Scratch not excluded from docker image tag rule

Hi all,

We have had failed Sonar scans recently due to this rule:

Our builds suffer a bit from the Docker Dive wasted-space issue, as we use golden base images and then run updates on them (and obviously add anything specific for that build). So we do a multistage build and copy into scratch:

# Stage 1: pinned golden base image, updated in place (layers accumulate here)
FROM 1234567890.dkr.ecr.eu-west-1.amazonaws.com/golden-images/base:2.2.0 AS golden

COPY setup-image.sh ./
RUN bash setup-image.sh && rm setup-image.sh

# Stage 2: flatten the updated filesystem into a single layer on the empty scratch image
FROM scratch
COPY --from=golden / /

COPY entrypoint.sh ./

ENTRYPOINT ["bash", "/entrypoint.sh"]

We are using Enterprise Edition

  • Version 10.3 (build 82913)

With this (what should be) valid, simple Dockerfile, the rule above fires with:

FROM scratch
Use a specific version tag for the image.

This is from a job in our GitLab CI pipeline using the SonarScanner CLI.

Obviously, if I do apply a tag, it fails:

Dockerfile:8
--------------------
   6 |     RUN bash setup-image.sh && rm setup-image.sh
   7 |     
   8 | >>> FROM scratch:latest
   9 |     COPY --from=golden / /
  10 |     
--------------------
ERROR: failed to solve: scratch:latest: docker.io/library/scratch:latest: not found

Surely scratch should be excluded from this rule (not sure of others)?

Thanks,
Simon
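As an added illustration of the point in the post above (this is example code written for this page, not code from the post, from SonarQube, or from the rule's actual implementation), the following Python lints the FROM lines of a Dockerfile the way a "use a specific version tag" rule should: it flags untagged images, accepts a tag or an @sha256 digest as a pin, and exempts the reserved `scratch` image and references to earlier build stages (`FROM <alias>`), which cannot carry a tag. The `exempt_special` switch shows the false positive on `FROM scratch` from the post next to the corrected behaviour. The function names, messages and the two sample Dockerfiles are constructed for this example; the first sample mirrors the multistage build above, the second adds cases the post does not cover.

```python
import re
from dataclasses import dataclass

# Constructed sample, mirroring the multistage Dockerfile from the post.
SAMPLE_DOCKERFILE = """\
FROM 1234567890.dkr.ecr.eu-west-1.amazonaws.com/golden-images/base:2.2.0 AS golden

COPY setup-image.sh ./
RUN bash setup-image.sh && rm setup-image.sh

FROM scratch
COPY --from=golden / /

COPY entrypoint.sh ./

ENTRYPOINT ["bash", "/entrypoint.sh"]
"""

# Constructed extra cases (not from the post): --platform flag, stage reference,
# digest pin, the 'latest' tag, and a registry with a port but no image tag.
EXTRA_DOCKERFILE = """\
FROM --platform=linux/amd64 alpine AS builder
FROM builder
FROM nginx@sha256:0000000000000000000000000000000000000000000000000000000000000000
FROM golang:latest
FROM registry.example.com:5000/team/app
"""


@dataclass
class Finding:
    line: int
    image: str
    message: str


def split_ref(ref):
    """Split an image reference into (name, tag, digest).

    A ':' after the last '/' is a tag; a ':' before it belongs to the
    registry host:port, so registry.example.com:5000/team/app has no tag.
    """
    digest = None
    tag = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    last_slash = ref.rfind("/")
    colon = ref.rfind(":")
    if colon > last_slash:
        ref, tag = ref[:colon], ref[colon + 1:]
    return ref, tag, digest


def lint_from_lines(text, exempt_special=True, allow_latest=False):
    """Return findings for FROM lines whose base image is not pinned.

    exempt_special=True skips 'scratch' and build-stage aliases (the corrected
    rule); exempt_special=False reproduces the false positive from the post.
    """
    findings = []
    stages = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not re.match(r"(?i)FROM\s", line):
            continue
        # Drop instruction flags such as --platform=... before reading the image.
        args = [t for t in line.split()[1:] if not t.startswith("--")]
        if not args:
            continue
        ref = args[0]
        # Record the stage alias so a later 'FROM <alias>' is not treated as an image.
        if len(args) >= 3 and args[1].upper() == "AS":
            stages.add(args[2].lower())
        name, tag, digest = split_ref(ref)
        if exempt_special and (name.lower() == "scratch" or name.lower() in stages):
            continue
        if digest:
            continue  # a digest is a stronger pin than any tag
        if tag is None:
            findings.append(Finding(lineno, ref, "Use a specific version tag for the image."))
        elif tag == "latest" and not allow_latest:
            findings.append(Finding(lineno, ref, "Avoid the 'latest' tag; pin a version."))
    return findings


if __name__ == "__main__":
    for label, flag in (("naive rule", False), ("corrected rule", True)):
        print(f"{label}: {lint_from_lines(SAMPLE_DOCKERFILE, exempt_special=flag)}")
    print(f"extra cases: {lint_from_lines(EXTRA_DOCKERFILE)}")
```

With the naive setting the only finding on the post's Dockerfile is `FROM scratch`, exactly the false positive reported; with stage aliases and `scratch` exempted the file is clean, while genuinely untagged images such as `alpine` or a `host:port/image` reference are still reported.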

Hello @TheNom and welcome to the community!

Thanks for raising awareness on this topic.
This is indeed an FP; I have created a Jira ticket in order to follow up on it.
I checked the other rules we have regarding Docker, and it seems this is the only rule concerned.

Sorry for the inconvenience caused.
Best regards,
Rudy

