Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

🐛 Refactor Dockerfile validation code to handle here-documents #3774

Merged
merged 5 commits into from
Jan 10, 2024
Merged

🐛 Refactor Dockerfile validation code to handle here-documents #3774

merged 5 commits into from
Jan 10, 2024

Conversation

jkreileder
Copy link
Contributor

@jkreileder jkreileder commented Jan 6, 2024

What kind of change does this PR introduce?

bug fix

What is the current behavior?

The Pinned-Dependencies check fails on Dockerfiles that use here-documents.

RUN <<EOT1 <<EOT2
	pip install --no-deps -e git+https://github.com/username/repo.git@v1.0#egg=package
EOT1
	curl bla | bash
EOT2

=>

Error: check runtime error: Pinned-Dependencies: internal error: error parsing shell code: Dockerfile:1:1: unclosed here-document 'EOF'
2024/01/06 17:55:47 error during command execution: check runtime error: Pinned-Dependencies: internal error: error parsing shell code: Dockerfile:1:1: unclosed here-document 'EOF'

What is the new behavior (if this is a feature change)?

Dockerfiles containing here-documents don't cause failures and the pin-status of the dependencies is correctly extracted.

  • Tests for the changes have been added (for bug fixes/features)

Which issue(s) this PR fixes

Fixes #3335

Special notes for your reviewer

Does this PR introduce a user-facing change?

Shell commands in Dockerfile here-documents are now parsed correctly by the Pinned-Dependencies check

Refactors the `validateDockerfileInsecureDownloads` function to handle
Dockerfiles that contain here-documents.  This implementation handles the
basic use-case, namely shell commands.  It does not manage other
interpreters that are specified through a she-bang, such as python.

Fixes #3335

Signed-off-by: Jürgen Kreileder <jk@blackdown.de>
Copy link

codecov bot commented Jan 6, 2024

Codecov Report

Merging #3774 (f41e9a0) into main (6c345f1) will decrease coverage by 6.88%.
The diff coverage is 73.91%.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #3774      +/-   ##
==========================================
- Coverage   75.47%   68.59%   -6.89%     
==========================================
  Files         230      230              
  Lines       15613    15622       +9     
==========================================
- Hits        11784    10716    -1068     
- Misses       3103     4252    +1149     
+ Partials      726      654      -72     

@jkreileder
Copy link
Contributor Author

The other two missed branches (1 new, 1 old) are actually hard to trigger - at least I couldn't come up with something that triggers a parser error.

In the old code, the here-docs triggered that case (and raised a sh level error). But that doesn't occur anymore with the fix.

…loads()

Signed-off-by: Jürgen Kreileder <jk@blackdown.de>
Signed-off-by: Jürgen Kreileder <jk@blackdown.de>
Copy link
Member

@spencerschrock spencerschrock left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the contribution and the tests. Left a small comment about one of them

checks/raw/pinned_dependencies_test.go Show resolved Hide resolved
Signed-off-by: Jürgen Kreileder <jk@blackdown.de>
@spencerschrock
Copy link
Member

/scdiff generate Pinned-Dependencies

Copy link

@spencerschrock spencerschrock enabled auto-merge (squash) January 10, 2024 21:19
@spencerschrock spencerschrock merged commit e15264d into ossf:main Jan 10, 2024
38 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

BUG: Pinned-Dependencies fails to handle Dockerfiles with here-docs
2 participants