
DKL-LI-0001 erroneously reported for Wolfi images

Open jemag opened this issue 1 year ago • 0 comments

Description

Dockle currently reports DKL-LI-0001 as a potential problem with Wolfi images from chainguard.

This is, however, not a problem with Wolfi images as it cannot be used for escalation (see chainguard's explanation here). It seems that overall CVE-2019-5021 is contentious and it should perhaps have been disputed originally. I think it might make sense to remove DKL-LI-0001 from Dockle completely.

What did you expect to happen? No checkpoint triggered

What happened instead? Checkpoint triggered

Output of run with -debug:

2023-08-22T17:21:11.781-0400    DEBUG   There is no .dockleignore file
2023-08-22T17:21:11.781-0400    DEBUG   Skipped update confirmation
2023-08-22T17:21:11.781-0400    DEBUG   Start assessments...
2023-08-22T17:21:18.356-0400    DEBUG   Start scan : password files
2023-08-22T17:21:18.356-0400    DEBUG   Start scan : /etc/passwd
2023-08-22T17:21:18.356-0400    DEBUG   Start scan : /etc/group
2023-08-22T17:21:18.357-0400    DEBUG   Start scan : /etc/hosts
2023-08-22T17:21:18.357-0400    DEBUG   Start scan : credential files
2023-08-22T17:21:18.357-0400    DEBUG   Scan start : config file
2023-08-22T17:21:18.358-0400    DEBUG   Scan start : DOCKER_CONTENT_TRUST
2023-08-22T17:21:18.358-0400    DEBUG   Start scan : cache files
2023-08-22T17:21:18.358-0400    DEBUG   End assessments...
FATAL   - DKL-LI-0001: Avoid empty password
        * No password user found! username : root
WARN    - DKL-DI-0006: Avoid latest tag
        * Avoid 'latest' tag
INFO    - CIS-DI-0005: Enable Content trust for Docker
        * export DOCKER_CONTENT_TRUST=1 before docker pull/build
INFO    - CIS-DI-0006: Add HEALTHCHECK instruction to the container image
        * not found HEALTHCHECK statement

Output of dockle -v:

dockle version 0.4.13

Additional details (base image name, container registry info...): cgr.dev/chainguard/jre:latest

jemag Aug 22 '23 21:08
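A check of the kind DKL-LI-0001 performs, as an added example that is not Dockle's code: it resolves each /etc/passwd entry through /etc/shadow and reports accounts whose password field is blank, keeping them apart from locked accounts. The sample files are constructed; whether such a finding is exploitable on a given image, which is what this report disputes, depends on whether any password-based login path exists there, and the check itself does not decide that.

```python
# Empty-password detection in the spirit of DKL-LI-0001 (added example, not Dockle's code).
from typing import Dict, List

EMPTY, LOCKED, HASHED = "empty", "locked", "hashed"


def classify_field(field: str) -> str:
    """Interpret one raw password field from /etc/passwd or /etc/shadow."""
    if field == "":
        return EMPTY            # blank: no secret is needed to authenticate
    if field[0] in "!*":
        return LOCKED           # "!" or "*" prefix: password login disabled
    return HASHED               # a hash (or other non-empty value) is present


def classify_accounts(passwd: str, shadow: str) -> Dict[str, str]:
    """Resolve every passwd user, following an "x" field into shadow."""
    shadow_field = {}
    for line in shadow.splitlines():
        parts = line.split(":")
        if len(parts) >= 2:
            shadow_field[parts[0]] = parts[1]
    states = {}
    for line in passwd.splitlines():
        parts = line.split(":")
        if len(parts) < 7:
            continue            # blank or malformed line
        name, field = parts[0], parts[1]
        if field == "x":        # password lives in shadow; no row there means nothing can match
            field = shadow_field.get(name, "!")
        states[name] = classify_field(field)
    return states


def empty_password_users(passwd: str, shadow: str) -> List[str]:
    """Accounts a DKL-LI-0001-style check would flag, sorted by name."""
    return sorted(n for n, s in classify_accounts(passwd, shadow).items() if s == EMPTY)


# Constructed sample files, not taken from any real image.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/sh\n"
    "daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin\n"
    "guest::1001:1001::/home/guest:/bin/sh\n"
)
SAMPLE_SHADOW = "root::0:::::\ndaemon:!:0:::::\n"

if __name__ == "__main__":
    for user in empty_password_users(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"DKL-LI-0001-style finding: empty password for user {user}")
```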