ignore stage names in FROM instructions, add test

Signed-off-by: slmsbrhgn <[email protected]>
sigstore · Sep 14, 2024 · 6d3a32d · 6d3a32d
1 parent 780780b
commit 6d3a32d
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 1 deletion.
diff --git a/cmd/cosign/cli/dockerfile/verify.go b/cmd/cosign/cli/dockerfile/verify.go
@@ -24,6 +24,7 @@ import (
 	"os"
 	"strings"
 
+	"github.com/google/go-containerregistry/pkg/logs"
 	"github.com/sigstore/cosign/v2/cmd/cosign/cli/verify"
 	"github.com/sigstore/cosign/v2/internal/ui"
 )
@@ -110,7 +111,15 @@ func (fc *finderCache) getImagesFromDockerfile(ctx context.Context, dockerfile i
 	if err := fileScanner.Err(); err != nil {
 		return nil, err
 	}
-	return images, nil
+	validImages := []string{}
+	for _, image := range images {
+		if fc.isStage(image) {
+			logs.Debug.Printf("Ignoring stage name: %s", image)
+			continue
+		}
+		validImages = append(validImages, image)
+	}
+	return validImages, nil
 }
 
 func (fc *finderCache) getImageFromLine(line string) string {

diff --git a/cmd/cosign/cli/dockerfile/verify_test.go b/cmd/cosign/cli/dockerfile/verify_test.go
@@ -134,6 +134,16 @@ CMD bin`,
 			},
 			expected: []string{"gcr.io/gauntlet/test/one", "gcr.io/gauntlet/test/two:latest", "gcr.io/gauntlet/test/runtime", "gcr.io/someorg/someimage"},
 		},
+		{
+			name: "from-stage-ignored",
+			fileContents: `
+FROM gcr.io/someorg/sometool:sometag AS tools_image
+FROM gcr.io/someorg/someimage AS base_image
+FROM base_image
+COPY --from=tools_image /bin/sometool
+CMD bin`,
+			expected: []string{"gcr.io/someorg/sometool:sometag", "gcr.io/someorg/someimage"},
+		},
 	}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {