Unpinned Package Version in Apk Add

  • Query id: d3499f6d-1651-41bb-a9a7-de925fea487b
  • Query name: Unpinned Package Version in Apk Add
  • Platform: Dockerfile
  • Severity: Medium
  • Category: Supply-Chain
  • URL: Github

Description

Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - dockerfile file
FROM alpine:3.9
RUN apk add --update py-pip
RUN sudo pip install --upgrade pip
COPY requirements.txt /usr/src/app/
RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
COPY app.py /usr/src/app/
COPY templates/index.html /usr/src/app/templates/
EXPOSE 5000
ENV TEST="test"
CMD ["python", "/usr/src/app/app.py"]

FROM alpine:3.7
RUN apk add py-pip && apk add tea
RUN apk add py-pip \
    && rm -rf /tmp/*
RUN apk add --dir /dir libimagequant \
    && minidlna
RUN ["apk", "add", "py-pip"]
RUN sudo pip install --upgrade pip
COPY requirements.txt /usr/src/app/
RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
COPY app.py /usr/src/app/
COPY templates/index.html /usr/src/app/templates/
EXPOSE 5000
CMD ["python"]

Code samples without security vulnerabilities

Negative test num. 1 - dockerfile file
FROM alpine:3.4
RUN apk add --update py-pip=7.1.2-r0
RUN sudo pip install --upgrade pip
COPY requirements.txt /usr/src/app/
RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
COPY app.py /usr/src/app/
COPY templates/index.html /usr/src/app/templates/
EXPOSE 5000
CMD ["python", "/usr/src/app/app.py"]

FROM alpine:3.1
RUN apk add py-pip=7.1.2-r0
RUN ["apk", "add", "py-pip=7.1.2-r0"]
RUN sudo pip install --upgrade pip
COPY requirements.txt /usr/src/app/
RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
COPY app.py /usr/src/app/
COPY templates/index.html /usr/src/app/templates/
EXPOSE 5000
CMD ["python", "/usr/src/app/app.py"]