avd-ds-0025 only checks that the RUN instruction that has apk add also has --no-cache in there somewhere. It does not check that the flag is specifically being passed to apk add.
Desired Behavior
It should check which arguments are going to which commands.
Actual Behavior
It is too permissive and easily fooled.
Reproduction Steps
```dockerfile
FROM alpine:3.21
RUN apk upgrade --no-cache && apk add curl
```
```text
$ docker run --rm -it -v $PWD:$PWD:ro -w $PWD aquasec/trivy:0.58.2 config Dockerfile
2025-01-21T05:01:05Z INFO [misconfig] Misconfiguration scanning is enabled
2025-01-21T05:01:05Z INFO [misconfig] Need to update the built-in checks
2025-01-21T05:01:05Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [--------------------------------------------------------------------------------------------------------------------------] 100.00% 764.00 KiB p/s 400ms
2025-01-21T05:01:08Z INFO Detected config files num=1
```
Target: Filesystem
Scanner: Misconfiguration
Output Format: None
Mode: Standalone
Debug Output
```text
2025-01-21T05:01:52Z DEBUG No plugins loaded
2025-01-21T05:01:52Z DEBUG Default config file "file_path=trivy.yaml" not found, using built in values
2025-01-21T05:01:52Z DEBUG Cache dir dir="/root/.cache/trivy"
2025-01-21T05:01:52Z DEBUG Cache dir dir="/root/.cache/trivy"
2025-01-21T05:01:52Z DEBUG Parsed severities severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-01-21T05:01:52Z INFO [misconfig] Misconfiguration scanning is enabled
2025-01-21T05:01:52Z DEBUG [misconfig] Failed to open the check metadata err="open /root/.cache/trivy/policy/metadata.json: no such file or directory"
2025-01-21T05:01:52Z INFO [misconfig] Need to update the built-in checks
2025-01-21T05:01:52Z INFO [misconfig] Downloading the built-in checks...
2025-01-21T05:01:52Z DEBUG [misconfig] Loading check bundle repository="mirror.gcr.io/aquasec/trivy-checks:1"
160.80 KiB / 160.80 KiB [-----------------------------------------------------------------------------------------------------------------------------------] 100.00% ? p/s 100ms
2025-01-21T05:01:54Z DEBUG [misconfig] Digest of the built-in checks digest="sha256:f6901e03f486a48f47aa17a78d89d18e6c31ded82aff83ed19d0d73935a1a059"
2025-01-21T05:01:54Z DEBUG [misconfig] Checks successfully loaded from disk
2025-01-21T05:01:54Z DEBUG Enabling misconfiguration scanners scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2025-01-21T05:01:54Z DEBUG Initializing scan cache... type="memory"
2025-01-21T05:01:54Z DEBUG [misconfig] Scanning files for misconfigurations... scanner="Dockerfile"
2025-01-21T05:01:54Z DEBUG [rego] Overriding filesystem for checks
2025-01-21T05:01:54Z DEBUG [rego] Embedded libraries are loaded count=15
2025-01-21T05:01:54Z DEBUG [rego] Embedded checks are loaded count=511
2025-01-21T05:01:55Z DEBUG [rego] Checks from disk are loaded count=526
2025-01-21T05:01:55Z DEBUG [rego] Overriding filesystem for data
2025-01-21T05:01:55Z DEBUG [dockerfile scanner] Scanning files... count=1
2025-01-21T05:01:55Z DEBUG [rego] Scanning inputs count=1
2025-01-21T05:01:55Z DEBUG OS is not detected.
2025-01-21T05:01:55Z INFO Detected config files num=1
2025-01-21T05:01:55Z DEBUG Scanned config file file_path="Dockerfile"
2025-01-21T05:01:55Z DEBUG Found an ignore file file_path=".trivyignore"
2025-01-21T05:01:55Z DEBUG Ignored id="AVD-DS-0002" target="Dockerfile"
2025-01-21T05:01:55Z DEBUG Ignored id="AVD-DS-0026" target="Dockerfile"
2025-01-21T05:01:55Z DEBUG [vex] VEX filtering is disabled
```
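The per-command check the report asks for, as an added illustration that is not trivy's own code and not the Rego behind AVD-DS-0025: the RUN argument is split on the shell list and pipeline operators, and `--no-cache` is required on each `apk add` command rather than anywhere in the line. The shell splitting is a deliberate simplification (quoting is ignored) that is enough for plain `apk` invocations.

```go
package main

import (
	"regexp"
	"strings"
)

// Shell list/pipeline operators that separate commands inside one RUN.
var listOps = regexp.MustCompile(`\s*(\|\||&&|;|\||\n)\s*`)

// splitShellList splits a RUN argument into its individual commands.
// Simplification (not trivy's parser): quoting is ignored.
func splitShellList(run string) []string {
	run = strings.ReplaceAll(run, "\\\n", " ") // drop line continuations
	var cmds []string
	for _, c := range listOps.Split(run, -1) {
		if c = strings.TrimSpace(c); c != "" {
			cmds = append(cmds, c)
		}
	}
	return cmds
}

// isApkAdd reports whether the tokens form an `apk add` invocation; global
// options may precede the subcommand, as in `apk --no-cache add curl`.
func isApkAdd(tokens []string) bool {
	if len(tokens) == 0 || tokens[0] != "apk" {
		return false
	}
	for _, t := range tokens[1:] {
		if !strings.HasPrefix(t, "-") {
			return t == "add"
		}
	}
	return false
}

// ApkAddWithoutNoCache returns each `apk add` command in a RUN argument that
// does not itself carry --no-cache. Scoping the flag to the command is what
// makes `apk add curl` in the reproduction Dockerfile a finding.
func ApkAddWithoutNoCache(run string) []string {
	var findings []string
	for _, cmd := range splitShellList(run) {
		tokens := strings.Fields(cmd)
		if !isApkAdd(tokens) {
			continue
		}
		if !strings.Contains(" "+strings.Join(tokens, " ")+" ", " --no-cache ") {
			findings = append(findings, cmd)
		}
	}
	return findings
}
```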
Labels: kind/bug
Operating System: docker container
Version:
Checklist: trivy clean --all