
FS config scan MISCONF DS018 ("the alias is not defined in previous stages") is not valid when using COPY --from=external-image #1621

Closed
daliborfilus opened this issue Jan 25, 2022 · 2 comments
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

@daliborfilus

Description

The validation for https://avd.aquasec.com/appshield/ds018/ is invalid, since having a reference to an external image is valid and supported, see https://docs.docker.com/develop/develop-images/multistage-build/#use-an-external-image-as-a-stage

Trivy could check if the COPY --from= argument refers to an existing image and skip this check,
OR it could decrease the severity from HIGH to MEDIUM (or even lower),
OR it could just stop checking for this, if it's not possible to differentiate between references to regular images and build stages.

Buildah also supports references to external images "as stages" via this syntax.

What did you expect to happen?

I don't expect this Dockerfile to raise DS018:

FROM ubuntu:20.04
ENV JAVA_HOME=/opt/java/openjdk
COPY --from=eclipse-temurin:17-jdk-focal $JAVA_HOME $JAVA_HOME

but it does.

What happened instead?

Got the error DS018.

Output of a run with -debug:

Dockerfile (dockerfile)
=======================
Tests: 17 (SUCCESSES: 15, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)
+---------------------------+------------+------------------------------------------+----------+------------------------------------------+
|           TYPE            | MISCONF ID |                  CHECK                   | SEVERITY |                 MESSAGE                  |
+---------------------------+------------+------------------------------------------+----------+------------------------------------------+
| Dockerfile Security Check |   DS002    | root user                                |   HIGH   | Last USER command in                     |
|                           |            |                                          |          | Dockerfile should not be 'root'          |
|                           |            |                                          |          | -->avd.aquasec.com/appshield/ds002       |
+                           +------------+------------------------------------------+          +------------------------------------------+
|                           |   DS018    | 'COPY --from' refers to alias not        |          | The alias                                |
|                           |            | defined previously                       |          | '--from=eclipse-temurin:17-jdk-focal'    |
|                           |            |                                          |          | is not defined in the previous stages    |
|                           |            |                                          |          | -->avd.aquasec.com/appshield/ds018       |
+---------------------------+------------+------------------------------------------+----------+------------------------------------------+

Output of trivy -v:

Version: 0.22.0

Additional details (base image name, container registry info...):

The output is from trivy docker image docker.io/aquasec/trivy:latest (sha256:c6f6e688)
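To show what the issue is asking for, here is an added example (not Trivy's or AppShield's own code) that walks a Dockerfile, tracks the aliases of completed stages, and classifies each `COPY --from=` value as a stage alias, a stage index, an external image reference, or a genuinely undefined alias. It assumes a purely syntactic heuristic (a tag, registry path or digest marks an image reference; no registry lookup), so a bare name such as `ubuntu` remains ambiguous, which is the limitation the report mentions. The second Dockerfile is a constructed sample.

```python
import re

# Constructed sample Dockerfiles: the first is the issue's, the second is made up.
DOCKERFILE_EXTERNAL = """\
FROM ubuntu:20.04
ENV JAVA_HOME=/opt/java/openjdk
COPY --from=eclipse-temurin:17-jdk-focal $JAVA_HOME $JAVA_HOME
"""
DOCKERFILE_MIXED = """\
FROM golang:1.17 AS builder
RUN go build -o /out/app .
FROM alpine:3.15
COPY --from=builder /out/app /app
COPY --from=0 /etc/ssl/certs /etc/ssl/certs
COPY --from=build /out/app /app2
"""

FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.I)
COPY_RE = re.compile(r"^\s*COPY\s+(?:--\S+\s+)*--from=(\S+)", re.I)


def classify_ref(ref, aliases, stage_index):
    """Classify one COPY --from value. Assumption: syntactic only, no registry lookup,
    so a bare name like 'ubuntu' cannot be told apart from an alias and is still reported."""
    if ref.lower() in aliases:
        return "stage-alias"
    if ref.isdigit() and int(ref) < stage_index:
        return "stage-index"
    if any(ch in ref for ch in ":/@"):  # tag, registry/namespace path, or digest
        return "external-image"         # valid per Docker docs; DS018 should not fire
    return "undefined-alias"            # DS018 is justified here


def check_copy_from(dockerfile):
    """Return [(line_no, ref, verdict)]; only aliases of completed stages count as 'previous'."""
    aliases, current_alias, stage_index, results = set(), None, -1, []
    for line_no, line in enumerate(dockerfile.splitlines(), start=1):
        m = FROM_RE.match(line)
        if m:
            if current_alias:
                aliases.add(current_alias)
            current_alias = (m.group(2) or "").lower() or None
            stage_index += 1
            continue
        m = COPY_RE.match(line)
        if m:
            results.append((line_no, m.group(1), classify_ref(m.group(1), aliases, stage_index)))
    return results


def ds018_findings(dockerfile):
    return [(n, r) for n, r, v in check_copy_from(dockerfile) if v == "undefined-alias"]
```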

@daliborfilus daliborfilus added the kind/bug Categorizes issue or PR as related to a bug. label Jan 25, 2022
@daliborfilus daliborfilus changed the title Docker DS018 () is invalid Docker DS018 ("the alias xyz is not defined in previous stages") is not valid when using COPY --from=some-external-image Jan 25, 2022
@daliborfilus daliborfilus changed the title Docker DS018 ("the alias xyz is not defined in previous stages") is not valid when using COPY --from=some-external-image FS config scan MISCONF DS018 ("the alias is not defined in previous stages") is not valid when using COPY --from=external-image Jan 25, 2022
@knqyf263
Collaborator

Thanks for raising an issue! Could you raise the issue in AppShield repository?

For suggestions or issues regarding policy content, please open an issue under AppShield, tfsec or cfsec repository.

https://aquasecurity.github.io/trivy/v0.22.0/misconfiguration/policy/builtin/

@daliborfilus
Author

No problem, created as aquasecurity/appshield#146.
