BUG: Pinned-Dependencies fails to handle Dockerfiles with here-docs #3335
Labels
kind/bug
Something isn't working
Comments
2 tasks
|
#3774 fixes the problem for moby/moby: $ go run main.go --checks Pinned-Dependencies --repo moby/moby
Starting [Pinned-Dependencies]
Finished [Pinned-Dependencies]
RESULTS
-------
Aggregate score: 0.0 / 10
Check scores:
|--------|---------------------|--------------------------------|--------------------------------------------------------------------------------|
| SCORE | NAME | REASON | DOCUMENTATION/REMEDIATION |
|--------|---------------------|--------------------------------|--------------------------------------------------------------------------------|
| 0 / 10 | Pinned-Dependencies | dependency not pinned by hash | https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies |
| | | detected -- score normalized | |
| | | to 0 | |
|--------|---------------------|--------------------------------|--------------------------------------------------------------------------------|And it also fixes the problem for me: $ scorecard --checks Pinned-Dependencies --repo=jkreileder/cf-ips-to-hcloud-fw
[...]
Error: check runtime error: Pinned-Dependencies: internal error: error parsing shell code: Dockerfile:1:1: unclosed here-document 'EOF'
2024/01/06 17:55:47 error during command execution: check runtime error: Pinned-Dependencies: internal error: error parsing shell code: Dockerfile:1:1: unclosed here-document 'EOF'
$ go run main.go --checks Pinned-Dependencies --repo=jkreileder/cf-ips-to-hcloud-fw
Starting [Pinned-Dependencies]
Finished [Pinned-Dependencies]
RESULTS
-------
Aggregate score: 10.0 / 10
Check scores:
|---------|---------------------|-----------------------------|--------------------------------------------------------------------------------|
| SCORE | NAME | REASON | DOCUMENTATION/REMEDIATION |
|---------|---------------------|-----------------------------|--------------------------------------------------------------------------------|
| 10 / 10 | Pinned-Dependencies | all dependencies are pinned | https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies |
|---------|---------------------|-----------------------------|--------------------------------------------------------------------------------| |
spencerschrock
pushed a commit
that referenced
this issue
Jan 10, 2024
* Refactor Dockerfile validation code to handle here-documents Refactors the `validateDockerfileInsecureDownloads` function to handle Dockerfiles that contain here-documents. This implementation handles the basic use-case, namely shell commands. It does not manage other interpreters that are specified through a she-bang, such as python. Fixes #3335 Signed-off-by: Jürgen Kreileder <jk@blackdown.de> * Add test for empty run command case in validateDockerfileInsecureDownloads() Signed-off-by: Jürgen Kreileder <jk@blackdown.de> * Simplify end line calculation in validateDockerfileInsecureDownloads() Signed-off-by: Jürgen Kreileder <jk@blackdown.de> * Document why we have a python test case here Signed-off-by: Jürgen Kreileder <jk@blackdown.de> --------- Signed-off-by: Jürgen Kreileder <jk@blackdown.de>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the bug
Dockerfiles with here-docs crash the Pinned-Deps check
Reproduction steps
Run
scorecard --checks Pinned-Dependencies --repo moby/moby(also works with--repo distribution/distribution)moby/moby/Dockerfileanddistribution/distribution/dockerfiles/vendor.DockerfilehaveRUNcommands such asRUN --mount=target=/context \ --mount=target=.,type=tmpfs \ --mount=target=/go/pkg/mod,type=cache <<EOT set -e rsync -a /context/. . go mod tidy go mod vendor mkdir /out cp -r go.mod go.sum vendor /out EOTExpected behavior
The Dockerfile should be correctly parsed.
The text was updated successfully, but these errors were encountered: