This repository has been archived by the owner on Feb 16, 2022. It is now read-only.

DS018 ("alias is not defined in previous stages") triggered by COPY --from=external-image #146

Open
daliborfilus opened this issue Jan 26, 2022 · 0 comments


Description

The validation for https://avd.aquasec.com/appshield/ds018/ is invalid, since having a reference to an external image is valid and supported, see https://docs.docker.com/develop/develop-images/multistage-build/#use-an-external-image-as-a-stage

Trivy could check if the COPY --from= argument refers to an existing image and skip this check,
OR it could decrease the severity from HIGH to MEDIUM (or even lower),
OR it could just stop checking for this, if it's not possible to differentiate between references to regular images and build stages.

Buildah also supports references to external images "as stages" via this syntax.

What did you expect to happen?

I don't expect this Dockerfile to raise DS018:

FROM ubuntu:20.04
ENV JAVA_HOME=/opt/java/openjdk
COPY --from=eclipse-temurin:17-jdk-focal $JAVA_HOME $JAVA_HOME

but it does.

What happened instead?

Got the error DS018.

Output of run with -debug:

Dockerfile (dockerfile)
=======================
Tests: 17 (SUCCESSES: 15, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)
+---------------------------+------------+------------------------------------------+----------+------------------------------------------+
|           TYPE            | MISCONF ID |                  CHECK                   | SEVERITY |                 MESSAGE                  |
+---------------------------+------------+------------------------------------------+----------+------------------------------------------+
| Dockerfile Security Check |   DS002    | root user                                |   HIGH   | Last USER command in                     |
|                           |            |                                          |          | Dockerfile should not be 'root'          |
|                           |            |                                          |          | -->avd.aquasec.com/appshield/ds002       |
+                           +------------+------------------------------------------+          +------------------------------------------+
|                           |   DS018    | 'COPY --from' refers to alias not        |          | The alias                                |
|                           |            | defined previously                       |          | '--from=eclipse-temurin:17-jdk-focal'    |
|                           |            |                                          |          | is not defined in the previous stages    |
|                           |            |                                          |          | -->avd.aquasec.com/appshield/ds018       |
+---------------------------+------------+------------------------------------------+----------+------------------------------------------+

Output of trivy -v:

Version: 0.22.0

Additional details (base image name, container registry info...):

The output is from trivy docker image docker.io/aquasec/trivy:latest (sha256:c6f6e688)

@daliborfilus daliborfilus changed the title FS config scan MISCONF DS018 ("the alias is not defined in previous stages") is not valid when using COPY --from=external-image DS018 ("alias is not defined in previous stages") triggered by COPY --from=external-image Jan 26, 2022
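The distinction the issue asks for can be made statically: a stage alias must look like an identifier, while an image reference carries a registry path, tag or digest (`/`, `:` or `@`), which an alias never can. The following is an added example and is not Trivy's or the appshield policy's own code; it is a small Dockerfile parser that walks the stages in order and classifies each `COPY --from` target as an earlier stage alias, an earlier stage index, an external image reference, a build-time variable, or a genuinely undefined alias. Only the last category is what DS018 should report. The sample Dockerfile is constructed for this example (it extends the three lines from the report with a builder stage and extra COPY lines); the `ds018_candidates` name and the alias-shape heuristic are this example's own assumptions, not a documented Trivy API.

```python
"""Classify COPY --from targets in a Dockerfile (added example, not Trivy's code)."""
import re
from dataclasses import dataclass

# FROM [--platform=<p>] <image> [AS <alias>]
FROM_RE = re.compile(
    r"^FROM\s+(?:--platform=\S+\s+)?(?P<image>\S+)(?:\s+AS\s+(?P<alias>\S+))?\s*$",
    re.IGNORECASE,
)
# COPY [--chown=... --chmod=...] --from=<ref> <src>... <dst>
COPY_FROM_RE = re.compile(r"^COPY\s+(?:--\S+\s+)*?--from=(?P<ref>\S+)", re.IGNORECASE)
# Shape of a stage alias (assumption: identifier-like, no '/', ':' or '@').
# Anything else with those characters is a registry path, tag or digest.
ALIAS_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_.-]*$")


@dataclass
class Finding:
    line: int
    ref: str
    kind: str       # "stage", "index", "image", "variable" or "undefined"
    message: str


def logical_lines(text):
    """Yield (first_line_no, instruction) with backslash continuations joined, comments dropped."""
    out, buf, start = [], [], 0
    for no, raw in enumerate(text.splitlines(), 1):
        s = raw.strip()
        if not s or s.startswith("#"):
            continue
        if not buf:
            start = no
        if s.endswith("\\"):
            buf.append(s[:-1].rstrip())
            continue
        buf.append(s)
        out.append((start, " ".join(buf)))
        buf = []
    if buf:
        out.append((start, " ".join(buf)))
    return out


def check_copy_from(text):
    """Classify every COPY --from target relative to the stages seen so far."""
    findings = []
    stages = []     # one entry per FROM; position == stage index
    aliases = {}    # lower-cased alias -> stage index (stage names are case-insensitive)
    for no, line in logical_lines(text):
        m = FROM_RE.match(line)
        if m:
            alias = m.group("alias")
            stages.append(alias)
            if alias:
                aliases[alias.lower()] = len(stages) - 1
            continue
        m = COPY_FROM_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        current = len(stages) - 1
        if ref.isdigit():
            idx = int(ref)
            ok = idx < current      # only an earlier stage may be copied from
            findings.append(Finding(no, ref, "index" if ok else "undefined",
                                    f"stage index {idx} {'is' if ok else 'is not'} an earlier stage"))
        elif ref.lower() in aliases:
            ok = aliases[ref.lower()] < current
            findings.append(Finding(no, ref, "stage" if ok else "undefined",
                                    f"alias '{ref}' {'is' if ok else 'is not'} an earlier stage"))
        elif ref.startswith("$"):
            findings.append(Finding(no, ref, "variable",
                                    f"'{ref}' is resolved at build time; cannot classify statically"))
        elif not ALIAS_RE.match(ref):
            findings.append(Finding(no, ref, "image",
                                    f"'{ref}' is an image reference (registry path, tag or digest), not an alias"))
        else:
            findings.append(Finding(no, ref, "undefined",
                                    f"'{ref}' is neither an earlier stage alias nor an image reference"))
    return findings


def ds018_candidates(text):
    """What a corrected DS018 would report: only references that are truly undefined."""
    return [f for f in check_copy_from(text) if f.kind == "undefined"]


# Constructed sample: the reporter's Dockerfile extended with a builder stage.
SAMPLE = """\
FROM golang:1.17 AS builder
WORKDIR /src
RUN go build -o /out/app .

FROM ubuntu:20.04
ENV JAVA_HOME=/opt/java/openjdk
COPY --from=eclipse-temurin:17-jdk-focal $JAVA_HOME $JAVA_HOME
COPY --from=builder /out/app /usr/local/bin/app
COPY --from=0 /src/go.mod /tmp/go.mod
COPY --from=missing /x /y
"""

if __name__ == "__main__":
    for f in check_copy_from(SAMPLE):
        print(f"line {f.line}: [{f.kind}] {f.message}")
    print("DS018 should fire on lines:", [f.line for f in ds018_candidates(SAMPLE)])
```

Run against the sample, the `eclipse-temurin:17-jdk-focal` line is classified as an image reference and is not reported; only `--from=missing` remains as a DS018 candidate. The remaining blind spot is a bare name with no tag (for example `--from=busybox`), which is indistinguishable from an undefined alias without consulting a registry, so that case is the one where a lower severity, as the reporter suggests, is the honest choice.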