Skip to content

fix(misconf): wrap legacy ENV values in quotes to preserve spaces #9497

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Sep 22, 2025
Merged

fix(misconf): wrap legacy ENV values in quotes to preserve spaces #9497

merged 3 commits into from
Sep 22, 2025

Conversation

@nikpivkin
Copy link
Contributor

@nikpivkin nikpivkin commented Sep 19, 2025
edited
Loading

Description

Some Dockerfiles use legacy ENV in the form:

ENV key val1 val2

Docker stores this in image history as:

❯ docker history --no-trunc --format '{{json .}}' diss-9494 | jq -r '.CreatedBy'
ENV TEST=val1 val2
...

This can cause parsing errors, because extra tokens (e.g., val2) are treated as separate keys.

This PR fixes the issue by wrapping ENV values in quotes, preserving internal spaces, so that the Dockerfile parser correctly interprets legacy ENV instructions.

Related issues

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).

@nikpivkin nikpivkin requested a review from simar7 September 19, 2025 07:48
@nikpivkin nikpivkin added the autoready Automatically mark PR as ready for review when all checks pass label Sep 19, 2025
@github-actions github-actions bot marked this pull request as ready for review September 19, 2025 09:06
@github-actions github-actions bot removed the autoready Automatically mark PR as ready for review when all checks pass label Sep 19, 2025
DmitriyLewen
DmitriyLewen reviewed Sep 19, 2025
View reviewed changes
@nikpivkin nikpivkin added this pull request to the merge queue Sep 22, 2025
Merged via the queue into aquasecurity:main with commit 267a970 Sep 22, 2025
13 checks passed
@nikpivkin nikpivkin deleted the img-history-legacy-env branch September 22, 2025 12:19
@aqua-bot aqua-bot mentioned this pull request Sep 22, 2025
Merged
alexlebens pushed a commit to alexlebens/infrastructure that referenced this pull request Sep 30, 2025
@alexlebens
Update mirror.gcr.io/aquasec/trivy Docker tag to v0.67.0 (#1622)
c62e888 
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [mirror.gcr.io/aquasec/trivy](https://www.aquasec.com/products/trivy/) ([source](https://github.com/aquasecurity/trivy)) | minor | `0.66.0` -> `0.67.0` |

---

### Release Notes

<details>
<summary>aquasecurity/trivy (mirror.gcr.io/aquasec/trivy)</summary>

### [`v0.67.0`](https://github.com/aquasecurity/trivy/blob/HEAD/CHANGELOG.md#0670-2025-09-30)

[Compare Source](aquasecurity/trivy@v0.66.0...v0.67.0)

##### Features

- add documentation URL for database lock errors ([#&#8203;9531](aquasecurity/trivy#9531)) ([eba48af](aquasecurity/trivy@eba48af))
- **cli:** change --list-all-pkgs default to true ([#&#8203;9510](aquasecurity/trivy#9510)) ([7b663d8](aquasecurity/trivy@7b663d8))
- **cloudformation:** support default values and list results in Fn::FindInMap ([#&#8203;9515](aquasecurity/trivy#9515)) ([42b3bf3](aquasecurity/trivy@42b3bf3))
- **cyclonedx:** preserve SBOM structure when scanning SBOM files with vulnerability updates ([#&#8203;9439](aquasecurity/trivy#9439)) ([aff03eb](aquasecurity/trivy@aff03eb))
- **redhat:** add os-release detection for RHEL-based images ([#&#8203;9458](aquasecurity/trivy#9458)) ([cb25a07](aquasecurity/trivy@cb25a07))
- **sbom:** added support for CoreOS ([#&#8203;9448](aquasecurity/trivy#9448)) ([6d562a3](aquasecurity/trivy@6d562a3))
- **seal:** add seal support ([#&#8203;9370](aquasecurity/trivy#9370)) ([e4af279](aquasecurity/trivy@e4af279))

##### Bug Fixes

- **aws:** use `BuildableClient` insead of `xhttp.Client` ([#&#8203;9436](aquasecurity/trivy#9436)) ([fa6f1bf](aquasecurity/trivy@fa6f1bf))
- close file descriptors and pipes on error paths ([#&#8203;9536](aquasecurity/trivy#9536)) ([a4cbd6a](aquasecurity/trivy@a4cbd6a))
- **db:** Dowload database when missing but metadata still exists ([#&#8203;9393](aquasecurity/trivy#9393)) ([92ebc7e](aquasecurity/trivy@92ebc7e))
- **k8s:** disable parallel traversal with fs cache for k8s images ([#&#8203;9534](aquasecurity/trivy#9534)) ([c0c7a6b](aquasecurity/trivy@c0c7a6b))
- **misconf:** handle tofu files in module detection ([#&#8203;9486](aquasecurity/trivy#9486)) ([bfd2f6b](aquasecurity/trivy@bfd2f6b))
- **misconf:** strip build metadata suffixes from image history ([#&#8203;9498](aquasecurity/trivy#9498)) ([c938806](aquasecurity/trivy@c938806))
- **misconf:** unmark cty values before access ([#&#8203;9495](aquasecurity/trivy#9495)) ([8e40d27](aquasecurity/trivy@8e40d27))
- **misconf:** wrap legacy ENV values in quotes to preserve spaces ([#&#8203;9497](aquasecurity/trivy#9497)) ([267a970](aquasecurity/trivy@267a970))
- **nodejs:** parse workspaces as objects for package-lock.json files ([#&#8203;9518](aquasecurity/trivy#9518)) ([404abb3](aquasecurity/trivy@404abb3))
- **nodejs:** use snapshot string as `Package.ID` for pnpm packages ([#&#8203;9330](aquasecurity/trivy#9330)) ([4517e8c](aquasecurity/trivy@4517e8c))
- **vex:** don't  suppress vulns for packages with infinity loop ([#&#8203;9465](aquasecurity/trivy#9465)) ([78f0d4a](aquasecurity/trivy@78f0d4a))
- **vuln:** compare `nuget` package names in lower case ([#&#8203;9456](aquasecurity/trivy#9456)) ([1ff9ac7](aquasecurity/trivy@1ff9ac7))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS4xMTYuNiIsInVwZGF0ZWRJblZlciI6IjQxLjExNi42IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJpbWFnZSJdfQ==-->

Reviewed-on: https://gitea.alexlebens.dev/alexlebens/infrastructure/pulls/1622
Co-authored-by: Renovate Bot <[email protected]>
Co-committed-by: Renovate Bot <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@DmitriyLewen DmitriyLewen DmitriyLewen approved these changes

@simar7 simar7 Awaiting requested review from simar7

@knqyf263 knqyf263 Awaiting requested review from knqyf263 knqyf263 is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

bug(misconf): ENV with extra spaces in image history causes parse error

2 participants

@nikpivkin @DmitriyLewen