Missing Version Specification In dnf install

  • Query id: 93d88cf7-f078-46a8-8ddc-178e03aeacf1
  • Query name: Missing Version Specification In dnf install
  • Platform: Dockerfile
  • Severity: Medium
  • Category: Supply-Chain
  • URL: Github

Description

Specifying a package version reduces failures caused by unanticipated changes in required packages.

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - dockerfile file
FROM fedora:latest
RUN dnf -y update && dnf -y install httpd && dnf clean all
RUN ["dnf", "install", "httpd"]
COPY index.html /var/www/html/index.html
EXPOSE 80
ENTRYPOINT /usr/sbin/httpd -DFOREGROUND

Code samples without security vulnerabilities

Negative test num. 1 - dockerfile file
FROM fedora:latest
RUN dnf -y update && dnf -y install httpd-2.24.2 && dnf clean all
RUN ["dnf", "install", "httpd-2.24.2"]
COPY index.html /var/www/html/index.html
EXPOSE 80
ENTRYPOINT /usr/sbin/httpd -DFOREGROUND
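
The check this query describes, written as a Python function and run over the RUN instructions from the two samples above. This is an added example, not the scanner's own rule; `find_unpinned_dnf`, `_commands` and the `name-<digit>` pinning heuristic are assumptions.

```python
import json
import re
import shlex

# Assumption: "name-<digit>..." counts as pinned (e.g. httpd-2.24.2). Heuristic only.
PINNED = re.compile(r"-\d")

# The RUN instructions from the page's positive and negative samples.
POSITIVE = ('FROM fedora:latest\n'
            'RUN dnf -y update && dnf -y install httpd && dnf clean all\n'
            'RUN ["dnf", "install", "httpd"]\n')
NEGATIVE = POSITIVE.replace("httpd", "httpd-2.24.2")

def _commands(run_body):
    """Yield argv lists from a RUN body in exec (JSON array) or shell form."""
    body = run_body.strip()
    if body.startswith("["):
        try:
            yield [str(a) for a in json.loads(body)]
            return
        except ValueError:
            pass  # not valid JSON, so it is treated as shell form
    for part in re.split(r"&&|\|\||;|\|", body):
        argv = shlex.split(part)
        if argv:
            yield argv

def find_unpinned_dnf(dockerfile_text):
    """Return (line_number, package) for each dnf install argument without a version."""
    findings, logical, start = [], "", 0
    for num, raw in enumerate(dockerfile_text.splitlines(), 1):
        if not logical:
            start = num  # first physical line of this instruction
        line = raw.rstrip()
        if line.endswith("\\"):  # join backslash-continued lines
            logical += line[:-1] + " "
            continue
        logical += line
        match = re.match(r"\s*RUN\s+(.*)", logical, re.IGNORECASE | re.DOTALL)
        logical = ""
        if not match:
            continue
        for argv in _commands(match.group(1)):
            if argv[0] == "dnf" and "install" in argv:
                for arg in argv[argv.index("install") + 1:]:
                    if not arg.startswith("-") and not PINNED.search(arg):
                        findings.append((start, arg))
    return findings
```

Because the heuristic only looks for a hyphen followed by a digit, a package whose name itself contains that pattern is treated as pinned; a production rule would need a stricter name/version split.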