
feat(misconf): improve AVD-DS-0017 rule #5643

Closed
2 tasks
nikpivkin opened this issue Nov 23, 2023 Discussed in #5641 · 1 comment
Labels: kind/feature (Categorizes issue or PR as related to a new feature); scan/misconfiguration (Issues relating to misconfiguration scanning)

Comments

@nikpivkin
Contributor

The list of package managers should be specified in the rule

Discussed in #5641

Originally posted by magnusja November 23, 2023

Description

Having sbt update in a Dockerfile results in

HIGH: The instruction 'RUN <package-manager> update' should always be followed by '<package-manager> install' in the same RUN statement.

It is an odd thing to assume that. I feel like this is true for apt, but other than that? Maybe you should be explicit about the actual package managers which follow this approach.

Desired Behavior

This error should not happen, especially because the only thing I can do is to ignore the whole Dockerfile and not only that particular command. Or is there a way to do so?

Actual Behavior

See description

Reproduction Steps

1. Have a Scala project
2. Use sbt
3. Call sbt update

Target

None

Scanner

None

Output Format

None

Mode

None

Debug Output

I don't know man, is this really necessary??

Operating System

CI

Version

Not sure, runs somewhere in our CI

Checklist
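To make the point of the discussion concrete, here is a small stand-alone checker (added as an example for this thread; it is not Trivy's or trivy-policies' rule implementation) that reproduces the AVD-DS-0017 logic with an explicit list of package managers. The manager list and the install subcommand mapping (apt, apt-get, apk, yum, dnf, zypper) are my own assumptions for the illustration, as is the constructed sample Dockerfile. With an explicit list, `RUN sbt update` is no longer flagged, while `RUN apt-get update` on its own still is:

```python
import json
import re
import shlex

# Package managers whose "update" only refreshes local metadata, and the
# subcommand that actually installs packages for each. This mapping is an
# assumption made for this example; it is not the list the trivy-policies
# rule uses, only an illustration of the explicit-list approach.
PACKAGE_MANAGERS = {
    "apt": {"install"},
    "apt-get": {"install"},
    "apk": {"add"},
    "yum": {"install"},
    "dnf": {"install"},
    "zypper": {"install", "in"},
}


def run_instructions(dockerfile):
    """Return the argument text of every RUN instruction.

    Backslash line continuations are joined first, so a multi-line RUN is
    treated as the single instruction Docker sees.
    """
    joined = re.sub(r"\\\s*\n", " ", dockerfile)
    runs = []
    for line in joined.splitlines():
        stripped = line.strip()
        if re.match(r"(?i)^RUN\s", stripped):
            runs.append(stripped[3:].strip())
    return runs


def commands_in_run(run_args):
    """Split one RUN into individual argv lists.

    Exec form (RUN ["apt-get", "update"]) is a single command. Shell form is
    split on &&, ||, ; and | before tokenizing each piece with shlex.
    """
    if run_args.startswith("["):
        try:
            return [json.loads(run_args)]
        except ValueError:
            pass  # not valid JSON; fall through and treat as shell form
    argvs = []
    for piece in re.split(r"&&|\|\||;|\|", run_args):
        piece = piece.strip()
        if not piece:
            continue
        try:
            argv = shlex.split(piece)
        except ValueError:
            argv = piece.split()  # unbalanced quotes: fall back to whitespace split
        if argv and argv[0] == "sudo":
            argv = argv[1:]
        if argv:
            argvs.append(argv)
    return argvs


def check_update_alone(dockerfile):
    """Return the package managers that run "update" without an install
    subcommand in the same RUN, in Dockerfile order."""
    findings = []
    for run_args in run_instructions(dockerfile):
        updated, installed = set(), set()
        for argv in commands_in_run(run_args):
            pm = argv[0]
            if pm not in PACKAGE_MANAGERS:
                continue  # e.g. "sbt update": not a system package manager
            subcommands = set(argv[1:])
            if "update" in subcommands:
                updated.add(pm)
            if subcommands & PACKAGE_MANAGERS[pm]:
                installed.add(pm)
        findings.extend(sorted(updated - installed))
    return findings


# Constructed sample Dockerfile covering the cases raised in the issue
# (the base image is a placeholder; the RUN lines are what matters here).
SAMPLE_DOCKERFILE = """\
FROM example/base:latest
RUN apt-get update
RUN apt-get update && \\
    apt-get install -y --no-install-recommends curl && \\
    rm -rf /var/lib/apt/lists/*
RUN ["apk", "update"]
RUN sbt update
RUN apk update && apk add --no-cache git
"""

if __name__ == "__main__":
    for pm in check_update_alone(SAMPLE_DOCKERFILE):
        print(f"HIGH: '{pm} update' is not followed by an install in the same RUN")
```

On the sample above only the first `apt-get update` and the exec-form `apk update` are reported; the `sbt update` line and the two correctly paired RUNs pass.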

@nikpivkin nikpivkin added kind/bug Categorizes issue or PR as related to a bug. scan/misconfiguration Issues relating to misconfiguration scanning kind/feature Categorizes issue or PR as related to a new feature. and removed kind/bug Categorizes issue or PR as related to a bug. labels Nov 23, 2023
@simar7 simar7 added this to the v0.51.0 milestone Mar 9, 2024
@nikpivkin
Contributor Author

@simar7 The PR in trivy-policies has been merged.

@simar7 simar7 closed this as completed Mar 26, 2024