jf rt docker-push and jf rt podman-push create circular dependency chains #1345

Open
hazeltonl opened this issue Feb 6, 2025 · 1 comment
Labels
bug Something isn't working

Comments

@hazeltonl

Describe the bug

Using JF CLI to push a container image that defines the ENTRYPOINT or MAINTAINERS in the last layer assumes that every layer of the image is a dependency of the JFrog Build.

  • ENTRYPOINT or MAINTAINERS in last layer of Dockerfile: All layers of built image are dependencies, no layers from base image are dependencies.
  • ENTRYPOINT or MAINTAINERS in first layer of Dockerfile: All layers of base image are dependencies, no layers of built image are dependencies.
  • ENTRYPOINT and MAINTAINERS not defined in Dockerfile: No layers are tracked as dependencies unless base image has MAINTAINERS or ENTRYPOINT defined.

Current behavior

3 CASES

ENTRYPOINT or MAINTAINERS First

With this Dockerfile:

FROM base_image
ENTRYPOINT entrypoint.sh
RUN this
RUN that

The JFrog Build in Artifactory will list

  • all the layers of the image built with the layers of the base image as artifacts
  • all the layers of the base image without the layers of the image built as dependencies

This feels correct. This is what should happen all the time.

ENTRYPOINT or MAINTAINERS Last

With this Dockerfile:

FROM base_image
RUN this
RUN that
ENTRYPOINT entrypoint.sh

The JFrog Build in Artifactory will list

  • all the layers of the image built with the layers of the base image as artifacts
  • all the layers of the image built without the layers of the base image as dependencies

That results in the layers of the image built (the JFrog Build's artifacts) being dependencies of themselves.

No ENTRYPOINT or MAINTAINERS defined

With this Dockerfile:

FROM base_image
RUN this
RUN that

The JFrog Build in Artifactory will list

  • all the layers of the image built with the layers of the base image as artifacts
  • no dependencies (unless the base image has ENTRYPOINT or MAINTAINERS defined)

That results in lack of dependency tracking.

Reproduction steps

With the following commands:

docker build -t jf.server.name/artifactory-repo/example/image:example_tag --no-cache .
jf rt docker-push jf.server.name/artifactory-repo/example/image:example_tag artifactory-repo --build-name example_build_name --build-number 1 --url https://jf.server.name/artifactory --access-token ACCESS_TOKEN
jf rt bp --url https://jf.server.name/artifactory --access-token ACCESS_TOKEN example_build_name 1

Compare the layers listed as artifacts versus the layers listed as dependencies in the JFrog Build for each of 3 Dockerfiles (ENTRYPOINT last, ENTRYPOINT first, no ENTRYPOINT).

Expected behavior

JF CLI should accurately track layers of the base image as dependencies of the JFrog Build regardless of where/if ENTRYPOINT or MAINTAINERS is defined.

JFrog CLI-Core version

v2.57.7

JFrog CLI version (if applicable)

jf version 2.73.2

Operating system type and version

Fedora-flavored Linux (RHEL and AlmaLinux) version 9, and Windows Server 2019

JFrog Artifactory version

7.98.14

JFrog Xray version

No response

@hazeltonl hazeltonl added the bug Something isn't working label Feb 6, 2025
@hazeltonl
Author

This seems to be due to https://github.com/jfrog/jfrog-cli-core/blob/master/artifactory/utils/container/buildinfo.go#L273, where it is arbitrarily looking for layers created by "MAINTAINERS" or "ENTRYPOINT".
@Or-Geva Is this an assumption that a base image would always have one of those two things defined, therefore ensuring that the base image's layers are the only layers identified as dependencies?
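
The artifact-versus-dependency comparison from the reproduction steps can be automated. The Go sketch below is an added example, not part of the thread and not jfrog-cli code. It assumes the published build-info JSON lists `modules[].artifacts[]` and `modules[].dependencies[]` with a `sha256` field on each entry, and that the caller supplies the base image's layer checksums; `ClassifyDeps` and the sample values are hypothetical.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Assumed subset of build-info JSON; every entry carries a sha256 checksum.
type entry struct{ Sha256 string `json:"sha256"` }
type module struct {
	ID           string  `json:"id"`
	Artifacts    []entry `json:"artifacts"`
	Dependencies []entry `json:"dependencies"`
}

// ClassifyDeps returns a verdict per module ID. baseLayers holds the base
// image's layer checksums, obtained independently of the build-info.
func ClassifyDeps(raw []byte, baseLayers []string) (map[string]string, error) {
	var bi struct{ Modules []module `json:"modules"` }
	if err := json.Unmarshal(raw, &bi); err != nil {
		return nil, err
	}
	base, out := map[string]bool{}, map[string]string{}
	for _, l := range baseLayers {
		base[l] = true
	}
	for _, m := range bi.Modules {
		produced, verdict := map[string]bool{}, "ok"
		for _, a := range m.Artifacts {
			produced[a.Sha256] = true
		}
		for _, d := range m.Dependencies {
			if !base[d.Sha256] && produced[d.Sha256] {
				verdict = "self-dependency" // a layer built here is its own dependency
			}
		}
		if len(m.Dependencies) == 0 {
			verdict = "no-dependencies"
		}
		out[m.ID] = verdict
	}
	return out, nil
}

// Constructed sample (ENTRYPOINT-last case): base layer "b1", built layers "n1", "n2".
const sample = `{"modules":[{"id":"example","artifacts":[{"sha256":"b1"},{"sha256":"n1"},{"sha256":"n2"}],"dependencies":[{"sha256":"n1"},{"sha256":"n2"}]}]}`

func main() {
	fmt.Println(ClassifyDeps([]byte(sample), []string{"b1"}))
}
```

A verdict of "ok" only means neither symptom from this issue was seen; it does not confirm that every base layer is listed as a dependency.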
