Extra RUN directive being added to 'guessed dockerfile_contents'

[sian58]

Is this a request for help?: Yes

---

Is this a BUG REPORT or a FEATURE REQUEST? (choose one): BUG REPORT

Version of Anchore Engine and Anchore CLI if applicable: engine- 0.9.0 and cli - 0.9.1

What happened:

Extra "RUN" directive is being added to "guessed docker file content" [table - images, column - dockerfile_contents] when image is built from another docker source This causes incorrect policy evaluation. e.g. even if HEALTHCHECK exists, policy evaluation results in "Dockerfile directive 'HEALTHCHECK' not found, matching condition 'not_exists' check"

What did you expect to happen: The guessed image should not have extra RUN directive If HEALTHCHECK is there, policy evaluation should not result in "HEALTHCHECK not found"

Any relevant log output from /var/log/anchore:

What docker images are you using: docker pull s1an/nodehealthcheck:latestfromsys

How to reproduce the issue:

1. Pull this image - docker pull s1an/nodehealthcheck:latestfromsys
2. Add to anchore-engine - anchore-cli image add docker.io/s1an/nodehealthcheck:latestfromsys
3. Wait for it to be analyzed
4. Check database, table - "images", column - "dockerfile_contents" The content will have "RUN" in front of "HEALTHCHECK"
5. Enable CIS policy bundle
6. Evaluate policy for this image by calling this API: http://localhost:8228/v1/images/by_id/b799c2ed1e2f26f59615972d8eb95e8f8e8e40ae492c61f5e8deb9d341e99fed/check?tag=latestfromsys
7. Check output. There should be "HEALTHCHECK not found" rule fired in "results"

Anything else we need to know: Original dockerfile: FROM node:6.16.0-alpine RUN apk update && apk add curl nginx HEALTHCHECK --interval=30s CMD node healthcheck.js EXPOSE 3000

Guessed dockerfile content from table: FROM scratch ADD file:91fb97ea3549e52e7b6e22b93a6736cf915c756f3d13348406d8ad5f1a872680 in / CMD ["/bin/sh"] ENV NODE_VERSION=6.16.0 RUN /bin/sh -c addgroup -g 1000 node && adduser -u 1000 -G node -s /bin/sh -D node && apk add --no-cache libstdc++ && apk add --no-cache --virtual .build-deps binutils-gold curl g++ gcc gnupg libgcc linux-headers make python && for key in 94AE36675C464D64BAFA68DD7434390BDBE9B9C5 FD3A5288F042B6850C66B31F09FE44734EB7990E 71DCFD284A79C3B38668286BC97EC7A07EDE3FC1 DD8F2338BAE7501E3DD5AC78C273792F7D83545D C4F0DFFF4E8C1A8236409D08E73BC641CC11F4C8 B9AE9905FFD7803F25714661B63B535A4C206CA9 77984A986EBC2AA786BC0F66B01FBB92821C587A 8FCCA13FEF1D0C2E91008E09770F7A9A5AE15600 4ED778F539E3634C779C87C6D7062848A1AB005C A48C2BEE680E841632CD4E44F07496B3EB3C1762 B9E2F5981AA6E0CD28160D9FF13993A75599653C ; do gpg --batch --keyserver hkp://p80.pool.sks-keyservers.net:80 --recv-keys "$key" || gpg --batch --keyserver hkp://ipv4.pool.sks-keyservers.net --recv-keys "$key" || gpg --batch --keyserver hkp://pgp.mit.edu:80 --recv-keys "$key" ; done && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION.tar.xz" && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/SHASUMS256.txt.asc" && gpg --batch --decrypt --output SHASUMS256.txt SHASUMS256.txt.asc && grep " node-v$NODE_VERSION.tar.xz\$" SHASUMS256.txt | sha256sum -c - && tar -xf "node-v$NODE_VERSION.tar.xz" && cd "node-v$NODE_VERSION" && ./configure && make -j$(getconf _NPROCESSORS_ONLN) && make install && apk del .build-deps && cd .. && rm -Rf "node-v$NODE_VERSION" && rm "node-v$NODE_VERSION.tar.xz" SHASUMS256.txt.asc SHASUMS256.txt ENV YARN_VERSION=1.12.3 RUN /bin/sh -c apk add --no-cache --virtual .build-deps-yarn curl gnupg tar && for key in 6A010C5166006599AA17F08146C2130DFD2497F5 ; do gpg --batch --keyserver hkp://p80.pool.sks-keyservers.net:80 --recv-keys "$key" || gpg --batch --keyserver hkp://ipv4.pool.sks-keyservers.net --recv-keys "$key" || gpg --batch --keyserver hkp://pgp.mit.edu:80 --recv-keys "$key" ; done && curl -fsSLO --compressed "https://yarnpkg.com/downloads/$YARN_VERSION/yarn-v$YARN_VERSION.tar.gz" && curl -fsSLO --compressed "https://yarnpkg.com/downloads/$YARN_VERSION/yarn-v$YARN_VERSION.tar.gz.asc" && gpg --batch --verify yarn-v$YARN_VERSION.tar.gz.asc yarn-v$YARN_VERSION.tar.gz && mkdir -p /opt && tar -xzf yarn-v$YARN_VERSION.tar.gz -C /opt/ && ln -s /opt/yarn-v$YARN_VERSION/bin/yarn /usr/local/bin/yarn && ln -s /opt/yarn-v$YARN_VERSION/bin/yarnpkg /usr/local/bin/yarnpkg && rm yarn-v$YARN_VERSION.tar.gz.asc yarn-v$YARN_VERSION.tar.gz && apk del .build-deps-yarn CMD ["node"] RUN RUN /bin/sh -c apk update && apk add curl nginx # buildkit RUN HEALTHCHECK &{["CMD-SHELL" "node healthcheck.js"] "30s" "0s" "0s" '\x00'} RUN EXPOSE map[3000/tcp:{}]

The issue is in last 3 lines:

RUN RUN /bin/sh -c apk update && apk add curl nginx # buildkit RUN HEALTHCHECK &{["CMD-SHELL" "node healthcheck.js"] "30s" "0s" "0s" '\x00'} RUN EXPOSE map[3000/tcp:{}]

Policy evaluation result:

[zhill]

@sian58 thanks for reporting this. We'll investigate and see if this is a change in our code or a change in image construction/layers somehow that is causing it.

[zburstein]

I identified the block of code that is adding the RUN directive here https://github.com/anchore/anchore-engine/blob/f766973387dc2a7753367efed6da42f85948f3a7/anchore_engine/util/docker.py#L384-L384. The history entry for the line is

{'Created': '2021-06-07T06:07:13.8883505Z', 'CreatedBy': 'HEALTHCHECK &{["CMD-SHELL" "node healthcheck.js"] "30s" "0s" "0s" \'\\x00\'}', 'Comment': '', 'Id': '<missing>', 'Size': 0, 'Tags': []}

This fails to match the regex and the condition for prepending RUN to the command is met. The command here matches the command for the line in dockerhub's layer https://hub.docker.com/layers/s1an/nodehealthcheck/latestfromsys/images/sha256-6d3e2664b7e10875b3d7607daca7cc8d4c4d217b6c8d275ebdd66d356298aa4c?context=explore. Triaging the bug

[pvnovarese]

I am seeing this when using the grype/V2 scanner as well.

[arun542]

I am facing this too, is there a ETA on the fix ?