Update Instruction Alone
- Query id: 9bae49be-0aa3-4de5-bab2-4c3a069e40cd
- Query name: Update Instruction Alone
- Platform: Dockerfile
- Severity: Low
- Category: Build Process
- CWE: 710
- URL: Github
Description
Instruction 'RUN update' should always be followed by 'install' in the same RUN statement. Each Dockerfile instruction produces its own cached layer, so a package-index update run on its own is cached separately, and an install in a later RUN statement can resolve against a stale index.
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - dockerfile file
FROM alpine:latest
RUN apk update
RUN apk add nginx
CMD ["nginx", "-g", "daemon off;"]
Positive test num. 2 - dockerfile file
FROM opensuse:latest
RUN zypper refresh
RUN zypper install nginx
CMD ["nginx", "-g", "daemon off;"]
Positive test num. 3 - dockerfile file
FROM debian:latest
RUN apt update
RUN apt install nginx
CMD ["nginx", "-g", "daemon off;"]
Positive test num. 4 - dockerfile file
Positive test num. 5 - dockerfile file
Positive test num. 6 - dockerfile file
Positive test num. 7 - dockerfile file
Code samples without security vulnerabilities
Negative test num. 1 - dockerfile file
FROM ubuntu:18.04
RUN apt-get update \
&& apt-get install -y --no-install-recommends mysql-client \
&& rm -rf /var/lib/apt/lists/*
RUN apk update \
&& apk add --no-cache git ca-certificates
RUN apk --update add easy-rsa
ENTRYPOINT ["mysql"]
Negative test num. 2 - dockerfile file
FROM alpine:latest
RUN apk update && apk add nginx
RUN apk --update-cache add vim
RUN apk -U add nano
CMD ["nginx", "-g", "daemon off;"]
Negative test num. 3 - dockerfile file
FROM alpine:latest
RUN apk --update add nginx
RUN apk add --update nginx
CMD ["nginx", "-g", "daemon off;"]
Negative test num. 4 - dockerfile file
Negative test num. 5 - dockerfile file
FROM ubuntu:16.04
RUN apt-get update \
&& apt-get install -y --no-install-recommends zend-server-php-5.6=8.5.17+b19 \
&& rm -rf /var/lib/apt/lists/*
RUN /usr/local/zend/bin/php -r "readfile('https://getcomposer.org/installer');" | /usr/local/zend/bin/php \
&& /usr/local/zend/bin/php composer.phar self-update && /usr/local/zend/bin/php composer.phar update
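The check described by this rule, as an added example written for this page rather than the KICS query itself: it joins backslash continuations so that a multi-line RUN counts as one statement, flags apt/apt-get/apk update and zypper refresh commands with no install or add in the same statement, and, like the page's negative samples, treats apk's inline refresh flags (--update, --update-cache, -U) as compliant. The two sample Dockerfiles are constructed from the page's positive test 3 and negative test 1.

```python
import re

# Package-index refresh commands the rule flags ("RUN <pm> update") ...
UPDATE_RE = re.compile(r"\b(?:apt-get|apt|apk)\s+update\b|\bzypper\s+refresh\b")
# ... and the install/add that must follow in the same RUN statement. apk's
# inline refresh flags (--update, --update-cache, -U) never match UPDATE_RE.
INSTALL_RE = re.compile(r"\b(?:apt-get|apt|zypper)\s+install\b|\bapk\b[^&|;]*\badd\b")

def run_statements(dockerfile: str):
    """Yield (line_no, command) per RUN instruction, joining backslash continuations."""
    lines, i = dockerfile.splitlines(), 0
    while i < len(lines):
        start, line = i, lines[i].rstrip()
        while line.endswith("\\") and i + 1 < len(lines):
            i += 1
            line = line[:-1] + " " + lines[i].strip()
        i += 1
        if line.lstrip().upper().startswith("RUN "):
            yield start + 1, line.lstrip()[4:]

def update_alone_findings(dockerfile: str) -> list:
    """Line numbers of RUN statements that refresh the index without installing."""
    return [n for n, cmd in run_statements(dockerfile)
            if UPDATE_RE.search(cmd) and not INSTALL_RE.search(cmd)]

# Constructed samples mirroring the page's positive test 3 and negative test 1.
POSITIVE = """\
FROM debian:latest
RUN apt update
RUN apt install nginx
CMD ["nginx", "-g", "daemon off;"]
"""
NEGATIVE = """\
FROM ubuntu:18.04
RUN apt-get update \\
    && apt-get install -y --no-install-recommends mysql-client \\
    && rm -rf /var/lib/apt/lists/*
RUN apk update \\
    && apk add --no-cache git ca-certificates
RUN apk --update add easy-rsa
ENTRYPOINT ["mysql"]
"""

if __name__ == "__main__":
    for name, src in (("positive", POSITIVE), ("negative", NEGATIVE)):
        print(name, "-> update-alone at RUN lines:", update_alone_findings(src))
```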