Using Unnamed Build Stages

  • Query id: 68a51e22-ae5a-4d48-8e87-b01a323605c9
  • Query name: Using Unnamed Build Stages
  • Platform: Dockerfile
  • Severity: Low
  • Category: Build Process
  • CWE: 710
  • URL: Github

Description

This query checks that every stage of a multi-stage build is named with `FROM ... AS <name>`, so that `COPY --from=` refers to a stage by name instead of by its positional index (`--from=0`). A positional reference silently points at a different stage as soon as stages are re-ordered or a new stage is inserted; a named reference keeps the COPY instruction working.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - dockerfile file
FROM golang:1.16
WORKDIR /go/src/github.com/foo/href-counter/
RUN go get -d -v golang.org/x/net/html
COPY app.go ./
RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .

FROM alpine:latest
RUN apk --no-cache add ca-certificates
WORKDIR /root/
COPY --from=0 /go/src/github.com/foo/href-counter/app ./
CMD ["./app"]

Code samples without security vulnerabilities

Negative test num. 1 - dockerfile file
FROM golang:1.7.3 AS builder
WORKDIR /go/src/github.com/foo/href-counter/
RUN go get -d -v golang.org/x/net/html
COPY app.go    .
RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .

# another dockerfile
FROM alpine:latest
RUN apk --no-cache add ca-certificates
WORKDIR /root/
COPY --from=builder /go/src/github.com/foo/href-counter/app .
CMD ["./app"]
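The following is an added example, not part of the KICS query itself, showing the detection logic this query describes as a small stand-alone linter. It records each `FROM` line as a stage (with its `AS` name when present) and flags every `COPY --from=` that uses a numeric index, also noting when that index does not resolve to an earlier stage. The two embedded Dockerfiles are the positive and negative samples from this page; the `Finding` type and function names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Positive (flagged) sample from this page: the second stage copies from stage 0 by index.
UNNAMED = """\
FROM golang:1.16
WORKDIR /go/src/github.com/foo/href-counter/
RUN go get -d -v golang.org/x/net/html
COPY app.go ./
RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .

FROM alpine:latest
RUN apk --no-cache add ca-certificates
WORKDIR /root/
COPY --from=0 /go/src/github.com/foo/href-counter/app ./
CMD ["./app"]
"""

# Negative (clean) sample from this page: the build stage is named and referenced by name.
NAMED = """\
FROM golang:1.7.3 AS builder
WORKDIR /go/src/github.com/foo/href-counter/
RUN go get -d -v golang.org/x/net/html
COPY app.go    .
RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .

# another dockerfile
FROM alpine:latest
RUN apk --no-cache add ca-certificates
WORKDIR /root/
COPY --from=builder /go/src/github.com/foo/href-counter/app .
CMD ["./app"]
"""


@dataclass
class Finding:
    line: int      # 1-based line number of the offending COPY
    text: str      # the instruction as written
    reason: str    # why it was flagged


# FROM [--flag ...] <image> [AS <name>]  (instruction keywords are case-insensitive)
FROM_RE = re.compile(r"^FROM\s+(?:--\S+\s+)*(\S+)(?:\s+AS\s+(\S+))?", re.IGNORECASE)
# COPY [--flag ...] --from=<ref> ...  (flags may precede --from, e.g. --chown)
COPY_FROM_RE = re.compile(r"^COPY\s+(?:--\S+\s+)*?--from=(\S+)", re.IGNORECASE)


def find_unnamed_stage_refs(dockerfile: str) -> List[Finding]:
    """Return one Finding per COPY --from=<N> that refers to a stage by position."""
    stages: List[Optional[str]] = []   # stage names in order; None for an unnamed stage
    findings: List[Finding] = []
    for lineno, raw in enumerate(dockerfile.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = FROM_RE.match(line)
        if m:
            stages.append(m.group(2))
            continue
        m = COPY_FROM_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if not ref.isdigit():
            continue   # a stage name or an external image reference: not this query's concern
        idx = int(ref)
        if idx < len(stages) - 1:
            reason = (f"--from={ref} refers to stage {ref} by position; name it with "
                      f"'FROM ... AS <name>' and use --from=<name>")
        else:
            reason = f"--from={ref} does not resolve to a stage defined earlier in the file"
        findings.append(Finding(lineno, line, reason))
    return findings


if __name__ == "__main__":
    for label, content in (("positive", UNNAMED), ("negative", NAMED)):
        results = find_unnamed_stage_refs(content)
        print(f"{label}: {len(results)} finding(s)")
        for f in results:
            print(f"  line {f.line}: {f.text}\n    {f.reason}")
```

Running the module prints one finding for the positive sample (the `COPY --from=0` on line 10) and none for the negative sample. Non-numeric `--from=` values are deliberately skipped, because `--from` may also legitimately name an external image rather than a build stage.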