Use dumb-init for all Docker based analyzers
Summary
When a Docker container is started with a CMD directive, the given command becomes PID 1 in the container and receives every signal sent to the container; however, none of our analyzers currently implement signal handling.
This can be problematic if, for example, a container is started without the -it flags (-t: allocate a pseudo-TTY, -i: keep STDIN open even if not attached), since it then won't be possible to kill the container with Ctrl-C. For more details on this, please see this discussion.
To allow our analyzers to respond to signals properly, regardless of which flags are used to start the container, we should use dumb-init to launch our analyzers. From the dumb-init documentation:
Omitting an init system often leads to incorrect handling of processes and signals, and can result in problems such as containers which can’t be gracefully stopped, or leaking containers which should have been destroyed.
dumb-init is simple to use and solves many of these problems: you can just add it to the front of any container’s command, and it will take on the role of PID 1 for itself. It immediately spawns your process as PID ~2, and then proxies on any signals it receives. This helps to avoid special kernel behavior applied to PID 1, while also handling regular responsibilities of the init system (like reaping orphaned zombie processes).
The dumb-init command can be added to our projects by adding the following line to the Dockerfile:
RUN apk --no-cache --update add dumb-init
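Installing the package is only half of the change: as the quoted documentation says, dumb-init must also be put in front of the container's command so that it, not the analyzer, becomes PID 1. The following Dockerfile is an added example, not taken from the issue or from any analyzer project; it assumes an Alpine base image, a hypothetical analyzer binary at /analyzer, and that apk installs the binary at /usr/bin/dumb-init.

```dockerfile
# Added example (not from the issue or any analyzer project).
# Assumptions: Alpine base image, hypothetical analyzer binary at /analyzer,
# and the apk package placing the binary at /usr/bin/dumb-init.
FROM alpine:3.18

# The line proposed in the issue: install dumb-init from the Alpine repos.
RUN apk --no-cache --update add dumb-init

COPY analyzer /analyzer

# Before: the analyzer itself is PID 1. Signals it has no handler for
# (SIGINT from Ctrl-C without -it, SIGTERM from `docker stop`) are not
# acted on, so the container only dies when Docker falls back to SIGKILL.
# ENTRYPOINT ["/analyzer"]
# CMD ["run"]

# After: dumb-init is PID 1, spawns the analyzer as its child, forwards
# every signal it receives to that child and reaps orphaned zombies.
# Exec (JSON) form is required: a shell form would insert /bin/sh as PID 1
# and defeat the purpose. "--" ends dumb-init's own option parsing.
ENTRYPOINT ["/usr/bin/dumb-init", "--"]
CMD ["/analyzer", "run"]
```

To check the result, start the image with `docker run --rm <image>` (no -it) in one terminal and run `docker stop <container>` in another: with dumb-init in place the container exits on SIGTERM immediately instead of waiting out the stop grace period until SIGKILL.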
The following projects will need to be updated to make use of dumb-init:
- gemnasium
- kubesec
- pmd-apex
- sobelow
- spotbugs
- secrets
- eslint
- gemnasium-maven
- gemnasium-python
- retire.js
- bundler-audit
- security-code-scan
- gosec
- nodejs-scan
- phpcs-security-audit
- brakeman
- bandit
- flawfinder
- semgrep
Improvements
After this change, if a container is started without the -it flags (-t: allocate a pseudo-TTY, -i: keep STDIN open even if not attached), the container will still respond to signals and can be killed by sending SIGINT with Ctrl-C. Without this change, it's not possible to kill a running container using Ctrl-C.