docker:S6504 not working correctly

Sorry for reviving this issue to report another problem, especially considering it is in the context of SonarCloud, but I think the issues could be relevant for all distributions.

As you probably know, symbolic notation is now supported:

This means I can do things like:

COPY --chown=root:root --chmod=a=rX dist/myproject/browser /usr/share/nginx/html

The uppercase X works nicely with recursive copying, that is, when you also copy directories. And I’m glad to see SonarQube supports it.

However, I noticed a few problems. For one particular file I deliberately want to allow write permission:

COPY --chown=nginx:nginx --chmod=ug=wr,o=r docker/config.json.template /usr/share/nginx/html/config.json

So I want to ignore this particular issue on this particular line. In order to do that, I have the following options:

  • Use a NOSONAR comment, which disables all rules on that file (not ideal, but let’s discuss that in Rule-specific NOSONAR),
  • Exclude the rule for this file (not ideal either).
Reference:

Actually, NOSONAR wouldn’t even work, because the following is invalid syntax (I have now mentioned it in the linked discussion topic about rule-specific NOSONAR):

COPY --chown=nginx:nginx --chmod=ug=wr,o=r docker/config.json.template /usr/share/nginx/html/config.json  # NOSONAR: docker:S6504: must be writable

I tried putting the comment on the previous line, but Sonar ignored it:

# NOSONAR: docker:S6504: must be writable
COPY --chown=nginx:nginx --chmod=ug=wr,o=r docker/config.json.template /usr/share/nginx/html/config.json

Result:

 => ERROR [7/7] COPY --chown=nginx:nginx --chmod=ug=wr,o=r docker/config.json.template /usr/share/nginx/html/config.json  # NOSONAR: docker:S6504: must be writable                                                                       0.0s
------
 > [7/7] COPY --chown=nginx:nginx --chmod=ug=wr,o=r docker/config.json.template /usr/share/nginx/html/config.json  # NOSONAR: docker:S6504: must be writable:
------
Dockerfile:10
--------------------
   8 |     COPY --chown=root:root --chmod=a=r docker/config.json.template /usr/share/nginx/html_template/
   9 |     # Allow write permission for the entrypoint script to evaluate the template
  10 | >>> COPY --chown=nginx:nginx --chmod=ug=wr,o=r docker/config.json.template /usr/share/nginx/html/config.json  # NOSONAR: docker:S6504: must be writable
  11 |     
  12 |     USER nginx
--------------------
ERROR: failed to build: failed to solve: failed to compute cache key: failed to calculate checksum of ref 7041fe3e-7e9d-4c43-864a-fe6969214880::bnbznhswbwgsbckjqikcwm95e: "/#": not found

So, for now I’ll have to disable the rule on file level…
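
Added example (not part of the original post, and not SonarQube's or BuildKit's code): a small evaluator for the two symbolic `--chmod` values quoted above, following chmod(1) semantics, showing which permission classes end up with the write bit. The function names and the base modes `0o644`/`0o755` are assumptions made for illustration.

```python
import re

SHIFT = {"u": 6, "g": 3, "o": 0}   # bit offset of each permission class
BIT = {"r": 4, "w": 2, "x": 1}
CLAUSE = re.compile(r"^([ugoa]*)([+\-=])([rwxX]*)$")


def apply_symbolic(mode_spec, base_mode, is_dir):
    """Apply a chmod-style symbolic spec (e.g. 'ug=wr,o=r') to base_mode.

    Simplification: an empty 'who' is treated as 'a' (umask ignored), and
    setuid/setgid/sticky letters are rejected as unsupported.
    """
    mode = base_mode
    for clause in mode_spec.split(","):
        m = CLAUSE.match(clause)
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        who, op, perms = m.groups()
        classes = "ugo" if not who or "a" in who else who
        bits = 0
        for p in perms:
            if p == "X":
                # X: execute only for directories, or files that already
                # carry an execute bit for some class.
                if is_dir or mode & 0o111:
                    bits |= BIT["x"]
            else:
                bits |= BIT[p]
        for c in set(classes):
            shifted = bits << SHIFT[c]
            if op == "=":
                mode = (mode & ~(0o7 << SHIFT[c])) | shifted
            elif op == "+":
                mode |= shifted
            else:
                mode &= ~shifted
    return mode


def writable_by(mode):
    """Return the classes (u, g, o) that hold the write bit."""
    return [c for c in "ugo" if mode & (BIT["w"] << SHIFT[c])]


if __name__ == "__main__":
    # Constructed inputs: (spec from the post, assumed source mode, is_dir)
    for spec, base, is_dir in [("a=rX", 0o644, False), ("a=rX", 0o755, True),
                               ("ug=wr,o=r", 0o644, False)]:
        result = apply_symbolic(spec, base, is_dir)
        print(f"{spec:10} dir={is_dir!s:5} -> {result:04o} writable_by={writable_by(result)}")
```

With these inputs, `a=rX` leaves no class writable on either files or directories, while `ug=wr,o=r` resolves to `0664`, giving the `nginx` owner and group write access to `config.json`.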