# Dependency on Vulnerable Third-Party Component (CWE-1395)

The product uses a third-party component that contains one or more known vulnerabilities.

- Prevalence: High (frequently exploited)
- Impact: Medium (review recommended)
- Prevention: Documented (3 fix examples)

**OWASP:** A05:2021 - Security Misconfiguration (#5)

## Description

Using vulnerable dependencies exposes the application to known, often publicly documented exploits. Container images and application dependencies should be regularly scanned and updated.

## Prevention

Prevention strategies for Dependency on Vulnerable Third-Party Component, based on 3 Shoulder detection rules. The rules below cover Debian/Ubuntu package installation hygiene in Dockerfiles: they keep images small and limit the set of installed packages (and with it the number of packages that can carry a known vulnerability). They do not by themselves identify a vulnerable component; that is what the dependency scanning listed under Mitigations is for.

### Docker

- Clean the apt cache in the same RUN layer to reduce image size
- Add --no-install-recommends to apt-get install to minimize image size
- Add the -y flag to apt-get install for non-interactive Docker builds

## Warning Signs

- [LOW] apt-get commands without cache cleanup in the same RUN layer (increases image size)
- [LOW] apt-get install commands without the --no-install-recommends flag (increases image size)
- [LOW] apt-get install without the -y flag (the build may hang waiting for input)

## Consequences

- Execute Unauthorized Code
- Read Application Data
- DoS

## Mitigations

- Regularly scan dependencies for vulnerabilities
- Keep all dependencies updated to patched versions
- Use minimal base images for containers

## Detection

- Total rules: 3
- Languages: Dockerfile

## Rules by Language

### Dockerfile (3 rules)

- **Docker apt-get Missing Cache Cleanup** [LOW]: Detects apt-get commands without cache cleanup in the same RUN layer.
  - Remediation: Clean up the apt cache in the same RUN command. Removing the package lists in a later RUN does not help, because the earlier layer already contains them.

    ```dockerfile
    RUN apt-get update && \
        apt-get install -y --no-install-recommends curl && \
        rm -rf /var/lib/apt/lists/*
    ```

  - Learn more: https://shoulder.dev/learn/docker/cwe-1395/apt-cache-cleanup

- **Docker apt-get Missing --no-install-recommends** [LOW]: Detects apt-get install commands without the --no-install-recommends flag.
  - Remediation: Add --no-install-recommends to minimize image size.

    ```dockerfile
    RUN apt-get install -y --no-install-recommends curl
    ```

  - Learn more: https://shoulder.dev/learn/docker/cwe-1395/apt-no-install-recommends

- **Docker apt-get Missing -y Flag** [LOW]: Detects apt-get install commands without the -y flag for non-interactive builds.
  - Remediation: Add the -y flag for non-interactive installation.

    ```dockerfile
    RUN apt-get install -y curl
    ```

  - Learn more: https://shoulder.dev/learn/docker/cwe-1395/apt-missing-y-flag
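The following checker applies the three rules above to a Dockerfile. It is an added example written for this page, not Shoulder's own rule engine: it joins backslash continuations, splits each RUN layer into its `&&`/`;`/`|` separated commands, and reports an apt-get install without `-y` (including `-y` folded into a combined short flag such as `-qy`), an install without `--no-install-recommends`, and any layer that runs apt-get without an `rm ... /var/lib/apt/lists` in that same layer. The rule identifiers and the sample Dockerfile are constructed for the example.

```python
"""Check the RUN layers of a Dockerfile for the three apt-get hygiene rules.

Added example for this page; a stand-alone approximation of the rules, not
Shoulder's implementation. Rule ids below are this example's own labels.
"""
import json
import re
import shlex

RULE_CACHE = "apt-cache-cleanup"
RULE_RECOMMENDS = "apt-no-install-recommends"
RULE_YES = "apt-missing-y-flag"

# The cleanup the page's remediation shows: removing the package lists.
LISTS_CLEANUP = re.compile(r"^rm\s+(-\S+\s+)*/var/lib/apt/lists")

# Constructed sample input (not from the page). DEBIAN_FRONTEND is set on the
# last layer because -y only answers apt-get's own prompt; packages that ask
# questions through debconf still need the non-interactive frontend.
SAMPLE_DOCKERFILE = """\
FROM debian:bookworm-slim
# all three problems, spread over two layers
RUN apt-get update
RUN apt-get install curl
# compliant: one layer, -y, no recommends, lists removed in the same layer
RUN apt-get update && \\
    apt-get install -y --no-install-recommends curl ca-certificates && \\
    rm -rf /var/lib/apt/lists/*
# -y given as a combined short flag; still missing recommends flag and cleanup
RUN DEBIAN_FRONTEND=noninteractive apt-get install -qy git
"""


def logical_lines(text):
    """Return (line_number, instruction) pairs with backslash continuations joined."""
    out, buf, start = [], "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        s = raw.strip()
        if not s or s.startswith("#"):
            continue  # blank lines and comments, also allowed inside a continuation
        if not buf:
            start = n
        if s.endswith("\\"):
            buf += s[:-1] + " "
            continue
        out.append((start, (buf + s).strip()))
        buf = ""
    if buf:
        out.append((start, buf.strip()))
    return out


def run_body(instruction):
    """Return the shell text of a RUN instruction, or None for any other instruction."""
    m = re.match(r"run\s+(.*)", instruction, re.IGNORECASE | re.DOTALL)
    if not m:
        return None
    body = m.group(1)
    if body.startswith("["):  # exec form: RUN ["apt-get", "install", "curl"]
        try:
            return " ".join(json.loads(body))
        except ValueError:
            return body
    return body


def split_commands(body):
    """Split a shell line on the operators that chain commands inside one layer."""
    return [c.strip() for c in re.split(r"\s*(?:&&|\|\||;|\|)\s*", body) if c.strip()]


def check_layer(body):
    """Apply the three rules to one RUN layer; return a list of (rule_id, message)."""
    findings, has_apt_get, cleaned = [], False, False
    for cmd in split_commands(body):
        if LISTS_CLEANUP.match(cmd):
            cleaned = True
            continue
        try:
            tokens = shlex.split(cmd)
        except ValueError:
            tokens = cmd.split()
        if "apt-get" not in tokens:
            continue
        has_apt_get = True
        rest = tokens[tokens.index("apt-get") + 1:]  # options may precede the subcommand
        subcmd = next((t for t in rest if not t.startswith("-")), None)
        if subcmd != "install":
            continue
        flags = [t for t in rest if t.startswith("-")]
        assume_yes = any(
            t in ("--yes", "--assume-yes") or (not t.startswith("--") and "y" in t[1:])
            for t in flags
        )
        if not assume_yes:
            findings.append((RULE_YES, "apt-get install without -y: " + cmd))
        if "--no-install-recommends" not in flags:
            findings.append((RULE_RECOMMENDS, "apt-get install without --no-install-recommends: " + cmd))
    if has_apt_get and not cleaned:
        findings.append((RULE_CACHE, "apt-get used without rm -rf /var/lib/apt/lists/* in the same RUN layer"))
    return findings


def scan_dockerfile(text):
    """Return [(line_number, rule_id, message)] for every RUN layer in the Dockerfile text."""
    results = []
    for lineno, instruction in logical_lines(text):
        body = run_body(instruction)
        if body is None:
            continue
        for rule, msg in check_layer(body):
            results.append((lineno, rule, msg))
    return results


if __name__ == "__main__":
    for lineno, rule, msg in scan_dockerfile(SAMPLE_DOCKERFILE):
        print("line %d: [%s] %s" % (lineno, rule, msg))
```

Run against the sample, the checker reports the bare `apt-get update` layer for missing cleanup, all three findings for the `apt-get install curl` layer, two for the `-qy git` layer, and nothing for the compliant layer. The cleanup check is deliberately per layer: an `rm -rf /var/lib/apt/lists/*` in a later RUN leaves the lists in the earlier layer, which is exactly the case the first rule exists to catch.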