goodwithtech / dockle

Container Image Linter for Security, Helping build the Best-Practice Docker Image, Easy to start
https://containers.goodwith.tech/
Apache License 2.0

"DKL-DI-0005: Clear apt-get caches" occurs in non-apt distros #151

Closed KEINOS closed 3 years ago

KEINOS commented 3 years ago

Description

What did you expect to happen?

What happened instead?

Output of run with -debug:

output log

```shellsession
$ docker pull golang:1.17.1-alpine
alpine: Pulling from library/golang
Digest: sha256:13919fb9091f6667cb375d5fdf016ecd6d3a5d5995603000d422b04583de4ef9
Status: Downloaded newer image for golang:alpine
docker.io/library/golang:alpine
$ dockle -v
dockle version 0.4.0
$ dockle --debug golang:1.17.1-alpine
2021-09-11T19:22:50.284+0900 DEBUG Add new ignore code: DKL-DI-0006
2021-09-11T19:22:50.284+0900 DEBUG Add new ignore code: CIS-DI-0005
2021-09-11T19:22:50.284+0900 DEBUG Fetch latest version from github
2021-09-11T19:22:50.732+0900 DEBUG Start assessments...
2021-09-11T19:23:01.288+0900 DEBUG Start scan : password files
2021-09-11T19:23:01.288+0900 DEBUG Start scan : /etc/passwd
2021-09-11T19:23:01.288+0900 DEBUG Start scan : /etc/group
2021-09-11T19:23:01.288+0900 DEBUG Start scan : /etc/hosts
2021-09-11T19:23:01.289+0900 DEBUG Start scan : credential files
2021-09-11T19:23:01.289+0900 DEBUG Scan start : config file
2021-09-11T19:23:01.291+0900 DEBUG Scan start : DOCKER_CONTENT_TRUST
2021-09-11T19:23:01.291+0900 DEBUG Start scan : cache files
2021-09-11T19:23:01.291+0900 DEBUG End assessments...
FATAL - CIS-DI-0010: Do not store credential in ENVIRONMENT vars/files
    **(snip)**
FATAL - DKL-DI-0005: Clear apt-get caches
    * Use 'rm -rf /var/lib/apt/lists' after 'apt-get install|update' : /bin/sh -c set -eux; apk add --no-cache --virtual .fetch-deps gnupg; arch="$(apk --print-arch)"; url=; case "$arch" in 'x86_64') export GOARCH='amd64' GOOS='linux'; ;; 'armhf') export GOARCH='arm' GOARM='6' GOOS='linux'; ;; 'armv7') export GOARCH='arm' GOARM='7' GOOS='linux'; ;; 'aarch64') export GOARCH='arm64' GOOS='linux'; ;; 'x86') export GO386='softfloat' GOARCH='386' GOOS='linux'; ;; 'ppc64le') export GOARCH='ppc64le' GOOS='linux'; ;; 's390x') export GOARCH='s390x' GOOS='linux'; ;; *) echo >&2 "error: unsupported architecture '$arch' (likely packaging update needed)"; exit 1 ;; esac; build=; if [ -z "$url" ]; then build=1; url='https://dl.google.com/go/go1.17.1.src.tar.gz'; sha256='49dc08339770acd5613312db8c141eaf61779995577b89d93b541ef83067e5b1'; fi; wget -O go.tgz.asc "$url.asc"; wget -O go.tgz "$url"; echo "$sha256 *go.tgz" | sha256sum -c -; GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; gpg --batch --keyserver keyserver.ubuntu.com --recv-keys 'EB4C 1BFD 4F04 2F6D DDCC EC91 7721 F63B D38B 4796'; gpg --batch --verify go.tgz.asc go.tgz; gpgconf --kill all; rm -rf "$GNUPGHOME" go.tgz.asc; tar -C /usr/local -xzf go.tgz; rm go.tgz; if [ -n "$build" ]; then apk add --no-cache --virtual .build-deps bash gcc go musl-dev ; ( cd /usr/local/go/src; export GOROOT_BOOTSTRAP="$(go env GOROOT)" GOHOSTOS="$GOOS" GOHOSTARCH="$GOARCH"; ./make.bash; ); apk del --no-network .build-deps; go install std; rm -rf /usr/local/go/pkg/*/cmd /usr/local/go/pkg/bootstrap /usr/local/go/pkg/obj /usr/local/go/pkg/tool/*/api /usr/local/go/pkg/tool/*/go_bootstrap /usr/local/go/src/cmd/dist/dist ; fi; apk del --no-network .fetch-deps; go version
WARN - CIS-DI-0001: Create a user for the container
    * Last user should not be root
INFO - CIS-DI-0006: Add HEALTHCHECK instruction to the container image
    * not found HEALTHCHECK statement
INFO - DKL-LI-0003: Only put necessary files
    * unnecessary file : usr/local/go/src/crypto/elliptic/internal/fiat/Dockerfile
IGNORE - CIS-DI-0005: Enable Content trust for Docker
```

Output of dockle -v:

$ dockle -v
dockle version 0.4.0

Additional details (base image name, container registry info...):

I inserted line breaks below to make it readable. Doesn't the go install line seem to cause the mal-detection of apt-get install? Somehow, maybe?

$ dockle golang:1.17.1-alpine
FATAL   - CIS-DI-0010: Do not store credential in ENVIRONMENT vars/files
**(snip)**
**(snip)**
**(snip)**
FATAL   - DKL-DI-0005: Clear apt-get caches
    * Use 'rm -rf /var/lib/apt/lists' after 'apt-get install|update' :
    /bin/sh -c set -eux; \
    apk add --no-cache --virtual .fetch-deps gnupg; \
    arch="$(apk --print-arch)"; \
    url=; \
    case "$arch" in \
        'x86_64') \
            export GOARCH='amd64' GOOS='linux'; \
            ;; \
        'armhf') \
            export GOARCH='arm' GOARM='6' GOOS='linux'; \
            ;; \
        'armv7') \
            export GOARCH='arm' GOARM='7' GOOS='linux'; \
            ;; \
        'aarch64') \
            export GOARCH='arm64' GOOS='linux'; \
            ;; \
        'x86') \
            export GO386='softfloat' GOARCH='386' GOOS='linux'; \
            ;; \
        'ppc64le') \
            export GOARCH='ppc64le' GOOS='linux'; \
            ;; \
        's390x') \
            export GOARCH='s390x' GOOS='linux'; \
            ;; \
        *) echo >&2 "error: unsupported architecture '$arch' (likely packaging update needed)"; exit 1 ;; \
    esac; \
    build=; \
    if [ -z "$url" ]; then \
        build=1; \
        url='https://dl.google.com/go/go1.17.1.src.tar.gz'; \
        sha256='49dc08339770acd5613312db8c141eaf61779995577b89d93b541ef83067e5b1'; \
    fi; \
    \
    wget -O go.tgz.asc "$url.asc"; \
    wget -O go.tgz "$url"; \
    echo "$sha256 *go.tgz" | sha256sum -c -; \
    \
    GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \
    gpg --batch --keyserver keyserver.ubuntu.com --recv-keys 'EB4C 1BFD 4F04 2F6D DDCC EC91 7721 F63B D38B 4796'; \
    gpg --batch --verify go.tgz.asc go.tgz; \
    gpgconf --kill all; \
    rm -rf "$GNUPGHOME" go.tgz.asc; \
    \
    tar -C /usr/local -xzf go.tgz; \
    rm go.tgz; \
    \
    if [ -n "$build" ]; then \
        apk add --no-cache --virtual .build-deps \
            bash \
            gcc \
            go \
            musl-dev \
        ; \
        \
        ( \
            cd /usr/local/go/src; \
            export GOROOT_BOOTSTRAP="$(go env GOROOT)" GOHOSTOS="$GOOS" GOHOSTARCH="$GOARCH"; \
            ./make.bash; \
        ); \
        \
        apk del --no-network .build-deps; \
        \
        go install std; \
        \
        rm -rf \
            /usr/local/go/pkg/*/cmd \
            /usr/local/go/pkg/bootstrap \
            /usr/local/go/pkg/obj \
            /usr/local/go/pkg/tool/*/api \
            /usr/local/go/pkg/tool/*/go_bootstrap \
            /usr/local/go/src/cmd/dist/dist \
        ; \
    fi; \
    \
    apk del --no-network .fetch-deps; \
    \
    go version
WARN    - CIS-DI-0001: Create a user for the container
    * Last user should not be root
INFO    - CIS-DI-0006: Add HEALTHCHECK instruction to the container image
    * not found HEALTHCHECK statement
INFO    - DKL-LI-0003: Only put necessary files
    * unnecessary file : usr/local/go/src/crypto/elliptic/internal/fiat/Dockerfile

tomoyamachi commented 3 years ago

@KEINOS This bug has been fixed in v0.4.1. Thank you for the report!

KEINOS commented 3 years ago

@tomoyamachi

That was quick!! Amazing!! Thank you!
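
The report above shows an apt-get rule firing on an apk-based RUN line that contains `go install std` and the word "update" but no `apt-get`. As an added illustration (not dockle's code, and not the fix shipped in v0.4.1), this Go example contrasts a hypothetical keyword matcher with a per-command check of the rule as its message states it; every function name and the two apt-get sample lines are assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed inputs: alpineRun is abridged from the report, the rest are made up.
const (
	alpineRun   = `set -eux; apk add --no-cache --virtual .fetch-deps gnupg; echo >&2 "error: unsupported architecture '$arch' (likely packaging update needed)"; go install std; apk del --no-network .fetch-deps; go version`
	debianDirty = `DEBIAN_FRONTEND=noninteractive apt-get update && apt-get install -y curl`
	debianClean = `apt-get update && apt-get install -y curl && rm -rf /var/lib/apt/lists/*`
)

var looseKeyword = regexp.MustCompile(`\b(install|update)\b`)
var separators = regexp.MustCompile(`&&|\|\||[;|\n()]`)

// naiveFlag is a hypothetical keyword matcher (NOT dockle's code): bare words only.
func naiveFlag(run string) bool {
	return looseKeyword.MatchString(run) && !strings.Contains(run, "rm -rf /var/lib/apt/lists")
}

// splitCommands cuts a RUN line into argv slices; quoting is not parsed.
func splitCommands(run string) [][]string {
	var cmds [][]string
	for _, part := range separators.Split(run, -1) {
		if argv := strings.Fields(part); len(argv) > 0 {
			cmds = append(cmds, argv)
		}
	}
	return cmds
}

// isAptFetch reports whether argv runs apt-get or apt with install or update.
// Leading VAR=value words and flags are skipped; flags with a separate value are not handled.
func isAptFetch(argv []string) bool {
	i := 0
	for i < len(argv) && strings.Contains(argv[i], "=") {
		i++
	}
	if i == len(argv) || (argv[i] != "apt-get" && argv[i] != "apt") {
		return false
	}
	for _, arg := range argv[i+1:] {
		if !strings.HasPrefix(arg, "-") {
			return arg == "install" || arg == "update"
		}
	}
	return false
}

// clearsAptLists reports whether argv is an rm that targets /var/lib/apt/lists.
func clearsAptLists(argv []string) bool {
	return argv[0] == "rm" && strings.Contains(strings.Join(argv[1:], " "), "/var/lib/apt/lists")
}

// strictFlag is true when an apt fetch has no list cleanup later in the same line.
func strictFlag(run string) bool {
	dirty := false
	for _, argv := range splitCommands(run) {
		if isAptFetch(argv) {
			dirty = true
		} else if clearsAptLists(argv) {
			dirty = false
		}
	}
	return dirty
}

func main() {
	fmt.Println(naiveFlag(alpineRun), strictFlag(alpineRun), strictFlag(debianDirty), strictFlag(debianClean))
}
```

On the Alpine line the keyword matcher reports a finding and the per-command check does not; both agree on the two apt-get lines.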