Dependency on Vulnerable Third-Party Component
The product uses a third-party component that contains one or more known vulnerabilities.
Using vulnerable dependencies exposes the application to known exploits. Container images and application dependencies should be regularly scanned and updated.
Prevalence
High
Frequently exploited
Impact
Medium
Review recommended
Prevention
Documented
3 fix examples
2 Prevention
How to fix this vulnerability
Prevention strategies for Dependency on Vulnerable Third-Party Component, based on 3 Shoulder detection rules. All three rules are Dockerfile hygiene checks for apt-get usage and are rated LOW.
Docker
Docker apt-get Missing Cache Cleanup
LOW
Clean the apt cache in the same RUN layer to reduce image size. Removing the package lists in a later RUN layer does not help, because the files remain stored in the earlier layer.
FROM ubuntu:22.04
- RUN apt-get update && apt-get install -y --no-install-recommends curl
+ RUN apt-get update && \
+     apt-get install -y --no-install-recommends curl && \
+     rm -rf /var/lib/apt/lists/*
Docker apt-get Missing --no-install-recommends
LOW
Add --no-install-recommends to apt-get install to minimize image size
FROM ubuntu:22.04
- RUN apt-get update && apt-get install -y curl
+ RUN apt-get update && apt-get install -y --no-install-recommends curl
Docker apt-get Missing -y Flag
LOW
Add the -y flag to apt-get install for non-interactive Docker builds; without it, apt-get waits for a confirmation prompt that a build has no way to answer.
FROM ubuntu:22.04
- RUN apt-get update && apt-get install curl
+ RUN apt-get update && apt-get install -y curl
3 Detection
Find vulnerabilities in code
Use Shoulder to scan your code for Dependency on Vulnerable Third-Party Component patterns. 3 rules.
# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=1395
# Or scan the entire project
npx @shoulderdev/cli trust .
Detection rules (3)
Dockerfile
3 rules
Docker apt-get Missing Cache Cleanup
LOW
Detects apt-get commands without cache cleanup in the same RUN layer.
Docker apt-get Missing --no-install-recommends
LOW
Detects apt-get install commands without --no-install-recommends flag.
Docker apt-get Missing -y Flag
LOW
Detects apt-get install commands without the -y flag for non-interactive builds.
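The three rules above can be reproduced with a small standalone checker. The following is an added example written for this page, not Shoulder's own rule engine or CLI: it joins backslash line continuations so that a multi-line RUN is treated as one layer, then reports the three rule IDs listed on this page. The sample Dockerfile is constructed for the example and covers each rule plus the fully corrected form.

```python
import re

# Constructed sample: lines 2-4 each miss something, the final RUN is clean.
SAMPLE_DOCKERFILE = """\
FROM ubuntu:22.04
RUN apt-get update && apt-get install curl
RUN apt-get update && apt-get install -y curl
RUN apt-get update && apt-get install -y --no-install-recommends curl
RUN apt-get update && \\
    apt-get install -y --no-install-recommends curl && \\
    rm -rf /var/lib/apt/lists/*
"""


def parse_run_instructions(text):
    """Yield (line_number, command) for every RUN instruction.

    Backslash continuations are joined so the whole RUN is one logical
    layer, which is what the cache-cleanup rule reasons about.
    """
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        start = i + 1
        while line.rstrip().endswith("\\") and i + 1 < len(lines):
            line = line.rstrip()[:-1] + " " + lines[i + 1].strip()
            i += 1
        stripped = line.strip()
        if stripped.upper().startswith("RUN "):
            yield start, stripped[4:].strip()
        i += 1


def split_segments(command):
    """Split a shell command on &&, ||, ; and | into simple commands."""
    return [s.strip() for s in re.split(r"&&|\|\||;|\|", command) if s.strip()]


def has_yes_flag(tokens):
    # Accept -y, its long forms, and -y folded into a short option group (-qy).
    for t in tokens:
        if t in ("--yes", "--assume-yes"):
            return True
        if t.startswith("-") and not t.startswith("--") and "y" in t[1:]:
            return True
    return False


def check_run(command):
    """Return the rule IDs (as listed on this page) violated by one RUN layer."""
    findings = []
    segments = [s.split() for s in split_segments(command)]
    installs = [t for t in segments if "apt-get" in t and "install" in t]
    if not installs:
        return findings
    for tokens in installs:
        if not has_yes_flag(tokens):
            findings.append("docker-apt-missing-y-flag")
        if "--no-install-recommends" not in tokens:
            findings.append("docker-apt-missing-no-install-recommends")
    # Cleanup must happen in the same layer; a later RUN cannot shrink this one.
    cleaned = any(
        "rm" in t and any(a.startswith("/var/lib/apt/lists") for a in t)
        for t in segments
    )
    if not cleaned:
        findings.append("docker-apt-missing-cache-cleanup")
    return findings


def scan_dockerfile(text):
    """Return a list of (line_number, rule_id) findings for a Dockerfile."""
    results = []
    for lineno, cmd in parse_run_instructions(text):
        for rule in check_run(cmd):
            results.append((lineno, rule))
    return results


if __name__ == "__main__":
    for lineno, rule in scan_dockerfile(SAMPLE_DOCKERFILE):
        print(f"line {lineno}: {rule}")
```

Run it as a script to see one finding per line for the constructed sample, or call `scan_dockerfile()` on the contents of a real Dockerfile. The checker only looks at shell-form RUN instructions; exec-form (`RUN ["apt-get", ...]`) is not parsed, which is a simplification of this example.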
4 Warning signs
What to look for in code review
These patterns indicate potential Dependency on Vulnerable Third-Party Component vulnerabilities. Look for them during code reviews and security audits.
apt-get without cache cleanup increases image size (rule: docker-apt-missing-cache-cleanup)
apt-get commands without cache cleanup in the same RUN layer (rule: docker-apt-missing-cache-cleanup)
apt-get without --no-install-recommends increases image size (rule: docker-apt-missing-no-install-recommends)
apt-get install commands without the --no-install-recommends flag (rule: docker-apt-missing-no-install-recommends)
apt-get install without the -y flag may hang waiting for input (rule: docker-apt-missing-y-flag)
Scan your codebase: Dependency on Vulnerable Third-Party Component
The Shoulder CLI finds vulnerable patterns across your entire codebase.