
bug(chown): chown flag is checked for non-executable files

Open korhojoa opened this issue 1 year ago • 0 comments

Expected Behavior

Preferred: No rule hit.
Alternatively: a message that's appropriate.

Actual Behavior

https://github.com/jenkinsci/docker/blob/217e7c7264738531d869fb8991b8211dc976c785/README.md Consider the dockerfile content on this page:

FROM jenkins/jenkins:lts-jdk17
COPY --chown=jenkins:jenkins plugins.txt /usr/share/jenkins/ref/plugins.txt
RUN jenkins-plugin-cli -f /usr/share/jenkins/ref/plugins.txt

At no point are executable files copied, but the message states (confusingly) that executables need not be owned by others than root. "It is considered a best practice for every executable in a container to be owned by the root user even if it is executed by a non-root user, only execution permissions are required on the file, not ownership"

https://github.com/Checkmarx/kics/blob/ce3cbd0c18ef09ad6ad17e34d0e83e6eba47b470/assets/queries/dockerfile/chown_flag_exists/query.rego

Having --chown in a dockerfile doesn't mean that something is an executable. The link to docker's documentation doesn't seem to have any elaboration on the matter.

Steps to Reproduce the Problem

(Command line arguments and flags used)

  1. Have --chown in a dockerfile
  2. kics scan --path .
  3. See incorrect conclusions represented

Specifications

(N/A if not applicable)

  • Version: 2.0.1
  • Platform: x86_64
  • Subsystem: N/A

korhojoa avatar Jun 26 '24 07:06 korhojoa
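The point of the report is that a `--chown` flag on COPY/ADD says nothing about whether the copied file is executable. The script below is an added example (not KICS's query and not the Jenkins project's code) that makes the distinction concrete: it parses COPY/ADD instructions from a Dockerfile, reports every one carrying `--chown` (the behaviour the issue describes), and separately reports only those whose source file in the build context actually has an execute bit set. The build context it inspects is constructed in a temporary directory: `plugins.txt` (mode 0644, the data file from the issue) and a hypothetical `entrypoint.sh` (mode 0755) that is not on the original page. The parser handles the shell-form `COPY`/`ADD` lines shown here and ignores JSON-form instructions and backslash line continuations.

```python
import os
import re
import shlex
import stat
import tempfile

# Matches shell-form COPY/ADD instructions; JSON form ("COPY [...]") and
# line continuations are out of scope for this example.
COPY_ADD_RE = re.compile(r'^\s*(COPY|ADD)\s+(.*)$', re.IGNORECASE)

# Dockerfile from the issue plus one constructed line copying a script
# (entrypoint.sh is hypothetical and not part of the reported Dockerfile).
SAMPLE_DOCKERFILE = """\
FROM jenkins/jenkins:lts-jdk17
COPY --chown=jenkins:jenkins plugins.txt /usr/share/jenkins/ref/plugins.txt
COPY --chown=jenkins:jenkins entrypoint.sh /usr/local/bin/entrypoint.sh
RUN jenkins-plugin-cli -f /usr/share/jenkins/ref/plugins.txt
"""


def parse_copy_instructions(dockerfile_text):
    """Return one dict per COPY/ADD: instruction, chown value, sources, dest."""
    results = []
    for raw in dockerfile_text.splitlines():
        m = COPY_ADD_RE.match(raw.strip())
        if not m:
            continue
        chown = None
        paths = []
        for tok in shlex.split(m.group(2)):
            if tok.startswith('--chown='):
                chown = tok[len('--chown='):]
            elif tok.startswith('--'):
                continue  # --from, --chmod, --link etc. are not relevant here
            else:
                paths.append(tok)
        if len(paths) < 2:  # need at least one source and a destination
            continue
        results.append({'instruction': m.group(1).upper(), 'chown': chown,
                        'sources': paths[:-1], 'dest': paths[-1]})
    return results


def chown_flag_exists(instrs):
    """Flag-only check: every COPY/ADD with --chown is reported, executable or not."""
    return [i for i in instrs if i['chown'] is not None]


def copies_executable(instr, context_dir):
    """True if any source of the instruction exists in the build context with an execute bit."""
    for src in instr['sources']:
        path = os.path.join(context_dir, src)
        if os.path.isfile(path):
            mode = os.stat(path).st_mode
            if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
                return True
    return False


def chown_on_executable(instrs, context_dir):
    """Refined check: report --chown only where the copied source is actually executable."""
    return [i for i in instrs
            if i['chown'] is not None and copies_executable(i, context_dir)]


def build_demo_context():
    """Constructed build context: a 0644 data file and a 0755 script."""
    ctx = tempfile.mkdtemp(prefix='chown-demo-')
    data = os.path.join(ctx, 'plugins.txt')
    with open(data, 'w') as f:
        f.write('git:latest\n')
    os.chmod(data, 0o644)
    script = os.path.join(ctx, 'entrypoint.sh')
    with open(script, 'w') as f:
        f.write('#!/bin/sh\nexec "$@"\n')
    os.chmod(script, 0o755)
    return ctx


def demo():
    """Run both checks over the sample Dockerfile and return the destinations each reports."""
    ctx = build_demo_context()
    instrs = parse_copy_instructions(SAMPLE_DOCKERFILE)
    return {
        'flag_hits': [i['dest'] for i in chown_flag_exists(instrs)],
        'executable_hits': [i['dest'] for i in chown_on_executable(instrs, ctx)],
    }


if __name__ == '__main__':
    for name, hits in demo().items():
        print(name, hits)
```

Running it shows the flag-only check reporting both COPY lines, including the non-executable `plugins.txt`, while the mode-bit check reports only the script. A rule whose message is about executable ownership needs information from the copied source (or from a `--chmod` flag), not merely from the presence of `--chown`.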