
fix(checks): AVD-DS-0015 FP about yum clean all missed #6776

Closed
1 of 2 tasks
simar7 opened this issue May 24, 2024 Discussed in #6772 · 0 comments · Fixed by aquasecurity/trivy-checks#135
Comments


simar7 commented May 24, 2024

Discussed in #6772

Originally posted by nurmukhametov May 24, 2024

IDs

yum clean all

Description

HIGH: 'yum clean all' is missed: if [ "$TBB" == "default" ]; then  yum -y install tbb tbb-devel && yum clean -y all; fi

Reproduction Steps

$ cat > Dockerfile
RUN if [ "$TBB" == "default" ]; then  yum -y install tbb tbb-devel && yum clean -y all; fi
$ trivy config .

Target

Container Image

Scanner

Misconfiguration

Target OS

No response

Debug Output

2024-05-24T05:05:43-07:00       DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-05-24T05:05:43-07:00       DEBUG   Cache dir       dir="/nfs/site/home/anurmukh/.cache/trivy"
2024-05-24T05:05:43-07:00       INFO    Misconfiguration scanning is enabled
2024-05-24T05:05:43-07:00       DEBUG   Policies successfully loaded from disk
2024-05-24T05:05:43-07:00       DEBUG   Enabling misconfiguration scanners      scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-05-24T05:05:44-07:00       DEBUG   [nuget] The nuget packages directory couldn't be found. License search disabled
2024-05-24T05:05:44-07:00       DEBUG   Scanning files for misconfigurations... scanner="Dockerfile"
2024-05-24T05:05:44-07:00       DEBUG   [misconf] 05:44.216920727 dockerfile.scanner.rego          Overriding filesystem for checks!
2024-05-24T05:05:44-07:00       DEBUG   [misconf] 05:44.217608678 dockerfile.scanner.rego          Loaded 3 embedded libraries.
2024-05-24T05:05:44-07:00       DEBUG   [misconf] 05:44.255386892 dockerfile.scanner.rego          Loaded 191 embedded policies.
2024-05-24T05:05:44-07:00       DEBUG   [misconf] 05:44.407017610 dockerfile.scanner.rego          Loaded 189 policies from disk.
2024-05-24T05:05:44-07:00       DEBUG   [misconf] 05:44.407458557 dockerfile.scanner.rego          Overriding filesystem for data!
2024-05-24T05:05:44-07:00       DEBUG   [misconf] 05:44.623679262 dockerfile.scanner.rego          Scanning 1 inputs...
2024-05-24T05:05:44-07:00       DEBUG   OS is not detected.
2024-05-24T05:05:44-07:00       INFO    Detected config files   num=1
2024-05-24T05:05:44-07:00       DEBUG   Scanned config file     path="Dockerfile"
Dockerfile (dockerfile)

Tests: 26 (SUCCESSES: 23, FAILURES: 3, EXCEPTIONS: 0)
Failures: 3 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 2, CRITICAL: 0)

HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002

HIGH: 'yum clean all' is missed: if [ "$TBB" == "default" ]; then  yum -y install tbb tbb-devel && yum clean -y all; fi
You should use 'yum clean all' after using a 'yum install' command to clean package cached data and reduce image size.

See https://avd.aquasec.com/misconfig/ds015
 Dockerfile:1
   1 [ RUN if [ "$TBB" == "default" ]; then  yum -y install tbb tbb-devel && yum clean -y all; fi

LOW: Add HEALTHCHECK instruction in your Dockerfile
You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.
See https://avd.aquasec.com/misconfig/ds026

Version

Version: 0.51.2
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-05-24 06:12:01.989181315 +0000 UTC
  NextUpdate: 2024-05-24 12:12:01.989180995 +0000 UTC
  DownloadedAt: 2024-05-24 11:45:32.826253586 +0000 UTC
Check Bundle:
  Digest: sha256:1df8ade71efc830877ca3b1130f83e0c6368e3a45b0d4c0f0418955501644054
  DownloadedAt: 2024-05-24 11:49:15.653545668 +0000 UTC

Checklist

@simar7 simar7 added kind/bug Categorizes issue or PR as related to a bug. scan/misconfiguration Issues relating to misconfiguration scanning labels May 24, 2024
@simar7 simar7 added this to the v0.52.0 milestone May 27, 2024
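A worked example, added here and not taken from the issue or from the Trivy check itself: a literal-substring rule (a simplified stand-in for the reported behaviour, not Trivy's actual Rego) misses `yum clean -y all` in the RUN line above and so reports DS-0015, while a small tokenizer that splits the line into simple commands and ignores yum flags in any position recognises it. The separator list and the tokenizer regex are assumptions made for illustration.

```python
import re

# Constructed sample input: the RUN command from the report above.
RUN_CMD = ('if [ "$TBB" == "default" ]; then  yum -y install tbb tbb-devel '
           '&& yum clean -y all; fi')

# Hypothetical separator list: words that end one simple command and start
# the next (operators plus the shell keywords seen in the reported line).
SEPARATORS = {"&&", "||", ";", "|", "&", "if", "then", "elif", "else",
              "fi", "do", "done"}
TOKEN_RE = re.compile(r'&&|\|\||[;|&]|"[^"]*"|\'[^\']*\'|[^\s;|&"\']+')


def naive_has_clean_all(run_cmd):
    """Literal substring match: misses 'yum clean -y all' (the reported FP)."""
    return "yum clean all" in run_cmd


def split_commands(run_cmd):
    """Tokenize a RUN line and split it into simple commands (word lists)."""
    cmds, cur = [], []
    for tok in TOKEN_RE.findall(run_cmd):
        if tok in SEPARATORS:
            if cur:
                cmds.append(cur)
            cur = []
        else:
            cur.append(tok)
    if cur:
        cmds.append(cur)
    return cmds


def yum_subcommand(words):
    """Return (subcommand, positional args) of a yum call, dropping flags.

    Flags such as -y may sit anywhere; '--opt value' flags with a separate
    value are not handled, an accepted simplification for this example.
    """
    if not words or words[0] != "yum":
        return None, []
    args = [w for w in words[1:] if not w.startswith("-")]
    return (args[0], args[1:]) if args else (None, [])


def missing_yum_clean(run_cmd):
    """True when a 'yum install' has no later 'yum clean all' in the same RUN."""
    cmds = split_commands(run_cmd)
    for i, words in enumerate(cmds):
        if yum_subcommand(words)[0] != "install":
            continue
        if not any(yum_subcommand(c) == ("clean", ["all"]) for c in cmds[i + 1:]):
            return True
    return False
```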