Zypper install without explicit package version
Id: 562952e4-0348-4dea-9826-44f3a2c6117b
Cloud Provider: Dockerfile
Platform: Dockerfile
Severity: Low
Category: Supply-Chain
Learn More
Description
When using zypper to install packages in a Dockerfile, each package should include an explicit version to ensure reproducible builds and avoid unintentionally pulling newer package releases that could introduce vulnerabilities or break functionality.
This rule inspects Dockerfile RUN instructions that invoke zypper install or its alias zypper in (in both shell form and exec form) and flags package arguments that are bare names without a version component. A package argument missing a version, for example curl instead of curl=7.79.1, is flagged. Specify the version inline using the repository-appropriate syntax, or use a package pin/lock mechanism to fix the exact package release.
Secure example:
RUN zypper install -y curl=7.79.1 libxml2=2.9.10
Compliant Code Examples
FROM opensuse/leap:15.2
RUN zypper install -y httpd=2.4.46 && zypper clean
HEALTHCHECK CMD curl --fail http://localhost:3000 || exit 1
Non-Compliant Code Examples
FROM opensuse/leap:15.2
RUN zypper install -y httpd && zypper clean
RUN ["zypper", "install", "http"]
HEALTHCHECK CMD curl --fail http://localhost:3000 || exit 1
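The checker below is an added example that mirrors the rule as described above; it is not the rule's own implementation. It reads a Dockerfile, joins backslash continuations, extracts RUN instructions in shell form (splitting chained commands on &&, ||, ; and |) and exec form (JSON array), locates zypper install / zypper in invocations, and reports package arguments that carry no zypper comparison operator (=, >=, <=, >, <). The list of value-taking options and the constructed sample Dockerfile, which combines the compliant and non-compliant snippets from this page plus one continuation-line case, are assumptions made for the example.

```python
"""Minimal Dockerfile checker for unpinned `zypper install` packages.

Added example, not the rule's own code. Heuristics (which options take a
value, how commands are split) are constructed for this illustration.
"""
import json
import re
import shlex

# Sub-commands the rule treats as an install: `zypper install` and the alias `zypper in`.
INSTALL_SUBCOMMANDS = {"install", "in"}
# Options of `zypper install` that consume the next token as a value (assumed small list),
# so that value is not mistaken for a package name.
VALUE_OPTIONS = {"-t", "--type", "-r", "--repo", "--from"}
# Shell operators that separate chained commands inside a shell-form RUN.
SHELL_SEPARATORS = {"&&", "||", ";", "|"}
# A package spec counts as versioned when it contains a zypper comparison operator,
# e.g. curl=7.79.1 or curl>=7.79.1.
VERSIONED = re.compile(r"^[^=<>]+(?:=|>=|<=|>|<)\S+$")


def run_instructions(dockerfile: str):
    """Yield the argument of each RUN instruction, with backslash continuations joined."""
    text = re.sub(r"\\\s*\n", " ", dockerfile)  # join "\<newline>" continuations
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if parts[0].upper() == "RUN" and len(parts) == 2:
            yield parts[1]


def commands_in(run_arg: str):
    """Split one RUN argument into simple commands (token lists)."""
    if run_arg.lstrip().startswith("["):
        return [json.loads(run_arg)]  # exec form: exactly one command, no shell
    commands, current = [], []
    for tok in shlex.split(run_arg):  # shell form: tokens split on whitespace
        if tok in SHELL_SEPARATORS:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def unversioned_packages(command):
    """Return bare package names in a `zypper install`/`zypper in` command, else []."""
    if not command or command[0] != "zypper":
        return []
    i = 1
    while i < len(command) and command[i].startswith("-"):
        i += 1  # skip global options such as -n / --non-interactive
    if i >= len(command) or command[i] not in INSTALL_SUBCOMMANDS:
        return []
    flagged = []
    i += 1
    while i < len(command):
        tok = command[i]
        if tok in VALUE_OPTIONS:
            i += 2  # option plus its value
            continue
        if tok.startswith("-"):
            i += 1  # boolean flag such as -y or --no-recommends
            continue
        if not VERSIONED.match(tok):
            flagged.append(tok)
        i += 1
    return flagged


def check_dockerfile(dockerfile: str):
    """Return (run_argument, package) pairs for every unpinned package found."""
    findings = []
    for run_arg in run_instructions(dockerfile):
        for cmd in commands_in(run_arg):
            for pkg in unversioned_packages(cmd):
                findings.append((run_arg, pkg))
    return findings


# Constructed sample: the page's compliant and non-compliant snippets plus a continuation line.
SAMPLE_DOCKERFILE = """\
FROM opensuse/leap:15.2
RUN zypper install -y httpd=2.4.46 && zypper clean
RUN zypper install -y httpd && zypper clean
RUN ["zypper", "install", "http"]
RUN zypper --non-interactive in --no-recommends \\
    curl=7.79.1 libxml2
HEALTHCHECK CMD curl --fail http://localhost:3000 || exit 1
"""

if __name__ == "__main__":
    for run_arg, pkg in check_dockerfile(SAMPLE_DOCKERFILE):
        print(f"unpinned package {pkg!r} in: RUN {run_arg}")
```

Running the block reports httpd, http and libxml2 and stays silent on the pinned httpd=2.4.46 and curl=7.79.1 lines; the HEALTHCHECK instruction is never inspected because only RUN arguments are parsed.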