asf-tooling opened a new issue, #1124:
URL: https://github.com/apache/tooling-trusted-releases/issues/1124

   **ASVS Level(s):** L1
   
   **Description:**
   
   ### Summary
   The builder stage uses `COPY . .` (line 23), which sends the entire build
context — including `.git` and `.svn` directories — to the Docker daemon and
into the builder layer. While the multi-stage selective copy ensures these do
not reach the final image, a `.dockerignore` file would provide additional
defense-in-depth benefits. This does NOT constitute an ASVS 13.4.1 violation,
as the final deployed image does not contain source control metadata. However,
larger build contexts slow down builds (especially in CI/CD), builder images, if
accidentally pushed, contain full source history, intermediate layers consume
more storage, and the builder stage has unnecessary files that could be
leveraged in supply chain attacks.
   
   ### Details
   In `Dockerfile.alpine` at line 23, `COPY . .` includes all files. No
`.dockerignore` file exists to exclude unnecessary files from the build context.
   
   ### Recommended Remediation
   **Option 1: Add .dockerignore (Recommended for most cases)**
   
   Create `.dockerignore` in the repository root with exclusions for `.git`, `.svn`,
Python artifacts, IDE files, etc.
   
   **⚠️ Important:** The current build requires `.git` for `make 
generate-version`. If `.git` is excluded via `.dockerignore`, version 
generation will fail.
   
   **Option 2: Pass Version as Build Argument (Recommended for CI/CD)**
   
   Modify `Dockerfile.alpine` to accept `APP_VERSION` as a build argument:
   ```dockerfile
   ARG APP_VERSION=dev
   RUN apk add --no-cache make patch  # git removed
   RUN echo "APP_VERSION='${APP_VERSION}'" > atr/version.py  # written from the build arg, no git needed
   ```
   
   Build command:
   ```bash
   docker build --build-arg APP_VERSION="$(git describe --tags)" -t atr .
   ```
   
   **Option 3: Hybrid Approach**
   
   Use `.dockerignore` but add an exception for version generation using a BuildKit
bind mount:
   ```dockerfile
   RUN --mount=type=bind,source=.git,target=/tmp/git \
       git --git-dir=/tmp/git describe --tags > /tmp/version.txt && \
       echo "APP_VERSION='$(cat /tmp/version.txt)'" > atr/version.py
   ```
   
   ### Acceptance Criteria
   - [ ] .dockerignore created OR version passed as build arg
   - [ ] Build context size reduced
   - [ ] Version generation continues to work
   - [ ] Unit tests verify build process
   
   ### References
   - Source reports: L1:13.4.1.md
   - Related findings: None
   - ASVS sections: 13.4.1
   
   ### Priority
   Low
   
   ---
   
   **Triage notes:** very-low
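To preview what Option 1 would actually keep in the build context (and why the `.git` caveat above bites), here is an added example that is not part of the issue or the project: a small approximation of `.dockerignore` matching run over a constructed file list. The `DOCKERIGNORE` text and `CONTEXT_FILES` are made up for illustration, and Docker's real matcher has more corner cases than this model.

```python
import re

# Constructed .dockerignore following the issue's recommendation; not the project's file.
DOCKERIGNORE = """\
.git
.svn
**/__pycache__
*.pyc
.idea
"""

# Constructed snapshot of a checkout, not the real repository tree.
CONTEXT_FILES = [
    "Dockerfile.alpine", "Makefile", "atr/__init__.py",
    "atr/__pycache__/__init__.cpython-312.pyc", "setup.pyc",
    ".git/HEAD", ".git/objects/ab/cdef", ".svn/entries", ".idea/workspace.xml",
]

def pattern_to_regex(pattern):
    """'**/' spans directories, '*'/'?' stop at '/'; a dir match covers its contents."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            out, i = out + "(?:.*/)?", i + 3
        elif pattern[i] in "*?":
            out, i = out + ("[^/]*" if pattern[i] == "*" else "[^/]"), i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile(rf"^{out}(?:/.*)?$")

def parse_dockerignore(text):
    """Rules as (negated, regex); blank lines and '#' comments are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip().rstrip("/")
        if line and not line.startswith("#"):
            rules.append((line.startswith("!"), pattern_to_regex(line.lstrip("!"))))
    return rules

def is_excluded(path, rules):
    """The last matching rule decides; a '!' rule re-includes the path."""
    excluded = False
    for negated, rx in rules:
        if rx.match(path):
            excluded = not negated
    return excluded

def build_context(files, dockerignore_text):
    # Files that would still be sent to the daemon and land in the builder layer.
    rules = parse_dockerignore(dockerignore_text)
    return [f for f in files if not is_excluded(f, rules)]
```

With this ignore list only `Dockerfile.alpine`, `Makefile` and `atr/__init__.py` remain, so `make generate-version` inside the builder has no `.git` to read, which is exactly why Option 2 or 3 is needed alongside it.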

