Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(report): don't mark misconfig passed tests as failed in junit.tpl #5767

Merged
merged 1 commit into from
Dec 12, 2023

Conversation

DmitriyLewen
Copy link
Contributor

@DmitriyLewen DmitriyLewen commented Dec 8, 2023

Description

See #5766

Before:

<?xml version="1.0" ?>
<testsuites name="trivy">
    <testsuite tests="0" failures="0" name="Dockerfile" errors="0" skipped="0" time="">
        <properties>
            <property name="type" value="dockerfile"></property>
        </properties>
    </testsuite>
    <testsuite tests="26" failures="26" name="Dockerfile" errors="0" skipped="0" time="">
        <properties>
            <property name="type" value="dockerfile"></property>
        </properties>
        <testcase classname="Dockerfile Security Check" name="[MEDIUM] DS001" time="">
            <failure message="&#39;:latest&#39; tag used" type="description">When using a &#39;FROM&#39; statement you should use a specific tag to avoid uncontrolled behavior when the image is updated.</failure>
        </testcase>
        <testcase classname="Dockerfile Security Check" name="[HIGH] DS002" time="">
            <failure message="Image user should not be &#39;root&#39;" type="description">Running containers with &#39;root&#39; user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a &#39;USER&#39; statement to the Dockerfile.</failure>
        </testcase>
        <testcase classname="Dockerfile Security Check" name="[LOW] DS026" time="">
            <failure message="No HEALTHCHECK defined" type="description">You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.</failure>
        </testcase>
        <testcase classname="Dockerfile Security Check" name="[MEDIUM] DS004" time="">
            <failure message="Port 22 exposed" type="description">Exposing port 22 might allow users to SSH into the container.</failure>
        </testcase>
        <testcase classname="Dockerfile Security Check" name="[LOW] DS005" time="">
            <failure message="ADD instead of COPY" type="description">You should use COPY instead of ADD unless you want to extract a tar file. Note that an ADD command will extract a tar file, which adds the risk of Zip-based vulnerabilities. Accordingly, it is advised to use a COPY command, which does not extract tar files.</failure>
        </testcase>
        <testcase classname="Dockerfile Security Check" name="[CRITICAL] DS006" time="">
            <failure message="COPY &#39;--from&#39; referring to the current image" type="description">COPY &#39;--from&#39; should not mention the current FROM alias, since it is impossible to copy from itself.</failure>
        </testcase>
        <testcase classname="Dockerfile Security Check" name="[CRITICAL] DS007" time="">
            <failure message="Multiple ENTRYPOINT instructions listed" type="description">There can only be one ENTRYPOINT instruction in a Dockerfile. Only the last ENTRYPOINT instruction in the Dockerfile will have an effect.</failure>
        </testcase>
        <testcase classname="Dockerfile Security Check" name="[CRITICAL] DS008" time="">
            <failure message="Exposed port out of range" type="description">UNIX ports outside the range 0-65535 are exposed.</failure>
        </testcase>
        <testcase classname="Dockerfile Security Check" name="[HIGH] DS009" time="">
            <failure message="WORKDIR path not absolute" type="description">For clarity and reliability, you should always use absolute paths for your WORKDIR.</failure>
        </testcase>
        <testcase classname="Dockerfile Security Check" name="[CRITICAL] DS010" time="">
            <failure message="RUN using &#39;sudo&#39;" type="description">Avoid using &#39;RUN&#39; with &#39;sudo&#39; commands, as it can lead to unpredictable behavior.</failure>
        </testcase>
        <testcase classname="Dockerfile Security Check" name="[CRITICAL] DS011" time="">
            <failure message="COPY with more than two arguments not ending with slash" type="description">When a COPY command has more than two arguments, the last one should end with a slash.</failure>
        </testcase>
        <testcase classname="Dockerfile Security Check" name="[CRITICAL] DS012" time="">
            <failure message="Duplicate aliases defined in different FROMs" type="description">Different FROMs can&#39;t have the same alias defined.</failure>
        </testcase>
        <testcase classname="Dockerfile Security Check" name="[MEDIUM] DS013" time="">
            <failure message="&#39;RUN cd ...&#39; to change directory" type="description">Use WORKDIR instead of proliferating instructions like &#39;RUN cd … &amp;&amp; do-something&#39;, which are hard to read, troubleshoot, and maintain.</failure>
        </testcase>
        <testcase classname="Dockerfile Security Check" name="[LOW] DS014" time="">
            <failure message="RUN using &#39;wget&#39; and &#39;curl&#39;" type="description">Avoid using both &#39;wget&#39; and &#39;curl&#39; since these tools have the same effect.</failure>
        </testcase>
        <testcase classname="Dockerfile Security Check" name="[HIGH] DS015" time="">
            <failure message="&#39;yum clean all&#39; missing" type="description">You should use &#39;yum clean all&#39; after using a &#39;yum install&#39; command to clean package cached data and reduce image size.</failure>
        </testcase>
        <testcase classname="Dockerfile Security Check" name="[HIGH] DS016" time="">
            <failure message="Multiple CMD instructions listed" type="description">There can only be one CMD instruction in a Dockerfile. If you list more than one CMD then only the last CMD will take effect.</failure>
        </testcase>
        <testcase classname="Dockerfile Security Check" name="[HIGH] DS017" time="">
            <failure message="&#39;RUN &lt;package-manager&gt; update&#39; instruction alone" type="description">The instruction &#39;RUN &lt;package-manager&gt; update&#39; should always be followed by &#39;&lt;package-manager&gt; install&#39; in the same RUN statement.</failure>
        </testcase>
        <testcase classname="Dockerfile Security Check" name="[HIGH] DS019" time="">
            <failure message="&#39;dnf clean all&#39; missing" type="description">Cached package data should be cleaned after installation to reduce image size.</failure>
        </testcase>
        <testcase classname="Dockerfile Security Check" name="[HIGH] DS020" time="">
            <failure message="&#39;zypper clean&#39; missing" type="description">The layer and image size should be reduced by deleting unneeded caches after running zypper.</failure>
        </testcase>
        <testcase classname="Dockerfile Security Check" name="[HIGH] DS021" time="">
            <failure message="&#39;apt-get&#39; missing &#39;-y&#39; to avoid manual input" type="description">&#39;apt-get&#39; calls should use the flag &#39;-y&#39; to avoid manual user input.</failure>
        </testcase>
        <testcase classname="Dockerfile Security Check" name="[HIGH] DS022" time="">
            <failure message="Deprecated MAINTAINER used" type="description">MAINTAINER has been deprecated since Docker 1.13.0.</failure>
        </testcase>
        <testcase classname="Dockerfile Security Check" name="[MEDIUM] DS023" time="">
            <failure message="Multiple HEALTHCHECK defined" type="description">Providing more than one HEALTHCHECK instruction per stage is confusing and error-prone.</failure>
        </testcase>
        <testcase classname="Dockerfile Security Check" name="[HIGH] DS024" time="">
            <failure message="&#39;apt-get dist-upgrade&#39; used" type="description">&#39;apt-get dist-upgrade&#39; upgrades a major version so it doesn&#39;t make more sense in Dockerfile.</failure>
        </testcase>
        <testcase classname="Dockerfile Security Check" name="[HIGH] DS025" time="">
            <failure message="&#39;apk add&#39; is missing &#39;--no-cache&#39;" type="description">You should use &#39;apk add&#39; with &#39;--no-cache&#39; to clean package cached data and reduce image size.</failure>
        </testcase>
        <testcase classname="Dockerfile Security Check" name="[HIGH] DS027" time="">
            <failure message="&#39;microdnf clean all&#39; missing" type="description">Cached package data should be cleaned after installation to reduce image size.</failure>
        </testcase>
        <testcase classname="Dockerfile Security Check" name="[HIGH] DS029" time="">
            <failure message="&#39;apt-get&#39; missing &#39;--no-install-recommends&#39;" type="description">&#39;apt-get&#39; install should use &#39;--no-install-recommends&#39; to minimize image size.</failure>
        </testcase>
    </testsuite>
</testsuites>

After:

<?xml version="1.0" ?>
<testsuites name="trivy">
    <testsuite tests="0" failures="0" name="Dockerfile" errors="0" skipped="0" time="">
        <properties>
            <property name="type" value="dockerfile"></property>
        </properties>
    </testsuite>
    <testsuite tests="26" failures="3" name="Dockerfile" errors="0" skipped="0" time="">
        <properties>
            <property name="type" value="dockerfile"></property>
        </properties>
        <testcase classname="Dockerfile Security Check" name="[MEDIUM] DS001" time="">
            <failure message="&#39;:latest&#39; tag used" type="description">When using a &#39;FROM&#39; statement you should use a specific tag to avoid uncontrolled behavior when the image is updated.</failure>
        </testcase>
        <testcase classname="Dockerfile Security Check" name="[HIGH] DS002" time="">
            <failure message="Image user should not be &#39;root&#39;" type="description">Running containers with &#39;root&#39; user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a &#39;USER&#39; statement to the Dockerfile.</failure>
        </testcase>
        <testcase classname="Dockerfile Security Check" name="[LOW] DS026" time="">
            <failure message="No HEALTHCHECK defined" type="description">You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.</failure>
        </testcase>
        <testcase classname="Dockerfile Security Check" name="[MEDIUM] DS004" time="">
        </testcase>
        <testcase classname="Dockerfile Security Check" name="[LOW] DS005" time="">
        </testcase>
        <testcase classname="Dockerfile Security Check" name="[CRITICAL] DS006" time="">
        </testcase>
        <testcase classname="Dockerfile Security Check" name="[CRITICAL] DS007" time="">
        </testcase>
        <testcase classname="Dockerfile Security Check" name="[CRITICAL] DS008" time="">
        </testcase>
        <testcase classname="Dockerfile Security Check" name="[HIGH] DS009" time="">
        </testcase>
        <testcase classname="Dockerfile Security Check" name="[CRITICAL] DS010" time="">
        </testcase>
        <testcase classname="Dockerfile Security Check" name="[CRITICAL] DS011" time="">
        </testcase>
        <testcase classname="Dockerfile Security Check" name="[CRITICAL] DS012" time="">
        </testcase>
        <testcase classname="Dockerfile Security Check" name="[MEDIUM] DS013" time="">
        </testcase>
        <testcase classname="Dockerfile Security Check" name="[LOW] DS014" time="">
        </testcase>
        <testcase classname="Dockerfile Security Check" name="[HIGH] DS015" time="">
        </testcase>
        <testcase classname="Dockerfile Security Check" name="[HIGH] DS016" time="">
        </testcase>
        <testcase classname="Dockerfile Security Check" name="[HIGH] DS017" time="">
        </testcase>
        <testcase classname="Dockerfile Security Check" name="[HIGH] DS019" time="">
        </testcase>
        <testcase classname="Dockerfile Security Check" name="[HIGH] DS020" time="">
        </testcase>
        <testcase classname="Dockerfile Security Check" name="[HIGH] DS021" time="">
        </testcase>
        <testcase classname="Dockerfile Security Check" name="[HIGH] DS022" time="">
        </testcase>
        <testcase classname="Dockerfile Security Check" name="[MEDIUM] DS023" time="">
        </testcase>
        <testcase classname="Dockerfile Security Check" name="[HIGH] DS024" time="">
        </testcase>
        <testcase classname="Dockerfile Security Check" name="[HIGH] DS025" time="">
        </testcase>
        <testcase classname="Dockerfile Security Check" name="[HIGH] DS027" time="">
        </testcase>
        <testcase classname="Dockerfile Security Check" name="[HIGH] DS029" time="">
        </testcase>
    </testsuite>
</testsuites>

Related issues

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).

@DmitriyLewen DmitriyLewen self-assigned this Dec 8, 2023
@DmitriyLewen DmitriyLewen changed the title fix(template): don't mark passed tests as failed in junit.tpl fix(report): don't mark misconfig passed tests as failed in junit.tpl Dec 8, 2023
@DmitriyLewen
Copy link
Contributor Author

Hello @simar @nikpivkin

I have created a small update for misconfigs for junit.tpl.
If you have time, please take a look.

Thank you in advance!

@DmitriyLewen DmitriyLewen marked this pull request as ready for review December 8, 2023 08:26
Copy link
Contributor

@nikpivkin nikpivkin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Copy link
Member

@simar7 simar7 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nice, thank!

@jamesatribal
Copy link

Hi Dmitriy,

Thanks for looking into this and coming up with a solution so promptly.

Looks good to me, thanks!

Cheers,
James

@knqyf263 knqyf263 added this pull request to the merge queue Dec 12, 2023
Merged via the queue into main with commit be5a550 Dec 12, 2023
13 of 14 checks passed
@knqyf263 knqyf263 deleted the fix/junit-pass-tests branch December 12, 2023 12:51
@knqyf263 knqyf263 modified the milestone: v0.48.1 Dec 17, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Trivy JUnit template (@contrib/junit.tpl) does not consider pass results?
5 participants