
@MartinBasti MartinBasti (Contributor) commented Sep 25, 2025

RHACS reports OSBS images as vulnerable because of the usage of the ADD instruction, which allows fetching remote content.

It's a false positive, as OSBS uses local resources only, but it scares users.

We don't need to use the ADD instruction; we can replace it with COPY.
We need to keep the ADD instruction for building base images, as it untars the archive into the filesystem.

STONEBLD-3815

Maintainers will complete the following section

  • Commit messages are descriptive enough
  • Code coverage from testing does not decrease and new code is covered
  • Python type annotations added to new code
  • JSON/YAML configuration changes are updated in the relevant schema
  • Changes to metadata also update the documentation for the metadata
  • Pull request has a link to an osbs-docs PR for user documentation updates
  • New feature can be disabled from a configuration file
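The distinction the PR draws (ADD fetches remote URLs and auto-extracts local tarballs, COPY does neither) is easy to apply by hand to one Dockerfile but worth automating when a scanner flags a whole fleet of images. The following is an added example, not OSBS or atomic-reactor code: it parses a Dockerfile, classifies every ADD as a remote fetch, a local archive that ADD would extract (the base-image case that must stay ADD), or a plain local copy that can become COPY, and rewrites only the last kind. The sample Dockerfile text is constructed for the example; the archive-extension list is a heuristic (Docker decides by sniffing the content, not the name), and treating `git@` sources as remote is an assumption.

```python
"""Classify ADD instructions in a Dockerfile and rewrite the replaceable ones to COPY.

Added example, not OSBS/atomic-reactor code. Handles backslash continuations,
comments, --flags (e.g. --chown) and the JSON ["src", "dst"] form. Parser
directives and heredocs are not handled (assumption: plain Dockerfiles).
"""
import json
import re
import shlex
from typing import List, Tuple

# Heuristic: extensions of archives that ADD auto-extracts. Docker actually
# sniffs the content (recognised tar compressions), so this is a review aid.
ARCHIVE_SUFFIXES = (".tar", ".tar.gz", ".tgz", ".tar.bz2", ".tbz2", ".tar.xz", ".txz")
# Sources ADD fetches from the network. git@ is treated as remote (assumption).
REMOTE_PREFIXES = ("http://", "https://", "git://", "ssh://", "git@")


def parse_instructions(dockerfile: str) -> List[Tuple[int, str, str]]:
    """Return (first_line_no, INSTRUCTION, args) with continuation lines joined."""
    out = []
    lines = dockerfile.splitlines()
    i = 0
    while i < len(lines):
        stripped = lines[i].strip()
        if not stripped or stripped.startswith("#"):
            i += 1
            continue
        start = i + 1
        buf = stripped
        while buf.endswith("\\") and i + 1 < len(lines):
            i += 1
            nxt = lines[i].strip()
            if nxt.startswith("#"):  # comment lines are allowed inside a continuation
                continue
            buf = buf[:-1] + " " + nxt
        i += 1
        parts = buf.split(None, 1)
        out.append((start, parts[0].upper(), parts[1] if len(parts) > 1 else ""))
    return out


def split_sources(args: str) -> Tuple[List[str], str]:
    """Split ADD/COPY arguments into (sources, destination), dropping --flags."""
    args = args.strip()
    while args.startswith("--"):  # --chown=, --chmod, --link, --checksum=, ...
        _flag, _, args = args.partition(" ")
        args = args.lstrip()
    items = json.loads(args) if args.startswith("[") else shlex.split(args)
    if len(items) < 2:
        raise ValueError(f"ADD/COPY needs a source and a destination: {args!r}")
    return items[:-1], items[-1]


def classify_add(dockerfile: str) -> List[Tuple[int, str, List[str]]]:
    """For each ADD: (line_no, kind, sources); kind is remote, archive or copyable.

    Remote is checked first: ADD never extracts a remote archive, it only
    downloads it, so a remote tarball is a network fetch, not an extraction.
    """
    results = []
    for line_no, instr, args in parse_instructions(dockerfile):
        if instr != "ADD":
            continue
        sources, _dest = split_sources(args)
        if any(s.startswith(REMOTE_PREFIXES) for s in sources):
            kind = "remote"
        elif any(s.lower().endswith(ARCHIVE_SUFFIXES) for s in sources):
            kind = "archive"
        else:
            kind = "copyable"
        results.append((line_no, kind, sources))
    return results


def rewrite_copyable(dockerfile: str) -> str:
    """Rewrite ADDs classified copyable to COPY; remote and archive ADDs stay as-is.

    Only the leading keyword on the instruction's first line changes, so
    continuation lines and formatting are preserved.
    """
    copyable = {ln for ln, kind, _ in classify_add(dockerfile) if kind == "copyable"}
    out = []
    for n, line in enumerate(dockerfile.splitlines(keepends=True), start=1):
        if n in copyable:
            line = re.sub(r"^(\s*)ADD\b", r"\1COPY", line, count=1, flags=re.IGNORECASE)
        out.append(line)
    return "".join(out)


# Constructed sample: one of each kind, plus a flag and a continuation line.
SAMPLE_DOCKERFILE = """\
FROM scratch
# base-image build: ADD must stay, it untars the rootfs into the filesystem
ADD rootfs.tar.gz /
# remote fetch: this is the pattern scanners flag
ADD https://example.invalid/tool.tar.gz /opt/
# plain local files: COPY is enough
ADD --chown=1001:0 requirements.txt /app/
ADD src/ \\
    /app/src/
"""

if __name__ == "__main__":
    for line_no, kind, sources in classify_add(SAMPLE_DOCKERFILE):
        print(f"line {line_no}: {kind:8s} {sources}")
    print(rewrite_copyable(SAMPLE_DOCKERFILE))
```

Run against the sample, the base-image `ADD rootfs.tar.gz /` and the remote fetch are reported and left untouched, while the two plain-file ADDs become COPY, which is exactly the split the PR makes between base-image builds and everything else.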

@MartinBasti MartinBasti force-pushed the replace-add-with-copy branch from 581554d to 327c808 on October 2, 2025 13:20
RHACS reports OSBS images as vulnerable because of the usage of the ADD
instruction, which allows fetching remote content.

It's a false positive, as OSBS uses local resources only, but it scares
users.

We need to keep the ADD instruction to inject the filesystem for base image
builds, to untar sources.

STONEBLD-3815

Signed-off-by: Martin Basti <mbasti@redhat.com>
@MartinBasti MartinBasti force-pushed the replace-add-with-copy branch from 327c808 to 95e1156 on October 2, 2025 13:55
@MartinBasti MartinBasti merged commit 96d90ce into containerbuildsystem:master Oct 3, 2025
13 of 15 checks passed
@MartinBasti MartinBasti deleted the replace-add-with-copy branch October 3, 2025 11:38
3 participants