Add rule S7026 exceptions (#4230)

2024-09-11 09:05:40 +02:00 · 2024-09-11 09:05:40 +02:00 · 0e30d8dfd4
commit 0e30d8dfd4
parent 7e63801e76
1 changed files with 19 additions and 8 deletions
--- a/rules/S7026/docker/rule.adoc
+++ b/rules/S7026/docker/rule.adoc
@ -1,12 +1,23 @@
-In Dockerfiles, a common use case is to download remote resources to use during the build. This is often done using third-party tools inside the image, like `wget` or `curl`. However, this practice can lead to inefficient use of Docker's build cache and unnecessary complexity. The `ADD` instruction is a built-in feature of Docker that is specifically designed for this purpose, making it a more efficient and safer choice.
+In Dockerfiles, a common use case is downloading remote resources to use during the build. This is often done using third-party tools inside the image, like `wget` or `curl`. However, this practice can lead to inefficient use of Docker's build cache and unnecessary complexity. The `ADD` instruction is a built-in feature of Docker that is specifically designed for this purpose, making it a more efficient and safer choice.

 == Why is this an issue?

 Using `wget` or `curl` commands to retrieve remote content in Dockerfiles instead of the `ADD` instruction can lead to several issues, particularly related to the inefficient use of Docker's build cache.

-Docker's build cache is a powerful feature that can significantly speed up the build process by reusing intermediate layers from previous builds if no changes were detected. When you use `wget`, `curl`, or similar commands, these commands are run during the build process, and Docker has no way of knowing if the remote content has changed without executing the commands. This makes it impossible to effectively cache the results of these commands.
+Docker's build cache is a powerful feature that can significantly speed up the build process by reusing intermediate layers from previous builds if no changes were detected. When you use `wget`, `curl`, or similar commands, these commands are run during the build process, and Docker has no way of knowing if the remote content has changed without executing the commands. This makes it impossible to cache the results of these commands efficiently.
+
+Moreover, installing third-party tools inside the image can introduce unnecessary complexity, dependency on external tools and increase the size of the final image.
+
+=== Exceptions
+
+In some cases, the `ADD` instruction is not able to replace the `wget` or `curl` command, especially if specific HTTP parameters are required: method, headers, body, etc.
+
+[source,docker]
+----
+FROM ubuntu:20.04
+RUN wget --header="Authorization: Bearer your_token" --method=POST https://example.com/resource
+----

-Moreover, the installation of third-party tools inside the image can introduce unnecessary complexity, dependency on external tools and increase the size of the final image.

 == How to fix it

@ -16,13 +27,13 @@ Moreover, the installation of third-party tools inside the image can introduce u

 [source,docker,diff-id=1,diff-type=noncompliant]
 ----
-FROM ununtu:20.04
+FROM ubuntu:20.04
 RUN wget https://example.com/resource -O /path/to/resource
 ----

 [source,docker,diff-id=2,diff-type=noncompliant]
 ----
-FROM ununtu:20.04
+FROM ubuntu:20.04
 RUN curl -o /path/to/resource https://example.com/resource && echo "123456abcdef /path/to/resource" | sha256sum --check
 ----

@ -30,13 +41,13 @@ RUN curl -o /path/to/resource https://example.com/resource && echo "123456abcdef

 [source,docker,diff-id=1,diff-type=compliant]
 ----
-FROM ununtu:20.04
+FROM ubuntu:20.04
 ADD https://example.com/resource /path/to/resource
 ----

 [source,docker,diff-id=2,diff-type=compliant]
 ----
-FROM ununtu:20.04
+FROM ubuntu:20.04
 ADD --checksum=sha256:123456abcdef https://example.com/resource /path/to/resource
 ----