Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code with KICS by Checkmarx.
### Expected Behavior

Preferred: No rule hit. Alternatively: a message that's appropriate.

### Actual Behavior

Consider the dockerfile content on this page: https://github.com/jenkinsci/docker/blob/217e7c7264738531d869fb8991b8211dc976c785/README.md

```dockerfile
FROM jenkins/jenkins:lts-jdk17
COPY --chown=jenkins:jenkins plugins.txt /usr/share/jenkins/ref/plugins.txt
RUN jenkins-plugin-cli -f /usr/share/jenkins/ref/plugins.txt
```

At no point are executable files copied, but the message states (confusingly) that executables need not be owned by others than root:

> "It is considered a best practice for every executable in a container to be owned by the root user even if it is executed by a non-root user, only execution permissions are required on the file, not ownership"

https://github.com/Checkmarx/kics/blob/ce3cbd0c18ef09ad6ad17e34d0e83e6eba47b470/assets/queries/dockerfile/chown_flag_exists/query.rego

Having --chown in a dockerfile doesn't mean that something is an executable. The link to docker's documentation doesn't seem to have any elaboration on the matter.

### Steps to Reproduce the Problem

(Command line arguments and flags used)

### Specifications

(N/A if not applicable)
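As an added illustration (not part of this issue and not KICS's own query.rego), the following Python check shows the distinction the report is making: it parses COPY/ADD instructions, and reports a `--chown` source only when that source actually carries an execute bit in the build context. The build context, the `init.sh` script and the second COPY line are constructed for the example.

```python
import re
import shlex
import stat
import tempfile
from pathlib import Path

# COPY/ADD instruction: optional --flags, then one or more sources and a dest.
_INSTR_RE = re.compile(r"^\s*(COPY|ADD)\s+(.*)$", re.IGNORECASE)
_EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH  # any execute bit

def parse_copy_instructions(dockerfile_text):
    """Yield (instruction, flags, sources, dest) for each COPY/ADD line."""
    text = re.sub(r"\\\r?\n", " ", dockerfile_text)  # join continued lines
    for m in filter(None, map(_INSTR_RE.match, text.splitlines())):
        tokens = shlex.split(m.group(2))
        flags = {}
        while tokens and tokens[0].startswith("--"):  # --chown=u:g, --chmod=755
            key, _, value = tokens.pop(0)[2:].partition("=")
            flags[key] = value
        if len(tokens) >= 2:  # at least one source plus a destination
            yield m.group(1).upper(), flags, tokens[:-1], tokens[-1]

def find_chowned_executables(dockerfile_text, context_dir):
    """Return (instruction, owner, source) for --chown sources with an exec bit."""
    hits = []
    for instr, flags, sources, _dest in parse_copy_instructions(dockerfile_text):
        if "chown" not in flags:  # presence of --chown alone is not reported
            continue
        for src in sources:
            path = Path(context_dir, src)
            if path.is_file() and path.stat().st_mode & _EXEC_BITS:
                hits.append((instr, flags["chown"], src))
    return hits

def demo():
    """Constructed build context: the issue's plugins.txt plus a made-up script."""
    dockerfile = (
        "FROM jenkins/jenkins:lts-jdk17\n"
        "COPY --chown=jenkins:jenkins plugins.txt /usr/share/jenkins/ref/plugins.txt\n"
        "COPY --chown=jenkins:jenkins init.sh /usr/local/bin/init.sh\n"  # constructed
    )
    with tempfile.TemporaryDirectory() as ctx:
        Path(ctx, "plugins.txt").write_text("git:latest\n")  # plain data file
        script = Path(ctx, "init.sh")
        script.write_text("#!/bin/sh\necho started\n")
        script.chmod(0o755)  # executable: the only case worth reporting
        return find_chowned_executables(dockerfile, ctx)
```

Run `demo()` to see that only `init.sh` is reported, while the `plugins.txt` line from the issue produces no finding.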