
[🐛] Snyk reports all issues as introduced by last base image in a multi-stage Dockerfile

Open mkielar opened this issue 3 years ago • 2 comments

Issue

When a Dockerfile contains multiple targets, snyk fails to properly discover the base image.

→ snyk --version
1.842.0 (standalone)

Reproduce

Take this Dockerfile:

FROM python:3.9 as python
FROM hello-world as hello

Then build the images:

docker build --tag me-testing-python:latest --target python .
docker build --tag me-testing-hello:latest --target hello .

Then run snyk for the python image:

snyk container test --file=Dockerfile me-testing-python:latest

Actual behaviour

Running snyk for me-testing-python:latest prints this:

✗ Critical severity vulnerability found in aom/libaom0
  Description: Buffer Overflow
  Info: https://snyk.io/vuln/SNYK-DEBIAN11-AOM-1300249
  Introduced through: imagemagick@8:6.9.11.60+dfsg-1.3
  From: imagemagick@8:6.9.11.60+dfsg-1.3 > imagemagick/imagemagick-6.q16@8:6.9.11.60+dfsg-1.3 > imagemagick/libmagickcore-6.q16-6@8:6.9.11.60+dfsg-1.3 > libheif/[email protected] > aom/[email protected]
  Image layer: Introduced by your base image (hello-world)

You can see the Image layer is wrongly reported as Image layer: Introduced by your base image (hello-world).

Now, remove the hello target from Dockerfile:

FROM python:3.9 as python

and rerun:

snyk container test --file=Dockerfile me-testing-python:latest

This links the vulnerability with base image properly:

✗ Critical severity vulnerability found in aom/libaom0
  Description: Buffer Overflow
  Info: https://snyk.io/vuln/SNYK-DEBIAN11-AOM-1300249
  Introduced through: imagemagick@8:6.9.11.60+dfsg-1.3
  From: imagemagick@8:6.9.11.60+dfsg-1.3 > imagemagick/imagemagick-6.q16@8:6.9.11.60+dfsg-1.3 > imagemagick/libmagickcore-6.q16-6@8:6.9.11.60+dfsg-1.3 > libheif/[email protected] > aom/[email protected]
  Image layer: Introduced by your base image (python:3.9)

You can see the Image layer is okay now.

Expected behaviour

The vulnerability should be reported against proper base image, regardless of the number of targets in the Dockerfile.

mkielar · May 17 '22 11:05

Perhaps allowing build-time arguments to be passed to snyk would help, if that also allowed passing a --target <target> flag (https://github.com/snyk/cli/issues/2170)?

mkielar · May 17 '22 11:05
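The report above shows snyk attributing the python image's layers to the last FROM in the Dockerfile (hello-world), and the follow-up comment asks for a --target flag. The script below is an added example, not code from the snyk CLI or from the issue author: it parses a multi-stage Dockerfile the way `docker build --target` selects a stage, follows `FROM <alias>` chains back to the external image, and emits a one-line Dockerfile containing only that FROM. The single-FROM Dockerfile is the form the issue shows snyk attributing correctly, so handing the generated file to `--file=` is offered as a workaround; that it works with the real CLI is an assumption, not something the issue states. The `app` stage and the `ARG PY_TAG` substitution in the second sample are constructed to exercise alias resolution and build-arg defaults and are not part of the original report.

```python
"""Resolve the real base image of a build target in a multi-stage Dockerfile.

Added example for the snyk/cli issue on multi-stage attribution; not snyk code.
"""
import re
from typing import Dict, List, Optional, Tuple

# The exact Dockerfile from the issue report.
ISSUE_DOCKERFILE = """\
FROM python:3.9 as python
FROM hello-world as hello
"""

# Constructed sample (not from the issue): a global ARG used in a FROM, and a
# third stage that builds on an earlier stage by alias.
SAMPLE_DOCKERFILE = """\
ARG PY_TAG=3.9
FROM python:${PY_TAG} as python
FROM hello-world as hello
FROM python AS app
COPY . /app
"""

_FROM_RE = re.compile(
    r"^FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?\s*$", re.IGNORECASE
)
_ARG_RE = re.compile(r"^ARG\s+([A-Za-z_][A-Za-z0-9_]*)(?:=(.*))?\s*$")
# ${VAR}, ${VAR:-default} and $VAR, the forms Docker expands inside FROM.
_VAR_RE = re.compile(
    r"\$\{([A-Za-z_][A-Za-z0-9_]*)(?::-([^}]*))?\}|\$([A-Za-z_][A-Za-z0-9_]*)"
)


def _expand(value: str, args: Dict[str, str]) -> str:
    """Substitute build args into an image reference; unset vars become the
    ':-' default, or the empty string when there is none."""
    def sub(m: re.Match) -> str:
        name = m.group(1) or m.group(3)
        if args.get(name):
            return args[name]
        return m.group(2) or ""
    return _VAR_RE.sub(sub, value)


def parse_stages(dockerfile: str,
                 build_args: Optional[Dict[str, str]] = None
                 ) -> List[Tuple[Optional[str], str]]:
    """Return (alias, image) for every FROM, in order.

    Only ARGs declared before the first FROM are global in Docker, so only
    those are substituted; explicit build_args override their defaults.
    """
    args = dict(build_args or {})
    stages: List[Tuple[Optional[str], str]] = []
    seen_from = False
    for raw in dockerfile.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _ARG_RE.match(line)
        if m and not seen_from:
            default = (m.group(2) or "").strip().strip("\"'")
            args.setdefault(m.group(1), default)
            continue
        m = _FROM_RE.match(line)
        if m:
            seen_from = True
            stages.append((m.group(2), _expand(m.group(1), args)))
    return stages


def resolve_base_image(stages: List[Tuple[Optional[str], str]],
                       target: Optional[str] = None) -> str:
    """External image the target stage is ultimately built FROM.

    With no target, the last stage is used, which is what `docker build`
    does and also what the issue shows snyk doing for every target.
    Stage aliases are case-insensitive and may only reference earlier stages.
    """
    if not stages:
        raise ValueError("Dockerfile has no FROM instruction")
    by_alias = {alias.lower(): i for i, (alias, _) in enumerate(stages) if alias}
    if target is None:
        idx = len(stages) - 1
    elif target.lower() in by_alias:
        idx = by_alias[target.lower()]
    else:
        raise KeyError(f"no stage named {target!r}")
    while True:
        _, image = stages[idx]
        ref = by_alias.get(image.lower())
        if ref is None or ref >= idx:      # not an earlier stage: external image
            return image
        idx = ref                          # FROM <alias>: keep walking back


def single_stage_dockerfile(dockerfile: str, target: Optional[str] = None,
                            build_args: Optional[Dict[str, str]] = None) -> str:
    """One-FROM Dockerfile for the target, suitable for `snyk container test
    --file=` (workaround assumption: snyk reads --file only to find the base)."""
    base = resolve_base_image(parse_stages(dockerfile, build_args), target)
    return f"FROM {base}\n"


if __name__ == "__main__":
    # Reproduces the report: no target -> hello-world, as snyk attributed it.
    print("default :", resolve_base_image(parse_stages(ISSUE_DOCKERFILE)))
    print("python  :", resolve_base_image(parse_stages(ISSUE_DOCKERFILE), "python"))
    print(single_stage_dockerfile(SAMPLE_DOCKERFILE, "app"), end="")
```

Usage in a pipeline: write the output of `single_stage_dockerfile` to a temporary file and pass that path as `--file=` when testing the image built with the same `--target`, so the Dockerfile snyk sees has exactly one FROM, the shape the issue shows being attributed correctly.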

→ snyk --version
1.931.0 (standalone)

Same behaviour.

mkielar · May 17 '22 11:05