@cx-andre-pereira cx-andre-pereira commented Jul 16, 2025

Reason for Proposed Changes

  • This query exists to guarantee that any image referenced in a "dockerfile" is either an explicit image (ubuntu:22.04) or a non-explicit image that has been declared in a valid manner.
  • Given this, the type of expected statements to look out for are as follows:
FROM ubuntu:22.04 
FROM ubuntu:22.04 AS new_image
FROM declared_image
FROM declared_image AS new_image
  • The query must enforce 2 similar rules to ensure valid image referencing and declaration:
    • No FROM x AS y statement has an invalid x image.
    • No FROM x statement has an invalid x image.
  • Any "x" image can be either an explicit image or an image declared previously through a chain that ends in an explicit image; that is to say, all images must be based, originally, on explicit images.
  • Currently the query fails when a "FROM x" statement is correctly used with an x representing a valid declared image: it is not verifying previous declarations to compare validity or lack thereof.
  • Additionally, the current implementation does not take into account sequential declaration; this is to say, something like:
FROM Image1
FROM ubuntu:22.04 AS Image1

will not raise the flag even though it should; a "dockerfile" does not support forward references, and so the query should definitely consider the image version not explicit.

Proposed Changes

  • To solve the issue of "FROM x" statements being incorrectly flagged, I simply updated the current logic based on the identical use case already implemented for "FROM x AS y" statements.
  • For the issue related to the invalid assumption of forward referencing, I made use of the "EndLine" field located in each "command" generated for the payload, which allows for easy distinction between what should be accounted for (i.e. declarations written before the one being considered) and the ones written later in the "dockerfile", which should be ignored.
  • With this implementation any complete hierarchical definition of images in the "dockerfile" can be correctly assessed, and new tests have been added to corroborate this behavior:
    • positive3: Flags "FROM x" commands dependent on undeclared images;
    • positive4: Flags invalid attempts at forward referencing for both relevant commands;
    • negative4: Demonstrates support for referencing an image generated through hierarchical declarations;

originalPR

I submit this contribution under the Apache-2.0 license.
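As an added illustration of the sequential check described in the PR (this is not the KICS Rego query or any code from the project), the following Python reproduces the rule: a FROM image passes if it is explicit or names a stage declared on an earlier line whose own base passed; anything else, including a forward reference to a later "AS" alias, is reported. The definition of "explicit" used here (a tag or digest on the last path component, with `scratch` allowed) and the sample Dockerfiles are assumptions constructed for the example.

```python
"""Sequential validation of Dockerfile FROM statements.

Added illustration, not the KICS query itself: every FROM image must be either
explicit (tag or digest) or an alias declared in an EARLIER stage whose own base
chain ends in an explicit image. Forward references to a later "AS alias" are
rejected, mirroring the behaviour described in the PR.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Matches "FROM [--flag ...] <image> [AS <alias>]"; flags such as --platform are skipped.
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--\S+\s+)*(?P<image>\S+)(?:\s+AS\s+(?P<alias>\S+))?\s*$",
    re.IGNORECASE,
)


@dataclass
class Finding:
    line: int             # 1-based line number of the offending FROM
    image: str            # image reference that is neither explicit nor validly declared
    alias: Optional[str]  # stage name if the statement was "FROM x AS y", else None


def is_explicit(image: str) -> bool:
    """Assumed definition of 'explicit': the last path component carries a tag
    (name:tag) or a digest (name@sha256:...). Only the last component is inspected
    so a registry port (host:5000/app) is not mistaken for a tag. 'scratch' is
    accepted by assumption, since it has no tags to pin."""
    if image.lower() == "scratch":
        return True
    last = image.rsplit("/", 1)[-1]
    return ":" in last or "@" in last


def check_dockerfile(text: str) -> List[Finding]:
    """Walk FROM statements top to bottom, exactly as a build would see them."""
    findings: List[Finding] = []
    valid_aliases: Set[str] = set()  # stages whose base resolved to an explicit image
    for lineno, raw in enumerate(text.splitlines(), start=1):
        m = FROM_RE.match(raw)
        if not m:
            continue
        image, alias = m.group("image"), m.group("alias")
        # Only aliases declared on EARLIER lines are in the set, so a forward
        # reference ("FROM Image1" before "... AS Image1") is not accepted.
        if is_explicit(image) or image in valid_aliases:
            if alias:
                valid_aliases.add(alias)
        else:
            findings.append(Finding(lineno, image, alias))
    return findings


# Constructed sample inputs modelled on the cases the PR text describes.
FORWARD_REFERENCE = """\
FROM Image1
FROM ubuntu:22.04 AS Image1
"""

UNDECLARED = """\
FROM ubuntu:22.04 AS base
FROM declared_image
"""

HIERARCHY = """\
FROM --platform=linux/amd64 ubuntu:22.04 AS base
FROM base AS build
FROM build
"""

BROKEN_CHAIN = """\
FROM ubuntu AS base
FROM base AS app
"""

if __name__ == "__main__":
    samples = [("forward_reference", FORWARD_REFERENCE), ("undeclared", UNDECLARED),
               ("hierarchy", HIERARCHY), ("broken_chain", BROKEN_CHAIN)]
    for name, dockerfile in samples:
        print(name, [(f.line, f.image, f.alias) for f in check_dockerfile(dockerfile)])
```

Because aliases are only added to `valid_aliases` when their own base passed, an untagged base such as `FROM ubuntu AS base` is flagged once at its declaration and again wherever a later stage builds on it, which is the "chain must end in an explicit image" rule from the description. Running a reference to a later stage before its declaration is reported at the earlier line only; the later `AS` declaration itself is still valid.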

@cx-andre-pereira cx-andre-pereira requested a review from a team as a code owner July 16, 2025 11:01
@github-actions github-actions bot added the community (Community contribution), query (New query feature) and dockerfile labels Jul 16, 2025
@cx-artur-ribeiro cx-artur-ribeiro left a comment

LGTM

@cx-artur-ribeiro cx-artur-ribeiro merged commit 9f43a97 into Checkmarx:master Jul 17, 2025
25 checks passed