Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

docs: add note about disabled DS016 check #7724

Merged
merged 2 commits into from
Oct 16, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions docs/docs/target/container_image.md
Original file line number Diff line number Diff line change
Expand Up @@ -154,6 +154,8 @@ See https://avd.aquasec.com/misconfig/ds026
!!! tip
You can see how each layer is created with `docker history`.

The [AVD-DS-0016](https://avd.aquasec.com/misconfig/dockerfile/general/avd-ds-0016/) check is disabled for this scan type, see [issue](https://github.com/aquasecurity/trivy/issues/7368) for details.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This text looks nondescript. I assume users will simply skip this information.
Maybe we want to highlight it in a note/warning or make a table with rules disabled?
@knqyf263 wdyt?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Making a table sounds like a good idea, but I'm not sure we'll add more disabled checks. A table might be too much just for a single check.
I think it's enough as we're showing the logs, but using tables or bullet points would also be good. I'll leave it to you two.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it's fine as is. We can revisit it if we have more disabled checks in the future.


### Secrets
Trivy detects secrets on the configuration of container images.
The image config is converted into JSON and Trivy scans the file for secrets.
Expand Down
9 changes: 6 additions & 3 deletions pkg/fanal/analyzer/imgconf/dockerfile/dockerfile.go
Original file line number Diff line number Diff line change
Expand Up @@ -16,8 +16,11 @@ import (
"github.com/aquasecurity/trivy/pkg/misconf"
)

var disabledChecks = []string{
"DS016", // See https://github.com/aquasecurity/trivy/issues/7368
var disabledChecks = []misconf.DisabledCheck{
{
ID: "DS016", Scanner: string(analyzer.TypeHistoryDockerfile),
Reason: "See https://github.com/aquasecurity/trivy/issues/7368",
},
}

const analyzerVersion = 1
Expand All @@ -31,7 +34,7 @@ type historyAnalyzer struct {
}

func newHistoryAnalyzer(opts analyzer.ConfigAnalyzerOptions) (analyzer.ConfigAnalyzer, error) {
opts.MisconfScannerOption.DisabledCheckIDs = append(opts.MisconfScannerOption.DisabledCheckIDs, disabledChecks...)
opts.MisconfScannerOption.DisabledChecks = append(opts.MisconfScannerOption.DisabledChecks, disabledChecks...)
s, err := misconf.NewScanner(detection.FileTypeDockerfile, opts.MisconfScannerOption)
if err != nil {
return nil, xerrors.Errorf("misconfiguration scanner error: %w", err)
Expand Down
25 changes: 19 additions & 6 deletions pkg/misconf/scanner.go
Original file line number Diff line number Diff line change
Expand Up @@ -50,6 +50,12 @@ var enablediacTypes = map[detection.FileType]types.ConfigType{
detection.FileTypeYAML: types.YAML,
}

type DisabledCheck struct {
ID string
Scanner string // For logging
Reason string // For logging
}

type ScannerOption struct {
Trace bool
RegoOnly bool
Expand All @@ -74,9 +80,9 @@ type ScannerOption struct {
FilePatterns []string
ConfigFileSchemas []*ConfigFileSchema

DisabledCheckIDs []string
SkipFiles []string
SkipDirs []string
DisabledChecks []DisabledCheck
SkipFiles []string
SkipDirs []string
}

func (o *ScannerOption) Sort() {
Expand Down Expand Up @@ -133,6 +139,7 @@ func NewScanner(t detection.FileType, opt ScannerOption) (*Scanner, error) {
}

func (s *Scanner) Scan(ctx context.Context, fsys fs.FS) ([]types.Misconfiguration, error) {
ctx = log.WithContextPrefix(ctx, log.PrefixMisconfiguration)
newfs, err := s.filterFS(fsys)
if err != nil {
return nil, xerrors.Errorf("fs filter error: %w", err)
Expand All @@ -141,12 +148,12 @@ func (s *Scanner) Scan(ctx context.Context, fsys fs.FS) ([]types.Misconfiguratio
return nil, nil
}

log.Debug("Scanning files for misconfigurations...", log.String("scanner", s.scanner.Name()))
log.DebugContext(ctx, "Scanning files for misconfigurations...", log.String("scanner", s.scanner.Name()))
results, err := s.scanner.ScanFS(ctx, newfs, ".")
if err != nil {
var invalidContentError *cfparser.InvalidContentError
if errors.As(err, &invalidContentError) {
log.Error("scan was broken with InvalidContentError", s.scanner.Name(), log.Err(err))
log.ErrorContext(ctx, "scan was broken with InvalidContentError", s.scanner.Name(), log.Err(err))
return nil, nil
}
return nil, xerrors.Errorf("scan config error: %w", err)
Expand Down Expand Up @@ -211,11 +218,17 @@ func (s *Scanner) filterFS(fsys fs.FS) (fs.FS, error) {
}

func scannerOptions(t detection.FileType, opt ScannerOption) ([]options.ScannerOption, error) {
disabledCheckIDs := lo.Map(opt.DisabledChecks, func(check DisabledCheck, _ int) string {
log.Info("Check disabled", log.Prefix(log.PrefixMisconfiguration), log.String("ID", check.ID),
log.String("scanner", check.Scanner), log.String("reason", check.Reason))
return check.ID
})

opts := []options.ScannerOption{
rego.WithEmbeddedPolicies(!opt.DisableEmbeddedPolicies),
rego.WithEmbeddedLibraries(!opt.DisableEmbeddedLibraries),
options.ScannerWithIncludeDeprecatedChecks(opt.IncludeDeprecatedChecks),
rego.WithDisabledCheckIDs(opt.DisabledCheckIDs...),
rego.WithDisabledCheckIDs(disabledCheckIDs...),
}

policyFS, policyPaths, err := CreatePolicyFS(opt.PolicyPaths)
Expand Down