feat(misconf): normalize CreatedBy strings for COPY and ADD instructions for podman (buildah) images #8952

Open
nikpivkin opened this issue May 30, 2025 · 1 comment · May be fixed by #8953
Labels
kind/feature Categorizes issue or PR as related to a new feature. scan/misconfiguration Issues relating to misconfiguration scanning

Comments

@nikpivkin (Contributor)

Example Dockerfile:

FROM scratch
COPY . ./files
ADD readme readme

Build the image via podman build . --inherit-labels=false --tag myimage:test

History:

❯ podman history myimage:test --format "{{.CreatedBy}}" --no-trunc
/bin/sh -c #(nop) ADD file:24d346633efc860b5011cefa5c0af73006e74e5dfb3c5c0e9cb0e90a927931e1 in readme |inheritLabels=false
/bin/sh -c #(nop) COPY dir:55f494488e3d5d72974d2ecacf26a1989faabb3185b66505f2bb02394a6505ae in ./files |inheritLabels=false

Code for building a string in buildah: https://github.com/containers/buildah/blob/5a02e74b5d0f01e4d68ea0dcdbf5f5f444baa68f/imagebuildah/stage_executor.go#L1982

Discussed in #8943

@nikpivkin nikpivkin added kind/feature Categorizes issue or PR as related to a new feature. scan/misconfiguration Issues relating to misconfiguration scanning labels May 30, 2025
@nikpivkin (Contributor, Author)

After investigating this issue, I have found that only the string for the COPY instruction for the buildah and docker legacy builders needs to be cleaned up (removing in). We also need to investigate how the ||inheritLabels=false suffix might affect the checks that are added when the --inherit-labels flag is used in the buildah backend.
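The normalization the two comments above describe, as an added example that is not Trivy's or buildah's own code: it strips the legacy "/bin/sh -c #(nop)" prefix, peels the trailing "|inheritLabels=false" option buildah appends (so the flag's value stays available to checks instead of leaking into the instruction), and rewrites the "COPY <src> in <dst>" form into the "COPY <src> <dst>" shape a Dockerfile parser expects. The issue title names both COPY and ADD, so the rewrite is applied to both; the HistoryEntry type and NormalizeCreatedBy function are assumptions for this example, and the sample inputs are the two history lines quoted in the issue plus two constructed lines that must pass through unchanged.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// HistoryEntry is one CreatedBy string split into a Dockerfile-shaped
// instruction and the trailing "|key=value" options buildah appends.
// Hypothetical type for this example, not a Trivy type.
type HistoryEntry struct {
	Instruction string
	Options     map[string]string
}

// isOptionKey accepts keys like "inheritLabels"; anything with spaces or
// punctuation is treated as part of a shell command, not an option.
func isOptionKey(k string) bool {
	if k == "" {
		return false
	}
	for _, r := range k {
		if !unicode.IsLetter(r) && !unicode.IsDigit(r) {
			return false
		}
	}
	return true
}

// NormalizeCreatedBy turns one image-history CreatedBy line into the form a
// Dockerfile parser expects:
//   - peels trailing "|inheritLabels=false"-style suffixes into Options,
//   - drops the legacy "/bin/sh -c #(nop)" prefix,
//   - rewrites "COPY <src> in <dst>" / "ADD <src> in <dst>" to "COPY <src> <dst>".
// Lines without the "#(nop)" prefix (RUN, BuildKit) are returned trimmed.
func NormalizeCreatedBy(createdBy string) HistoryEntry {
	s := strings.TrimSpace(createdBy)
	opts := map[string]string{}

	// buildah appends "|inheritLabels=false" when --inherit-labels is used;
	// strip every trailing "|key=value" so the parser never sees them.
	for {
		i := strings.LastIndex(s, "|")
		if i < 0 {
			break
		}
		k, v, ok := strings.Cut(strings.TrimSpace(s[i+1:]), "=")
		if !ok || !isOptionKey(k) {
			break // a "|" inside a shell pipeline, not an option
		}
		opts[k] = v
		s = strings.TrimSpace(s[:i])
	}

	if rest, ok := strings.CutPrefix(s, "/bin/sh -c #(nop)"); ok {
		s = strings.TrimSpace(rest)
		for _, instr := range []string{"COPY", "ADD"} {
			if !strings.HasPrefix(s, instr+" ") {
				continue
			}
			// "dir:<hash> in ./files" -> "dir:<hash> ./files"; the source is a
			// content hash without spaces, so the first " in " is the separator.
			if src, dst, found := strings.Cut(strings.TrimPrefix(s, instr+" "), " in "); found {
				s = instr + " " + strings.TrimSpace(src) + " " + strings.TrimSpace(dst)
			}
			break
		}
	}
	return HistoryEntry{Instruction: s, Options: opts}
}

func main() {
	// Constructed sample input: the two buildah lines quoted in the issue,
	// plus a BuildKit line and a legacy RUN line that must pass through unchanged.
	samples := []string{
		"/bin/sh -c #(nop) ADD file:24d346633efc860b5011cefa5c0af73006e74e5dfb3c5c0e9cb0e90a927931e1 in readme |inheritLabels=false",
		"/bin/sh -c #(nop) COPY dir:55f494488e3d5d72974d2ecacf26a1989faabb3185b66505f2bb02394a6505ae in ./files |inheritLabels=false",
		"COPY ./foo /foo # buildkit",
		"/bin/sh -c echo a | grep a",
	}
	for _, s := range samples {
		e := NormalizeCreatedBy(s)
		fmt.Printf("%s  options=%v\n", e.Instruction, e.Options)
	}
}
```

The option-peeling loop runs before the prefix check so that a RUN line containing a shell pipe ("echo a | grep a") is left alone: the text after its last "|" is not a key=value pair, so the loop stops immediately.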
