"Omitting --ignore-scripts can lead to execution of shell scripts"

faheemgani · May 2, 2023, 11:03am

We are currently getting a vulnerability that is being flagged in our Dockerfile several times - each time that the word ‘yarn’ appears within the Dockerfile.

The recommendation is to append --ignore-scripts to disable the execution of post-install scripts - however - as far as I can tell the --ignore-scripts can only be appended to the yarn install command, not other commands such as apk add yarn or yarn test:coverage

Is this a bug in the scanner itself?

Nils_Werner · May 2, 2023, 12:12pm

Hi @faheemgani,

indeed, this is a false positive and we will fix this issue in the next release.
I created a ticket so you can track the process.

Best,
Nils

system · May 11, 2023, 1:24pm

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
False positive for docker:s6505 for yarn berry (yarn 2 and later) Report False-positive / False-negative... docker	3	50	August 22, 2024
False positives for rules when using yarn PnP configuration in monorepo SonarQube Cloud typescript , coverage , sonarqube-cloud	6	293	June 7, 2024
Excluded files marked are still being analyzed regardless SonarQube Server / Community Build	4	175	June 7, 2024
Scratch not excluded from docker image tag rule Report False-positive / False-negative... sonarqube , rules , built-in	2	485	January 5, 2024
Export const... not coverd by tests SonarQube Cloud typescript , coverage , sonarqube-cloud	7	1837	May 16, 2022

"Omitting --ignore-scripts can lead to execution of shell scripts"

Related topics