Open sian58 opened 3 years ago
@sian58 thanks for reporting this. We'll investigate and see if this is a change in our code or a change in image construction/layers somehow that is causing it.
I identified the block of code that is adding the RUN
directive here https://github.com/anchore/anchore-engine/blob/f766973387dc2a7753367efed6da42f85948f3a7/anchore_engine/util/docker.py#L384-L384. The history entry for the line is
{'Created': '2021-06-07T06:07:13.8883505Z', 'CreatedBy': 'HEALTHCHECK &{["CMD-SHELL" "node healthcheck.js"] "30s" "0s" "0s" \'\\x00\'}', 'Comment': '', 'Id': '<missing>', 'Size': 0, 'Tags': []}
This fails to match the regex and the condition for prepending RUN
to the command is met. The command here matches the command for the line in dockerhub's layer https://hub.docker.com/layers/s1an/nodehealthcheck/latestfromsys/images/sha256-6d3e2664b7e10875b3d7607daca7cc8d4c4d217b6c8d275ebdd66d356298aa4c?context=explore. Triaging the bug
I am seeing this when using the grype/V2 scanner as well.
I am facing this too, is there a ETA on the fix ?
Is this a request for help?: Yes
Is this a BUG REPORT or a FEATURE REQUEST? (choose one): BUG REPORT
Version of Anchore Engine and Anchore CLI if applicable: engine- 0.9.0 and cli - 0.9.1
What happened:
Extra "RUN" directive is being added to "guessed docker file content" [table - images, column - dockerfile_contents] when image is built from another docker source This causes incorrect policy evaluation. e.g. even if HEALTHCHECK exists, policy evaluation results in "Dockerfile directive 'HEALTHCHECK' not found, matching condition 'not_exists' check"
What did you expect to happen: The guessed image should not have extra RUN directive If HEALTHCHECK is there, policy evaluation should not result in "HEALTHCHECK not found"
Any relevant log output from /var/log/anchore:
What docker images are you using: docker pull s1an/nodehealthcheck:latestfromsys
How to reproduce the issue:
docker pull s1an/nodehealthcheck:latestfromsys
anchore-cli image add docker.io/s1an/nodehealthcheck:latestfromsys
http://localhost:8228/v1/images/by_id/b799c2ed1e2f26f59615972d8eb95e8f8e8e40ae492c61f5e8deb9d341e99fed/check?tag=latestfromsys
Anything else we need to know: Original dockerfile:
FROM node:6.16.0-alpine
RUN apk update && apk add curl nginx
HEALTHCHECK --interval=30s CMD node healthcheck.js
EXPOSE 3000
Guessed dockerfile content from table:
FROM scratch
ADD file:91fb97ea3549e52e7b6e22b93a6736cf915c756f3d13348406d8ad5f1a872680 in /
CMD ["/bin/sh"]
ENV NODE_VERSION=6.16.0
RUN /bin/sh -c addgroup -g 1000 node && adduser -u 1000 -G node -s /bin/sh -D node && apk add --no-cache libstdc++ && apk add --no-cache --virtual .build-deps binutils-gold curl g++ gcc gnupg libgcc linux-headers make python && for key in 94AE36675C464D64BAFA68DD7434390BDBE9B9C5 FD3A5288F042B6850C66B31F09FE44734EB7990E 71DCFD284A79C3B38668286BC97EC7A07EDE3FC1 DD8F2338BAE7501E3DD5AC78C273792F7D83545D C4F0DFFF4E8C1A8236409D08E73BC641CC11F4C8 B9AE9905FFD7803F25714661B63B535A4C206CA9 77984A986EBC2AA786BC0F66B01FBB92821C587A 8FCCA13FEF1D0C2E91008E09770F7A9A5AE15600 4ED778F539E3634C779C87C6D7062848A1AB005C A48C2BEE680E841632CD4E44F07496B3EB3C1762 B9E2F5981AA6E0CD28160D9FF13993A75599653C ; do gpg --batch --keyserver hkp://p80.pool.sks-keyservers.net:80 --recv-keys "$key" || gpg --batch --keyserver hkp://ipv4.pool.sks-keyservers.net --recv-keys "$key" || gpg --batch --keyserver hkp://pgp.mit.edu:80 --recv-keys "$key" ; done && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION.tar.xz" && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/SHASUMS256.txt.asc" && gpg --batch --decrypt --output SHASUMS256.txt SHASUMS256.txt.asc && grep " node-v$NODE_VERSION.tar.xz\$" SHASUMS256.txt | sha256sum -c - && tar -xf "node-v$NODE_VERSION.tar.xz" && cd "node-v$NODE_VERSION" && ./configure && make -j$(getconf _NPROCESSORS_ONLN) && make install && apk del .build-deps && cd .. && rm -Rf "node-v$NODE_VERSION" && rm "node-v$NODE_VERSION.tar.xz" SHASUMS256.txt.asc SHASUMS256.txt
ENV YARN_VERSION=1.12.3
RUN /bin/sh -c apk add --no-cache --virtual .build-deps-yarn curl gnupg tar && for key in 6A010C5166006599AA17F08146C2130DFD2497F5 ; do gpg --batch --keyserver hkp://p80.pool.sks-keyservers.net:80 --recv-keys "$key" || gpg --batch --keyserver hkp://ipv4.pool.sks-keyservers.net --recv-keys "$key" || gpg --batch --keyserver hkp://pgp.mit.edu:80 --recv-keys "$key" ; done && curl -fsSLO --compressed "https://yarnpkg.com/downloads/$YARN_VERSION/yarn-v$YARN_VERSION.tar.gz" && curl -fsSLO --compressed "https://yarnpkg.com/downloads/$YARN_VERSION/yarn-v$YARN_VERSION.tar.gz.asc" && gpg --batch --verify yarn-v$YARN_VERSION.tar.gz.asc yarn-v$YARN_VERSION.tar.gz && mkdir -p /opt && tar -xzf yarn-v$YARN_VERSION.tar.gz -C /opt/ && ln -s /opt/yarn-v$YARN_VERSION/bin/yarn /usr/local/bin/yarn && ln -s /opt/yarn-v$YARN_VERSION/bin/yarnpkg /usr/local/bin/yarnpkg && rm yarn-v$YARN_VERSION.tar.gz.asc yarn-v$YARN_VERSION.tar.gz && apk del .build-deps-yarn
CMD ["node"]
RUN RUN /bin/sh -c apk update && apk add curl nginx # buildkit
RUN HEALTHCHECK &{["CMD-SHELL" "node healthcheck.js"] "30s" "0s" "0s" '\x00'}
RUN EXPOSE map[3000/tcp:{}]
The issue is in last 3 lines:
RUN RUN /bin/sh -c apk update && apk add curl nginx # buildkit RUN HEALTHCHECK &{["CMD-SHELL" "node healthcheck.js"] "30s" "0s" "0s" '\x00'} RUN EXPOSE map[3000/tcp:{}]
Policy evaluation result: