misconfig: HIGH: There are X duplicate CMD instructions falsely #7320

candrews · 2024-08-08T18:39:40Z

candrews
Aug 8, 2024

IDs

ds016

Description

Trivy misconfiguration scan incorrectly reports duplicate CMD instructions for some docker images.

Trivy seems to be looking for CMD instructions in all of the layers of the docker image. Instead, it should only be looking at the final image.

Here's an example:

$ docker run -it aquasec/trivy:0.54.1 image --scanners misconfig --image-config-scanners misconfig registry.access.redhat.com/ubi8/python-312:1-16.1721725207
registry.access.redhat.com/ubi8/python-312:1-16.1721725207 (dockerfile)

Tests: 28 (SUCCESSES: 24, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 1, CRITICAL: 2)

CRITICAL: Slash is expected at the end of COPY command argument '$STI_SCRIPTS_PATH'
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
When a COPY command has more than two arguments, the last one should end with a slash.

See https://avd.aquasec.com/misconfig/ds011
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 registry.access.redhat.com/ubi8/python-312:1-16.1721725207:66
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  66 [ COPY dir:bbef9bf403af8fa6579452e0550bf6bb61326be94d87e66c82243095f8aeb446 in $STI_SCRIPTS_PATH
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


CRITICAL: Slash is expected at the end of COPY command argument '/opt/wheels'
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
When a COPY command has more than two arguments, the last one should end with a slash.

See https://avd.aquasec.com/misconfig/ds011
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 registry.access.redhat.com/ubi8/python-312:1-16.1721725207:68
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  68 [ COPY dir:5e283e09fcde7e88f28a5bf961c010f21e93095558bf27569a97b3a49fb19e30 in /opt/wheels
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


HIGH: There are 3 duplicate CMD instructions
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
There can only be one CMD instruction in a Dockerfile. If you list more than one CMD then only the last CMD will take effect.

See https://avd.aquasec.com/misconfig/ds016
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 registry.access.redhat.com/ubi8/python-312:1-16.1721725207:35
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  35 [ CMD ["base-usage"]
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


LOW: Add HEALTHCHECK instruction in your Dockerfile
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.

See https://avd.aquasec.com/misconfig/ds026
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

The Dockerfile for this image can be seen at https://catalog.redhat.com/software/containers/ubi8/python-312/657c12cade3664622a12ed50?container-tabs=dockerfile - it contains exactly 1 CMD so it does not violate the https://avd.aquasec.com/misconfig/ds016 rule.

Reproduction Steps

1. `docker run -it aquasec/trivy:0.54.1 image --scanners misconfig --image-config-scanners misconfig registry.access.redhat.com/ubi8/python-312:1-16.1721725207`

Actual: "HIGH: There are 3 duplicate CMD instructions" is reported

Expected: No such finding should be reported

Target

Container Image

Scanner

Misconfiguration

Target OS

No response

Debug Output

$ docker run -it aquasec/trivy:0.54.1 image --debug --scanners misconfig --image-config-scanners misconfig registry.access.redhat.com/ubi8/python-312:1-16.1721725207
2024-08-08T18:38:05Z	DEBUG	Cache dir	dir="/root/.cache/trivy"
2024-08-08T18:38:05Z	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-08-08T18:38:05Z	DEBUG	Ignore statuses	statuses=[]
2024-08-08T18:38:05Z	INFO	[image] Container image config scanners	scanners=[misconfig]
2024-08-08T18:38:05Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-08-08T18:38:05Z	DEBUG	Failed to open the check metadata	err="open /root/.cache/trivy/policy/metadata.json: no such file or directory"
2024-08-08T18:38:05Z	INFO	Need to update the built-in policies
2024-08-08T18:38:05Z	INFO	Downloading the built-in policies...
2024-08-08T18:38:05Z	DEBUG	Loading check bundle	repository="ghcr.io/aquasecurity/trivy-checks:0"
74.86 KiB / 74.86 KiB [-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% ? p/s 0s
2024-08-08T18:38:05Z	DEBUG	Digest of the built-in policies	digest="sha256:ef2d9ad4fce0f933b20a662004d7e55bf200987c180e7f2cd531af631f408bb3"
2024-08-08T18:38:05Z	DEBUG	[misconfig] Policies successfully loaded from disk
2024-08-08T18:38:05Z	DEBUG	Enabling misconfiguration scanners	scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-08-08T18:38:05Z	DEBUG	Initializing scan cache...	type="fs"
2024-08-08T18:38:07Z	DEBUG	[image] Detected image ID	image_id="sha256:5d3de3428a507c1567a2bb2fe4f5bda919ac8babb04b621538b74d7fd265f3ff"
2024-08-08T18:38:07Z	DEBUG	[image] Detected diff ID	diff_ids=[sha256:41fdab9a4e32b1a427aef2d9537ed8c34cae55ba76471c1a3b1e2a31819dacd6 sha256:09057cb70b4cc786df3b5a67120db8120d9ae445772ef020c90ad01af2b44032 sha256:4e29796b4201fba751b920fb5db529ac2be5dc80ea177b53d7c6e89a3cdc0e03 sha256:a8119cf37e14df02ad14d42e557dd886b3345c3859f2a568018e9f090411c5da]
2024-08-08T18:38:07Z	DEBUG	[image] Detected base layers	diff_ids=[]
2024-08-08T18:38:07Z	DEBUG	[image] Missing image ID in cache	image_id="sha256:5d3de3428a507c1567a2bb2fe4f5bda919ac8babb04b621538b74d7fd265f3ff"
2024-08-08T18:38:07Z	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:41fdab9a4e32b1a427aef2d9537ed8c34cae55ba76471c1a3b1e2a31819dacd6"
2024-08-08T18:38:07Z	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:09057cb70b4cc786df3b5a67120db8120d9ae445772ef020c90ad01af2b44032"
2024-08-08T18:38:07Z	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:4e29796b4201fba751b920fb5db529ac2be5dc80ea177b53d7c6e89a3cdc0e03"
2024-08-08T18:38:07Z	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:a8119cf37e14df02ad14d42e557dd886b3345c3859f2a568018e9f090411c5da"
2024-08-08T18:38:26Z	INFO	[python] License acquired from METADATA classifiers may be subject to additional terms	name="chardet" version="3.0.4"
2024-08-08T18:38:26Z	INFO	[python] License acquired from METADATA classifiers may be subject to additional terms	name="decorator" version="4.2.1"
2024-08-08T18:38:26Z	INFO	[python] License acquired from METADATA classifiers may be subject to additional terms	name="idna" version="2.5"
2024-08-08T18:38:26Z	INFO	[python] License acquired from METADATA classifiers may be subject to additional terms	name="iniparse" version="0.4"
2024-08-08T18:38:26Z	INFO	[python] License acquired from METADATA classifiers may be subject to additional terms	name="pyinotify" version="0.9.6"
2024-08-08T18:38:26Z	INFO	[python] License acquired from METADATA classifiers may be subject to additional terms	name="python-dateutil" version="2.6.1"
2024-08-08T18:38:26Z	INFO	[python] License acquired from METADATA classifiers may be subject to additional terms	name="requests" version="2.20.0"
2024-08-08T18:38:26Z	INFO	[python] License acquired from METADATA classifiers may be subject to additional terms	name="setuptools" version="39.2.0"
2024-08-08T18:38:26Z	INFO	[python] License acquired from METADATA classifiers may be subject to additional terms	name="six" version="1.11.0"
2024-08-08T18:38:26Z	INFO	[python] License acquired from METADATA classifiers may be subject to additional terms	name="urllib3" version="1.24.2"
2024-08-08T18:38:26Z	INFO	[python] License acquired from METADATA classifiers may be subject to additional terms	name="dbus-python" version="1.2.4"
2024-08-08T18:38:26Z	INFO	[python] License acquired from METADATA classifiers may be subject to additional terms	name="ethtool" version="0.14"
2024-08-08T18:38:26Z	INFO	[python] License acquired from METADATA classifiers may be subject to additional terms	name="gpg" version="1.13.1"
2024-08-08T18:38:26Z	INFO	[python] License acquired from METADATA classifiers may be subject to additional terms	name="libcomps" version="0.1.18"
2024-08-08T18:38:26Z	INFO	[python] License acquired from METADATA classifiers may be subject to additional terms	name="PyGObject" version="3.28.3"
2024-08-08T18:38:26Z	INFO	[python] License acquired from METADATA classifiers may be subject to additional terms	name="subscription-manager" version="1.28.42"
2024-08-08T18:38:26Z	INFO	[python] License acquired from METADATA classifiers may be subject to additional terms	name="systemd-python" version="234"
2024-08-08T18:38:28Z	INFO	[python] License acquired from METADATA classifiers may be subject to additional terms	name="pip" version="23.2.1"
2024-08-08T18:38:28Z	INFO	[python] License acquired from METADATA classifiers may be subject to additional terms	name="pip" version="23.2.1"
2024-08-08T18:38:28Z	DEBUG	Scanning files for misconfigurations...	scanner="Helm"
2024-08-08T18:38:28Z	DEBUG	[misconf] 38:28.426511724 helm.scanner.rego                Overriding filesystem for checks!
2024-08-08T18:38:28Z	DEBUG	[misconf] 38:28.427211969 helm.scanner.rego                Loaded 3 embedded libraries.
2024-08-08T18:38:28Z	DEBUG	[misconf] 38:28.458336582 helm.scanner.rego                Loaded 192 embedded policies.
2024-08-08T18:38:28Z	DEBUG	[misconf] 38:28.497282492 helm.scanner.rego                Loaded 195 checks from disk.
2024-08-08T18:38:28Z	DEBUG	[misconf] 38:28.497659261 helm.scanner.rego                Overriding filesystem for data!
2024-08-08T18:38:33Z	DEBUG	Scanning files for misconfigurations...	scanner="Helm"
2024-08-08T18:38:33Z	DEBUG	Scanning files for misconfigurations...	scanner="Dockerfile"
2024-08-08T18:38:33Z	DEBUG	[misconf] 38:33.344126645 dockerfile.scanner.rego          Overriding filesystem for checks!
2024-08-08T18:38:33Z	DEBUG	[misconf] 38:33.345946131 dockerfile.scanner.rego          Loaded 3 embedded libraries.
2024-08-08T18:38:33Z	DEBUG	[misconf] 38:33.392725788 dockerfile.scanner.rego          Loaded 192 embedded policies.
2024-08-08T18:38:33Z	DEBUG	[misconf] 38:33.444153749 dockerfile.scanner.rego          Loaded 195 checks from disk.
2024-08-08T18:38:33Z	DEBUG	[misconf] 38:33.444480747 dockerfile.scanner.rego          Overriding filesystem for data!
2024-08-08T18:38:33Z	DEBUG	[misconf] 38:33.725209384 dockerfile.scanner.rego          Scanning 1 inputs...
2024-08-08T18:38:33Z	DEBUG	No secrets found in container image config
2024-08-08T18:38:33Z	INFO	Detected config files	num=1
2024-08-08T18:38:33Z	DEBUG	Scanned config file	file_path="registry.access.redhat.com/ubi8/python-312:1-16.1721725207"
2024-08-08T18:38:33Z	DEBUG	[vex] VEX filtering is disabled

registry.access.redhat.com/ubi8/python-312:1-16.1721725207 (dockerfile)

Tests: 28 (SUCCESSES: 24, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 1, CRITICAL: 2)

CRITICAL: Slash is expected at the end of COPY command argument '$STI_SCRIPTS_PATH'
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
When a COPY command has more than two arguments, the last one should end with a slash.

See https://avd.aquasec.com/misconfig/ds011
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 registry.access.redhat.com/ubi8/python-312:1-16.1721725207:66
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  66 [ COPY dir:bbef9bf403af8fa6579452e0550bf6bb61326be94d87e66c82243095f8aeb446 in $STI_SCRIPTS_PATH
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


CRITICAL: Slash is expected at the end of COPY command argument '/opt/wheels'
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
When a COPY command has more than two arguments, the last one should end with a slash.

See https://avd.aquasec.com/misconfig/ds011
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 registry.access.redhat.com/ubi8/python-312:1-16.1721725207:68
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  68 [ COPY dir:5e283e09fcde7e88f28a5bf961c010f21e93095558bf27569a97b3a49fb19e30 in /opt/wheels
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


HIGH: There are 3 duplicate CMD instructions
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
There can only be one CMD instruction in a Dockerfile. If you list more than one CMD then only the last CMD will take effect.

See https://avd.aquasec.com/misconfig/ds016
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 registry.access.redhat.com/ubi8/python-312:1-16.1721725207:35
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  35 [ CMD ["base-usage"]
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


LOW: Add HEALTHCHECK instruction in your Dockerfile
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.

See https://avd.aquasec.com/misconfig/ds026
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Version

0.54.1

Checklist

Read the documentation regarding wrong detection
Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

simar7 · 2024-08-08T21:43:24Z

simar7
Aug 8, 2024
Maintainer

I believe this is due to the fact that Trivy scans the final merged layer for any problems. In this case the dockerfile doesn't contain the issues you are looking at but most likely the base image (and it's layers) do. Correct me if I'm wrong @knqyf263.

2 replies

knqyf263 Aug 9, 2024
Maintainer

Yes, but the final image has all the history.

$ docker history registry.access.redhat.com/ubi8/python-312:1-16.1721725207 | grep CMD
<missing>      2 weeks ago   /bin/sh -c #(nop) CMD $STI_SCRIPTS_PATH/usage    0B
<missing>      6 weeks ago   /bin/sh -c #(nop) CMD ["base-usage"]             0B
<missing>      6 weeks ago   /bin/sh -c #(nop) CMD ["/bin/bash"]              0B

We currently apply all checks to image metadata scanning, but some checks probably don't make sense.
@simar7 Is it possible to disable this check only when scanning images?

simar7 Aug 22, 2024
Maintainer

Makes sense - I've opened #7368 to track.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

misconfig: HIGH: There are X duplicate CMD instructions falsely #7320

{{title}}

Replies: 1 comment 2 replies

{{title}}

{{title}}

{{title}}

Select a reply

misconfig: HIGH: There are X duplicate CMD instructions falsely #7320

candrews Aug 8, 2024

IDs

Description

Reproduction Steps

Target

Scanner

Target OS

Debug Output

Version

Checklist

Replies: 1 comment · 2 replies

simar7 Aug 8, 2024 Maintainer

knqyf263 Aug 9, 2024 Maintainer

simar7 Aug 22, 2024 Maintainer

candrews
Aug 8, 2024

Replies: 1 comment 2 replies

simar7
Aug 8, 2024
Maintainer

knqyf263 Aug 9, 2024
Maintainer

simar7 Aug 22, 2024
Maintainer