Anchore analysis returns a false positive error about `ADD` directive
Hello IB Team
I think we have discovered an anomaly in the tooling used for Dockerfile analysis, and especially Anchore.
Recently, it has reported a LOW severity in our projects, with the following message:
```
Dockerfile directive 'ADD' check 'exists' matched against '' for line 'file:37a76ec18f9887751cd8473744917d08b7431fc4085097bb6a09d81b41775473 in /' Gate: dockerfile Trigger: instruction Policy ID: DoDDockerfileChecks
```
And this on all our projects based on `alpine`:
However, NONE of our components uses the Docker `ADD` directive.
After investigation, we found it could be related to a confusion between the `ADD` directive from Docker and the subcommand `add` (lowercase) used by `apk`. We discovered that because only our `alpine`-based images were affected by this issue (direct or parent images like `nginx-alpine`).
See the experiment we have conducted on the same project:

- Dockerfile without `ADD` but with `apk … add` → CI detects it as a vulnerability (code)
- Dockerfile without `ADD` and with `apk … add` removed → CI doesn't detect any issue (diff)
- Dockerfile without `ADD` and with `apk add` (without a word between them) → CI doesn't detect any issue (diff)
So we think it's a false positive in the Anchore rule when `apk` and `add` are separated by parameters, as is usually the case in our Dockerfiles, which typically use `apk --update-cache --no-cache add …`.
We will justify it accordingly in VAT and use the syntax to avoid this anomaly, but it would be good to adjust anchore to avoid it.
Regards,
Kevin
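The check a reviewer would want when triaging a report like this is a proper instruction-level parse of the Dockerfile: the `ADD` instruction is the keyword at the start of a logical line, while `add` inside a `RUN` command is just a shell word handed to `apk`. The following is an added example written for this page, not code from the issue author, from Iron Bank or from Anchore, and it makes no claim about how Anchore matches internally. The two Dockerfiles are constructed for the example; `parse_instructions`, `uses_add_instruction` and `apk_add_commands` are hypothetical helper names.

```python
import re
from typing import Dict, List

# Constructed sample Dockerfiles (assumptions for this example, not from the issue).
# The first mirrors the reported pattern: no ADD instruction, but an apk
# subcommand 'add' separated from 'apk' by options, across a line continuation.
DOCKERFILE_APK_WITH_FLAGS = """\
FROM alpine:3.18
# install tooling; 'add' here is an apk subcommand, not a Dockerfile instruction
RUN apk --update-cache --no-cache add \\
        curl \\
        ca-certificates
COPY app /app
"""

# The second really does use ADD, so a correct check must still flag it.
DOCKERFILE_REAL_ADD = """\
FROM alpine:3.18
ADD --chown=app:app archive.tar.gz /opt/
RUN apk add curl
"""

# A Dockerfile instruction is the first word of a logical line (case-insensitive).
_INSTRUCTION_RE = re.compile(r"^\s*([A-Za-z]+)\s*(.*)$")


def parse_instructions(dockerfile: str) -> List[Dict[str, str]]:
    """Return the logical instructions of a Dockerfile as
    {"instruction": KEYWORD, "args": rest}. Handles comment lines, blank
    lines and backslash line continuations; parser directives
    (# syntax=...) and heredocs are out of scope for this example."""
    logical: List[str] = []
    buf = ""
    for raw in dockerfile.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # comments and blank lines are dropped, even inside a continuation
        stripped = raw.rstrip()
        if stripped.endswith("\\"):
            buf += stripped[:-1] + " "  # join continued line with the next one
            continue
        buf += stripped
        logical.append(buf)
        buf = ""
    if buf:  # dangling continuation at end of file
        logical.append(buf)

    out: List[Dict[str, str]] = []
    for line in logical:
        m = _INSTRUCTION_RE.match(line)
        if m:
            out.append({"instruction": m.group(1).upper(), "args": m.group(2).strip()})
    return out


def uses_add_instruction(dockerfile: str) -> List[str]:
    """Only lines whose instruction keyword is ADD, i.e. the real finding."""
    return [f"ADD {i['args']}" for i in parse_instructions(dockerfile)
            if i["instruction"] == "ADD"]


def apk_add_commands(dockerfile: str) -> List[str]:
    """Shell commands inside RUN instructions of the form
    'apk [options...] add ...'. These contain the word 'add' but are
    not the ADD instruction, so a Dockerfile linter must not count them."""
    hits: List[str] = []
    for inst in parse_instructions(dockerfile):
        if inst["instruction"] != "RUN":
            continue
        # split the shell command on &&, || and ; so each apk call is seen on its own
        for cmd in re.split(r"&&|\|\||;", inst["args"]):
            toks = cmd.split()
            if not toks or toks[0] != "apk":
                continue
            idx = 1
            while idx < len(toks) and toks[idx].startswith("-"):
                idx += 1  # skip apk options such as --update-cache --no-cache
            if idx < len(toks) and toks[idx] == "add":
                hits.append(" ".join(toks))
    return hits


if __name__ == "__main__":
    for name, df in (("apk-with-flags", DOCKERFILE_APK_WITH_FLAGS),
                     ("real-add", DOCKERFILE_REAL_ADD)):
        print(name, "ADD instructions:", uses_add_instruction(df))
        print(name, "apk add commands:", apk_add_commands(df))
```

Run against the first Dockerfile, `uses_add_instruction` returns nothing while `apk_add_commands` lists the `apk --update-cache --no-cache add curl ca-certificates` call, which is exactly the distinction the report asks the linter to make; the second Dockerfile still produces an `ADD` hit, so a genuine use of the instruction (which, unlike `COPY`, fetches URLs and auto-extracts archives) keeps being flagged.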