Quality Gate Passed on PR having a security issue in Dockerfile

  • ALM used: Azure DevOps

  • CI system used: SonarCloud paid plan - Azure DevOps

  • Languages of the repository
    Only a Dockerfile in repository

  • Error observed (wrap logs/code around with triple quotes ``` for proper formatting)

First of all, Thank you for having corrected the problem in this topic: Dockerfile indexed with language 'null'

My problem is still linked to the Dockerfile

SonarCloud indexes and treats my file, but although it has a security error, the quality gate does not identify it.

My quality gate has the rule active, and does not recognize the problem, neither from a pull request, nor from my main branch or a scan on main main branch directly.

In the analysis, the new lines are recognized as new lines of code but are not classified as High Severity, as described in rule docker:S6437 (Credentials should not be hard-coded).

I would like to know if it is an error on my part or if there is really a problem in the service.

  • Steps to reproduce

Current lignes in my Dockerfile on main branch

FROM ***.jfrog.io/dotnet/sdk:6.0 AS BuildEnv
RUN dotnet new webapp
RUN dotnet publish -c Release -o output
FROM ***.jfrog.io/dotnet/runtime:6.0-alpine3.17
COPY --from=BuildEnv /app/output .
ENTRYPOINT [ "dotnet" , "app.dll" ]

New incoming lignes in my Dockerfile in Pull Request

FROM ***.jfrog.io/dotnet/sdk:6.0 AS BuildEnv

# Noncompliant
RUN ssh-keygen -N "passphrase" -t rsa -b 2048 -f /etc/ssh/rsa_key
RUN /example.sh --ssh /etc/ssh/rsa_key

RUN dotnet new webapp
RUN dotnet publish -c Release -o output
FROM ***.jfrog.io/dotnet/runtime:6.0-alpine3.17
COPY --from=BuildEnv /app/output .
ENTRYPOINT [ "dotnet" , "app.dll" ]

Yaml Pipeline

trigger: none

  vmImage: ubuntu-latest

- checkout: self 
  fetchDepth: 0
- task: SonarCloudPrepare@1
    SonarCloud: '***'
    organization: '***'
    scannerMode: 'CLI'
    configMode: 'manual'
    cliProjectKey: '***'
    cliProjectName: '***'
    cliSources: 'SonarCloud/sonar-docker'
    extraProperties: |

- task: SonarCloudAnalyze@1
  displayName: 'Run SonarCloud analysis'

- task: SonarCloudPublish@1
  displayName: 'Publish results on build summary'

Thank you very much for your help

Hello @juanfer007

thanks for raising this topic and adding the proper reproducer.

The SonarCloud analysis behaves correctly in this case, as the Dockerfile you provided should not raise an issue on the ssh-keygen command.

In S6437 we only consider raising issues in the last image of a Dockerfile, as it’s the only image that gets published.
Using this ssh-keygen command in the first (and not last image) of a Dockerfile – like in your example – is safe here, as the key itself will only be set in this image and not be reused.

We changed this behavior in the current release of the Docker-Analyzer to reduce the amount of False-positives. So in older versions, this may still be detected.

Looking at rule S6437, we will adapt the rule description to explicitly state this behavior, as it can lead to confusion.



Thanks for your reply @jonas.wielage

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.