# Use of Unmaintained Third Party Components (CWE-1104)

The product relies on third-party components that are no longer being maintained by the original developer or by the open source community.

**Stack:** Docker

- Prevalence: Medium (2 languages covered)
- Impact: Medium (review recommended)
- Prevention: Documented (5 fix examples)

**OWASP:** Security Misconfiguration (A05:2021-Security Misconfiguration) - #5

## Description

Without ongoing maintenance, newly discovered vulnerabilities in these components will not be patched. The risk grows over time as more vulnerabilities are discovered in the unpatched component.

## Prevention

Prevention strategies for Use of Unmaintained Third Party Components, based on 4 Shoulder detection rules.

### Docker

- Pin base images to specific version tags or SHA digests for reproducible builds.
- Use `npm ci` instead of `npm install` for deterministic, reproducible Docker builds.
- Update `FROM` to a supported Node.js LTS version (`24-alpine` or `22-alpine`).

## Warning Signs

- [MEDIUM] Dockerfile uses ...: ...
- [MEDIUM] Base images using the "latest" tag or missing version tags
- [MEDIUM] Dockerfile uses ... which is end-of-life or outdated. IMPORTANT: Update to node:24-alpine (Active LTS) or node:22-alpine
- [MEDIUM] Dockerfiles using outdated or end-of-life Node
- [MEDIUM] Node.js versions are inconsistent across configuration files. Check the docker-image-outdated finding for the latest rec
- [MEDIUM] inconsistent Node
- [LOW] Dockerfile uses 'npm install' - consider 'npm ci' for reproducible builds.
- [LOW] Dockerfiles using `npm install` instead of `npm ci` for production builds

## Consequences

- Execute unauthorized code
- Read application data
- DoS

## Mitigations

- Regularly audit and update third-party dependencies
- Establish a process for monitoring component vulnerabilities
- Have a plan to replace components that are no longer maintained

## Detection

- Total rules: 5
- Languages: dockerfile, javascript

## Rules by Language

### Dockerfile (4 rules)

- **Docker Base Image Security** [MEDIUM]: Detects base images using the "latest" tag or missing version tags.
  - Remediation: Use specific version tags for base images.

    ```dockerfile
    FROM node:24-alpine
    ```

  Learn more: https://shoulder.dev/learn/docker/cwe-1104/base-image-security

- **Use npm ci for Reproducible Builds** [LOW]: Detects Dockerfiles using `npm install` instead of `npm ci` for production builds.
  - Remediation: Use `npm ci` instead of `npm install` for reproducible builds.

    ```dockerfile
    RUN npm ci
    ```

  Learn more: https://shoulder.dev/learn/docker/cwe-1104/npm-ci

- **Dockerfile Uses Outdated Node.js Version** [MEDIUM]: Detects Dockerfiles using outdated or end-of-life Node.js versions.
  - Remediation: Update to a supported Node.js LTS version.

    ```dockerfile
    FROM node:24-alpine
    ```

  Learn more: https://shoulder.dev/learn/docker/cwe-1104/outdated-node-version

- **Node.js Version Mismatch Between Configuration Files** [MEDIUM]: Detects inconsistent Node.js versions across project configuration files. When `.nvmrc` specifies one Node.js version but the Dockerfile uses a different one, the result is environment drift:
  - "Works on my machine" bugs (code works locally but fails in production)
  - Security inconsistencies (development may use a patched version while production uses a vulnerable one)
  - Dependency incompatibilities (npm packages may behave differently)
  - Debugging difficulties (hard to reproduce production issues)

  - Remediation: Align ALL configuration files to use the SAME Node.js version.

  IMPORTANT: Check the docker-image-outdated finding for the LATEST version. The API provides real-time version recommendations. After determining the latest version from docker-image-outdated, update:
  - Dockerfile: `FROM node:-alpine`
  - .nvmrc:
  - package.json engines.node: `">=.0.0"`

  NEVER downgrade. Always use the NEWER version shown in docker-image-outdated.
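As an added example (not Shoulder's own rule code), a small Python checker that applies the four Dockerfile rules above to a constructed weak Dockerfile and its hardened counterpart; the set of supported Node.js majors (22 and 24, the versions this page names), the image tags in the samples and the `.nvmrc` value are assumptions.

```python
import re

# Assumption: the Node.js majors this page names as supported LTS (node:24-alpine, node:22-alpine).
SUPPORTED_NODE_MAJORS = {22, 24}
FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.IGNORECASE)
NPM_INSTALL_RE = re.compile(r"^\s*RUN\b.*\bnpm\s+install\b", re.IGNORECASE)


def parse_image_ref(ref):
    """Split 'host:5000/node:22-alpine@sha256:...' into (name, tag, digest)."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    head, _, last = ref.rpartition("/")  # only the last path segment may carry a tag
    if ":" in last:
        repo, tag = last.split(":", 1)
        return (f"{head}/{repo}" if head else repo), tag, digest
    return ref, None, digest


def check_dockerfile(dockerfile, nvmrc=None):
    """Return (severity, message) findings mirroring the warning signs above."""
    findings, stages, node_majors = [], {"scratch"}, set()
    for line in dockerfile.splitlines():
        m = FROM_RE.match(line)
        if not m:
            if NPM_INSTALL_RE.match(line):
                findings.append(("LOW", "RUN uses 'npm install'; use 'npm ci' for reproducible builds"))
            continue
        name, tag, digest = parse_image_ref(m.group(1))
        if m.group(2):
            stages.add(m.group(2).lower())
        if name.lower() in stages:  # reference to an earlier build stage, or scratch: nothing to pin
            continue
        if digest is None and tag in (None, "latest"):
            findings.append(("MEDIUM", f"base image '{name}' is not pinned (tag={tag}); use a version tag or digest"))
        major = re.match(r"\d+", tag or "")
        if name.rsplit("/", 1)[-1] == "node" and major:
            node_majors.add(int(major.group()))
            if int(major.group()) not in SUPPORTED_NODE_MAJORS:
                findings.append(("MEDIUM", f"node:{tag} is outdated or end-of-life; use node:24-alpine or node:22-alpine"))
    want = re.match(r"v?(\d+)", (nvmrc or "").strip())
    if want and node_majors and int(want.group(1)) not in node_majors:
        findings.append(("MEDIUM", f".nvmrc pins Node {want.group(1)} but the Dockerfile uses {sorted(node_majors)}"))
    return findings


# Constructed sample inputs: a weak multi-stage Dockerfile and its hardened counterpart.
WEAK_DOCKERFILE = "FROM node:16 AS build\nRUN npm install\nFROM nginx\nCOPY --from=build /app/dist /srv\n"
HARDENED_DOCKERFILE = (WEAK_DOCKERFILE.replace("node:16", "node:22-alpine")
                       .replace("npm install", "npm ci").replace("FROM nginx", "FROM nginx:1.27-alpine"))
```

With `.nvmrc` set to `22`, the weak file yields four findings (outdated Node, `npm install`, unpinned `nginx`, and the `.nvmrc` mismatch) and the hardened file yields none; a digest-pinned `FROM node@sha256:...` is accepted as pinned even without a tag.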