aquasecurity / microscanner

Scan your container images for package vulnerabilities with Aqua Security

Vulnerable image successfully builds #13

Closed SyraD closed 5 years ago

SyraD commented 5 years ago

Following https://blog.aquasec.com/microscanner-free-image-vulnerability-scanner-for-developers

Vulnerable image successfully builds.

$ docker build --build-arg=token=xxx --no-cache .
  },
  "vulnerability_summary": {
    "total": 28,
    "high": 8,
    "medium": 12,
    "low": 8,
    "negligible": 28,
    "sensitive": 0,
    "malware": 0,
    "score_average": 4.6607146,
    "max_score": 10,
    "max_fixable_score": 10,
    "max_fixable_severity": "high"
  },
  "scan_options": {},
  "initiating_user": "token",
  "data_date": 1541291317
}
The command '/bin/sh -c /microscanner ${token}' returned a non-zero code: 4

The image builds:

$ docker images
REPOSITORY                                      TAG                 IMAGE ID            CREATED             SIZE
<none>                                          <none>              f4a69a796f74        26 seconds ago      378MB
$ docker inspect f4a69a79
...
Env": [
                "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
                "GPG_KEYS=xxx"
                "MONGO_MAJOR=3.2",
                "MONGO_VERSION=3.2.1"
            ],
            "Cmd": [
                "mongod"
            ],
lizrice commented 5 years ago

The fact that microscanner returns a non-zero code is failing the docker build, and the final image isn't being created, but it seems that Docker is creating an intermediate image that doesn't get removed. I reproduced the same thing without microscanner as follows:

Dockerfile

FROM mongo:3.2.1
RUN echo hello # This forces an intermediate image different from mongo:3.2.1
RUN exit 4

Build:

$ docker build -f Dockerfile.test .
Sending build context to Docker daemon  27.24MB
Step 1/3 : FROM mongo:3.2.1
 ---> 7e350b877a9a
Step 2/3 : RUN echo hello
 ---> Running in 9e7a5c4b2ba9
hello
Removing intermediate container 9e7a5c4b2ba9
 ---> 099c83cf7c11
Step 3/3 : RUN exit 4
 ---> Running in 6a2b69c29d5b
The command '/bin/sh -c exit 4' returned a non-zero code: 4

$ docker image ls
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
<none>              <none>              099c83cf7c11        8 seconds ago       317MB
mongo               3.2.1               7e350b877a9a        2 years ago         317MB

$ docker ps -a
CONTAINER ID        IMAGE               COMMAND                 CREATED             STATUS                     PORTS               NAMES
6a2b69c29d5b        099c83cf7c11        "/bin/sh -c 'exit 4'"   2 minutes ago       Exited (4) 2 minutes ago                       sad_proskuriakova

This demonstrates that it's not a microscanner issue but a Docker build issue so I'll close this here. Please re-open if you disagree.
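The cleanup a CI job needs after this failure mode, as an added example that is not code from microscanner or from either commenter: a wrapper that runs the scanning build and, when the scan step fails, removes the dangling `<none>` image and the exited step container that the build leaves behind, so the unscanned layer cannot be tagged or started later. The function names, the Dockerfile in the current directory and the token argument are assumptions.

```shell
#!/bin/sh
# Added example (not microscanner's own code). Assumes a Dockerfile in the
# current directory whose last step is `RUN /microscanner ${token}`, and the
# scanner token passed as the first argument.

# Print the IDs of untagged (<none>/<none>) images from `docker image ls` output.
dangling_image_ids() {
    awk 'NR > 1 && $1 == "<none>" && $2 == "<none>" { print $3 }'
}

# Print the IDs of containers from `docker ps -a` output whose status is
# "Exited (N)" with N non-zero, i.e. the failed build step's container.
failed_container_ids() {
    awk 'NR > 1 && match($0, /Exited \([0-9]+\)/) {
             code = substr($0, RSTART + 8, RLENGTH - 9)
             if (code + 0 != 0) print $1
         }'
}

# Apply the given docker subcommand (rm / rmi) to each ID read on stdin.
remove_each() {
    while read -r id; do
        if [ -n "$id" ]; then
            docker "$1" "$id" || echo "could not remove $id" >&2
        fi
    done
}

scan_build() {
    # --force-rm drops the step container even on failure; the intermediate
    # image from the previous successful step still needs explicit cleanup.
    docker build --force-rm --build-arg "token=$1" --no-cache . && return 0
    status=$?
    echo "build failed with exit code $status; removing leftover artifacts" >&2
    # Containers first: an image cannot be removed while a container uses it.
    docker ps -a | failed_container_ids | remove_each rm
    docker image ls | dangling_image_ids | remove_each rmi
    return "$status"
}

if [ $# -ge 1 ]; then
    scan_build "$1"
fi
```

The parsers match the legacy builder's table output shown in this issue; BuildKit does not expose per-step intermediate images as `<none>` entries, so on a BuildKit host the image cleanup step simply finds nothing.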