Update Instruction Alone

  • Query id: 9bae49be-0aa3-4de5-bab2-4c3a069e40cd
  • Query name: Update Instruction Alone
  • Platform: Dockerfile
  • Severity: Low
  • Category: Build Process
  • CWE: 710
  • URL: Github

Description

An index refresh such as 'RUN apt-get update' should always be followed by the matching 'install' in the same RUN statement. When the two are split across separate RUN instructions, Docker's layer cache can reuse the old update layer on later builds, so the install step resolves packages against a stale index.

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - dockerfile file
FROM alpine:latest
RUN apk update
RUN apk add nginx

CMD ["nginx", "-g", "daemon off;"]
Positive test num. 2 - dockerfile file
FROM opensuse:latest
RUN zypper refresh
RUN zypper install nginx

CMD ["nginx", "-g", "daemon off;"]
Positive test num. 3 - dockerfile file
FROM debian:latest
RUN apt update
RUN apt install nginx

CMD ["nginx", "-g", "daemon off;"]

Positive test num. 4 - dockerfile file
FROM centos:latest
RUN yum update
RUN yum install nginx

CMD ["nginx", "-g", "daemon off;"]
Positive test num. 5 - dockerfile file
FROM fedora:latest
RUN dnf update
RUN dnf install nginx

CMD ["nginx", "-g", "daemon off;"]
Positive test num. 6 - dockerfile file
FROM archlinux:latest
RUN pacman -Syu
RUN pacman -S nginx

CMD ["nginx", "-g", "daemon off;"]
Positive test num. 7 - dockerfile file
FROM ubuntu:18.04
RUN apt-get update
RUN apt-get install -y --no-install-recommends mysql-client \
    && rm -rf /var/lib/apt/lists/*
RUN apk update
ENTRYPOINT ["mysql"]

Code samples without security vulnerabilities

Negative test num. 1 - dockerfile file
FROM ubuntu:18.04
RUN apt-get update \
    && apt-get install -y --no-install-recommends mysql-client \
    && rm -rf /var/lib/apt/lists/*
RUN apk update \
    && apk add --no-cache git ca-certificates
RUN apk --update add easy-rsa
ENTRYPOINT ["mysql"]
Negative test num. 2 - dockerfile file
FROM alpine:latest
RUN apk update && apk add nginx
RUN apk --update-cache add vim
RUN apk -U add nano

CMD ["nginx", "-g", "daemon off;"]
Negative test num. 3 - dockerfile file
FROM alpine:latest
RUN apk --update add nginx
RUN apk add --update nginx

CMD ["nginx", "-g", "daemon off;"]

Negative test num. 4 - dockerfile file
FROM ubuntu:18.04
RUN apt-get update && apt-get install -y netcat && \
    apt-get update && apt-get install -y supervisor
ENTRYPOINT ["mysql"]
Negative test num. 5 - dockerfile file
FROM ubuntu:16.04

RUN apt-get update \
    && apt-get install -y --no-install-recommends zend-server-php-5.6=8.5.17+b19 \
    && rm -rf /var/lib/apt/lists/*

RUN /usr/local/zend/bin/php -r "readfile('https://getcomposer.org/installer');" | /usr/local/zend/bin/php \
    && /usr/local/zend/bin/php composer.phar self-update && /usr/local/zend/bin/php composer.phar update
Negative test num. 6 - dockerfile file
FROM archlinux:latest
RUN pacman -Syu && pacman -S nginx

CMD ["nginx", "-g", "daemon off;"]
Negative test num. 7 - dockerfile file
FROM ubuntu:18.04
RUN apt-get update && apt-get install -y --no-install-recommends mysql-client \
    && rm -rf /var/lib/apt/lists/*
RUN apk update
ENTRYPOINT ["mysql"]
Negative test num. 8 - dockerfile file
FROM opensuse:latest
RUN zypper refresh && zypper install nginx

CMD ["nginx", "-g", "daemon off;"]
Negative test num. 9 - dockerfile file
FROM debian:latest
RUN apt update && apt install nginx

CMD ["nginx", "-g", "daemon off;"]
Negative test num. 10 - dockerfile file
FROM centos:latest
RUN yum update && yum install nginx

CMD ["nginx", "-g", "daemon off;"]
Negative test num. 11 - dockerfile file
FROM fedora:latest
RUN dnf update && dnf install nginx

CMD ["nginx", "-g", "daemon off;"]
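As an added example (not the query's own Rego implementation), the following Python reproduces the check over Dockerfile text: it joins line continuations, splits each RUN's shell chain, and reports a package-index refresh whose install only appears in a later RUN, which is the pattern the positive samples share while the trailing lone 'apk update' in negative test 7 stays clean. The sample Dockerfiles in the block are constructed to mirror positive and negative test 7.

```python
import json
import re

# Added example, not the query's own Rego: a RUN that only refreshes the package
# index is reported when a later RUN installs with the same package manager.
MANAGERS = {"apt-get", "apt", "yum", "dnf", "zypper", "apk", "pacman"}

def run_instructions(dockerfile):
    """Yield each RUN instruction's argument with line continuations joined."""
    for line in re.sub(r"\\\n\s*", " ", dockerfile).splitlines():
        inst, _, arg = line.strip().partition(" ")
        if inst.upper() == "RUN":
            yield " ".join(json.loads(arg)) if arg.startswith("[") else arg

def classify(cmd):
    """Map one simple command to (manager, refreshes_index, installs) or None."""
    tokens = cmd.split()
    if not tokens or tokens[0] not in MANAGERS:
        return None
    mgr, args = tokens[0], tokens[1:]
    if mgr == "pacman":  # -Sy refreshes; -S plus a package name installs
        sync = [a for a in args if a.startswith("-S")]
        return mgr, any("y" in a for a in sync), bool(sync) and any(not a.startswith("-") for a in args)
    return mgr, bool({"update", "refresh"} & set(args)), bool({"install", "add"} & set(args))

def summarize(run):
    """Per package manager: (refreshes_index, installs) across the RUN's && / ; chain."""
    seen = {}
    for cmd in re.split(r"&&|\|\||;|\|", run):
        hit = classify(cmd.strip())
        if hit:
            upd, ins = seen.get(hit[0], (False, False))
            seen[hit[0]] = (upd or hit[1], ins or hit[2])
    return seen

def lone_updates(dockerfile):
    """Return (run_number, manager) for index refreshes split from a later install."""
    runs = [summarize(r) for r in run_instructions(dockerfile)]
    return [(n + 1, mgr) for n, seen in enumerate(runs)
            for mgr, (upd, ins) in seen.items()
            if upd and not ins and any(r.get(mgr, (False, False))[1] for r in runs[n + 1:])]

# Constructed inputs mirroring positive test 7 and negative test 7 above.
POSITIVE_7 = """FROM ubuntu:18.04
RUN apt-get update
RUN apt-get install -y --no-install-recommends mysql-client \\
    && rm -rf /var/lib/apt/lists/*
RUN apk update
ENTRYPOINT ["mysql"]"""
NEGATIVE_7 = POSITIVE_7.replace("update\nRUN apt-get install", "update && apt-get install")
```

`lone_updates(POSITIVE_7)` reports the first RUN for apt-get, while `lone_updates(NEGATIVE_7)` returns no findings; exec-form RUN instructions are handled as well.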