
fix(checks): handle file: and multi: in AVD-DS-0011 #56

Merged
merged 1 commit into from
Feb 7, 2024

Conversation

candrews
Contributor

@candrews candrews commented Jan 17, 2024

The reverse engineered Dockerfile of an image doesn't exactly match
the original Dockerfile. For example, it doesn't have the original
source files names. Instead, it uses file:<hash> in:
COPY file:8b8864b3e02a33a579dc216fd51b28a6047bc8eeaa03045b258980fe0cf7fcb3 in /__cacert_entrypoint.sh

Such commands should not trigger AVD-DS-0011.
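As an added illustration (not code from trivy-checks or from this PR), a Python sketch of the AVD-DS-0011 condition as I understand it (a COPY/ADD with more than two arguments whose destination does not end in a slash; that reading of the check is my assumption, not stated above), with the reverse-engineered `file:`/`multi:` form excluded so the line quoted in the description no longer trips it:

```python
import json
import re
import shlex

# Reverse-engineered Dockerfiles (rebuilt from image history) replace the
# original source paths with a content hash, giving lines of the form
#   COPY file:<hex> in /dest       (single file)
#   COPY multi:<hex> in /dest/     (several files)
# The "in" token makes these look like three-argument COPY instructions.
HISTORY_SOURCE_RE = re.compile(r"^(file|multi):[0-9a-f]+$")


def parse_copy_args(instruction: str) -> list[str]:
    """Return the positional arguments of a COPY/ADD line.

    Flags such as --chown are dropped.  Both the shell form
    (COPY a b /dest/) and the JSON form (COPY ["a", "b", "/dest/"]) are accepted.
    """
    keyword, _, rest = instruction.strip().partition(" ")
    if keyword.upper() not in ("COPY", "ADD"):
        raise ValueError(f"not a COPY/ADD instruction: {instruction!r}")
    rest = re.sub(r"^(--\S+\s+)*", "", rest.strip())  # strip leading flags
    if rest.startswith("["):
        return list(json.loads(rest))
    return shlex.split(rest)


def is_history_form(args: list[str]) -> bool:
    """True for the `file:<hex> in <dest>` / `multi:<hex> in <dest>` shape."""
    return (len(args) == 3
            and HISTORY_SOURCE_RE.match(args[0]) is not None
            and args[1] == "in")


def violates_ds0011(instruction: str, skip_history_form: bool = True) -> bool:
    """Report the (assumed) AVD-DS-0011 condition: more than two arguments with
    a destination that does not end in '/'.  With skip_history_form=False the
    reverse-engineered form is flagged as well, reproducing the false positive
    described in the PR."""
    args = parse_copy_args(instruction)
    if skip_history_form and is_history_form(args):
        return False
    return len(args) > 2 and not args[-1].endswith("/")


if __name__ == "__main__":
    # The line quoted in the PR description, plus constructed samples.
    line = ("COPY file:8b8864b3e02a33a579dc216fd51b28a6047bc8eeaa03045b258980fe0cf7fcb3"
            " in /__cacert_entrypoint.sh")
    print("before fix:", violates_ds0011(line, skip_history_form=False))
    print("after fix: ", violates_ds0011(line))
    print("real case: ", violates_ds0011("COPY a.txt b.txt /opt"))
```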

@candrews candrews requested a review from simar7 as a code owner January 17, 2024 15:50
@candrews candrews marked this pull request as draft January 17, 2024 15:50
@candrews candrews changed the title from "fix: testing copy with file: arg" to "fix(checks): Handle ADD file: in in AVD-DS-0011" Jan 17, 2024
@candrews
Contributor Author

I've never used rego before and I'm having trouble grokking it and I'm very confident that the tests aren't actually running when I run make test so I doubt this works and I can't test it... but hopefully it's at least a good starting point and someone can help me complete it :)

@candrews candrews marked this pull request as ready for review January 17, 2024 17:07
@candrews candrews changed the title from "fix(checks): Handle ADD file: in in AVD-DS-0011" to "fix(checks): handle file: and multi: in AVD-DS-0011" Jan 17, 2024
@simar7
Member

simar7 commented Jan 19, 2024

I've never used rego before and I'm having trouble grokking it and I'm very confident that the tests aren't actually running when I run make test so I doubt this works and I can't test it... but hopefully it's at least a good starting point and someone can help me complete it :)

You are right, the tests are in the process of being brought over to this repo. We'll take a look at your PRs once we merge the tests in to ensure nothing breaks.

@candrews
Contributor Author

@simar7 can you please help me progress this MR?

I'm very eager to eliminate this false positive.

@simar7
Member

simar7 commented Feb 2, 2024

@nikpivkin could you take a look?

@nikpivkin
Contributor

Hi @candrews !

Can you make the same recommendations as in this comment on this PR?

The reverse engineered `Dockerfile` of an image doesn't exactly match
the original `Dockerfile`. For example, it doesn't have the original
source files names. Instead, it uses `file:<hash> in`:
`COPY file:8b8864b3e02a33a579dc216fd51b28a6047bc8eeaa03045b258980fe0cf7fcb3 in /__cacert_entrypoint.sh`

Such commands should not trigger AVD-DS-0011.
@candrews
Contributor Author

candrews commented Feb 6, 2024

Hi @candrews !

Can you make the same recommendations as in this comment on this PR?

Done!

Thank you very much for your help!

@simar7 simar7 merged commit 38c3895 into aquasecurity:main Feb 7, 2024
4 checks passed