
bug(chown): chown flag is checked for non-executable files #7157

Open
korhojoa opened this issue Jun 26, 2024 · 0 comments
Labels
bug Something isn't working community Community contribution docker Docker query dockerfile query New query feature

Comments

@korhojoa

Expected Behavior

Preferred: No rule hit
Alternatively: a message that's appropriate.

Actual Behavior

https://github.com/jenkinsci/docker/blob/217e7c7264738531d869fb8991b8211dc976c785/README.md
Consider the dockerfile content on this page:

FROM jenkins/jenkins:lts-jdk17
COPY --chown=jenkins:jenkins plugins.txt /usr/share/jenkins/ref/plugins.txt
RUN jenkins-plugin-cli -f /usr/share/jenkins/ref/plugins.txt

At no point are executable files copied, but the message states (confusingly) that executables need not be owned by others than root.
"It is considered a best practice for every executable in a container to be owned by the root user even if it is executed by a non-root user, only execution permissions are required on the file, not ownership"

https://github.com/Checkmarx/kics/blob/ce3cbd0c18ef09ad6ad17e34d0e83e6eba47b470/assets/queries/dockerfile/chown_flag_exists/query.rego

Having --chown in a dockerfile doesn't mean that something is an executable. The link to docker's documentation doesn't seem to have any elaboration on the matter.

Steps to Reproduce the Problem

(Command line arguments and flags used)

  1. Have --chown in a dockerfile
  2. kics scan --path .
  3. see incorrect conclusions represented

Specifications

(N/A if not applicable)

  • Version: 2.0.1
  • Platform: x86_64
  • Subsystem: N/A
@korhojoa korhojoa added bug Something isn't working community Community contribution labels Jun 26, 2024
@github-actions github-actions bot added query New query feature docker Docker query dockerfile labels Jun 26, 2024
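One way to make a chown check less noisy, as an added example that is not part of this issue or of the KICS query it links: a Python script that parses COPY/ADD instructions, keeps only those with a non-root --chown, and reports them only when the copied source is executable in the build context or is made executable by a --chmod flag. The sample Dockerfile and build context are constructed for the example; the COPY --chmod and ADD lines are assumptions added here and do not come from the issue.

```python
import os
import re
import shlex
import stat
import tempfile

# Constructed sample Dockerfile: the first three lines mirror the snippet quoted
# in the issue; the --chmod and ADD lines are assumptions added for this example.
SAMPLE_DOCKERFILE = """\
FROM jenkins/jenkins:lts-jdk17
COPY --chown=jenkins:jenkins plugins.txt /usr/share/jenkins/ref/plugins.txt
RUN jenkins-plugin-cli -f /usr/share/jenkins/ref/plugins.txt
COPY --chown=jenkins:jenkins --chmod=755 entrypoint.sh /usr/local/bin/entrypoint.sh
ADD --chown=app:app tool /usr/local/bin/tool
"""

COPY_RE = re.compile(r"^\s*(COPY|ADD)\s+(.*)$", re.IGNORECASE)


def parse_copy_instructions(dockerfile_text):
    """Extract COPY/ADD instructions with their flags, sources and destination.

    Only the shell form (space-separated paths) is handled; the JSON array
    form ["src", "dst"] is skipped, which is enough for this example.
    """
    instructions = []
    text = dockerfile_text.replace("\\\n", " ")  # join line continuations
    for line in text.splitlines():
        match = COPY_RE.match(line)
        if not match:
            continue
        tokens = shlex.split(match.group(2))
        flags, paths = {}, []
        for tok in tokens:
            if tok.startswith("--") and not paths:  # flags precede the paths
                key, _, value = tok[2:].partition("=")
                flags[key] = value
            else:
                paths.append(tok)
        if len(paths) < 2 or paths[0].startswith("["):
            continue
        instructions.append({
            "instruction": match.group(1).upper(),
            "chown": flags.get("chown"),
            "chmod": flags.get("chmod"),
            "sources": paths[:-1],
            "dest": paths[-1],
        })
    return instructions


def chmod_grants_exec(chmod_value):
    """True when a --chmod value (octal, e.g. 755) sets any execute bit."""
    if not chmod_value:
        return False
    try:
        return bool(int(chmod_value, 8) & 0o111)
    except ValueError:
        return False


def source_is_executable(context_dir, source):
    """True when the source file in the build context has any execute bit set."""
    path = os.path.join(context_dir, source)
    if not os.path.isfile(path):
        return False
    return bool(os.stat(path).st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))


def find_non_root_owned_executables(dockerfile_text, context_dir):
    """Report COPY/ADD --chown instructions whose copied files are executable and
    owned by a user other than root. Plain data files such as plugins.txt are
    not reported, which is the behaviour the issue asks for."""
    findings = []
    for instr in parse_copy_instructions(dockerfile_text):
        if not instr["chown"]:
            continue
        owner = instr["chown"].split(":", 1)[0]
        if owner in ("root", "0"):
            continue
        executable = [
            src for src in instr["sources"]
            if chmod_grants_exec(instr["chmod"]) or source_is_executable(context_dir, src)
        ]
        if executable:
            findings.append({
                "instruction": instr["instruction"],
                "owner": owner,
                "sources": executable,
                "dest": instr["dest"],
            })
    return findings


def build_sample_context():
    """Constructed build context matching SAMPLE_DOCKERFILE: a data file (0644),
    a script that only becomes executable via --chmod (0644), and a binary (0755)."""
    context = tempfile.mkdtemp(prefix="chown-example-")
    for name, mode in (("plugins.txt", 0o644), ("entrypoint.sh", 0o644), ("tool", 0o755)):
        path = os.path.join(context, name)
        with open(path, "w") as fh:
            fh.write("placeholder\n")
        os.chmod(path, mode)
    return context


if __name__ == "__main__":
    ctx = build_sample_context()
    for finding in find_non_root_owned_executables(SAMPLE_DOCKERFILE, ctx):
        print(f"{finding['instruction']} --chown={finding['owner']} copies executable "
              f"{finding['sources']} to {finding['dest']}")
```

Against a real project, call `find_non_root_owned_executables(open("Dockerfile").read(), ".")` from the build context root. The design point is that a rule which sees only the Dockerfile text cannot tell a data file from an executable; it needs either the build context's file modes or an explicit `--chmod` flag as input before it can justify the "executables should be owned by root" message quoted in the issue.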