modify DKL-DI-0003 (#112)

* remove alerts for upgrade and relabel dist-upgrade to warn level
goodwithtech · Apr 23, 2021 · ed895e7 · ed895e7
1 parent 94101bd
commit ed895e7
Show file tree

Hide file tree

Showing 5 changed files with 27 additions and 17 deletions.
diff --git a/CHECKPOINT.md b/CHECKPOINT.md
@@ -142,11 +142,12 @@ Currently, `Dockle` checks following directories:
 
 
 ### DKL-DI-0003
-**Avoid `apt-get upgrade`, `apk upgrade`, `dist-upgrade`**
+**Avoid `apt-get dist-upgrade`**
 
-- https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#apt-get
+https://github.com/docker/docker.github.io/pull/12571
 
-    > Avoid `RUN apt-get upgrade` and `dist-upgrade`, as many of the “essential” packages from the parent images cannot upgrade inside an unprivileged container.
+~~https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#apt-get~~
+~~Avoid `RUN apt-get upgrade` and `dist-upgrade`, as many of the “essential” packages from the parent images cannot upgrade inside an unprivileged container.~~
 
 ### DKL-DI-0004
 **Use `apk add` with `--no-cache`**

diff --git a/README.md b/README.md
@@ -258,7 +258,7 @@ $ docker run --rm goodwithtech/dockle:v${DOCKLE_LATEST} [YOUR_IMAGE_NAME]
 || [Dockle Checkpoints for Docker](CHECKPOINT.md#dockle-checkpoints-for-docker) |
 | [DKL-DI-0001](CHECKPOINT.md#dkl-di-0001) | Avoid `sudo` command | FATAL
 | [DKL-DI-0002](CHECKPOINT.md#dkl-di-0002) | Avoid sensitive directory mounting | FATAL
-| [DKL-DI-0003](CHECKPOINT.md#dkl-di-0003) | Avoid `apt-get upgrade`, `apk upgrade`, `dist-upgrade` | FATAL
+| [DKL-DI-0003](CHECKPOINT.md#dkl-di-0003) | Avoid `apt-get dist-upgrade` | WARN
 | [DKL-DI-0004](CHECKPOINT.md#dkl-di-0004) | Use `apk add` with `--no-cache` | FATAL
 | [DKL-DI-0005](CHECKPOINT.md#dkl-di-0005) | Clear `apt-get` caches | FATAL
 | [DKL-DI-0006](CHECKPOINT.md#dkl-di-0006) | Avoid `latest` tag | WARN

diff --git a/pkg/assessor/manifest/manifest.go b/pkg/assessor/manifest/manifest.go
@@ -162,7 +162,7 @@ func assessHistory(index int, cmd types.History) []*types.Assessment {
 		assesses = append(assesses, &types.Assessment{
 			Code:     types.AvoidDistUpgrade,
 			Filename: ConfigFileName,
-			Desc:     fmt.Sprintf("Avoid upgrade in container : %s", cmd.CreatedBy),
+			Desc:     fmt.Sprintf("Avoid dist-upgrade in container : %s", cmd.CreatedBy),
 		})
 	}
 	if useSudo(cmdSlices) {
@@ -188,10 +188,7 @@ func useSudo(cmdSlices map[int][]string) bool {
 
 func useDistUpgrade(cmdSlices map[int][]string) bool {
 	for _, cmdSlice := range cmdSlices {
-		if containsThreshold(cmdSlice, []string{"apt-get", "apt", "apk", "dist-upgrade"}, 2) {
-			return true
-		}
-		if containsThreshold(cmdSlice, []string{"apt-get", "apt", "apk", "upgrade"}, 2) {
+		if containsThreshold(cmdSlice, []string{"apt-get", "apt", "dist-upgrade"}, 2) {
 			return true
 		}
 	}

diff --git a/pkg/assessor/manifest/manifest_test.go b/pkg/assessor/manifest/manifest_test.go
@@ -343,19 +343,31 @@ func TestUseDistUpgrade(t *testing.T) {
 					"apt-get", "upgrade",
 				},
 			},
-			expected: true,
+			expected: false,
 		},
 		"UseAptUpgrade": {
 			cmdSlices: map[int][]string{
 				0: {"apt", "upgrade"},
 				1: {"addgroup", "--system", "--gid", "101", "nginx"},
 			},
+			expected: false,
+		},
+		"UseDistUpgrade": {
+			cmdSlices: map[int][]string{
+				0: {"apt-get", "dist-upgrade"},
+			},
 			expected: true,
 		},
-		"NoAptUpgrade": {
+		"UseAptDistUpgrade": {
+			cmdSlices: map[int][]string{
+				0: {"apt", "dist-upgrade"},
+			},
+			expected: true,
+		},
+
+		"NoAptDistUpgrade": {
 			cmdSlices: map[int][]string{
-				0: {"pip", "install", "--upgrade", "pip", "setuptools"},
-				1: {"pip", "install", "upgrade", "pip", "setuptools"},
+				0: {"somecommand", "dist-upgrade", "pip", "setuptools"},
 			},
 			expected: false,
 		},

diff --git a/pkg/types/checkpoint.go b/pkg/types/checkpoint.go
@@ -45,7 +45,7 @@ var DefaultLevelMap = map[string]int{
 
 	AvoidSudo:                       FatalLevel,
 	AvoidSensitiveDirectoryMounting: FatalLevel,
-	AvoidDistUpgrade:                FatalLevel,
+	AvoidDistUpgrade:                WarnLevel,
 	UseApkAddNoCache:                FatalLevel,
 	MinimizeAptGet:                  FatalLevel,
 	AvoidLatestTag:                  WarnLevel,
@@ -66,9 +66,9 @@ var TitleMap = map[string]string{
 	AvoidCredential:                 "Do not store credential in ENVIRONMENT vars/files",
 	AvoidSudo:                       "Avoid sudo command",
 	AvoidSensitiveDirectoryMounting: "Avoid sensitive directory mounting",
-	AvoidDistUpgrade:                "Avoid apt-get/apk/dist-upgrade",
-	UseApkAddNoCache:                "Use apk add with --no-cache",
-	MinimizeAptGet:                  "Clear apt-get caches",
+	AvoidDistUpgrade:                `Avoid "apt-get dist-upgrade"`,
+	UseApkAddNoCache:                `Use "apk add" with --no-cache`,
+	MinimizeAptGet:                  `Clear apt-get caches`,
 	AvoidLatestTag:                  "Avoid latest tag",
 	AvoidEmptyPassword:              "Avoid empty password",
 	AvoidDuplicateUserGroup:         "Be unique UID/GROUP",