feat: add Dockerfile analysis for build command detection

Changes:

-Function find_dockerfile_from_job: handles finding Dockerfile inside workflow in 2 cases of workflow jobs: -run and -uses.

-Simple DockerNode class, so far it stores mainly the dockerfile path retrieved from workflow

-Parsing Dockerfile using dockerfile-parse and RUN instruction commands using bashparser.py

-Parsing and storing build commands found in Dockerfiles

Signed-off-by: Achraf Maghous <achraf.maghous@oracle.com>

Author: achrafmag

pyproject.toml

@@ -38,7 +38,6 @@ dependencies = [
     "problog >= 2.2.6,<3.0.0",
     "cryptography >=44.0.0,<45.0.0",
     "semgrep == 1.113.0",
-    "dockerfile-parse >= 2.0.1"
 ]
 keywords = []
 # https://pypi.org/classifiers/
@@ -80,7 +79,6 @@ dev = [
     "pylint >=3.0.3,<4.0.0",
     "cyclonedx-bom >=4.0.0,<5.0.0",
     "types-beautifulsoup4 >= 4.12.0,<5.0.0",
-    "types-dockerfile-parse >= 2.0.0"
 ]
 docs = [
     "sphinx >=8.0.0,<9.0.0",

src/macaron/slsa_analyzer/checks/build_script_check.py

@@ -107,15 +107,12 @@ def run_check(self, ctx: AnalyzeContext) -> CheckResultData:
         #       we parse bash scripts that are reachable through CI only.
         result_tables: list[CheckFacts] = []
         ci_services = ctx.dynamic_data["ci_services"]
-
         for tool in build_tools:
             for ci_info in ci_services:
                 ci_service: BaseCIService = ci_info["service"]
                 # Checking if a CI service is discovered for this repo.
                 if isinstance(ci_service, NoneCIService):
                     continue
-
-                # Process regular workflow build commands
                 try:
                     for build_command in ci_service.get_build_tool_commands(
                         callgraph=ci_info["callgraph"], build_tool=tool
@@ -151,38 +148,6 @@ def run_check(self, ctx: AnalyzeContext) -> CheckResultData:
                 except CallGraphError as error:
                     logger.debug(error)
 
-                # Process Docker build commands if the CI service has the method
-                if hasattr(ci_service, "get_docker_build_commands"):
-                    try:
-                        for build_command in ci_service.get_docker_build_commands(
-                            callgraph=ci_info["callgraph"], build_tool=tool
-                        ):
-                            logger.debug("Processing Docker build command %s", build_command)
-                            # For Dockerfile, link to the Dockerfile itself
-                            relative_path = os.path.relpath(build_command["ci_path"], ctx.component.repository.fs_path)
-                            trigger_link = ci_service.api_client.get_file_link(
-                                ctx.component.repository.full_name,
-                                ctx.component.repository.commit_sha,
-                                relative_path,
-                            )
-                            logger.debug("Trigger link for Docker build command: %s", trigger_link)
-
-                            result_tables.append(
-                                BuildScriptFacts(
-                                    build_tool_name=tool.name,
-                                    ci_service_name=ci_service.name,
-                                    build_trigger=trigger_link,
-                                    language=build_command["language"],
-                                    language_distributions=None,
-                                    language_versions=None,
-                                    language_url=None,
-                                    build_tool_command=tool.serialize_to_json(build_command["command"]),
-                                    confidence=Confidence.HIGH,
-                                )
-                            )
-                    except CallGraphError as error:
-                        logger.debug(error)
-
         return CheckResultData(result_tables=result_tables, result_type=CheckResultType.PASSED)
 
 

src/macaron/slsa_analyzer/ci_service/base_ci_service.py

@@ -280,24 +280,6 @@ def get_third_party_configurations(self) -> list[str]:
         """
         return []
 
-    def get_docker_build_commands(self, callgraph: CallGraph, build_tool: BaseBuildTool) -> Iterable[BuildToolCommand]:
-        """
-        Traverse the callgraph and find all the reachable Docker build commands.
-
-        Parameters
-        ----------
-        callgraph: CallGraph
-            The callgraph reachable from the CI workflows.
-
-        Yields
-        ------
-        BuildToolCommand
-            The object that contains the Docker build command as well useful contextual information.
-        """
-        # By default we assume that there is no Docker build command available for a CI service.
-        # Each CI service should override this method if a Docker build command is generated for it.
-        raise CallGraphError("There is no Docker build command for this CI service.")
-
 
 class NoneCIService(BaseCIService):
     """This class can be used to initialize an empty CI service."""