基于规则验证的Dockerfile临时文件静态检测方法  

作　　者：苏珲 张建辉[1,2] 曾俊杰 楚小茜 SU Hui;ZHANG Jianhui;ZENG Junjie;CHU Xiaoxi(School of Cyber Science and Engineering,Zhengzhou University,Zhengzhou 450000,Henan,China;Songshan Laboratory,Zhengzhou 450000,Henan,China)

机构地区：[1]郑州大学网络空间安全学院,河南郑州450000 [2]嵩山实验室,河南郑州450000

出　　处：《计算机工程》2025年第3期189-196,共8页Computer Engineering

基　　金：国家重点研发计划(2022YFB2901403);河南省重大科技专项(221100210900-01)。

摘　　要：Dockerfile中存在的临时文件问题使Docker镜像打包了超过其功能所需的不必要的文件资源,导致镜像尺寸增大,影响了镜像传输和部署的效率。现有的动态分析法在运行时会产生大量日志,造成较大的系统开销,而静态分析法无法检测出临时文件的多种变化形式,限制了其在日常检测中的有效应用。提出一种Dockerfile临时文件静态检测方法,通过规则验证收集21种临时文件形式,使用节点关联算法改进抽象语法树(AST)结构,提高检测效率,并在节点关联的AST(NA-AST)结构基础上使用着色机制对节点进行处理,保证检测完整性。实验结果表明,相较于现有方法,所提方法能够以较小的时间开销检测出文件中存在的各种临时文件形式。此外,提供一种对临时文件形式分类的依据,其可用于对后续临时文件新增形式的分析和检测,具有较高的普适性。The temporary file issue in the Dockerfile causes the Docker image to pack unnecessary file resources beyond its functional requirements,resulting in an increase in image size and affecting the efficiency of image transmission and deployment.Existing dynamic analysis methods generate many logs during runtime,resulting in significant system overhead.However,static analysis methods cannot detect various changes in temporary files,which limits their effective application for daily detection.A static detection method for Dockerfile temporary files is proposed,which collects 21 temporary file forms through rule validation using a node association algorithm to improve the Abstract Syntax Tree(AST)structure and enhance detection efficiency.Based on Node Association-AST(NA-AST),a coloring mechanism is used to process nodes,ensuring detection integrity.The experimental results show that compared to existing schemes,the proposed method can detect various temporary file forms in files with less time overhead.In addition,a basis for classifying the forms of temporary files is provided,which can be used for analyzing and detecting new forms of subsequent temporary files and has higher universality.

关 键 词：Docker技术 容器 Dockerfile临时文件 抽象语法树 镜像 

分 类 号：TP18[自动化与计算机技术—控制理论与控制工程]