DS031 is being incorrectly detected in a Dockerfile #7828

pdrylo · 2024-10-30T13:37:21Z

pdrylo
Oct 30, 2024

IDs

DS031

Description

Me and my team are having issues after downloading the latest DB today (30.10.2024), where checking for Dockerfile misconfigurations shows DS031 for an "empty" Dockerfile (with only one FROM statement and nothing else).

Are we doing something wrong here? If so, please shout! It doesn't change the fact that it breaks our pipelines at this very moment and is also easy to replicate. I don't want to ignore this through .trivyignore as I see a value in this rule but for the time being this is the only solution.

Additionally, is there a way to pin to specific DB version and keep it updated, for example, with renovate? So we can get back to a previous DB version if something fails with the latest one?

Thanks

Reproduction Steps

1. Download latest trivy (0.56.2).
2. Install it and clean all local trivy caches with `trivy clean --all`.
3. Create simple Dockerfile, for example:


FROM ubuntu:20.04


4. Run trivy: `trivy fs --scanners misconfig --debug Dockerfile`

Target

Filesystem

Scanner

Misconfiguration

Target OS

No response

Debug Output

$ trivy fs --scanners misconfig --debug Dockerfile
2024-10-30T14:21:15+01:00       DEBUG   No plugins loaded
2024-10-30T14:21:15+01:00       DEBUG   Default config file "file_path=trivy.yaml" not found, using built in values
2024-10-30T14:21:15+01:00       DEBUG   Cache dir       dir="/home/pdrylo/.cache/trivy"
2024-10-30T14:21:15+01:00       DEBUG   Cache dir       dir="/home/pdrylo/.cache/trivy"
2024-10-30T14:21:15+01:00       DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-10-30T14:21:15+01:00       DEBUG   Ignore statuses statuses=[]
2024-10-30T14:21:15+01:00       INFO    [misconfig] Misconfiguration scanning is enabled
2024-10-30T14:21:15+01:00       DEBUG   [misconfig] Checks successfully loaded from disk
2024-10-30T14:21:15+01:00       DEBUG   Enabling misconfiguration scanners      scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-10-30T14:21:15+01:00       DEBUG   Initializing scan cache...      type="memory"
2024-10-30T14:21:15+01:00       DEBUG   Scanning files for misconfigurations... scanner="Dockerfile"
2024-10-30T14:21:15+01:00       DEBUG   [rego] Overriding filesystem for checks
2024-10-30T14:21:15+01:00       DEBUG   [rego] Embedded libraries are loaded    count=13
2024-10-30T14:21:16+01:00       DEBUG   [rego] Embedded checks are loaded       count=508
2024-10-30T14:21:16+01:00       DEBUG   [rego] Checks from disk are loaded      count=524
2024-10-30T14:21:16+01:00       DEBUG   [rego] Overriding filesystem for data
2024-10-30T14:21:16+01:00       DEBUG   [rego] Scanning inputs  count=1
2024-10-30T14:21:16+01:00       DEBUG   OS is not detected.
2024-10-30T14:21:16+01:00       INFO    Detected config files   num=1
2024-10-30T14:21:16+01:00       DEBUG   Scanned config file     file_path="Dockerfile"
2024-10-30T14:21:16+01:00       DEBUG   [vex] VEX filtering is disabled

Dockerfile (dockerfile)

Tests: 41 (SUCCESSES: 26, FAILURES: 15, EXCEPTIONS: 0)
Failures: 15 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 1, CRITICAL: 13)

HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


LOW: Add HEALTHCHECK instruction in your Dockerfile
═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.

See https://avd.aquasec.com/misconfig/ds026
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


CRITICAL: (?i)(?:_|^)(?:apikey|auth|credential|credentials|key|passwd|password|psw|pword|secret|token|usr)(?:_|$)
═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Passing secrets via `build-args` or envs or copying secret files can leak them out

See https://avd.aquasec.com/misconfig/ds031
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


CRITICAL: apikey
═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Passing secrets via `build-args` or envs or copying secret files can leak them out

See https://avd.aquasec.com/misconfig/ds031
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


CRITICAL: auth
═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Passing secrets via `build-args` or envs or copying secret files can leak them out

See https://avd.aquasec.com/misconfig/ds031
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


CRITICAL: credential
═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Passing secrets via `build-args` or envs or copying secret files can leak them out

See https://avd.aquasec.com/misconfig/ds031
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


CRITICAL: credentials
═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Passing secrets via `build-args` or envs or copying secret files can leak them out

See https://avd.aquasec.com/misconfig/ds031
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


CRITICAL: key
═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Passing secrets via `build-args` or envs or copying secret files can leak them out

See https://avd.aquasec.com/misconfig/ds031
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


CRITICAL: passwd
═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Passing secrets via `build-args` or envs or copying secret files can leak them out

See https://avd.aquasec.com/misconfig/ds031
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


CRITICAL: password
═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Passing secrets via `build-args` or envs or copying secret files can leak them out

See https://avd.aquasec.com/misconfig/ds031
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


CRITICAL: psw
═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Passing secrets via `build-args` or envs or copying secret files can leak them out

See https://avd.aquasec.com/misconfig/ds031
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


CRITICAL: pword
═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Passing secrets via `build-args` or envs or copying secret files can leak them out

See https://avd.aquasec.com/misconfig/ds031
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


CRITICAL: secret
═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Passing secrets via `build-args` or envs or copying secret files can leak them out

See https://avd.aquasec.com/misconfig/ds031
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


CRITICAL: token
═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Passing secrets via `build-args` or envs or copying secret files can leak them out

See https://avd.aquasec.com/misconfig/ds031
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


CRITICAL: usr
═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Passing secrets via `build-args` or envs or copying secret files can leak them out

See https://avd.aquasec.com/misconfig/ds031
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Version

$ trivy --version
Version: 0.56.2
Check Bundle:
  Digest: sha256:2ed7e46361a869fff0499f44b05ee88cc54fa48b1643d75ea3734f88b2677c51
  DownloadedAt: 2024-10-30 13:14:00.137153154 +0000 UTC

Checklist

Read the documentation regarding wrong detection
Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

Answered by simar7

Oct 31, 2024

This was a bug which we have patched here aquasecurity/trivy-checks#283

We've released a new bundle which should take care of this:

rm -rf ~/Library/Caches/trivy/  && trivy  config . 
2024-10-30T18:09:19-06:00       INFO    [misconfig] Misconfiguration scanning is enabled
2024-10-30T18:09:19-06:00       INFO    [misconfig] Need to update the built-in checks
2024-10-30T18:09:19-06:00       INFO    [misconfig] Downloading the built-in checks...
160.60 KiB / 160.60 KiB [------------------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% ? p/s 200ms
2024-10-30T18:09:21-06:00       INF…

View full answer

huczas · 2024-10-30T13:51:44Z

huczas
Oct 30, 2024

We have the same issue in all pipelines. Also this url is err404 https://avd.aquasec.com/misconfig/ds031

0 replies

caiohasouza · 2024-10-30T19:39:38Z

caiohasouza
Oct 30, 2024

+1

0 replies

AErmie · 2024-10-30T20:48:49Z

AErmie
Oct 30, 2024

I tried reverting to a previous version of Trivy (specifically v0.56.1) but the results are the same. Does anyone know of a temp rollback version we can use?

If it's related to a database version, I don't see CLI options to control the target DB version.

0 replies

simar7 · 2024-10-31T00:10:59Z

simar7
Oct 31, 2024
Maintainer

This was a bug which we have patched here aquasecurity/trivy-checks#283

We've released a new bundle which should take care of this:

rm -rf ~/Library/Caches/trivy/  && trivy  config . 
2024-10-30T18:09:19-06:00       INFO    [misconfig] Misconfiguration scanning is enabled
2024-10-30T18:09:19-06:00       INFO    [misconfig] Need to update the built-in checks
2024-10-30T18:09:19-06:00       INFO    [misconfig] Downloading the built-in checks...
160.60 KiB / 160.60 KiB [------------------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% ? p/s 200ms
2024-10-30T18:09:21-06:00       INFO    Detected config files   num=1

Dockerfile (dockerfile)

Tests: 28 (SUCCESSES: 26, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


LOW: Add HEALTHCHECK instruction in your Dockerfile
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.

See https://avd.aquasec.com/misconfig/ds026
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Upgrading to the new checks-bundle should take care of this. You can try trivy clean -a to clear up the bundle and download the latest bundle.

4 replies

isuftin Oct 31, 2024

trivy clean --all && trivy config . also worked for us

pdrylo Oct 31, 2024
Author

Thanks @simar7, I appreciate fast fix! Any suggestion if the following is possible at all?

Additionally, is there a way to pin to specific DB version and keep it updated, for example, with renovate? So we can get back to a previous DB version if something fails with the latest one?

Much obliged

simar7 Nov 1, 2024
Maintainer

@pdrylo all versions are available to download individually https://github.com/aquasecurity/trivy-checks/pkgs/container/trivy-checks/versions

By default, Trivy downloads the v1 tag which moves as newer releases are published. You can always use a previously released version via the --checks-bundle-repository flag

--checks-bundle-repository string OCI registry URL to retrieve checks bundle from (default "ghcr.io/aquasecurity/trivy-checks:1")

pdrylo Nov 1, 2024
Author

Thanks! That's all I needed to know!

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

DS031 is being incorrectly detected in a Dockerfile #7828

{{title}}

Replies: 4 comments 4 replies

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

Select a reply

DS031 is being incorrectly detected in a Dockerfile #7828

pdrylo Oct 30, 2024

IDs

Description

Reproduction Steps

Target

Scanner

Target OS

Debug Output

Version

Checklist

Replies: 4 comments · 4 replies

huczas Oct 30, 2024

caiohasouza Oct 30, 2024

AErmie Oct 30, 2024

simar7 Oct 31, 2024 Maintainer

isuftin Oct 31, 2024

pdrylo Oct 31, 2024 Author

simar7 Nov 1, 2024 Maintainer

pdrylo Nov 1, 2024 Author

pdrylo
Oct 30, 2024

Replies: 4 comments 4 replies

huczas
Oct 30, 2024

caiohasouza
Oct 30, 2024

AErmie
Oct 30, 2024

simar7
Oct 31, 2024
Maintainer

pdrylo Oct 31, 2024
Author

simar7 Nov 1, 2024
Maintainer

pdrylo Nov 1, 2024
Author