Zypper Install Without Version

  • Query id: 562952e4-0348-4dea-9826-44f3a2c6117b
  • Query name: Zypper Install Without Version
  • Platform: Dockerfile
  • Severity: Medium
  • Category: Supply-Chain
  • URL: Github

Description

Not specifying the package version can cause failures due to unanticipated changes in required packages.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - dockerfile file
FROM opensuse/leap:15.2
RUN zypper install -y httpd && zypper clean
RUN ["zypper", "install", "http"]
HEALTHCHECK CMD curl --fail http://localhost:3000 || exit 1

Code samples without security vulnerabilities

Negative test num. 1 - dockerfile file
FROM opensuse/leap:15.2
RUN zypper install -y httpd=2.4.46 && zypper clean
HEALTHCHECK CMD curl --fail http://localhost:3000 || exit 1
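The following is an added example, not part of the KICS query or its test files: a small Python scanner that applies this rule to a Dockerfile. It handles the shell and JSON exec forms of RUN, commands chained with `&&`, `||`, `;` or `|`, and backslash line continuations, and it assumes (as the negative sample suggests) that a package argument containing `=`, `<` or `>` carries a version constraint. Flags that take a separate value (for example `--repo NAME`) are not modelled and would be reported as packages.

```python
import json
import re
import shlex

SEPARATORS = {"&&", "||", ";", "|"}   # shell tokens that separate commands in one RUN
INSTALL_CMDS = {"install", "in"}      # zypper sub-commands that install packages
VERSION_RE = re.compile(r"[=<>]")      # assumption: httpd=2.4.46 or 'httpd>=2.4' is pinned


def _logical_lines(dockerfile: str):
    """Yield (first_line_number, text), joining backslash-continued lines."""
    buf, start = [], 0
    for n, raw in enumerate(dockerfile.splitlines(), start=1):
        start = start or n
        if raw.rstrip().endswith("\\"):
            buf.append(raw.rstrip()[:-1])
            continue
        yield start, " ".join(buf + [raw])
        buf, start = [], 0


def _run_tokens(body: str) -> list[str]:
    """Tokenize a RUN body: JSON exec form or shell form (quotes honoured)."""
    return json.loads(body) if body.startswith("[") else shlex.split(body)


def unpinned_zypper_packages(dockerfile: str) -> list[tuple[int, str]]:
    """Return (line_number, package) for every package passed to
    'zypper install' without an explicit version constraint."""
    findings = []
    for lineno, line in _logical_lines(dockerfile):
        line = line.strip()
        if line[:4].upper() != "RUN ":
            continue
        cmds, cur = [], []
        for tok in _run_tokens(line[4:].strip()):
            if tok in SEPARATORS:          # start a new command on && || ; |
                cmds.append(cur)
                cur = []
            else:
                cur.append(tok)
        cmds.append(cur)
        for cmd in cmds:
            if not cmd or cmd[0] != "zypper":
                continue
            # Drop flags (-y, --non-interactive, ...) to locate the sub-command.
            args = [t for t in cmd[1:] if not t.startswith("-")]
            if args and args[0] in INSTALL_CMDS:
                findings += [(lineno, p) for p in args[1:] if not VERSION_RE.search(p)]
    return findings
```

Run against the positive sample above it reports `httpd` on line 2 and `http` on line 3; the negative sample yields no findings.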