
DS002 triggered in multistage build using single USER in the last stage

Open daliborfilus opened this issue 3 years ago • 0 comments

I have multiple multi-stage Dockerfiles, where I use the root user in the first stages and then switch to a non-privileged user only in the final stage (i.e. where it matters, since all the previous stages are discarded/omitted from the final image).

FROM eclipse-temurin:17-jdk-focal AS parent

FROM ubuntu:focal AS build
USER root

ENV JAVA_HOME=/opt/java/openjdk
COPY --from=parent $JAVA_HOME $JAVA_HOME
ENV PATH="${JAVA_HOME}/bin:${PATH}"

RUN apt install ...
RUN run build
RUN [start postgres (requires root), run integration tests, stop postgres, cleanup...]

FROM eclipse-temurin:17-jdk-focal
RUN useradd -m -d /opt -s /bin/bash -g root myuser
RUN chown -R myuser /opt
USER myuser
COPY --from=build ....
CMD ["java", ...]

Trivy complains:

trivy --cache-dir .trivycache/ fs --exit-code 1 --no-progress --severity HIGH,CRITICAL --security-checks=vuln,config .
Dockerfile (dockerfile)
=======================
Tests: 17 (SUCCESSES: 16, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)
+---------------------------+------------+-----------+----------+------------------------------------------+
|           TYPE            | MISCONF ID |   CHECK   | SEVERITY |                 MESSAGE                  |
+---------------------------+------------+-----------+----------+------------------------------------------+
| Dockerfile Security Check |   DS002    | root user |   HIGH   | Last USER command in                     |
|                           |            |           |          | Dockerfile should not be 'root'          |
|                           |            |           |          | -->avd.aquasec.com/appshield/ds002       |
+---------------------------+------------+-----------+----------+------------------------------------------+

The same situation (although with different message) repeats if I remove the USER root, so it's not a problem with that. It seems to me that Trivy doesn't like the fact that I don't have USER xyz in the first stage, where I don't really need/want that.

The same situation also happens in one of my other Dockerfiles, where I have 3 stages. Does this mean I should have USER xyz in all stages? I don't really want to...

Is this a bug or is this an expected behavior?

daliborfilus avatar Jan 26 '22 00:01 daliborfilus
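As an added illustration of the point the issue raises (this is example code written here, not Trivy's or appshield's DS002 implementation), the following parses a multi-stage Dockerfile into stages and evaluates the "last USER must not be root" rule against the final stage only, since earlier stages never become part of the shipped image. The sample Dockerfile is constructed to mirror the shape of the one in the report; the stage splitting is deliberately simplified (no heredocs, no parser directives) and a final stage with no USER at all is treated as root, which is an assumption that holds for most official base images but not all.

```python
from typing import Optional

# Constructed sample shaped like the reporter's Dockerfile: two root-level
# build stages followed by a final stage that switches to a regular user.
SAMPLE_DOCKERFILE = """\
FROM eclipse-temurin:17-jdk-focal AS parent

FROM ubuntu:focal AS build
USER root
ENV JAVA_HOME=/opt/java/openjdk
COPY --from=parent $JAVA_HOME $JAVA_HOME
RUN apt-get update && \\
    apt-get install -y build-essential

FROM eclipse-temurin:17-jdk-focal
RUN useradd -m -d /opt -s /bin/bash -g root myuser
RUN chown -R myuser /opt
USER myuser
COPY --from=build /opt/app /opt/app
CMD ["java", "-jar", "/opt/app/app.jar"]
"""


def split_stages(dockerfile: str) -> list[list[str]]:
    """Split a Dockerfile into stages; each stage is a list of logical
    instructions. Comments and blank lines are dropped and backslash
    line continuations are joined. Simplified: no heredoc support."""
    logical: list[str] = []
    buf = ""
    for raw in dockerfile.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        logical.append((buf + line).strip())
        buf = ""
    if buf:
        logical.append(buf.strip())

    stages: list[list[str]] = []
    for instr in logical:
        if instr.split(None, 1)[0].upper() == "FROM":
            stages.append([])
        if stages:  # instructions before the first FROM are ignored
            stages[-1].append(instr)
    return stages


def last_user(stage: list[str]) -> Optional[str]:
    """Value of the last USER instruction in a stage, or None if absent."""
    user = None
    for instr in stage:
        parts = instr.split(None, 1)
        if parts[0].upper() == "USER" and len(parts) > 1:
            user = parts[1].strip()
    return user


def final_stage_runs_as_root(dockerfile: str) -> bool:
    """Apply the rule only to the final stage, as DS002 is documented:
    the last USER of the final stage decides the runtime user.
    Assumption: a final stage without any USER runs as root (true for
    most official base images, not guaranteed for all)."""
    stages = split_stages(dockerfile)
    if not stages:
        return True
    user = last_user(stages[-1])
    if user is None:
        return True
    name = user.split(":")[0]  # USER may be "user:group"; keep the user part
    return name in ("root", "0")


def per_stage_report(dockerfile: str) -> list[tuple[str, Optional[str]]]:
    """(stage name from `AS`, or its index, last USER) for every stage.
    Shows why a stage-blind check would flag the build stages here."""
    report = []
    for i, stage in enumerate(split_stages(dockerfile)):
        tokens = stage[0].split()
        name = str(i)
        for j, tok in enumerate(tokens):
            if tok.upper() == "AS" and j + 1 < len(tokens):
                name = tokens[j + 1]
        report.append((name, last_user(stage)))
    return report


if __name__ == "__main__":
    for name, user in per_stage_report(SAMPLE_DOCKERFILE):
        print(f"stage {name}: last USER = {user}")
    print("final stage runs as root:", final_stage_runs_as_root(SAMPLE_DOCKERFILE))
```

Run against the sample, the report lists `parent` with no USER, `build` with `root`, and the unnamed final stage with `myuser`, and `final_stage_runs_as_root` returns False: the image is correctly judged compliant. Treating a missing USER as root is the conservative choice for a linter, and checking `root` and UID `0` in the user part of `user:group` covers the forms Dockerfile accepts.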