Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(misconf): disable DS016 check for image history analyzer #7540

Merged
merged 1 commit into from
Sep 30, 2024
Merged

fix(misconf): disable DS016 check for image history analyzer #7540

merged 1 commit into from
Sep 30, 2024

Conversation

nikpivkin
Copy link
Contributor

@nikpivkin nikpivkin commented Sep 18, 2024
edited
Loading

Description

Related issues

Related PRs

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).

@nikpivkin
fix(misconf): disable DS016 check for image history analyzer
33e2436 
Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
@nikpivkin nikpivkin marked this pull request as ready for review September 28, 2024 12:31
knqyf263
knqyf263 approved these changes Sep 30, 2024
View reviewed changes
Copy link
Collaborator

@knqyf263 knqyf263 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

:shipit:

@knqyf263 knqyf263 added this pull request to the merge queue Sep 30, 2024
@DmitriyLewen
Copy link
Contributor

DmitriyLewen commented Sep 30, 2024
edited
Loading

@knqyf263 @nikpivkin
maybe i am missing something, but is it correct to just skip AVD-DS-0011?

Maybe we can improve our GuessBaseImageIndex logic or at least write in the documentation that we skip this check for "--image-config-scanners misconfig"

@knqyf263
Copy link
Collaborator

Since the logic is based on the assumption that the CMD is set correctly and infers the base layer, it would be difficult to detect cases where the CMD is set incorrectly, as in the AVD-DS-0011 rule.

or at least write in the documentation that we skip this check for "--image-config-scanners misconfig"

Agreed, we should show a debug message about disabled check IDs. And document maybe.

Merged via the queue into aquasecurity:main with commit de40df9 Sep 30, 2024
13 checks passed
@aqua-bot aqua-bot mentioned this pull request Sep 30, 2024
Merged
@nikpivkin nikpivkin deleted the disable-DS016 branch September 30, 2024 05:12
@nikpivkin
Copy link
Contributor Author

@DmitriyLewen @knqyf263 That's reasonable. I'll create a PR for that.

@DmitriyLewen
Copy link
Contributor

it would be difficult to detect cases where the CMD is set incorrectly

hmm... you are right. If user has set 2 (or more) CMDs incorrectly - we can't guess the base layer correctly.
But it seems there is no way to solve such problems 😞

@knqyf263
Copy link
Collaborator

But it seems there is no way to solve such problems 😞

Yes, I didn't come up with a good idea, then I decided to disable it until we find a good approach.

@nikpivkin nikpivkin mentioned this pull request Oct 14, 2024
Merged
6 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@knqyf263 knqyf263 knqyf263 approved these changes

@DmitriyLewen DmitriyLewen Awaiting requested review from DmitriyLewen DmitriyLewen is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

bug(misconf): Apply AVD-DS-0016 only to final layer
3 participants
@nikpivkin @DmitriyLewen @knqyf263