False positive SonarLint/SonarQube rule docker:S6596 with multi-stage docker builds

In both the SonarLint plugin for IntelliJ IDEA (version whatever is currently newest) and SonarQube Developer Edition (we’re using 10.3), rule docker:S6596 “Specific version tag for image should be used” is triggered on multi-stage Docker builds. For example, consider the following Dockerfile:

# syntax=docker/dockerfile:1

ARG NODE_VERSION=20.10.0

################################################################################

# Use node image for base image for all stages.
# PRIVATE_REGISTRY has no default; it is supplied with --build-arg at build time.
ARG PRIVATE_REGISTRY
ARG PREFIX="${PRIVATE_REGISTRY}/docker-hub-proxy/"

FROM ${PREFIX}node:${NODE_VERSION}-alpine AS base

# Set working directory for all build stages.
WORKDIR /usr/src/app

# Install dependencies frontend (references the "base" stage above, not a registry image)
FROM base AS deps-fe
COPY frontend ./fe
WORKDIR ./fe
RUN npm ci

Rule docker:S6596 triggers on the FROM base AS deps-fe line, stating a specific version tag should be used for the base image. This rule should not trigger on references to previous build stages of the same Dockerfile.

Hello @javanegmond,
thanks for reporting this issue!

You’re right, the rule S6596 shouldn’t raise in this case.
We normally don’t raise on references to previous build stages.
In your case, the image of the referenced build stage was unresolvable to us because of the ${PRIVATE_REGISTRY}. In these cases, we missed registering the alias.

I created a ticket to fix this issue, which can be viewed here:
SONARIAC-1418 - S6596 should not raise on references to previous build stages when previous stage is unresolvable

Best,
Jonas
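To make the behaviour discussed in this thread concrete, here is an added example of a minimal S6596-style checker written for this page; it is not SonarSource's implementation and does not reproduce their rule engine. It registers every `FROM ... AS alias` as a build stage before deciding anything about the image, so a later `FROM alias` is skipped even when the stage's own image went through a build-time variable (`${PRIVATE_REGISTRY}`) that a static checker cannot resolve. The Dockerfile in the block is constructed for the example, and the digest in it is a placeholder; the treatment of ARGs as a single global scope and the case-insensitive alias match are simplifications of this example, not claims about the real rule.

```python
import re

# Constructed Dockerfile for this example (not from any real project). It repeats
# the thread's pattern: the first stage's image goes through a build-time
# ${PRIVATE_REGISTRY} that a static checker cannot resolve, and later stages
# reference that stage by alias. The sha256 digest is a placeholder value.
DOCKERFILE = """\
# syntax=docker/dockerfile:1
ARG NODE_VERSION=20.10.0
# PRIVATE_REGISTRY is only supplied at build time, so the base image
# reference is unresolvable to a static checker.
ARG PREFIX="${PRIVATE_REGISTRY}/docker-hub-proxy/"
FROM ${PREFIX}node:${NODE_VERSION}-alpine AS base
WORKDIR /usr/src/app
FROM base AS deps-fe
COPY frontend ./fe
RUN npm ci
FROM base AS deps-be
COPY backend ./be
FROM nginx AS web
FROM redis:latest
FROM python@sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa AS pinned
FROM scratch
"""

FROM_RE = re.compile(
    r"^FROM\s+(?:--platform=\S+\s+)?(?P<image>\S+)(?:\s+AS\s+(?P<alias>\S+))?\s*$",
    re.IGNORECASE,
)
ARG_RE = re.compile(r"^ARG\s+(?P<name>\w+)(?:=(?P<value>.*))?$", re.IGNORECASE)
VAR_RE = re.compile(r"\$\{(\w+)\}|\$(\w+)")


def logical_lines(text):
    """Yield (line_number, instruction) with comments dropped and '\\' continuations joined."""
    buf, start = "", None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not buf and (not line or line.startswith("#")):
            continue
        if start is None:
            start = lineno
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, buf + line
        buf, start = "", None


def expand(text, args):
    """Substitute ARG values known statically; unknown variables are left in place."""
    def sub(match):
        value = args.get(match.group(1) or match.group(2))
        return value if value is not None else match.group(0)
    return VAR_RE.sub(sub, text)


def split_ref(ref):
    """Return (name, tag, digest) for an image reference; the tag is the part after
    the last ':' only when that ':' comes after the last '/' (so registry ports are not tags)."""
    if "@" in ref:
        name, _, digest = ref.partition("@")
        return name, None, digest
    name, sep, tag = ref.rpartition(":")
    if sep and "/" not in tag:
        return name, tag, None
    return ref, None, None


def analyze(dockerfile):
    """Return (findings, stages). findings: (line, image, reason) for FROM lines that
    use no tag or the 'latest' tag; stages: every alias declared with 'AS', in order."""
    args, stages, findings = {}, [], []
    for lineno, line in logical_lines(dockerfile):
        m = ARG_RE.match(line)
        if m:
            if m.group("value") is not None:  # simplification: one global ARG scope
                args[m.group("name")] = expand(m.group("value").strip().strip("\"'"), args)
            continue
        m = FROM_RE.match(line)
        if not m:
            continue
        image_raw, alias = m.group("image"), m.group("alias")
        is_stage_ref = image_raw.lower() in (s.lower() for s in stages)
        if alias:
            # Register the alias unconditionally, before (and independent of) any
            # attempt to resolve the image: this is the point the thread is about.
            stages.append(alias)
        if is_stage_ref:
            continue  # reference to an earlier build stage, never a registry image
        image = expand(image_raw, args)
        if image.lower() == "scratch":
            continue
        name, tag, digest = split_ref(image)
        if digest:
            continue  # pinned by digest, which is stricter than a version tag
        if tag is None:
            if VAR_RE.search(image):
                continue  # unresolvable: the variable itself may carry the tag
            findings.append((lineno, image, "no tag"))
        elif tag.lower() == "latest":
            findings.append((lineno, image, "latest tag"))
    return findings, stages


if __name__ == "__main__":
    found, known = analyze(DOCKERFILE)
    print("stages:", known)
    for lineno, image, reason in found:
        print(f"line {lineno}: FROM {image} ({reason})")
```

Running it reports only `nginx` (no tag) and `redis:latest`; the `FROM base AS deps-fe` and `FROM base AS deps-be` lines are silent because `base` was recorded as a stage even though its image still contains `${PRIVATE_REGISTRY}` after expansion.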