Dependency on Vulnerable Third-Party Component (CWE-1395)

Dependency on Vulnerable Third-Party Component

The product uses a third-party component that contains one or more known vulnerabilities.

Using vulnerable dependencies exposes the application to known exploits. Container images and application dependencies should be regularly scanned and updated.

Prevalence

High

Frequently exploited

Impact

Medium

Review recommended

Prevention

Documented

3 fix examples

2 Prevention

How to fix this vulnerability

Prevention strategies for Dependency on Vulnerable Third-Party based on 3 Shoulder detection rules.

🐳 Docker View all Docker details →

Docker apt-get Missing Cache Cleanup LOW

Clean apt cache in the same RUN layer to reduce image size

+3 -1 dockerfile

  FROM ubuntu:22.04
- RUN apt-get update && apt-get install -y --no-install-recommends curl
+ RUN apt-get update && \
+     apt-get install -y --no-install-recommends curl && \
+     rm -rf /var/lib/apt/lists/*

Docker apt-get Missing --no-install-recommends LOW

Add --no-install-recommends to apt-get install to minimize image size

+1 -1 dockerfile

  FROM ubuntu:22.04
- RUN apt-get update && apt-get install -y curl
+ RUN apt-get update && apt-get install -y --no-install-recommends curl

Docker apt-get Missing -y Flag LOW

Add -y flag to apt-get install for non-interactive Docker builds

+1 -1 dockerfile

  FROM ubuntu:22.04
- RUN apt-get update && apt-get install curl
+ RUN apt-get update && apt-get install -y curl

3 Detection

Find vulnerabilities in your code

Use Shoulder to scan your codebase for Dependency on Vulnerable Third-Party Component patterns. 3 rules.

terminal

# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=1395

# Or scan entire project
npx @shoulderdev/cli trust .

Detection Rules (3)

🐳 Dockerfile 3 rules

Docker apt-get Missing Cache Cleanup LOW

Detects apt-get commands without cache cleanup in the same RUN layer.

Docker apt-get Missing --no-install-recommends LOW

Detects apt-get install commands without --no-install-recommends flag.

Docker apt-get Missing -y Flag LOW

Detects apt-get install commands without the -y flag for non-interactive builds.

4 Warning Signs

What to watch for in code reviews

These patterns indicate potential Dependency on Vulnerable Third-Party Component vulnerabilities. Look for these during code reviews and security audits.

🔵

apt-get without cache cleanup increases image size docker-apt-missing-cache-cleanup

🔵

apt-get commands without cache cleanup in the same RUN layer docker-apt-missing-cache-cleanup

🔵

apt-get without --no-install-recommends increases image size docker-apt-missing-no-install-recommends

🔵

apt-get install commands without --no-install-recommends flag docker-apt-missing-no-install-recommends

🔵

apt-get install without -y flag may hang waiting for input docker-apt-missing-y-flag

🔍

Scan your codebase for Dependency on Vulnerable Third-Party Component

Shoulder CLI finds vulnerable patterns across your entire codebase.

npx shoulder trust Browse all rules