The rule dockerfile.best-practice.missing-image-version.missing-image-version does not handle intermediate stages using earlier stages
Describe the bug: e.g.
FROM python:3.10.1-alpine3.15@sha256:4be65b406f7402b5c4fd5df7173d2fd7ea3fdaa74d9c43b6ebd896197a45c448 as base
# ruleid: missing-image-version
FROM base AS BUILD
To Reproduce: Use the above example of a Dockerfile.
Expected behavior: Intermediate build steps should not be affected by this rule.
What is the priority of the bug to you?
P2
Environment: semgrep docker
Use case: What will fixing this bug enable for you? I currently have to run individual rules inside the docker ruleset to avoid running dockerfile.best-practice.missing-image-version.missing-image-version.
This issue is synced in Linear at https://linear.app/r2c/issue/PA-1207/the-rule-dockerfilebest-practicemissing-image-versionmissing-image. Note: this link is for r2c use only and is not accessible publicly.
moved to semgrep-rules
Here's a simple repro of this bug: https://semgrep.dev/s/K1Rn
Pattern:
FROM $IMAGE AS $ALIAS
FROM $ALIAS
Target code:
# matches
FROM a as b
FROM b
# should match too
FROM a as base
FROM base
This bug will be fixed by https://github.com/returntocorp/semgrep/pull/6130
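The expected behavior from the report, sketched as a standalone checker (an added example, not the Semgrep rule and not code from this thread): a `FROM` line is only reported when it lacks a tag or digest and does not name an earlier stage. The function names, the regex and the sample Dockerfile are assumptions made for illustration; stage aliases are compared case-insensitively here.

```python
import re

# Illustrative parser for: FROM [--flag=value ...] <image> [AS <alias>]
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--\S+\s+)*(?P<image>\S+)(?:\s+AS\s+(?P<alias>\S+))?\s*$",
    re.IGNORECASE,
)


def has_version(image):
    """True if the image reference carries a tag or a digest."""
    if "@" in image:  # digest pin, e.g. name@sha256:...
        return True
    # Only look after the last '/', so a registry host:port is not
    # mistaken for a tag (localhost:5000/app has no tag).
    return ":" in image.rsplit("/", 1)[-1]


def unversioned_from_lines(dockerfile):
    """Return (line_number, image) for FROM lines without a tag or digest,
    skipping references to earlier build stages and 'scratch'."""
    stages = set()  # aliases declared so far, lower-cased
    findings = []
    for lineno, line in enumerate(dockerfile.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        image, alias = m.group("image"), m.group("alias")
        is_stage = image.lower() in stages
        if not is_stage and image != "scratch" and not has_version(image):
            findings.append((lineno, image))
        if alias:
            stages.add(alias.lower())
    return findings


# Constructed sample combining the Dockerfile shapes from this thread.
SAMPLE = """\
FROM python:3.10.1-alpine3.15 as base
FROM base AS BUILD
FROM a as b
FROM b
FROM build
"""

if __name__ == "__main__":
    for lineno, image in unversioned_from_lines(SAMPLE):
        print(f"line {lineno}: image '{image}' has no tag or digest")
```
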