From a1e1a0a50df886d2b20e7f3cb75968e845442f3b Mon Sep 17 00:00:00 2001
From: Mike Ritter
Date: Mon, 26 Feb 2018 16:26:36 -0600
Subject: [PATCH] fixed variable expansion and added test for container exclusion
Signed-off-by: Mike Ritter
---
 docker-bench-security.sh | 6 +++---
 tests/5_container_runtime.sh | 17 +++++++++++++----
 2 files changed, 16 insertions(+), 7 deletions(-)
diff --git a/docker-bench-security.sh b/docker-bench-security.sh
index 6a0a4ba..ab32924 100755
--- a/docker-bench-security.sh
+++ b/docker-bench-security.sh
@@ -38,7 +38,7 @@ usage () {
 -h optional Print this help message
 -l FILE optional Log output in FILE
 -c CHECK optional Comma delimited list of specific check(s)
- -x EXCLUDE optional Comma delimited list of patterns within a container to exclude from check
+ -x EXCLUDE optional Comma delimited list of patterns within a container name to exclude from check
 EOF
 }
@@ -92,7 +92,7 @@ main () {
 containers=$(docker ps | sed '1d' | awk '{print $NF}')
 else
 pattern=$(echo "$exclude" | sed 's/,/|/g')
- containers=$(docker ps | sed '1d' | grep -Ev '$pattern' | awk '{print $NF}')
+ containers=$(docker ps | sed '1d' | grep -Ev "$pattern" | awk '{print $NF}')
 fi
 # If there is a container with label docker_bench_security, memorize it:
 benchcont="nil"
@@ -107,7 +107,7 @@ main () {
 containers=$(docker ps | sed '1d' | awk '{print $NF}' | grep -v "$benchcont")
 else
 pattern=$(echo "$exclude" | sed 's/,/|/g')
- containers=$(docker ps | sed '1d' | grep -Ev "$pattern" | awk '{print $NF}' | grep -v "$benchcont")
+ containers=$(docker ps | sed '1d' | awk '{print $NF}' | grep -Ev "$pattern" | grep -v "$benchcont")
 fi
 if [ -z "$containers" ]; then
diff --git a/tests/5_container_runtime.sh b/tests/5_container_runtime.sh
index 1eec675..06ec355 100644
--- a/tests/5_container_runtime.sh
+++ b/tests/5_container_runtime.sh
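Review bot: The new `containers=` line in the second hunk (`@@ -92`) still applies `grep -Ev "$pattern"` to the whole `docker ps` row before `awk '{print $NF}'` isolates the name, so an exclude pattern also matches the image, command, ports and status columns, which is not what the `-x` help text in the first hunk says and differs from the third hunk, where the commit moves the grep after the awk. Reorder this branch the same way: `containers=$(docker ps | sed '1d' | awk '{print $NF}' | grep -Ev "$pattern")`. Separately, because the comma list is turned into an alternation, a trailing or doubled comma (e.g. `-x foo,`) produces an empty branch that matches every line and silently empties `containers`; the `pattern=` step should drop empty elements or `exclude` should be validated first. `main` starts and ends outside these hunks.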
@@ -990,7 +990,14 @@ check_5_29() {
 docker0Containers=$(docker network inspect --format='{{ range $k, $v := .Containers }} {{ $k }} {{ end }}' "$net" | \
 sed -e 's/^ //' -e 's/ /\n/g' 2>/dev/null)
- if [ -n "$docker0Containers" ]; then
+ for c in $docker0Containers; do
+ cName=$(docker inspect --format '{{.Name}}' "$c" 2>/dev/null | sed 's/\///g')
+ if [ -n "$exclude" ]; then
+ pattern=$(echo "$exclude" | sed 's/,/|/g')
+ if echo "$cName" | grep -q "$pattern"; then
+ continue
+ fi
+ fi
 if [ $fail -eq 0 ]; then
 info "$check_5_29"
 logjson "5.29" "INFO"
@@ -1001,10 +1008,12 @@ check_5_29() {
 cName=$(docker inspect --format '{{.Name}}' "$c" 2>/dev/null | sed 's/\///g')
 else
 pattern=$(echo "$exclude" | sed 's/,/|/g')
- cName=$(docker inspect --format '{{.Name}}' "$c" 2>/dev/null | sed 's/\///g' | grep -Ev '$pattern' )
+ cName=$(docker inspect --format '{{.Name}}' "$c" 2>/dev/null | sed 's/\///g' | grep -Ev "$pattern" )
+ fi
+ if ! [ -z "$cName" ]; then
+ info " * Container in docker0 network: $cName"
+ logjson "5.29" "INFO: $c"
 fi
- info " * Container in docker0 network: $cName"
- logjson "5.29" "INFO: $c"
 done
 fi
 currentScore=$((currentScore + 0))
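Review bot: Replacing `if [ -n "$docker0Containers" ]; then` with `for c in $docker0Containers; do` in the first hunk breaks the block's nesting: the second hunk's trailing context still ends with `done` followed by `fi`, so that `fi` no longer has a matching `if` and the new outer loop has no `done`, and the existing inner `for c in $docker0Containers; do` that the second hunk's `done` belongs to (between the hunks, not visible here) would re-iterate every container inside the outer loop. Since the second hunk already skips excluded containers by letting `grep -Ev "$pattern"` empty `cName`, the simplest fix is to keep the original `if [ -n "$docker0Containers" ]; then` line and drop the eight added lines of this hunk. If the pre-filter is kept instead, `grep -q "$pattern"` needs `-E`, as the commit uses `grep -Ev` for the same `|`-joined pattern everywhere else; without it `|` is matched literally and a multi-entry exclude list never matches. check_5_29 starts and ends outside the hunk.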
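Review bot: `if ! [ -z "$cName" ]; then` in the second hunk reads better as `if [ -n "$cName" ]; then`, matching the `-n` tests used elsewhere in this function, and the line deserves a comment because an empty name being the exclusion signal is not obvious: `# empty when the name matched an -x pattern (grep -Ev) — skip it`. Note that `cName` is also empty when `docker inspect` fails, since its stderr is sent to /dev/null, so a container that disappears mid-run is now silently dropped as if it had been excluded; if that distinction matters, check the inspect exit status separately from the exclusion filter. check_5_29 starts outside the hunk.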