
fix(checks): improve argument handling in AVD-DS-0001 #326

Merged
merged 1 commit into from
Jan 29, 2025

Conversation

nikpivkin
Contributor

@nikpivkin nikpivkin commented Jan 22, 2025

@nikpivkin nikpivkin marked this pull request as ready for review January 22, 2025 12:00
@nikpivkin nikpivkin requested a review from simar7 as a code owner January 22, 2025 12:00
@nikpivkin nikpivkin force-pushed the args-ds001 branch 4 times, most recently from 4aabad1 to af9834e Compare January 22, 2025 17:00
r[_].msg == "Specify a tag in the 'FROM' statement for image 'foo'"
}

test_deny_multiply_args if {
Member

Suggested change
test_deny_multiply_args if {
test_deny_multiple_args if {

Contributor Author

r := deny with input as {"Stages": [
{"Name": "", "Commands": [{
"Cmd": "arg",
"Value": ["TAG"],
Member

If the tag doesn't have a value, doesn't it default to latest? Or is this test testing another case?

Contributor Author

@nikpivkin nikpivkin Jan 23, 2025

If the image ref is alpine:$TAG and the user has not specified an argument, then by default the argument will be an empty string and the image ref will be the invalid string alpine:, so we can't say that the latest tag is being used.

❯ cat Dockerfile
ARG TAG
FROM alpine:$TAG

❯ docker build --no-cache -t test-img . -f Dockerfile
...
--------------------
   1 |     ARG TAG
   2 | >>> FROM alpine:$TAG
--------------------
ERROR: failed to solve: failed to parse stage name "alpine:": invalid reference format

But if the image ref is alpine$TAG and the user has not specified an argument, then the ref will be equal to alpine, which is a valid reference, and the tag will be equal to latest.

❯ cat Dockerfile
ARG TAG
FROM alpine$TAG%

❯ docker build --no-cache -t test-img . -f Dockerfile
[+] Building 0.0s (5/5) FINISHED                                                                                            docker:default
 => [internal] load build definition from Dockerfile                                                                                  0.0s
 => => transferring dockerfile: 60B                                                                                                   0.0s
 => [internal] load metadata for docker.io/library/alpine:latest                                                                      0.0s
 => [internal] load .dockerignore                                                                                                     0.0s
 => => transferring context: 2B                                                                                                       0.0s
 => CACHED [1/1] FROM docker.io/library/alpine:latest
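The distinction drawn in the comment above (an unset ARG resolves to an empty string, so `alpine:$TAG` becomes the invalid reference `alpine:` while `alpine$TAG` becomes `alpine` and therefore `latest`) is what a check like AVD-DS-0001 has to reproduce before it can decide whether a tag was specified. The following is an added example, not trivy-checks' Rego policy or any code from this PR: a small Python model that resolves the ARGs visible to FROM (with optional `--build-arg` overrides), skips stage references and `scratch`, and classifies the resolved reference. The Dockerfile strings are constructed for the example and mirror the two cases from the thread; `${VAR:-default}` style expansions are assumed out of scope and not handled.

```python
"""Added example (not trivy-checks' own code): resolve the ARG values a
Dockerfile FROM instruction depends on and decide whether an image tag is
actually specified.  It distinguishes the two cases from the PR thread:

    ARG TAG / FROM alpine:$TAG  -> "alpine:"  empty tag, invalid reference
    ARG TAG / FROM alpine$TAG   -> "alpine"   no tag, Docker uses latest
"""
import re
from dataclasses import dataclass

# $NAME or ${NAME}.  Assumption: the ${NAME:-default} / ${NAME:+alt} forms
# that Dockerfiles also accept are not modelled here.
_VAR_RE = re.compile(r"\$(?:\{(\w+)\}|(\w+))")


@dataclass
class FromCheck:
    ref: str      # image reference after ARG substitution
    status: str   # "tag-set", "no-tag", "empty-tag" or "digest"
    message: str


def _substitute(value: str, args: dict) -> str:
    """Replace $VAR / ${VAR} with the resolved ARG value; unset ARGs become ''."""
    return _VAR_RE.sub(lambda m: args.get(m.group(1) or m.group(2), ""), value)


def classify_ref(ref: str) -> FromCheck:
    """Classify one resolved image reference."""
    if "@" in ref:  # digest-pinned; the PR defers digest handling to later work
        return FromCheck(ref, "digest", f"Image '{ref}' is pinned by a digest")
    # Only the last path component can carry the tag (registry:5000/ns/img:tag),
    # so a port in the registry host is not mistaken for a tag.
    _, sep, tag = ref.rpartition("/")[2].rpartition(":")
    if not sep:
        return FromCheck(ref, "no-tag",
                         f"Specify a tag in the 'FROM' statement for image '{ref}'")
    if tag == "":
        # What 'FROM alpine:$TAG' becomes when TAG is unset: docker build
        # rejects it with "invalid reference format", so it is not 'latest'.
        return FromCheck(ref, "empty-tag",
                         f"Image reference '{ref}' has an empty tag (invalid reference)")
    return FromCheck(ref, "tag-set", f"Image '{ref}' uses tag '{tag}'")


def check_dockerfile(text: str, build_args=None) -> list:
    """Walk a Dockerfile and classify every FROM that names an external image."""
    build_args = build_args or {}
    args = {}          # ARGs declared before the first FROM (visible to FROM)
    stages = set()     # stage names introduced by 'FROM ... AS name'
    seen_from = False
    results = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        instr, _, rest = line.partition(" ")
        instr = instr.upper()
        if instr == "ARG" and not seen_from:
            for decl in rest.split():
                name, _, default = decl.partition("=")
                # --build-arg wins over the default; an unset ARG resolves to "".
                args[name] = build_args.get(name, default)
        elif instr == "FROM":
            seen_from = True
            tokens = [t for t in rest.split() if not t.startswith("--")]  # drop --platform=
            ref = _substitute(tokens[0], args)
            is_stage_ref = ref == "scratch" or ref in stages
            if len(tokens) >= 3 and tokens[1].upper() == "AS":
                stages.add(tokens[2])
            if not is_stage_ref:
                results.append(classify_ref(ref))
    return results


# Constructed samples mirroring the two Dockerfiles from the thread.
SAMPLE_COLON = "ARG TAG\nFROM alpine:$TAG\n"
SAMPLE_NO_COLON = "ARG TAG\nFROM alpine$TAG\n"
# Constructed multi-stage sample: defaults, a registry with a port, stage refs.
SAMPLE_MULTI = (
    "ARG TAG=3.18\n"
    "ARG REG=localhost:5000\n"
    "FROM ${REG}/alpine:${TAG} AS base\n"
    "FROM base AS builder\n"
    "FROM scratch\n"
)

if __name__ == "__main__":
    for label, src in (("colon", SAMPLE_COLON), ("no colon", SAMPLE_NO_COLON),
                       ("multi", SAMPLE_MULTI)):
        for r in check_dockerfile(src):
            print(f"{label}: {r.status}: {r.message}")
    for r in check_dockerfile(SAMPLE_COLON, {"TAG": "3.19"}):
        print(f"colon + --build-arg TAG=3.19: {r.status}: {r.message}")
```

Running it reports `empty-tag` for the `alpine:$TAG` file, `no-tag` (the AVD-DS-0001 message) for the `alpine$TAG` file, and `tag-set` once `TAG` is supplied as a build argument or has a default; the multi-stage sample yields a single finding because `FROM base` and `FROM scratch` are not external images.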

Member

Ah I see the difference now. Thanks!

@nikpivkin
Contributor Author

@simar7 OK if I add digest handling in a different PR? I came across the following issue, which discusses the ambiguity of the specification regarding the FROM instruction.

@simar7 simar7 self-requested a review January 29, 2025 18:19
@simar7 simar7 added this pull request to the merge queue Jan 29, 2025
Merged via the queue into aquasecurity:main with commit 100eb69 Jan 29, 2025
6 checks passed
@nikpivkin nikpivkin deleted the args-ds001 branch January 30, 2025 03:54
2 participants