avd-ds-0001 thwarted by build args

[rittneje]

Description

We have Dockerfiles that reference build args to construct the registry prefix of the image.

Scanning such Dockerfiles never triggers avd-ds-0001.

Desired Behavior

The check ought to work even if we are using a build arg.

Actual Behavior

Trivy reports nothing.

Reproduction Steps

ARG REGISTRY

FROM ${REGISTRY}/ubuntu

$ docker run --rm -it -v $PWD:$PWD:ro -w $PWD aquasec/trivy:0.58.2 config Dockerfile
2025-01-21T04:40:12Z    INFO    [misconfig] Misconfiguration scanning is enabled
2025-01-21T04:40:12Z    INFO    [misconfig] Need to update the built-in checks
2025-01-21T04:40:12Z    INFO    [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [-----------------------------------------------------------------------------------------------------------------------------------] 100.00% ? p/s 100ms
2025-01-21T04:40:14Z    INFO    Detected config files   num=1

Target

Filesystem

Scanner

Misconfiguration

Output Format

None

Mode

Standalone

Debug Output

2025-01-21T04:47:07Z    DEBUG   No plugins loaded
2025-01-21T04:47:07Z    DEBUG   Default config file "file_path=trivy.yaml" not found, using built in values
2025-01-21T04:47:07Z    DEBUG   Cache dir       dir="/root/.cache/trivy"
2025-01-21T04:47:07Z    DEBUG   Cache dir       dir="/root/.cache/trivy"
2025-01-21T04:47:07Z    DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-01-21T04:47:07Z    INFO    [misconfig] Misconfiguration scanning is enabled
2025-01-21T04:47:07Z    DEBUG   [misconfig] Failed to open the check metadata   err="open /root/.cache/trivy/policy/metadata.json: no such file or directory"
2025-01-21T04:47:07Z    INFO    [misconfig] Need to update the built-in checks
2025-01-21T04:47:07Z    INFO    [misconfig] Downloading the built-in checks...
2025-01-21T04:47:07Z    DEBUG   [misconfig] Loading check bundle        repository="mirror.gcr.io/aquasec/trivy-checks:1"
160.80 KiB / 160.80 KiB [-----------------------------------------------------------------------------------------------------------------------------------] 100.00% ? p/s 200ms
2025-01-21T04:47:09Z    DEBUG   [misconfig] Digest of the built-in checks       digest="sha256:f6901e03f486a48f47aa17a78d89d18e6c31ded82aff83ed19d0d73935a1a059"
2025-01-21T04:47:09Z    DEBUG   [misconfig] Checks successfully loaded from disk
2025-01-21T04:47:09Z    DEBUG   Enabling misconfiguration scanners      scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2025-01-21T04:47:09Z    DEBUG   Initializing scan cache...      type="memory"
2025-01-21T04:47:09Z    DEBUG   [misconfig] Scanning files for misconfigurations...     scanner="Dockerfile"
2025-01-21T04:47:10Z    DEBUG   [rego] Overriding filesystem for checks
2025-01-21T04:47:10Z    DEBUG   [rego] Embedded libraries are loaded    count=15
2025-01-21T04:47:10Z    DEBUG   [rego] Embedded checks are loaded       count=511
2025-01-21T04:47:10Z    DEBUG   [rego] Checks from disk are loaded      count=526
2025-01-21T04:47:10Z    DEBUG   [rego] Overriding filesystem for data
2025-01-21T04:47:10Z    DEBUG   [dockerfile scanner] Scanning files...  count=1
2025-01-21T04:47:10Z    DEBUG   [rego] Scanning inputs  count=1
2025-01-21T04:47:10Z    DEBUG   OS is not detected.
2025-01-21T04:47:10Z    INFO    Detected config files   num=1
2025-01-21T04:47:10Z    DEBUG   Scanned config file     file_path="Dockerfile"
2025-01-21T04:47:10Z    DEBUG   Found an ignore file    file_path=".trivyignore"
2025-01-21T04:47:10Z    DEBUG   Ignored id="AVD-DS-0002" target="Dockerfile"
2025-01-21T04:47:10Z    DEBUG   Ignored id="AVD-DS-0026" target="Dockerfile"
2025-01-21T04:47:10Z    DEBUG   [vex] VEX filtering is disabled

Operating System

docker container

Version

Version: 0.58.2

Checklist

• Run trivy clean --all
• Read the troubleshooting

[nikpivkin]

Hi @rittneje !

AVD-DS-0001 warns against the use of the latest tag.

[rittneje]

@nikpivkin Yes, it's supposed to, but as I mentioned doesn't work if FROM references a build arg.

Without build arg, implicit latest

FROM ubuntu

$ docker run --rm -it -v $PWD:$PWD:ro -w $PWD aquasec/trivy:0.58.2 config Dockerfile
2025-01-21T23:51:08Z    INFO    [misconfig] Misconfiguration scanning is enabled
2025-01-21T23:51:08Z    INFO    [misconfig] Need to update the built-in checks
2025-01-21T23:51:08Z    INFO    [misconfig] Downloading the built-in checks...
164.50 KiB / 164.50 KiB [-----------------------------------------------------------------------------------------------------------------------------------] 100.00% ? p/s 100ms
2025-01-21T23:51:10Z    INFO    Detected config files   num=1

Dockerfile (dockerfile)

Tests: 26 (SUCCESSES: 25, FAILURES: 1)
Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

AVD-DS-0001 (MEDIUM): Specify a tag in the 'FROM' statement for image 'ubuntu'
═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
When using a 'FROM' statement you should use a specific tag to avoid uncontrolled behavior when the image is updated.

See https://avd.aquasec.com/misconfig/ds001
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 Dockerfile:1
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   1 [ FROM ubuntu
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Without build arg, explicit latest

FROM ubuntu:latest

$ docker run --rm -it -v $PWD:$PWD:ro -w $PWD aquasec/trivy:0.58.2 config Dockerfile
2025-01-21T23:52:59Z    INFO    [misconfig] Misconfiguration scanning is enabled
2025-01-21T23:52:59Z    INFO    [misconfig] Need to update the built-in checks
2025-01-21T23:52:59Z    INFO    [misconfig] Downloading the built-in checks...
164.50 KiB / 164.50 KiB [----------------------------------------------------------------------------------------------------------------------------] 100.00% 5.78 MiB p/s 200ms
2025-01-21T23:53:01Z    INFO    Detected config files   num=1

Dockerfile (dockerfile)

Tests: 26 (SUCCESSES: 25, FAILURES: 1)
Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

AVD-DS-0001 (MEDIUM): Specify a tag in the 'FROM' statement for image 'ubuntu'
═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
When using a 'FROM' statement you should use a specific tag to avoid uncontrolled behavior when the image is updated.

See https://avd.aquasec.com/misconfig/ds001
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 Dockerfile:1
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   1 [ FROM ubuntu:latest
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

With build arg, implicit latest

ARG REGISTRY
FROM ${REGISTRY}/ubuntu

$ docker run --rm -it -v $PWD:$PWD:ro -w $PWD aquasec/trivy:0.58.2 config Dockerfile
2025-01-21T23:54:06Z    INFO    [misconfig] Misconfiguration scanning is enabled
2025-01-21T23:54:06Z    INFO    [misconfig] Need to update the built-in checks
2025-01-21T23:54:06Z    INFO    [misconfig] Downloading the built-in checks...
164.50 KiB / 164.50 KiB [-----------------------------------------------------------------------------------------------------------------------------------] 100.00% ? p/s 100ms
2025-01-21T23:54:09Z    INFO    Detected config files   num=1

With build arg, explicit latest

ARG REGISTRY
FROM ${REGISTRY}/ubuntu:latest

$ docker run --rm -it -v $PWD:$PWD:ro -w $PWD aquasec/trivy:0.58.2 config Dockerfile
2025-01-21T23:54:38Z    INFO    [misconfig] Misconfiguration scanning is enabled
2025-01-21T23:54:38Z    INFO    [misconfig] Need to update the built-in checks
2025-01-21T23:54:38Z    INFO    [misconfig] Downloading the built-in checks...
164.50 KiB / 164.50 KiB [-----------------------------------------------------------------------------------------------------------------------------------] 100.00% ? p/s 100ms
2025-01-21T23:54:40Z    INFO    Detected config files   num=1

[nikpivkin]

Thanks, I got it. I'll take a look.

[nikpivkin]

Track #8274