SONARIAC-1840 Should only raise on instructions in the final image

Author: GabinL21

iac-extensions/docker/src/main/java/org/sonar/iac/docker/checks/AbstractFinalImageCheck.java

@@ -16,31 +16,47 @@
  */
 package org.sonar.iac.docker.checks;
 
+import java.util.function.BiConsumer;
 import org.sonar.iac.common.api.checks.CheckContext;
 import org.sonar.iac.common.api.checks.IacCheck;
 import org.sonar.iac.common.api.checks.InitContext;
+import org.sonar.iac.common.extension.visitors.TreeContext;
+import org.sonar.iac.common.extension.visitors.TreeVisitor;
 import org.sonar.iac.docker.checks.utils.MultiStageBuildInspector;
 import org.sonar.iac.docker.tree.api.Body;
 import org.sonar.iac.docker.tree.api.DockerTree;
-import org.sonar.iac.docker.tree.api.RunInstruction;
 
 public abstract class AbstractFinalImageCheck implements IacCheck {
 
+  private final TreeVisitor<FinalImageContext> visitor = new TreeVisitor<>();
+
   @Override
   public void initialize(InitContext init) {
-    init.register(Body.class, this::checkBody);
+    init.register(Body.class, this::processBody);
+    initializeOnFinalImage();
+  }
+
+  protected abstract void initializeOnFinalImage();
+
+  protected <T extends DockerTree> void register(Class<T> cls, BiConsumer<CheckContext, T> consumer) {
+    visitor.register(cls, (ctx, node) -> consumer.accept(ctx.checkContext, node));
   }
 
-  private void checkBody(CheckContext ctx, Body body) {
+  private void processBody(CheckContext checkContext, Body body) {
     var multiStageBuildInspector = MultiStageBuildInspector.of(body);
+    var stages = body.dockerImages();
+    var finalImageContext = new FinalImageContext(checkContext);
 
-    body.dockerImages().stream()
-      .flatMap(image -> image.instructions().stream())
-      .filter(instruction -> instruction.is(DockerTree.Kind.RUN))
-      .map(RunInstruction.class::cast)
-      .filter(multiStageBuildInspector::isInFinalImage)
-      .forEach(runInstruction -> checkRunInstructionFromFinalImage(ctx, runInstruction));
+    stages.stream()
+      .filter(multiStageBuildInspector::isStageInFinalImage)
+      .forEach(stage -> visitor.scan(finalImageContext, stage));
   }
 
-  protected abstract void checkRunInstructionFromFinalImage(CheckContext ctx, RunInstruction runInstruction);
+  static class FinalImageContext extends TreeContext {
+    public final CheckContext checkContext;
+
+    public FinalImageContext(CheckContext checkContext) {
+      this.checkContext = checkContext;
+    }
+  }
 }

iac-extensions/docker/src/main/java/org/sonar/iac/docker/checks/ConsecutiveRunInstructionCheck.java

@@ -22,8 +22,6 @@
 import java.util.Set;
 import org.sonar.check.Rule;
 import org.sonar.iac.common.api.checks.CheckContext;
-import org.sonar.iac.common.api.checks.IacCheck;
-import org.sonar.iac.common.api.checks.InitContext;
 import org.sonar.iac.common.api.checks.SecondaryLocation;
 import org.sonar.iac.docker.tree.api.DockerImage;
 import org.sonar.iac.docker.tree.api.DockerTree;
@@ -32,17 +30,17 @@
 import org.sonar.iac.docker.tree.api.RunInstruction;
 
 @Rule(key = "S7031")
-public class ConsecutiveRunInstructionCheck implements IacCheck {
+public class ConsecutiveRunInstructionCheck extends AbstractFinalImageCheck {
   private static final String PRIMARY_MESSAGE = "Merge this RUN instruction with the consecutive ones.";
   private static final String SECONDARY_MESSAGE = "consecutive RUN instruction";
 
   @Override
-  public void initialize(InitContext init) {
-    init.register(DockerImage.class, ConsecutiveRunInstructionCheck::checkFromRunsInstruction);
+  protected void initializeOnFinalImage() {
+    register(DockerImage.class, this::checkStageFromFinalImage);
   }
 
-  private static void checkFromRunsInstruction(CheckContext ctx, DockerImage image) {
-    var listOfConsecutiveRunInstructions = extractConsecutiveRunInstructions(image);
+  protected void checkStageFromFinalImage(CheckContext ctx, DockerImage stage) {
+    var listOfConsecutiveRunInstructions = extractConsecutiveRunInstructions(stage);
     for (List<RunInstruction> consecutiveRunInstructions : listOfConsecutiveRunInstructions) {
       var secondaryLocations = consecutiveRunInstructions.stream()
         .skip(1)

iac-extensions/docker/src/main/java/org/sonar/iac/docker/checks/PackageInstallationCacheCheck.java

@@ -106,6 +106,10 @@ private static CommandDetector buildRemoveCacheDetector(Set<String> cacheLocatio
   }
 
   @Override
+  protected void initializeOnFinalImage() {
+    register(RunInstruction.class, this::checkRunInstructionFromFinalImage);
+  }
+
   public void checkRunInstructionFromFinalImage(CheckContext ctx, RunInstruction runInstruction) {
     List<ArgumentResolution> resolvedArgument = CheckUtils.resolveInstructionArguments(runInstruction);
     Set<String> commandWithMountedCache = computeCachedCommands(retrieveMountedCachePath(runInstruction));

iac-extensions/docker/src/main/java/org/sonar/iac/docker/checks/SecretsGenerationCheck.java

@@ -216,6 +216,10 @@ public class SecretsGenerationCheck extends AbstractFinalImageCheck {
     CURL_USER_SHORT_FLAG_SPACE_PWD);
 
   @Override
+  protected void initializeOnFinalImage() {
+    register(RunInstruction.class, this::checkRunInstructionFromFinalImage);
+  }
+
   public void checkRunInstructionFromFinalImage(CheckContext ctx, RunInstruction runInstruction) {
     List<ArgumentResolution> resolvedArgument = CheckUtils.resolveInstructionArguments(runInstruction);
 

iac-extensions/docker/src/main/java/org/sonar/iac/docker/checks/utils/MultiStageBuildInspector.java

@@ -22,13 +22,10 @@
 import java.util.Optional;
 import java.util.Set;
 import org.sonar.iac.docker.symbols.ArgumentResolution;
-import org.sonar.iac.docker.tree.TreeUtils;
 import org.sonar.iac.docker.tree.api.Alias;
 import org.sonar.iac.docker.tree.api.Argument;
 import org.sonar.iac.docker.tree.api.Body;
 import org.sonar.iac.docker.tree.api.DockerImage;
-import org.sonar.iac.docker.tree.api.DockerTree;
-import org.sonar.iac.docker.tree.api.Instruction;
 import org.sonar.iac.docker.tree.api.SyntaxToken;
 
 public final class MultiStageBuildInspector {
@@ -49,11 +46,8 @@ public static boolean isLastStage(DockerImage dockerImage) {
     return dockerImage == getLastStage(body);
   }
 
-  public boolean isInFinalImage(Instruction instruction) {
-    return TreeUtils.firstAncestorOfKind(instruction, DockerTree.Kind.DOCKERIMAGE)
-      .map(DockerImage.class::cast)
-      .map(instructionStage -> isLastStage(instructionStage) || isStageDependencyOfFinalStage(instructionStage))
-      .orElse(true);
+  public boolean isStageInFinalImage(DockerImage dockerImage) {
+    return isLastStage(dockerImage) || isStageDependencyOfFinalStage(dockerImage);
   }
 
   private boolean isStageDependencyOfFinalStage(DockerImage stage) {

iac-extensions/docker/src/test/java/org/sonar/iac/docker/checks/ConsecutiveRunInstructionCheckTest.java

@@ -21,7 +21,12 @@
 class ConsecutiveRunInstructionCheckTest {
 
   @Test
-  void shouldVerifyCheck() {
+  void shouldRaiseIssuesOnNonCompliantInstructions() {
     DockerVerifier.verify("ConsecutiveRunInstructionCheck/ConsecutiveRunInstructionCheck.dockerfile", new ConsecutiveRunInstructionCheck());
   }
+
+  @Test
+  void shouldRaiseIssuesOnInstructionsInFinalImageOnly() {
+    DockerVerifier.verify("ConsecutiveRunInstructionCheck/ConsecutiveRunInstructionCheck_multiStage.dockerfile", new ConsecutiveRunInstructionCheck());
+  }
 }

iac-extensions/docker/src/test/java/org/sonar/iac/docker/checks/utils/MultiStageBuildInspectorTest.java

@@ -22,16 +22,12 @@
 import org.junit.jupiter.api.Test;
 import org.sonar.iac.docker.tree.api.Body;
 import org.sonar.iac.docker.tree.api.DockerImage;
-import org.sonar.iac.docker.tree.api.Instruction;
-import org.sonar.iac.docker.tree.api.RunInstruction;
 import org.sonar.iac.docker.tree.impl.AliasImpl;
 import org.sonar.iac.docker.tree.impl.ArgumentImpl;
 import org.sonar.iac.docker.tree.impl.BodyImpl;
 import org.sonar.iac.docker.tree.impl.DockerImageImpl;
 import org.sonar.iac.docker.tree.impl.FromInstructionImpl;
 import org.sonar.iac.docker.tree.impl.LiteralImpl;
-import org.sonar.iac.docker.tree.impl.RunInstructionImpl;
-import org.sonar.iac.docker.tree.impl.SingleArgumentListImpl;
 import org.sonar.iac.docker.tree.impl.SyntaxTokenImpl;
 
 import static org.assertj.core.api.Assertions.assertThat;
@@ -50,47 +46,39 @@ void shouldDetectLastStage() {
 
   @Test
   void shouldDetectInstructionsInFinalImage() {
-    var baseInstruction = createRunInstruction();
-    var baseStage = createDockerImage("ubuntu:latest", "base", baseInstruction);
-    var buildInstruction = createRunInstruction();
-    var buildStage = createDockerImage("base", "build", buildInstruction);
-    var otherInstruction = createRunInstruction();
-    var otherStage = createDockerImage("build", "other", otherInstruction);
-    var finalInstruction = createRunInstruction();
-    var finalStage = createDockerImage("build", "final", finalInstruction);
+    var baseStage = createDockerImage("ubuntu:latest", "base");
+    var buildStage = createDockerImage("base", "build");
+    var otherStage = createDockerImage("build", "other");
+    var finalStage = createDockerImage("build", "final");
     var body = createBody(buildStage, baseStage, otherStage, finalStage);
     var inspector = MultiStageBuildInspector.of(body);
 
-    assertThat(inspector.isInFinalImage(baseInstruction)).isTrue();
-    assertThat(inspector.isInFinalImage(buildInstruction)).isTrue();
-    assertThat(inspector.isInFinalImage(otherInstruction)).isFalse();
-    assertThat(inspector.isInFinalImage(finalInstruction)).isTrue();
+    assertThat(inspector.isStageInFinalImage(baseStage)).isTrue();
+    assertThat(inspector.isStageInFinalImage(buildStage)).isTrue();
+    assertThat(inspector.isStageInFinalImage(otherStage)).isFalse();
+    assertThat(inspector.isStageInFinalImage(finalStage)).isTrue();
   }
 
   @Test
   void shouldDetectInstructionsInFinalImageWithoutFinalAlias() {
-    var buildInstruction = createRunInstruction();
-    var buildStage = createDockerImage("ubuntu:latest", "build", buildInstruction);
-    var finalInstruction = createRunInstruction();
-    var finalStage = createDockerImage("build", null, finalInstruction);
+    var buildStage = createDockerImage("ubuntu:latest", "build");
+    var finalStage = createDockerImage("build", null);
     var body = createBody(buildStage, finalStage);
     var inspector = MultiStageBuildInspector.of(body);
 
-    assertThat(inspector.isInFinalImage(buildInstruction)).isTrue();
-    assertThat(inspector.isInFinalImage(finalInstruction)).isTrue();
+    assertThat(inspector.isStageInFinalImage(buildStage)).isTrue();
+    assertThat(inspector.isStageInFinalImage(finalStage)).isTrue();
   }
 
   @Test
   void shouldDetectInstructionsInFinalImageWithCircularDependencies() {
-    var buildInstruction = createRunInstruction();
-    var buildStage = createDockerImage("final", "build", buildInstruction);
-    var finalInstruction = createRunInstruction();
-    var finalStage = createDockerImage("build", "final", finalInstruction);
+    var buildStage = createDockerImage("final", "build");
+    var finalStage = createDockerImage("build", "final");
     var body = createBody(buildStage, finalStage);
     var inspector = MultiStageBuildInspector.of(body);
 
-    assertThat(inspector.isInFinalImage(buildInstruction)).isTrue();
-    assertThat(inspector.isInFinalImage(finalInstruction)).isTrue();
+    assertThat(inspector.isStageInFinalImage(buildStage)).isTrue();
+    assertThat(inspector.isStageInFinalImage(finalStage)).isTrue();
   }
 
   private Body createBody(DockerImage... dockerImages) {
@@ -100,22 +88,9 @@ private Body createBody(DockerImage... dockerImages) {
   }
 
   private static DockerImage createDockerImage(String imageName, @Nullable String aliasName) {
-    return createDockerImage(imageName, aliasName, createRunInstruction());
-  }
-
-  private static DockerImage createDockerImage(String imageName, @Nullable String aliasName, Instruction instruction) {
     var imageArgument = new ArgumentImpl(List.of(new LiteralImpl(new SyntaxTokenImpl(imageName, null, null))));
     var alias = aliasName != null ? new AliasImpl(null, new SyntaxTokenImpl(aliasName, null, null)) : null;
     var fromInstruction = new FromInstructionImpl(null, null, imageArgument, alias);
-    var image = new DockerImageImpl(fromInstruction, List.of(instruction));
-    instruction.setParent(image);
-    return image;
-  }
-
-  private static RunInstruction createRunInstruction() {
-    var command = "apt-get install nginx";
-    var commandLiteral = new LiteralImpl(new SyntaxTokenImpl(command, null, null));
-    var commandArgument = new ArgumentImpl(List.of(commandLiteral));
-    return new RunInstructionImpl(null, List.of(), new SingleArgumentListImpl(commandArgument));
+    return new DockerImageImpl(fromInstruction, List.of());
   }
 }

iac-extensions/docker/src/test/resources/checks/ConsecutiveRunInstructionCheck/ConsecutiveRunInstructionCheck.dockerfile

@@ -1,4 +1,6 @@
-FROM nonCompliantCaseSimpleCase
+FROM scratch
+
+CMD nonCompliantCaseSimpleCase
 # Noncompliant@+1 {{Merge this RUN instruction with the consecutive ones.}}
 RUN instruction 1
 # ^[sc=1;ec=3]
@@ -7,7 +9,7 @@ RUN instruction 2
 RUN instruction 3
 # ^[sc=1;ec=3]< {{consecutive RUN instruction}}
 
-FROM nonCompliantRaiseSeparateIssues
+CMD nonCompliantRaiseSeparateIssues
 # Noncompliant@+1
 RUN instruction 1
 # ^[sc=1;ec=3]
@@ -20,7 +22,7 @@ RUN instruction 3
 RUN instruction 4
 # ^[sc=1;ec=3]<
 
-FROM nonCompliantNotAtTheBeginningOrAtTheEnd
+CMD nonCompliantNotAtTheBeginningOrAtTheEnd
 WORKDIR something
 # Noncompliant@+1
 RUN instruction 1
@@ -29,7 +31,7 @@ RUN instruction 2
 # ^[sc=1;ec=3]<
 CMD something else
 
-FROM nonCompliantMultipleForm
+CMD nonCompliantMultipleForm
 # Noncompliant@+1
 RUN instruction 1
 # ^[sc=1;ec=3]
@@ -40,7 +42,7 @@ instruction 3
 EOF
 # ^[sc=1;ec=3]@-2<
 
-FROM nonCompliantRealUseCase1
+CMD nonCompliantRealUseCase1
 # Noncompliant@+1
 RUN curl -SL "https://nodejs.org/dist/v${NODE_VERSION}/node-v${NODE_VERSION}-linux-x64.tar.gz" --output nodejs.tar.gz
 # ^[sc=1;ec=3]
@@ -53,77 +55,76 @@ RUN rm nodejs.tar.gz
 RUN ln -s /usr/local/bin/node /usr/local/bin/nodejs
 # ^[sc=1;ec=3]<
 
-FROM nonCompliantRealUseCase2
+CMD nonCompliantRealUseCase2
 # Noncompliant@+1
 RUN curl -SL "https://nodejs.org/dist/v${NODE_VERSION}/node-v${NODE_VERSION}-linux-x64.tar.gz" --output nodejs.tar.gz
 # ^[sc=1;ec=3]
 RUN echo "$NODE_DOWNLOAD_SHA nodejs.tar.gz" | sha256sum -c -
 # ^[sc=1;ec=3]<
 
-FROM compliantBecauseTheyAreSeparated
+CMD compliantBecauseTheyAreSeparated
 RUN instruction 1
 WORKDIR /root
 RUN instruction 2
 
-FROM compliantBecauseWeCompareOnlyRootInstruction
+CMD compliantBecauseWeCompareOnlyRootInstruction
 RUN instruction 1
 ONBUILD RUN instruction 2
 RUN instruction 3
 
-FROM compliantBecauseWeOnlyCheckRunInstruction
+CMD compliantBecauseWeOnlyCheckRunInstruction
 RUN instruction 1
 CMD instruction 2
 CMD instruction 3
 RUN instruction 4
 
-FROM compliantDontDetectRunInstructionInHeredoc
+CMD compliantDontDetectRunInstructionInHeredoc
 RUN <<EOF
 RUN instruction 1
 RUN instruction 2
 RUN instruction 3
 EOF
 
-FROM compliantRealUseCase
+CMD compliantRealUseCase
 RUN curl -SL "https://nodejs.org/dist/v${NODE_VERSION}/node-v${NODE_VERSION}-linux-x64.tar.gz" --output nodejs.tar.gz \
 && echo "$NODE_DOWNLOAD_SHA nodejs.tar.gz" | sha256sum -c - \
 && tar -xzf "nodejs.tar.gz" -C /usr/local --strip-components=1 \
 && rm nodejs.tar.gz \
 && ln -s /usr/local/bin/node /usr/local/bin/nodejs
 
-FROM scratch
+CMD scratch
 # Noncompliant@+1
 RUN my command
 RUN other command
 
-FROM scratch
+CMD scratch
 # Compliant, different options cannot be merged
 RUN --security=insecure my command
 RUN other command
 
-FROM scratch
+CMD scratch
 # Compliant, different options cannot be merged
 RUN --security=insecure my command
 RUN --mount=type=bind,source=/tmp,target=/tmp other command
 
 # Compliant; instructions with the same options are not consecutive
-FROM scratch
+CMD scratch
 RUN --security=insecure my command
 RUN --mount=type=bind,source=/tmp,target=/tmp other command
 RUN --security=insecure my other command
 
-FROM scratch
+CMD scratch
 # Noncompliant@+1
 RUN --security=insecure my command
 RUN --security=insecure other command
 
-FROM scratch
+CMD scratch
 # Noncompliant@+1
 RUN --security=insecure --network=none my command
 RUN --network=none --security=insecure other command
 
-FROM scratch
+CMD scratch
 RUN --security=insecure my command
-
 # Noncompliant@+1
 RUN other command
 RUN yet another command