anchore / anchore-engine

A service that analyzes docker images and scans for vulnerabilities
Apache License 2.0

False positives from effective_user trigger #1341

Open yyugh opened 2 years ago

yyugh commented 2 years ago

Is this a request for help?: Yes

Is this a BUG REPORT or a FEATURE REQUEST? (choose one): FEATURE REQUEST

Version of Anchore Engine and Anchore CLI if applicable: anchore-cli, version 0.9.4 anchore-engine, version 0.10.0

What happened: The effective_user trigger tends to generate false positives under the following situation.

When the effective_user trigger is used on an image that has the Dockerfile and inherits the last USER instruction from its parent image, the trigger will always report "User root found as effective user, which is explicity not allowed". (btw, there is a typo in the message). I guess this is because the trigger only checks the provided Dockerfile for the USER instruction, even though a USER instruction in the parent image can also ensure the container will not run as root.

What did you expect to happen: Ideally, by default, the effective_user trigger should check all layers of the image, including those belonging to the parent images. I could achieve this effect by not providing the Dockerfile, but this will affect other triggers, such as instruction, which are configured with actual_dockerfile_only.

Any relevant log output from /var/log/anchore:

What docker images are you using:

How to reproduce the issue:

Anything else we need to know:
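The false positive described in this issue, reconstructed as an added example (not anchore-engine's own code): the "actual Dockerfile only" check sees no USER instruction in the child Dockerfile and reports root, while a check that also walks the parent's instructions finds the inherited non-root user. The parent Dockerfile text, the image names and the user `app` are constructed for the example.

```python
import re
from typing import List, Optional

# Constructed sample: the parent image drops privileges with USER, and the
# child Dockerfile inherits that setting without repeating the instruction.
PARENT_DOCKERFILE = """\
FROM alpine:3.14
RUN adduser -D app
USER app
"""

CHILD_DOCKERFILE = """\
FROM parent-image:latest
COPY app.py /srv/app.py
CMD ["python3", "/srv/app.py"]
"""

# Constructed sample: a child that explicitly switches back to root.
CHILD_REVERTS_TO_ROOT = CHILD_DOCKERFILE + "USER root\n"

USER_RE = re.compile(r"^\s*USER\s+(\S+)", re.IGNORECASE)


def last_user(dockerfile: str) -> Optional[str]:
    """Return the user from the last USER instruction, or None if there is none."""
    user = None
    for line in dockerfile.splitlines():
        m = USER_RE.match(line)
        if m:
            user = m.group(1).split(":")[0]  # drop an optional ":group" suffix
    return user


def classify(user: Optional[str]) -> str:
    # No USER instruction anywhere means the container runs as root by default.
    return "root" if user is None or user in ("root", "0") else user


def effective_user_actual_dockerfile_only(child: str) -> str:
    """Behaviour reported in the issue: only the supplied Dockerfile is inspected."""
    return classify(last_user(child))


def effective_user_all_layers(layers: List[str]) -> str:
    """Requested behaviour: walk parent then child; the last USER seen wins."""
    user = None
    for dockerfile in layers:  # ordered from base image to final image
        found = last_user(dockerfile)
        if found is not None:
            user = found
    return classify(user)
```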