No association between the found issues and the Dockerfiles

[ivandalbosco]

Hello,

In the first step, I run Hadolint:
docker run --rm -i -e HADOLINT_FORMAT='checkstyle' hadolint/hadolint < Dockerfile.txt > hadolint_report.xml

This creates an output files containing 2 detected issues:

<?xml version='1.0' encoding='UTF-8'?>
<checkstyle version='4.3'>
	<file name='&#45;'>
		<error line='12' column='1' severity='warning' message='&#96;COPY&#96; to a relative destination without &#96;WORKDIR&#96; set.' source='DL3045'/>
		<error line='24' column='1' severity='error' message='Use COPY instead of ADD for files and folders' source='DL3020'/>
	</file>
</checkstyle>

In the second step, I run sonarscanner:
sonarscanner -Dsonar.host.url=http://localhost:9000 -Dsonar.login=XXX -Dsonar.password=YYY -Dsonar.projectKey=ZZZ -Dsonar.lang.patterns.dockerfile=Dockerfile.txt -Dsonar.hadolint.reports.path=hadolint_report.xml

My trouble is: in SonarQube, I cannot see any issue displayed. Actually, this is no wonder: the association between the found issues (in file hadolint_report.xml) and the source file (Dockerfile.txt) is not set anywhere. The sonarscanner step above displays:

ERROR: The source file '-' mentionned in Hadolint report was not found

Can you please help? Many thanks in advance,

Yves

hadolint/hadolint:latest (digest=174f005a1fed)
sonar-scanner-4.6.1.2450-windows
SonarQube 9.3

[Sancretor]

Hi @ivandalbosco !
Hadolint uses the file path to generate its report.
Using it from a Docker container, you provide the Docker through stdin (the < Dockerfile.txt part).
So... there is no path file for Hadolint to provide in its report, that's why you instead have -, and no files linked to your issues...

[ivandalbosco]

Thank you @Sancretor for your immediate response! I'd like to tackle the general case where:

• I may have several Dockerfiles in the file hierarchy, for example ./Dockerfile and ./sub/Dockerfile
• I may have several Dockerfiles in the same directory, for example ./Dockerfile1 and ./Dockerfile2

What is you suggestion?

• Do I have to forget the Docker hadolint/hadolint image?
• Should I resort to something like making one Hadolint analysis per Dockerfile?

[Sancretor]

Hi @ivandalbosco

No, you can still play with the Docker image but differently.
And one report per Dockerfile would be a huge pain in the ass...
What may work would be to mount your project directory inside the container and then start Hadolint at the root of this directory.
This way, you'll have the whole file hierarchy and Hadolint will be able to add the file path inside the report.

Something like docker run ... -v <your_project_dir>:/my_project -w /my_project ... > hadolint_report.xml
What do you think about it ?