gitea-mirror/trivy
1
0
Fork 0
mirror of https://github.com/aquasecurity/trivy.git synced 2025-12-12 15:50:15 -08:00
Code Issues Packages Projects Releases Wiki Activity

fix(misconf): strip build metadata suffixes from image history (#9498)

Browse Source 
Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
This commit is contained in:
Nikita Pivkin
2025-09-22 12:46:14 +06:00
committed by GitHub
parent aff03ebab2
commit c9388069a4
2 changed files with 18 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
pkg/fanal/analyzer/imgconf/dockerfile/dockerfile.go
View File

@@ -111,9 +111,8 @@ func imageConfigToDockerfile(cfg *v1.ConfigFile) []byte {
}
}
}
// Remove Buildah-specific suffix (currently only `|inherit Labels=false`)
// cf. https://github.com/containers/buildah/blob/5a02e74b5d0f01e4d68ea0dcdbf5f5f444baa68f/imagebuildah/stage_executor.go#L1885
createdBy = strings.TrimSuffix(createdBy, "|inheritLabels=false")
createdBy = stripBuildMetadata(createdBy)
dockerfile.WriteString(strings.TrimSpace(createdBy) + "\n")
}
@@ -126,6 +125,17 @@ func imageConfigToDockerfile(cfg *v1.ConfigFile) []byte {
return dockerfile.Bytes()
}
var metadataRe = regexp.MustCompile(`\|[a-zA-Z0-9_-]+=[^ \t]+`)
// stripBuildMetadata removes build metadata suffixes appended by container build backends
// (e.g., Buildah, Buildkit). Each suffix has the form "|key=value".
// Example: "/bin/sh -c #(nop) HEALTHCHECK NONE|unsetLabel=true|inheritLabels=false|force-mtime=10"
// c.f. Buildah source for metadata construction:
// https://github.com/containers/buildah/blob/fb473e4d538f693f8b3ee3f8f2ed93a2abed5064/imagebuildah/stage_executor.go#L2616
func stripBuildMetadata(line string) string {
return metadataRe.ReplaceAllString(line, "")
}
func buildRunInstruction(s string) string {
pos := strings.Index(s, "/bin/sh -c")
if pos == -1 {

6
pkg/fanal/analyzer/imgconf/dockerfile/dockerfile_test.go
View File

@@ -435,7 +435,7 @@ ENTRYPOINT ["/bin/sh" "-c" "echo test"]
`,
},
{
name: "buildah backend or docker legacy builder (DOCKER_BUILDKIT=0)",
name: "remove backend-specific metadata suffixes",
input: &v1.ConfigFile{
History: []v1.History{
{
@@ -444,6 +444,9 @@ ENTRYPOINT ["/bin/sh" "-c" "echo test"]
{
CreatedBy: "/bin/sh -c #(nop) ADD file:24d346633efc860b5011cefa5c0af73006e74e5dfb3c5c0e9cb0e90a927931e1 in readme |inheritLabels=false",
},
{
CreatedBy: "/bin/sh -c #(nop) HEALTHCHECK NONE|unsetLabel=true|inheritLabels=false|force-mtime=10",
},
{
CreatedBy: `/bin/sh -c #(nop) ENTRYPOINT ["/bin/sh"]|inheritLabels=false`,
},
@@ -451,6 +454,7 @@ ENTRYPOINT ["/bin/sh" "-c" "echo test"]
},
expected: `COPY dir:3a024d8085bc39741a0a094a8e287a00a760975c7c2e6b5dc6c7d3174b7d1ab6 ./files
ADD file:24d346633efc860b5011cefa5c0af73006e74e5dfb3c5c0e9cb0e90a927931e1 readme
HEALTHCHECK NONE
ENTRYPOINT ["/bin/sh"]
`,
},