This repository has been archived by the owner on Apr 26, 2023. It is now read-only.

No association between the found issues and the Dockerfiles #33

Open
ivandalbosco opened this issue Aug 26, 2022 · 3 comments
Labels
question Further information is requested

Comments

@ivandalbosco

Hello,

In the first step, I run Hadolint:
docker run --rm -i -e HADOLINT_FORMAT='checkstyle' hadolint/hadolint < Dockerfile.txt > hadolint_report.xml

This creates an output file containing 2 detected issues:

<?xml version='1.0' encoding='UTF-8'?>
<checkstyle version='4.3'>
	<file name='&#45;'>
		<error line='12' column='1' severity='warning' message='&#96;COPY&#96; to a relative destination without &#96;WORKDIR&#96; set.' source='DL3045'/>
		<error line='24' column='1' severity='error' message='Use COPY instead of ADD for files and folders' source='DL3020'/>
	</file>
</checkstyle>

In the second step, I run sonarscanner:
sonarscanner -Dsonar.host.url=http://localhost:9000 -Dsonar.login=XXX -Dsonar.password=YYY -Dsonar.projectKey=ZZZ -Dsonar.lang.patterns.dockerfile=Dockerfile.txt -Dsonar.hadolint.reports.path=hadolint_report.xml

My trouble is: in SonarQube, I cannot see any issue displayed. Actually, this is no wonder: the association between the found issues (in file hadolint_report.xml) and the source file (Dockerfile.txt) is not set anywhere. The sonarscanner step above displays:

ERROR: The source file '-' mentionned in Hadolint report was not found

Can you please help? Many thanks in advance,

Yves

hadolint/hadolint:latest (digest=174f005a1fed)
sonar-scanner-4.6.1.2450-windows
SonarQube 9.3

@ivandalbosco ivandalbosco added the question Further information is requested label Aug 26, 2022
@Sancretor
Contributor

Hi @ivandalbosco!
Hadolint uses the file path to generate its report.
Using it from a Docker container, you provide the Docker through stdin (the < Dockerfile.txt part).
So... there is no path file for Hadolint to provide in its report, that's why you instead have -, and no files linked to your issues...

@ivandalbosco
Author

Thank you @Sancretor for your immediate response! I'd like to tackle the general case where:

  • I may have several Dockerfiles in the file hierarchy, for example ./Dockerfile and ./sub/Dockerfile
  • I may have several Dockerfiles in the same directory, for example ./Dockerfile1 and ./Dockerfile2

What is your suggestion?

  • Do I have to forget the Docker hadolint/hadolint image?
  • Should I resort to something like making one Hadolint analysis per Dockerfile?

@Sancretor
Contributor

Hi @ivandalbosco

No, you can still play with the Docker image but differently.
And one report per Dockerfile would be a huge pain in the ass...
What may work would be to mount your project directory inside the container and then start Hadolint at the root of this directory.
This way, you'll have the whole file hierarchy and Hadolint will be able to add the file path inside the report.

Something like docker run ... -v <your_project_dir>:/my_project -w /my_project ... > hadolint_report.xml
What do you think about it?
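
Added example, not part of the thread or of the plugin's code: one way to apply the mount suggestion above to a tree with several Dockerfiles, so that the report names real files instead of `-`. The function names, the `Dockerfile*` naming pattern and the read-only mount are assumptions of this sketch.

```shell
#!/bin/sh
# Added example (not from the thread): one checkstyle report for a whole project.
# Assumptions: POSIX sh, Docker on the host, files named "Dockerfile*",
# no newline characters in paths.

# Print the project-relative path of every Dockerfile under $1, sorted.
list_dockerfiles() {
    ( cd "$1" && find . -type f -name 'Dockerfile*' | sed 's|^\./||' | LC_ALL=C sort )
}

# Lint all Dockerfiles under $1 in a single container run; write the report to $2.
hadolint_report() {
    project_dir=$(cd "$1" && pwd) || return 1
    report=$2
    files=$(list_dockerfiles "$project_dir")
    if [ -z "$files" ]; then
        echo "no Dockerfile found under $project_dir" >&2
        return 1
    fi
    # Split the list on newlines only, so paths containing spaces stay intact.
    old_ifs=$IFS
    IFS='
'
    set -f
    set -- $files
    set +f
    IFS=$old_ifs
    # Files are passed as arguments (not stdin), so each <file name='...'> in the
    # report carries a path relative to the mounted project root instead of '-'.
    # The project is mounted read-only: the linter only needs to read it.
    docker run --rm -v "$project_dir":/my_project:ro -w /my_project \
        hadolint/hadolint hadolint --format checkstyle "$@" > "$report"
    status=$?
    # Hadolint exits non-zero when it reports findings; docker itself uses 125-127
    # when the container could not be started or the command could not be run.
    if [ "$status" -ge 125 ]; then
        echo "docker run failed with status $status" >&2
        return "$status"
    fi
    return 0
}

# Usage, from the project root: hadolint_report . hadolint_report.xml
```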
