This repository was archived by the owner on Feb 16, 2022. It is now read-only.

DS002 triggered in multistage build using single USER in the last stage #147

@daliborfilus

Description
I have multiple multi-stage Dockerfiles, where I use the root user in the first stages and then switch to a non-privileged user only in the final stage (i.e. where it matters, since all the previous stages are discarded/omitted from the final image).

FROM eclipse-temurin:17-jdk-focal AS parent

FROM ubuntu:focal AS build
USER root

ENV JAVA_HOME=/opt/java/openjdk
COPY --from=parent $JAVA_HOME $JAVA_HOME
ENV PATH="${JAVA_HOME}/bin:${PATH}"

RUN apt install ...
RUN run build
RUN [start postgres (requires root), run integration tests, stop postgres, cleanup...]

FROM eclipse-temurin:17-jdk-focal
RUN useradd -m -d /opt -s /bin/bash -g root myuser
RUN chown -R myuser /opt
USER myuser
COPY --from=build ....
CMD ["java", ...]

Trivy complains:

trivy --cache-dir .trivycache/ fs --exit-code 1 --no-progress --severity HIGH,CRITICAL --security-checks=vuln,config .
Dockerfile (dockerfile)
=======================
Tests: 17 (SUCCESSES: 16, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)
+---------------------------+------------+-----------+----------+------------------------------------------+
|           TYPE            | MISCONF ID |   CHECK   | SEVERITY |                 MESSAGE                  |
+---------------------------+------------+-----------+----------+------------------------------------------+
| Dockerfile Security Check |   DS002    | root user |   HIGH   | Last USER command in                     |
|                           |            |           |          | Dockerfile should not be 'root'          |
|                           |            |           |          | -->avd.aquasec.com/appshield/ds002       |
+---------------------------+------------+-----------+----------+------------------------------------------+

The same situation (although with different message) repeats if I remove the USER root, so it's not a problem with that.
It seems to me that Trivy doesn't like the fact that I don't have USER xyz in the first stage, where I don't really need/want that.

The same situation also happens in one of my other Dockerfiles, where I have 3 stages. Does this mean I should have USER xyz in all stages? I don't really want to...

Is this a bug or is this an expected behavior?
