ds017 false-positive (apt-mirror2) #6515

nE0sIghT · 2024-04-17T18:28:47Z

nE0sIghT
Apr 17, 2024

IDs

ds017

Description

Hello!

Today ds017 false-positive started to alert in the apt-mirror2 project: https://gitlab.com/apt-mirror2/apt-mirror2/-/jobs/6651671307

There is apt-get -y install immediate after apt-get update: https://gitlab.com/apt-mirror2/apt-mirror2/-/blob/master/.devcontainer/Dockerfile?ref_type=heads#L10

Reproduction Steps

I'm unsure, looks like something like this:

RUN \
    sed -i -e 's#Types: deb#Types: deb deb-src#' /etc/apt/sources.list.d/debian.sources ;\
    apt-get update ;\
    apt-get -y install \
        bash-completion \
        coreutils \
        git \
        git-gui \
        gitk \
        sudo \
    ;\

Target

Filesystem

Scanner

Misconfiguration

Target OS

No response

Debug Output

$ trivy fs . --debug
2024-04-17T18:27:01.731Z	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2024-04-17T18:27:01.732Z	WARN	'--scanners config' is deprecated. Use '--scanners misconfig' instead. See https://github.com/aquasecurity/trivy/discussions/5586 for the detail.
2024-04-17T18:27:01.732Z	DEBUG	Ignore statuses	{"statuses": null}
2024-04-17T18:27:01.739Z	DEBUG	cache dir:  .trivy
2024-04-17T18:27:01.739Z	DEBUG	There is no valid metadata file: unable to open a file: open .trivy/db/metadata.json: no such file or directory
2024-04-17T18:27:01.739Z	INFO	Need to update DB
2024-04-17T18:27:01.739Z	INFO	DB Repository: ghcr.io/aquasecurity/trivy-db:2
2024-04-17T18:27:01.739Z	INFO	Downloading DB...
2024-04-17T18:27:01.739Z	DEBUG	no metadata file
22.55 MiB / 45.08 MiB [------------------------------>______________________________] 50.03% ? p/s ?45.08 MiB / 45.08 MiB [----------------------------------------------------------->] 100.00% ? p/s ?45.08 MiB / 45.08 MiB [----------------------------------------------------------->] 100.00% ? p/s ?45.08 MiB / 45.08 MiB [---------------------------------------------->] 100.00% 37.76 MiB p/s ETA 0s45.08 MiB / 45.08 MiB [---------------------------------------------->] 100.00% 37.76 MiB p/s ETA 0s45.08 MiB / 45.08 MiB [---------------------------------------------->] 100.00% 37.76 MiB p/s ETA 0s45.08 MiB / 45.08 MiB [---------------------------------------------->] 100.00% 35.32 MiB p/s ETA 0s45.08 MiB / 45.08 MiB [-------------------------------------------------] 100.00% 33.91 MiB p/s 1.5s2024-04-17T18:27:03.508Z	DEBUG	Updating database metadata...
2024-04-17T18:27:03.508Z	DEBUG	DB Schema: 2, UpdatedAt: 2024-04-17 18:10:22.688774415 +0000 UTC, NextUpdate: 2024-04-18 00:10:22.688773955 +0000 UTC, DownloadedAt: 2024-04-17 18:27:03.508654817 +0000 UTC
2024-04-17T18:27:03.508Z	INFO	Vulnerability scanning is enabled
2024-04-17T18:27:03.509Z	DEBUG	Vulnerability type:  [os library]
2024-04-17T18:27:03.509Z	INFO	Misconfiguration scanning is enabled
2024-04-17T18:27:03.509Z	DEBUG	Failed to open the policy metadata: open .trivy/policy/metadata.json: no such file or directory
2024-04-17T18:27:03.509Z	INFO	Need to update the built-in policies
2024-04-17T18:27:03.509Z	INFO	Downloading the built-in policies...
2024-04-17T18:27:03.509Z	DEBUG	Using URL: ghcr.io/aquasecurity/trivy-policies:0 to load policy bundle
50.41 KiB / 50.41 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-04-17T18:27:03.754Z	DEBUG	Digest of the built-in policies: sha256:aa1640957b796d93a0ffc5d91237ee6b7ed9467b8f1825279384d29f91b9e590
2024-04-17T18:27:03.755Z	DEBUG	Policies successfully loaded from disk
2024-04-17T18:27:03.755Z	DEBUG	Enabling misconfiguration scanners: [azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-04-17T18:27:03.757Z	DEBUG	The nuget packages directory couldn't be found. License search disabled
2024-04-17T18:27:03.773Z	DEBUG	Walk the file tree rooted at '.' in parallel
2024-04-17T18:27:03.781Z	DEBUG	Scanning Dockerfile files for misconfigurations...
2024-04-17T18:27:03.782Z	DEBUG	[misconf] 27:03.782145142 dockerfile.scanner.rego          Overriding filesystem for policies!
2024-04-17T18:27:03.853Z	DEBUG	[misconf] 27:03.853425923 dockerfile.scanner.rego          Loaded 194 policies from disk.
2024-04-17T18:27:03.854Z	DEBUG	[misconf] 27:03.854138346 dockerfile.scanner.rego          Overriding filesystem for data!
2024-04-17T18:27:04.487Z	DEBUG	[misconf] 27:04.487903172 dockerfile.scanner.rego          Scanning 2 inputs...
2024-04-17T18:27:04.602Z	DEBUG	OS is not detected.
2024-04-17T18:27:04.602Z	DEBUG	Detected OS: unknown
2024-04-17T18:27:04.602Z	INFO	Number of language-specific files: 1
2024-04-17T18:27:04.602Z	INFO	Detecting pip vulnerabilities...
2024-04-17T18:27:04.602Z	DEBUG	Detecting library vulnerabilities, type: pip, path: requirements.txt
2024-04-17T18:27:04.603Z	INFO	Detected config files: 2
2024-04-17T18:27:04.603Z	DEBUG	Scanned config file: Dockerfile
2024-04-17T18:27:04.603Z	DEBUG	Scanned config file: .devcontainer/Dockerfile
2024-04-17T18:27:04.605Z	DEBUG	Found an ignore file: .trivyignore
2024-04-17T18:27:04.605Z	DEBUG	Ignored	{"id": "DS002", "path": ".devcontainer/Dockerfile"}
2024-04-17T18:27:04.605Z	DEBUG	Ignored	{"id": "DS026", "path": ".devcontainer/Dockerfile"}
2024-04-17T18:27:04.605Z	DEBUG	Ignored	{"id": "DS029", "path": ".devcontainer/Dockerfile"}
2024-04-17T18:27:04.605Z	DEBUG	Ignored	{"id": "DS002", "path": "Dockerfile"}
2024-04-17T18:27:04.605Z	DEBUG	Ignored	{"id": "DS026", "path": "Dockerfile"}
2024-04-17T18:27:04.605Z	DEBUG	Ignored	{"id": "DS029", "path": "Dockerfile"}
.devcontainer/Dockerfile (dockerfile)
=====================================
Tests: 27 (SUCCESSES: 23, FAILURES: 1, EXCEPTIONS: 3)
Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
HIGH: The instruction 'RUN <package-manager> update' should always be followed by '<package-manager> install' in the same RUN statement.
════════════════════════════════════════
The instruction 'RUN <package-manager> update' should always be followed by '<package-manager> install' in the same RUN statement.
See https://avd.aquasec.com/misconfig/ds017
────────────────────────────────────────
 .devcontainer/Dockerfile:8-23
────────────────────────────────────────
   8 ┌ RUN \
   9 │     sed -i -e 's#Types: deb#Types: deb deb-src#' /etc/apt/sources.list.d/debian.sources ;\
  10 │     apt-get update ;\
  11 │     apt-get -y install \
  12 │         bash-completion \
  13 │         coreutils \
  14 │         git \
  15 │         git-gui \
  16 └         gitk \
  ..   
────────────────────────────────────────
Dockerfile (dockerfile)
=======================
Tests: 27 (SUCCESSES: 24, FAILURES: 0, EXCEPTIONS: 3)
Failures: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

Version

$ trivy --version
Version: 0.50.1

Checklist

Read the documentation regarding wrong detection
Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

nikpivkin · 2024-04-18T03:53:16Z

nikpivkin
Apr 18, 2024
Maintainer

Hi @nE0sIghT !

Track #6516 .

Just wondering why commands are separated by semicolons and not by &&?

1 reply

nE0sIghT Apr 18, 2024
Author

Hi!

I use

SHELL ["/bin/bash", "-exo", "pipefail", "-c"]

So there is no need in the &&

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

ds017 false-positive (apt-mirror2) #6515

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 1 comment 1 reply

{{title}}

{{title}}

Select a reply

ds017 false-positive (apt-mirror2) #6515

nE0sIghT Apr 17, 2024

IDs

Description

Reproduction Steps

Target

Scanner

Target OS

Debug Output

Version

Checklist

Replies: 1 comment · 1 reply

nikpivkin Apr 18, 2024 Maintainer

nE0sIghT Apr 18, 2024 Author

nE0sIghT
Apr 17, 2024

Replies: 1 comment 1 reply

nikpivkin
Apr 18, 2024
Maintainer

nE0sIghT Apr 18, 2024
Author