
DS018 ("alias is not defined in previous stages") triggered by COPY --from=external-image

Status: Open. Opened by daliborfilus, 0 comments.

Description

The validation for https://avd.aquasec.com/appshield/ds018/ is invalid, since having a reference to an external image is valid and supported, see https://docs.docker.com/develop/develop-images/multistage-build/#use-an-external-image-as-a-stage

Trivy could check if the COPY --from= argument refers to an existing image and skip this check, OR it could decrease the severity from HIGH to MEDIUM (or even lower), OR it could just stop checking for this, if it's not possible to differentiate between references to regular images and build stages.

Buildah also supports references to external images "as stages" via this syntax.

What did you expect to happen?

I don't expect this Dockerfile to raise DS018:

FROM ubuntu:20.04
ENV JAVA_HOME=/opt/java/openjdk
COPY --from=eclipse-temurin:17-jdk-focal $JAVA_HOME $JAVA_HOME

but it does.

What happened instead?

Got the error DS018.

Output of run with -debug:

Dockerfile (dockerfile)
=======================
Tests: 17 (SUCCESSES: 15, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)
+---------------------------+------------+------------------------------------------+----------+------------------------------------------+
|           TYPE            | MISCONF ID |                  CHECK                   | SEVERITY |                 MESSAGE                  |
+---------------------------+------------+------------------------------------------+----------+------------------------------------------+
| Dockerfile Security Check |   DS002    | root user                                |   HIGH   | Last USER command in                     |
|                           |            |                                          |          | Dockerfile should not be 'root'          |
|                           |            |                                          |          | -->avd.aquasec.com/appshield/ds002       |
+                           +------------+------------------------------------------+          +------------------------------------------+
|                           |   DS018    | 'COPY --from' refers to alias not        |          | The alias                                |
|                           |            | defined previously                       |          | '--from=eclipse-temurin:17-jdk-focal'    |
|                           |            |                                          |          | is not defined in the previous stages    |
|                           |            |                                          |          | -->avd.aquasec.com/appshield/ds018       |
+---------------------------+------------+------------------------------------------+----------+------------------------------------------+

Output of trivy -v:

Version: 0.22.0

Additional details (base image name, container registry info...):

The output is from the trivy Docker image docker.io/aquasec/trivy:latest (sha256:c6f6e688)

daliborfilus, Jan 26 '22 00:01
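As an added illustration of the distinction the issue asks for (this is not appshield's actual Rego policy and not part of the original issue), the following Python check accepts `COPY --from=` when it names a previously defined stage alias, an earlier stage index, or something that is unambiguously an image reference, and flags only the remaining cases. The rule that a tag, registry path or digest marks an external image is an assumption of this example, and the sample Dockerfile is constructed from the one in the report plus a few stage-based variants.

```python
import re

# Constructed sample: the Dockerfile from the issue plus stage-based COPY variants.
SAMPLE = """\
FROM golang:1.19 AS builder
RUN go build -o /app ./cmd
FROM ubuntu:20.04
ENV JAVA_HOME=/opt/java/openjdk
COPY --from=eclipse-temurin:17-jdk-focal $JAVA_HOME $JAVA_HOME
COPY --chown=app:app --from=builder /app /usr/local/bin/app
COPY --from=0 /app /app2
COPY --from=tests /report /report
COPY --from=ubuntu /etc/os-release /
"""

# FROM [--platform=...] <image> [AS <alias>]
FROM_RE = re.compile(r"^FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.I)
# COPY with any other flags before --from=<ref>
COPY_FROM_RE = re.compile(r"^COPY\s+(?:--(?!from=)\S+\s+)*--from=(\S+)", re.I)


def check_copy_from(dockerfile_text):
    """Return [(line_no, ref, reason)] for COPY --from references that neither
    name a previous stage nor look like an external image (assumed heuristic)."""
    findings = []
    stages = 0          # number of FROM lines seen so far (current stage included)
    aliases = set()     # stage aliases defined so far, lowercased
    for line_no, raw in enumerate(dockerfile_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = FROM_RE.match(line)
        if m:
            stages += 1
            if m.group(2):
                aliases.add(m.group(2).lower())
            continue
        m = COPY_FROM_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.lower() in aliases:
            continue                                   # previously defined stage alias
        if ref.isdigit() and int(ref) < stages - 1:
            continue                                   # numeric index of an earlier stage
        if any(c in ref for c in ":/@"):
            continue   # assumption: tag, registry path or digest means an external image
        findings.append((line_no, ref, "not a previous stage and not an unambiguous image reference"))
    return findings
```

A bare name such as `ubuntu` is still reported, since without a tag or path it cannot be told apart from a misspelled alias; that is the ambiguous case the issue mentions.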