fix(misconf): disable DS016 check for image history analyzer (#7540)
Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
nikpivkin authored Sep 30, 2024
1 parent efdb68d commit de40df9
Showing 3 changed files with 49 additions and 0 deletions.
5 changes: 5 additions & 0 deletions pkg/fanal/analyzer/imgconf/dockerfile/dockerfile.go
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,10 @@ import (
"github.com/aquasecurity/trivy/pkg/misconf"
)

var disabledChecks = []string{
"DS016", // See https://github.com/aquasecurity/trivy/issues/7368
}

const analyzerVersion = 1

func init() {
Expand All @@ -27,6 +31,7 @@ type historyAnalyzer struct {
}

func newHistoryAnalyzer(opts analyzer.ConfigAnalyzerOptions) (analyzer.ConfigAnalyzer, error) {
opts.MisconfScannerOption.DisabledCheckIDs = append(opts.MisconfScannerOption.DisabledCheckIDs, disabledChecks...)
s, err := misconf.NewScanner(detection.FileTypeDockerfile, opts.MisconfScannerOption)
if err != nil {
return nil, xerrors.Errorf("misconfiguration scanner error: %w", err)
Expand Down
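Review bot: The new `append(opts.MisconfScannerOption.DisabledCheckIDs, disabledChecks...)` in newHistoryAnalyzer can write into the caller's backing array whenever the incoming slice has spare capacity, because `opts` is a by-value copy of the struct but its slice header still aliases the caller's storage, so another analyzer built from the same options could find "DS016" silently appended to its own list. Building a fresh slice removes the aliasing: `ids := make([]string, 0, len(opts.MisconfScannerOption.DisabledCheckIDs)+len(disabledChecks))`, `ids = append(append(ids, opts.MisconfScannerOption.DisabledCheckIDs...), disabledChecks...)`, `opts.MisconfScannerOption.DisabledCheckIDs = ids` (or `slices.Concat` if the module's Go version has it). The remainder of newHistoryAnalyzer continues outside the hunk. The comment on `disabledChecks` only links an issue; a one-line reason would serve a reader without network access, e.g. `// DS016 (multiple CMD instructions) misfires on image history, which legitimately carries CMD entries inherited from base layers — see #7368` (the test fixture's "duplicate command from another layer" entry suggests this is the cause, but confirm against the issue).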
41 changes: 41 additions & 0 deletions pkg/fanal/analyzer/imgconf/dockerfile/dockerfile_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -284,6 +284,47 @@ func Test_historyAnalyzer_Analyze(t *testing.T) {
Config: nil,
},
},
{
name: "DS016 check not detected",
input: analyzer.ConfigAnalysisInput{
Config: &v1.ConfigFile{
Config: v1.Config{
Healthcheck: &v1.HealthConfig{
Test: []string{"CMD-SHELL", "curl --fail http://localhost:3000 || exit 1"},
Interval: time.Second * 10,
Timeout: time.Second * 3,
},
},
History: []v1.History{
{
// duplicate command from another layer
CreatedBy: `/bin/sh -c #(nop) CMD [\"/bin/bash\"]`,
EmptyLayer: true,
},
{
CreatedBy: "/bin/sh -c #(nop) ADD file:e4d600fc4c9c293efe360be7b30ee96579925d1b4634c94332e2ec73f7d8eca1 in /",
},
{
CreatedBy: `HEALTHCHECK &{["CMD-SHELL" "curl --fail http://localhost:3000 || exit 1"] "10s" "3s" "0s" '\x00'}`,
},
{
CreatedBy: `USER user`,
EmptyLayer: true,
},
{
CreatedBy: `/bin/sh -c #(nop) CMD [\"/bin/sh\"]`,
EmptyLayer: true,
},
},
},
},
want: &analyzer.ConfigAnalysisResult{
Misconfiguration: &types.Misconfiguration{
FileType: types.Dockerfile,
FilePath: "Dockerfile",
},
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
Expand Down
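Review bot: The new "DS016 check not detected" case only asserts an empty result, so it cannot distinguish a disabled check from a check that never loaded or a fixture that would not have triggered DS016 anyway; the two `CMD` history entries (one annotated "duplicate command from another layer") are presumably what would have fired it, but nothing in the test pins that down. A companion case that runs the same history without the `disabledChecks` override and expects a DS016 failure would make the suppression observable, or failing that an assertion on at least one positive finding from another check in the same fixture. The test table and the body of `Test_historyAnalyzer_Analyze` continue outside the hunk.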
3 changes: 3 additions & 0 deletions pkg/misconf/scanner.go
Original file line number Diff line number Diff line change
Expand Up @@ -74,6 +74,8 @@ type ScannerOption struct {

FilePatterns []string
ConfigFileSchemas []*ConfigFileSchema

DisabledCheckIDs []string
}

func (o *ScannerOption) Sort() {
Expand Down Expand Up @@ -212,6 +214,7 @@ func scannerOptions(t detection.FileType, opt ScannerOption) ([]options.ScannerO
rego.WithEmbeddedPolicies(!opt.DisableEmbeddedPolicies),
rego.WithEmbeddedLibraries(!opt.DisableEmbeddedLibraries),
options.ScannerWithIncludeDeprecatedChecks(opt.IncludeDeprecatedChecks),
rego.WithDisabledCheckIDs(opt.DisabledCheckIDs...),
}

policyFS, policyPaths, err := CreatePolicyFS(opt.PolicyPaths)
Expand Down
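Review bot: `DisabledCheckIDs` is added to the exported `ScannerOption` without a doc comment and without being included in `Sort()`, whose body sits outside the hunk; if `Sort()` exists to give the option struct a canonical form (for hashing or cache keys, say), the same IDs passed in a different order would now yield a different key. Suggest documenting the field, `// DisabledCheckIDs lists check IDs (e.g. "DS016") that are skipped even when the embedded policies are enabled.`, and sorting it alongside the other slices: `sort.Strings(o.DisabledCheckIDs)`. Deduplicating may also be worth it, since the history analyzer appends its own defaults to whatever the user already passed — harmless if `rego.WithDisabledCheckIDs` tolerates duplicates, but that is not visible here.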
