Pip install Keeping Cached Packages
- Query id: f2f903fb-b977-461e-98d7-b3e2185c6118
- Query name: Pip install Keeping Cached Packages
- Platform: Dockerfile
- Severity: Medium
- Category: Supply-Chain
- URL: Github
Description
When installing packages with pip in a Dockerfile, set the '--no-cache-dir' flag so pip does not keep the downloaded packages in a cache directory that ends up in the image layer; this keeps Docker images smaller.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - dockerfile file
```dockerfile
FROM python:3
# Every pip invocation below omits --no-cache-dir, so the packages pip
# downloads stay in its cache inside the image layer.
RUN pip install --upgrade pip && \
    pip install nibabel pydicom matplotlib pillow && \
    pip install med2image
CMD ["cat", "/etc/os-release"]
FROM python:3.1
RUN pip install --upgrade pip
RUN python -m pip install nibabel pydicom matplotlib pillow
# Shell form and exec form are both affected.
RUN pip3 install requests==2.7.0
RUN ["pip3", "install", "requests==2.7.0"]
CMD ["cat", "/etc/os-release"]
```
Code samples without security vulnerabilities
Negative test num. 1 - dockerfile file
```dockerfile
FROM python:3
# --no-cache-dir is passed to every pip invocation, including the
# chained shell-form calls and the exec-form call.
RUN pip install --no-cache-dir --upgrade pip && \
    pip install --no-cache-dir nibabel pydicom matplotlib pillow && \
    pip install --no-cache-dir med2image
RUN pip3 install --no-cache-dir requests==2.7.0
RUN ["pip3", "install", "requests==2.7.0", "--no-cache-dir"]
CMD ["cat", "/etc/os-release"]
```
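As an added example, not part of this page or of the KICS query itself, here is a Python check that applies the rule to a Dockerfile: it walks the RUN instructions (joining backslash continuations), splits shell-form chains and exec-form JSON arrays into individual commands, and reports each pip install that lacks --no-cache-dir. The two sample Dockerfiles are constructed for the example.

```python
import json
import re
import shlex

# Constructed sample, not one of the page's fixtures: two of the three
# chained installs and the exec-form one keep the cache.
SAMPLE_BAD = """FROM python:3
RUN pip install --upgrade pip && \\
    pip install --no-cache-dir nibabel pydicom && \\
    pip install med2image
RUN ["pip3", "install", "requests==2.7.0"]
CMD ["cat", "/etc/os-release"]
"""
SAMPLE_FIXED = """FROM python:3
RUN pip install --no-cache-dir --upgrade pip && \\
    pip install --no-cache-dir med2image
RUN ["pip3", "install", "requests==2.7.0", "--no-cache-dir"]
"""
PIP_PREFIXES = (("pip",), ("pip3",), ("python", "-m", "pip"), ("python3", "-m", "pip"))

def run_instructions(dockerfile):
    """Yield (line_no, args) per RUN instruction, joining backslash continuations."""
    lines, i = dockerfile.splitlines(), 0
    while i < len(lines):
        start, buf = i + 1, lines[i].rstrip()
        while buf.endswith("\\") and i + 1 < len(lines):
            i += 1
            buf = buf[:-1] + " " + lines[i].strip()
        i += 1
        m = re.match(r"^\s*RUN\s+(.*)$", buf, re.IGNORECASE)
        if m:
            yield start, m.group(1).strip()

def commands_of(run_args):
    """Split RUN arguments into argv lists: exec form is one JSON array,
    shell form may chain several commands with &&, || or ;."""
    if run_args.startswith("["):
        return [json.loads(run_args)]
    return [shlex.split(p) for p in re.split(r"&&|\|\||;", run_args) if p.strip()]

def is_pip_install(argv):
    return any(tuple(argv[:len(p)]) == p and "install" in argv[len(p):] for p in PIP_PREFIXES)

def find_cached_pip_installs(dockerfile):
    """Return (line_no, command) for each pip install that lacks --no-cache-dir."""
    return [(n, " ".join(argv)) for n, args in run_instructions(dockerfile)
            for argv in commands_of(args)
            if is_pip_install(argv) and "--no-cache-dir" not in argv]
```

Like the samples above, this check keys on the flag only; the PIP_NO_CACHE_DIR environment variable is another way to disable pip's cache that it does not account for.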