Missing Flag From Dnf Install
- Query id: 7ebd323c-31b7-4e5b-b26f-de5e9e477af8
- Query name: Missing Flag From Dnf Install
- Platform: Dockerfile
- Severity: Low
- Category: Supply-Chain
- CWE: 710
- URL: Github
Description¶
The '-y' (or '--assumeyes') flag should be passed whenever 'dnf install' is invoked in a Dockerfile. Without it, dnf stops to ask for confirmation before applying the transaction; an image build runs non-interactively with no terminal attached, so the prompt is answered by end-of-input, dnf aborts the transaction and the RUN step fails (or, if the failure is not propagated, for example with ';' chaining and no 'set -e', the layer is built without the package). The same applies to the 'dnf in' alias and to the microdnf and tdnf variants exercised by the samples below.
Documentation
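The following script is an added illustration of the check this query performs; it is not the query's own Rego source and is not part of the KICS project. It covers the situations the page's samples exercise (backslash line continuations, '&&' and ';' chaining, the 'dnf in' alias, and the microdnf/tdnf variants). Exec-form RUN instructions and clustered short flags such as '-yq' are handled as assumptions of this example, not as behaviour the page attributes to the query. The first embedded sample is the page's own positive test 2; the second is constructed from the negative tests plus the two assumed cases.

```python
"""Flag dnf/microdnf/tdnf install commands in a Dockerfile that lack -y/--assumeyes."""
import json
import re
import shlex
import sys

MANAGERS = {"dnf", "microdnf", "tdnf"}
INSTALL_VERBS = {"install", "in"}        # "in" is dnf's alias for install
ASSUME_YES = {"-y", "--assumeyes"}
SEPARATORS = re.compile(r"\s*(?:&&|\|\||;|\|)\s*")


def parse_instructions(dockerfile):
    """Yield (line_no, instruction) with backslash continuations joined.

    Blank and '#' comment lines are dropped even inside a continued RUN,
    which is how the Dockerfile parser treats them.
    """
    buf, start = [], 0
    for idx, raw in enumerate(dockerfile.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not buf:
            start = idx
        if line.endswith("\\"):
            buf.append(line[:-1].rstrip())
            continue
        buf.append(line)
        yield start, " ".join(buf)
        buf = []
    if buf:  # file ended inside a continuation; report what we have
        yield start, " ".join(buf)


def missing_assume_yes(tokens):
    """True when tokens form a dnf-family install that would prompt for confirmation."""
    idx = next((k for k, t in enumerate(tokens) if t in MANAGERS), None)
    if idx is None:
        return False
    rest = tokens[idx + 1:]
    # The subcommand is the first non-option word after the manager; options
    # are legal before it (dnf -y install foo, dnf --setopt=... install foo).
    verb = next((t for t in rest if not t.startswith("-")), None)
    if verb not in INSTALL_VERBS:
        return False
    for t in rest:
        if t in ASSUME_YES:
            return False
        # Assumption: a cluster of short options containing 'y' (e.g. -yq) counts as -y.
        if t.startswith("-") and not t.startswith("--") and "y" in t[1:]:
            return False
    return True


def find_missing_assume_yes(dockerfile):
    """Return [(line_no, command)] for each RUN sub-command that would prompt."""
    findings = []
    for line_no, instr in parse_instructions(dockerfile):
        parts = instr.split(None, 1)
        if len(parts) < 2 or parts[0].upper() != "RUN":
            continue
        args = parts[1]
        if args.startswith("["):  # exec form: RUN ["dnf", "install", "foo"] (assumed case)
            try:
                token_lists = [json.loads(args)]
            except json.JSONDecodeError:
                continue
        else:  # shell form: split on &&, ||, ; and | then tokenise each piece
            token_lists = []
            for cmd in SEPARATORS.split(args):
                if cmd:
                    try:
                        token_lists.append(shlex.split(cmd))
                    except ValueError:  # unbalanced quotes; skip rather than crash
                        pass
        for tokens in token_lists:
            if missing_assume_yes(tokens):
                findings.append((line_no, " ".join(tokens)))
    return findings


# Sample 1: the page's "Positive test num. 2" (two stages, ';' chaining, 'dnf in' alias).
POSITIVE = """\
FROM fedora:27
RUN set -uex; \\
    dnf config-manager --set-enabled docker-ce-test; \\
    dnf install docker-ce; \\
    dnf clean all
FROM fedora:28
RUN set -uex
RUN dnf config-manager --set-enabled docker-ce-test
RUN dnf in docker-ce
RUN dnf clean all
"""

# Sample 2: constructed from the page's negative tests, plus an exec-form RUN and a
# clustered -yq flag that the page itself does not show.
NEGATIVE = """\
FROM fedora:27
RUN set -uex && \\
    dnf config-manager --set-enabled docker-ce-test && \\
    dnf install -y docker-ce && \\
    dnf clean all
# hadolint ignore=DL3006
RUN tdnf install -y \\
    jq \\
    tar
RUN ["microdnf", "install", "--assumeyes", "zlib"]
RUN dnf -yq install curl
"""

if __name__ == "__main__":
    # Usage: python dnf_assumeyes_check.py [Dockerfile]; without an argument the embedded samples run.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            samples = {sys.argv[1]: fh.read()}
    else:
        samples = {"positive": POSITIVE, "negative": NEGATIVE}
    for name, text in samples.items():
        for line_no, cmd in find_missing_assume_yes(text):
            print(f"{name}:{line_no}: missing -y/--assumeyes: {cmd}")
```

Run against the embedded samples it reports lines 2 and 9 of the positive Dockerfile (the continued 'dnf install docker-ce' and the 'dnf in docker-ce' alias) and nothing for the negative one. The check is deliberately scoped to install, matching this query; 'dnf remove' and 'dnf upgrade' prompt in the same way, so a site-wide rule would extend INSTALL_VERBS accordingly.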
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - dockerfile file
FROM fedora:27
RUN set -uex && \
dnf config-manager --set-enabled docker-ce-test && \
dnf install docker-ce && \
dnf clean all
FROM fedora:28
RUN set -uex
RUN dnf config-manager --set-enabled docker-ce-test
RUN dnf in docker-ce
RUN dnf clean all
Positive test num. 2 - dockerfile file
FROM fedora:27
RUN set -uex; \
dnf config-manager --set-enabled docker-ce-test; \
dnf install docker-ce; \
dnf clean all
FROM fedora:28
RUN set -uex
RUN dnf config-manager --set-enabled docker-ce-test
RUN dnf in docker-ce
RUN dnf clean all
Positive test num. 3 - dockerfile file
FROM fedora:27
RUN microdnf install \
openssl-libs-1:1.1.1k-6.el8_5.x86_64 \
zlib-1.2.11-18.el8_5.x86_64 \
&& microdnf clean all
Positive test num. 4 - dockerfile file
ARG BASE_CONTAINER_REGISTRY
# Base the installer on the Azure CLI image as we require the tool
# to download the psa-check from the UniversalPackage feed.
# Additionally, the script to retrieve the Kubernetes schemas
# requires Python (yaml & requests) which are included by
# default in the Azure CLI image.
# hadolint ignore=DL3006
FROM ${BASE_CONTAINER_REGISTRY:-mcr.microsoft.com}/azure-cli AS installer
ARG AZP_URL
ARG AZP_TOKEN
ARG DCP_INSTALLATION=infra-test
ARG HADOLINT_VERSION=2.12.0
ARG KUSTOMIZE_VERSION=5.5.0
ARG KUBECONFORM_VERSION=0.6.7
ARG FLYWAY_VERSION=11.1.0
RUN tdnf install \
jq \
tar \
libicu \
python3-requests \
python3-yaml
Code samples without security vulnerabilities¶
Negative test num. 1 - dockerfile file
FROM fedora:27
RUN set -uex && \
dnf config-manager --set-enabled docker-ce-test && \
dnf install -y docker-ce && \
dnf clean all
Negative test num. 2 - dockerfile file
FROM fedora:27
RUN set -uex; \
dnf config-manager --set-enabled docker-ce-test; \
dnf install -y docker-ce; \
dnf clean all
Negative test num. 3 - dockerfile file
FROM fedora:27
RUN microdnf install -y \
openssl-libs-1:1.1.1k-6.el8_5.x86_64 \
zlib-1.2.11-18.el8_5.x86_64 \
&& microdnf clean all
Negative test num. 4 - dockerfile file
ARG BASE_CONTAINER_REGISTRY
# Base the installer on the Azure CLI image as we require the tool
# to download the psa-check from the UniversalPackage feed.
# Additionally, the script to retrieve the Kubernetes schemas
# requires Python (yaml & requests) which are included by
# default in the Azure CLI image.
# hadolint ignore=DL3006
FROM ${BASE_CONTAINER_REGISTRY:-mcr.microsoft.com}/azure-cli AS installer
ARG AZP_URL
ARG AZP_TOKEN
ARG DCP_INSTALLATION=infra-test
ARG HADOLINT_VERSION=2.12.0
ARG KUSTOMIZE_VERSION=5.5.0
ARG KUBECONFORM_VERSION=0.6.7
ARG FLYWAY_VERSION=11.1.0
RUN tdnf install -y \
jq \
tar \
libicu \
python3-requests \
python3-yaml