goodwithtech / dockle

Container Image Linter for Security, Helping build the Best-Practice Docker Image, Easy to start
https://containers.goodwith.tech/
Apache License 2.0

Scanning ubuntu:22.04 failed #220

Closed dtfans closed 1 year ago

dtfans commented 1 year ago

I scanned ubuntu:22.04 and got

FATAL   - CIS-DI-0009: Use COPY instead of ADD in Dockerfile
        * Use COPY : /bin/sh -c #(nop) ADD file:18e71f049606f6339ce7a995839623f50e6ec6474bfd0a3a7ca799db726f47f6 in /

This problem does not occur in ubuntu:jammy-20221130, even though it also has an "ADD file ... in /" layer.

IMAGE          CREATED        CREATED BY                                      SIZE      COMMENT
6b7dfa7e8fdb   2 months ago   /bin/sh -c #(nop)  CMD ["bash"]                 0B
<missing>      2 months ago   /bin/sh -c #(nop) ADD file:481dd2da6de715252…   77.8MB

But there were some new layers added to the latest ubuntu:22.04 image build (a.k.a. ubuntu:jammy-20230126), and then we got CIS-DI-0009 from dockle.

IMAGE          CREATED       CREATED BY                                      SIZE      COMMENT
58db3edaf2be   2 weeks ago   /bin/sh -c #(nop)  CMD ["/bin/bash"]            0B
<missing>      2 weeks ago   /bin/sh -c #(nop) ADD file:18e71f049606f6339…   77.8MB
<missing>      2 weeks ago   /bin/sh -c #(nop)  LABEL org.opencontainers.…   0B
<missing>      2 weeks ago   /bin/sh -c #(nop)  LABEL org.opencontainers.…   0B
<missing>      2 weeks ago   /bin/sh -c #(nop)  ARG LAUNCHPAD_BUILD_ARCH     0B
<missing>      2 weeks ago   /bin/sh -c #(nop)  ARG RELEASE                  0B

It looks like a false alarm to me, since those "ARG" and "LABEL" layers are unlikely to cause security issues, aren't they?

tomoyamachi commented 1 year ago

@dtfans Thank you for the report. You're right. Dockle only ignores ADD in the first line now. https://github.com/goodwithtech/dockle/blob/3fbe4cf09cfdf6cae0172151418491a81ee7acae/pkg/assessor/manifest/manifest.go#L173 I will fix it.

loganmarchione commented 1 year ago

Just had the same issue.

FATAL   - CIS-DI-0009: Use COPY instead of ADD in Dockerfile
        * Use COPY : /bin/sh -c #(nop) ADD file:18e71f049606f6339ce7a995839623f50e6ec6474bfd0a3a7ca799db726f47f6 in /

lior-orca commented 1 year ago

@tomoyamachi are you going to address it soon?

lior-orca commented 1 year ago

@tomoyamachi we can probably have a similar logic to trivy - https://github.com/aquasecurity/trivy/blob/3987a679f9520259a1b1474e81704b8aedce2ef7/pkg/fanal/artifact/image/image.go#L496

tomoyamachi commented 1 year ago

@dtfans @lior-orca @loganmarchione After considering the matter, I think the current logic is acceptable. The reason for this is that the current ubuntu image is not built in accordance with best practices.

Trivy has the same problem as dockle. Below is the Dockerfile for Ubuntu.

FROM scratch
ADD @@TARBALL@@ /
CMD ["bash"]

We can see that after the base image (scratch), a tar file is added using the ADD command. I think it is up to the users to decide whether or not this tar file can be trusted.

Dockle does not understand whether a container image is official or not, and it only evaluates based on whether the container image is built according to best practices.

lior-orca commented 1 year ago

@tomoyamachi what prevents us from "guessing" the base layer, similar to trivy, which will resolve the issue?

Trivy has similar issues opened, and I'm sure they will handle it over time
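To make the "guess the base layer" idea concrete, here is an added Go example; it is not Dockle's or Trivy's code, and the fix that shipped in 0.4.13 may use different rules. It compares the exemption as the maintainer describes it (only an ADD in the very first history entry is ignored) with a position-based one: an ADD is treated as the rootfs import of a FROM scratch image as long as every earlier layer is a zero-size metadata instruction such as ARG or LABEL. The `HistoryEntry` type and the function names are assumptions made for the example; the ubuntu:jammy-20230126 history is taken from the `docker history` listing in the issue (truncated digests left as printed), and the derived image is constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// HistoryEntry holds the two `docker history` fields the check needs: the
// instruction that produced the layer and the layer size in bytes. Slices are
// kept in build order (oldest layer first), the reverse of `docker history`.
type HistoryEntry struct {
	CreatedBy string
	Size      int64
}

// isADD reports whether a history entry was produced by a Dockerfile ADD.
// The classic builder records "/bin/sh -c #(nop) ADD file:... in /"; the
// prefix is stripped so a bare "ADD ..." (BuildKit style) is matched too.
func isADD(createdBy string) bool {
	s := strings.TrimSpace(createdBy)
	s = strings.TrimSpace(strings.TrimPrefix(s, "/bin/sh -c #(nop)"))
	return strings.HasPrefix(s, "ADD ")
}

// LegacyFlaggedADDs mirrors the behaviour described in the thread: only an
// ADD in the very first history entry is exempt, so a base image whose
// rootfs ADD comes after ARG/LABEL entries is reported (the false positive).
func LegacyFlaggedADDs(history []HistoryEntry) []string {
	var flagged []string
	for i, h := range history {
		if i > 0 && isADD(h.CreatedBy) {
			flagged = append(flagged, strings.TrimSpace(h.CreatedBy))
		}
	}
	return flagged
}

// FlaggedADDs exempts the rootfs ADD by position instead: an ADD counts as
// the base-image import as long as no earlier entry contributed content
// (every earlier layer has Size == 0, i.e. ARG, LABEL, ENV and similar
// metadata-only instructions). Any ADD that comes after a non-empty layer is
// the image author's own and is reported for CIS-DI-0009.
func FlaggedADDs(history []HistoryEntry) []string {
	var flagged []string
	sawContent := false
	for _, h := range history {
		if isADD(h.CreatedBy) && sawContent {
			flagged = append(flagged, strings.TrimSpace(h.CreatedBy))
		}
		if h.Size > 0 {
			sawContent = true
		}
	}
	return flagged
}

// UbuntuJammy20230126 is the history from the issue (ubuntu:jammy-20230126)
// in build order, with the truncated digests left exactly as `docker history`
// printed them.
var UbuntuJammy20230126 = []HistoryEntry{
	{"/bin/sh -c #(nop)  ARG RELEASE", 0},
	{"/bin/sh -c #(nop)  ARG LAUNCHPAD_BUILD_ARCH", 0},
	{"/bin/sh -c #(nop)  LABEL org.opencontainers.…", 0},
	{"/bin/sh -c #(nop)  LABEL org.opencontainers.…", 0},
	{"/bin/sh -c #(nop) ADD file:18e71f049606f6339… in /", 77_800_000},
	{`/bin/sh -c #(nop)  CMD ["/bin/bash"]`, 0},
}

// DerivedImage is a constructed history for a hypothetical image built
// FROM ubuntu:22.04 that then ADDs its own tarball; that second ADD is the
// one CIS-DI-0009 is meant to catch.
var DerivedImage = append(append([]HistoryEntry{}, UbuntuJammy20230126...),
	HistoryEntry{"/bin/sh -c #(nop) ADD app.tar.gz /opt/app", 4_096},
)

func main() {
	for name, h := range map[string][]HistoryEntry{
		"ubuntu:jammy-20230126": UbuntuJammy20230126,
		"derived image":         DerivedImage,
	} {
		fmt.Printf("%s\n  first-entry-only: %v\n  by position:      %v\n",
			name, LegacyFlaggedADDs(h), FlaggedADDs(h))
	}
}
```

Running it shows the first-entry-only rule reporting the ubuntu rootfs ADD while the position-based rule stays quiet on it and still reports the derived image's own ADD. The heuristic is deliberately conservative: a base image that runs a non-empty RUN before its ADD, or a squashed image, would still be flagged, which matches the maintainer's point that the tool cannot know whether an image is official and can only reason about what the history shows.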

tomoyamachi commented 1 year ago

@lior-orca I'm sorry. I was wrong. This issue has been fixed in version 0.4.13.