Apt Get Install Pin Version Not Defined

Query id: 965a08d7-ef86-4f14-8792-4a3b2098937e
Query name: Apt Get Install Pin Version Not Defined
Platform: Dockerfile
Severity: Medium
Category: Supply-Chain
CWE: 1357
URL: Github

Description¶

When installing a package, its pin version should be defined
Documentation

Code samples¶

Code samples with security vulnerabilities¶

Positive test num. 1 - dockerfile file

FROM busybox
RUN apt-get install python
RUN ["apt-get", "install", "python"]

FROM busybox2
RUN apt-get install -y -t python

FROM busybox3
RUN apt-get update && apt-get install -y \
    python-qt4 \
    python-pyside \
    python-pip \
    python3-pip \
    python3-pyqt5

Positive test num. 2 - dockerfile file

FROM busybox4
RUN apt-get install python
RUN ["apt-get", "install", "python"]

FROM busybox5
RUN apt-get install -y -t python

FROM busybox6
RUN apt-get update ; \
    apt-get install -y \
    python-qt4 \
    python-pyside \
    python-pip \
    python3-pip \
    python3-pyqt5

Code samples without security vulnerabilities¶

Negative test num. 1 - dockerfile file

FROM busybox
RUN apt-get install python=2.7

Negative test num. 2 - dockerfile file

FROM busyboxneg2
RUN apt-get install python=2.7

FROM busyboxneg3
RUN apt-get install -y -t python=2.7

FROM busyboxneg4
RUN apt-get update; \
    apt-get install -y \
    python-qt4=4.11 \
    python-pyside=6.0.1 \
    python-pip=1.0.2 \
    python3-pip=1.0 \
    python3-pyqt5=5

Negative test num. 3 - dockerfile file

FROM busybox
RUN apt-get install python=2.7 ; echo "A" && echo "B"