defsec: bug: false positive for DS0017 for arbitrary update command

Describe the bug

There is a false positive for the following Dockerfile line:

RUN /bin/sh /scripts/someScript.sh update

HIGH: The instruction 'RUN <package-manager> update' should always be followed by '<package-manager> install' in the same RUN statement.

To Reproduce

Steps to reproduce the behavior:

  1. Write a Dockerfile with the above statement
  2. Run trivy config

Expected behavior

There should be no finding about this line.

Output of your tfsec command with --debug flag

2023-03-28T15:16:41.815Z	INFO	Detected config files: 1
Dockerfile (dockerfile)
=======================
Tests: 21 (SUCCESSES: 20, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (MEDIUM: 0, HIGH: 1, CRITICAL: 0)
HIGH: The instruction 'RUN <package-manager> update' should always be followed by '<package-manager> install' in the same RUN statement.
════════════════════════════════════════
The instruction 'RUN <package-manager> update' should always be followed by '<package-manager> install' in the same RUN statement.
See https://avd.aquasec.com/misconfig/ds017
────────────────────────────────────────
 Dockerfile:8
────────────────────────────────────────
   8 [ RUN /bin/sh /scripts/someScript.sh update
────────────────────────────────────────

System Info

$ trivy -v
Version: 0.38.3

About this issue

  • State: open
  • Created a year ago
  • Comments: 15 (3 by maintainers)

Most upvoted comments

After raising the PR, I was surprised to see that I need to sign a CLA. This will take a while, because I have already completed our internal contribution process and was under the impression that there is no CLA for this repo. As an improvement for future contributors, it would really help if the CLA would be included in the contribution guidelines.

We are only allowed to sign CLAs after a lawyer has looked into it.

I would suggest that we switch the rule to a more targeted approach and add all the known package managers into the rule; that would prevent false-positive matches. So the rule would only trigger if either update or --update AND a package manager command like apt-get, apk, … is found.

Right, this makes sense, as the options will be different depending on the package manager. As you said, we need to consider both of them to make a decision. At first we can start with apt and apk to begin with.
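The refinement proposed above (only trigger when a known package manager, starting with apt and apk, runs an update with no install in the same RUN), sketched in Python as an added example; this is not defsec's Rego rule, and the update/install token sets are assumptions. It shows the reported line passing the refined check while a bare apt-get update is still flagged.

```python
import re
import shlex
# Added example sketching the rule refinement proposed in this thread (not defsec's Rego).
# apt/apt-get and apk come from the thread; the exact token sets below are assumptions.
PACKAGE_MANAGERS = {"apt", "apt-get", "apk"}
UPDATE_TOKENS = {"update", "--update"}
INSTALL_TOKENS = {"install", "add"}  # apk spells install as "add"

def run_instructions(dockerfile: str) -> list[str]:
    """Argument string of every shell-form RUN (backslash line continuations joined)."""
    joined = re.sub(r"\\\r?\n\s*", " ", dockerfile)
    return [l[4:].strip() for l in joined.splitlines() if l.upper().startswith("RUN ")]

def commands(run_args: str) -> list[str]:
    """Split a RUN shell string into its individual commands on &&, ||, ; and |."""
    return [c.strip() for c in re.split(r"&&|\|\||;|\|", run_args) if c.strip()]

def naive_ds0017(run_args: str) -> bool:
    """Over-broad matching as reported: an 'update' word anywhere, no 'install' word."""
    words = set(run_args.split())
    return bool(words & UPDATE_TOKENS) and not (words & INSTALL_TOKENS)

def refined_ds0017(run_args: str) -> bool:
    """Flag only if a known package manager updates and none installs in the same RUN."""
    saw_update = saw_install = False
    for cmd in commands(run_args):
        try:
            argv = shlex.split(cmd)
        except ValueError:  # unbalanced quotes: fall back to a plain whitespace split
            argv = cmd.split()
        if not argv or argv[0].rsplit("/", 1)[-1] not in PACKAGE_MANAGERS:
            continue  # program (by basename) is not a package manager: ignore its args
        rest = set(argv[1:])
        saw_update |= bool(rest & UPDATE_TOKENS)
        saw_install |= bool(rest & INSTALL_TOKENS)
    return saw_update and not saw_install

# Constructed sample Dockerfile; line 2 is the false positive from the report.
SAMPLE_DOCKERFILE = """\
FROM debian:bookworm
RUN /bin/sh /scripts/someScript.sh update
RUN apt-get update
RUN apt-get update && \\
    apt-get install -y --no-install-recommends curl
RUN apk add --update curl
"""

def findings(dockerfile: str, rule=refined_ds0017) -> list[str]:
    """RUN instructions that the given rule flags."""
    return [r for r in run_instructions(dockerfile) if rule(r)]
```

Running findings(SAMPLE_DOCKERFILE, naive_ds0017) reproduces the report (the script line is flagged), while findings(SAMPLE_DOCKERFILE) flags only the bare apt-get update.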

What do you think? If that would be a way to move forward, we could prepare a first draft of a PR and start collecting package managers.

Sure! I’m happy to review any PRs you may have.

Ah, you’re right. Yeah, this is a bug separate from the other one.