Yum install Without Version

• Query id: 6452c424-1d92-4deb-bb18-a03e95d579c4
• Query name: Yum install Without Version
• Platform: Dockerfile
• Severity: Medium
• Category: Supply-Chain
• URL: Github

Description

Not specifying the package version can cause failures due to unanticipated changes in required packages
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - dockerfile file

FROM opensuse/leap:15.2
RUN yum install -y httpd && yum clean all
RUN ["yum", "install", "httpd"]
HEALTHCHECK CMD curl --fail http://localhost:3000 || exit 1

Code samples without security vulnerabilities

Negative test num. 1 - dockerfile file

FROM opensuse/leap:15.2
RUN yum install -y httpd-2.24.2 && yum clean all
HEALTHCHECK CMD curl --fail http://localhost:3000 || exit 1


FROM opensuse/leap:15.3
ENV RETHINKDB_PACKAGE_VERSION 2.4.0~0trusty
RUN yum install -y rethinkdb-$RETHINKDB_PACKAGE_VERSION && yum clean all