fix: replace ADD with COPY

RHACS reports OSBS images as vulnerable because of the usage of ADD
instruction, that allows to fetch remote content.

It's false positive as OSBS uses local resources only, but it scares
users.

We need to use keep ADD instruction to inject filestystem for base image
builds, to untar sources

STONEBLD-3815

Signed-off-by: Martin Basti <mbasti@redhat.com>

Author: MartinBasti

Dockerfile

@@ -2,7 +2,7 @@ FROM fedora:latest
 RUN dnf -y install python3-setuptools flatpak python3-pip git \
     gcc krb5-devel python3-devel popt-devel && dnf clean all
 RUN mkdir /tmp/atomic-reactor
-ADD . /tmp/atomic-reactor
+COPY . /tmp/atomic-reactor
 RUN pip3 install git+https://github.com/containerbuildsystem/osbs-client
 RUN cd /tmp/atomic-reactor && python3 setup.py install
 CMD ["atomic-reactor", "--verbose", "inside-build"]

atomic_reactor/plugins/add_dockerfile.py

@@ -8,7 +8,7 @@
 
 Include user-provided Dockerfile in the IMAGE_BUILD_INFO_DIR
 (or other if provided) directory in the built image.
-This is accomplished by appending an ADD command to it.
+This is accomplished by appending a COPY command to it.
 Name of the Dockerfile is changed to include N-V-R of the build.
 N-V-R is specified either by nvr argument OR from
 Name/Version/Release labels in Dockerfile.
@@ -98,12 +98,12 @@ def add_dockerfile(self, build_dir: BuildDir) -> None:
 
         if self.use_final_dockerfile:
             # when using final dockerfile, we should use DOCKERFILE_FILENAME
-            add_line = f'ADD {DOCKERFILE_FILENAME} {self.df_path}\n'
+            add_line = f'COPY {DOCKERFILE_FILENAME} {self.df_path}\n'
             allow_path_in_dockerignore(build_dir.path, DOCKERFILE_FILENAME)
         else:
             # otherwise we should copy current snapshot and use the copied version
             shutil.copy2(build_dir.dockerfile_path, build_dir.path / self.df_name)
-            add_line = f'ADD {self.df_name} {self.df_path}\n'
+            add_line = f'COPY {self.df_name} {self.df_path}\n'
             allow_path_in_dockerignore(build_dir.path, self.df_name)
 
         # put it before last instruction

atomic_reactor/plugins/add_filesystem.py

@@ -331,6 +331,7 @@ def _add_filesystem_to_dockerfile(self, file_name, build_dir: BuildDir):
         """
         Put an ADD instruction into the Dockerfile (to include the filesystem
         into the container image to be built)
+        NOTE: this must be ADD instruction as it un-TARs the source
         """
         content = 'ADD {0} /\n'.format(file_name)
         lines = build_dir.dockerfile.lines

atomic_reactor/plugins/add_help.py

@@ -8,7 +8,7 @@
 
 Convert a help markdown file a man page and store it to /help.1 in the image
 so that 'atomic help' could display it.
-This is accomplished by appending an ADD command to it.
+This is accomplished by appending a COPY command to it.
 
 Example configuration:
 {
@@ -138,7 +138,7 @@ def add_help_file_to_df(self, build_dir: BuildDir) -> None:
         dockerfile = build_dir.dockerfile
         lines = dockerfile.lines
 
-        content = 'ADD {0} /{0}'.format(self.man_filename)
+        content = 'COPY {0} /{0}'.format(self.man_filename)
         # put it before last instruction
         lines.insert(-1, content + '\n')
 

atomic_reactor/plugins/add_image_content_manifest.py

@@ -188,11 +188,11 @@ def _write_json_file(self, icm: dict, build_dir: BuildDir) -> None:
 
     def _add_to_dockerfile(self, build_dir: BuildDir) -> None:
         """
-        Put an ADD instruction into the Dockerfile (to include the ICM file
+        Put a COPY instruction into the Dockerfile (to include the ICM file
         into the container image to be built)
         """
         dest_file_path = os.path.join(self.content_manifests_dir, self.icm_file_name)
-        content = 'ADD {0} {1}'.format(self.icm_file_name, dest_file_path)
+        content = 'COPY {0} {1}'.format(self.icm_file_name, dest_file_path)
         lines = build_dir.dockerfile.lines
 
         # Put it before last instruction

atomic_reactor/plugins/flatpak_create_dockerfile.py

@@ -42,9 +42,9 @@
 LABEL release="@RELEASE@"
 
 RUN rm -f {yum_repos_dir}*
-ADD {relative_repos_path}* {yum_repos_dir}
+COPY {relative_repos_path}* {yum_repos_dir}
 
-ADD {includepkgs} /tmp/
+COPY {includepkgs} /tmp/
 
 RUN cat /tmp/atomic-reactor-includepkgs >> /etc/dnf/dnf.conf && \\
     INSTALLDIR=/var/tmp/flatpak-build && \\

atomic_reactor/plugins/inject_yum_repos.py

@@ -226,7 +226,7 @@ def _inject_repo_files(self, build_dir: BuildDir) -> None:
 
     def _inject_into_dockerfile(self, build_dir: BuildDir):
         build_dir.dockerfile.add_lines(
-            "ADD %s* %s" % (RELATIVE_REPOS_PATH, YUM_REPOS_DIR),
+            "COPY %s* %s" % (RELATIVE_REPOS_PATH, YUM_REPOS_DIR),
             all_stages=True, at_start=True, skip_scratch=True
         )
 
@@ -236,7 +236,7 @@ def _inject_into_dockerfile(self, build_dir: BuildDir):
                 build_dir.path / self._ca_bundle_pem
             )
             build_dir.dockerfile.add_lines(
-                f'ADD {self._ca_bundle_pem} /tmp/{self._ca_bundle_pem}',
+                f'COPY {self._ca_bundle_pem} /tmp/{self._ca_bundle_pem}',
                 all_stages=True, at_start=True, skip_scratch=True
             )
             allow_path_in_dockerignore(build_dir.path, self._ca_bundle_pem)

docs/plugins.md

@@ -177,7 +177,7 @@ containing the Dockerfile.
     and other metadata, and ADDs it to the built image
 - **add_dockerfile**
   - Status: Enabled
-  - The Dockerfile used to build the image has a line added to ADD itself into
+  - The Dockerfile used to build the image has a line added to COPY itself into
     the built image
 - **distgit_fetch_artefacts**
   - Status: Enabled

tests/plugins/test_add_dockerfile.py

@@ -81,7 +81,7 @@ def test_adddockerfile_plugin(tmpdir, workflow):  # noqa
     expected_df_content = """
 FROM fedora
 RUN yum install -y python-django
-ADD Dockerfile-rhel-server-docker-7.1-20 /root/buildinfo/Dockerfile-rhel-server-docker-7.1-20
+COPY Dockerfile-rhel-server-docker-7.1-20 /root/buildinfo/Dockerfile-rhel-server-docker-7.1-20
 CMD blabla"""
     # the copied Dockerfile should have the *original* content
     expected_df_copy = DockerfileCopy("Dockerfile-rhel-server-docker-7.1-20", df_content)
@@ -105,7 +105,7 @@ def test_adddockerfile_todest(tmpdir, workflow):  # noqa
     expected_df_content = """
 FROM fedora
 RUN yum install -y python-django
-ADD Dockerfile-jboss-eap-6-docker-6.4-77 /usr/share/doc/Dockerfile-jboss-eap-6-docker-6.4-77
+COPY Dockerfile-jboss-eap-6-docker-6.4-77 /usr/share/doc/Dockerfile-jboss-eap-6-docker-6.4-77
 CMD blabla"""
     expected_df_copy = DockerfileCopy("Dockerfile-jboss-eap-6-docker-6.4-77", df_content)
 
@@ -128,7 +128,7 @@ def test_adddockerfile_nvr_from_labels(tmpdir, workflow):  # noqa
 FROM fedora
 RUN yum install -y python-django
 LABEL Name="jboss-eap-6-docker" "Version"="6.4" "Release"=77
-ADD Dockerfile-jboss-eap-6-docker-6.4-77 /root/buildinfo/Dockerfile-jboss-eap-6-docker-6.4-77
+COPY Dockerfile-jboss-eap-6-docker-6.4-77 /root/buildinfo/Dockerfile-jboss-eap-6-docker-6.4-77
 CMD blabla"""
     expected_df_copy = DockerfileCopy("Dockerfile-jboss-eap-6-docker-6.4-77", df_content)
 
@@ -161,7 +161,7 @@ def test_adddockerfile_final(tmpdir, workflow):  # noqa
     expected_df_content = """
 FROM fedora
 RUN yum install -y python-django
-ADD Dockerfile /root/buildinfo/Dockerfile-rhel-server-docker-7.1-20
+COPY Dockerfile /root/buildinfo/Dockerfile-rhel-server-docker-7.1-20
 CMD blabla"""
     workflow.build_dir.for_each_platform(check_outputs(expected_df_content))
 

tests/plugins/test_add_help.py

@@ -170,7 +170,7 @@ def check_df_and_man_file(build_dir):
             f"""
             FROM fedora
             RUN yum install -y python-django
-            ADD {AddHelpPlugin.man_filename} /{AddHelpPlugin.man_filename}
+            COPY {AddHelpPlugin.man_filename} /{AddHelpPlugin.man_filename}
             CMD blabla
             """
         )