Scanning ubuntu:22.04 failed

[dtfans]

I scanned ubuntu:22.04 and got

FATAL   - CIS-DI-0009: Use COPY instead of ADD in Dockerfile
        * Use COPY : /bin/sh -c #(nop) ADD file:18e71f049606f6339ce7a995839623f50e6ec6474bfd0a3a7ca799db726f47f6 in /

This problem does not occur in ubuntu:jammy-20221130, even though it also has a "ADD file ... in /" layer.

IMAGE          CREATED        CREATED BY                                      SIZE      COMMENT
6b7dfa7e8fdb   2 months ago   /bin/sh -c #(nop)  CMD ["bash"]                 0B
<missing>      2 months ago   /bin/sh -c #(nop) ADD file:481dd2da6de715252…   77.8MB

But there were some new layers added to the latest ubuntu:22.04 image build (a.k.a ubuntu:jammy-20230126),
then we got CIS-DI-0009 from dockle.

IMAGE          CREATED       CREATED BY                                      SIZE      COMMENT
58db3edaf2be   2 weeks ago   /bin/sh -c #(nop)  CMD ["/bin/bash"]            0B
<missing>      2 weeks ago   /bin/sh -c #(nop) ADD file:18e71f049606f6339…   77.8MB
<missing>      2 weeks ago   /bin/sh -c #(nop)  LABEL org.opencontainers.…   0B
<missing>      2 weeks ago   /bin/sh -c #(nop)  LABEL org.opencontainers.…   0B
<missing>      2 weeks ago   /bin/sh -c #(nop)  ARG LAUNCHPAD_BUILD_ARCH     0B
<missing>      2 weeks ago   /bin/sh -c #(nop)  ARG RELEASE                  0B

It looks like a false alarm to me, since those "ARG" and "LABEL" layers are unlikely cause security issues, aren't them?

[tomoyamachi]

@dtfans Thank you for the report.
You're right. Dockle only ignores ADD in the first line now.

dockle/pkg/assessor/manifest/manifest.go

Line 173 in 3fbe4cf

if index != 0 && useADDstatement(cmdSlices) {

I will fix it.

[loganmarchione]

Just had the same issue.

 FATAL	- CIS-DI-0009: Use COPY instead of ADD in Dockerfile
	* Use COPY : /bin/sh -c #(nop) ADD file:18e71f049606f6339ce7a995839623f50e6ec6474bfd0a3a7ca799db726f47f6 in / 

[lior-orca]

@tomoyamachi are you going to address it soon?

[lior-orca]

@tomoyamachi we can probably have a similar logic to trivy -
https://github.com/aquasecurity/trivy/blob/3987a679f9520259a1b1474e81704b8aedce2ef7/pkg/fanal/artifact/image/image.go#L496

[tomoyamachi]

@dtfans @lior-orca @loganmarchione
After considering the matter, I think the current logic is acceptable.
The reason for this is that current ubuntu image is not built in accordance with best practices.

Trivy has the same problem as dockle.
Below is the Dockerfile for Ubuntu.

FROM scratch
ADD @@TARBALL@@ /
CMD ["bash"]

We can see that after the base image(scratch), a tar file is added using the ADD command.
I think it is up to the users to decide whether or not this tar file can be trusted.

Dockle does not understand whether a container image is official or not, and it only evaluates based on whether the container image is built according to best practices.

[lior-orca]

@tomoyamachi what prevents us from "guessing" the base layer, similar to trivy, which will resolve the issue

Trivy has similar issues opened, and I'm sure they will handle it over time

[tomoyamachi]

@lior-orca I'm sorry. I was wrong.
This issue has been fixed in version 0.4.13.