fix(misconf): disable DS016 check for image history analyzer #7540

Merged
merged 1 commit into from
Sep 30, 2024


nikpivkin
Contributor

@nikpivkin nikpivkin commented Sep 18, 2024

Description

Related issues

Related PRs

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).

Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
Collaborator

@knqyf263 knqyf263 left a comment


:shipit:

@knqyf263 knqyf263 added this pull request to the merge queue Sep 30, 2024
@DmitriyLewen
Contributor

DmitriyLewen commented Sep 30, 2024

@knqyf263 @nikpivkin
Maybe I am missing something, but is it correct to just skip AVD-DS-0011?

Maybe we can improve our GuessBaseImageIndex logic or at least write in the documentation that we skip this check for "--image-config-scanners misconfig"

@knqyf263
Collaborator

Since the logic is based on the assumption that the CMD is set correctly and infers the base layer, it would be difficult to detect cases where the CMD is set incorrectly, as in the AVD-DS-0011 rule.

> or at least write in the documentation that we skip this check for "--image-config-scanners misconfig"

Agreed, we should show a debug message about disabled check IDs. And document maybe.

Merged via the queue into aquasecurity:main with commit de40df9 Sep 30, 2024
13 checks passed
@nikpivkin nikpivkin deleted the disable-DS016 branch September 30, 2024 05:12
@nikpivkin
Contributor Author

@DmitriyLewen @knqyf263 That's reasonable. I'll create a PR for that.

@DmitriyLewen
Contributor

> it would be difficult to detect cases where the CMD is set incorrectly

Hmm... you are right. If the user has set 2 (or more) CMDs incorrectly, we can't guess the base layer correctly.
But it seems there is no way to solve such problems 😞

@knqyf263
Collaborator

> But it seems there is no way to solve such problems 😞

Yes, I didn't come up with a good idea, then I decided to disable it until we find a good approach.

Successfully merging this pull request may close these issues.

bug(misconf): Apply AVD-DS-0016 only to final layer