Ignore empty package names
Context
We use a sh/bash trick to embed inline comments when we upgrade packages to fix vulnerabilities in our Docker Images. The trick looks like this:
RUN ... some commands ... \
&& apk add --no-cache --upgrade \
some-package "$(: 'Fixes CVE-1234')" \
&& ...some more commands...
This keeps our Docker Image nice and tidy (just one layer to install all dependencies). We use that with yum and apt-get, as we have images built from AmazonLinux2 and Ubuntu, and the trick works nicely there.
We also have images built from Alpine, though, which is where the trick doesn't work.
Example
Consider the following Dockerfile:
FROM mcr.microsoft.com/dotnet/sdk:5.0-alpine AS base-build
#hadolint ignore=DL3013,DL3018
RUN apk add --no-cache \
jq \
curl \
python3 \
py3-pip \
&& apk add --no-cache --upgrade \
"pcre2>10.40-r0" "$(: 'Fixes https://security.snyk.io/vuln/SNYK-ALPINE315-PCRE2-2869384')" \
&& pip3 install --no-cache-dir --upgrade \
pip \
&& pip3 install --no-cache-dir \
awscli \
&& rm -rf /var/cache/apk/*
When building this, the apk add --no-cache --upgrade pcre2... command fails. This is because apk is given two strings which it interprets as package names:
- "pcre2>10.40-r0", which properly identifies what we want to install
- "", which is a result of the inline comment trick we use.
The error message is:
#5 1.223 ERROR: unable to select packages:
#5 1.273 (no such package):
#5 1.273 required by: world[]
Feature request
Make apk ignore empty-string package names. This way it will work the same way as apt-get and yum.
Existing workarounds
Removing the double quotes from the inline comment trick works:
RUN ... some commands ... \
&& apk add --no-cache --upgrade \
some-package $(: 'Fixes CVE-1234') \
&& ...some more commands...
However, this additionally triggers a hadolint warning:
Dockerfile:4 SC2046 warning: Quote this to prevent word splitting.
We can add an ignore for the warning, but we'd much rather have apk just ignore empty strings.