Skip to content

Commit

Permalink
feat(misconf): add support of buildkit instructions when building doc…
Browse files Browse the repository at this point in the history 
…kerfile from image config (#5990)
  • Loading branch information
@DmitriyLewen
DmitriyLewen committed Jan 25, 2024
1 parent e2eb70e commit adfde63
Show file tree
Hide file tree
Showing 2 changed files with 95 additions and 0 deletions.
9 changes: 9 additions & 0 deletions pkg/fanal/analyzer/imgconf/dockerfile/dockerfile.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -52,6 +52,15 @@ func (a *historyAnalyzer) Analyze(ctx context.Context, input analyzer.ConfigAnal
case strings.HasPrefix(h.CreatedBy, "/bin/sh -c"):
// RUN instruction
createdBy = strings.ReplaceAll(h.CreatedBy, "/bin/sh -c", "RUN")
case strings.HasSuffix(h.CreatedBy, "# buildkit"):
// buildkit instructions
// COPY ./foo /foo # buildkit
// ADD ./foo.txt /foo.txt # buildkit
// RUN /bin/sh -c ls -hl /foo # buildkit
createdBy = strings.TrimSuffix(h.CreatedBy, "# buildkit")
if strings.HasPrefix(h.CreatedBy, "RUN /bin/sh -c") {
createdBy = strings.ReplaceAll(createdBy, "RUN /bin/sh -c", "RUN")
}
case strings.HasPrefix(h.CreatedBy, "USER"):
// USER instruction
createdBy = h.CreatedBy
Expand Down
86 changes: 86 additions & 0 deletions pkg/fanal/analyzer/imgconf/dockerfile/dockerfile_test.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -94,6 +94,92 @@ func Test_historyAnalyzer_Analyze(t *testing.T) {
},
},
},
{
name: "happy path with buildkit instructions",
input: analyzer.ConfigAnalysisInput{
Config: &v1.ConfigFile{
Config: v1.Config{
Healthcheck: &v1.HealthConfig{
Test: []string{"CMD-SHELL", "curl --fail http://localhost:3000 || exit 1"},
Interval: time.Second * 10,
Timeout: time.Second * 3,
},
},
History: []v1.History{
{
CreatedBy: "/bin/sh -c #(nop) ADD file:289c2fac17119508ced527225d445747cd177111b4a0018a6b04948ecb3b5e29 in / ",
EmptyLayer: false,
},
{
CreatedBy: "/bin/sh -c #(nop) CMD [\"/bin/sh\"]",
EmptyLayer: true,
},
{
CreatedBy: "ADD ./foo.txt /foo.txt # buildkit",
EmptyLayer: false,
},
{
CreatedBy: "COPY ./foo /foo # buildkit",
EmptyLayer: false,
},
{
CreatedBy: "RUN /bin/sh -c ls -hl /foo # buildkit",
EmptyLayer: false,
},
{
CreatedBy: "USER foo",
EmptyLayer: true,
},
{
CreatedBy: `HEALTHCHECK &{["CMD-SHELL" "curl -sS 127.0.0.1 || exit 1"] "10s" "3s" "0s" '\x00'}`,
EmptyLayer: true,
},
},
},
},
want: &analyzer.ConfigAnalysisResult{
Misconfiguration: &types.Misconfiguration{
FileType: "dockerfile",
FilePath: "Dockerfile",
Failures: types.MisconfResults{
types.MisconfResult{
Namespace: "builtin.dockerfile.DS005",
Query: "data.builtin.dockerfile.DS005.deny",
Message: "Consider using 'COPY ./foo.txt /foo.txt' command instead of 'ADD ./foo.txt /foo.txt'",
PolicyMetadata: types.PolicyMetadata{
ID: "DS005",
AVDID: "AVD-DS-0005",
Type: "Dockerfile Security Check",
Title: "ADD instead of COPY",
Description: "You should use COPY instead of ADD unless you want to extract a tar file. Note that an ADD command will extract a tar file, which adds the risk of Zip-based vulnerabilities. Accordingly, it is advised to use a COPY command, which does not extract tar files.",
Severity: "LOW",
RecommendedActions: "Use COPY instead of ADD",
References: []string{"https://docs.docker.com/engine/reference/builder/#add"},
},
CauseMetadata: types.CauseMetadata{
Provider: "Dockerfile",
Service: "general",
StartLine: 1,
EndLine: 1,
Code: types.Code{
Lines: []types.Line{
{
Number: 1,
Content: "ADD ./foo.txt /foo.txt",
IsCause: true,
Truncated: false,
Highlighted: "\x1b[38;5;64mADD\x1b[0m ./foo.txt /foo.txt",
FirstCause: true,
LastCause: true,
},
},
},
},
},
},
},
},
},
{
name: "happy path. Base layer is found",
input: analyzer.ConfigAnalysisInput{
Expand Down

0 comments on commit adfde63

Please sign in to comment.