# Dependency on Vulnerable Third-Party Component (CWE-1395)

The product uses a third-party component that contains one or more known vulnerabilities.

**Stack:** Docker

- Prevalence: High (frequently exploited)
- Impact: Medium (review recommended)
- Prevention: 3 documented fix examples

**OWASP:** Security Misconfiguration (A05:2021-Security Misconfiguration) - #5

## Description

Using vulnerable dependencies exposes the application to known exploits. In a container image every package that the Dockerfile installs is a third-party component that has to be kept patched, so the set of installed packages should be kept as small as possible, and both container images and application dependencies should be scanned and updated regularly.

## Prevention

Prevention strategies for Dependency on Vulnerable Third-Party Component, based on 3 Shoulder detection rules. These rules enforce apt-get hygiene in the Dockerfile; they do not detect a vulnerable package version by themselves, which is what the scanning under Mitigations is for.

### Docker

- Clean the apt cache in the same RUN layer to reduce image size. A `rm -rf /var/lib/apt/lists/*` in a later RUN instruction does not shrink the image, because the earlier layer still contains the files.
- Add --no-install-recommends to apt-get install to minimize image size. Fewer installed packages also means fewer third-party components that can carry a known vulnerability.
- Add the -y flag to apt-get install for non-interactive Docker builds; without it the build hangs (or fails) at the confirmation prompt.

Keeping `apt-get update` and `apt-get install` in the same RUN instruction, as the remediation snippet below does, also avoids installing packages from a stale package list when a cached `apt-get update` layer is reused.

## Warning Signs

- [LOW] apt-get without cache cleanup increases image size
- [LOW] apt-get commands without cache cleanup in the same RUN layer
- [LOW] apt-get without --no-install-recommends increases image size
- [LOW] apt-get install commands without --no-install-recommends flag
- [LOW] apt-get install without -y flag may hang waiting for input

## Consequences

- Unauthorized code execution
- Reading of application data
- DoS

## Mitigations

- Regularly scan dependencies for vulnerabilities
- Keep all dependencies at patched versions
- Use minimal base images for containers

## Detection

- Total rules: 3
- Languages: dockerfile

## Rules by Language

### Dockerfile (3 rules)

- **Docker apt-get Missing Cache Cleanup** [LOW]: Detects apt-get commands without cache cleanup in the same RUN layer.
  - Remediation: Clean up the apt cache in the same RUN command.

  ```dockerfile
  # update, install and cleanup in one layer, so the package lists never
  # persist into the final image
  RUN apt-get update && \
      apt-get install -y --no-install-recommends curl && \
      rm -rf /var/lib/apt/lists/*
  ```

  Learn more: https://shoulder.dev/learn/docker/cwe-1395/apt-cache-cleanup

- **Docker apt-get Missing --no-install-recommends** [LOW]: Detects apt-get install commands without the --no-install-recommends flag.
  - Remediation: Add --no-install-recommends to minimize image size.

  ```dockerfile
  # only curl and its hard dependencies are installed, not its "Recommends"
  RUN apt-get install -y --no-install-recommends curl
  ```

  Learn more: https://shoulder.dev/learn/docker/cwe-1395/apt-no-install-recommends

- **Docker apt-get Missing -y Flag** [LOW]: Detects apt-get install commands without the -y flag for non-interactive builds.
  - Remediation: Add the -y flag for non-interactive installation.

  ```dockerfile
  # -y answers the confirmation prompt, so the build cannot block on stdin
  RUN apt-get install -y curl
  ```

  Learn more: https://shoulder.dev/learn/docker/cwe-1395/apt-missing-y-flag
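As an added example (not part of the original page and not Shoulder's own implementation), the following Python checker applies the three Dockerfile rules above to a constructed Dockerfile and reports one finding per rule per RUN layer. The rule identifiers, the `Finding` type, the sample Dockerfile and the parsing simplifications (shell-form RUN only, commands split on `&&`, `||`, `;` and `|`) are assumptions of this example.

```python
"""Minimal checker for the three apt-get rules on this page (added example,
not Shoulder's own implementation).  It reads a Dockerfile, joins backslash
continued RUN instructions, and reports, per RUN layer:

  * apt-get install without -y (or --yes / --assume-yes)
  * apt-get install without --no-install-recommends
  * apt-get update/install without rm -rf /var/lib/apt/lists/* in the same layer

Simplifications (assumptions of this example): only shell-form RUN is parsed,
commands are split on &&, ||, ; and |, and comment lines inside a continued
RUN instruction are not handled.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line: int      # 1-based line of the RUN instruction that starts the layer
    rule: str      # hypothetical rule identifier used by this example
    message: str


# Rule identifiers and messages are this example's own naming, not Shoulder's.
RULES = {
    "apt-missing-y-flag": "apt-get install without -y may hang waiting for input",
    "apt-no-install-recommends": "apt-get install without --no-install-recommends",
    "apt-cache-cleanup": "apt-get without cache cleanup in the same RUN layer",
}

SPLIT_RE = re.compile(r"\s*(?:&&|\|\||;|\|)\s*")
# Matches the cleanup form shown in the page's remediation snippet.
CLEANUP_RE = re.compile(r"\brm\s+(?:-\w+\s+)+/var/lib/apt/lists(?:/\*?)?")


def parse_run_instructions(dockerfile: str):
    """Yield (line_no, command) for every shell-form RUN instruction,
    joining lines that end in a backslash."""
    lines = dockerfile.splitlines()
    i = 0
    while i < len(lines):
        raw = lines[i]
        if not raw.strip() or raw.lstrip().startswith("#"):
            i += 1
            continue
        start = i + 1
        buf = raw
        while buf.rstrip().endswith("\\") and i + 1 < len(lines):
            i += 1
            buf = buf.rstrip()[:-1] + " " + lines[i]
        i += 1
        m = re.match(r"\s*RUN\s+(.*)", buf, re.IGNORECASE | re.DOTALL)
        if m:
            yield start, m.group(1)


def _assume_yes(args):
    """True if apt-get was told to proceed without prompting (-y, -qy, --yes ...)."""
    for tok in args:
        if tok in ("--yes", "--assume-yes"):
            return True
        if tok.startswith("-") and not tok.startswith("--") and "y" in tok[1:]:
            return True
    return False


def check_dockerfile(text: str):
    """Return the list of Findings for a Dockerfile's contents."""
    findings = []
    for line_no, cmd in parse_run_instructions(text):
        uses_apt = False
        for segment in SPLIT_RE.split(cmd):
            tokens = segment.split()
            if "apt-get" not in tokens:
                continue
            args = tokens[tokens.index("apt-get") + 1:]
            if "update" in args or "install" in args:
                uses_apt = True
            if "install" not in args:
                continue
            if not _assume_yes(args):
                findings.append(Finding(line_no, "apt-missing-y-flag", RULES["apt-missing-y-flag"]))
            if "--no-install-recommends" not in args:
                findings.append(Finding(line_no, "apt-no-install-recommends", RULES["apt-no-install-recommends"]))
        # the cleanup must be in the same layer, so it is checked on the whole RUN command
        if uses_apt and not CLEANUP_RE.search(cmd):
            findings.append(Finding(line_no, "apt-cache-cleanup", RULES["apt-cache-cleanup"]))
    return findings


# Constructed sample input, not a real project's Dockerfile.
SAMPLE_DOCKERFILE = """\
FROM debian:bookworm-slim
# all three rules fire on this layer
RUN apt-get update && apt-get install curl
# the remediated form from this page: no findings
RUN apt-get update && \\
    apt-get install -y --no-install-recommends curl && \\
    rm -rf /var/lib/apt/lists/*
# -y is present, the other two rules still fire
RUN apt-get install -y ca-certificates
"""

if __name__ == "__main__":
    for f in check_dockerfile(SAMPLE_DOCKERFILE):
        print(f"line {f.line}: [{f.rule}] {f.message}")
```

Run it as a script to see the findings for the embedded sample; to check a real Dockerfile, pass its contents to `check_dockerfile`. The cleanup rule is evaluated against the whole joined RUN command rather than against the `apt-get` segment, which is exactly the "same layer" requirement: a cleanup in a separate RUN instruction lands in a different layer and is correctly not credited.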