
bug: docker history analyzer exports instructions with build arguments without processing #8277

nikpivkin opened this issue Jan 22, 2025 · 0 comments

Discussed in #8276

Originally posted by nikpivkin January 22, 2025

Description

If the instruction uses build arguments, the analyzer does not strip the `|1 NAME= /bin/sh -c` prefix, so the value passed to Rego has the form `|1 NAME= /bin/sh -c echo $NAME`.

Example for the RUN instruction:

TRACE | | | Unify {"Cmd": "run", "EndLine": 2, "Flags": [], "JSON": false, "Original": "RUN |1 NAME= /bin/sh -c echo $NAME", "Path": "Dockerfile", "Stage": 0, "StartLine": 2, "SubCmd": "", "Value": ["|1 NAME= /bin/sh -c echo $NAME"]} = instruction

Desired Behavior

Instructions must be exported without the `|1 NAME= /bin/sh -c` prefix.

Actual Behavior

Instructions are exported in full, prefix included.

Reproduction Steps

1. Build an image from this Dockerfile:
```dockerfile
FROM alpine
ARG NAME
RUN echo $NAME
```

2. Run trivy with the `--trace` flag:
```bash
❯ trivy image --image-config-scanners misconfig test-img --trace
```

3.
...

Target

None

Scanner

None

Output Format

None

Mode

None

Debug Output

2025-01-22T17:37:30+06:00       INFO    [image] Container image config scanners scanners=[misconfig]
...
ID: DS026
File: test-img
Namespace: builtin.dockerfile.DS026
Query: data.builtin.dockerfile.DS026.deny
Message: Add HEALTHCHECK instruction in your Dockerfile
TRACE Enter data.builtin.dockerfile.DS026.deny = _
TRACE | Eval data.builtin.dockerfile.DS026.deny = _
TRACE | Unify data.builtin.dockerfile.DS026.deny = _
TRACE | Index data.builtin.dockerfile.DS026.deny (matched 1 rule)
TRACE | Enter data.builtin.dockerfile.DS026.deny
TRACE | | Eval __local5872__ = data.lib.docker.healthcheck
TRACE | | Unify __local5872__ = data.lib.docker.healthcheck
TRACE | | Index data.lib.docker.healthcheck (matched 1 rule)
TRACE | | Enter data.lib.docker.healthcheck
TRACE | | | Eval instruction = input.Stages[_].Commands[_]
TRACE | | | Unify instruction = input.Stages[_].Commands[_]
TRACE | | | Unify 0 = _
TRACE | | | Unify 0 = _
TRACE | | | Unify {"Cmd": "run", "EndLine": 2, "Flags": [], "JSON": false, "Original": "RUN |1 NAME= /bin/sh -c echo $NAME", "Path": "Dockerfile", "Stage": 0, "StartLine": 2, "SubCmd": "", "Value": ["|1 NAME= /bin/sh -c echo $NAME"]} = instruction
TRACE | | | Eval instruction.Cmd = "healthcheck"
TRACE | | | Unify instruction.Cmd = "healthcheck"
TRACE | | | Unify "run" = "healthcheck"
TRACE | | | Fail instruction.Cmd = "healthcheck"
TRACE | | | Redo instruction = input.Stages[_].Commands[_]
TRACE | | Unify set() = __local5872__
TRACE | | Eval count(__local5872__, __local4672__)
TRACE | | Unify __local4672__ = 0
TRACE | | Eval __local4672__ = 0
TRACE | | Unify 0 = 0
TRACE | | Eval msg = "Add HEALTHCHECK instruction in your Dockerfile"
TRACE | | Unify msg = "Add HEALTHCHECK instruction in your Dockerfile"
TRACE | | Eval result.new(msg, {}, __local4673__)
TRACE | | Unify __local4673__ = {"endline": 0, "explicit": false, "filepath": "", "fskey": "", "managed": true, "msg": "Add HEALTHCHECK instruction in your Dockerfile", "parent": null, "resource": "", "sourceprefix": "", "startline": 0}
TRACE | | Eval res = __local4673__
TRACE | | Unify res = {"endline": 0, "explicit": false, "filepath": "", "fskey": "", "managed": true, "msg": "Add HEALTHCHECK instruction in your Dockerfile", "parent": null, "resource": "", "sourceprefix": "", "startline": 0}
TRACE | | Exit data.builtin.dockerfile.DS026.deny
TRACE | Redo data.builtin.dockerfile.DS026.deny
TRACE | | Redo res = __local4673__
TRACE | | Redo result.new(msg, {}, __local4673__)
TRACE | | Redo msg = "Add HEALTHCHECK instruction in your Dockerfile"
TRACE | | Redo __local4672__ = 0
TRACE | | Redo count(__local5872__, __local4672__)
TRACE | | Redo __local5872__ = data.lib.docker.healthcheck
TRACE | Unify {{"endline": 0, "explicit": false, "filepath": "", "fskey": "", "managed": true, "msg": "Add HEALTHCHECK instruction in your Dockerfile", "parent": null, "resource": "", "sourceprefix": "", "startline": 0}} = _
TRACE | Exit data.builtin.dockerfile.DS026.deny = _
TRACE Redo data.builtin.dockerfile.DS026.deny = _
TRACE | Redo data.builtin.dockerfile.DS026.deny = _
TRACE

Operating System

m1

Version

Version: 0.58.0


@nikpivkin nikpivkin added kind/bug Categorizes issue or PR as related to a bug. scan/misconfiguration Issues relating to misconfiguration scanning labels Jan 22, 2025
@simar7 simar7 added this to the v0.59.0 milestone Jan 22, 2025