
bug(query): false positive from dockerfile/apt_get_install_lists_were_not_deleted

Open rossi-fi opened this issue 1 year ago • 2 comments

It's common to use DEBIAN_FRONTEND=noninteractive apt-get install package. However, the variable causes a false positive even though the install command is followed by cleanup.

Expected Behavior

No vulnerabilities reported

Actual Behavior

Apt Get Install Lists Were Not Deleted

Workaround

Remove variable from apt-get install and precede it with dpkg-reconfigure debconf --frontend=noninteractive

rossi-fi avatar Feb 20 '24 08:02 rossi-fi

Hi @rossi-fi! I created the following code sample for this issue, which doesn't reproduce the false positive:

FROM busyboxneg6
ARG DEBIAN_FRONTEND=noninteractive
RUN apt-get update; \
    apt-get install --no-install-recommends -y python; \
    apt-get clean

Do you think it covers it?

EduardoSemanas avatar Feb 22 '24 11:02 EduardoSemanas

Hi @EduardoSemanas

Using ARG to declare the variable is a valid workaround to avoid the false positive. Ideally the rules could be modified so one doesn't need to code around tool behaviour.

rossi-fi avatar Mar 26 '24 10:03 rossi-fi
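To make the false positive concrete, here is a small Dockerfile check written for this issue. It is an added example, not the KICS query itself (KICS queries are written in Rego, and this does not reproduce their exact matching rules); it only mirrors the intent of apt_get_install_lists_were_not_deleted: flag a RUN that installs packages with apt-get but never cleans the lists in the same layer. The three sample Dockerfiles are constructed for the example and cover the reporter's pattern (an inline DEBIAN_FRONTEND=noninteractive prefix followed by cleanup), the ARG workaround discussed above, and a genuinely unclean install. The key detail is in _words(): inline VAR=value assignments and an explicit env prefix are dropped before looking at the program name, which is exactly what a rule must do to avoid the reported false positive.

```python
"""Toy Dockerfile check mirroring the intent of the KICS query
apt_get_install_lists_were_not_deleted (added example, not KICS code)."""
import re
import shlex

# Constructed sample Dockerfiles (not taken from the KICS repository).
INLINE_ENV_WITH_CLEANUP = """\
FROM debian:bookworm-slim
RUN DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends python3 \\
    && rm -rf /var/lib/apt/lists/*
"""

ARG_WORKAROUND = """\
FROM debian:bookworm-slim
ARG DEBIAN_FRONTEND=noninteractive
RUN apt-get update; \\
    apt-get install --no-install-recommends -y python3; \\
    apt-get clean
"""

NO_CLEANUP = """\
FROM debian:bookworm-slim
RUN apt-get update && apt-get install -y curl
"""

_ASSIGNMENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")
# Shell command separators; splitting on these ignores quoting, which is
# good enough for typical RUN lines but not for separators inside strings.
_SEPARATOR = re.compile(r"\s*(?:&&|\|\||;|\|)\s*")


def parse_instructions(dockerfile):
    """Return (line_number, KEYWORD, argument) per instruction.

    Backslash line continuations are joined so a multi-line RUN becomes one
    instruction; comment and blank lines are skipped.
    """
    instructions = []
    start, buffer = None, []
    for number, raw in enumerate(dockerfile.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if start is None:
            start = number
        if line.endswith("\\"):
            buffer.append(line[:-1].strip())
            continue
        buffer.append(line)
        keyword, _, argument = " ".join(buffer).partition(" ")
        instructions.append((start, keyword.upper(), argument.strip()))
        start, buffer = None, []
    return instructions


def _words(command):
    """Tokenise one shell command and drop inline environment assignments
    such as DEBIAN_FRONTEND=noninteractive (and an explicit `env` prefix),
    so that the real program name ends up at index 0."""
    try:
        tokens = shlex.split(command)
    except ValueError:
        tokens = command.split()
    while tokens and (_ASSIGNMENT.match(tokens[0]) or tokens[0] == "env"):
        tokens.pop(0)
    return tokens


def is_apt_install(tokens):
    return bool(tokens) and tokens[0] == "apt-get" and "install" in tokens[1:]


def is_cleanup(tokens):
    """True for `apt-get clean` or a recursive rm of /var/lib/apt/lists."""
    if not tokens:
        return False
    if tokens[0] == "apt-get" and "clean" in tokens[1:]:
        return True
    if tokens[0] == "rm":
        flags = [t for t in tokens[1:] if t.startswith("-")]
        paths = [t for t in tokens[1:] if not t.startswith("-")]
        recursive = any("r" in f.lstrip("-") for f in flags)  # -r, -rf, -fr, --recursive
        return recursive and any(p.startswith("/var/lib/apt/lists") for p in paths)
    return False


def find_unclean_installs(dockerfile):
    """Line numbers of shell-form RUN instructions that run `apt-get install`
    without a cleanup command anywhere in the same RUN."""
    findings = []
    for line, keyword, argument in parse_instructions(dockerfile):
        if keyword != "RUN" or argument.startswith("["):  # exec form not handled here
            continue
        commands = [_words(c) for c in _SEPARATOR.split(argument) if c]
        if any(is_apt_install(c) for c in commands) and not any(is_cleanup(c) for c in commands):
            findings.append(line)
    return findings


if __name__ == "__main__":
    samples = [("inline env prefix", INLINE_ENV_WITH_CLEANUP),
               ("ARG workaround", ARG_WORKAROUND),
               ("no cleanup", NO_CLEANUP)]
    for name, text in samples:
        print(f"{name}: flagged RUN lines {find_unclean_installs(text)}")
```

Run as a script it prints an empty list for the first two samples and [2] for the third. The check deliberately treats an ENV or ARG declaration and an inline VAR=value prefix the same way: both are irrelevant to whether the layer's package lists were removed, so neither should influence the finding.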