 +10,7 @@ CxPolicy[result] {
 	ans_lib.checkState(firewall)
 
 	common_lib.is_ingress(firewall)
-	regex.match("[0-9]+-[0-9]+", firewall.allowed[_].ports[_])
+	regex.match(`[0-9]+-[0-9]+`, firewall.allowed[_].ports[_])
 	firewall.allowed[_].ports[_] != "0-65535"
 
 	tk := ans_lib.tasks[id][_]

assets/queries/azureResourceManager/role_definitions_allow_custom_subscription_role_creation/query.rego

@@ -1,19 +1,20 @@
 package Cx
 
 import data.generic.common as common_lib
+import future.keywords.in
 
 CxPolicy[result] {
-	doc := input.document[i]
+	some doc in input.document
 	[path, value] = walk(doc)
 
 	value.type == "Microsoft.Authorization/roleDefinitions"
 
-	regex.match("/$|/subscriptions/[\\w\\d-]+$|\\[subscription\\(\\)\\.id\\]", value.properties.assignableScopes[a]) == true
+	regex.match(`/$|/subscriptions/[\w\d-]+$|\[subscription\(\)\.id\]`, value.properties.assignableScopes[a]) == true
 
 	allows_custom_roles_creation(value.properties.permissions[x].actions)
 
 	result := {
-		"documentId": input.document[i].id,
+		"documentId": doc.id,
 		"resourceType": value.type,
 		"resourceName": value.name,
 		"searchKey": sprintf("%s.name={{%s}}.properties.permissions.actions", [common_lib.concat_path(path), value.name]),

assets/queries/cicd/github/unpinned_actions_full_length_commit_sha/query.rego

@@ -1,15 +1,17 @@
 package Cx
 
 import data.generic.common as common_lib
+import future.keywords.in
 
 CxPolicy[result] {
-	uses := input.document[i].jobs[j].steps[k].uses
+	some doc in input.document
+	uses := doc.jobs[j].steps[k].uses
 	not isAllowed(uses)
 	not isPinned(uses)
 	not isRelative(uses)
 
 	result := {
-		"documentId": input.document[i].id,
+		"documentId": doc.id,
 		"searchKey": sprintf("uses={{%s}}", [uses]),
 		"issueType": "IncorrectValue",
 		"keyExpectedValue": "Action pinned to a full length commit SHA.",
@@ -24,7 +26,7 @@ isAllowed(use) {
 }
 
 isPinned(use) {
-	regex.match("@[a-f0-9]{40}$", use)
+	regex.match(`@[a-f0-9]{40}$`, use)
 }
 
 isRelative(use) {

assets/queries/dockerfile/curl_or_wget_instead_of_add/query.rego

@@ -1,12 +1,15 @@
 package Cx
 
+import future.keywords.in
+
 CxPolicy[result] {
-	resource := input.document[i].command[name][j]
+	some doc in input.document
+	resource := doc.command[name][j]
 	resource.Cmd == "add"
 	httpRequestChecker(resource.Value)
 
 	result := {
-		"documentId": input.document[i].id,
+		"documentId": doc.id,
 		"searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]),
 		"issueType": "IncorrectValue",
 		"keyExpectedValue": sprintf("Should use 'curl' or 'wget' to download %s", [resource.Value[0]]),
@@ -15,5 +18,5 @@ CxPolicy[result] {
 }
 
 httpRequestChecker(cmdValue) {
-	regex.match("https?://", cmdValue[_])
+	regex.match(`https?:/`, cmdValue[_])
 }

assets/queries/dockerfile/gem_install_without_version/query.rego

@@ -1,15 +1,17 @@
 package Cx
 
 import data.generic.dockerfile as dockerLib
+import future.keywords.in
 
 CxPolicy[result] {
-	resource := input.document[i].command[name][_]
+	some doc in input.document
+	resource := doc.command[name][_]
 	resource.Cmd == "run"
 
 	count(resource.Value) == 1
 	commands := resource.Value[0]
 
-	gem := regex.find_n("gem (-(-)?[a-zA-Z]+ *)*install", commands, -1)
+	gem := regex.find_n(`gem (-(-)?[a-zA-Z]+ *)*install`, commands, -1)
 	gem != null
 
 	packages := dockerLib.getPackages(commands, gem)
@@ -19,7 +21,7 @@ CxPolicy[result] {
 	analyzePackages(j, packages[j], packages, length)
 
 	result := {
-		"documentId": input.document[i].id,
+		"documentId": doc.id,
 		"searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]),
 		"issueType": "IncorrectValue",
 		"keyExpectedValue": sprintf("%s is 'gem install <gem>:<version>'", [resource.Original]),
@@ -28,7 +30,8 @@ CxPolicy[result] {
 }
 
 CxPolicy[result] {
-	resource := input.document[i].command[name][_]
+	some doc in input.document
+	resource := doc.command[name][_]
 	resource.Cmd == "run"
 
 	count(resource.Value) > 1
@@ -37,11 +40,11 @@ CxPolicy[result] {
 
 	resource.Value[j] != "install"
 	resource.Value[j] != "gem"
-	regex.match("^[a-zA-Z]", resource.Value[j]) == true
+	regex.match(`^[a-zA-Z]`, resource.Value[j]) == true
 	not dockerLib.withVersion(resource.Value[j])
 
 	result := {
-		"documentId": input.document[i].id,
+		"documentId": doc.id,
 		"searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]),
 		"issueType": "IncorrectValue",
 		"keyExpectedValue": sprintf("%s is 'gem install <gem>:<version>'", [resource.Original]),
@@ -51,13 +54,13 @@ CxPolicy[result] {
 
 analyzePackages(j, currentPackage, packages, length) {
 	j == length - 1
-	regex.match("^[a-zA-Z]", currentPackage) == true
+	regex.match(`^[a-zA-Z]`, currentPackage) == true
 	not dockerLib.withVersion(currentPackage)
 }
 
 analyzePackages(j, currentPackage, packages, length) {
 	j != length - 1
-	regex.match("^[a-zA-Z]", currentPackage) == true
+	regex.match(`^[a-zA-Z]`, currentPackage) == true
 	packages[j + 1] != "-v"
 	not dockerLib.withVersion(currentPackage)
 }

assets/queries/dockerfile/healthcheck_instruction_missing/query.rego

@@ -1,22 +1,25 @@
 package Cx
 
 import data.generic.dockerfile as dockerLib
+import future.keywords.in
 
 CxPolicy[result] {
-	resource := input.document[i].command[name]
+	some doc in input.document
+	resource := doc.command[name]
 	dockerLib.check_multi_stage(name, input.document[i].command)
 
-	not contains(resource, "healthcheck")
+	not healthcheck_exists(resource)
 
 	result := {
-		"documentId": input.document[i].id,
+		"documentId": doc.id,
 		"searchKey": sprintf("FROM={{%s}}", [name]),
 		"issueType": "MissingAttribute",
 		"keyExpectedValue": "Dockerfile should contain instruction 'HEALTHCHECK'",
 		"keyActualValue": "Dockerfile doesn't contain instruction 'HEALTHCHECK'",
 	}
 }
 
-contains(cmd, elem) {
-	cmd[_].Cmd = elem
-}
+healthcheck_exists(resource) {
+	some cmd in resource
+	cmd.Cmd == "healthcheck"
+}

assets/queries/dockerfile/image_version_not_explicit/query.rego

@@ -1,14 +1,17 @@
 package Cx
 
+import future.keywords.in
+
 CxPolicy[result] {
-	resource := input.document[i].command[name][_]
+	some doc in input.document
+	resource := doc.command[name][_]
 	resource.Cmd == "from"
 	not resource.Value[0] == "scratch"
 
 	versionNotExplicit(resource.Value)
 
 	result := {
-		"documentId": input.document[i].id,
+		"documentId": doc.id,
 		"searchKey": sprintf("FROM={{%s}}", [name]),
 		"issueType": "MissingAttribute",
 		"keyExpectedValue": sprintf("FROM %s:'version'", [resource.Value[0]]),
@@ -18,19 +21,20 @@ CxPolicy[result] {
 
 versionNotExplicit(cmd) {
 	count(cmd) == 1
-	regex.match("^\\$[{}A-z0-9-_+].*", cmd[0]) == false
+	regex.match(`^\$[{}A-z0-9-_+].*`, cmd[0]) == false
 	not contains(cmd[0], ":")
 }
 
 versionNotExplicit(cmd) {
 	count(cmd) == 1
-	regex.match("^\\$[{}A-z0-9-_+].*", cmd[0]) == true
-
-	resource := input.document[i].command[name][_]
+	regex.match(`^\$[{}A-z0-9-_+].*`, cmd[0]) == true
+	some doc in input.document
+	resource := doc.command[name][_]
 	not resource.Value[0] == "scratch"
 
 	possibilities := {"arg", "env"}
-	resource.Cmd == possibilities[j]
+	some possibility in possibilities
+	resource.Cmd == possibility
 
 	cmdClean := trim_prefix(cmd[0], "$")
 

assets/queries/dockerfile/missing_flag_from_dnf_install/query.rego

@@ -1,9 +1,11 @@
 package Cx
 
 import data.generic.dockerfile as dockerLib
+import future.keywords.in
 
 CxPolicy[result] {
-	resource := input.document[i].command[name][_]
+	some doc in input.document
+	resource := doc.command[name][_]
 	resource.Cmd == "run"
 	values := resource.Value[0]
 	commands = dockerLib.getCommands(values)
@@ -14,7 +16,7 @@ CxPolicy[result] {
 	not hasYesFlag(c)
 
 	result := {
-		"documentId": input.document[i].id,
+		"documentId": doc.id,
 		"searchKey": sprintf("FROM={{%s}}.RUN={{%s}}", [name, resource.Value[0]]),
 		"issueType": "IncorrectValue",
 		"keyExpectedValue": "When running `dnf install`, `-y` or `--assumeyes` switch should be set to avoid build failure ",
@@ -37,5 +39,5 @@ hasInstallCommandWithoutFlag(command) = c {
 }
 
 hasYesFlag(command) {
-	regex.match("\\b(microdnf|dnf *install (-y|-[\\D]{1}y|-y[\\D]{1}|-yes|--assumeyes))\\b [\\w\\W]*", command)
+	regex.match(`\b(microdnf|dnf *install (-y|-[\D]{1}y|-y[\D]{1}|-yes|--assumeyes))\b [\w\W]*`, command)
 }

assets/queries/dockerfile/missing_version_specification_in_dnf_install/query.rego

@@ -1,9 +1,11 @@
 package Cx
 
 import data.generic.dockerfile as dockerLib
+import future.keywords.in
 
 CxPolicy[result] {
-	resource := input.document[i].command[name][_]
+	some doc in input.document
+	resource := doc.command[name][_]
 	resource.Cmd == "run"
 
 	count(resource.Value) == 1
@@ -20,7 +22,7 @@ CxPolicy[result] {
 	analyzePackages(j, packages[j], packages, length)
 
 	result := {
-		"documentId": input.document[i].id,
+		"documentId": doc.id,
 		"searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]),
 		"issueType": "IncorrectValue",
 		"keyExpectedValue": "Package version should be specified when using 'dnf install'",
@@ -29,7 +31,8 @@ CxPolicy[result] {
 }
 
 CxPolicy[result] {
-	resource := input.document[i].command[name][_]
+	some doc in input.document
+	resource := doc.command[name][_]
 	resource.Cmd == "run"
 
 	count(resource.Value) > 1
@@ -39,11 +42,11 @@ CxPolicy[result] {
 	resource.Value[j] != "dnf"
 	regex.match("(in|rei)n?(stall)?", resource.Value[j]) == false
 
-	regex.match("^[a-zA-Z]", resource.Value[j]) == true
+	regex.match(`^[a-zA-Z]`, resource.Value[j]) == true
 	not dockerLib.withVersion(resource.Value[j])
 
 	result := {
-		"documentId": input.document[i].id,
+		"documentId": doc.id,
 		"searchKey": sprintf("FROM={{%s}}.{{%s}}", [name, resource.Original]),
 		"issueType": "IncorrectValue",
 		"keyExpectedValue": "Package version should be specified when using 'dnf install'",
@@ -53,18 +56,18 @@ CxPolicy[result] {
 
 analyzePackages(j, currentPackage, packages, length) {
 	j == length - 1
-	regex.match("^[a-zA-Z]", currentPackage) == true
+	regex.match(`^[a-zA-Z]`, currentPackage) == true
 	not dockerLib.withVersion(currentPackage)
 }
 
 analyzePackages(j, currentPackage, packages, length) {
 	j != length - 1
-	regex.match("^[a-zA-Z]", currentPackage) == true
+	regex.match(`^[a-zA-Z]`, currentPackage) == true
 	packages[j + 1] != "-v"
 	not dockerLib.withVersion(currentPackage)
 }
 
 isDnf(command) {
 	contains(command[x], "dnf")
-	regex.match("(in|rei)n?(stall)?", command[j]) == true
+	regex.match(`(in|rei)n?(stall)?`, command[j]) == true
 }