A docker compose file containing a service using an anonymous volume is reported by the query as having a sensitive host directory.
Anonymous volumes (like named volumes) don't mount host directories.
It seems the query assumes that, after attempting to split on a colon (when the volume value doesn't contain one), the first part is the host_path, when in this case it is actually the path mounted in the container: kics/assets/queries/dockerCompose/volume_has_sensitive_host_directory/query.rego
Expected Behavior
Anonymous volumes (like named volumes) should not be flagged by this query.
Actual Behavior
Anonymous volumes are flagged as having this vulnerability.
Steps to Reproduce the Problem
Scan a docker compose file with a fragment like:
services:
  frontend:
    volumes:
      - /usr/src/app/node_modules
Specifications
N/A
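An added example (not KICS's own code) of the distinction the report draws: parse the Compose short volume syntax, classify each entry as anonymous, named or bind, and only check the host side of bind mounts against a sensitive-directory list. The list, the `/etc/app-cache` entry and the service dict are constructed for this example; `buggy_flags` mirrors the split-and-take-first behaviour described above.

```python
import posixpath
from dataclasses import dataclass
from typing import Optional

# Constructed list for this example; the query's real list lives in query.rego.
SENSITIVE_HOST_DIRS = ("/", "/etc", "/root", "/proc", "/sys", "/var/run/docker.sock")

@dataclass(frozen=True)
class Volume:
    kind: str              # "anonymous", "named" or "bind"
    source: Optional[str]  # None for an anonymous volume
    target: str
    mode: Optional[str]

def parse_volume(entry: str) -> Volume:
    """Short syntax is [SOURCE:]TARGET[:MODE]; a lone path is an anonymous volume."""
    parts = entry.split(":")
    if len(parts) == 1:
        return Volume("anonymous", None, parts[0], None)
    source, target = parts[0], parts[1]
    mode = parts[2] if len(parts) > 2 else None
    # A source that looks like a path is a bind mount; anything else is a named volume.
    kind = "bind" if source.startswith(("/", "./", "../", "~")) else "named"
    return Volume(kind, source, target, mode)

def is_sensitive_host_path(path: str) -> bool:
    norm = posixpath.normpath(path)
    return any(norm == d or (d != "/" and norm.startswith(d + "/"))
               for d in SENSITIVE_HOST_DIRS)

def buggy_flags(entry: str) -> bool:
    """Mirrors the behaviour the report describes: the first element of the
    split is treated as host_path even when the entry has no colon at all."""
    return is_sensitive_host_path(entry.split(":")[0])

def fixed_flags(entry: str) -> bool:
    """Only a bind mount has a host side to check."""
    vol = parse_volume(entry)
    return vol.kind == "bind" and is_sensitive_host_path(vol.source)

def scan_services(services: dict) -> list:
    """Return (service, entry) pairs the corrected check flags."""
    return [(name, v) for name, svc in services.items()
            for v in svc.get("volumes", []) if fixed_flags(v)]

# Constructed compose fragment, as a dict so no YAML parser is needed.
SAMPLE_SERVICES = {
    "frontend": {"volumes": ["/usr/src/app/node_modules", "/etc/app-cache"]},
    "agent": {"volumes": ["/var/run/docker.sock:/var/run/docker.sock:ro", "build-cache:/cache"]},
}
```

The example assumes POSIX host paths; a Windows-style source such as `C:\data` contains a colon and would need separate handling.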