Apt Get Install Pin Version Not Defined

  • Query id: 965a08d7-ef86-4f14-8792-4a3b2098937e
  • Query name: Apt Get Install Pin Version Not Defined
  • Platform: Dockerfile
  • Severity: Medium
  • Category: Supply-Chain
  • CWE: 1357
  • URL: Github

Description

When installing a package with apt-get, its pin version should be defined (for example python=2.7 rather than python).
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - dockerfile file
FROM busybox
RUN apt-get install python
RUN ["apt-get", "install", "python"]

FROM busybox2
RUN apt-get install -y -t python

FROM busybox3
RUN apt-get update && apt-get install -y \
    python-qt4 \
    python-pyside \
    python-pip \
    python3-pip \
    python3-pyqt5

Positive test num. 2 - dockerfile file
FROM busybox4
RUN apt-get install python
RUN ["apt-get", "install", "python"]

FROM busybox5
RUN apt-get install -y -t python

FROM busybox6
RUN apt-get update ; \
    apt-get install -y \
    python-qt4 \
    python-pyside \
    python-pip \
    python3-pip \
    python3-pyqt5

Code samples without security vulnerabilities

Negative test num. 1 - dockerfile file
FROM busybox
RUN apt-get install python=2.7

Negative test num. 2 - dockerfile file
FROM busyboxneg2
RUN apt-get install python=2.7

FROM busyboxneg3
RUN apt-get install -y -t python=2.7

FROM busyboxneg4
RUN apt-get update; \
    apt-get install -y \
    python-qt4=4.11 \
    python-pyside=6.0.1 \
    python-pip=1.0.2 \
    python3-pip=1.0 \
    python3-pyqt5=5

Negative test num. 3 - dockerfile file
FROM busybox
RUN apt-get install python=2.7 ; echo "A" && echo "B"
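To show how the rule described above can be checked mechanically, here is an added Python example (not part of KICS or of this page) that scans RUN instructions, handling backslash continuations, the exec (JSON) form and shell operators as seen in the samples, and reports every apt-get install argument that lacks an =version suffix. The Dockerfile text it scans is constructed for the example and mirrors the positive and negative samples.

```python
import json
import re
import shlex

# Dockerfile text constructed for this example (mirrors the page's samples)
SAMPLE_DOCKERFILE = """\
FROM busybox
RUN apt-get install python
RUN ["apt-get", "install", "python=2.7"]
RUN apt-get update && apt-get install -y \\
    python-qt4=4.11 \\
    python-pip
RUN apt-get install python3=3.9 ; echo "A" && echo "B"
"""

SHELL_OPERATORS = re.compile(r"\s*(?:&&|\|\||;|\|)\s*")


def run_instructions(dockerfile):
    """Yield (line_no, argument) for every RUN, joining backslash continuations."""
    lines = dockerfile.splitlines()
    i = 0
    while i < len(lines):
        start, text = i + 1, lines[i]
        while text.rstrip().endswith("\\") and i + 1 < len(lines):
            i += 1
            text = text.rstrip()[:-1] + " " + lines[i].strip()
        i += 1
        if text.strip().upper().startswith("RUN "):
            yield start, text.strip()[4:].strip()


def commands(run_arg):
    """Split a RUN argument into argv lists: exec (JSON) form is one command;
    shell form is split on &&, ||, ; and | before shell-style tokenisation."""
    if run_arg.startswith("["):
        return [json.loads(run_arg)]
    return [shlex.split(part) for part in SHELL_OPERATORS.split(run_arg) if part]


def unpinned_packages(dockerfile):
    """Return [(line_no, package)] for apt-get install arguments lacking '=version'."""
    findings = []
    for line_no, arg in run_instructions(dockerfile):
        for argv in commands(arg):
            if len(argv) < 2 or argv[0] != "apt-get" or "install" not in argv:
                continue
            for word in argv[argv.index("install") + 1:]:
                # options such as -y or -t are skipped; bare package names are findings
                if not word.startswith("-") and "=" not in word:
                    findings.append((line_no, word))
    return findings
```

Running unpinned_packages(SAMPLE_DOCKERFILE) reports the bare python on line 2 and python-pip on line 4, while the pinned packages and the non-apt-get commands are ignored.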