feat: add dnf and microdnf support to Dockerfile instruction parser (#763)

The installRegex did not recognize dnf install or microdnf install commands,
causing layer attribution and --exclude-base-image-vulns to potentially
fail for RPM-based images that use DNF (e.g., RHEL 8+, Fedora, CentOS Stream, Rocky Linux).

Author: bgardiner

lib/dockerfile/instruction-parser.ts

@@ -18,7 +18,7 @@ export {
 // Naive regex; see tests for cases
 // tslint:disable-next-line:max-line-length
 const installRegex =
-  /(rpm\s+-i|rpm\s+--install|apk\s+((--update|-u|--no-cache)\s+)*add(\s+(--update|-u|--no-cache))*|apt-get\s+((--assume-yes|--yes|-y)\s+)*install(\s+(--assume-yes|--yes|-y))*|apt\s+((--assume-yes|--yes|-y)\s+)*install|yum\s+install|aptitude\s+install)\s+/;
+  /(rpm\s+-i|rpm\s+--install|apk\s+((--update|-u|--no-cache)\s+)*add(\s+(--update|-u|--no-cache))*|apt-get\s+((--assume-yes|--yes|-y)\s+)*install(\s+(--assume-yes|--yes|-y))*|apt\s+((--assume-yes|--yes|-y)\s+)*install|dnf\s+((--assumeyes|--best|--nodocs|--allowerasing|-y)\s+)*install(\s+(--assumeyes|--best|--nodocs|--allowerasing|-y))*|microdnf\s+((--nodocs|--best|--assumeyes|-y)\s+)*install(\s+(--nodocs|--best|--assumeyes|-y))*|yum\s+install|aptitude\s+install)\s+/;
 
 function getPackagesFromDockerfile(dockerfile: Dockerfile): DockerFilePackages {
   const runInstructions = getRunInstructionsFromDockerfile(dockerfile);

test/fixtures/dockerfiles/with-dnf-installation/Dockerfile

@@ -0,0 +1,5 @@
+FROM registry.access.redhat.com/ubi9/ubi-minimal:latest
+
+RUN microdnf install -y curl && microdnf clean all
+
+CMD ["bash"]

test/lib/dockerfile.spec.ts

@@ -245,6 +245,28 @@ describe("readDockerfileAndAnalyse() correctly parses...", () => {
         },
       },
     ],
+    [
+      "a Dockerfile with a microdnf installation instruction",
+      {
+        fixture: "with-dnf-installation",
+        expected: {
+          baseImage: "registry.access.redhat.com/ubi9/ubi-minimal:latest",
+          dockerfilePackages: {
+            curl: {
+              instruction: "RUN microdnf install -y curl && microdnf clean all",
+            },
+          },
+          dockerfileLayers: {
+            "UlVOIG1pY3JvZG5mIGluc3RhbGwgLXkgY3VybCAmJiBtaWNyb2RuZiBjbGVhbiBhbGw=":
+              {
+                instruction:
+                  "RUN microdnf install -y curl && microdnf clean all",
+              },
+          },
+          error: undefined,
+        },
+      },
+    ],
   ];
   // tslint:disable-next-line: variable-name
   test.each<TestCaseTuple>(cases)("%s", async (_description, item) => {

test/lib/instructions-parser.spec.ts

@@ -32,6 +32,15 @@ describe("getPackagesFromRunInstructions", () => {
     ],
     [["apt install 389-admin"], ["389-admin"]],
     [["apt install apache2=2.3.35-4ubuntu1"], ["apache2"]],
+    [["dnf install curl"], ["curl"]],
+    [["dnf install -y curl"], ["curl"]],
+    [["dnf -y install curl"], ["curl"]],
+    [["dnf --nodocs install -y curl"], ["curl"]],
+    [["dnf install -y curl wget vim"], ["vim", "curl", "wget"]],
+    [["dnf install -y curl && dnf install -y wget"], ["curl", "wget"]],
+    [["microdnf install curl"], ["curl"]],
+    [["microdnf install --nodocs curl"], ["curl"]],
+    [["microdnf install -y curl && microdnf clean all"], ["curl"]],
   ];
 
   describe("Verify package detection", () => {
@@ -78,6 +87,7 @@ describe("getPackagesFromDockerFile", () => {
     ["library/nginx"],
     ["with-args-package"],
     ["with-multiple-run-instructions"],
+    ["with-dnf-installation"],
   ];
 
   test.each(dockerfileFixtures)(

test/lib/save/image.tar

@@ -8,7 +8,7 @@ declare global {
 
 export function toBeDockerPackageInstallCommand(received, pkgName) {
   const installCmdRegex =
-    /^(rpm\s+-i|rpm\s+--install|apk\s+((--update|-u|--no-cache)\s+)*add(\s+(--update|-u|--no-cache))*|apt-get\s+((--assume-yes|--yes|-y)\s+)*install(\s+(--assume-yes|--yes|-y))*|apt\s+((--assume-yes|--yes|-y)\s+)*install|yum\s+install|aptitude\s+install)\s+/;
+    /^(rpm\s+-i|rpm\s+--install|apk\s+((--update|-u|--no-cache)\s+)*add(\s+(--update|-u|--no-cache))*|apt-get\s+((--assume-yes|--yes|-y)\s+)*install(\s+(--assume-yes|--yes|-y))*|apt\s+((--assume-yes|--yes|-y)\s+)*install|dnf\s+((--assumeyes|--best|--nodocs|--allowerasing|-y)\s+)*install(\s+(--assumeyes|--best|--nodocs|--allowerasing|-y))*|microdnf\s+((--nodocs|--best|--assumeyes|-y)\s+)*install(\s+(--nodocs|--best|--assumeyes|-y))*|yum\s+install|aptitude\s+install)\s+/;
   const pass =
     (installCmdRegex.test(received) &&
       received.indexOf(pkgName) > -1 &&

test/matchers/dockerPackageInstallCommand.ts

@@ -15,6 +15,12 @@ describe("valid package install commands", () => {
     { command: "apt install curl", pkg: "curl" },
     { command: "yum install curl", pkg: "curl" },
     { command: "aptitude install curl", pkg: "curl" },
+    { command: "dnf install curl", pkg: "curl" },
+    { command: "dnf -y install curl", pkg: "curl" },
+    { command: "dnf --assumeyes install curl", pkg: "curl" },
+    { command: "dnf --nodocs install curl", pkg: "curl" },
+    { command: "microdnf install curl", pkg: "curl" },
+    { command: "microdnf --nodocs install curl", pkg: "curl" },
   ];
 
   testCases.forEach(({ command, pkg }) => {