fix(misconf): disable DS016 check for image history analyzer (#7540)

nikpivkin · web-flow · commit de40df9408d6 · 2024-09-30T04:50:53.000Z
Signed-off-by: nikpivkin &lt;nikita.pivkin@smartforce.io&gt;
diff --git a/pkg/fanal/analyzer/imgconf/dockerfile/dockerfile.go b/pkg/fanal/analyzer/imgconf/dockerfile/dockerfile.go
@@ -16,6 +16,10 @@ import (
 	"github.com/aquasecurity/trivy/pkg/misconf"
 )
 
+var disabledChecks = []string{
+	"DS016", // See https://github.com/aquasecurity/trivy/issues/7368
+}
+
 const analyzerVersion = 1
 
 func init() {
@@ -27,6 +31,7 @@ type historyAnalyzer struct {
 }
 
 func newHistoryAnalyzer(opts analyzer.ConfigAnalyzerOptions) (analyzer.ConfigAnalyzer, error) {
+	opts.MisconfScannerOption.DisabledCheckIDs = append(opts.MisconfScannerOption.DisabledCheckIDs, disabledChecks...)
 	s, err := misconf.NewScanner(detection.FileTypeDockerfile, opts.MisconfScannerOption)
 	if err != nil {
 		return nil, xerrors.Errorf("misconfiguration scanner error: %w", err)
diff --git a/pkg/fanal/analyzer/imgconf/dockerfile/dockerfile_test.go b/pkg/fanal/analyzer/imgconf/dockerfile/dockerfile_test.go
@@ -284,6 +284,47 @@ func Test_historyAnalyzer_Analyze(t *testing.T) {
 				Config: nil,
 			},
 		},
+		{
+			name: "DS016 check not detected",
+			input: analyzer.ConfigAnalysisInput{
+				Config: &v1.ConfigFile{
+					Config: v1.Config{
+						Healthcheck: &v1.HealthConfig{
+							Test:     []string{"CMD-SHELL", "curl --fail http://localhost:3000 || exit 1"},
+							Interval: time.Second * 10,
+							Timeout:  time.Second * 3,
+						},
+					},
+					History: []v1.History{
+						{
+							// duplicate command from another layer
+							CreatedBy:  `/bin/sh -c #(nop) CMD [\"/bin/bash\"]`,
+							EmptyLayer: true,
+						},
+						{
+							CreatedBy: "/bin/sh -c #(nop) ADD file:e4d600fc4c9c293efe360be7b30ee96579925d1b4634c94332e2ec73f7d8eca1 in /",
+						},
+						{
+							CreatedBy: `HEALTHCHECK &{["CMD-SHELL" "curl --fail http://localhost:3000 || exit 1"] "10s" "3s" "0s" '\x00'}`,
+						},
+						{
+							CreatedBy:  `USER user`,
+							EmptyLayer: true,
+						},
+						{
+							CreatedBy:  `/bin/sh -c #(nop)  CMD [\"/bin/sh\"]`,
+							EmptyLayer: true,
+						},
+					},
+				},
+			},
+			want: &analyzer.ConfigAnalysisResult{
+				Misconfiguration: &types.Misconfiguration{
+					FileType: types.Dockerfile,
+					FilePath: "Dockerfile",
+				},
+			},
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
diff --git a/pkg/misconf/scanner.go b/pkg/misconf/scanner.go
@@ -74,6 +74,8 @@ type ScannerOption struct {
 
 	FilePatterns      []string
 	ConfigFileSchemas []*ConfigFileSchema
+
+	DisabledCheckIDs []string
 }
 
 func (o *ScannerOption) Sort() {
@@ -212,6 +214,7 @@ func scannerOptions(t detection.FileType, opt ScannerOption) ([]options.ScannerO
 		rego.WithEmbeddedPolicies(!opt.DisableEmbeddedPolicies),
 		rego.WithEmbeddedLibraries(!opt.DisableEmbeddedLibraries),
 		options.ScannerWithIncludeDeprecatedChecks(opt.IncludeDeprecatedChecks),
+		rego.WithDisabledCheckIDs(opt.DisabledCheckIDs...),
 	}
 
 	policyFS, policyPaths, err := CreatePolicyFS(opt.PolicyPaths)

Original file line number	Diff line number	Diff line change
`@@ -74,6 +74,8 @@ type ScannerOption struct {`
`74`	`74`
`75`	`75`	`FilePatterns []string`
`76`	`76`	`ConfigFileSchemas []*ConfigFileSchema`
	`77`	`+`
	`78`	`+ DisabledCheckIDs []string`
`77`	`79`	`}`
`78`	`80`
`79`	`81`	`func (o *ScannerOption) Sort() {`
`@@ -212,6 +214,7 @@ func scannerOptions(t detection.FileType, opt ScannerOption) ([]options.ScannerO`
`212`	`214`	`rego.WithEmbeddedPolicies(!opt.DisableEmbeddedPolicies),`
`213`	`215`	`rego.WithEmbeddedLibraries(!opt.DisableEmbeddedLibraries),`
`214`	`216`	`options.ScannerWithIncludeDeprecatedChecks(opt.IncludeDeprecatedChecks),`
	`217`	`+ rego.WithDisabledCheckIDs(opt.DisabledCheckIDs...),`
`215`	`218`	`}`
`216`	`219`
`217`	`220`	`policyFS, policyPaths, err := CreatePolicyFS(opt.PolicyPaths)`