Open dyferx opened 1 year ago
Thank you for your recommendation. I'll think about it.
I would like to upvote this. For my team, dockle is flagging ADD statements from an upstream image, so it is not even in our control to change that behaviour.
+1 on that. Dockle is breaking our pipelines by raising a FATAL because we are using an official ubuntu:latest image and this image has the ADD instruction: https://hub.docker.com/layers/library/ubuntu/mantic/images/sha256-3853398d8cefdc1c02ca82cd809ab3ab3851728da0de68325389b7e53eb26acd?context=explore
We have a GitLab CI/CD pipeline where we are building our Docker images. One of the jobs in the workflow is Dockle scans. When a vulnerability with status Fatal is found, the pipeline stops and the image is not pushed to the registry.
In my Dockerfiles I'm using the ADD command to download software into the image, for example:
ADD https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_linux_amd64.zip ./
Dockle finds a FATAL vulnerability, CIS-DI-0009, and this breaks our pipelines.
In my opinion CIS-DI-0009 shouldn't have FATAL status. We can use wget or curl instead, but then we need wget or curl inside the image, which increases image size. Downloading software from the internet using wget or curl has the same security level as ADD, and for Dockle this is not a FATAL vulnerability.
The description for CIS-DI-0009 is as follows: ADD instruction introduces risks such as adding malicious files from URLs without scanning and unpacking procedure vulnerabilities.
If my understanding is right, this doesn't make much sense in Dockle because the source for Dockle is a Docker image, not a Dockerfile, so the downloaded files are inside the image.
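One way to keep the download while dropping both the ADD instruction and the extra curl/unzip packages from the shipped image is a multi-stage build that verifies the artifact's checksum before copying it across. This is an added example for the thread, not code from the issue author or from the Dockle project; it assumes HashiCorp's published `terraform_<version>_SHA256SUMS` file naming, and the version number is a constructed sample value.

```dockerfile
# Added example (not from the issue author or the Dockle project).
# Pattern: fetch and verify in a throwaway builder stage, then COPY only the
# verified binary into the runtime image. The runtime image never carries curl
# or unzip, and no ADD <url> instruction remains in our own Dockerfile.
#
# Assumptions: HashiCorp's published SHA256SUMS naming for Terraform releases;
# the version below is a constructed sample value, pin the one you actually use.
ARG TERRAFORM_VERSION=1.6.0

FROM alpine:3.19 AS fetch
ARG TERRAFORM_VERSION
RUN apk add --no-cache curl unzip
WORKDIR /dl
# Download the archive and the checksum list published for the same version,
# keep only the checksum line for this artifact, and let sha256sum fail the
# build on any mismatch before anything is unpacked. grep also fails the build
# if the checksum list has no entry for the file we fetched.
RUN curl -fsSLO "https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_linux_amd64.zip" \
 && curl -fsSLO "https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_SHA256SUMS" \
 && grep "terraform_${TERRAFORM_VERSION}_linux_amd64.zip" "terraform_${TERRAFORM_VERSION}_SHA256SUMS" > expected.sha256 \
 && sha256sum -c expected.sha256 \
 && unzip "terraform_${TERRAFORM_VERSION}_linux_amd64.zip" -d /out

FROM ubuntu:22.04
# Only the verified binary crosses into the final image; the fetch stage and
# its tooling are discarded.
COPY --from=fetch /out/terraform /usr/local/bin/terraform
ENTRYPOINT ["terraform"]
```

The checksum step is what addresses the risk named in the CIS-DI-0009 description (files pulled from a URL without any check): a plain `ADD <url>` and a plain `curl` are indeed equivalent in that neither verifies what arrived, and the fix is the same for both. Note that this only removes ADD instructions from layers you author; an ADD inherited from an upstream base image, as in the ubuntu:latest case above, still shows up in the image history, and for that case Dockle's checkpoint ignore option (`-i CIS-DI-0009`, or a `.dockleignore` file) is the documented way to record it as accepted risk rather than letting it stop the pipeline.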