Apk Add Using Local Cache Path

  • Query id: ae9c56a6-3ed1-4ac0-9b54-31267f51151d
  • Query name: Apk Add Using Local Cache Path
  • Platform: Dockerfile
  • Severity: Info
  • Category: Supply-Chain
  • CWE: 459
  • URL: Github

Description

When installing packages, use the '--no-cache' switch to avoid the need to use '--update' and remove '/var/cache/apk/*'. With '--no-cache', apk fetches a fresh package index without storing it under '/var/cache/apk', so no cache files are left behind in the image layer and no separate cleanup step is required.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - dockerfile file

FROM gliderlabs/alpine:3.3
RUN apk add --update-cache python
WORKDIR /app
ONBUILD COPY . /app
ONBUILD RUN virtualenv /env && /env/bin/pip install -r /app/requirements.txt
EXPOSE 8080
CMD ["/env/bin/python", "main.py"]

Positive test num. 2 - dockerfile file

FROM gliderlabs/alpine:3.3
RUN apk add --update-cache python
WORKDIR /app
ONBUILD COPY . /app
ONBUILD RUN virtualenv /env; \
    /env/bin/pip install -r /app/requirements.txt
EXPOSE 8080
CMD ["/env/bin/python", "main.py"]

Code samples without security vulnerabilities

Negative test num. 1 - dockerfile file

FROM gliderlabs/alpine:3.3
RUN apk add --no-cache python
WORKDIR /app
ONBUILD COPY . /app
ONBUILD RUN virtualenv /env && /env/bin/pip install -r /app/requirements.txt
EXPOSE 8080
CMD ["/env/bin/python", "main.py"]

Negative test num. 2 - dockerfile file

FROM gliderlabs/alpine:3.3
RUN apk add --no-cache python
WORKDIR /app
ONBUILD COPY . /app
ONBUILD RUN virtualenv /env; \
    /env/bin/pip install -r /app/requirements.txt
EXPOSE 8080
CMD ["/env/bin/python", "main.py"]
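As an added illustration (not the KICS query's own implementation), the shell checker below finds the pattern this page describes: an 'apk add' inside a RUN or ONBUILD RUN that lacks '--no-cache'. It joins backslash-continued lines first, so a multi-line RUN like the one in the samples above is inspected as a single instruction; the sample Dockerfiles it writes are constructed for this example.

```shell
#!/bin/sh
# Added example, not KICS code: flag `apk add` invocations that rely on the
# local index cache instead of --no-cache.

# check_apk_no_cache FILE: prints each offending instruction with the line it
# starts on; returns 1 if any were found, 0 otherwise.
check_apk_no_cache() {
    awk '
        # Join backslash-continued lines into one logical instruction.
        /\\[[:space:]]*$/ {
            if (buf == "") start = NR
            sub(/\\[[:space:]]*$/, "")
            buf = buf $0 " "
            next
        }
        {
            if (buf == "") start = NR
            line = buf $0
            buf = ""
        }
        # Only RUN / ONBUILD RUN instructions that invoke "apk ... add".
        line ~ /^[[:space:]]*([Oo][Nn][Bb][Uu][Ii][Ll][Dd][[:space:]]+)?[Rr][Uu][Nn][[:space:]]/ \
        && line ~ /apk([[:space:]]+-[^[:space:]]+)*[[:space:]]+add([[:space:]]|$)/ {
            if (line !~ /(^|[[:space:]])--no-cache([[:space:]]|$)/) {
                printf "line %d: %s\n", start, line
                bad = 1
            }
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Constructed samples: $1 mirrors the positive tests, $2 the negative ones,
# with the --no-cache flag placed on a continuation line as an edge case.
write_samples() {
    cat > "$1" <<'EOF'
FROM gliderlabs/alpine:3.3
RUN apk add --update-cache python
ONBUILD RUN virtualenv /env; \
    /env/bin/pip install -r /app/requirements.txt
EOF
    cat > "$2" <<'EOF'
FROM gliderlabs/alpine:3.3
RUN apk add \
    --no-cache python
EOF
}

bad=$(mktemp); good=$(mktemp)
write_samples "$bad" "$good"
check_apk_no_cache "$bad"  || echo "FAIL: apk cache would be left in the image layer"
check_apk_no_cache "$good" && echo "OK: no local apk cache used"
rm -f "$bad" "$good"
```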