Problem
Context missing_version_specification_in_dnf_install/query.rego:
Meaning:
The policy checks if the next value after the current package (packages[plus(j, 1)]) is not -v.
If the next value is -v, the policy assumes a version is specified afterward (though the policy does not explicitly check what comes after -v, which is a potential gap).
In dnf install, -v is not used for version specification — it means verbose.
The policy might incorrectly assume that -v indicates version pinning, which could cause false negatives (wrongly passing non-compliant code) (correct me if I'm wrong).
Expected Behavior
RUN dnf install -v -y zip line in Dockerfile should fail check (non-compliant) because there is no version pinning.
Actual Behavior
RUN dnf install -v -y zip line in Dockerfile passes check (compliant).
I apologise that I couldn't provide any debug log, sample file, steps to reproduce, specification.
I found this possible issue when I was trying to understand missing_version_specification_in_dnf_install rego with ChatGPT, and ChatGPT highlighted this bug for me (credit to ChatGPT).
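An added example, not the project's query.rego and not the issue author's code: a Python model of the next-token check as the issue describes it, beside a version that treats -v as a flag and judges pinning from the package spec alone. The tokenisation, the name-version regex for a pinned spec and all function names are assumptions; the sample lines are constructed.

```python
import re
import shlex
from itertools import takewhile

# Assumption: a pinned spec has the form name-version[-release], e.g. zip-3.0-11.el9.
PINNED_SPEC = re.compile(r"^\S+?-\d\S*$")
SHELL_OPS = {"&&", "||", ";", "|"}

def dnf_install_args(run_line):
    """Tokens that follow 'dnf install', up to the next shell operator."""
    tokens = shlex.split(run_line)
    for i in range(len(tokens) - 1):
        if tokens[i] == "dnf" and tokens[i + 1] == "install":
            return list(takewhile(lambda t: t not in SHELL_OPS, tokens[i + 2:]))
    return []

def unpinned_described(run_line):
    """Model of the check as the issue describes it (hypothetical, not the real rule):
    a package whose next token is -v is treated as having a version."""
    args = dnf_install_args(run_line)
    findings = []
    for j, tok in enumerate(args):
        if tok.startswith("-") or PINNED_SPEC.match(tok):
            continue
        nxt = args[j + 1] if j + 1 < len(args) else None
        if nxt != "-v":  # the gap: -v is dnf's verbose flag, not a version marker
            findings.append(tok)
    return findings

def unpinned_corrected(run_line):
    """Flags never count as evidence of pinning; only the package spec does.
    Limitation: options that take a separate value are not modelled here."""
    return [t for t in dnf_install_args(run_line)
            if not t.startswith("-") and not PINNED_SPEC.match(t)]

# Constructed Dockerfile lines, not taken from any real project.
SAMPLES = [
    "RUN dnf install -y zip -v",
    "RUN dnf install -v -y zip",
    "RUN dnf install -y zip-3.0-11.el9 && dnf clean all",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{line!r}: described={unpinned_described(line)} "
              f"corrected={unpinned_corrected(line)}")
```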