goodwithtech / dockle Goto Github PK
View Code? Open in Web Editor NEWContainer Image Linter for Security, Helping build the Best-Practice Docker Image, Easy to start
Home Page: https://containers.goodwith.tech/
License: Apache License 2.0
Container Image Linter for Security, Helping build the Best-Practice Docker Image, Easy to start
Home Page: https://containers.goodwith.tech/
License: Apache License 2.0
I'm not familiar with English.
So I wanna fix incorrect phrases at README and messages.
Please PR me😄
Description
Exit-code should support an error level as well as exit code.
If exit-code is set to 1, it should have a level that will exit 1 on. Currently Info will exit 1 if exit-code is set, Ideally you could set the level so if i want WARN or greater then I would set --exit-code=1 --exit-level=warn, or if i only wanted to exit on fatal, exit-level would be set to fatal.
You currently host an image for dockle
on Docker Hub. It would be nice if you also hosted it on GitHub Container Registry. I want to use dockle
inside a GitHub Actions pipeline, and it will be faster to download the container image if the image is hosted on GitHub in the first place.
As homebrew now supports Linux environment, it'd be better to distribute linux bin on brew as well ._.
Description
Running a Dockle scan on a simple SCRATCH image reports a CVE for Alpine
What did you expect to happen?
Expected successful run without issue being reported
What happened instead?
FATAL - DKL-LI-0001: Avoid empty password
Output of run with -debug
:
2019-11-21T13:57:11.033-0700 DEBUG There is no .dockleignore file
2019-11-21T13:57:11.034-0700 DEBUG Fetch latest version from github
2019-11-21T13:57:11.219-0700 DEBUG Start assessments...
2019-11-21T13:57:11.225-0700 DEBUG Start scan : password files
2019-11-21T13:57:11.225-0700 DEBUG Start scan : /etc/passwd
2019-11-21T13:57:11.225-0700 DEBUG Start scan : /etc/group
2019-11-21T13:57:11.225-0700 DEBUG Start scan : /etc/hosts
2019-11-21T13:57:11.225-0700 DEBUG Start scan : credential files
2019-11-21T13:57:11.225-0700 DEBUG Scan start : config file
2019-11-21T13:57:11.226-0700 DEBUG Scan start : DOCKER_CONTENT_TRUST
2019-11-21T13:57:11.226-0700 DEBUG Start scan : cache files
2019-11-21T13:57:11.226-0700 DEBUG End assessments...
FATAL - DKL-LI-0001: Avoid empty password
*
INFO - CIS-DI-0005: Enable Content trust for Docker
* export DOCKER_CONTENT_TRUST=1 before docker pull/build
Output of dockle -v
:
dockle version 0.2.3
Additional details (base image name, container registry info...):
Dockerfile:
FROM scratch
COPY etc/ /etc/
USER myuser
HEALTHCHECK NONE
etc/group:
nogroup:x:65534:myuser
etc/passwd:
myuser:x:65534:65534::/dev/null:/bin/false
Description
FATAL - CIS-DI-0009: Use COPY instead of ADD in Dockerfile
* Use COPY : ADD https://github.com/jwilder/docker-gen/releases/download/0.7.4/docker-gen-linux-amd64-0.7.4.tar.gz /tmp/
* Use COPY : ADD https://github.com/just-containers/s6-overlay/releases/download/v1.22.1.0/s6-overlay-amd64.tar.gz /tmp/
* Use COPY : ADD https://raw.githubusercontent.com/diafygi/acme-tiny/5350420d35177eda733d85096433a24e55f8d00e/acme_tiny.py /bin/acme_tiny
This case ADD must be used.
What did you expect to happen?
What happened instead?
Output of run with -debug
:
(paste your output here)
Output of dockle -v
:
(paste your output here)
Additional details (base image name, container registry info...):
One of my personal pet-peeves is images using FROM ubuntu
, since this image usually contains far more than its dependant could even think to use and seriously clogs up /var
in disk-size restrained environments.
While this is hard to detect when included transitively, and of course not always a mistake, I'd argue that it is bad practice to use large dependency images when not necessary. This is easily overlooked, especially by newcomers. Many base images even support alpine
tags that should almost always be used, but are rarely the default.
This is also in line with some of the other suggested lints, which suggest installing only "necessary" packages, a rule that is almost always broken simply by depending on the ubuntu image.
Maybe it would be feasible to detect when a base image is larger than, say, 100MB, possibly by checking with a registry/local docker daemon/podman at run time?
In the Docker Best practices document, I could not find any instructions about HEALTHCHECK
.
I understand how it works and I know it is useful in some ways, but I don't think it is "essential".
I think WARNING would be good instead of FATAL.
In what point did you define the classification? :)
Description
After upgrading from v0.2.4
to v0.3.1
we recieve a FATAL error when running dockle.
What did you expect to happen?
I expected dockle to work as it currently does with v0.2.4.
What happened instead?
I recieved the following error:
circleci@c22b8c7913dd:~$ dockle $REDACTED
2020-08-17T12:33:56.018Z FATAL unable to initialize a image struct: failed to initialize source: Error reading manifest latest in docker.io/library/$REDACTED: errors:
denied: requested access to the resource is denied
unauthorized: authentication required
Output of run with -debug
:
circleci@c22b8c7913dd:~$ dockle -debug $REDACTED
2020-08-17T12:46:28.803Z DEBUG There is no .dockleignore file
2020-08-17T12:46:28.803Z DEBUG Fetch latest version from github
2020-08-17T12:46:33.872Z DEBUG Start assessments...
2020-08-17T12:46:33.917Z FATAL unable to initialize a image struct:
github.com/goodwithtech/deckoder/extractor/docker.newDockerExtractor
/go/pkg/mod/github.com/goodwithtech/[email protected]/extractor/docker/docker.go:73
- failed to initialize source:
github.com/goodwithtech/deckoder/extractor/image.NewImage
/go/pkg/mod/github.com/goodwithtech/[email protected]/extractor/image/image.go:86
- errors:
denied: requested access to the resource is denied
unauthorized: authentication required
Error reading manifest latest in docker.io/library/$REDACTED
github.com/containers/image/v5/docker.(*dockerImageSource).fetchManifest
/go/pkg/mod/github.com/containers/image/[email protected]/docker/docker_image_src.go:157
github.com/containers/image/v5/docker.(*dockerImageSource).ensureManifestIsLoaded
/go/pkg/mod/github.com/containers/image/[email protected]/docker/docker_image_src.go:183
github.com/containers/image/v5/docker.newImageSource
/go/pkg/mod/github.com/containers/image/[email protected]/docker/docker_image_src.go:87
github.com/containers/image/v5/docker.dockerReference.NewImageSource
/go/pkg/mod/github.com/containers/image/[email protected]/docker/docker_transport.go:144
github.com/goodwithtech/deckoder/extractor/image.newSource
/go/pkg/mod/github.com/goodwithtech/[email protected]/extractor/image/image.go:109
github.com/goodwithtech/deckoder/extractor/image.NewImage
/go/pkg/mod/github.com/goodwithtech/[email protected]/extractor/image/image.go:84
github.com/goodwithtech/deckoder/extractor/docker.newDockerExtractor
/go/pkg/mod/github.com/goodwithtech/[email protected]/extractor/docker/docker.go:71
github.com/goodwithtech/deckoder/extractor/docker.NewDockerExtractor
/go/pkg/mod/github.com/goodwithtech/[email protected]/extractor/docker/docker.go:57
github.com/goodwithtech/dockle/pkg/scanner.ScanImage
/go/src/github.com/goodwithtech/dockle/pkg/scanner/scan.go:30
github.com/goodwithtech/dockle/pkg.Run
/go/src/github.com/goodwithtech/dockle/pkg/run.go:71
github.com/urfave/cli.HandleAction
/go/pkg/mod/github.com/urfave/[email protected]/app.go:523
github.com/urfave/cli.(*App).Run
/go/pkg/mod/github.com/urfave/[email protected]/app.go:285
main.main
/go/src/github.com/goodwithtech/dockle/cmd/dockle/main.go:107
runtime.main
/usr/local/go/src/runtime/proc.go:203
runtime.goexit
/usr/local/go/src/runtime/asm_amd64.s:1357
circleci@c22b8c7913dd:~$
Output of dockle -v
:
dockle version 0.3.1
Additional details (base image name, container registry info...):
I redacted the name of our built container, the container is built on the local instance and visable when running docker images
. The container is pushed to Amazons ECR but this only happens after Dockle is run.
We don't have any issues running Dockle against other images on the same instance, it runs find against an official redis container.
If you need any additional info or want me to test something please let me know.
Description
It says Do not use update instructions such as apt-get update alone or in a single line in the Dockerfile.
but in fact there's no such an option for apt-get command.
# apt-get update --no-cache
E: Command line option --no-cache is not understood in combination with the other options
Maybe you're talking about apk command for Alpine?
What did you expect to happen?
What happened instead?
Output of run with -debug
:
(paste your output here)
Output of guard -v
:
(paste your output here)
Additional details (base image name, container registry info...):
Allocating a remote Docker Engine
Specified using docker layer caching, but build has not been whitelisted.
Contact CircleCI to be whitelisted
Assigned Docker Engine request id: 1234567
provisioning: ......
Remote Docker engine created. Using VM 'default-UUID'
Created container accessible with:
DOCKER_CERT_PATH=/tmp/docker-certs1234567
DOCKER_HOST=tcp://<IP>:2376
DOCKER_MACHINE_NAME=1234567
DOCKER_TLS_VERIFY=1
NO_PROXY=127.0.0.1,localhost,circleci-internal-outer-build-agent,<IP>:2376
Please, not only support UNIX sockets but do support TCP as well.
TL;DR
On macOS, when dockle
command is called inside a shell script, the scan fails as below, but running the same command directly in the terminal dockle
analyzes perfectly.
FATAL failed scan <my_image>:<my_tag>: %!w(<nil>):
Description
I have a simple shell script such as below, which builds the docker image then calls dockle
to analyze it. (The Docker container simply echoes "Hello World")
#!/bin/sh
# - Script Name: build.sh
export DOCKER_CONTENT_TRUST=1 && \
docker build --no-cache -t my_image:my_test . && \
dockle --debug --clear-cache my_image:my_test
The above shell script fails in the last line which dockle
is called. But running the last command directly like below, it works.
$ dockle --debug --clear-cache my_image:my_test
What did you expect to happen?
What happened instead?
dockle
is called inside the shell script.Output of run with -debug
:
2019-06-13T12:05:39.979+0900 DEBUG Fetch latest version from github
2019-06-13T12:05:41.007+0900 WARN A new version v0.1.1 is now available! You have v0.0.18.
2019-06-13T12:05:41.007+0900 INFO Removing image caches...
2019-06-13T12:05:41.008+0900 DEBUG Start assessments...
2019-06-13T12:05:41.233+0900 DEBUG Start scan : password files
2019-06-13T12:05:41.233+0900 DEBUG Start scan : /etc/passwd
2019-06-13T12:05:41.233+0900 DEBUG Start scan : /etc/group
2019-06-13T12:05:41.233+0900 DEBUG Start scan : /etc/hosts
2019-06-13T12:05:41.233+0900 DEBUG Start scan : credential files
2019-06-13T12:05:41.233+0900 DEBUG Scan start : config file
2019-06-13T12:05:41.233+0900 DEBUG Scan start : DOCKER_CONTENT_TRUST
2019-06-13T12:05:41.234+0900 FATAL failed scan my_image:my_test: %!w(<nil>):
github.com/goodwithtech/dockle/pkg/scanner.ScanImage
/go/src/github.com/goodwithtech/dockle/pkg/scanner/scan.go:53
Output of guard -v
:
How to produce the error:
Additional details (base image name, container registry info...):
It seems that assessor.GetAssessments()
is not returning the assessments
right when the image_name
was given in the shell script.
/bin/sh --version
: GNU bash, version 3.2.57(1)-release (x86_64-apple-darwin18)$ ./build.sh
Sending build context to Docker daemon 76.8kB
Step 1/6 : FROM alpine@sha256:769fddc7cc2f0a1c35abb2f91432e8beecf83916c421420e6a6da9f8975464b6
---> 055936d39205
Step 2/6 : COPY src /app
---> 886b6c29e463
Step 3/6 : RUN addgroup appgroup && adduser -S dockle appgroup
---> Running in edea519fb364
Removing intermediate container edea519fb364
---> 1f08283aea47
Step 4/6 : HEALTHCHECK --interval=1h --timeout=15s --start-period=5s --retries=2 CMD [ "/app/healthcheck.sh" ]
---> Running in 584193c4ada6
Removing intermediate container 584193c4ada6
---> 76975fea7a9a
Step 5/6 : CMD [ "/app/hello-world.sh" ]
---> Running in d6ee59afa44a
Removing intermediate container d6ee59afa44a
---> 2c75e3edfb9e
Step 6/6 : USER dockle
---> Running in bdcb1d4f926b
Removing intermediate container bdcb1d4f926b
---> 4481ee34427e
Successfully built 4481ee34427e
Successfully tagged my_image:my_test
Tagging alpine@sha256:769fddc7cc2f0a1c35abb2f91432e8beecf83916c421420e6a6da9f8975464b6 as alpine:latest
2019-06-13T12:34:07.573+0900 DEBUG Fetch latest version from github
2019-06-13T12:34:08.455+0900 WARN A new version v0.1.1 is now available! You have v0.0.18.
2019-06-13T12:34:08.455+0900 INFO Removing image caches...
2019-06-13T12:34:08.456+0900 DEBUG Start assessments...
2019-06-13T12:34:08.686+0900 DEBUG Start scan : password files
2019-06-13T12:34:08.686+0900 DEBUG Start scan : /etc/passwd
2019-06-13T12:34:08.686+0900 DEBUG Start scan : /etc/group
2019-06-13T12:34:08.686+0900 DEBUG Start scan : /etc/hosts
2019-06-13T12:34:08.686+0900 DEBUG Start scan : credential files
2019-06-13T12:34:08.686+0900 DEBUG Scan start : config file
2019-06-13T12:34:08.687+0900 DEBUG Scan start : DOCKER_CONTENT_TRUST
2019-06-13T12:34:08.687+0900 FATAL failed scan my_image:my_test: %!w(<nil>):
github.com/goodwithtech/dockle/pkg/scanner.ScanImage
/go/src/github.com/goodwithtech/dockle/pkg/scanner/scan.go:53
$
$ echo $?
1
$ # Same command in the shell script
$ dockle --debug --clear-cache my_image:my_test
2019-06-13T12:45:35.765+0900 DEBUG Fetch latest version from github
2019-06-13T12:45:36.792+0900 WARN A new version v0.1.1 is now available! You have v0.0.18.
2019-06-13T12:45:36.792+0900 INFO Removing image caches...
2019-06-13T12:45:36.793+0900 DEBUG Start assessments...
2019-06-13T12:45:37.043+0900 DEBUG Start scan : password files
2019-06-13T12:45:37.043+0900 DEBUG Start scan : /etc/passwd
2019-06-13T12:45:37.043+0900 DEBUG Start scan : /etc/group
2019-06-13T12:45:37.043+0900 DEBUG Start scan : /etc/hosts
2019-06-13T12:45:37.043+0900 DEBUG Start scan : credential files
2019-06-13T12:45:37.043+0900 DEBUG Scan start : config file
2019-06-13T12:45:37.043+0900 DEBUG Scan start : DOCKER_CONTENT_TRUST
2019-06-13T12:45:37.043+0900 DEBUG End assessments...
2019-06-13T12:45:37.043+0900 DEBUG There is no .dockleignore file
PASS - CIS-DI-0001: Create a user for the container
WARN - CIS-DI-0005: Enable Content trust for Docker
* export DOCKER_CONTENT_TRUST=1 before docker pull/build
PASS - CIS-DI-0006: Add HEALTHCHECK instruction to the container image
PASS - CIS-DI-0007: Do not use update instructions alone in the Dockerfile
PASS - CIS-DI-0008: Remove setuid and setgid permissions in the images
PASS - CIS-DI-0009: Use COPY instead of ADD in Dockerfile
PASS - CIS-DI-0010: Do not store secrets in ENVIRONMENT variables
PASS - CIS-DI-0010: Do not store secret files
PASS - DKL-DI-0001: Avoid sudo command
PASS - DKL-DI-0002: Avoid sensitive directory mounting
PASS - DKL-DI-0003: Avoid apt-get/apk/dist-upgrade
PASS - DKL-DI-0004: Use apk add with --no-cache
PASS - DKL-DI-0005: Clear apt-get caches
PASS - DKL-DI-0006: Avoid latest tag
PASS - DKL-LI-0001: Avoid empty password
PASS - DKL-LI-0002: Be unique UID
PASS - DKL-LI-0002: Be unique GROUP
$
$ echo $?
0
The best practice of avoiding apt-get upgrade
in Dockerfile has been removed from Docker's documentation. Dockle should also remove this check by default.
https://github.com/goodwithtech/dockle/blob/master/CHECKPOINT.md#dkl-di-0003
Hadolint has already removed this check. Please see the discussion in the following link.
I'd like to be able to do:
docker save ${IMAGE} | dockle --input /dev/stdin
or
docker save ${IMAGE} | dockle --input -
you get the idea...
Description
it fails to parse gitlab-ci repository local images.
container_linting:
stage: deploy
image: docker:stable
variables:
DOCKER_DRIVER: overlay2
allow_failure: true
services:
- docker:stable-dind
script:
- docker login -u gitlab-ci-token -p $CI_JOB_TOKEN $CI_REGISTRY
- docker pull ${IMAGE_TAG}
- VERSION=$(wget -q "https://api.github.com/repos/goodwithtech/dockle/releases/latest" -O - | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
- docker run --rm goodwithtech/dockle:v${VERSION} -debug -f json ${IMAGE_TAG} > container-linting-report.json
artifacts:
paths: [container-linting-report.json]
What did you expect to happen?
It should find the local image.
What happened instead?
2019-12-24T18:23:12.094Z FATAL failed to analyze image: &{%!w(string=failed to extract files: &{%!w(string=failed to fetch manifest: &{%!w(string=error unmarshalling content: invalid character '<' looking for beginning of value)})})}
Output of run with -debug
:
none
Output of dockle -v
:
dockle version dev
Additional details (base image name, container registry info...):
$ docker image ls
REPOSITORY TAG IMAGE ID CREATED SIZE
git.xxxxxx.com:4567/emanuelelevo/gitlab-templates/emanuelelevo docker-template da293e8e44e8 52 seconds ago 121MB
$ echo $IMAGE_TAG
git.xxxxxx.com:4567/emanuelelevo/gitlab-templates/emanuelelevo:docker-template
$ docker run --rm goodwithtech/dockle:v${VERSION} ${IMAGE_TAG}
2019-12-24T18:23:12.094Z FATAL failed to analyze image: &{%!w(string=failed to extract files: &{%!w(string=failed to fetch manifest: &{%!w(string=error unmarshalling content: invalid character '<' looking for beginning of value)})})}
Description
dockle's usage explains that insecure connection to the registry is possible by specifying the --insecure
option.
However, the --insecure
option does not provide an insecure connection.
What did you expect to happen?
Insecure connection shall be possible by specifying --insecure
options.
What happened instead?
The --insecure
option does not result in an insecure connection.
$ dockle --insecure $REDACTED
2021-02-01T08:47:34.137Z FATAL unable to initialize a image struct: failed to initialize source: error pinging docker registry $REDACTED: Get https://$REDACTED/v2/: x509: certificate signed by unknown authority
Output of run with -debug
:
$ dockle --debug --insecure $REDACTED
2021-02-01T08:26:24.777Z DEBUG Add new ignore code: CIS-DI-0006
2021-02-01T08:26:24.777Z DEBUG Fetch latest version from github
2021-02-01T08:26:25.451Z DEBUG Start assessments...
2021-02-01T08:26:25.466Z FATAL unable to initialize a image struct:
github.com/goodwithtech/deckoder/extractor/docker.newDockerExtractor
/go/pkg/mod/github.com/goodwithtech/[email protected]/extractor/docker/docker.go:73
- failed to initialize source:
github.com/goodwithtech/deckoder/extractor/image.NewImage
/go/pkg/mod/github.com/goodwithtech/[email protected]/extractor/image/image.go:86
- Get https://$REDACTED/v2/: x509: certificate signed by unknown authority
error pinging docker registry $REDACTED
github.com/containers/image/v5/docker.(*dockerClient).detectPropertiesHelper
/go/pkg/mod/github.com/containers/image/[email protected]/docker/docker_client.go:642
github.com/containers/image/v5/docker.(*dockerClient).detectProperties.func1
/go/pkg/mod/github.com/containers/image/[email protected]/docker/docker_client.go:675
sync.(*Once).doSlow
/usr/local/go/src/sync/once.go:66
sync.(*Once).Do
/usr/local/go/src/sync/once.go:57
github.com/containers/image/v5/docker.(*dockerClient).detectProperties
/go/pkg/mod/github.com/containers/image/[email protected]/docker/docker_client.go:675
github.com/containers/image/v5/docker.(*dockerClient).makeRequest
/go/pkg/mod/github.com/containers/image/[email protected]/docker/docker_client.go:395
github.com/containers/image/v5/docker.(*dockerImageSource).fetchManifest
/go/pkg/mod/github.com/containers/image/[email protected]/docker/docker_image_src.go:151
github.com/containers/image/v5/docker.(*dockerImageSource).ensureManifestIsLoaded
/go/pkg/mod/github.com/containers/image/[email protected]/docker/docker_image_src.go:183
github.com/containers/image/v5/docker.newImageSource
/go/pkg/mod/github.com/containers/image/[email protected]/docker/docker_image_src.go:87
github.com/containers/image/v5/docker.dockerReference.NewImageSource
/go/pkg/mod/github.com/containers/image/[email protected]/docker/docker_transport.go:144
github.com/goodwithtech/deckoder/extractor/image.newSource
/go/pkg/mod/github.com/goodwithtech/[email protected]/extractor/image/image.go:109
github.com/goodwithtech/deckoder/extractor/image.NewImage
/go/pkg/mod/github.com/goodwithtech/[email protected]/extractor/image/image.go:84
github.com/goodwithtech/deckoder/extractor/docker.newDockerExtractor
/go/pkg/mod/github.com/goodwithtech/[email protected]/extractor/docker/docker.go:71
github.com/goodwithtech/deckoder/extractor/docker.NewDockerExtractor
/go/pkg/mod/github.com/goodwithtech/[email protected]/extractor/docker/docker.go:57
github.com/goodwithtech/dockle/pkg/scanner.ScanImage
/go/src/github.com/goodwithtech/dockle/pkg/scanner/scan.go:30
github.com/goodwithtech/dockle/pkg.Run
/go/src/github.com/goodwithtech/dockle/pkg/run.go:71
github.com/urfave/cli.HandleAction
/go/pkg/mod/github.com/urfave/[email protected]/app.go:523
github.com/urfave/cli.(*App).Run
/go/pkg/mod/github.com/urfave/[email protected]/app.go:285
main.main
/go/src/github.com/goodwithtech/dockle/cmd/dockle/main.go:107
runtime.main
/usr/local/go/src/runtime/proc.go:203
runtime.goexit
/usr/local/go/src/runtime/asm_amd64.s:1357
Output of dockle -v
:
dockle version 0.3.1
Additional details (base image name, container registry info...):
Hello, I have a problem. I need to have exit code not equal to zero if dockle has WARN or FATAL output. I read about option -c and I used it. But, if I use if else
operator, if's always true but should have false. Could u explain how is it possible ?
I tried different status codes but they have doing nothing.
When you just want to quickly check if the latest version of this docker image is valid, it should be able to skip the latest tag check in some use cases.
it probably goes something like this :)
dockle hoge/fuga:latest --ignore-latest
e.g.) /.cache
, *template*
, Dockerfile*
, docker-compose.yml
After I install dockle, I got warning from brew doctor
Warning: Found Ruby file outside goodwithtech/dockle tap formula directory.
(/usr/local/Homebrew/Library/Taps/goodwithtech/homebrew-dockle/Formula):
/usr/local/Homebrew/Library/Taps/goodwithtech/homebrew-dockle/dockle.rb
PrivilegeAssessor is currently ignoring any path containing bin/
or usr/lib/
(excluding therefore /bin/
, /sbin/
, /usr/bin/
, /usr/lib
, but strange enough not /usr/sbin/
or /lib/
), but the misuse of SUID is higher to happen on executables in one of the ignored paths than someone else.
If crafting a malicious image with a SUID in it, I'd rather try to hide it under /usr/bin
or so than placing somewhere else, where someone looking at the root-filesystem might find it strange.
I therefore wouldn't ignore any path. The corresponding checkpoint (CIS-DI-0008) can be ignored with --ignore CIS-DI-0008
. Even if getting the issue reported, it's only INFO
level!
The next step would be making the paths to be ignored configurable.
Environment variables http_proxy, HTTP_PROXY, https_proxy, and HTTP_PROXY didn't work.
hi,
trying to use the dockle image directly in the bitbucket pipeline steps but not being able to fetch the artifact generated/ exported by the 1st step in the pipeline. the other pipeline steps with different docker images can use the .tar artifact from the 1 step but dockle image not being able to see it.
Not sure if this is dockle issue, but have you guys tried to run this in the bitbucket pipeline?
thanks
dockle version: 0.3.1
Currently if I use docker login to authenticate to a private registry, this will generate a config.json in ~/.docker/config.json. Dockle calls to the private registry will work properly after this config is created.
The problem arises when the config is not located in that exact location , that is when $DOCKER_CONFIG is different than ~/.docker
This is useful within CI/CD agents where the config.json may be be generated in a random temporary directory identified by DOCKER_CONFIG. This is also something that works with other similar tools like Trivy or Buildkit's buildctl.
Description
Is it possible to remove the IGNORE - [checkpoint code and discription]
output in normal mode? In debug mode, it's fine.
The reason for this request is to lower the amount of unnecessary output.
What did you expect to happen?
No output.
What happened instead?
Output of the ignored checkpoint code is displayed.
$ dockle --exit-code=1 --ignore CIS-DI-0005 123456789012.dkr.ecr.region.amazonaws.com/my-image:0.1.0
IGNORE - CIS-DI-0005: Enable Content trust for Docker
Output of dockle -v
:
$ dockle -v
dockle version 0.3.1
Description
dockle --input './Dockerfile'
does not work as expected like dockle $DOCKER_IMAGE_NAME
What did you expect to happen?
It should work?
What happened instead?
2020-08-21T12:33:21.470+0300 FATAL unable to initialize a image struct: failed to initialize source: failed to initialize: Error loading tar component manifest.json: archive/tar: invalid tar header
Output of run with -debug
:
2020-08-21T12:34:59.157+0300 DEBUG There is no .dockleignore file
2020-08-21T12:34:59.157+0300 DEBUG Fetch latest version from github
2020-08-21T12:35:00.701+0300 DEBUG Start assessments...
2020-08-21T12:35:00.705+0300 FATAL unable to initialize a image struct:
github.com/goodwithtech/deckoder/extractor/docker.newDockerExtractor
/go/pkg/mod/github.com/goodwithtech/[email protected]/extractor/docker/docker.go:73
- failed to initialize source:
github.com/goodwithtech/deckoder/extractor/image.NewImage
/go/pkg/mod/github.com/goodwithtech/[email protected]/extractor/image/image.go:86
- failed to initialize:
github.com/goodwithtech/deckoder/extractor/image.newSource
/go/pkg/mod/github.com/goodwithtech/[email protected]/extractor/image/image.go:118
- archive/tar: invalid tar header
Error loading tar component manifest.json
github.com/containers/image/v5/docker/tarfile.(*Source).readTarComponent
/go/pkg/mod/github.com/containers/image/[email protected]/docker/tarfile/src.go:209
github.com/containers/image/v5/docker/tarfile.(*Source).loadTarManifest
/go/pkg/mod/github.com/containers/image/[email protected]/docker/tarfile/src.go:269
github.com/containers/image/v5/docker/tarfile.(*Source).ensureCachedDataIsPresentPrivate
/go/pkg/mod/github.com/containers/image/[email protected]/docker/tarfile/src.go:232
github.com/containers/image/v5/docker/tarfile.(*Source).ensureCachedDataIsPresent.func1
/go/pkg/mod/github.com/containers/image/[email protected]/docker/tarfile/src.go:223
sync.(*Once).doSlow
/usr/local/go/src/sync/once.go:66
sync.(*Once).Do
/usr/local/go/src/sync/once.go:57
github.com/containers/image/v5/docker/tarfile.(*Source).ensureCachedDataIsPresent
/go/pkg/mod/github.com/containers/image/[email protected]/docker/tarfile/src.go:222
github.com/containers/image/v5/docker/tarfile.(*Source).GetManifest
/go/pkg/mod/github.com/containers/image/[email protected]/docker/tarfile/src.go:376
github.com/containers/image/v5/image.(*UnparsedImage).Manifest
/go/pkg/mod/github.com/containers/image/[email protected]/image/unparsed.go:46
github.com/containers/image/v5/image.FromUnparsedImage
/go/pkg/mod/github.com/containers/image/[email protected]/image/sourced.go:74
github.com/containers/image/v5/image.FromSource
/go/pkg/mod/github.com/containers/image/[email protected]/image/sourced.go:34
github.com/goodwithtech/deckoder/extractor/image.newSource
/go/pkg/mod/github.com/goodwithtech/[email protected]/extractor/image/image.go:116
github.com/goodwithtech/deckoder/extractor/image.NewImage
/go/pkg/mod/github.com/goodwithtech/[email protected]/extractor/image/image.go:84
github.com/goodwithtech/deckoder/extractor/docker.newDockerExtractor
/go/pkg/mod/github.com/goodwithtech/[email protected]/extractor/docker/docker.go:71
github.com/goodwithtech/deckoder/extractor/docker.NewDockerArchiveExtractor
/go/pkg/mod/github.com/goodwithtech/[email protected]/extractor/docker/docker.go:63
github.com/goodwithtech/dockle/pkg/scanner.ScanImage
/go/src/github.com/goodwithtech/dockle/pkg/scanner/scan.go:35
github.com/goodwithtech/dockle/pkg.Run
/go/src/github.com/goodwithtech/dockle/pkg/run.go:71
github.com/urfave/cli.HandleAction
/go/pkg/mod/github.com/urfave/[email protected]/app.go:523
github.com/urfave/cli.(*App).Run
/go/pkg/mod/github.com/urfave/[email protected]/app.go:285
main.main
/go/src/github.com/goodwithtech/dockle/cmd/dockle/main.go:107
runtime.main
/usr/local/go/src/runtime/proc.go:203
runtime.goexit
/usr/local/go/src/runtime/asm_amd64.s:1357
Output of dockle -v
:
dockle version 0.3.1
Making use of buildkit's mount caches to cache package caches is very useful for ensuring builds on local developer machines, when the layer cache is invalidated avoid needing to download every package that was downloaded the last time the layer was built locally if the same packages are to be used.
It would be great if Dockle could detect when such caches are in place and avoid flagging failure to use --no-cache
options for package installs because the cached files won't be present in the resulting image.
Example:
RUN --mount=type=cache,target=/var/cache/apk apk add --progress \
ca-certificates \
git \
python3 \
openssh \
openssl \
sshpass \
;
Or:
RUN --mount=type=cache,target=${HOME}/.cache set -xe \
&& pip3 install --upgrade pip \
&& pip3 install -r requirements.txt \
;
It's unclear whether based on scanning the image history only whether this will even be feasible, as I don't know if anything records the additional options passed to the RUN command that can be picked out. Calling docker history --no-trunc
on the image won't show the options, so perhaps it's not available.
In such a case it may only be possible to fully detect use of mount caches if dockle provides support to be provided the source Dockerfile to perform additional interrogation to identify this scenario.
The alternative is to inspect the file list of the corresponding layer and see if any files are present under the directory, using the absence to infer use of mount caching and downgrade the FATAL to SKIP?
Description
False warning for new version is avaible
"2021-04-20T20:00:29.138+0200 WARN A new version is now available! You have v0.3.11."
v03.11 is marked as latest version
What did you expect to happen?
No Warning.
Output of run with -debug
:
2021-04-20T20:00:29.138+0200 WARN A new version is now available! You have v0.3.11.
Output of dockle -v
:
dockle version 0.3.11
Description
On a clean virtual machine Dockle has started to throw an error with cache.
Supposedly it started after improper interruption of its execution.
What did you expect to happen?
After running dockle scanning process should start
What happened instead?
Dockle exited with "Failed to remove image layer cache" error
Output of run with -debug
:
:~/docker_tools$ ./dockle
2019-09-03T15:49:58.672Z FATAL failed to remove image layer cache
osboxes@osboxes:~/docker_tools$ ./dockle --debug
2019-09-03T15:50:25.783Z DEBUG There is no .dockleignore file
2019-09-03T15:50:25.784Z DEBUG Fetch latest version from github
2019-09-03T15:50:26.744Z FATAL failed to remove image layer cache:
github.com/goodwithtech/dockle/pkg.Run
/go/src/github.com/goodwithtech/dockle/pkg/run.go:43
Output of dockle -v
:
dockle version 0.1.16
Additional details (base image name, container registry info...):
Error is thrown even when running Dockle without parameters.
Is there any way to manually clear cache?
Hi all,
Hope you are all well !
In order to set easily a htpasswd filter, you could use gin-gonic like that
admin := router.Group("/", gin.BasicAuth(gin.Accounts{"[USERNAME]": "[PASSWORD]"}))
{
admin.Any("/*resources", gin.WrapH(mux))
}
Thanks in advance for any insights or inputs on that topic.
Cheers,
X
Dockle looking for maintainers.
If you are interested in becoming a maintainer, please reach out to me at the email/twitter on my GitHub profile.
Description
COPY sample.txt /app/sample.txt
RUN chmod u+s /app/sample.txt
RUN chmod u-s /app/sample.txt
This sample.txt
is not suid file, but Dockle sometimes detect to suid file.
※ Docker version 19.03.3, build a872fc2
This cause of symbolic linked layer.tar file.
├── 99dd0e6c897c668eaff4c7db78af46f0222de6002d826850b7ccf7647c734b52
│ ├── VERSION
│ ├── json
│ └── layer.tar #=> extract /app/sample.txt
├── 9e54adcf82bab951408ca086571b79a04f34afe2e5984f16a36147c3bd2bdff5
│ ├── VERSION
│ ├── json
│ └── layer.tar
├── cc9cb9922a613543e7600f4ad3101855d2dd2f04043e46dbf2824adb9aff886b
│ ├── VERSION
│ └── layer.tar -> ../99dd0e6c897c668eaff4c7db78af46f0222de6002d826850b7ccf7647c734b52/layer.tar
I can't reproduce simplified image.
symbolic linked Dockerfile
This Dockerfile create symbolic linked layer.tar.
FROM debian:jessie-slim
RUN apt-get update && apt-get install -y git
RUN useradd nopasswd -p ""
RUN chmod u+s /etc/shadow
RUN chmod g+s /etc/passwd
ADD credentials.json /app/credentials.json
COPY suid.txt /app/suid.txt
RUN chmod u+s /app/suid.txt
COPY guid.txt /app/guid.txt
RUN chmod g+s /app/guid.txt
COPY once-suid.txt /app/once-suid.txt
RUN chmod u+s /app/once-suid.txt
RUN chmod u-s /app/once-suid.txt
simplified PoC Dockerfile
This Dockerfile does not create symbolic linked layer.tar.
FROM debian:jessie-slim
COPY once-suid.txt /app/once-suid.txt
RUN chmod u+s /app/once-suid.txt
RUN chmod u-s /app/once-suid.txt
What happened instead?
Always not detect suid file.
Description
dockle miss identified the string ADD anywhere in a dockerfile as the ADD
instruction even though it is not at the beginning of a line.
In this specific case it thinks an env variable named RETHINKDB_CLUSTER_IP_ADDR
is an ADD
instruction.
This indicates an incorrect Dockerfile/docker history
parser.
Output of run with -debug
:
# dockle -debug mterron/rethinkdb
2019-07-10T20:15:24.504+1200 DEBUG Fetch latest version from github
2019-07-10T20:15:26.115+1200 DEBUG Start assessments...
2019-07-10T20:15:31.986+1200 DEBUG Start scan : password files
2019-07-10T20:15:31.994+1200 DEBUG Start scan : /etc/passwd
2019-07-10T20:15:31.996+1200 DEBUG Start scan : /etc/group
2019-07-10T20:15:31.997+1200 DEBUG Start scan : /etc/hosts
2019-07-10T20:15:31.998+1200 DEBUG Start scan : credential files
2019-07-10T20:15:31.999+1200 DEBUG Scan start : config file
2019-07-10T20:15:32.002+1200 DEBUG Scan start : DOCKER_CONTENT_TRUST
2019-07-10T20:15:32.011+1200 DEBUG End assessments...
2019-07-10T20:15:32.012+1200 DEBUG There is no .dockleignore file
WARN - CIS-DI-0001: Create a user for the container
* Last user should not be root
INFO - CIS-DI-0005: Enable Content trust for Docker
* export DOCKER_CONTENT_TRUST=1 before docker pull/build
WARN - CIS-DI-0006: Add HEALTHCHECK instruction to the container image
* not found HEALTHCHECK statement
PASS - CIS-DI-0007: Do not use update instructions alone in the Dockerfile
PASS - CIS-DI-0008: Remove setuid and setgid permissions in the images
FATAL - CIS-DI-0009: Use COPY instead of ADD in Dockerfile
* Use COPY : /bin/sh -c #(nop) ENTRYPOINT ["/bin/sh" "-c" "exec su-exec daemon:daemon rethinkdb --bind all -d /data -n ${HOSTNAME} --server-tag ${RETHINKDB_TAGS:=default} --join \"${RETHINKDB_CLUSTER_IP_ADDR:=$(nslookup ${RETHINKDB_SVC_NAME:=rethinkdb} 127.0.0.1 2>/dev/null | awk '{print $3}' | egrep -v \"(127.0.0.1|^$|$(hostname -i))\" | sort | head -1)}:${RETHINKDB_CLUSTER_PORT:=29015}\" --join-delay $((RANDOM%50+9)) --cluster-reconnect-timeout 600 --no-update-check"]
PASS - CIS-DI-0010: Do not store secrets in ENVIRONMENT variables
PASS - CIS-DI-0010: Do not store secret files
PASS - DKL-DI-0001: Avoid sudo command
PASS - DKL-DI-0002: Avoid sensitive directory mounting
PASS - DKL-DI-0003: Avoid apt-get/apk/dist-upgrade
PASS - DKL-DI-0004: Use apk add with --no-cache
PASS - DKL-DI-0005: Clear apt-get caches
WARN - DKL-DI-0006: Avoid latest tag
* Avoid 'latest' tag
PASS - DKL-LI-0001: Avoid empty password
PASS - DKL-LI-0002: Be unique UID
PASS - DKL-LI-0002: Be unique GROUP
Output of dockle -v
:
dockle version 0.1.13
Additional details (base image name, container registry info...):
mterron/rethinkdb
I tried to install dockle from source, but got an error below.
package github.com/goodwithtech/dockle: no Go files in /path/to/go/src/github.com/goodwithtech/dockle
In Installation from source section of README.md
,
command shoud be go get -u github.com/goodwithtech/dockle/cmd/dockle
?
I noticed dockle can detect secrets in env vars, but could it also detect them in build args?
Description
This OS version is no longer supported by the distribution: alpine 3.9.6
2020-11-22T02:37:50.916Z WARN The vulnerability detection may be insufficient because security updates are not provided
...
Run docker run aquasec/trivy:latest --cache-dir /var/lib/trivy --exit-code 1 --no-progress $IMAGE:v0.3.1
Digest: sha256:37af346e8b0100035df20f330c49f96cccfd809ddb0ab2d3ca26bbb781e1d81f
Status: Downloaded newer image for aquasec/trivy:latest
2020-11-22T02:37:48.724Z INFO Need to update DB
2020-11-22T02:37:48.724Z INFO Downloading DB...
2020-11-22T02:37:50.916Z INFO Detecting Alpine vulnerabilities...
2020-11-22T02:37:50.916Z WARN This OS version is no longer supported by the distribution: alpine 3.9.6
2020-11-22T02:37:50.916Z WARN The vulnerability detection may be insufficient because security updates are not provided
Total: 2 (UNKNOWN: 2, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
+------------+------------------+----------+-------------------+---------------+-------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+------------+------------------+----------+-------------------+---------------+-------+
| musl | CVE-2020-28928 | UNKNOWN | 1.1.20-r5 | 1.1.20-r6 | |
+------------+ + + + +-------+
| musl-utils | | | | | |
+------------+------------------+----------+-------------------+---------------+-------+
Error: Process completed with exit code 1.
Description
Option "--output" don't work on Windows (possibly because combined with --debug).
After execute dockle.exe --debug --output report.log <image_name>
the log file (report.log) was created, but it is empty.
What did you expect to happen?
I expect the application output to be redirected \ duplicated to the "report.log" file.
What happened instead?
Logs are output to stdout \ strerr.
The log file is created, but not filled.
Output of run with -debug
:
dockle.exe -debug --output report.log <image_name>
2021-02-15T14:51:55.550+0700 �[35mDEBUG�[0m There is no .dockleignore file
2021-02-15T14:51:55.594+0700 �[35mDEBUG�[0m Fetch latest version from github
2021-02-15T14:51:56.731+0700 �[35mDEBUG�[0m Start assessments...
2021-02-15T14:55:25.275+0700 �[35mDEBUG�[0m Start scan : password files
2021-02-15T14:55:25.275+0700 �[35mDEBUG�[0m Start scan : /etc/passwd
2021-02-15T14:55:25.278+0700 �[35mDEBUG�[0m Start scan : /etc/group
2021-02-15T14:55:25.287+0700 �[35mDEBUG�[0m Start scan : /etc/hosts
2021-02-15T14:55:25.289+0700 �[35mDEBUG�[0m Start scan : credential files
2021-02-15T14:55:25.298+0700 �[35mDEBUG�[0m Scan start : config file
2021-02-15T14:55:25.301+0700 �[35mDEBUG�[0m Scan start : DOCKER_CONTENT_TRUST
2021-02-15T14:55:25.303+0700 �[35mDEBUG�[0m Start scan : cache files
2021-02-15T14:55:25.314+0700 �[35mDEBUG�[0m End assessments...
�[31mFATAL�[0m - �[36mDKL-DI-0005�[0m: Clear apt-get caches
* Use 'rm -rf /var/lib/apt/lists' after 'apt-get install' : *hidden by the author*
�[34mSKIP�[0m - �[36mDKL-LI-0001�[0m: Avoid empty password
* failed to detect etc/shadow,etc/master.passwd
�[34mSKIP�[0m - �[36mDKL-LI-0002�[0m: Be unique UID/GROUP
* failed to detect etc/passwd
* failed to detect etc/group
�[33mWARN�[0m - �[36mCIS-DI-0001�[0m: Create a user for the container
* Last user should not be root
�[35mINFO�[0m - �[36mCIS-DI-0005�[0m: Enable Content trust for Docker
* export DOCKER_CONTENT_TRUST=1 before docker pull/build
�[35mINFO�[0m - �[36mCIS-DI-0006�[0m: Add HEALTHCHECK instruction to the container image
* not found HEALTHCHECK statement
�[35mINFO�[0m - �[36mCIS-DI-0008�[0m: Confirm safety of setuid/setgid files
* setuid file: usr\bin\newgrp urwxr-xr-x
* setuid file: usr\bin\mount urwxr-xr-x
* setgid file: usr\sbin\pam_extrausers_chkpwd grwxr-xr-x
* setuid file: usr\lib\openssh\ssh-keysign urwxr-xr-x
* setuid file: usr\bin\su urwxr-xr-x
* setgid file: usr\bin\ssh-agent grwxr-xr-x
* setuid file: usr\bin\gpasswd urwxr-xr-x
* setuid file: usr\bin\passwd urwxr-xr-x
* setuid file: usr\bin\chsh urwxr-xr-x
* setuid file: usr\bin\umount urwxr-xr-x
* setuid file: usr\lib\dbus-1.0\dbus-daemon-launch-helper urwxr-xr--
* setgid file: usr\sbin\unix_chkpwd grwxr-xr-x
* setgid file: usr\bin\chage grwxr-xr-x
* setgid file: usr\bin\wall grwxr-xr-x
* setuid file: usr\bin\chfn urwxr-xr-x
* setgid file: usr\bin\expiry grwxr-xr-x
�[35mINFO�[0m - �[36mDKL-LI-0003�[0m: Only put necessary files
* unnecessary file : *hidden by the author*
Output of dockle -v
:
dockle.exe -v
dockle version 0.3.1
Additional details (base image name, container registry info...):
The image and registry are private, located behind the Proxy.
Hello, I love the Dockle tool.
These are questions about Dockle, could you please take a look and answer?
Q1:
If I run the command to scan an image saved in AWS ECR, how does it do with these images?
Will Dockle download these images and saves them on local disk then scan them?
Or it just download and scan them in memory?
(Appreciate if you could point out the source code where it processes images)
Q2:
For local images, I can scan them without tag:
dockle centos # --> ok
But if the images locates at remote, them tag is must to be assigned'
dockle myrepo/centos:tag1 # --> ok
dockle myrepo/centos # --> ng
Is there any way to skip the tag for remote images also?
Thanks for your time and waiting for your reply.
The fetch latest version is taking minutes to timeout causing a slowdown in our pipeline. There is a proxy in place between the container and the destination of the fetch request.
What did you expect to happen?
Timeout quickly if can't reach out with warning displayed.
What happened instead?
Waits for 2 minutes (ish)
DEBUG Fetch latest version from github
Then a long wait...
How does one scan an image that lives on the host machine and not on a remote registry?
My image name is example:latest
and the documented command seems to be requesting the image from docker.io registry https://registry-1.docker.io/v2/library/example/manifests/latest
docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \
goodwithtech/dockle:v0.2.4 example
2020-07-08T19:57:44.399Z FATAL failed to analyze image:
&{%!w(string=failed to extract files:
&{%!w(string=failed to fetch manifest:
&{%!w(string=Get)
%!w(string=https://registry-1.docker.io/v2/library/example/manifests/latest)
%!w(*registry.httpStatusError=&{...snip...]})})})}
Description
Scanning a docker image that has previously been saved as a tar file doesn't work with the dockle docker container:
What did you expect to happen?
Should be able scan image from file.
Steps to reproduce
docker pull alpine
docker save alpine -o alpine.tar
docker run --rm -v $(pwd):/src -w /src goodwithtech/dockle:v0.2.4 --input alpine.tar
Output:
Using default tag: latest
latest: Pulling from library/alpine
Digest: sha256:ab00606a42621fb68f2ed6ad3c88be54397f981a7b70a79db3d1172b11c4367d
Status: Image is up to date for alpine:latest
docker.io/library/alpine:latest
2020-02-16T03:59:03.688Z FATAL failed to open stream: &{%!w(string=open) %!w(string=alpine.tar) %!w(syscall.Errno=13)}
I would like to have an option to get the results in JSON format.
Since there's a workaround like scraping the results, it's not a strong request but useful in many ways.
dockle --json image_name
$ # Some what like this
$ dockle --json my_image:my_tag
{
"summary": {
"image_id": "704f8ff68c6d",
"image_name": "my_image",
"image_tag": "my_tag",
"number_warn": 1,
"number_fatal": 0,
"number_pass": 18,
"number_total": 19
},
"details": [
{
"code": "CIS-DI-0001",
"description": "Create a user for the container",
"level": "WARN",
"alert": [
"Last user should not be root"
]
},
{
"code": "CIS-DI-0002",
"description": "Use trusted base images for containers",
"level": "PASS",
"alert": [
""
]
},
⋮
{
"code": "DKL-LI-0002",
"description": "Be unique UID\/GROUPs",
"level": "PASS",
"alert": [
""
]
}
]
}
If I can get the results like so, it would be handy to use the results in other languages.
So far, my main purpose for this is to generate a status badge of Dockle something like below.
For example, If I can generate a JSON string like below, I can use the Dynamic Badges of shields.IO.
{
"schemaVersion": 1,
"label": "Dockle",
"message": "FATAL 1 WARN 2",
"color": "red"
}
![](https://img.shields.io/endpoint.svg?url=[RAW URL JSON])
![](https://img.shields.io/endpoint.svg?url=https://gist.githubusercontent.com/KEINOS/69610d8f340496448eedb3d602972efa/raw/fb45e04276a037492039e2c4dcba8bb8b1fc559c/dockle-status.json)
Azure/container-scan action uses Dockle to scan images for best practice violations. However, while pulling images from Azure container registry, we get the following error.
Error: FATAL unable to initialize a image struct: failed to initialize source: unable to retrieve auth token: invalid username/password: unauthorized: authentication required, visit https://aka.ms/acr/authorization for more information.
Error: An error occurred while scanning the container image for best practice violations
Is it possible to use Dockle with ACR images? From the README, it looks like it's not supported. But is there any workaround that can be suggested to the users of our action?
Description
I wanted to work with container security and chose Dockle for it. But I am unable to make it work. I first tried 0.2.4 version .deb then I got the tar file used the precompiled version and I got the same error:-
2020-04-15T08:53:45.618Z DEBUG There is no .dockleignore file
2020-04-15T08:53:45.618Z DEBUG Fetch the latest version from GitHub
2020-04-15T08:53:45.954Z WARN A new version v0.2.4 is now available! You have v0.2.3.
2020-04-15T08:53:45.954Z DEBUG Start assessments...
fatal error: runtime: out of memory
I tried to run the docker version and got a different error:-
&{%!w(string=open) %!w(string=.tar) %!w(syscall.Errno=13)}
I issued the command:-
./dockle --input <image-file.tar> -d
What did you expect to happen?
I expected it to work and show some assessed details.
What happened instead?
Out of memory error.
Output of run with -debug
:
2020-04-15T08:53:45.618Z DEBUG There is no .dockleignore file
2020-04-15T08:53:45.618Z DEBUG Fetch latest version from github
2020-04-15T08:53:45.954Z WARN A new version v0.2.4 is now available! You have v0.2.3.
2020-04-15T08:53:45.954Z DEBUG Start assessments...
fatal error: runtime: out of memory
runtime stack:
runtime.throw(0xc01fd7, 0x16)
/usr/local/go/src/runtime/panic.go:774 +0x72
runtime.sysMap(0xc174000000, 0x100000000, 0x122a3f8)
/usr/local/go/src/runtime/mem_linux.go:169 +0xc5
runtime.(*mheap).sysAlloc(0x12118a0, 0x100000000, 0xc0000e5e00, 0x436057)
/usr/local/go/src/runtime/malloc.go:701 +0x1cd
runtime.(*mheap).grow(0x12118a0, 0x80000, 0xffffffff)
/usr/local/go/src/runtime/mheap.go:1255 +0xa3
runtime.(*mheap).allocSpanLocked(0x12118a0, 0x80000, 0x122a408, 0x11bb8e0)
/usr/local/go/src/runtime/mheap.go:1170 +0x266
runtime.(*mheap).alloc_m(0x12118a0, 0x80000, 0x101, 0x0)
/usr/local/go/src/runtime/mheap.go:1022 +0xc2
runtime.(*mheap).alloc.func1()
/usr/local/go/src/runtime/mheap.go:1093 +0x4c
runtime.(*mheap).alloc(0x12118a0, 0x80000, 0xc000010101, 0x437145)
/usr/local/go/src/runtime/mheap.go:1092 +0x8a
runtime.largeAlloc(0xfffffe00, 0xc000030101, 0xc000000180)
/usr/local/go/src/runtime/malloc.go:1138 +0x97
runtime.mallocgc.func1()
/usr/local/go/src/runtime/malloc.go:1033 +0x46
runtime.systemstack(0xc00028fa40)
/usr/local/go/src/runtime/asm_amd64.s:370 +0x66
runtime.mstart()
/usr/local/go/src/runtime/proc.go:1146
goroutine 1 [running]:
runtime.systemstack_switch()
/usr/local/go/src/runtime/asm_amd64.s:330 fp=0xc000138600 sp=0xc0001385f8 pc=0x459200
runtime.mallocgc(0xfffffe00, 0xae7d00, 0x1, 0xc000138718)
/usr/local/go/src/runtime/malloc.go:1032 +0x895 fp=0xc0001386a0 sp=0xc000138600 pc=0x40c2a5
runtime.makeslice(0xae7d00, 0xfffffe00, 0xfffffe00, 0x40000000)
/usr/local/go/src/runtime/slice.go:49 +0x6c fp=0xc0001386d0 sp=0xc0001386a0 pc=0x443cbc
bytes.makeSlice(0xfffffe00, 0x0, 0x0, 0x0)
/usr/local/go/src/bytes/buffer.go:229 +0x77 fp=0xc000138738 sp=0xc0001386d0 pc=0x4f65d7
bytes.(*Buffer).grow(0xc000138860, 0x200, 0x40000000)
/usr/local/go/src/bytes/buffer.go:142 +0x15b fp=0xc000138788 sp=0xc000138738 pc=0x4f5f1b
bytes.(*Buffer).ReadFrom(0xc000138860, 0xd608c0, 0xc0000ae480, 0x0, 0xc000138858, 0x2)
/usr/local/go/src/bytes/buffer.go:202 +0x4b fp=0xc0001387f8 sp=0xc000138788 pc=0x4f63cb
io/ioutil.readAll(0xd608c0, 0xc0000ae480, 0x200, 0x0, 0x0, 0x0, 0x0, 0x0)
/usr/local/go/src/io/ioutil/ioutil.go:36 +0x100 fp=0xc000138898 sp=0xc0001387f8 pc=0x4fd050
io/ioutil.ReadAll(...)
/usr/local/go/src/io/ioutil/ioutil.go:45
github.com/goodwithtech/deckoder/extractor/docker.DockerExtractor.ExtractFromFile(0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ...)
/go/pkg/mod/github.com/goodwithtech/[email protected]/extractor/docker/docker.go:307 +0x453 fp=0xc0001390f8 sp=0xc000138898 pc=0xa6ee53
github.com/goodwithtech/deckoder/analyzer.AnalyzeFromFile(0xd71380, 0xc000090010, 0xd69b40, 0xc00000e160, 0xc0003945f0, 0x2, 0xc0003945f0, 0xc0001393c8)
/go/pkg/mod/github.com/goodwithtech/[email protected]/analyzer/analyzer.go:43 +0x225 fp=0xc000139368 sp=0xc0001390f8 pc=0xa71c25
github.com/goodwithtech/dockle/pkg/scanner.ScanImage(0xd71380, 0xc000090010, 0x0, 0x0, 0x7ffd0c26b89b, 0x1e, 0x0, 0x0, 0x0, 0x0, ...)
/go/src/github.com/goodwithtech/dockle/pkg/scanner/scan.go:38 +0x1c8 fp=0xc000139480 sp=0xc000139368 pc=0xa72038
github.com/goodwithtech/dockle/pkg.Run(0xc0000bcc60, 0xc0000bcc60, 0xc0001b577f)
/go/src/github.com/goodwithtech/dockle/pkg/run.go:83 +0x56d fp=0xc000139780 sp=0xc000139480 pc=0xa7305d
github.com/urfave/cli.HandleAction(0xaf9760, 0xc2f2a0, 0xc0000bcc60, 0xc0001eda40, 0x0)
/go/pkg/mod/github.com/urfave/[email protected]/app.go:490 +0xc8 fp=0xc0001397a8 sp=0xc000139780 pc=0x74e078
github.com/urfave/cli.(*App).Run(0xc00032ab60, 0xc00006a080, 0x4, 0x4, 0x0, 0x0)
/go/pkg/mod/github.com/urfave/[email protected]/app.go:264 +0x58c fp=0xc000139ae0 sp=0xc0001397a8 pc=0x74c27c
main.main()
/go/src/github.com/goodwithtech/dockle/cmd/dockle/main.go:107 +0xa17 fp=0xc000139f60 sp=0xc000139ae0 pc=0xa743b7
runtime.main()
/usr/local/go/src/runtime/proc.go:203 +0x21e fp=0xc000139fe0 sp=0xc000139f60 pc=0x42fbde
runtime.goexit()
/usr/local/go/src/runtime/asm_amd64.s:1357 +0x1 fp=0xc000139fe8 sp=0xc000139fe0 pc=0x45b151
goroutine 20 [syscall]:
os/signal.signal_recv(0x45b156)
/usr/local/go/src/runtime/sigqueue.go:147 +0x9c
os/signal.loop()
/usr/local/go/src/os/signal/signal_unix.go:23 +0x22
created by os/signal.init.0
/usr/local/go/src/os/signal/signal_unix.go:29 +0x41
Output of dockle -v
:
dockle version 0.2.3
Additional details (base image name, container registry info...):
The image size I am testing is 9.86 GB and the same size worked with Trivy and generated a report for me to analyze. I want to make this tool work as I am fascinated by the CIS benchmarks.
/boot, /dev, /etc, /lib, /proc, /sys, /usr
I'm not sure there can be an attack vector with these volumes, though the runtime might
have some vulns around mounting /dev, /proc, and /sys, potentially .
Hey guys,
Is there any plans to implement JUnit like reports? Could be helpful for CI systems that can consume such reports and build adorable graphs :)
Thanks in advance.
Description
On Ubuntu VM (fresh and clean Ubuntu Server 18.10) Dockle fails to scan images.
What did you expect to happen?
No errors during execution
What happened instead?
FATAL "Failed to analyze image: failed to extract files" error
Output of run with -debug
:
$ ./dockle --exit-code 1 -f json --output ./dockle_results.json bkimminich/juice-shop --debug
2019-09-03T17:19:11.383Z FATAL failed to analyze image: failed to extract files: Could not extract the archive
osboxes@osboxes:~/docker/docker_tools$ ./dockle --debug --exit-code 1 -f json --output ./dockle_results.json bkimminich/juice-shop
2019-09-03T17:19:21.212Z DEBUG There is no .dockleignore file
2019-09-03T17:19:21.213Z DEBUG Fetch latest version from github
2019-09-03T17:19:22.282Z DEBUG Start assessments...
2019-09-03T17:20:22.284Z FATAL failed to analyze image:
github.com/goodwithtech/dockle/pkg/scanner.ScanImage
/go/src/github.com/goodwithtech/dockle/pkg/scanner/scan.go:32
- failed to extract files:
github.com/knqyf263/fanal/analyzer.Analyze
/go/pkg/mod/github.com/goodwithtech/[email protected]/analyzer/analyzer.go:137
- Could not extract the archive
github.com/knqyf263/fanal/extractor.init.ializers
/go/pkg/mod/github.com/goodwithtech/[email protected]/extractor/extractor.go:13
runtime.main
/usr/local/go/src/runtime/proc.go:188
runtime.goexit
/usr/local/go/src/runtime/asm_amd64.s:1337
Output of dockle -v
:
dockle version 0.1.16
Additional details (base image name, container registry info...):
For some reason on another host dockle works fine, but on a fresh VM with Docker just installed Dockle fails.
Seems correlating to the Trivy issue - aquasecurity/trivy#139
As a Docker container runs as one process on a host machine and it's separated from other processes, I do not think running as root is not "critical".
More like it won't do much even if you make it as a non-root user because it strongly depends on which user you're running Docker daemon on the host machine.
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.