Curl or Wget Instead of Add

  • Query id: 4b410d24-1cbe-4430-a632-62c9a931cf1c
  • Query name: Curl or Wget Instead of Add
  • Platform: Dockerfile
  • Severity: Low
  • Category: Best Practices
  • CWE: 610
  • URL: Github

Description

Use curl or wget, rather than ADD, to fetch packages from remote URLs: Docker's Dockerfile best-practice guidance strongly discourages using ADD with remote URLs, since the fetched file cannot be verified or removed in the same layer and ADD performs implicit extraction and URL handling that is easy to misuse.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - dockerfile file
FROM openjdk:10-jdk
VOLUME /tmp
# ADD with a remote URL is what this query flags
ADD https://example.com/big.tar.xz /usr/src/things/
RUN tar -xJf /usr/src/things/big.tar.xz -C /usr/src/things
RUN make -C /usr/src/things all

Code samples without security vulnerabilities

Negative test num. 1 - dockerfile file
FROM openjdk:10-jdk
# fetch with curl and extract in the same layer instead of using ADD
RUN mkdir -p /usr/src/things \
    && curl -SL https://example.com/big.tar.xz \
    | tar -xJC /usr/src/things \
    && make -C /usr/src/things all
Negative test num. 2 - dockerfile file
FROM openjdk:10-jdk
# ADD with a local path is not a remote fetch, so it is not flagged
ADD ./drop-http-proxy-header.conf /etc/apache2/conf-available
RUN mkdir -p /usr/src/things \
    && curl -SL https://example.com/big.tar.xz \
    | tar -xJC /usr/src/things \
    && make -C /usr/src/things all
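The following is an added example (not part of the KICS query or its test fixtures) showing how the rule above can be checked over a Dockerfile: it joins backslash-continued lines, reads ADD instructions in both shell and JSON exec form, and reports any ADD whose source operand is a remote URL, while leaving local-path ADD and curl/wget inside RUN alone. The two embedded Dockerfiles are constructed to mirror the positive and negative tests on this page; the function names are this example's own.

```python
import json
import re
from typing import List, Tuple

# Constructed sample inputs mirroring the page's positive test and second negative test.
POSITIVE_DOCKERFILE = """FROM openjdk:10-jdk
VOLUME /tmp
ADD https://example.com/big.tar.xz /usr/src/things/
RUN tar -xJf /usr/src/things/big.tar.xz -C /usr/src/things
RUN make -C /usr/src/things all
"""

NEGATIVE_DOCKERFILE = """FROM openjdk:10-jdk
ADD ./drop-http-proxy-header.conf /etc/apache2/conf-available
RUN mkdir -p /usr/src/things \\
    && curl -SL https://example.com/big.tar.xz \\
    | tar -xJC /usr/src/things \\
    && make -C /usr/src/things all
"""

# Schemes Docker treats as a remote fetch when given to ADD.
REMOTE_URL = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)


def logical_lines(text: str) -> List[Tuple[int, str]]:
    """Return (starting line number, instruction) pairs with backslash continuations joined.

    Blank lines and '#' comment lines outside a continuation are skipped.
    """
    out: List[Tuple[int, str]] = []
    buf: List[str] = []
    start = 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not buf:
            if not line.strip() or line.lstrip().startswith("#"):
                continue
            start = no
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        out.append((start, " ".join(part.strip() for part in buf)))
        buf = []
    if buf:  # file ended inside a continuation
        out.append((start, " ".join(part.strip() for part in buf)))
    return out


def add_sources(args: str) -> List[str]:
    """Return the source operands of an ADD instruction.

    Handles the shell form (ADD src... dest) and the JSON exec form
    (ADD ["src", "dest"]); options such as --chown are dropped, and the
    final operand is the destination, so it is excluded.
    """
    args = args.strip()
    if args.startswith("["):
        try:
            parts = json.loads(args)
        except ValueError:
            parts = []
    else:
        parts = args.split()
    parts = [p for p in parts if not str(p).startswith("--")]
    return [str(p) for p in parts[:-1]]


def find_remote_add(text: str) -> List[Tuple[int, str]]:
    """Report (line number, url) for every ADD whose source is a remote URL."""
    findings: List[Tuple[int, str]] = []
    for no, inst in logical_lines(text):
        fields = inst.split(None, 1)
        if not fields or fields[0].upper() != "ADD":
            continue
        rest = fields[1] if len(fields) > 1 else ""
        for src in add_sources(rest):
            if REMOTE_URL.match(src):
                findings.append((no, src))
    return findings


if __name__ == "__main__":
    for name, content in (("positive", POSITIVE_DOCKERFILE), ("negative", NEGATIVE_DOCKERFILE)):
        for line_no, url in find_remote_add(content):
            print(f"{name}: line {line_no}: ADD fetches remote URL {url}; use curl or wget in a RUN step")
```

To scan a real file, pass `open("Dockerfile").read()` to `find_remote_add`. One caveat on the remediation shown in the negative tests: `curl -SL` without `-f` (`--fail`) will pipe the body of an HTTP error response into `tar`, so in practice the `RUN` step should use `curl -fSL` so a failed download fails the build rather than silently producing a broken layer.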