AVD-DS-0024 rule looks wrong

[nE0sIghT]

Description

Hi! I just hit AVD-DS-0024 rule in the apt-mirror2 repository with the explanation:

AVD-DS-0024 (HIGH): 'apt-get dist-upgrade' should not be used in Dockerfile
════════════════════════════════════════
'apt-get dist-upgrade' upgrades a major version so it doesn't make more sense in Dockerfile.

The description looks wrong because of [1] states:

To run package upgrades that require installing or removing some other package, run the following command, and check the packages to be REMOVED: Any package lib<foo> is fine.

... and [2] states:

dist-upgrade in addition to performing the function of upgrade, also intelligently handles changing dependencies with new versions of packages; apt-get has a "smart" conflict resolution system, and it will attempt to upgrade the most important packages at the expense of less important ones if necessary. The dist-upgrade command may therefore remove some packages.

So the upgrade command may not remove packages in the upgrade process while dist-upgrade may.

[1] https://wiki.debian.org/AptCLI
[2] https://manpages.debian.org/unstable/apt/apt-get.8.en.html

Desired Behavior

I beleave AVD-DS-0024 should be removed completely.

Actual Behavior

AVD-DS-0024 claims dist-upgrade is wrong and should not be used while there is no other way to do complete upgrade.

Reproduction Steps

1. Create Docker file with the `apt-get dist-upgrade`
2. Run trivy

Target

Filesystem

Scanner

None

Output Format

None

Mode

None

Debug Output

2024-11-28T17:09:05Z	DEBUG	No plugins loaded
2024-11-28T17:09:05Z	DEBUG	Default config file "file_path=trivy.yaml" not found, using built in values
2024-11-28T17:09:05Z	DEBUG	Cache dir	dir=".trivy"
2024-11-28T17:09:05Z	DEBUG	Cache dir	dir=".trivy"
2024-11-28T17:09:05Z	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-11-28T17:09:05Z	WARN	'--scanners config' is deprecated. Use '--scanners misconfig' instead. See https://github.com/aquasecurity/trivy/discussions/5586 for the detail.
2024-11-28T17:09:05Z	DEBUG	Ignore statuses	statuses=[]
2024-11-28T17:09:05Z	DEBUG	[vulndb] There is no valid metadata file	err="unable to open a file: open .trivy/db/metadata.json: no such file or directory"
2024-11-28T17:09:05Z	INFO	[vulndb] Need to update DB
2024-11-28T17:09:05Z	DEBUG	[vulndb] No metadata file
2024-11-28T17:09:05Z	INFO	[vulndb] Downloading vulnerability DB...
2024-11-28T17:09:05Z	INFO	[vulndb] Downloading artifact...	repo="mirror.gcr.io/aquasec/trivy-db:2"
26.44 MiB / 56.42 MiB [---------------------------->________________________________] 46.86% ? p/s ?56.42 MiB / 56.42 MiB [----------------------------------------------------------->] 100.00% ? p/s ?56.42 MiB / 56.42 MiB [----------------------------------------------------------->] 100.00% ? p/s ?56.42 MiB / 56.42 MiB [---------------------------------------------->] 100.00% 49.96 MiB p/s ETA 0s56.42 MiB / 56.42 MiB [---------------------------------------------->] 100.00% 49.96 MiB p/s ETA 0s56.42 MiB / 56.42 MiB [---------------------------------------------->] 100.00% 49.96 MiB p/s ETA 0s56.42 MiB / 56.42 MiB [---------------------------------------------->] 100.00% 46.74 MiB p/s ETA 0s56.42 MiB / 56.42 MiB [---------------------------------------------->] 100.00% 46.74 MiB p/s ETA 0s56.42 MiB / 56.42 MiB [---------------------------------------------->] 100.00% 46.74 MiB p/s ETA 0s56.42 MiB / 56.42 MiB [---------------------------------------------->] 100.00% 43.72 MiB p/s ETA 0s56.42 MiB / 56.42 MiB [---------------------------------------------->] 100.00% 43.72 MiB p/s ETA 0s56.42 MiB / 56.42 MiB [-------------------------------------------------] 100.00% 27.46 MiB p/s 2.3s2024-11-28T17:09:08Z	INFO	[vulndb] Artifact successfully downloaded	repo="mirror.gcr.io/aquasec/trivy-db:2"
2024-11-28T17:09:08Z	DEBUG	Updating database metadata...
2024-11-28T17:09:08Z	DEBUG	DB info	schema=2 updated_at=2024-11-28T12:17:25.022187652Z next_update=2024-11-29T12:17:25.022187241Z downloaded_at=2024-11-28T17:09:08.920006572Z
2024-11-28T17:09:08Z	DEBUG	[pkg] Package types	types=[os library]
2024-11-28T17:09:08Z	DEBUG	[pkg] Package relationships	relationships=[unknown root direct indirect]
2024-11-28T17:09:08Z	INFO	[vuln] Vulnerability scanning is enabled
2024-11-28T17:09:08Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-11-28T17:09:08Z	DEBUG	[misconfig] Failed to open the check metadata	err="open .trivy/policy/metadata.json: no such file or directory"
2024-11-28T17:09:08Z	INFO	[misconfig] Need to update the built-in checks
2024-11-28T17:09:08Z	INFO	[misconfig] Downloading the built-in checks...
2024-11-28T17:09:08Z	DEBUG	[misconfig] Loading check bundle	repository="ghcr.io/aquasecurity/trivy-checks:1"
160.25 KiB / 160.25 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2024-11-28T17:09:09Z	DEBUG	[misconfig] Digest of the built-in checks	digest="sha256:34fe41b4f92a89202ffe7f94c158884fe633a45751706735ebadce7a96ec7dec"
2024-11-28T17:09:09Z	DEBUG	[misconfig] Checks successfully loaded from disk
2024-11-28T17:09:09Z	DEBUG	Enabling misconfiguration scanners	scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-11-28T17:09:09Z	DEBUG	Initializing scan cache...	type="memory"
2024-11-28T17:09:09Z	DEBUG	Skipping path	path=".git"
2024-11-28T17:09:09Z	DEBUG	[misconfig] Scanning files for misconfigurations...	scanner="Helm"
2024-11-28T17:09:09Z	DEBUG	[rego] Overriding filesystem for checks
2024-11-28T17:09:09Z	DEBUG	[rego] Embedded libraries are loaded	count=15
2024-11-28T17:09:10Z	DEBUG	[rego] Embedded checks are loaded	count=509
2024-11-28T17:09:10Z	DEBUG	[rego] Checks from disk are loaded	count=524
2024-11-28T17:09:10Z	DEBUG	[rego] Overriding filesystem for data
2024-11-28T17:09:10Z	DEBUG	[misconfig] Scanning files for misconfigurations...	scanner="Dockerfile"
2024-11-28T17:09:10Z	DEBUG	[rego] Overriding filesystem for checks
2024-11-28T17:09:10Z	DEBUG	[rego] Embedded libraries are loaded	count=15
2024-11-28T17:09:10Z	DEBUG	[rego] Embedded checks are loaded	count=509
2024-11-28T17:09:11Z	DEBUG	[rego] Checks from disk are loaded	count=524
2024-11-28T17:09:11Z	DEBUG	[rego] Overriding filesystem for data
2024-11-28T17:09:11Z	DEBUG	[dockerfile scanner] Scanning files...	count=2
2024-11-28T17:09:11Z	DEBUG	[rego] Scanning inputs	count=2
2024-11-28T17:09:11Z	WARN	[pip] Unable to find python `site-packages` directory. License detection is skipped.	err="unable to find path to Python executable"
2024-11-28T17:09:11Z	DEBUG	OS is not detected.
2024-11-28T17:09:11Z	DEBUG	Detected OS: unknown
2024-11-28T17:09:11Z	INFO	Number of language-specific files	num=0
2024-11-28T17:09:11Z	INFO	Detected config files	num=2
2024-11-28T17:09:11Z	DEBUG	Scanned config file	file_path="Dockerfile"
2024-11-28T17:09:11Z	DEBUG	Scanned config file	file_path=".devcontainer/Dockerfile"
2024-11-28T17:09:11Z	DEBUG	Found an ignore file	file_path=".trivyignore"
2024-11-28T17:09:11Z	DEBUG	Ignored	id="DS002" target=".devcontainer/Dockerfile"
2024-11-28T17:09:11Z	DEBUG	Ignored	id="DS017" target=".devcontainer/Dockerfile"
2024-11-28T17:09:11Z	DEBUG	Ignored	id="DS026" target=".devcontainer/Dockerfile"
2024-11-28T17:09:11Z	DEBUG	Ignored	id="DS029" target=".devcontainer/Dockerfile"
2024-11-28T17:09:11Z	DEBUG	Ignored	id="DS002" target="Dockerfile"
2024-11-28T17:09:11Z	DEBUG	Ignored	id="DS017" target="Dockerfile"
2024-11-28T17:09:11Z	DEBUG	Ignored	id="DS026" target="Dockerfile"
2024-11-28T17:09:11Z	DEBUG	Ignored	id="DS029" target="Dockerfile"
2024-11-28T17:09:11Z	DEBUG	[vex] VEX filtering is disabled

Dockerfile (dockerfile)
=======================
Tests: 24 (SUCCESSES: 23, FAILURES: 1)
Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

AVD-DS-0024 (HIGH): 'apt-get dist-upgrade' should not be used in Dockerfile
════════════════════════════════════════
'apt-get dist-upgrade' upgrades a major version so it doesn't make more sense in Dockerfile.

See https://avd.aquasec.com/misconfig/ds024
────────────────────────────────────────
 Dockerfile:33-40
────────────────────────────────────────
  33 ┌ RUN \
  34 │     if which apk > /dev/null; then \
  35 │         apk upgrade --no-cache ;\
  36 │     else \
  37 │         apt-get -y update ;\
  38 │         apt-get -y dist-upgrade ;\
  39 │         rm -rf /var/lib/apt/lists/* ;\
  40 └     fi
────────────────────────────────────────

Operating System

docker.io/aquasec/trivy

Version

0.57.1

Checklist

• Run trivy clean --all
• Read the troubleshooting

[nikpivkin]

@simar7 In general, I agree with @nE0sIghT. I haven't seen a recommendation to avoid dist-upgrade in the security advisory. There used to be advice to avoid both upgrade and dist-upgrade, but that has now been removed. The only reason upgrade is preferred in non-interactive mode is that it doesn't install or remove packages.

[simar7]

I see - it makes sense to me as well. Actually the advice given in AVD-DS-0024 isn't very useful to begin with. Let's create an issue to deprecate this check.

[simar7]

thanks for the heads up @nE0sIghT - Track #8017