Support newer docker language syntax and features

[tspearconquest]

As per https://www.docker.com/blog/capturing-build-information-buildkit/, it is a best practice to use BuildKit's docker/dockerfile:v1.4 syntax, however certain features supported in dockerfile v1.4 are not supported by conftest, such as the --link flag for ADD and COPY.

Please add support for dockerfile v1.4 syntax and features.

Right now when trying to parse a Dockerfile using ADD --link or COPY --link conftest returns the following:

Error: running test: parse configurations: parser unmarshal: process dockerfile instructions: unknown flag: link, path: Dockerfile

[jalseth]

The current Dockerfile parsing comes from github.com/cpuguy83/dockercfg which looks like it hasn't been updated in a few years. Is there a Go module available that has parsing for these new formats?

[tspearconquest]

As far as I understand, and I'm not an expert in this so I'll have to ask a colleague on Monday, buildkit offers it.

Possibly either (or both) of these?

https://github.com/moby/buildkit/blob/master/frontend/dockerfile/parser/parser.go
https://github.com/moby/buildkit/blob/master/frontend/dockerfile/instructions/parse.go

[boranx]

imo we already use the buildkit parser, don't we? https://github.com/open-policy-agent/conftest/blob/master/parser/docker/docker.go#L9

[tspearconquest]

Hello, thanks. I built your PR and tried it against a Dockerfile with --link and it still fails. I'm not sure why it's not working.

[boranx]

could you paste the content of the dockerfile so we could double-check?

[tspearconquest]

ARG BUILDER_VERSION
ARG BUILDER_TYPE
ARG GIT_VERSION=2.36.5-r0
### Build from source
FROM my-repo/golang:stable as prep
# Above image runs as non-root by default but we need to add packages
USER 0

ARG GIT_VERSION
## This line is added to test for this issue but would not make a working dockerfile
## Our policies look for ADD without http://, hence this is just a dummy line for testing
ADD --link http://foo.tar.gz /root

RUN apk --quiet --update --no-cache add \
    build-base==0.5-r3 \
    git=="${GIT_VERSION}" \
 && mkdir /go/.cache \
 && chown 65532:65532 /go/.cache /go/bin /go

USER 65532


FROM prep as deps
USER 65532

WORKDIR /go

ARG GOCACHE=/go/.cache
ARG IMAGE_VERSION

RUN git clone -b "v${IMAGE_VERSION}" --depth 1 https://github.com/some-oss/dummy-project.git \
 && cd dummy-project \
 && go get -u golang.org/x/net@v0.7.0 \
 && go mod tidy \
 && go mod download


FROM deps as builder
USER 65532

ARG GOCACHE=/go/.cache

WORKDIR /go/dummy-project

RUN make build

[boranx]

well, using the content above, I managed to ./conftest parse path-to-your-file.Dockerfile and obtained the parsed output
If there's a simple form of the content that contains the failing part, I could add it to the acceptance tests to validate by pipelines as well

[tspearconquest]

Apologies, you're right. I built it on your master branch instead of the PR branch. When I checked out the correct branch, built it again, and ran conftest test and conftest parse on the dockerfile above, it works.