Incorrect Vulnerability Attribution Due to Inheritance Check Shortcut
Severity: Low
Status: Open
Summary
A new security check enabled by the POPs team, designed to detect ADD instructions in Dockerfiles, is incorrectly triggering ABC penalties across Iron Bank images. This is happening because a legacy code shortcut prevents proper inheritance checking of certain vulnerabilities. The shortcut incorrectly assumes that any vulnerability marked “Gate: Dockerfile” originated within the current image, while the new check can detect ADD instructions within parent base images as well. A similar issue is impacting the inheritance of EXPOSE instructions in Dockerfiles.
Impact
Incorrect vulnerability scoring and penalties are being applied across Iron Bank, affecting both internal teams and vendors. This inaccurate scoring could lead to incorrect prioritization of security remediation efforts.
Root Cause
An existing code shortcut bypasses proper inheritance checking for vulnerabilities when both of the following hold:
- The vulnerability is detected by Anchore.
- The vulnerability description contains the text “Gate: Dockerfile”.
Workaround
Dao identified a configuration option that limits ADD instruction detection to the currently scanned Dockerfile. Enabling it would eliminate the immediate false positives.
Proposed Solution
- Remove the “Gate: Dockerfile” shortcut.
- Implement standard inheritance checking to correctly attribute vulnerabilities to either the current image or its base image.
Estimated fix complexity: Low (2-3 lines of code change)
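To make the root cause and the proposed fix concrete, here is an added illustration (not Iron Bank, Anchore or pipeline code; every name and finding below is hypothetical and the sample findings are constructed). The legacy function charges every “Gate: Dockerfile” finding to the current image, while the replacement runs the same inheritance comparison against the base image's findings for all finding types.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    trigger_id: str    # hypothetical scanner finding identifier
    description: str   # scanner description text, e.g. "Gate: Dockerfile ..."


def is_dockerfile_gate(finding):
    return "Gate: Dockerfile" in finding.description


def attribute_with_shortcut(image_findings, base_findings):
    """Legacy logic: a 'Gate: Dockerfile' finding is always charged to the
    current image, so the inheritance check is never reached for it."""
    base_ids = {f.trigger_id for f in base_findings}
    result = {}
    for f in image_findings:
        if is_dockerfile_gate(f):
            result[f.trigger_id] = "current"   # the shortcut being removed
        else:
            result[f.trigger_id] = "base" if f.trigger_id in base_ids else "current"
    return result


def attribute_by_inheritance(image_findings, base_findings):
    """Proposed logic: any finding, Dockerfile gate included, is inherited
    when the base image's own scan reports the same finding."""
    base_ids = {f.trigger_id for f in base_findings}
    return {f.trigger_id: ("base" if f.trigger_id in base_ids else "current")
            for f in image_findings}


# Constructed sample: the ADD finding comes from the base image's Dockerfile,
# the EXPOSE finding is introduced by the current image's own Dockerfile.
BASE_FINDINGS = [
    Finding("dockerfile-add-0001", "Gate: Dockerfile - ADD instruction used"),
    Finding("pkg-vuln-placeholder", "Constructed package vulnerability"),
]
IMAGE_FINDINGS = BASE_FINDINGS + [
    Finding("dockerfile-expose-0002", "Gate: Dockerfile - EXPOSE instruction used"),
]

if __name__ == "__main__":
    print("shortcut:   ", attribute_with_shortcut(IMAGE_FINDINGS, BASE_FINDINGS))
    print("inheritance:", attribute_by_inheritance(IMAGE_FINDINGS, BASE_FINDINGS))
```

With the shortcut, the inherited ADD finding is attributed to the current image and penalised there; with the inheritance check it is attributed to the base image, while the EXPOSE finding the image introduced itself remains its own.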
Next Steps
- Work with CHT to determine an appropriate remediation timeline based on the severity and impact of the issue.
- Implement Code Changes: Modify the code to remove the shortcut and enable proper inheritance checks.
- Testing: Thoroughly test the code changes to ensure correct vulnerability attribution, especially for ADD- and EXPOSE-related findings.
- Retrospective: Conduct a post-incident review to identify opportunities to improve vulnerability detection and inheritance processes.
Additional Notes
@zdick expressed concerns about whether the scoring methodology for inherited vulnerabilities needs review. This is a valid consideration for the Night's Watch team.