# Dependency on Vulnerable Third-Party Component (CWE-1395)

The product uses a third-party component that contains one or more known vulnerabilities.

- Prevalence: High, frequently exploited
- Impact: Moderate, review recommended
- Prevention: Documented, 3 fix examples

**OWASP:** Security Misconfiguration (A05:2021-Security Misconfiguration) - #5

## Description

Using vulnerable dependencies exposes the application to known exploits. Container images and application dependencies should be regularly scanned and updated.

## Prevention

Prevention strategies for Dependency on Vulnerable Third-Party Component, based on 3 Shoulder detection rules.

### Docker

- Clean the apt cache in the same RUN layer to reduce image size
- Add --no-install-recommends to apt-get install to minimize image size
- Add the -y flag to apt-get install for non-interactive Docker builds

## Warning Signs

- [LOW] apt-get without cache cleanup increases image size
- [LOW] apt-get commands without cache cleanup in the same RUN layer
- [LOW] apt-get without --no-install-recommends increases image size
- [LOW] apt-get install commands without the --no-install-recommends flag
- [LOW] apt-get install without the -y flag may hang waiting for input

## Consequences

- Unauthorized code execution
- Reading of application data
- DoS

## Mitigations

- Run vulnerability scans on dependencies regularly
- Keep all dependencies on patched versions
- Use minimal base images for containers

## Detection

- Total rules: 3
- Languages: dockerfile

## Rules by Language

### Dockerfile (3 rules)

- **Docker apt-get Missing Cache Cleanup** [LOW]: Detects apt-get commands without cache cleanup in the same RUN layer.
  - Remediation: Clean up the apt cache in the same RUN command.

  ```dockerfile
  RUN apt-get update && \
      apt-get install -y --no-install-recommends curl && \
      rm -rf /var/lib/apt/lists/*
  ```

  Learn more: https://shoulder.dev/learn/docker/cwe-1395/apt-cache-cleanup

- **Docker apt-get Missing --no-install-recommends** [LOW]: Detects apt-get install commands without the --no-install-recommends flag.
  - Remediation: Add --no-install-recommends to minimize image size.

  ```dockerfile
  RUN apt-get install -y --no-install-recommends curl
  ```

  Learn more: https://shoulder.dev/learn/docker/cwe-1395/apt-no-install-recommends

- **Docker apt-get Missing -y Flag** [LOW]: Detects apt-get install commands without the -y flag for non-interactive builds.
  - Remediation: Add the -y flag for non-interactive installation.

  ```dockerfile
  RUN apt-get install -y curl
  ```

  Learn more: https://shoulder.dev/learn/docker/cwe-1395/apt-missing-y-flag
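As an added example (not Shoulder's engine or code from this page), the following Python checker applies the three Dockerfile rules above to a constructed Dockerfile: it folds backslash continuations, splits each RUN layer on `&&`, `||` and `;`, and reports the same three LOW findings. The parsing is deliberately simplified and assumes shell-form RUN instructions only.

```python
import re
import shlex

# Constructed sample: the first RUN layer violates all three rules,
# the second follows the remediation shown in the rule catalogue.
SAMPLE_DOCKERFILE = """\
FROM debian:bookworm-slim
RUN apt-get update && apt-get install curl
RUN apt-get update && \\
    apt-get install -y --no-install-recommends curl && \\
    rm -rf /var/lib/apt/lists/*
"""

def run_instructions(dockerfile: str) -> list[str]:
    """Return the shell text of each shell-form RUN instruction, with
    backslash-newline continuations folded into one line."""
    joined = re.sub(r"\\\s*\n", " ", dockerfile)
    runs = []
    for line in joined.splitlines():
        stripped = line.strip()
        if stripped.upper().startswith("RUN "):
            body = stripped[4:].strip()
            if not body.startswith("["):      # skip exec-form RUN ["..."]
                runs.append(body)
    return runs

def check_run(cmd: str) -> list[str]:
    """Evaluate one RUN layer against the three apt-get hygiene rules."""
    findings = []
    segments = [s.strip() for s in re.split(r"&&|\|\||;", cmd) if s.strip()]
    uses_apt = False
    for seg in segments:
        words = shlex.split(seg)
        if not words or words[0] != "apt-get":
            continue
        uses_apt = True
        opts = {w for w in words[1:] if w.startswith("-")}
        subcmds = [w for w in words[1:] if not w.startswith("-")]
        if subcmds and subcmds[0] == "install":
            if not opts & {"-y", "--yes", "--assume-yes"}:
                findings.append("apt-get install without -y flag")
            if "--no-install-recommends" not in opts:
                findings.append("apt-get install without --no-install-recommends")
    # Cache cleanup must happen in the same layer, or the lists stay in the image.
    cleans = any(re.search(r"\brm\s+-rf\s+/var/lib/apt/lists", s) for s in segments)
    if uses_apt and not cleans:
        findings.append("apt-get without cache cleanup in the same RUN layer")
    return findings

def scan(dockerfile: str) -> list[list[str]]:
    """Findings per RUN layer, in file order."""
    return [check_run(cmd) for cmd in run_instructions(dockerfile)]

if __name__ == "__main__":
    for i, f in enumerate(scan(SAMPLE_DOCKERFILE), 1):
        print(f"RUN #{i}:", f or "clean")
```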