fix(misconf): disable DS016 check for image history analyzer (#7540)

Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
aquasecurity · Sep 30, 2024 · de40df9 · de40df9
1 parent efdb68d
commit de40df9
Show file tree

Hide file tree

Showing 3 changed files with 49 additions and 0 deletions.
diff --git a/pkg/fanal/analyzer/imgconf/dockerfile/dockerfile.go b/pkg/fanal/analyzer/imgconf/dockerfile/dockerfile.go
@@ -16,6 +16,10 @@ import (
  "github.com/aquasecurity/trivy/pkg/misconf"
 )
 
+var disabledChecks = []string{
+ "DS016", // See https://github.com/aquasecurity/trivy/issues/7368
+}
+
 const analyzerVersion = 1
 
 func init() {
@@ -27,6 +31,7 @@ type historyAnalyzer struct {
 }
 
 func newHistoryAnalyzer(opts analyzer.ConfigAnalyzerOptions) (analyzer.ConfigAnalyzer, error) {
+ opts.MisconfScannerOption.DisabledCheckIDs = append(opts.MisconfScannerOption.DisabledCheckIDs, disabledChecks...)
  s, err := misconf.NewScanner(detection.FileTypeDockerfile, opts.MisconfScannerOption)
  if err != nil {
  return nil, xerrors.Errorf("misconfiguration scanner error: %w", err)

diff --git a/pkg/fanal/analyzer/imgconf/dockerfile/dockerfile_test.go b/pkg/fanal/analyzer/imgconf/dockerfile/dockerfile_test.go
@@ -284,6 +284,47 @@ func Test_historyAnalyzer_Analyze(t *testing.T) {
  Config: nil,
  },
  },
+ {
+ name: "DS016 check not detected",
+ input: analyzer.ConfigAnalysisInput{
+ Config: &v1.ConfigFile{
+ Config: v1.Config{
+ Healthcheck: &v1.HealthConfig{
+ Test: []string{"CMD-SHELL", "curl --fail http://localhost:3000 || exit 1"},
+ Interval: time.Second * 10,
+ Timeout: time.Second * 3,
+ },
+ },
+ History: []v1.History{
+ {
+ // duplicate command from another layer
+ CreatedBy: `/bin/sh -c #(nop) CMD [\"/bin/bash\"]`,
+ EmptyLayer: true,
+ },
+ {
+ CreatedBy: "/bin/sh -c #(nop) ADD file:e4d600fc4c9c293efe360be7b30ee96579925d1b4634c94332e2ec73f7d8eca1 in /",
+ },
+ {
+ CreatedBy: `HEALTHCHECK &{["CMD-SHELL" "curl --fail http://localhost:3000 || exit 1"] "10s" "3s" "0s" '\x00'}`,
+ },
+ {
+ CreatedBy: `USER user`,
+ EmptyLayer: true,
+ },
+ {
+ CreatedBy: `/bin/sh -c #(nop) CMD [\"/bin/sh\"]`,
+ EmptyLayer: true,
+ },
+ },
+ },
+ },
+ want: &analyzer.ConfigAnalysisResult{
+ Misconfiguration: &types.Misconfiguration{
+ FileType: types.Dockerfile,
+ FilePath: "Dockerfile",
+ },
+ },
+ },
  }
  for _, tt := range tests {
  t.Run(tt.name, func(t *testing.T) {

diff --git a/pkg/misconf/scanner.go b/pkg/misconf/scanner.go
@@ -74,6 +74,8 @@ type ScannerOption struct {
 
  FilePatterns []string
  ConfigFileSchemas []*ConfigFileSchema
+
+ DisabledCheckIDs []string
 }
 
 func (o *ScannerOption) Sort() {
@@ -212,6 +214,7 @@ func scannerOptions(t detection.FileType, opt ScannerOption) ([]options.ScannerO
  rego.WithEmbeddedPolicies(!opt.DisableEmbeddedPolicies),
  rego.WithEmbeddedLibraries(!opt.DisableEmbeddedLibraries),
  options.ScannerWithIncludeDeprecatedChecks(opt.IncludeDeprecatedChecks),
+ rego.WithDisabledCheckIDs(opt.DisabledCheckIDs...),
  }
 
  policyFS, policyPaths, err := CreatePolicyFS(opt.PolicyPaths)