Dockerfile scan causes error due to comment lines

SonarQube v9.9LTS
SonarScanner v4.7.0.2747

Hello,
we upgraded from SQ v8.9.10 to v9.9LTS. Now Dockerfiles are scanned automatically, which we appreciate.
But we are pretty surprised that SQ can’t handle comment lines in Dockerfiles like:

# This is a comment line

Even worse, this was not very easy to figure out, as the only hint was an error in the Jenkins logfile:

> 11:32:29.019 INFO: Sensor IaC Docker Sensor [iac]
> 11:32:29.046 INFO: 5 source files to be analyzed
> 11:32:29.093 DEBUG: 'ci/Dockerfile.amd64' generated metadata with charset 'UTF-8'
> 11:32:29.128 ERROR: Unable to parse file: file:///net/si0vmc4434/fs0/var/lib/jenkins/workspace/pe8000bcm_feature_sth-verify-sq9_2/application/fpe8000bcm/ci/Dockerfile.amd64. 
> 11:32:29.128 ERROR: Cannot parse 'ci/Dockerfile.amd64': String index out of range: -1

Only by trial and error did I find out that the comment lines within the Dockerfile caused the error.
Are we doing something wrong? I think the syntax of the comments in the Dockerfile is correct.

Thank you for support.


Hello @hstreidl !

Thanks for reaching out to us.
I confirm that the syntax is correct, as long as this comment represents a complete line because Docker does not support trailing comments or multiline comments.

The issue you are facing here is more probably related to the version of the Docker parser embedded in SonarQube v9.9.
This was the first version of the Docker parser released and it had some flaws (incorrect comment parsing, multiline processing, …).
It has been greatly improved since then and we also added new rules to it, but those improvements are available since SonarQube 10.

I, unfortunately, cannot provide much of a workaround for this. The only way would be to upgrade to SonarQube 10, which I know may have some implications on your side.

Best regards,
Rudy

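As an added illustration of the comment rule Rudy describes (a helper of my own, not SonarQube's Docker parser and not from the thread), the classifier below applies Docker's full-line-comment rule, treats `# key=value` lines before any other content as parser directives, and flags a `#` that follows an instruction for review; the sample Dockerfile is constructed, and the thread does not reveal where in SonarQube's parser the `-1` index actually came from.

```python
"""Classify Dockerfile lines by Docker's own comment rules (added helper,
not SonarQube's parser): a line is a comment only when '#' is its first
non-blank character; such lines are dropped before instructions run, so
one may sit inside a backslash-continued instruction; '# key=value' lines
before any other content are parser directives; a '#' after an
instruction is passed to the instruction, not stripped as a comment."""
import re
from typing import List, Tuple

COMMENT_RE = re.compile(r"^\s*#")
DIRECTIVE_RE = re.compile(r"^\s*#\s*(\w+)\s*=\s*(\S+)\s*$")

def classify_dockerfile(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, kind, stripped_line) with kind in blank/directive/
    comment/instruction. It never searches for a '#' and indexes on the
    unchecked result, the Java pattern that typically yields 'index: -1'."""
    result = []
    directives_allowed = True  # only until a comment/blank/instruction is seen
    for no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped:
            kind = "blank"
            directives_allowed = False
        elif COMMENT_RE.match(line):
            if directives_allowed and DIRECTIVE_RE.match(line):
                kind = "directive"
            else:
                kind = "comment"
                directives_allowed = False
        else:
            kind = "instruction"
            directives_allowed = False
        result.append((no, kind, stripped))
    return result

def trailing_hash_lines(text: str) -> List[int]:
    """Instruction lines containing ' #', for review: Docker will not strip
    that part, so the instruction receives it instead of ignoring it."""
    return [no for no, kind, s in classify_dockerfile(text)
            if kind == "instruction" and " #" in s]

# Constructed sample, not the reporter's ci/Dockerfile.amd64
SAMPLE = """# syntax=docker/dockerfile:1
# This is a comment line
FROM alpine:3.19
RUN apk add --no-cache curl \\
    # a comment line inside a continued instruction
    && echo done
RUN echo start # this '#' is not a Dockerfile comment
"""
```

Running `classify_dockerfile(SAMPLE)` labels lines 2 and 5 as comments and line 1 as a directive, while `trailing_hash_lines(SAMPLE)` returns `[7]`.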