Sorry for reviving this issue to report another problem, especially considering it is in the context of SonarCloud, but I think the issues could be relevant for all distributions.
As you probably know, symbolic notation is now supported:
This means I can do things like:
COPY --chown=root:root --chmod=a=rX dist/myproject/browser /usr/share/nginx/html
The uppercase X works nicely with recursive copying, that is, when you also copy directories. And I’m glad to see SonarQube supports it.
However, I noticed a few problems. For one particular file I deliberately want to allow write permission:
COPY --chown=nginx:nginx --chmod=ug=wr,o=r docker/config.json.template /usr/share/nginx/html/config.json
So I want to ignore this particular issue on this particular line. In order to do that, I have the following options:
- Use NOSONAR comment, which disables all rules on that file (not ideal, but let’s discuss that in Rule-specific NOSONAR),
- Exclude the rule for this file (not ideal either).
Reference:
Actually, NOSONAR wouldn’t even work, because the following is invalid syntax (I have now mentioned it in the linked discussion topic about rule-specific NOSONAR):
COPY --chown=nginx:nginx --chmod=ug=wr,o=r docker/config.json.template /usr/share/nginx/html/config.json # NOSONAR: docker:S6504: must be writable
I tried putting the comment on the previous line, but Sonar ignored it:
# NOSONAR: docker:S6504: must be writable
COPY --chown=nginx:nginx --chmod=ug=wr,o=r docker/config.json.template /usr/share/nginx/html/config.json
Result:
=> ERROR [7/7] COPY --chown=nginx:nginx --chmod=ug=wr,o=r docker/config.json.template /usr/share/nginx/html/config.json # NOSONAR: docker:S6504: must be writable 0.0s
------
> [7/7] COPY --chown=nginx:nginx --chmod=ug=wr,o=r docker/config.json.template /usr/share/nginx/html/config.json # NOSONAR: docker:S6504: must be writable:
------
Dockerfile:10
--------------------
8 | COPY --chown=root:root --chmod=a=r docker/config.json.template /usr/share/nginx/html_template/
9 | # Allow write permission for the entrypoint script to evaluate the template
10 | >>> COPY --chown=nginx:nginx --chmod=ug=wr,o=r docker/config.json.template /usr/share/nginx/html/config.json # NOSONAR: docker:S6504: must be writable
11 |
12 | USER nginx
--------------------
ERROR: failed to build: failed to solve: failed to compute cache key: failed to calculate checksum of ref 7041fe3e-7e9d-4c43-864a-fe6969214880::bnbznhswbwgsbckjqikcwm95e: "/#": not found
So, for now I’ll have to disable the rule on file level…
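For readers comparing the two `--chmod` values in the post above, here is an added example (not part of the original post and not SonarQube or Docker code) that evaluates symbolic modes and reports which classes end up with write permission. It assumes `COPY --chmod` follows chmod(1) symbolic semantics; the function names and the starting modes are constructed for illustration.

```python
# Added example: evaluate chmod-style symbolic modes (assumed chmod(1) semantics).
WHO_SHIFT = {"u": 6, "g": 3, "o": 0}
PERM_BIT = {"r": 4, "w": 2, "x": 1}


def apply_symbolic(spec: str, current: int, is_dir: bool) -> int:
    """Return the permission bits after applying a comma-separated spec."""
    mode = current & 0o777
    for clause in spec.split(","):
        # Split e.g. "ug=wr" into who="ug", op="=", perms="wr".
        idx = next((i for i, c in enumerate(clause) if c in "=+-"), None)
        if idx is None:
            raise ValueError(f"no operator in clause {clause!r}")
        who, op, perms = clause[:idx], clause[idx], clause[idx + 1:]
        # An empty "who" is treated like "a" here (umask is ignored: assumption).
        classes = "ugo" if who == "" else who.replace("a", "ugo")
        bits = 0
        for p in perms:
            if p == "X":
                # X: execute only for directories, or files already executable.
                if is_dir or mode & 0o111:
                    bits |= 1
            elif p in PERM_BIT:
                bits |= PERM_BIT[p]
            else:
                raise ValueError(f"unsupported permission {p!r}")
        for c in classes:
            if c not in WHO_SHIFT:
                raise ValueError(f"unsupported class {c!r}")
            shift = WHO_SHIFT[c]
            if op == "=":
                mode &= ~(7 << shift)  # "=" first clears the class
            if op == "-":
                mode &= ~(bits << shift)
            else:
                mode |= bits << shift
    return mode


def writable_classes(mode: int) -> str:
    """Classes (u, g, o) that hold the write bit in the given mode."""
    return "".join(c for c in "ugo" if mode & (2 << WHO_SHIFT[c]))


if __name__ == "__main__":
    # Constructed starting modes: 0o644 regular file, 0o755 directory.
    for spec, start, is_dir in [("a=rX", 0o644, False), ("a=rX", 0o755, True),
                                ("ug=wr,o=r", 0o644, False)]:
        result = apply_symbolic(spec, start, is_dir)
        print(f"{spec:10} dir={is_dir!s:5} -> {result:04o} "
              f"writable by: {writable_classes(result) or 'nobody'}")
```
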