bug: false positive AVD-DS-0011 #5392
Comments
Hi @vmarchese! What are your versions of docker and Trivy?

@vmarchese Thanks! Can you show the output of the
btw, this is a "from scratch" image with a go executable inside. The Dockerfile snippet in question is:

```dockerfile
FROM scratch
WORKDIR /app
EXPOSE 8080 2112
# Import from builder.
COPY --from=builder /usr/share/zoneinfo /usr/share/zoneinfo
COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
COPY --from=builder /etc/passwd /etc/passwd
COPY --from=builder /workspace/bin/server /app/server
COPY banner.txt /app/banner.txt
# Use an unprivileged user.
USER appuser
ENTRYPOINT ["/app/server"]
```

I think the count of the COPY args could be fixed by filtering out the flags with something like:

```rego
count_args := [ x | x := copy.Value[_]; not startswith(x, "--")]
cnt := count(count_args) -1
```

or better...

```rego
cnt := count([ x | x := copy.Value[_]; not startswith(x, "--")]) -1
```
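As an added illustration (not Trivy's code and not the trivy-checks Rego), the following Python model contrasts the two ways of counting COPY arguments discussed in the comment above, run over the final stage of the Dockerfile from this issue. The rule logic itself (more than one source requires a destination ending in `/`) is assumed from the check's file name; `parse_copy_args`, `ds0011_violation` and `scan_dockerfile` are names chosen here, not Trivy APIs.

```python
import json
import shlex

# Final stage of the Dockerfile from this issue, embedded as sample input.
SAMPLE_STAGE = """\
FROM scratch
WORKDIR /app
EXPOSE 8080 2112
COPY --from=builder /usr/share/zoneinfo /usr/share/zoneinfo
COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
COPY --from=builder /etc/passwd /etc/passwd
COPY --from=builder /workspace/bin/server /app/server
COPY banner.txt /app/banner.txt
USER appuser
ENTRYPOINT ["/app/server"]
"""


def parse_copy_args(instruction):
    """Split one COPY instruction into (flags, positional_args).

    Flags such as --from=builder or --chown=user:group precede the sources.
    Both the shell form (COPY a b /dst) and the exec form
    (COPY ["a", "b", "/dst"]) are handled.  Backslash line continuations
    are not joined here; the sample input has none.
    """
    text = instruction.strip()
    if text[:4].upper() != "COPY":
        raise ValueError("not a COPY instruction: %r" % instruction)
    rest = text[4:].strip()
    flags = []
    while rest.startswith("--"):
        flag, _, rest = rest.partition(" ")
        flags.append(flag)
        rest = rest.lstrip()
    if rest.startswith("["):
        positional = json.loads(rest)   # exec form is a JSON array
    else:
        positional = shlex.split(rest)  # shell form, honouring quotes
    return flags, positional


def ds0011_violation(instruction, count_flags):
    """Model of the DS-0011 check (assumed rule, after the check's name:
    when more than one source is given, the destination must end in "/").

    count_flags=True reproduces the reported behaviour, where flag tokens
    are counted as if they were source paths.  count_flags=False applies
    the filter suggested in the comment above (drop tokens starting "--").
    """
    flags, positional = parse_copy_args(instruction)
    tokens = flags + positional if count_flags else positional
    if len(tokens) < 2:
        return False  # malformed COPY; not this rule's concern
    sources, dest = tokens[:-1], tokens[-1]
    return len(sources) > 1 and not dest.endswith("/")


def scan_dockerfile(dockerfile, count_flags):
    """Return 1-based line numbers of COPY instructions the rule flags."""
    hits = []
    for lineno, line in enumerate(dockerfile.splitlines(), start=1):
        if line.strip().upper().startswith("COPY"):
            if ds0011_violation(line, count_flags):
                hits.append(lineno)
    return hits


if __name__ == "__main__":
    print("flags counted: ", scan_dockerfile(SAMPLE_STAGE, count_flags=True))   # [4, 6, 7]
    print("flags filtered:", scan_dockerfile(SAMPLE_STAGE, count_flags=False))  # []
```

Counting the `--from=builder` token as a source turns every two-argument COPY into a three-argument one, which is exactly the false positive reported here; dropping tokens that start with `--` before counting, as the Rego comprehension above does, still flags a genuine multi-source COPY such as `COPY a.txt b.txt /app`. Since the thread later shows the finding only appears for images built with BuildKit disabled, anyone tuning this check should verify it against image histories from both builders.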
@vmarchese Strangely, I have not been able to reproduce the problem:

```dockerfile
FROM alpine as builder
COPY test.txt /workspace/bin/test.txt
FROM scratch
WORKDIR /app
COPY --from=builder /workspace/bin/test.txt /app/test.txt
```

```
trivy image --image-config-scanners config test-img
2023-10-12T21:49:07.988+0700 INFO Container image config scanners: ["config"]
2023-10-12T21:49:07.989+0700 INFO Vulnerability scanning is enabled
2023-10-12T21:49:07.989+0700 INFO Misconfiguration scanning is enabled
2023-10-12T21:49:07.989+0700 INFO Secret scanning is enabled
2023-10-12T21:49:07.989+0700 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-10-12T21:49:07.989+0700 INFO Please see also https://aquasecurity.github.io/trivy/v0.45/docs/scanner/secret/#recommendation for faster secret detection
2023-10-12T21:49:08.100+0700 INFO Number of language-specific files: 0
```
I see a difference if I run trivy with

With my image I have:
@vmarchese

```
trivy image --image-config-scanners config test-img
2023-10-12T22:03:47.237+0700 INFO Container image config scanners: ["config"]
2023-10-12T22:03:47.237+0700 INFO Vulnerability scanning is enabled
2023-10-12T22:03:47.237+0700 INFO Misconfiguration scanning is enabled
2023-10-12T22:03:47.237+0700 INFO Secret scanning is enabled
2023-10-12T22:03:47.237+0700 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-10-12T22:03:47.237+0700 INFO Please see also https://aquasecurity.github.io/trivy/v0.45/docs/scanner/secret/#recommendation for faster secret detection
2023-10-12T22:03:47.826+0700 INFO Number of language-specific files: 0
2023-10-12T22:03:47.826+0700 INFO Detected config files: 1

test-img (dockerfile)

Tests: 26 (SUCCESSES: 25, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

LOW: Add HEALTHCHECK instruction in your Dockerfile
═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.

See https://avd.aquasec.com/misconfig/ds026
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
```

I think it needs to be investigated. Could you please share your full docker file?
yes, sorry, I had to hide some of the internal urls but it should not change anything. The build is done with Task and I have not included the relative task files...

```dockerfile
FROM golang:1.21.1-alpine3.18 AS builder
ARG GOPRIVATE=REDACTED
ARG GOINSECURE
ARG GONOPROXY
ARG GOPROXY=REDACTED
ARG projectKey
ARG version
LABEL builder=$projectKey
ENV projectKey=$projectKey
RUN apk update && \
    apk add --no-cache git=2.40.1-r0 \
    ca-certificates=20230506-r0 \
    tzdata=2023c-r1 && \
    update-ca-certificates && \
    adduser -D -g '' appuser
WORKDIR /workspace/
ENV GOPRIVATE=$GOPRIVATE
ENV GOINSECURE=$GOINSECURE
ENV GONOPROXY=$GONOPROXY
ENV GOPROXY=$GOPROXY
ENV GO111MODULE=on
RUN go install github.com/go-task/task/v3/cmd/[email protected] &&\
    go install github.com/mikefarah/yq/[email protected] &&\
    go install github.com/deepmap/oapi-codegen/cmd/[email protected]
# Download dependencies
COPY app/go.mod app/go.mod
COPY app/go.sum app/go.sum
WORKDIR /workspace/app
RUN go mod download
WORKDIR /workspace/
# Copy git files
COPY .git .git
# Copy the build code
COPY pipeline.yaml pipeline.yaml
COPY Taskfile.yaml Taskfile.yaml
COPY .config .config
COPY app app
ENV VERSION=$version
# Build proto and source code
RUN CGO_ENABLED=0 GOOS=linux task src:build

FROM sonarsource/sonar-scanner-cli:4.7 AS sonarscanner
WORKDIR /check
COPY ./app ./code
ARG version
ARG projectKey
ARG qualityGates
ARG token
ARG server
ARG skipSonar
COPY . ./code
ENV SONAR_HOST_URL="$server"
RUN if [ "$skipSonar" = "" ]; \
    then sonar-scanner \
        -Dsonar.projectKey=$projectKey \
        -Dsonar.projectVersion=$version \
        -Dsonar.sources=./code \
        -Dsonar.qualitygate.wait=$qualityGates \
        -Dsonar.exclusions=**/*_test.go,**/*.pb.go \
        -Dsonar.login=$token; \
    else \
        echo "-------------------------------"; \
        echo "SKIPPING SONARQUBE CHECKS"; \
        echo "-------------------------------"; \
    fi

FROM scratch
WORKDIR /app
EXPOSE 8080 2112
# Import from builder.
COPY --from=builder /usr/share/zoneinfo /usr/share/zoneinfo
COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
COPY --from=builder /etc/passwd /etc/passwd
COPY --from=builder /workspace/bin/server /app/server
COPY banner.txt /app/banner.txt
# Use an unprivileged user.
USER appuser
ENTRYPOINT ["/app/server"]
```
uhm... I suspect it has something to do with our CI/CD environment. Inspecting the images I get:

On my Mac:

The image built in docker (the one that has the errors):

Nevertheless, I guess the rego rule should be fixed.

Our CI/CD system has docker 20.10.17 and I see in the layers that the

maybe is that?

As a matter of fact this is the complete message:

@vmarchese I reproduced this with 20.10.17 docker.
This is easily reproduced by disabling the BuildKit:

```
DOCKER_BUILDKIT=0 docker build . -t test-img --no-cache
docker history test-img
IMAGE          CREATED          CREATED BY                                      SIZE      COMMENT
4a7104cf6b42   14 seconds ago   /bin/sh -c #(nop)  USER appuser                 0B
541a645d2e47   14 seconds ago   /bin/sh -c #(nop) COPY file:7e46c04ff62f9f5d…   4B
83f0e82295c3   14 seconds ago   /bin/sh -c #(nop) WORKDIR /app                  0B
```

@simar7 This has been fixed in aquasecurity/trivy-checks#56
Describe the bug

Scanning an image for Dockerfile misconfiguration with the command

with a layered Dockerfile containing a `COPY` command that copies a file from a builder layer as in:

```dockerfile
COPY --from=builder somefile /somepath/somefile
```

fails with the message

It looks like the rego rule implemented in copy_with_more_than_two_arguments_not_ending_with_slash.rego does not take into account the `COPY` command flags.

To Reproduce

Write a simple Dockerfile that copies a file from a builder image