False positive for docker:s6505 for yarn berry (yarn 2 and later)

candrews · August 14, 2024, 6:03pm

What language is this for?
Docker
Which rule?
docker:S6505
Why do you believe it’s a false-positive/false-negative?
The finding says to use the --ignore-scripts argument to yarn. However, yarn has removed the --ignore-scripts in the “berry” versions, see Quick question regarding "--ignore-scripts" · Issue #1679 · yarnpkg/berry · GitHub. Therefore, the rule is impossible to satisfy when using newer versions of yarn.
For yarn berry (that’s yarn 2.x and later), the equivalent is to set the environment variable YARN_ENABLE_SCRIPTS=false
Are you using
- SonarQube - which version?
  10.5.1
How can we reproduce the problem? Give us a self-contained snippet of code (formatted text, no screenshots)
The examples provided at Docker static code analysis demonstrate this problem:

FROM node:latest

RUN yarn install --ignore-scripts

is the recommended fix, but it gives an error with newer version of yarn. The correct example when using yarn 2 or later is:

RUN YARN_ENABLE_SCRIPTS=false yarn install

candrews · August 21, 2024, 6:25pm

@Alexandre_Gigleux or anyone else - can you please take a look at this issue and consider improving Sonar to address it?

Colin · August 22, 2024, 5:15am

Please don’t tag people not alrady involved in a post. We appreciate your feedback, but it takes time to review all the feedback we get (while also developing new features… and taking summer holidays). Your patience is appreciated.

rudy.regazzoni · August 22, 2024, 7:04am

Hello @candrews and welcome back to community!

Thanks for raising awareness on this topic.
Indeed this is a FP that need to be fixed.
I created a ticket to follow-up on it.

Best,
Rudy