
Dependabot ignores image references in COPY Dockerfile statement #5103

Open
kereis opened this issue May 7, 2022 · 3 comments
Labels
L: docker (Docker containers), T: bug 🐞 (Something isn't working)

Comments


kereis commented May 7, 2022

Package ecosystem

docker

Manifest location and content before the Dependabot update

dependabot.yml content

version: 2

updates:
  - package-ecosystem: github-actions
    directory: /
    schedule: {interval: monthly}
    reviewers: [kereis]
    assignees: [kereis]

  - package-ecosystem: docker
    directory: /docker
    schedule: {interval: monthly}
    reviewers: [kereis]
    assignees: [kereis]

  - package-ecosystem: docker
    directory: /alpine
    schedule: {interval: monthly}
    reviewers: [kereis]
    assignees: [kereis]

Updated dependency
FROM ldez/traefik-certs-dumper:v2.7.0 to FROM ldez/traefik-certs-dumper:v2.8.1

What you expected to see, versus what you actually saw
The updating logic works fine for Docker images that are referenced via a FROM statement.
For instance, Dependabot updates the docker Docker image in my Docker-flavored image and ldez/traefik-certs-dumper in my Alpine-flavored images.

However, as you can specify Docker images in a COPY --from statement, I'd expect Dependabot to update the version of the used image as well. For example, if you take a look at my Docker-flavored images, you see that ldez/traefik-certs-dumper is used for copying files from its image to my image via a COPY --from statement. But I have never received any pull request regarding updating that dependency. The logs down below also never mention the Docker image used in the COPY --from statement.

Images of the diff or a link to the PR, issue, or logs

Dependabot logs for my Docker-flavored images
  proxy | time="2022-05-01T18:06:11Z" level=info msg="proxy starting" commit=d0e8fc9c52e08bf359a8a4cff6deb91b01c23136
  proxy | 2022/05/01 18:06:11 Listening (:1080)
updater | 2022-05-01T18:06:11.752885222 [anonymous-instance:main:WARN:src/firecracker/src/main.rs:370] You are using a deprecated parameter: --seccomp-level 2, that will be removed in a future version.
updater | 2022-05-01T18:06:11.811738926 [358413559:main:WARN:src/devices/src/legacy/serial.rs:432] Detached the serial input due to peer close/error.
updater | time="2022-05-01T18:06:13Z" level=info msg="guest starting" commit=d54c1f07420d2f98b700854f969f92bffb6a9ded
updater | time="2022-05-01T18:06:13Z" level=info msg="starting job..." fetcher_timeout=5m0s job_id=358413559 updater_timeout=45m0s updater_version=0.183.0-0b9af6273654af08450bbcfd0d31588cb1e7cf36
updater | I, [2022-05-01T18:06:15.083599 #7]  INFO -- sentry: ** [Raven] Raven 3.1.2 ready to catch errors
updater | warning: parser/current is loading parser/ruby27, which recognizes2.7.6-compliant syntax, but you are running 2.7.5.
updater | Please see https://github.com/whitequark/parser#compatibility-with-ruby-mri.
updater | INFO <job_358413559> Starting job processing
  proxy | 2022/05/01 18:06:17 [002] GET https://api.github.com:443/repos/kereis/traefik-certs-dumper
  proxy | 2022/05/01 18:06:17 [002] * authenticating github api request
  proxy | 2022/05/01 18:06:17 [002] 200 https://api.github.com:443/repos/kereis/traefik-certs-dumper
  proxy | 2022/05/01 18:06:17 [004] GET https://api.github.com:443/repos/kereis/traefik-certs-dumper/git/refs/heads/develop
  proxy | 2022/05/01 18:06:17 [004] * authenticating github api request
  proxy | 2022/05/01 18:06:17 [004] 200 https://api.github.com:443/repos/kereis/traefik-certs-dumper/git/refs/heads/develop
  proxy | 2022/05/01 18:06:17 [006] GET https://api.github.com:443/repos/kereis/traefik-certs-dumper/contents/docker?ref=7a18618c61abb3e1fe522603262dbb3c4f515d13
  proxy | 2022/05/01 18:06:17 [006] * authenticating github api request
  proxy | 2022/05/01 18:06:17 [006] 200 https://api.github.com:443/repos/kereis/traefik-certs-dumper/contents/docker?ref=7a18618c61abb3e1fe522603262dbb3c4f515d13
  proxy | 2022/05/01 18:06:17 [008] GET https://api.github.com:443/repos/kereis/traefik-certs-dumper/contents/docker/Dockerfile?ref=7a18618c61abb3e1fe522603262dbb3c4f515d13
  proxy | 2022/05/01 18:06:17 [008] * authenticating github api request
  proxy | 2022/05/01 18:06:17 [008] 200 https://api.github.com:443/repos/kereis/traefik-certs-dumper/contents/docker/Dockerfile?ref=7a18618c61abb3e1fe522603262dbb3c4f515d13
  proxy | 2022/05/01 18:06:17 [010] GET https://api.github.com:443/repos/kereis/traefik-certs-dumper/contents/docker/Dockerfile.aarch64?ref=7a18618c61abb3e1fe522603262dbb3c4f515d13
  proxy | 2022/05/01 18:06:17 [010] * authenticating github api request
  proxy | 2022/05/01 18:06:17 [010] 200 https://api.github.com:443/repos/kereis/traefik-certs-dumper/contents/docker/Dockerfile.aarch64?ref=7a18618c61abb3e1fe522603262dbb3c4f515d13
  proxy | 2022/05/01 18:06:17 [012] GET https://api.github.com:443/repos/kereis/traefik-certs-dumper/contents/docker/Dockerfile.armhf?ref=7a18618c61abb3e1fe522603262dbb3c4f515d13
  proxy | 2022/05/01 18:06:17 [012] * authenticating github api request
  proxy | 2022/05/01 18:06:17 [012] 200 https://api.github.com:443/repos/kereis/traefik-certs-dumper/contents/docker/Dockerfile.armhf?ref=7a18618c61abb3e1fe522603262dbb3c4f515d13
updater | INFO <job_358413559> Finished job processing
updater | time="2022-05-01T18:06:17Z" level=info msg="task complete" container_id=job-358413559-file-fetcher exit_code=0 job_id=358413559 step=fetcher
updater | I, [2022-05-01T18:06:18.737136 #7]  INFO -- sentry: ** [Raven] Raven 3.1.2 ready to catch errors
updater | warning: parser/current is loading parser/ruby27, which recognizes2.7.6-compliant syntax, but you are running 2.7.5.
updater | Please see https://github.com/whitequark/parser#compatibility-with-ruby-mri.
updater | INFO <job_358413559> Starting job processing
updater | INFO <job_358413559> Starting update job for kereis/traefik-certs-dumper
updater | INFO <job_358413559> Checking if docker 20.10.14 needs updating
  proxy | 2022/05/01 18:06:20 [016] GET https://registry.hub.docker.com:443/v2/library/docker/tags/list
  proxy | 2022/05/01 18:06:20 [016] 401 https://registry.hub.docker.com:443/v2/library/docker/tags/list
  proxy | 2022/05/01 18:06:21 [018] GET https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Alibrary%2Fdocker%3Apull
  proxy | 2022/05/01 18:06:21 [018] 200 https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Alibrary%2Fdocker%3Apull
  proxy | 2022/05/01 18:06:21 [020] GET https://registry.hub.docker.com:443/v2/library/docker/tags/list
  proxy | 2022/05/01 18:06:21 [020] 200 https://registry.hub.docker.com:443/v2/library/docker/tags/list
  proxy | 2022/05/01 18:06:21 [022] HEAD https://registry.hub.docker.com:443/v2/library/docker/manifests/latest
  proxy | 2022/05/01 18:06:21 [022] 401 https://registry.hub.docker.com:443/v2/library/docker/manifests/latest
  proxy | 2022/05/01 18:06:21 [024] GET https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Alibrary%2Fdocker%3Apull
  proxy | 2022/05/01 18:06:21 [024] 200 https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Alibrary%2Fdocker%3Apull
  proxy | 2022/05/01 18:06:21 [026] HEAD https://registry.hub.docker.com:443/v2/library/docker/manifests/latest
  proxy | 2022/05/01 18:06:21 [026] 200 https://registry.hub.docker.com:443/v2/library/docker/manifests/latest
  proxy | 2022/05/01 18:06:21 [028] HEAD https://registry.hub.docker.com:443/v2/library/docker/manifests/20.10.14
  proxy | 2022/05/01 18:06:21 [028] 401 https://registry.hub.docker.com:443/v2/library/docker/manifests/20.10.14
  proxy | 2022/05/01 18:06:21 [030] GET https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Alibrary%2Fdocker%3Apull
  proxy | 2022/05/01 18:06:21 [030] 200 https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Alibrary%2Fdocker%3Apull
  proxy | 2022/05/01 18:06:21 [032] HEAD https://registry.hub.docker.com:443/v2/library/docker/manifests/20.10.14
  proxy | 2022/05/01 18:06:21 [032] 200 https://registry.hub.docker.com:443/v2/library/docker/manifests/20.10.14
updater | INFO <job_358413559> Latest version is 20.10.14
updater | INFO <job_358413559> No update needed for docker 20.10.14
updater | INFO <job_358413559> Checking if arm64v8/docker 20.10.14 needs updating
  proxy | 2022/05/01 18:06:21 [034] GET https://registry.hub.docker.com:443/v2/arm64v8/docker/tags/list
  proxy | 2022/05/01 18:06:21 [034] 401 https://registry.hub.docker.com:443/v2/arm64v8/docker/tags/list
  proxy | 2022/05/01 18:06:21 [036] GET https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Aarm64v8%2Fdocker%3Apull
  proxy | 2022/05/01 18:06:21 [036] 200 https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Aarm64v8%2Fdocker%3Apull
  proxy | 2022/05/01 18:06:21 [038] GET https://registry.hub.docker.com:443/v2/arm64v8/docker/tags/list
  proxy | 2022/05/01 18:06:21 [038] 200 https://registry.hub.docker.com:443/v2/arm64v8/docker/tags/list
  proxy | 2022/05/01 18:06:21 [040] HEAD https://registry.hub.docker.com:443/v2/arm64v8/docker/manifests/latest
  proxy | 2022/05/01 18:06:21 [040] 401 https://registry.hub.docker.com:443/v2/arm64v8/docker/manifests/latest
  proxy | 2022/05/01 18:06:21 [042] GET https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Aarm64v8%2Fdocker%3Apull
  proxy | 2022/05/01 18:06:21 [042] 200 https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Aarm64v8%2Fdocker%3Apull
  proxy | 2022/05/01 18:06:21 [044] HEAD https://registry.hub.docker.com:443/v2/arm64v8/docker/manifests/latest
  proxy | 2022/05/01 18:06:21 [044] 200 https://registry.hub.docker.com:443/v2/arm64v8/docker/manifests/latest
  proxy | 2022/05/01 18:06:21 [046] HEAD https://registry.hub.docker.com:443/v2/arm64v8/docker/manifests/20.10.14
  proxy | 2022/05/01 18:06:22 [046] 401 https://registry.hub.docker.com:443/v2/arm64v8/docker/manifests/20.10.14
  proxy | 2022/05/01 18:06:22 [048] GET https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Aarm64v8%2Fdocker%3Apull
  proxy | 2022/05/01 18:06:22 [048] 200 https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Aarm64v8%2Fdocker%3Apull
  proxy | 2022/05/01 18:06:22 [050] HEAD https://registry.hub.docker.com:443/v2/arm64v8/docker/manifests/20.10.14
  proxy | 2022/05/01 18:06:22 [050] 200 https://registry.hub.docker.com:443/v2/arm64v8/docker/manifests/20.10.14
updater | INFO <job_358413559> Latest version is 20.10.14
updater | INFO <job_358413559> No update needed for arm64v8/docker 20.10.14
updater | INFO <job_358413559> Checking if arm32v7/docker 19.03.8 needs updating
  proxy | 2022/05/01 18:06:22 [052] GET https://registry.hub.docker.com:443/v2/arm32v7/docker/tags/list
  proxy | 2022/05/01 18:06:22 [052] 401 https://registry.hub.docker.com:443/v2/arm32v7/docker/tags/list
  proxy | 2022/05/01 18:06:22 [054] GET https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Aarm32v7%2Fdocker%3Apull
  proxy | 2022/05/01 18:06:22 [054] 200 https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Aarm32v7%2Fdocker%3Apull
  proxy | 2022/05/01 18:06:22 [056] GET https://registry.hub.docker.com:443/v2/arm32v7/docker/tags/list
  proxy | 2022/05/01 18:06:22 [056] 200 https://registry.hub.docker.com:443/v2/arm32v7/docker/tags/list
  proxy | 2022/05/01 18:06:22 [058] HEAD https://registry.hub.docker.com:443/v2/arm32v7/docker/manifests/latest
  proxy | 2022/05/01 18:06:22 [058] 401 https://registry.hub.docker.com:443/v2/arm32v7/docker/manifests/latest
  proxy | 2022/05/01 18:06:22 [060] GET https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Aarm32v7%2Fdocker%3Apull
  proxy | 2022/05/01 18:06:22 [060] 200 https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Aarm32v7%2Fdocker%3Apull
  proxy | 2022/05/01 18:06:22 [062] HEAD https://registry.hub.docker.com:443/v2/arm32v7/docker/manifests/latest
  proxy | 2022/05/01 18:06:22 [062] 200 https://registry.hub.docker.com:443/v2/arm32v7/docker/manifests/latest
  proxy | 2022/05/01 18:06:22 [064] HEAD https://registry.hub.docker.com:443/v2/arm32v7/docker/manifests/19.03.8
  proxy | 2022/05/01 18:06:22 [064] 401 https://registry.hub.docker.com:443/v2/arm32v7/docker/manifests/19.03.8
  proxy | 2022/05/01 18:06:22 [066] GET https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Aarm32v7%2Fdocker%3Apull
  proxy | 2022/05/01 18:06:22 [066] 200 https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Aarm32v7%2Fdocker%3Apull
  proxy | 2022/05/01 18:06:22 [068] HEAD https://registry.hub.docker.com:443/v2/arm32v7/docker/manifests/19.03.8
  proxy | 2022/05/01 18:06:22 [068] 200 https://registry.hub.docker.com:443/v2/arm32v7/docker/manifests/19.03.8
updater | INFO <job_358413559> Latest version is 19.03.8
updater | INFO <job_358413559> No update needed for arm32v7/docker 19.03.8
updater | INFO <job_358413559> Finished job processing
updater | time="2022-05-01T18:06:22Z" level=info msg="task complete" container_id=job-358413559-updater exit_code=0 job_id=358413559 step=updater

🕹 Bonus points: Smallest manifest that reproduces the issue
Check https://github.com/kereis/dependabot-docker-copy-from-bug if you want to try to reproduce this issue.

Other notes
I don't know if this is a real bug or if this is rather a feature request. I took a look at

and it looks like the docker updater only respects images referenced in a FROM statement inside Dockerfiles. This would possibly affect
FROM_REGEX = /FROM(\s+--platform\=\S+)?/i.freeze
too.

So it might not technically be a bug but rather a missing feature. But I created this issue as a bug because this is something I would have expected to work in Dependabot.

If it's the real issue, I might try to add support for COPY statements and create a pull request. But until then I'd like to wait for feedback. 😄

Nishnha (Member) commented Aug 31, 2022

I would love to see a PR for this @kereis!

I don't think it would be hard to add in multi-stage build support. We already fetch the dockerfiles in a project, so we just need to parse out the image names in COPY --from=<image> and pass them to the parser.

The file updater might need some slight modifications to make sure it doesn't change the rest of the COPY statement too.

The docs have one edge case that we have to pay attention to, though:

COPY --from=0 /go/src/github.com/alexellis/href-counter/app ./

The docs state "the COPY --from=0 line copies just the built artifact from the previous stage into this new stage", so we should exclude that case.


ruudk commented May 24, 2023

Just wanted to say that I'd really like this feature too. I'm having this in my Dockerfile:

COPY --from=composer:2.5.5 /usr/bin/composer /usr/local/bin/composer

And I'd like Dependabot to automatically update it.

@dannysauer

As a workaround, just add the image in your copy --from as a do-nothing stage, ideally with an alias. Then copy --from=youralias. The effect is equivalent, but now your dockerfile uses a FROM line that dependabot supports.

FROM ldez/traefik-certs-dumper:v2.7.0 AS tcd
FROM composer:2.5.5 AS c
FROM anotherbase:1.2.3
COPY --from=tcd /some/file /some/location
COPY --from=c /usr/bin/composer /usr/local/bin/composer

💥
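A small classifier covering both Nishnha's point (a numeric --from=0 refers to an earlier stage, not an image) and dannysauer's alias workaround (a --from=alias refers to a FROM ... AS stage), added here as an example and not Dependabot's own code. FROM_RE is modelled on the FROM_REGEX quoted in the issue, and the two Dockerfiles are constructed inputs.

```ruby
# Added example (not Dependabot's code): classify the image references in a
# Dockerfile so external images hidden behind COPY --from get reported instead
# of silently staying unpinned. Assumes BuildKit rules: --from=N is a 0-based
# index into earlier FROM stages, --from=<alias> names a "FROM ... AS <alias>"
# stage, and anything else is an image reference.
FROM_RE = /\AFROM(?:\s+--platform=\S+)?\s+(?<image>\S+)(?:\s+AS\s+(?<alias>\S+))?/i
COPY_FROM_RE = /\ACOPY\s+(?:--\S+\s+)*?--from=(?<ref>\S+)/i  # any flags before --from

# Returns { from:, copy_stage:, copy_external: }:
#   from          - images the FROM-only updater already tracks
#   copy_stage    - COPY --from values resolving to an earlier stage (skip these)
#   copy_external - images referenced only via COPY --from (the gap in this issue)
def classify_image_refs(dockerfile)
  stages  = []   # FROM images seen so far, in order
  aliases = {}   # downcased stage alias -> image
  result  = { from: [], copy_stage: [], copy_external: [] }
  # Join backslash-continued lines so flags split across lines are still seen.
  dockerfile.gsub(/\\\r?\n/, " ").each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?("#")
    if (m = FROM_RE.match(line))
      stages << m[:image]
      aliases[m[:alias].downcase] = m[:image] if m[:alias]
      result[:from] << m[:image]
    elsif (m = COPY_FROM_RE.match(line))
      ref = m[:ref]
      is_index = ref.match?(/\A\d+\z/) && ref.to_i < stages.size
      bucket = (is_index || aliases.key?(ref.downcase)) ? :copy_stage : :copy_external
      result[bucket] << ref
    end
  end
  result
end

# Constructed inputs: the pattern from the issue, and dannysauer's workaround.
ISSUE_DOCKERFILE = <<~DOCKERFILE
  FROM docker:20.10.14
  COPY --from=ldez/traefik-certs-dumper:v2.7.0 /usr/bin/traefik-certs-dumper /usr/local/bin/
  COPY --from=0 /etc/docker /etc/docker
DOCKERFILE
WORKAROUND_DOCKERFILE = <<~DOCKERFILE
  FROM ldez/traefik-certs-dumper:v2.7.0 AS tcd
  FROM composer:2.5.5 AS c
  FROM anotherbase:1.2.3
  COPY --from=tcd /some/file /some/location
  COPY --from=c /usr/bin/composer /usr/local/bin/composer
DOCKERFILE

puts classify_image_refs(ISSUE_DOCKERFILE).inspect      # copy_external lists the dumper image
puts classify_image_refs(WORKAROUND_DOCKERFILE).inspect # copy_external is empty
```

Running it over a repository's Dockerfiles gives a quick audit of which base images are outside Dependabot's FROM-based coverage until COPY --from support lands.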
