Open Porges opened 1 year ago
Just a heads-up that we've hit this in the Zeek project as well, in this Windows Dockerfile. In our case the complaint is:
Error: check runtime error: Pinned-Dependencies: internal error: error parsing shell code: ci/windows/Dockerfile:1:124: (( can only be used to open an arithmetic cmd
Also for us -- blocks running this on the dotnet/runtime repo.
RUN & .\dotnet-install.ps1 -Channel $env:_DOTNET_INSTALL_CHANNEL -Quality daily -InstallDir 'C:/Program Files/dotnet'
@afmarcum could you help set expectations on this? Perhaps it's to change "Pinned-Dependencies" to skip lines it can't parse.
Would love to be able to get a scorecard for dotnet/runtime, it's one of the most active repos on GitHub by their measures.
@danmoseley I believe this was fixed in #3515, which hasn't entered a release yet.
Running Scorecard with that PR, we get the following output for Pinned-Dependencies for dotnet/runtime:
{
  "details": [
    "Info: Possibly incomplete results: error parsing shell code: & can only immediately follow a statement: eng/docker/libraries-sdk.windows.Dockerfile:14",
    "Info: Possibly incomplete results: error parsing shell code: & can only immediately follow a statement: eng/docker/libraries-sdk.windows.Dockerfile:23",
    "Info: Possibly incomplete results: error parsing shell code: \"fi\" can only be used to end an if: eng/testing/RunnerTemplate.sh:0",
    # ... unpinned things ...
    "Warn: containerImage not pinned by hash: eng/docker/libraries-sdk.windows.Dockerfile:4",
    # ... more unpinned things ...
    "Info: 0 out of 8 GitHub-owned GitHubAction dependencies pinned",
    "Info: 0 out of 1 third-party GitHubAction dependencies pinned",
    "Info: 0 out of 18 containerImage dependencies pinned",
    "Info: 0 out of 2 downloadThenRun dependencies pinned",
    "Info: 0 out of 2 npmCommand dependencies pinned"
  ],
  "score": 0,
  "reason": "dependency not pinned by hash detected -- score normalized to 0",
  "name": "Pinned-Dependencies",
  "documentation": {
    "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies",
    "short": "Determines if the project has declared and pinned the dependencies of its build process."
  }
}
Note that the parsing errors on the Dockerfile do not stop Scorecard from detecting that it is unpinned.
Describe the bug
Pinned-Dependencies parses commands in Dockerfiles using the sh (https://github.com/mvdan/sh) parser. However, Dockerfiles can use any shell they want using the SHELL statement. In particular, this means that Dockerfiles designed for Windows targets (and PowerShell) will often fail to parse.
Reproduction steps
Steps to reproduce the behavior: a Dockerfile with a SHELL which doesn't parse as sh (an example here) gives:
Pinned-Dependencies: internal error: error parsing shell code: src/runtime-tools/win64/Dockerfile:1:18: & can only immediately follow a statement
Expected behavior
Pinned-Dependencies should not assume that all Dockerfiles contain sh-compatible commands, especially if a SHELL statement is present.
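The behaviour the issue asks for, tracking the active SHELL instruction so that RUN lines written for a non-sh shell are set aside instead of being fed to an sh parser, while FROM images are still checked for a digest, as an added stand-alone example. This is not Scorecard's code and does not use mvdan/sh; the Dockerfile it scans is constructed for the example, the all-zero digest is a placeholder, and the list of shell names treated as sh-compatible is an assumption.

```go
package main

import (
	"fmt"
	"strings"
)

// DockerfileReport summarises one pass over a Dockerfile: which FROM images
// are pinned by digest, and which RUN bodies the active SHELL makes safe to
// hand to an sh parser versus which should be skipped.
type DockerfileReport struct {
	PinnedImages    []string // FROM images carrying an @sha256: digest
	UnpinnedImages  []string // FROM images referenced by tag or name only
	ShRunLines      []string // RUN bodies under an sh-compatible shell
	SkippedRunLines []string // RUN bodies under another shell (e.g. PowerShell)
}

// shCompatible reports whether the executable named by a SHELL instruction
// speaks a grammar the sh parser can handle. Only the basename matters, and
// a Windows ".exe" suffix is ignored. The set of names is an assumption.
func shCompatible(shell string) bool {
	base := shell[strings.LastIndexAny(shell, `/\`)+1:]
	switch strings.ToLower(strings.TrimSuffix(base, ".exe")) {
	case "sh", "bash", "dash", "ash":
		return true
	}
	return false
}

// parseShellInstruction extracts the executable from the JSON-array form of
// SHELL, e.g. SHELL ["powershell", "-Command"] yields "powershell".
func parseShellInstruction(args string) string {
	args = strings.TrimSpace(args)
	args = strings.TrimSuffix(strings.TrimPrefix(args, "["), "]")
	first := strings.SplitN(args, ",", 2)[0]
	return strings.Trim(strings.TrimSpace(first), `"'`)
}

// AnalyzeDockerfile walks the file one logical instruction at a time. Line
// continuations are joined first. The shell starts as /bin/sh (assumed default),
// a SHELL instruction changes it for every later RUN, and a new FROM starts a
// new stage, so the shell is reset to the default there.
func AnalyzeDockerfile(src string) DockerfileReport {
	var rep DockerfileReport
	joined := strings.ReplaceAll(src, "\\\n", " ")
	shell := "/bin/sh"
	for _, line := range strings.Split(joined, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.SplitN(line, " ", 2)
		instr := strings.ToUpper(fields[0])
		args := ""
		if len(fields) == 2 {
			args = strings.TrimSpace(fields[1])
		}
		switch instr {
		case "FROM":
			shell = "/bin/sh"
			// Skip flags such as --platform=...; the first bare word is the image,
			// and any trailing "AS name" alias is ignored.
			for _, f := range strings.Fields(args) {
				if strings.HasPrefix(f, "--") {
					continue
				}
				if strings.Contains(f, "@sha256:") {
					rep.PinnedImages = append(rep.PinnedImages, f)
				} else {
					rep.UnpinnedImages = append(rep.UnpinnedImages, f)
				}
				break
			}
		case "SHELL":
			shell = parseShellInstruction(args)
		case "RUN":
			if shCompatible(shell) {
				rep.ShRunLines = append(rep.ShRunLines, args)
			} else {
				rep.SkippedRunLines = append(rep.SkippedRunLines, args)
			}
		}
	}
	return rep
}

// constructedDockerfile is a made-up two-stage file in the style discussed in
// the issue; the sha256 value is a placeholder, not a real image digest.
const constructedDockerfile = `FROM mcr.microsoft.com/windows/servercore:ltsc2022
SHELL ["powershell", "-Command"]
RUN & .\dotnet-install.ps1 -Channel $env:CHANNEL -InstallDir 'C:/dotnet'
FROM alpine@sha256:0000000000000000000000000000000000000000000000000000000000000000
RUN apk add --no-cache curl
`

func main() {
	rep := AnalyzeDockerfile(constructedDockerfile)
	fmt.Printf("unpinned images: %v\n", rep.UnpinnedImages)
	fmt.Printf("pinned images:   %v\n", rep.PinnedImages)
	fmt.Printf("sh RUN lines:    %v\n", rep.ShRunLines)
	fmt.Printf("skipped RUN lines (non-sh shell): %v\n", rep.SkippedRunLines)
}
```

The PowerShell RUN line that breaks the sh parser ends up in SkippedRunLines rather than aborting the scan, and the unpinned Windows base image is still reported, which matches the "possibly incomplete results" behaviour rather than the "internal error" one.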