Metadata

Id: 6452c424-1d92-4deb-bb18-a03e95d579c4

Cloud Provider: Dockerfile

Platform: Dockerfile

Severity: Medium

Category: Supply-Chain

Description

Dockerfile RUN commands that use yum install must specify explicit package versions to ensure build reproducibility and reduce the risk of unintentionally installing newer, unvetted, or vulnerable package releases.

This rule inspects Dockerfile RUN instructions that invoke yum install and flags package arguments that are plain names without a version specifier. Each package should include an explicit version (for example, pkg-1.2.3 or pkg=1.2.3).

Both single-string RUN commands and tokenized RUN forms are checked. Command flags and options (for example, -y, --enablerepo) are ignored, and only tokens beginning with letters are validated. Resources missing a version for any package will be flagged.
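The following checker is an added illustration of the detection logic described above, written for this page and not Datadog's own implementation. It assumes a package token is pinned when its name is followed by a hyphen and a digit (RPM style, e.g. httpd-2.4.6-90.el7), a hyphen and a build-time variable (e.g. rethinkdb-$VERSION), or an equals sign and a version; both the shell and the exec (JSON array) RUN forms are inspected, and chained commands such as yum clean all are skipped.

```python
import json
import re
import shlex

# Added illustration of the rule's check; not Datadog's implementation.
# A token is "pinned" when its name is followed by "-<digit>" (RPM style,
# e.g. httpd-2.4.6-90.el7), "-$VAR" (a build-time version variable) or "=<version>".
PINNED_RE = re.compile(r"^[A-Za-z][\w.+-]*?(?:-(?:\d|\$)|=\S)")

def run_instructions(dockerfile_text):
    """Yield the argument of each RUN instruction, joining backslash continuations."""
    text = re.sub(r"\\\r?\n", " ", dockerfile_text)
    for line in text.splitlines():
        stripped = line.strip()
        if stripped[:4].upper() == "RUN ":
            yield stripped[4:].strip()

def commands_of(run_arg):
    """Split a RUN argument (exec/JSON form or shell form) into simple commands."""
    if run_arg.startswith("["):
        tokens = [str(t) for t in json.loads(run_arg)]  # exec form: a single command
    else:
        tokens = shlex.split(run_arg)                     # shell form: may be chained
    commands, current = [], []
    for tok in tokens:
        if tok in ("&&", "||", ";", "|"):
            commands.append(current)
            current = []
        else:
            current.append(tok)
    commands.append(current)
    return commands

def unpinned_packages(dockerfile_text):
    """Return package names passed to 'yum install' without an explicit version."""
    findings = []
    for arg in run_instructions(dockerfile_text):
        for cmd in commands_of(arg):
            words = [t for t in cmd if not t.startswith("-")]  # drop -y, --enablerepo=...
            if words[:2] != ["yum", "install"]:
                continue
            for tok in words[2:]:
                # Only tokens that begin with a letter are treated as package names.
                if tok and tok[0].isalpha() and not PINNED_RE.match(tok):
                    findings.append(tok)
    return findings

if __name__ == "__main__":
    # Constructed sample mirroring the page's non-compliant example.
    sample = 'FROM opensuse/leap:15.2\nRUN yum install -y httpd && yum clean all\nRUN ["yum", "install", "httpd"]\n'
    print(unpinned_packages(sample))  # ['httpd', 'httpd']
```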

Secure example:

FROM centos:7
RUN yum install -y httpd-2.4.6-90.el7.centos mod_ssl-2.4.6-90.el7.centos

Compliant Code Examples

FROM opensuse/leap:15.2
RUN yum install -y httpd-2.24.2 && yum clean all
HEALTHCHECK CMD curl --fail http://localhost:3000 || exit 1


FROM opensuse/leap:15.3
ENV RETHINKDB_PACKAGE_VERSION 2.4.0~0trusty
RUN yum install -y rethinkdb-$RETHINKDB_PACKAGE_VERSION && yum clean all

Non-Compliant Code Examples

FROM opensuse/leap:15.2
RUN yum install -y httpd && yum clean all
RUN ["yum", "install", "httpd"]
HEALTHCHECK CMD curl --fail http://localhost:3000 || exit 1