Create rule S6497[Docker]: Using a container image based on its diges…

…t is security-sensitive (APPSEC-443) (#1515)
SonarSource · Feb 9, 2023 · 0c88ad0 · 0c88ad0
1 parent 8656528
commit 0c88ad0
Show file tree

Hide file tree

Showing 3 changed files with 99 additions and 0 deletions.
diff --git a/rules/S6497/docker/metadata.json b/rules/S6497/docker/metadata.json
@@ -0,0 +1,25 @@
+{
+  "title": "Pulling an image based on its digest is security-sensitive",
+  "type": "SECURITY_HOTSPOT",
+  "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "15min"
+  },
+  "tags": [
+    "dockerfile",
+    "cwe"
+  ],
+  "defaultSeverity": "Minor",
+  "ruleSpecification": "RSPEC-6497",
+  "sqKey": "S6497",
+  "scope": "Main",
+  "securityStandards": {
+      "CWE": [
+      1329
+    ]
+  },
+  "defaultQualityProfiles": [
+    "Sonar way"
+  ]
+}
diff --git a/rules/S6497/docker/rule.adoc b/rules/S6497/docker/rule.adoc
@@ -0,0 +1,72 @@
+A container image digest uniquely and immutably identifies a container image. 
+A tag, on the other hand, is a mutable reference to a container image.
+
+This tag can be updated to point to another version of the container at any point in time. +
+In general, the use of image digests instead of tags is intended to keep
+determinism stable within a system or infrastructure for reliability reasons.
+
+The problem is that pulling such an image prevents the resulting container from 
+being updated or patched in order to remove vulnerabilities or significant bugs. 
+
+
+
+== Ask Yourself Whether
+
+* You expect to receive security updates of the base image.
+
+There is a risk if you answer yes to this question.
+
+== Recommended Secure Coding Practices
+
+Containers should get the latest security updates. If there is a need for determinism, 
+the solution is to find tags that are not as prone to change as `latest` or 
+https://github.com/docker-library/faq#whats-the-difference-between-shared-and-simple-tags[shared tags].
+
+To do so, favor a more precise tag that uses https://semver.org/[semantic versioning] and target a major version, for example.
+
+
+== Sensitive Code Example
+
+[source,docker]
+----
+FROM mongo@sha256:8eb8f46e22f5ccf1feb7f0831d02032b187781b178cb971cd1222556a6cee9d1
+
+RUN echo ls
+----
+
+== Compliant Solution
+
+
+Here, mongo:6.0 is better than using a digest, and better than using a more precise version, such as 6.0.4,
+because it would prevent 6.0.5 security updates:
+
+[source,docker]
+----
+FROM mongo:6.0
+
+RUN echo ls
+----
+
+== See
+
+* https://github.com/safe-waters/docker-lock[Docker-Lock]
+* https://cloud.google.com/kubernetes-engine/docs/archive/using-container-image-digests-in-kubernetes-manifests#recommendations[Skaffold, kpt, digester, kustomize, gke-deploy, ko, and Bazel]
+* https://cloud.google.com/kubernetes-engine/docs/archive/using-container-images[GKE, Using Container Image Digests]
+* https://docs.openshift.com/container-platform/3.11/architecture/core_concepts/builds_and_image_streams.html#image-streams[OpenShift, Builds and Image Streams]
+
+ifdef::env-github,rspecator-view[]
+
+'''
+== Implementation Specification
+(visible only on this page)
+
+=== Message
+
+Setting a digest will prevent receiving updates of the base image. Make sure it is safe here.
+
+=== Highlighting
+
+* Presence of a digest: The digest
+
+endif::env-github,rspecator-view[]
+
diff --git a/rules/S6497/metadata.json b/rules/S6497/metadata.json
@@ -0,0 +1,2 @@
+{
+}