Does not support # syntax includes in Dockerfiles

[mithodin]

Description

We are using dockerfile-plus and include statements to organise our dockerfiles. This leads to trivy just ignoring them. Simple example:

# syntax = edrevo/dockerfile-plus
INCLUDE+ ./deployment/dockerfiles/setup.Dockerfile

FROM setup as analyze

COPY ./deployment/scripts ./deployment/scripts

CMD ["ci:analyze"]

While I get that it's probably not easy to support custom syntax, maybe it would be possible to at least ignore the unknown syntax and still analyse the rest?

What did you expect to happen?

trivy analyses the the dockerfile

What happened instead?

trivy ignored the dockerfile (Detected config files: 0)

Output of run with -debug:

2023-03-29T08:19:58.484+0200	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-03-29T08:19:58.523+0200	DEBUG	cache dir:  <redacted>
2023-03-29T08:19:58.524+0200	DEBUG	DB update was skipped because the local DB is the latest
2023-03-29T08:19:58.524+0200	DEBUG	DB Schema: 2, UpdatedAt: 2023-03-29 00:58:16.576209108 +0000 UTC, NextUpdate: 2023-03-29 06:58:16.576208708 +0000 UTC, DownloadedAt: 2023-03-29 05:40:51.8033889 +0000 UTC
2023-03-29T08:19:58.524+0200	INFO	Vulnerability scanning is enabled
2023-03-29T08:19:58.524+0200	DEBUG	Vulnerability type:  [os library]
2023-03-29T08:19:58.524+0200	INFO	Misconfiguration scanning is enabled
2023-03-29T08:19:58.524+0200	DEBUG	Policies successfully loaded from disk
2023-03-29T08:19:58.525+0200	DEBUG	Walk the file tree rooted at 'deployment/dockerfiles/analyze.Dockerfile' in parallel
2023-03-29T08:19:58.897+0200	DEBUG	OS is not detected.
2023-03-29T08:19:58.897+0200	DEBUG	Detected OS: unknown
2023-03-29T08:19:58.897+0200	INFO	Number of language-specific files: 0
2023-03-29T08:19:58.897+0200	INFO	Detected config files: 0

Output of trivy -v:

Version: 0.37.2
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-03-29 00:58:16.576209108 +0000 UTC
  NextUpdate: 2023-03-29 06:58:16.576208708 +0000 UTC
  DownloadedAt: 2023-03-29 05:40:51.8033889 +0000 UTC

[simar7]

While I get that it's probably not easy to support custom syntax, maybe it would be possible to at least ignore the unknown syntax and still analyse the rest?

While I agree with what you have said, the file detection logic today is purposely designed to very simple and performant, as Trivy has to scan a variety of inputs. Having said that we do have an open issue for improving file detection #4182

[itaysk]

@mithodin in other words, dockerfile-plus is not dockerfile, so perhaps it shouldn't be named this way. If you'll rename the file Trivy will ignore it