Unpinned Package Version in Pip Install
- Query id: 02d9c71f-3ee8-4986-9c27-1a20d0d19bfc
- Query name: Unpinned Package Version in Pip Install
- Platform: Dockerfile
- Severity: Medium
- Category: Supply-Chain
- CWE: 1357
- URL: Github
Description¶
Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - dockerfile file
FROM alpine:3.9
RUN apk add --update py-pip=7.1.2-r0
RUN pip install --user pip
RUN ["pip", "install", "connexion"]
COPY requirements.txt /usr/src/app/
RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
COPY app.py /usr/src/app/
COPY templates/index.html /usr/src/app/templates/
EXPOSE 5000
ENV TEST="test"
CMD ["python", "/usr/src/app/app.py"]
FROM alpine:3.7
RUN apk add --update py-pip=7.1.2-r0
RUN pip install connexion
COPY requirements.txt /usr/src/app/
RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
RUN pip3 install requests
COPY app.py /usr/src/app/
COPY templates/index.html /usr/src/app/templates/
EXPOSE 5000
CMD ["python"]
Code samples without security vulnerabilities¶
Negative test num. 1 - dockerfile file
FROM alpine:3.4
RUN apk add --update py-pip=7.1.2-r0
RUN sudo pip install --upgrade pip=20.3 connexion=2.7.0
COPY requirements.txt /usr/src/app/
RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
COPY app.py /usr/src/app/
COPY templates/index.html /usr/src/app/templates/
EXPOSE 5000
CMD ["python", "/usr/src/app/app.py"]
FROM alpine:3.1
RUN apk add py-pip=7.1.2-r0
RUN sudo pip install --upgrade pip=20.3 connexion=2.7.0
COPY requirements.txt /usr/src/app/
RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
RUN pip3 install requests=2.7.0
COPY app.py /usr/src/app/
COPY templates/index.html /usr/src/app/templates/
EXPOSE 5000
CMD ["python", "/usr/src/app/app.py"]
Negative test num. 2 - dockerfile file
FROM alpine:3.4
RUN apk add --update py-pip=7.1.2-r0
RUN pip3 install -r pip_requirements.txt
COPY requirements.txt /usr/src/app/
RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
COPY app.py /usr/src/app/
COPY templates/index.html /usr/src/app/templates/
EXPOSE 5000
CMD ["python", "/usr/src/app/app.py"]
Negative test num. 3 - dockerfile file
FROM alpine:3.4
RUN apk add --update py-pip=7.1.2-r0
RUN pip3 install -c constraints.txt
COPY requirements.txt /usr/src/app/
RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
COPY app.py /usr/src/app/
COPY templates/index.html /usr/src/app/templates/
EXPOSE 5000
CMD ["python", "/usr/src/app/app.py"]