RuleCopyIgnoredFile ignores negating matches

[mik-laj]

Contributing guidelines and issue reporting guide

• I've read the contributing guidelines and wholeheartedly agree. I've also read the issue reporting guide.

Well-formed report checklist

• I have found a bug that the documentation does not mention anything about my problem
• I have found a bug that there are no open or closed issues that are related to my problem
• I have provided version/information about my environment and done my best to provide a reproducer

Description of bug

Bug description

We can prepend lines with a ! (exclamation mark) to make exceptions to exclusions in .dockerignore (ref), but the RuleCopyIgnoredFile rule doesn't respect this and throws a warning, which is invalid. The image is still built correctly and contains all necessary files, so no warning should be thrown.

Reproduction

I created a new project as below:
File: ./Dockerfile

# syntax=docker/dockerfile:1.14.0
# check=experimental=all

FROM python:3.11-slim-bullseye

RUN mkdir -p /app/
COPY ./manage.py /app/

File .dockerignore:

# Ignore everything...
**
# ...except stated below:
!manage.py

File ./manage.py:

print("Hello world!")

And now image linter checks fails:

$ docker buildx build . --check
[+] Building 1.2s (5/5) FINISHED                                                                                                                                                     docker:desktop-linux
 => [internal] load build definition from Dockerfile                                                                                                                                                 0.0s
 => => transferring dockerfile: 203B                                                                                                                                                                 0.0s
 => resolve image config for docker-image://docker.io/docker/dockerfile:1.14.0                                                                                                                       0.6s
 => CACHED docker-image://docker.io/docker/dockerfile:1.14.0@sha256:4c68376a702446fc3c79af22de146a148bc3367e73c25a5803d453b6b3f722fb                                                                 0.0s
 => => resolve docker.io/docker/dockerfile:1.14.0@sha256:4c68376a702446fc3c79af22de146a148bc3367e73c25a5803d453b6b3f722fb                                                                            0.0s
 => [internal] load metadata for docker.io/library/python:3.11-slim-bullseye                                                                                                                         0.4s
 => [internal] load .dockerignore                                                                                                                                                                    0.0s
 => => transferring context: 104B                                                                                                                                                                    0.0s
Check complete, 1 warning has been found!

WARNING: CopyIgnoredFile - https://docs.docker.com/go/dockerfile/rule/copy-ignored-file/
Attempting to Copy file "./manage.py" that is excluded by .dockerignore
Dockerfile:7
--------------------
   5 |     FROM python:${PYTHON_VERSION}-slim-bullseye
   6 |
   7 | >>> COPY ./manage.py /app
--------------------

./manage.py file is excluded by ** pattern but later it is added again to the context by the !manage.py line.

The Docker image contains all the necessary files and is a valid image:

docker run test-copy-ignore-file bash -c "cat /app/manage.py"
print("Hello world!")%

Version information

 docker info
Client:
 Version:    28.0.1
 Context:    desktop-linux
 Debug Mode: false
 Plugins:
  ai: Docker AI Agent - Ask Gordon (Docker Inc.)
    Version:  v0.9.4
    Path:     /usr/local/lib/docker/cli-plugins/docker-ai
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.21.1-desktop.2
    Path:     /usr/local/lib/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.33.1-desktop.1
    Path:     /usr/local/lib/docker/cli-plugins/docker-compose
  debug: Get a shell into any image or container (Docker Inc.)
    Version:  0.0.38
    Path:     /usr/local/lib/docker/cli-plugins/docker-debug
  desktop: Docker Desktop commands (Beta) (Docker Inc.)
    Version:  v0.1.5
    Path:     /usr/local/lib/docker/cli-plugins/docker-desktop
  dev: Docker Dev Environments (Docker Inc.)
    Version:  v0.1.2
    Path:     /usr/local/lib/docker/cli-plugins/docker-dev
  extension: Manages Docker extensions (Docker Inc.)
    Version:  v0.2.27
    Path:     /usr/local/lib/docker/cli-plugins/docker-extension
  feedback: Provide feedback, right in your terminal! (Docker Inc.)
    Version:  v1.0.5
    Path:     /usr/local/lib/docker/cli-plugins/docker-feedback
  init: Creates Docker-related starter files for your project (Docker Inc.)
    Version:  v1.4.0
    Path:     /usr/local/lib/docker/cli-plugins/docker-init
  sbom: View the packaged-based Software Bill Of Materials (SBOM) for an image (Anchore Inc.)
    Version:  0.6.0
    Path:     /usr/local/lib/docker/cli-plugins/docker-sbom
  scout: Docker Scout (Docker Inc.)
    Version:  v1.16.3
    Path:     /usr/local/lib/docker/cli-plugins/docker-scout
....

[jammutkarsh]

Hey @tonistiigi, is this something which I pick up and solve?
From a brief search, I think PatternMatcher.MatchesOrParentMatchesneeds to be debugged. Correct?

[tonistiigi]

@jammutkarsh Sure. I'm not sure if that library is the problem as it is used elsewhere as well https://github.com/moby/buildkit/pull/5135/files#diff-905097ba6a4e36b3afbb1204e52315791dc0915f2a845c768bc84c6af5db1e1fR1909 is where it was added. Maybe the OrParent is the problem?