From e2b4061540f3ceac75d9e4ee34fb5c595afad1ae Mon Sep 17 00:00:00 2001
From: Rudy Regazzoni <110470341+rudy-regazzoni-sonarsource@users.noreply.github.com>
Date: Tue, 7 Jan 2025 10:24:20 +0100
Subject: [PATCH 1/5] SONARIAC-1856 Update S7019 content
---
 rules/S7019/docker/rule.adoc | 47 ++++++++++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)
diff --git a/rules/S7019/docker/rule.adoc b/rules/S7019/docker/rule.adoc
index b58061fac80..3b625b8a21c 100644
--- a/rules/S7019/docker/rule.adoc
+++ b/rules/S7019/docker/rule.adoc
@@ -10,6 +10,15 @@ This can cause problems when trying to gracefully stop containers because the ma
 Moreover, the exec form provides more control and predictability over the execution of the command.
 It does not invoke a command shell, which means it does not have the potential side effects of shell processing.
+Although, the exec form does not allow shell features such as variable expansion, piping (`|`) and command chaining (`&&`, `||`, `;`).
+In case you need to use these features, there is few alternatives:
+- create a wrapper script
+- explicitly specify the shell with the `SHELL` instruction before the `CMD` or `ENTRYPOINT` instruction
+
+=== Exceptions
+
+As mentioned above, this rule will not raise an issue if the `SHELL` instruction is used before the `CMD` or `ENTRYPOINT` instruction, as we consider this is a conscious decision.
+
 == How to fix it
 === Code examples
@@ -22,6 +31,22 @@ FROM scratch
 ENTRYPOINT echo "Welcome!"
 ----
+[source,docker,diff-id=2,diff-type=noncompliant]
+----
+FROM scratch
+ENTRYPOINT echo "Long script with chaining commands" \
+ && echo "Welcome!" \
+ && echo "Goodbye"
+----
+
+[source,docker,diff-id=3,diff-type=noncompliant]
+----
+FROM scratch
+ENTRYPOINT echo "Long script with chaining commands" \
+ && echo "Welcome!" \
+ && echo "Goodbye"
+----
+
 ==== Compliant solution
 [source,docker,diff-id=1,diff-type=compliant]
@@ -30,6 +55,28 @@ FROM scratch
 ENTRYPOINT ["echo", "Welcome!"]
 ----
+[source,docker,diff-id=1,diff-type=compliant]
+----
+FROM scratch
+SHELL ["/bin/bash", "-c"]
+ENTRYPOINT echo "Long script with chaining commands" \
+ && echo "Welcome!" \
+ && echo "Goodbye"
+----
+
+[source,docker,diff-id=3,diff-type=compliant]
+----
+FROM scratch
+ENTRYPOINT ["/entrypoint.sh"]
+----
+
+With entrypoint.sh containing:
+```
+echo "Long script with chaining commands"
+&& echo "Welcome!"
+&& echo "Goodbye"
+```
+
 == Resources
 === Documentation
From f90fd2fb4498dac461a79e5318b53eab1ac8fdfd Mon Sep 17 00:00:00 2001
From: Rudy Regazzoni <110470341+rudy-regazzoni-sonarsource@users.noreply.github.com>
Date: Tue, 7 Jan 2025 11:38:58 +0100
Subject: [PATCH 2/5] Remove script example
---
 rules/S7019/docker/rule.adoc | 7 -------
 1 file changed, 7 deletions(-)
diff --git a/rules/S7019/docker/rule.adoc b/rules/S7019/docker/rule.adoc
index 3b625b8a21c..5a3f2c0e722 100644
--- a/rules/S7019/docker/rule.adoc
+++ b/rules/S7019/docker/rule.adoc
@@ -70,13 +70,6 @@ FROM scratch
 ENTRYPOINT ["/entrypoint.sh"]
 ----
-With entrypoint.sh containing:
-```
-echo "Long script with chaining commands"
-&& echo "Welcome!"
-&& echo "Goodbye"
-```
-
 == Resources
 === Documentation
From 0719796eee8fb0d05f64fd9478df625a0f362b2b Mon Sep 17 00:00:00 2001
From: Rudy Regazzoni <110470341+rudy-regazzoni-sonarsource@users.noreply.github.com>
Date: Tue, 7 Jan 2025 11:46:01 +0100
Subject: [PATCH 3/5] Fix id
---
 rules/S7019/docker/rule.adoc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/S7019/docker/rule.adoc b/rules/S7019/docker/rule.adoc
index 5a3f2c0e722..5a8ea3935ae 100644
--- a/rules/S7019/docker/rule.adoc
+++ b/rules/S7019/docker/rule.adoc
@@ -55,7 +55,7 @@ FROM scratch
 ENTRYPOINT ["echo", "Welcome!"]
 ----
-[source,docker,diff-id=1,diff-type=compliant]
+[source,docker,diff-id=2,diff-type=compliant]
 ----
 FROM scratch
 SHELL ["/bin/bash", "-c"]
From dd2372c5813dbb1fcf68f1f1981f253f7e13b320 Mon Sep 17 00:00:00 2001
From: Rudy Regazzoni <110470341+rudy-regazzoni-sonarsource@users.noreply.github.com>
Date: Wed, 8 Jan 2025 15:06:48 +0100
Subject: [PATCH 4/5] Update rules/S7019/docker/rule.adoc
Co-authored-by: Jonas Wielage
---
 rules/S7019/docker/rule.adoc | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/rules/S7019/docker/rule.adoc b/rules/S7019/docker/rule.adoc
index 5a8ea3935ae..c5bcb11806b 100644
--- a/rules/S7019/docker/rule.adoc
+++ b/rules/S7019/docker/rule.adoc
@@ -10,14 +10,16 @@ This can cause problems when trying to gracefully stop containers because the ma
 Moreover, the exec form provides more control and predictability over the execution of the command.
 It does not invoke a command shell, which means it does not have the potential side effects of shell processing.
-Although, the exec form does not allow shell features such as variable expansion, piping (`|`) and command chaining (`&&`, `||`, `;`).
-In case you need to use these features, there is few alternatives:
-- create a wrapper script
-- explicitly specify the shell with the `SHELL` instruction before the `CMD` or `ENTRYPOINT` instruction
 === Exceptions
-As mentioned above, this rule will not raise an issue if the `SHELL` instruction is used before the `CMD` or `ENTRYPOINT` instruction, as we consider this is a conscious decision.
+The exec form does not allow shell features such as variable expansion, piping (`|`) and command chaining (`&&`, `||`, `;`).
+In case you need to use these features, there are a few alternatives:
+* Creation of a wrapper script
+* Explicitly specify the shell to use with the `SHELL` instruction before `CMD` or `ENTRYPOINT`
+
+
+This rule will not raise an issue if the `SHELL` instruction is used before the `CMD` or `ENTRYPOINT` instruction, as we consider this a conscious decision.
 == How to fix it
From 2b73abaa952fa3a5e0dd88bf931e7e3c81b2273f Mon Sep 17 00:00:00 2001
From: Rudy Regazzoni <110470341+rudy-regazzoni-sonarsource@users.noreply.github.com>
Date: Wed, 8 Jan 2025 15:12:33 +0100
Subject: [PATCH 5/5] Address review comment
---
 rules/S7019/docker/rule.adoc | 10 +---------
 1 file changed, 1 insertion(+), 9 deletions(-)
diff --git a/rules/S7019/docker/rule.adoc b/rules/S7019/docker/rule.adoc
index 5a8ea3935ae..b312026cae5 100644
--- a/rules/S7019/docker/rule.adoc
+++ b/rules/S7019/docker/rule.adoc
@@ -39,14 +39,6 @@ ENTRYPOINT echo "Long script with chaining commands" \
 && echo "Goodbye"
 ----
-[source,docker,diff-id=3,diff-type=noncompliant]
-----
-FROM scratch
-ENTRYPOINT echo "Long script with chaining commands" \
- && echo "Welcome!" \
- && echo "Goodbye"
-----
-
 ==== Compliant solution
 [source,docker,diff-id=1,diff-type=compliant]
@@ -64,7 +56,7 @@ ENTRYPOINT echo "Long script with chaining commands" \
 && echo "Goodbye"
 ----
-[source,docker,diff-id=3,diff-type=compliant]
+[source,docker,diff-id=2,diff-type=compliant]
 ----
 FROM scratch
 ENTRYPOINT ["/entrypoint.sh"]