Unpinned package version

Docs > Plateforme de sécurité Datadog > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > Unpinned package version

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Metadata

Id: ansible-unpinned-package-version

Cloud Provider: Common

Platform: Ansible

Severity: Low

Category: Supply-Chain

Learn More

Provider Reference

Description

Package installer tasks that set state: latest without pinning a version or enabling update_only can cause unintended upgrades. This may introduce breaking changes, regressions, or service disruptions and make deployments non-reproducible.

Ansible package installer modules (for example apt, yum, dnf, pip) are checked for the following task properties: state must not be latest unless a version is specified or update_only is set to true. Tasks with state: latest and no version and missing or false update_only are flagged.

Remediate by pinning packages to explicit versions for deterministic installs, or set update_only: true when you only want to upgrade already-installed packages.

Secure example — pin a version:

- name: Install mypkg at a specific version
  apt:
    name: mypkg=1.2.3
    state: present
```Secure example — allow only updates to already-installed packages:

```yaml
- name: Update installed packages only
  yum:
    name: mypkg
    state: latest
    update_only: true

Compliant Code Examples

---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: Install Ansible
      ansible.builtin.yum:
        name: ansible-2.12.7.0
        state: present

    - name: Install Ansible-lint
      ansible.builtin.pip:
        name: ansible-lint
        state: present
        version: 5.4.0

    - name: Update Ansible with update_only to true
      ansible.builtin.yum:
        name: sudo
        state: latest
        update_only: true

    - name: Install nmap
      community.general.zypper:
        name: nmap
        state: present

    - name: Install package without using cache
      community.general.apk:
        name: foo
        state: present
        no_cache: true

    - name: Install apache httpd
      ansible.builtin.apt:
        name: apache2
        state: present

    - name: Update Gemfile in another directory
      community.general.bundler:
        state: present
        chdir: ~/rails_project

    - name: Install a modularity appstream with defined profile
      ansible.builtin.dnf:
        name: "@postgresql/client"
        state: present

    - name: Install rake
      community.general.gem:
        name: rake
        state: present

    - name: Install formula foo with 'brew' from cask
      community.general.homebrew:
        name: homebrew/cask/foo
        state: present

    - name: Install Green Balls plugin
      community.general.jenkins_plugin:
        name: greenballs
        version: present
        state: present
        url: http://host_jenkins:8080
        username: user_jenkins
        password: userpass_jenkins
      register: result

    - name: Install packages based on package.json
      community.general.npm:
        path: /app/location
        state: present

    - name: Install nmap
      community.general.openbsd_pkg:
        name: nmap
        state: present

    - name: Install ntpdate
      ansible.builtin.package:
        name: ntpdate
        state: present

    - name: Install package bar from file
      community.general.pacman:
        name: ~/bar-1.0-1-any.pkg.tar.xz
        state: present

    - name: Install package bar from file
      community.general.pacman:
        name: ~/bar-1.0-1-any.pkg.tar.xz
        state: present

    - name: Install finger daemon
      community.general.pkg5:
        name: service/network/finger
        state: present

    - name: Install several packages
      community.general.pkgutil:
        name:
          - CSWsudo
          - CSWtop
        state: present

    - name: Install package foo
      community.general.portage:
        package: foo
        state: present

    - name: Make sure that it is the most updated package
      community.general.slackpkg:
        name: foo
        state: present

    - name: Make sure spell foo is installed
      community.general.sorcery:
        spell: foo
        state: present

    - name: Install package unzip
      community.general.swdepot:
        name: unzip
        state: present
        depot: "repository:/path"

    - name: Install multiple packages
      win_chocolatey:
        name:
          - procexp
          - putty
          - windirstat
        state: present

    - name: Install "imagemin" node.js package globally.
      community.general.yarn:
        name: imagemin
        global: true

    - name: Install a list of packages (suitable replacement for 2.11 loop deprecation warning)
      ansible.builtin.yum:
        name:
          - nginx
          - postgresql
          - postgresql-server
        state: present

    - name: Install local rpm file
      community.general.zypper:
        name: /tmp/fancy-software.rpm
        state: present

Non-Compliant Code Examples

---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: Install Ansible
      ansible.builtin.yum:
        name: ansible
        state: latest

    - name: Install Ansible-lint
      ansible.builtin.pip:
        name: ansible-lint
        state: latest

    - name: Install some-package
      ansible.builtin.package:
        name: some-package
        state: latest

    - name: Install Ansible with update_only to false
      ansible.builtin.yum:
        name: sudo
        state: latest
        update_only: false

    - name: Install nmap
      community.general.zypper:
        name: nmap
        state: latest

    - name: Install package without using cache
      community.general.apk:
        name: foo
        state: latest
        no_cache: true

    - name: Install apache httpd
      ansible.builtin.apt:
        name: apache2
        state: latest

    - name: Update Gemfile in another directory
      community.general.bundler:
        state: latest
        chdir: ~/rails_project

    - name: Install a modularity appstream with defined profile
      ansible.builtin.dnf:
        name: "@postgresql/client"
        state: latest

    - name: Install rake
      community.general.gem:
        name: rake
        state: latest

    - name: Install formula foo with 'brew' from cask
      community.general.homebrew:
        name: homebrew/cask/foo
        state: latest

    - name: Install Green Balls plugin
      community.general.jenkins_plugin:
        name: greenballs
        state: latest
        url: http://host_jenkins:8080
        username: user_jenkins
        password: userpass_jenkins
      register: result

    - name: Install packages based on package.json
      community.general.npm:
        path: /app/location
        state: latest

    - name: Install nmap
      community.general.openbsd_pkg:
        name: nmap
        state: latest

    - name: Install ntpdate
      ansible.builtin.package:
        name: ntpdate
        state: latest

    - name: Install package bar from file
      community.general.pacman:
        name: ~/bar-1.0-1-any.pkg.tar.xz
        state: latest

    - name: Install finger daemon
      community.general.pkg5:
        name: service/network/finger
        state: latest

    - name: Install several packages
      community.general.pkgutil:
        name:
          - CSWsudo
          - CSWtop
        state: latest

    - name: Install package foo
      community.general.portage:
        package: foo
        state: latest

    - name: Make sure that it is the most updated package
      community.general.slackpkg:
        name: foo
        state: latest

    - name: Make sure spell foo is installed
      community.general.sorcery:
        spell: foo
        state: latest

    - name: Install package unzip
      community.general.swdepot:
        name: unzip
        state: latest
        depot: "repository:/path"

    - name: Install multiple packages
      win_chocolatey:
        name:
          - procexp
          - putty
          - windirstat
        state: latest

    - name: Install "imagemin" node.js package globally.
      community.general.yarn:
        name: imagemin
        global: true
        state: latest

    - name: Install a list of packages (suitable replacement for 2.11 loop deprecation warning)
      ansible.builtin.yum:
        name:
          - nginx
          - postgresql
          - postgresql-server
        state: latest

    - name: Install local rpm file
      community.general.zypper:
        name: /tmp/fancy-software.rpm
        state: latest