Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fixed the dockerfile.security.missing-user rule #3438

Closed

Conversation

saghaulor
Copy link

@saghaulor saghaulor commented Jul 26, 2024

  • The previous version of this rule would have false positives on
HEALTHCHECK ... \
  CMD ...
ENTRYPOINT ...

and

HEALTHCHECK ... \
CMD ...
ENTRYPOINT ...

It doesn't really make sense to flag on the CMD sub-directive of the HEALTHCHECK
directive since there's very little chance that the application could be compromised
via the HEALTHCHECK and then gain root access. This false positive creates a lot of noise
and therefore we're addressing it.

FROM busybox
ENTRYPOINT ["some-command"]
CMD ["--some-arg"]
  • The autofix arguments have changed because technically it doesn't matter
    where in the Dockerfile the USER directive is specified, insofar as the
    last specified USER is non-root. Previously, the autofix would attempt
    to add the USER directive above the CMD or ENTRYPOINT directives.
    However, since either or both of these can appear, we're not going to
    specify the CMD or ENTRYPOINT directive in the fix.
  • Cleaned up some of the test files to remove invalid syntax like calling CMD twice
  • Fixes dockerfile.security.missing-user has a false positive related to HEALTHCHECK CMD #3436

@CLAassistant
Copy link

CLAassistant commented Jul 26, 2024

CLA assistant check
All committers have signed the CLA.

@saghaulor saghaulor force-pushed the fix_dockerfile_missing_user branch 3 times, most recently from 965c154 to 0aede95 Compare July 28, 2024 19:36
- Fixed a bug where the previous version of this rule would have false positives on
```
HEALTHCHECK ... \
  CMD ...
ENTRYPOINT ...
```
and
```
HEALTHCHECK ... \
CMD ...
ENTRYPOINT ...
```
  It doesn't really make sense to flag on the CMD sub-directive of the HEALTHCHECK
  directive since there's very little chance that the application could be compromised
  via the HEALTHCHECK and then gain root access. This false positive creates a lot of noise
  and therefore we're addressing it.
- There was a separate rule for ENTRYPOINT, which doesn't really make sense,
  since CMD and ENTRYPOINT can be used in the same Dockerfile,
  as per https://docs.docker.com/reference/dockerfile/#exec-form-entrypoint-example
  Therefore, the rule was removed
- Fixed the bug that will create two findings for a Dockerfile like this
```
FROM busybox
ENTRYPOINT ["some-command"]
CMD ["--some-arg"]
```
- The autofix arguments have changed because technically it doesn't matter
  where in the Dockerfile the USER directive is specified, insofar as the
  last specified USER is non-root. Previously, the autofix would attempt
  to add the USER directive above the CMD or ENTRYPOINT directives.
  However, since either or both of these can appear, we're not going to
  specify the CMD or ENTRYPOINT directive in the fix.
- Cleaned up some of the test files to remove invalid syntax like calling CMD twice
- Fixes semgrep#3436
@saghaulor saghaulor force-pushed the fix_dockerfile_missing_user branch from 0aede95 to 283b70f Compare August 1, 2024 23:35
@p4p3r
Copy link
Collaborator

p4p3r commented Aug 2, 2024

Hello @saghaulor and thanks for your contribution!
The rules were indeed split to allow to add a fix. Your fix will not work because the way it works is that Semgrep replaces the whole match whatever is specified by the fix key: in your case it will replace, for instance, ENTRYPOINT "semgrep --config p/xss" with USER non-root!

I would suggest to keep the rules separated but rewrite the one about the CMD to match it only when ENTRYPOINT is not present:

As you can notice, in the missin-user rule, I'm using a slightly different (and more straightforward) way to make sure I don't match the HEALTCHECK command. This is not going to be working right now, but it will as soon as a new Semgrep release is published next week (this is the relevant change that I'm waiting for: semgrep/semgrep@c697cdf).
This should allow us to reduce FPs without regexes :-)

@p4p3r
Copy link
Collaborator

p4p3r commented Aug 2, 2024

Also, the way Semgrep's testsuite works is that it will match rule file name and test file name. In your PR, dockerfile/security/missing-user-entrypoint-cmd.dockerfile doesn't have a matching rule file (that would be dockerfile/security/missing-user-entrypoint-cmd.yaml), so it will be ignored.

@saghaulor
Copy link
Author

@p4p3r thanks for the context and the engine fix, I definitely wasn't excited about using regexes for the solution. I just tested it out and it's not longer triggering false positives on the HEALTHCHECK ... CMD directives. It's also not triggering the missing-user rule for Dockerfiles with ENTRYPOINT and CMD.

Do you agree that these are valid dockerfiles?

FROM busybox

COPY thing /usr/bin/thing

ENTRYPOINT ["/usr/bin/thing"]

USER non-root
FROM busybox

COPY thing /usr/bin/thing

CMD ["/usr/bin/thing"]

USER non-root

My understanding is that the ENTRYPOINT and/or CMD will be executed as user non-root as it is the last declared user, and if so, there's still a bug in the rule. If my understanding is correct, then that means that there will be false positives related to the above examples.

Also, have y'all considered restructuring how your test suite applies to rules? It seems that currently it will necessitate creating new rules for edge cases, or creating test files that are not valid to include edge cases so that you don't have to introduce new rules.

Overall, I think most of the false positives have been addressed, but the above examples will still mean that at least one false positive exists (assuming that I have understood dockerfiles correctly).

@saghaulor
Copy link
Author

I've opened a new PR that addresses the bug related to a USER directive not being recognized after a CMD or ENTRYPOINT directive. I felt like it was better to do it that way so that we can keep the context of this conversation but not make the PR confusing, since this conversation was about the HEALTHCHECK issue and the new PR is about the aforementioned bug.

@saghaulor saghaulor closed this Aug 9, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Development

Successfully merging this pull request may close these issues.

dockerfile.security.missing-user has a false positive related to HEALTHCHECK CMD
3 participants