fix(image): add logic to detect empty layers (aquasecurity#2790)

* add logic to detect empty layers * add test for createdBy from buildkit
qadirluo · Aug 30, 2022 · 2473b2c · 2473b2c
1 parent 9d018d4
commit 2473b2c
Show file tree

Hide file tree

Showing 2 changed files with 103 additions and 1 deletion.
diff --git a/pkg/fanal/image/daemon/image.go b/pkg/fanal/image/daemon/image.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"io"
 	"os"
+	"strings"
 	"sync"
 	"time"
 
@@ -153,12 +154,39 @@ func (img *image) configHistory() []v1.History {
 			},
 			CreatedBy:  h.CreatedBy,
 			Comment:    h.Comment,
-			EmptyLayer: h.Size == 0,
+			EmptyLayer: emptyLayer(h),
 		})
 	}
 	return history
 }
 
+func emptyLayer(history dimage.HistoryResponseItem) bool {
+	if history.Size != 0 {
+		return false
+	}
+	createdBy := strings.TrimSpace(strings.TrimLeft(history.CreatedBy, "/bin/sh -c #(nop)"))
+	// This logic is taken from https://github.com/moby/buildkit/blob/2942d13ff489a2a49082c99e6104517e357e53ad/frontend/dockerfile/dockerfile2llb/convert.go
+	if strings.HasPrefix(createdBy, "ENV") ||
+		strings.HasPrefix(createdBy, "MAINTAINER") ||
+		strings.HasPrefix(createdBy, "LABEL") ||
+		strings.HasPrefix(createdBy, "CMD") ||
+		strings.HasPrefix(createdBy, "ENTRYPOINT") ||
+		strings.HasPrefix(createdBy, "HEALTHCHECK") ||
+		strings.HasPrefix(createdBy, "EXPOSE") ||
+		strings.HasPrefix(createdBy, "USER") ||
+		strings.HasPrefix(createdBy, "VOLUME") ||
+		strings.HasPrefix(createdBy, "STOPSIGNAL") ||
+		strings.HasPrefix(createdBy, "SHELL") ||
+		strings.HasPrefix(createdBy, "ARG") ||
+		createdBy == "WORKDIR /" { // only when workdir == "/" then layer is empty
+		return true
+	}
+	// commands here: 'ADD', COPY, RUN and WORKDIR != "/"
+	// Also RUN command may not include 'RUN' prefix
+	// e.g. '/bin/sh -c mkdir test '
+	return false
+}
+
 func (img *image) diffIDs() ([]v1.Hash, error) {
 	var diffIDs []v1.Hash
 	for _, l := range img.inspect.RootFS.Layers {

diff --git a/pkg/fanal/image/daemon/image_test.go b/pkg/fanal/image/daemon/image_test.go
@@ -7,6 +7,7 @@ import (
 	"testing"
 	"time"
 
+	dimage "github.com/docker/docker/api/types/image"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
@@ -247,3 +248,76 @@ func Test_image_RawConfigFile(t *testing.T) {
 		})
 	}
 }
+
+func Test_image_emptyLayer(t *testing.T) {
+	tests := []struct {
+		name    string
+		history dimage.HistoryResponseItem
+		want    bool
+	}{
+		{
+			name: "size != 0",
+			history: dimage.HistoryResponseItem{
+				Size: 10,
+			},
+			want: false,
+		},
+		{
+			name: "ENV",
+			history: dimage.HistoryResponseItem{
+				CreatedBy: "/bin/sh -c #(nop) ENV TESTENV=TEST",
+			},
+			want: true,
+		},
+		{
+			name: "ENV created with buildkit",
+			history: dimage.HistoryResponseItem{
+				CreatedBy: "ENV BUILDKIT_ENV=TEST",
+				Comment:   "buildkit.dockerfile.v0",
+			},
+			want: true,
+		},
+		{
+			name: "ENV",
+			history: dimage.HistoryResponseItem{
+				CreatedBy: "/bin/sh -c #(nop) ENV TESTENV=TEST",
+			},
+			want: true,
+		},
+		{
+			name: "CMD",
+			history: dimage.HistoryResponseItem{
+				CreatedBy: "/bin/sh -c #(nop)  CMD [\"/bin/sh\"]",
+			},
+			want: true,
+		},
+		{
+			name: "WORKDIR == '/'",
+			history: dimage.HistoryResponseItem{
+				CreatedBy: "/bin/sh -c #(nop) WORKDIR /",
+			},
+			want: true,
+		},
+		{
+			name: "WORKDIR != '/'",
+			history: dimage.HistoryResponseItem{
+				CreatedBy: "/bin/sh -c #(nop)  WORKDIR /app",
+			},
+			want: false,
+		},
+		{
+			name: "without command",
+			history: dimage.HistoryResponseItem{
+				CreatedBy: "/bin/sh -c mkdir test",
+			},
+			want: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			empty := emptyLayer(tt.history)
+			assert.Equal(t, tt.want, empty)
+		})
+	}
+}