feat: add Dockerfile analysis for build command detection

Changes:

-Function find_dockerfile_from_job: handles finding Dockerfile inside workflow in 2 cases of workflow jobs: -run and -uses.

-Simple DockerNode class, so far it stores mainly the dockerfile path retrieved from workflow

-Parsing Dockerfile using dockerfile-parse and RUN instruction commands using bashparser.py

-Parsing and storing build commands found in Dockerfiles

Signed-off-by: Achraf Maghous <achraf.maghous@oracle.com>

Author: achrafmag

pyproject.toml

@@ -38,6 +38,7 @@ dependencies = [
     "problog >= 2.2.6,<3.0.0",
     "cryptography >=44.0.0,<45.0.0",
     "semgrep == 1.113.0",
+    "dockerfile-parse >= 2.0.1"
 ]
 keywords = []
 # https://pypi.org/classifiers/
@@ -79,6 +80,7 @@ dev = [
     "pylint >=3.0.3,<4.0.0",
     "cyclonedx-bom >=4.0.0,<5.0.0",
     "types-beautifulsoup4 >= 4.12.0,<5.0.0",
+    "types-dockerfile-parse >= 2.0.0"
 ]
 docs = [
     "sphinx >=8.0.0,<9.0.0",

src/macaron/slsa_analyzer/checks/build_script_check.py

@@ -107,12 +107,15 @@ def run_check(self, ctx: AnalyzeContext) -> CheckResultData:
         #       we parse bash scripts that are reachable through CI only.
         result_tables: list[CheckFacts] = []
         ci_services = ctx.dynamic_data["ci_services"]
+
         for tool in build_tools:
             for ci_info in ci_services:
                 ci_service: BaseCIService = ci_info["service"]
                 # Checking if a CI service is discovered for this repo.
                 if isinstance(ci_service, NoneCIService):
                     continue
+
+                # Process regular workflow build commands
                 try:
                     for build_command in ci_service.get_build_tool_commands(
                         callgraph=ci_info["callgraph"], build_tool=tool
@@ -148,6 +151,38 @@ def run_check(self, ctx: AnalyzeContext) -> CheckResultData:
                 except CallGraphError as error:
                     logger.debug(error)
 
+                # Process Docker build commands if the CI service has the method
+                if hasattr(ci_service, "get_docker_build_commands"):
+                    try:
+                        for build_command in ci_service.get_docker_build_commands(
+                            callgraph=ci_info["callgraph"], build_tool=tool
+                        ):
+                            logger.debug("Processing Docker build command %s", build_command)
+                            # For Dockerfile, link to the Dockerfile itself
+                            relative_path = os.path.relpath(build_command["ci_path"], ctx.component.repository.fs_path)
+                            trigger_link = ci_service.api_client.get_file_link(
+                                ctx.component.repository.full_name,
+                                ctx.component.repository.commit_sha,
+                                relative_path,
+                            )
+                            logger.debug("Trigger link for Docker build command: %s", trigger_link)
+
+                            result_tables.append(
+                                BuildScriptFacts(
+                                    build_tool_name=tool.name,
+                                    ci_service_name=ci_service.name,
+                                    build_trigger=trigger_link,
+                                    language=build_command["language"],
+                                    language_distributions=None,
+                                    language_versions=None,
+                                    language_url=None,
+                                    build_tool_command=tool.serialize_to_json(build_command["command"]),
+                                    confidence=Confidence.HIGH,
+                                )
+                            )
+                    except CallGraphError as error:
+                        logger.debug(error)
+
         return CheckResultData(result_tables=result_tables, result_type=CheckResultType.PASSED)
 
 

src/macaron/slsa_analyzer/ci_service/base_ci_service.py

@@ -280,6 +280,24 @@ def get_third_party_configurations(self) -> list[str]:
         """
         return []
 
+    def get_docker_build_commands(self, callgraph: CallGraph, build_tool: BaseBuildTool) -> Iterable[BuildToolCommand]:
+        """
+        Traverse the callgraph and find all the reachable Docker build commands.
+
+        Parameters
+        ----------
+        callgraph: CallGraph
+            The callgraph reachable from the CI workflows.
+
+        Yields
+        ------
+        BuildToolCommand
+            The object that contains the Docker build command as well useful contextual information.
+        """
+        # By default we assume that there is no Docker build command available for a CI service.
+        # Each CI service should override this method if a Docker build command is generated for it.
+        raise CallGraphError("There is no Docker build command for this CI service.")
+
 
 class NoneCIService(BaseCIService):
     """This class can be used to initialize an empty CI service."""