image misconfiguration incorrect reports COPY command has more than two arguments #5959

candrews · 2024-01-17T15:39:26Z

candrews
Jan 17, 2024

IDs

When a COPY command has more than two arguments, the last one should end with a slash.

Description

Trivy is incorrectly reporting that the Dockerfile COPY command has more than 2 arguments and therefore the last one should end with a slash, when in fact the COPY has only 2 arguments.

$ docker run -it aquasec/trivy:0.48.3 image --scanners misconfig --image-config-scanners misconfig eclipse-temurin:21-jre-alpine@sha256:9a21ac97b76e52f4b58d5d6c7fdd459cd600cce8724a31fc0a2b4346b35bced2
2024-01-17T15:38:22.314Z	INFO	Container image config scanners: ["misconfig"]
2024-01-17T15:38:22.314Z	INFO	Misconfiguration scanning is enabled
2024-01-17T15:38:22.314Z	INFO	Need to update the built-in policies
2024-01-17T15:38:22.314Z	INFO	Downloading the built-in policies...
44.93 KiB / 44.93 KiB [-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% ? p/s 0s
2024-01-17T15:38:29.074Z	INFO	Detected config files: 1

eclipse-temurin:21-jre-alpine@sha256:9a21ac97b76e52f4b58d5d6c7fdd459cd600cce8724a31fc0a2b4346b35bced2 (dockerfile)

Tests: 26 (SUCCESSES: 23, FAILURES: 3, EXCEPTIONS: 0)
Failures: 3 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 1, CRITICAL: 1)

HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


CRITICAL: Slash is expected at the end of COPY command argument '/__cacert_entrypoint.sh'
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
When a COPY command has more than two arguments, the last one should end with a slash.

See https://avd.aquasec.com/misconfig/ds011
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 eclipse-temurin:21-jre-alpine@sha256:9a21ac97b76e52f4b58d5d6c7fdd459cd600cce8724a31fc0a2b4346b35bced2:8
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   8 [ COPY file:8b8864b3e02a33a579dc216fd51b28a6047bc8eeaa03045b258980fe0cf7fcb3 in /__cacert_entrypoint.sh
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


LOW: Add HEALTHCHECK instruction in your Dockerfile
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.

See https://avd.aquasec.com/misconfig/ds026
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

The output even shows that the COPY command has 2 arguments:

   8 [ COPY file:8b8864b3e02a33a579dc216fd51b28a6047bc8eeaa03045b258980fe0cf7fcb3 in /__cacert_entrypoint.sh

Reproduction Steps

1. `docker run -it aquasec/trivy:0.48.3 image --scanners misconfig --image-config-scanners misconfig eclipse-temurin:21-jre-alpine@sha256:9a21ac97b76e52f4b58d5d6c7fdd459cd600cce8724a31fc0a2b4346b35bced2`

Target

Container Image

Scanner

Misconfiguration

Target OS

No response

Debug Output

$ docker run -it aquasec/trivy:0.48.3 image --scanners misconfig --image-config-scanners misconfig eclipse-temurin:21-jre-alpine@sha256:9a21ac97b76e52f4b58d5d6c7fdd459cd600cce8724a31fc0a2b4346b35bced2 --debug
2024-01-17T15:39:08.957Z	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2024-01-17T15:39:08.957Z	DEBUG	Ignore statuses	{"statuses": null}
2024-01-17T15:39:09.000Z	DEBUG	cache dir:  /root/.cache/trivy
2024-01-17T15:39:09.000Z	INFO	Container image config scanners: ["misconfig"]
2024-01-17T15:39:09.000Z	INFO	Misconfiguration scanning is enabled
2024-01-17T15:39:09.000Z	DEBUG	Failed to open the policy metadata: open /root/.cache/trivy/policy/metadata.json: no such file or directory
2024-01-17T15:39:09.000Z	INFO	Need to update the built-in policies
2024-01-17T15:39:09.000Z	INFO	Downloading the built-in policies...
2024-01-17T15:39:09.000Z	DEBUG	Using URL: ghcr.io/aquasecurity/trivy-policies:0 to load policy bundle
44.93 KiB / 44.93 KiB [-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% ? p/s 0s
2024-01-17T15:39:09.381Z	DEBUG	Digest of the built-in policies: sha256:f21e8e92a7b3f6042ef7acfd3b799afc1648536dc4111c4d5458bc16396f8332
2024-01-17T15:39:09.381Z	DEBUG	Policies successfully loaded from disk
2024-01-17T15:39:09.381Z	DEBUG	Enabling misconfiguration scanners: [azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan]
2024-01-17T15:39:09.783Z	DEBUG	The nuget packages directory couldn't be found. License search disabled
2024-01-17T15:39:09.881Z	DEBUG	Image ID: sha256:b4914e3ddb9fa05c8af3baf74fbaef1144b3a122bb31e75a4d0cccf10c8b5a87
2024-01-17T15:39:09.881Z	DEBUG	Diff IDs: [sha256:9fe9a137fd002363ac64f5af66146702432b638a83ee0c5b620c40a9e433e813 sha256:7abd4b3fb4115914d6a18a0dddb160a34af9846edff3646538a3aea938eab0cc sha256:d36ff97037f74c0035aa5d253f1422bebf131e0c5f48152d01cd6428f22cf8b0 sha256:3db3cb64716a690aa3f1df0fd115eba38ca6f84c24719353b1df4ae54360679b sha256:815f5786cd2e0eae64edf17602ee757870ecead97c6d81e4e12a4f0e56ddaa80]
2024-01-17T15:39:09.881Z	DEBUG	Base Layers: [sha256:9fe9a137fd002363ac64f5af66146702432b638a83ee0c5b620c40a9e433e813]
2024-01-17T15:39:09.936Z	DEBUG	Missing image ID in cache: sha256:b4914e3ddb9fa05c8af3baf74fbaef1144b3a122bb31e75a4d0cccf10c8b5a87
2024-01-17T15:39:09.937Z	DEBUG	Missing diff ID in cache: sha256:9fe9a137fd002363ac64f5af66146702432b638a83ee0c5b620c40a9e433e813
2024-01-17T15:39:09.937Z	DEBUG	Missing diff ID in cache: sha256:815f5786cd2e0eae64edf17602ee757870ecead97c6d81e4e12a4f0e56ddaa80
2024-01-17T15:39:09.937Z	DEBUG	Missing diff ID in cache: sha256:3db3cb64716a690aa3f1df0fd115eba38ca6f84c24719353b1df4ae54360679b
2024-01-17T15:39:09.937Z	DEBUG	Missing diff ID in cache: sha256:d36ff97037f74c0035aa5d253f1422bebf131e0c5f48152d01cd6428f22cf8b0
2024-01-17T15:39:09.937Z	DEBUG	Missing diff ID in cache: sha256:7abd4b3fb4115914d6a18a0dddb160a34af9846edff3646538a3aea938eab0cc
2024-01-17T15:39:10.129Z	DEBUG	Skipping directory: dev
2024-01-17T15:39:10.729Z	DEBUG	Skipping directory: proc
2024-01-17T15:39:10.736Z	DEBUG	Skipping directory: sys
2024-01-17T15:39:15.191Z	DEBUG	Scanning Dockerfile files for misconfigurations...
2024-01-17T15:39:15.192Z	DEBUG	[misconf] 39:15.192625849 dockerfile.scanner.rego          Overriding filesystem for policies!
2024-01-17T15:39:15.229Z	DEBUG	[misconf] 39:15.229398901 dockerfile.scanner.rego          Loaded 188 policies from disk.
2024-01-17T15:39:15.229Z	DEBUG	[misconf] 39:15.229780454 dockerfile.scanner.rego          Overriding filesystem for data!
2024-01-17T15:39:15.531Z	DEBUG	[misconf] 39:15.531608496 dockerfile.scanner.rego          Scanning 1 inputs...
2024-01-17T15:39:15.564Z	DEBUG	No secrets found in container image config
2024-01-17T15:39:15.587Z	INFO	Detected config files: 1
2024-01-17T15:39:15.587Z	DEBUG	Scanned config file: eclipse-temurin:21-jre-alpine@sha256:9a21ac97b76e52f4b58d5d6c7fdd459cd600cce8724a31fc0a2b4346b35bced2

eclipse-temurin:21-jre-alpine@sha256:9a21ac97b76e52f4b58d5d6c7fdd459cd600cce8724a31fc0a2b4346b35bced2 (dockerfile)

Tests: 26 (SUCCESSES: 23, FAILURES: 3, EXCEPTIONS: 0)
Failures: 3 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 1, CRITICAL: 1)

HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


CRITICAL: Slash is expected at the end of COPY command argument '/__cacert_entrypoint.sh'
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
When a COPY command has more than two arguments, the last one should end with a slash.

See https://avd.aquasec.com/misconfig/ds011
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 eclipse-temurin:21-jre-alpine@sha256:9a21ac97b76e52f4b58d5d6c7fdd459cd600cce8724a31fc0a2b4346b35bced2:8
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   8 [ COPY file:8b8864b3e02a33a579dc216fd51b28a6047bc8eeaa03045b258980fe0cf7fcb3 in /__cacert_entrypoint.sh
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


LOW: Add HEALTHCHECK instruction in your Dockerfile
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.

See https://avd.aquasec.com/misconfig/ds026
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Version

Version: 0.48.3

Checklist

Read the documentation regarding wrong detection
Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

candrews · 2024-01-17T15:41:56Z

candrews
Jan 17, 2024
Author

The problem appears to be in https://github.com/aquasecurity/trivy-policies/blob/main/checks/docker/copy_with_more_than_two_arguments_not_ending_with_slash.rego - @simar7 appears to be the individual working in that area.

0 replies

candrews · 2024-01-17T16:32:10Z

candrews
Jan 17, 2024
Author

Here's the relevant line in the Dockerfile that produces that image: https://github.com/adoptium/containers/blob/a6be406db8c418753541b409fcc06dde5db99308/21/jre/alpine/Dockerfile#L79

0 replies

candrews · 2024-01-17T17:08:15Z

candrews
Jan 17, 2024
Author

I submitted a pull requests at aquasecurity/trivy-checks#56 which (once someone helps me get it right) will fix this issue.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

image misconfiguration incorrect reports COPY command has more than two arguments #5959

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 3 comments

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

Select a reply

image misconfiguration incorrect reports COPY command has more than two arguments #5959

candrews Jan 17, 2024

IDs

Description

Reproduction Steps

Target

Scanner

Target OS

Debug Output

Version

Checklist

Replies: 3 comments

candrews Jan 17, 2024 Author

candrews Jan 17, 2024 Author

candrews Jan 17, 2024 Author

candrews
Jan 17, 2024

candrews
Jan 17, 2024
Author

candrews
Jan 17, 2024
Author

candrews
Jan 17, 2024
Author