# Dependency on Vulnerable Third-Party Component (CWE-1395)

The product uses a third-party component that contains one or more known vulnerabilities.

**Stack:** Docker

- Prevalence: High (frequently exploited)
- Impact: Medium (review recommended)
- Prevention: Documented (3 remediation examples)

**OWASP:** Security Misconfiguration (A05:2021-Security Misconfiguration) - #5

## Description

Using vulnerable dependencies exposes the application to known exploits. Container images and application dependencies should be regularly scanned and updated.

## Prevention

Prevention strategies for Dependency on Vulnerable Third-Party Component, based on 3 Shoulder detection rules.

### Docker

- Clean the apt cache in the same RUN layer to reduce image size
- Add --no-install-recommends to apt-get install to minimize image size
- Add the -y flag to apt-get install for non-interactive Docker builds

## Warning Signs

- [LOW] apt-get without cache cleanup increases image size
- [LOW] apt-get commands without cache cleanup in the same RUN layer
- [LOW] apt-get without --no-install-recommends increases image size
- [LOW] apt-get install commands without --no-install-recommends flag
- [LOW] apt-get install without -y flag may hang waiting for input

## Consequences

- Execute unauthorized code
- Read application data
- DoS

## Mitigations

- Regularly scan dependencies for vulnerabilities
- Keep all dependencies up to date with patched versions
- Use minimal base images for containers

## Detection

- Total rules: 3
- Languages: dockerfile

## Rules by Language

### Dockerfile (3 rules)

- **Docker apt-get Missing Cache Cleanup** [LOW]: Detects apt-get commands without cache cleanup in the same RUN layer.
  - Remediation: Clean up the apt cache in the same RUN command.

```dockerfile
RUN apt-get update && \
    apt-get install -y --no-install-recommends curl && \
    rm -rf /var/lib/apt/lists/*
```

  Learn more: https://shoulder.dev/learn/docker/cwe-1395/apt-cache-cleanup

- **Docker apt-get Missing --no-install-recommends** [LOW]: Detects apt-get install commands without the --no-install-recommends flag.
  - Remediation: Add --no-install-recommends to minimize image size.

```dockerfile
RUN apt-get install -y --no-install-recommends curl
```

  Learn more: https://shoulder.dev/learn/docker/cwe-1395/apt-no-install-recommends

- **Docker apt-get Missing -y Flag** [LOW]: Detects apt-get install commands without the -y flag for non-interactive builds.
  - Remediation: Add the -y flag for non-interactive installation.

```dockerfile
RUN apt-get install -y curl
```

  Learn more: https://shoulder.dev/learn/docker/cwe-1395/apt-missing-y-flag
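The three rules above all reason about one RUN layer at a time, so a checker has to join `\` continuations before looking at the apt-get invocations. The following is an added example (not Shoulder's own rule engine) that implements the three checks over a constructed Dockerfile; the finding names and the sample Dockerfile are assumptions made for this illustration.

```python
import re

# Constructed sample Dockerfile (not from the page) that trips all three rules
# on lines 2, 3 and 7 and is clean on the multi-line layer starting at line 4.
SAMPLE_DOCKERFILE = """\
FROM debian:bookworm-slim
RUN apt-get update
RUN apt-get install curl
RUN apt-get update && \\
    apt-get install -y --no-install-recommends git && \\
    rm -rf /var/lib/apt/lists/*
RUN apt-get install -y wget
"""

# Matches -y, combined short flags such as -qy, and the long spellings of -y.
_YES_FLAG = re.compile(r"(^|\s)(-[A-Za-z]*y[A-Za-z]*|--yes|--assume-yes)(\s|$)")


def run_layers(dockerfile_text):
    """Yield (start_line, command) for each RUN instruction, joining '\\' continuations."""
    lines = dockerfile_text.splitlines()
    i = 0
    while i < len(lines):
        start, line = i + 1, lines[i]
        while line.rstrip().endswith("\\") and i + 1 < len(lines):
            i += 1
            line = line.rstrip()[:-1] + " " + lines[i].strip()
        i += 1
        stripped = line.strip()
        if stripped.upper().startswith("RUN "):
            yield start, stripped[4:].strip()


def check_apt_layers(dockerfile_text):
    """Return [(line, finding), ...] for the three apt-get hygiene rules on the page."""
    findings = []
    for line_no, cmd in run_layers(dockerfile_text):
        if "apt-get" not in cmd:
            continue
        # Rule 1: any apt-get use in a layer that does not clean the list cache.
        if "rm -rf /var/lib/apt/lists/*" not in cmd:
            findings.append((line_no, "missing-cache-cleanup"))
        # Rules 2 and 3 apply per `apt-get install` invocation within the layer.
        for inst in re.findall(r"apt-get\s+install\b[^&|;]*", cmd):
            if "--no-install-recommends" not in inst:
                findings.append((line_no, "missing-no-install-recommends"))
            if not _YES_FLAG.search(inst):
                findings.append((line_no, "missing-y-flag"))
    return findings
```

Running `check_apt_layers(SAMPLE_DOCKERFILE)` reports the three single-line layers and nothing for the layer that follows the page's first remediation snippet.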