Originally posted by nE0sIghT April 18, 2024
IDs
ds017
Description
Hello!
Today the ds017 false positive started alerting in the apt-mirror2 project: https://gitlab.com/apt-mirror2/apt-mirror2/-/jobs/6651671307
There is an apt-get -y install immediately after apt-get update: https://gitlab.com/apt-mirror2/apt-mirror2/-/blob/master/.devcontainer/Dockerfile?ref_type=heads#L10
Reproduction Steps
I'm unsure; it looks something like this:
RUN \
    sed -i -e 's#Types: deb#Types: deb deb-src#' /etc/apt/sources.list.d/debian.sources ;\
    apt-get update ;\
    apt-get -y install \
        bash-completion \
        coreutils \
        git \
        git-gui \
        gitk \
        sudo \
    ;\
Target
Filesystem
Scanner
Misconfiguration
Target OS
No response
Debug Output
$ trivy fs . --debug
2024-04-17T18:27:01.731Z DEBUG Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2024-04-17T18:27:01.732Z WARN '--scanners config' is deprecated. Use '--scanners misconfig' instead. See https://github.com/aquasecurity/trivy/discussions/5586 for the detail.
2024-04-17T18:27:01.732Z DEBUG Ignore statuses {"statuses": null}
2024-04-17T18:27:01.739Z DEBUG cache dir: .trivy
2024-04-17T18:27:01.739Z DEBUG There is no valid metadata file: unable to open a file: open .trivy/db/metadata.json: no such file or directory
2024-04-17T18:27:01.739Z INFO Need to update DB
2024-04-17T18:27:01.739Z INFO DB Repository: ghcr.io/aquasecurity/trivy-db:2
2024-04-17T18:27:01.739Z INFO Downloading DB...
2024-04-17T18:27:01.739Z DEBUG no metadata file
45.08 MiB / 45.08 MiB [-------------------------------------------------] 100.00% 33.91 MiB p/s 1.5s
2024-04-17T18:27:03.508Z DEBUG Updating database metadata...
2024-04-17T18:27:03.508Z DEBUG DB Schema: 2, UpdatedAt: 2024-04-17 18:10:22.688774415 +0000 UTC, NextUpdate: 2024-04-18 00:10:22.688773955 +0000 UTC, DownloadedAt: 2024-04-17 18:27:03.508654817 +0000 UTC
2024-04-17T18:27:03.508Z INFO Vulnerability scanning is enabled
2024-04-17T18:27:03.509Z DEBUG Vulnerability type: [os library]
2024-04-17T18:27:03.509Z INFO Misconfiguration scanning is enabled
2024-04-17T18:27:03.509Z DEBUG Failed to open the policy metadata: open .trivy/policy/metadata.json: no such file or directory
2024-04-17T18:27:03.509Z INFO Need to update the built-in policies
2024-04-17T18:27:03.509Z INFO Downloading the built-in policies...
2024-04-17T18:27:03.509Z DEBUG Using URL: ghcr.io/aquasecurity/trivy-policies:0 to load policy bundle
50.41 KiB / 50.41 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-04-17T18:27:03.754Z DEBUG Digest of the built-in policies: sha256:aa1640957b796d93a0ffc5d91237ee6b7ed9467b8f1825279384d29f91b9e590
2024-04-17T18:27:03.755Z DEBUG Policies successfully loaded from disk
2024-04-17T18:27:03.755Z DEBUG Enabling misconfiguration scanners: [azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-04-17T18:27:03.757Z DEBUG The nuget packages directory couldn't be found. License search disabled
2024-04-17T18:27:03.773Z DEBUG Walk the file tree rooted at '.' in parallel
2024-04-17T18:27:03.781Z DEBUG Scanning Dockerfile files for misconfigurations...
2024-04-17T18:27:03.782Z DEBUG [misconf] 27:03.782145142 dockerfile.scanner.rego Overriding filesystem for policies!
2024-04-17T18:27:03.853Z DEBUG [misconf] 27:03.853425923 dockerfile.scanner.rego Loaded 194 policies from disk.
2024-04-17T18:27:03.854Z DEBUG [misconf] 27:03.854138346 dockerfile.scanner.rego Overriding filesystem for data!
2024-04-17T18:27:04.487Z DEBUG [misconf] 27:04.487903172 dockerfile.scanner.rego Scanning 2 inputs...
2024-04-17T18:27:04.602Z DEBUG OS is not detected.
2024-04-17T18:27:04.602Z DEBUG Detected OS: unknown
2024-04-17T18:27:04.602Z INFO Number of language-specific files: 1
2024-04-17T18:27:04.602Z INFO Detecting pip vulnerabilities...
2024-04-17T18:27:04.602Z DEBUG Detecting library vulnerabilities, type: pip, path: requirements.txt
2024-04-17T18:27:04.603Z INFO Detected config files: 2
2024-04-17T18:27:04.603Z DEBUG Scanned config file: Dockerfile
2024-04-17T18:27:04.603Z DEBUG Scanned config file: .devcontainer/Dockerfile
2024-04-17T18:27:04.605Z DEBUG Found an ignore file: .trivyignore
2024-04-17T18:27:04.605Z DEBUG Ignored {"id": "DS002", "path": ".devcontainer/Dockerfile"}
2024-04-17T18:27:04.605Z DEBUG Ignored {"id": "DS026", "path": ".devcontainer/Dockerfile"}
2024-04-17T18:27:04.605Z DEBUG Ignored {"id": "DS029", "path": ".devcontainer/Dockerfile"}
2024-04-17T18:27:04.605Z DEBUG Ignored {"id": "DS002", "path": "Dockerfile"}
2024-04-17T18:27:04.605Z DEBUG Ignored {"id": "DS026", "path": "Dockerfile"}
2024-04-17T18:27:04.605Z DEBUG Ignored {"id": "DS029", "path": "Dockerfile"}

.devcontainer/Dockerfile (dockerfile)
=====================================
Tests: 27 (SUCCESSES: 23, FAILURES: 1, EXCEPTIONS: 3)
Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

HIGH: The instruction 'RUN <package-manager> update' should always be followed by '<package-manager> install' in the same RUN statement.
════════════════════════════════════════
The instruction 'RUN <package-manager> update' should always be followed by '<package-manager> install' in the same RUN statement.

See https://avd.aquasec.com/misconfig/ds017
────────────────────────────────────────
 .devcontainer/Dockerfile:8-23
────────────────────────────────────────
   8 ┌ RUN \
   9 │ sed -i -e 's#Types: deb#Types: deb deb-src#' /etc/apt/sources.list.d/debian.sources ;\
  10 │ apt-get update ;\
  11 │ apt-get -y install \
  12 │ bash-completion \
  13 │ coreutils \
  14 │ git \
  15 │ git-gui \
  16 └ gitk \
  ..
────────────────────────────────────────

Dockerfile (dockerfile)
=======================
Tests: 27 (SUCCESSES: 24, FAILURES: 0, EXCEPTIONS: 3)
Failures: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

Version
$ trivy --version
Version: 0.50.1
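To make concrete what the ds017 rule in this report is checking, here is an added example (not Trivy's Rego policy and not code from apt-mirror2): a small Python checker that joins RUN continuation lines and treats ';'-chained commands the same as '&&'-chained ones, so the reporter's layout passes while a Dockerfile that splits update and install across two RUNs is flagged. The two Dockerfile samples are constructed for the example.

```python
"""Minimal DS017-style check (added example, not Trivy's own Rego policy): a
'<package-manager> update' in a RUN must be followed by an install in the same
RUN, whether the commands are chained with '&&' or, as in the report, with ';'."""
import re

# Constructed sample mirroring the reporter's layout (commands chained with ';\').
SAME_RUN = """\
FROM debian:bookworm
RUN \\
    sed -i -e 's#Types: deb#Types: deb deb-src#' /etc/apt/sources.list.d/debian.sources ;\\
    apt-get update ;\\
    apt-get -y install \\
        git
"""
# Constructed sample of the layout DS017 is meant to catch: update and install split.
SPLIT_RUN = "FROM debian:bookworm\nRUN apt-get update\nRUN apt-get -y install git\n"

PM = "|".join(("apt-get", "apt", "apk", "yum", "dnf", "zypper"))
UPDATE_RE = re.compile(r"\b(?:%s)\s+(?:-\S+\s+)*update\b" % PM)
INSTALL_RE = re.compile(r"\b(?:%s)\s+(?:-\S+\s+)*(?:install|add)\b" % PM)

def run_instructions(dockerfile: str) -> list[tuple[int, str]]:
    """(line number, shell command) per shell-form RUN, backslash continuations
    joined. Comment lines, exec-form RUN ["..."] and heredocs are not handled."""
    runs, buf, start = [], None, 0
    for lineno, raw in enumerate(dockerfile.splitlines(), 1):
        line = raw.strip()
        if buf is None and not re.match(r"RUN\b", line, re.I):
            continue                        # not inside a RUN and not starting one
        buf, start = (line[3:].strip(), lineno) if buf is None else (buf + " " + line, start)
        if buf.endswith("\\"):              # continuation: keep accumulating
            buf = buf[:-1]
            continue
        runs.append((start, buf))
        buf = None
    if buf is not None:                     # file ended inside a continuation
        runs.append((start, buf))
    return runs

def ds017_findings(dockerfile: str) -> list[int]:
    """Line numbers of RUN instructions that refresh package lists but never install."""
    findings = []
    for lineno, cmd in run_instructions(dockerfile):
        parts = re.split(r"&&|\|\||;|\|", cmd)   # simple commands in execution order
        upd = next((i for i, p in enumerate(parts) if UPDATE_RE.search(p)), None)
        if upd is not None and not any(INSTALL_RE.search(p) for p in parts[upd + 1:]):
            findings.append(lineno)
    return findings
```

Running ds017_findings over SAME_RUN returns no findings, while SPLIT_RUN reports line 2, the RUN that updates without installing.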
trivy: temporary disable ds017
f16224a
See-Also: aquasecurity/trivy#6516
trivy: temporary disable ds017
6867a66
Discussed in #6515