This repository has been archived by the owner on Feb 16, 2022. It is now read-only.

DS002 triggered in multistage build using single USER in the last stage #147

Open
daliborfilus opened this issue Jan 26, 2022 · 0 comments

Comments


daliborfilus commented Jan 26, 2022

I have multiple multi-stage Dockerfiles, where I use the root user in the first stages and then switch to a non-privileged user only in the final stage (i.e. where it matters, since all the previous stages are discarded/omitted from the final image).

FROM eclipse-temurin:17-jdk-focal AS parent

FROM ubuntu:focal AS build
USER root

ENV JAVA_HOME=/opt/java/openjdk
COPY --from=parent $JAVA_HOME $JAVA_HOME
ENV PATH="${JAVA_HOME}/bin:${PATH}"

RUN apt install ...
RUN run build
RUN [start postgres (requires root), run integration tests, stop postgres, cleanup...]

FROM eclipse-temurin:17-jdk-focal
RUN useradd -m -d /opt -s /bin/bash -g root myuser
RUN chown -R myuser /opt
USER myuser
COPY --from=build ....
CMD ["java", ...]

Trivy complains:

trivy --cache-dir .trivycache/ fs --exit-code 1 --no-progress --severity HIGH,CRITICAL --security-checks=vuln,config .
Dockerfile (dockerfile)
=======================
Tests: 17 (SUCCESSES: 16, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)
+---------------------------+------------+-----------+----------+------------------------------------------+
|           TYPE            | MISCONF ID |   CHECK   | SEVERITY |                 MESSAGE                  |
+---------------------------+------------+-----------+----------+------------------------------------------+
| Dockerfile Security Check |   DS002    | root user |   HIGH   | Last USER command in                     |
|                           |            |           |          | Dockerfile should not be 'root'          |
|                           |            |           |          | -->avd.aquasec.com/appshield/ds002       |
+---------------------------+------------+-----------+----------+------------------------------------------+

The same situation (although with a different message) repeats if I remove the USER root, so it's not a problem with that.
It seems to me that Trivy doesn't like the fact that I don't have USER xyz in the first stage, where I don't really need/want that.

The same situation also happens in one of my other Dockerfiles, where I have 3 stages. Does this mean I should have USER xyz in all stages? I don't really want to...

Is this a bug or is this expected behavior?

@daliborfilus daliborfilus changed the title Docker multistage build using single USER in the last stage produces MISCONF DS002 DS002 triggered in multistage build using single USER in the last stage Jan 26, 2022
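The behaviour the reporter expects, as an added example written for this page (not Trivy's or appshield's policy code): a small Python checker that splits a Dockerfile into its FROM stages and judges only the user the final stage ends with, because earlier stages are discarded from the shipped image. It assumes `USER root` and `USER 0` are the root spellings to flag, treats a final stage with no USER instruction as root (in reality it inherits the base image's configured user, which cannot be resolved offline), and uses a constructed Dockerfile with placeholder commands and paths in place of the ones elided in the issue.

```python
"""Per-stage effective-user check for a multi-stage Dockerfile.

Added example (not Trivy/appshield code): reports the user the FINAL stage
ends with, which is the only USER that survives into the built image.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample shaped like the issue's Dockerfile; commands and paths
# are placeholders chosen here, not the reporter's actual build steps.
SAMPLE_DOCKERFILE = """\
FROM eclipse-temurin:17-jdk-focal AS parent

FROM ubuntu:focal AS build
USER root
ENV JAVA_HOME=/opt/java/openjdk
COPY --from=parent $JAVA_HOME $JAVA_HOME
RUN apt-get update && \\
    apt-get install -y --no-install-recommends postgresql

FROM eclipse-temurin:17-jdk-focal
RUN useradd -m -d /opt -s /bin/bash -g root myuser
RUN chown -R myuser /opt
USER myuser
COPY --from=build /opt/app /opt/app
CMD ["java", "-jar", "/opt/app/app.jar"]
"""

# Assumption: these are the spellings of "root" the check flags.
ROOT_ALIASES = {"root", "0"}

FROM_RE = re.compile(r"(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?\s*$",
                     re.IGNORECASE)


@dataclass
class Stage:
    index: int
    base: str
    name: Optional[str]
    users: List[str] = field(default_factory=list)

    def final_user(self) -> Optional[str]:
        # None: no USER in this stage, so it inherits the base image's
        # configured user (assumed root here; cannot be resolved offline).
        return self.users[-1] if self.users else None

    def ends_as_root(self) -> bool:
        user = self.final_user()
        return user is None or user in ROOT_ALIASES


def parse_stages(text: str) -> List[Stage]:
    """Split a Dockerfile into stages; each FROM starts a fresh user context."""
    stages: List[Stage] = []
    # Fold backslash line continuations so each instruction is one line.
    text = re.sub(r"\\\s*\n", " ", text)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        instr = parts[0].upper()
        args = parts[1].strip() if len(parts) > 1 else ""
        if instr == "FROM":
            m = FROM_RE.match(args)
            if not m:
                raise ValueError(f"unparseable FROM: {line}")
            stages.append(Stage(len(stages), m.group(1), m.group(2)))
        elif instr == "USER":
            if not stages:
                raise ValueError("USER before any FROM")
            # "USER name:group" / "USER uid:gid" -> keep only the user part.
            stages[-1].users.append(args.split(":", 1)[0])
    return stages


def check_final_stage_user(text: str) -> Dict[str, object]:
    """Report whether the image runs as root, judged on the final stage only."""
    stages = parse_stages(text)
    if not stages:
        raise ValueError("no FROM instruction found")
    final = stages[-1]
    return {
        "stage_count": len(stages),
        "final_stage_user": final.final_user(),
        "runs_as_root": final.ends_as_root(),
        # Informational only: these stages never reach the shipped image.
        "root_build_stages": [s.name or f"stage-{s.index}"
                              for s in stages[:-1] if s.ends_as_root()],
    }


if __name__ == "__main__":
    print(check_final_stage_user(SAMPLE_DOCKERFILE))
```

Running it on the sample reports `final_stage_user: myuser`, `runs_as_root: False`, and lists `parent` and `build` as root-running build stages for information only; removing `USER root` from the build stage does not change the verdict, and deleting `USER myuser` from the last stage flips it to root. The checker does not expand `USER ${VAR}` through ARG/ENV and does not inspect the base image's own user configuration, so a final stage without USER is reported as root conservatively.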