bug: Trivy doesn't check COPY instructions when scanning image history #5370

nikpivkin opened this issue Oct 12, 2023 · 3 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. target/container-image Issues relating to container image scanning

Comments

@nikpivkin (Contributor)

Dockerfile:

FROM golang:1.21 as builder
WORKDIR /src
COPY <<EOF ./main.go
package main

import "fmt"

func main() {
  fmt.Println("hello, world")
}
EOF
RUN go build -o /bin/hello ./main.go
RUN touch test

FROM scratch
COPY --from=builder /src/test /bin/hello /bin/hello
CMD ["/bin/hello"]

Trivy output:

trivy i --image-config-scanners config test-img -d
2023-10-12T21:15:52.174+0700    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-10-12T21:15:52.174+0700    DEBUG   Ignore statuses {"statuses": null}
2023-10-12T21:15:52.193+0700    DEBUG   cache dir:  /Users/tososomaru/Library/Caches/trivy
2023-10-12T21:15:52.194+0700    DEBUG   DB update was skipped because the local DB is the latest
2023-10-12T21:15:52.194+0700    DEBUG   DB Schema: 2, UpdatedAt: 2023-10-12 12:16:39.10633075 +0000 UTC, NextUpdate: 2023-10-12 18:16:39.10633025 +0000 UTC, DownloadedAt: 2023-10-12 13:13:01.680098 +0000 UTC
2023-10-12T21:15:52.194+0700    DEBUG   Module dir: /Users/tososomaru/.trivy/modules
2023-10-12T21:15:52.194+0700    INFO    Container image config scanners: ["config"]
2023-10-12T21:15:52.194+0700    INFO    Vulnerability scanning is enabled
2023-10-12T21:15:52.194+0700    DEBUG   Vulnerability type:  [os library]
2023-10-12T21:15:52.194+0700    INFO    Misconfiguration scanning is enabled
2023-10-12T21:15:52.194+0700    DEBUG   Policies successfully loaded from disk
2023-10-12T21:15:52.194+0700    INFO    Secret scanning is enabled
2023-10-12T21:15:52.194+0700    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-10-12T21:15:52.194+0700    INFO    Please see also https://aquasecurity.github.io/trivy/v0.45/docs/scanner/secret/#recommendation for faster secret detection
2023-10-12T21:15:52.204+0700    DEBUG   No secret config detected: trivy-secret.yaml
2023-10-12T21:15:52.228+0700    DEBUG   No secret config detected: trivy-secret.yaml
2023-10-12T21:15:52.228+0700    DEBUG   Image ID: sha256:ec7d3aa2a177e91d34f8cb76a3afadf278087a7e86ea1b4677ae08c338381d8d
2023-10-12T21:15:52.228+0700    DEBUG   Diff IDs: [sha256:5a3cfe8450ed53acc071efbe93dacdb55759237fb190699aaccd90c30c09cc94]
2023-10-12T21:15:52.228+0700    DEBUG   Base Layers: []
2023-10-12T21:15:52.240+0700    DEBUG   Missing image ID in cache: sha256:ec7d3aa2a177e91d34f8cb76a3afadf278087a7e86ea1b4677ae08c338381d8d
2023-10-12T21:15:52.240+0700    DEBUG   Missing diff ID in cache: sha256:5a3cfe8450ed53acc071efbe93dacdb55759237fb190699aaccd90c30c09cc94
2023-10-12T21:15:52.281+0700    DEBUG   Scanning Dockerfile files for misconfigurations...
2023-10-12T21:15:52.281+0700    DEBUG   No secrets found in container image config
2023-10-12T21:15:52.297+0700    DEBUG   OS is not detected.
2023-10-12T21:15:52.297+0700    DEBUG   Detected OS: unknown
2023-10-12T21:15:52.297+0700    INFO    Number of language-specific files: 0

Image history:

docker image history test-img
IMAGE          CREATED         CREATED BY                                      SIZE      COMMENT
ec7d3aa2a177   2 minutes ago   CMD ["/bin/hello"]                              0B        buildkit.dockerfile.v0
<missing>      2 minutes ago   COPY /src/test /bin/hello /bin/hello # build…   1.85MB    buildkit.dockerfile.v0

I found that a similar problem has already occurred:

What did I expect?

CRITICAL: Slash is expected at the end of COPY command argument '/bin/hello'
═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
When a COPY command has more than two arguments, the last one should end with a slash.

See https://avd.aquasec.com/misconfig/ds011
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 Dockerfile:16
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  16 [ COPY --from=builder /src/test /bin/hello /bin/hello
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
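The DS011 check the image-history scan should have raised, applied to the CREATED BY column of `docker image history`, as an added Go example (not Trivy's own code). It assumes the BuildKit history form seen above (`--from` dropped, a `# buildkit` trailer appended); the sample entries are constructed from the issue's output.

```go
package main

import (
	"fmt"
	"strings"
)

// checkCopy applies the DS011 rule (a COPY with more than two arguments must
// have a destination ending in "/") to one instruction. It accepts a Dockerfile
// line ("COPY --from=builder a b /dst") and the CREATED BY column of
// `docker image history`, where BuildKit drops --from and appends "# buildkit".
// JSON-form COPY ["a","b","/dst/"] is not handled. Returns (dest, true) on a hit.
func checkCopy(instr string) (string, bool) {
	if i := strings.Index(instr, "#"); i >= 0 { // drop the history trailer
		instr = instr[:i]
	}
	fields := strings.Fields(instr)
	if len(fields) == 0 || !strings.EqualFold(fields[0], "COPY") {
		return "", false
	}
	var args []string
	for _, f := range fields[1:] {
		if strings.HasPrefix(f, "--") { // --from=, --chown= etc. are flags, not paths
			continue
		}
		args = append(args, f)
	}
	if len(args) < 3 {
		return "", false
	}
	dest := args[len(args)-1]
	return dest, !strings.HasSuffix(dest, "/")
}

// scanHistory runs checkCopy over every CREATED BY entry and returns the offending
// destinations: a final-stage misconfiguration is found from the history alone.
func scanHistory(createdBy []string) []string {
	var bad []string
	for _, l := range createdBy {
		if dest, hit := checkCopy(l); hit {
			bad = append(bad, dest)
		}
	}
	return bad
}

func main() {
	// constructed sample: the CREATED BY column from the issue's history output
	history := []string{`CMD ["/bin/hello"]`, `COPY /src/test /bin/hello /bin/hello # buildkit`}
	for _, d := range scanHistory(history) {
		fmt.Printf("DS011: slash expected at end of COPY argument %q\n", d)
	}
}
```

The first-stage `COPY <<EOF ./main.go` has only two arguments and never appears in the history, so, as knqyf263 notes, it is correctly out of scope for the history scan.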
@nikpivkin (Contributor, Author)

@simar7 @DmitriyLewen Scanning the Dockerfile with the conf command yielded 3 results, while scanning the image history found no problems. Is it okay that the number of results can vary?

trivy conf .
2023-10-12T21:23:33.794+0700    INFO    Misconfiguration scanning is enabled
2023-10-12T21:23:34.348+0700    INFO    Detected config files: 1

Dockerfile (dockerfile)

Tests: 26 (SUCCESSES: 23, FAILURES: 3, EXCEPTIONS: 0)
Failures: 3 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 1, CRITICAL: 1)

HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


CRITICAL: Slash is expected at the end of COPY command argument '/bin/hello'
═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
When a COPY command has more than two arguments, the last one should end with a slash.

See https://avd.aquasec.com/misconfig/ds011
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 Dockerfile:16
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  16 [ COPY --from=builder /src/test /bin/hello /bin/hello
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


LOW: Add HEALTHCHECK instruction in your Dockerfile
═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.

See https://avd.aquasec.com/misconfig/ds026
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

@simar7 (Member) commented Oct 12, 2023

It is an interesting point but as per my understanding during image scanning the final layer is the one that gets evaluated (correct me if I'm wrong though).

@knqyf263 (Collaborator)

It's okay that the number of results can vary?

No, it should be detected if the image history contains the layer. It's okay not to detect misconfiguration in the first stage because it cannot be seen in the image history (e.g. COPY <<EOF ./main.go).
