Query bug: "Copy With More Than Two Arguments Not Ending With Slash"

[tspearconquest]

Found a bug? You're welcome to

• Please make sure to:
  • Describe in details what the problem is
  • Attach a log file with relevant data preferably in DEBUG level (--log-level=DEBUG)
  • Attach the scanned sample files, anonymize the data if the original file cannot be provided
  • When attaching files to the issue make sure they are properly formatted

Expected Behavior

When running KICS against a dockerfile with a line such as below, I expect KICS to not report against the query mentioned in the subject:

COPY --from=example-stage --chown=0:0 /some/path /some/path

Actual Behavior

Copy With More Than Two Arguments Not Ending With Slash, Severity: HIGH, Results: 1

Steps to Reproduce the Problem

(Command line arguments and flags used)

1. Make a dockerfile which uses 2 flags to the COPY command, as well as the source and destination paths. Such flags as --chown and --from
2. Run KICS

I will provide my full Dockerfile in the first comment

[tspearconquest]

Dockerfile:

ARG BUILDER_VERSION
ARG BUILDER_TYPE
ARG IMAGE_VERSION
ARG PACKAGE_VERSION
### Build from source
FROM golang:1.19.5-alpine as prep
# I use a customized golang image to perform builds without root privileges, but have modified this dockerfile to reflect the upstream golang image, don't use this Dockerfile to try to build anything, as it may not work

RUN apk --quiet --update --no-cache add \
    build-base==0.5-r3 \
    git==2.36.4-r0 \
 && mkdir -p /go/.cache /go/src /home/golang \
 && chown 65532:65532 /go/.cache /go/bin /go/src /home/golang

# Switch to user for build
USER 65532

FROM prep as tflint-deps
USER 65532

ARG GOCACHE=/go/.cache GOMODCACHE=/go/.cache
ARG IMAGE_VERSION

RUN mkdir -p /go/src/github.com/terraform-linters \
 && git -C /go/src/github.com/terraform-linters clone -b "v${IMAGE_VERSION}" --depth 1 https://github.com/terraform-linters/tflint.git \
 && cd /go/src/github.com/terraform-linters/tflint \
 && go mod tidy \
 && go mod download

FROM tflint-deps as tflint-builder
USER 65532

WORKDIR /go/src/github.com/terraform-linters/tflint

RUN make

FROM prep as tflint-plugin-azurerm-deps
USER 65532

ARG GOCACHE=/go/.cache GOMODCACHE=/go/.cache
ARG PACKAGE_VERSION

RUN mkdir -p /go/src/github.com/terraform-linters \
 && git -C /go/src/github.com/terraform-linters clone -b "v${PACKAGE_VERSION}" --depth 1 https://github.com/terraform-linters/tflint-ruleset-azurerm.git \
 && cd /go/src/github.com/terraform-linters/tflint-ruleset-azurerm \
 && go mod tidy \
 && go mod download

FROM tflint-plugin-azurerm-deps as tflint-plugin-azurerm-builder
USER 65532

WORKDIR /go/src/github.com/terraform-linters/tflint-ruleset-azurerm

RUN make

FROM alpine:${BUILDER_VERSION}${BUILDER_TYPE} as image
USER 0

RUN addgroup -S -g 65532 tflint \
 && adduser -S -D -H -u 65532 -g 65532 tflint \
 && mkdir -p /home/tflint/.tflint.d/plugins \
 && chown -R tflint:tflint /home/tflint/.tflint.d

## The 2 lines below are the ones causing KICS to flag the COPY commands.
## The KICS query needs to do more than simply check the number of arguments to the COPY command.
## It needs to also consider whether the extra arguments are flags to the copy command or are paths.
## If multiple source paths are provided, then yes this would be a valid finding.
## In my case, I am only providing one source path, but KICS doesn't identify that; instead it only counts the args
## and then presents the query in the output (incorrectly)

COPY --from=tflint-builder --chown 0:0 /go/src/github.com/terraform-linters/tflint/dist/tflint /usr/local/bin/tflint
COPY --from=tflint-plugin-azurerm-builder --chown=0:0 /go/src/github.com/terraform-linters/tflint-ruleset-azurerm/tflint-ruleset-azurerm /home/tflint/.tflint.d/plugins

ENV PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

USER 65532

ENTRYPOINT [ "tflint" ]
WORKDIR /data

[tspearconquest]

Issue was mine, I missed an = sign in the first COPY line --chown flag. Once added, this no longer comes.