Unpinned Package Version

  • Query id: c05e2c20-0a2c-4686-b1f8-5f0a5612d4e8
  • Query name: Unpinned Package Version
  • Platform: Ansible
  • Severity: Low
  • Category: Supply-Chain
  • CWE: Ongoing
  • URL: Github

Description

Setting state to latest performs an update and installs additional packages possibly resulting in performance degradation or loss of service
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: Install Ansible
      ansible.builtin.yum:
        name: ansible
        state: latest

    - name: Install Ansible-lint
      ansible.builtin.pip:
        name: ansible-lint
        state: latest

    - name: Install some-package
      ansible.builtin.package:
        name: some-package
        state: latest

    - name: Install Ansible with update_only to false
      ansible.builtin.yum:
        name: sudo
        state: latest
        update_only: false

    - name: Install nmap
      community.general.zypper:
        name: nmap
        state: latest

    - name: Install package without using cache
      community.general.apk:
        name: foo
        state: latest
        no_cache: true

    - name: Install apache httpd
      ansible.builtin.apt:
        name: apache2
        state: latest

    - name: Update Gemfile in another directory
      community.general.bundler:
        state: latest
        chdir: ~/rails_project

    - name: Install a modularity appstream with defined profile
      ansible.builtin.dnf:
        name: "@postgresql/client"
        state: latest

    - name: Install rake
      community.general.gem:
        name: rake
        state: latest

    - name: Install formula foo with 'brew' from cask
      community.general.homebrew:
        name: homebrew/cask/foo
        state: latest

    - name: Install Green Balls plugin
      community.general.jenkins_plugin:
        name: greenballs
        state: latest
        url: http://host_jenkins:8080
        username: user_jenkins
        password: userpass_jenkins
      register: result

    - name: Install packages based on package.json
      community.general.npm:
        path: /app/location
        state: latest

    - name: Install nmap
      community.general.openbsd_pkg:
        name: nmap
        state: latest

    - name: Install ntpdate
      ansible.builtin.package:
        name: ntpdate
        state: latest

    - name: Install package bar from file
      community.general.pacman:
        name: ~/bar-1.0-1-any.pkg.tar.xz
        state: latest

    - name: Install finger daemon
      community.general.pkg5:
        name: service/network/finger
        state: latest

    - name: Install several packages
      community.general.pkgutil:
        name:
          - CSWsudo
          - CSWtop
        state: latest

    - name: Install package foo
      community.general.portage:
        package: foo
        state: latest

    - name: Make sure that it is the most updated package
      community.general.slackpkg:
        name: foo
        state: latest

    - name: Make sure spell foo is installed
      community.general.sorcery:
        spell: foo
        state: latest

    - name: Install package unzip
      community.general.swdepot:
        name: unzip
        state: latest
        depot: "repository:/path"

    - name: Install multiple packages
      win_chocolatey:
        name:
          - procexp
          - putty
          - windirstat
        state: latest

    - name: Install "imagemin" node.js package globally.
      community.general.yarn:
        name: imagemin
        global: true
        state: latest

    - name: Install a list of packages (suitable replacement for 2.11 loop deprecation warning)
      ansible.builtin.yum:
        name:
          - nginx
          - postgresql
          - postgresql-server
        state: latest

    - name: Install local rpm file
      community.general.zypper:
        name: /tmp/fancy-software.rpm
        state: latest

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: Install Ansible
      ansible.builtin.yum:
        name: ansible-2.12.7.0
        state: present

    - name: Install Ansible-lint
      ansible.builtin.pip:
        name: ansible-lint
        state: present
        version: 5.4.0

    - name: Update Ansible with update_only to true
      ansible.builtin.yum:
        name: sudo
        state: latest
        update_only: true

    - name: Install nmap
      community.general.zypper:
        name: nmap
        state: present

    - name: Install package without using cache
      community.general.apk:
        name: foo
        state: present
        no_cache: true

    - name: Install apache httpd
      ansible.builtin.apt:
        name: apache2
        state: present

    - name: Update Gemfile in another directory
      community.general.bundler:
        state: present
        chdir: ~/rails_project

    - name: Install a modularity appstream with defined profile
      ansible.builtin.dnf:
        name: "@postgresql/client"
        state: present

    - name: Install rake
      community.general.gem:
        name: rake
        state: present

    - name: Install formula foo with 'brew' from cask
      community.general.homebrew:
        name: homebrew/cask/foo
        state: present

    - name: Install Green Balls plugin
      community.general.jenkins_plugin:
        name: greenballs
        version: present
        state: present
        url: http://host_jenkins:8080
        username: user_jenkins
        password: userpass_jenkins
      register: result

    - name: Install packages based on package.json
      community.general.npm:
        path: /app/location
        state: present

    - name: Install nmap
      community.general.openbsd_pkg:
        name: nmap
        state: present

    - name: Install ntpdate
      ansible.builtin.package:
        name: ntpdate
        state: present

    - name: Install package bar from file
      community.general.pacman:
        name: ~/bar-1.0-1-any.pkg.tar.xz
        state: present

    - name: Install package bar from file
      community.general.pacman:
        name: ~/bar-1.0-1-any.pkg.tar.xz
        state: present

    - name: Install finger daemon
      community.general.pkg5:
        name: service/network/finger
        state: present

    - name: Install several packages
      community.general.pkgutil:
        name:
          - CSWsudo
          - CSWtop
        state: present

    - name: Install package foo
      community.general.portage:
        package: foo
        state: present

    - name: Make sure that it is the most updated package
      community.general.slackpkg:
        name: foo
        state: present

    - name: Make sure spell foo is installed
      community.general.sorcery:
        spell: foo
        state: present

    - name: Install package unzip
      community.general.swdepot:
        name: unzip
        state: present
        depot: "repository:/path"

    - name: Install multiple packages
      win_chocolatey:
        name:
          - procexp
          - putty
          - windirstat
        state: present

    - name: Install "imagemin" node.js package globally.
      community.general.yarn:
        name: imagemin
        global: true

    - name: Install a list of packages (suitable replacement for 2.11 loop deprecation warning)
      ansible.builtin.yum:
        name:
          - nginx
          - postgresql
          - postgresql-server
        state: present

    - name: Install local rpm file
      community.general.zypper:
        name: /tmp/fancy-software.rpm
        state: present