dockle
DKL-LI-0001 erroneously reported for Wolfi images
Description
Dockle currently reports DKL-LI-0001 as a potential problem with Wolfi images from chainguard:
This is however not a problem with Wolfi images as it cannot be used for escalation (see chainguard's explanation here). It seems that overall CVE-2019-5021 is contentious and it should perhaps have been disputed originally. I think it might make sense to remove DKL-LI-0001 from Dockle completely.
What did you expect to happen? No checkpoint triggered
What happened instead? Checkpoint triggered
Output of run with -debug:
2023-08-22T17:21:11.781-0400 DEBUG There is no .dockleignore file
2023-08-22T17:21:11.781-0400 DEBUG Skipped update confirmation
2023-08-22T17:21:11.781-0400 DEBUG Start assessments...
2023-08-22T17:21:18.356-0400 DEBUG Start scan : password files
2023-08-22T17:21:18.356-0400 DEBUG Start scan : /etc/passwd
2023-08-22T17:21:18.356-0400 DEBUG Start scan : /etc/group
2023-08-22T17:21:18.357-0400 DEBUG Start scan : /etc/hosts
2023-08-22T17:21:18.357-0400 DEBUG Start scan : credential files
2023-08-22T17:21:18.357-0400 DEBUG Scan start : config file
2023-08-22T17:21:18.358-0400 DEBUG Scan start : DOCKER_CONTENT_TRUST
2023-08-22T17:21:18.358-0400 DEBUG Start scan : cache files
2023-08-22T17:21:18.358-0400 DEBUG End assessments...
FATAL - DKL-LI-0001: Avoid empty password
* No password user found! username : root
WARN - DKL-DI-0006: Avoid latest tag
* Avoid 'latest' tag
INFO - CIS-DI-0005: Enable Content trust for Docker
* export DOCKER_CONTENT_TRUST=1 before docker pull/build
INFO - CIS-DI-0006: Add HEALTHCHECK instruction to the container image
* not found HEALTHCHECK statement
Output of dockle -v:
dockle version 0.4.13
Additional details (base image name, container registry info...): cgr.dev/chainguard/jre:latest
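For readers unfamiliar with what DKL-LI-0001 actually inspects, the following is an added example (not Dockle's own code) of the check it describes: parse /etc/passwd and /etc/shadow from an image filesystem and report accounts whose effective password field is empty. The sample passwd/shadow contents are constructed to resemble the finding above (root with an empty shadow password field); the locked-account handling is the editor's own reading of the file formats, not something the report states.

```python
# Added example (not Dockle's own code): a minimal version of the check behind
# DKL-LI-0001 ("Avoid empty password"), run against constructed /etc/passwd and
# /etc/shadow contents where root has an empty password field.


def parse_colon_file(text):
    """Yield the colon-separated fields of each non-empty, non-comment line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        yield line.split(":")


def find_empty_password_users(passwd_text, shadow_text=""):
    """Return usernames whose effective password field is empty.

    A passwd field of 'x' defers to /etc/shadow. A field of '!' or '*' (or a
    '!'-prefixed hash) means the account is locked, which is not an empty
    password and is therefore not reported.
    """
    shadow = {f[0]: f[1] for f in parse_colon_file(shadow_text) if len(f) >= 2}
    empty = []
    for fields in parse_colon_file(passwd_text):
        if len(fields) < 2:
            continue
        user, pw = fields[0], fields[1]
        if pw == "x":              # password kept in /etc/shadow
            pw = shadow.get(user)  # None if the user has no shadow entry
            if pw is None:
                continue
        if pw == "":
            empty.append(user)
    return empty


# Constructed sample data: root's shadow entry has an empty password field,
# which is what produces "No password user found! username : root".
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
nonroot:x:65532:65532:nonroot:/home/nonroot:/sbin/nologin
"""
SAMPLE_SHADOW = """\
root::19592:0:99999:7:::
nonroot:!:19592:0:99999:7:::
"""

if __name__ == "__main__":
    for user in find_empty_password_users(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print("FATAL - DKL-LI-0001: Avoid empty password")
        print(f"\t* No password user found! username : {user}")
```

Whether an empty field is exploitable depends on what else is in the image (a login path such as su or login), which is exactly the distinction the report argues Dockle does not make.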