# Dependency on Vulnerable Third-Party Component (CWE-1395)

The product uses a third-party component that contains one or more known vulnerabilities.

- Prevalence: High, frequently exploited
- Impact: Medium, review recommended
- Prevention: 3 remediation examples documented

**OWASP:** Security Misconfiguration (A05:2021-Security Misconfiguration) - #5. Note that the weakness itself, shipping a component with known vulnerabilities, is the definition of A06:2021-Vulnerable and Outdated Components; the A05 mapping reflects the Dockerfile misconfiguration rules listed below.

## Description

Using vulnerable dependencies exposes the application to exploits that are already public and often weaponized. Container images and application dependencies should be scanned regularly and kept at patched versions.

## Prevention

Prevention strategy for Dependency on Vulnerable Third-Party Component, based on 3 Shoulder detection rules.

All three rules are Dockerfile hygiene checks. They make images smaller and builds deterministic, and fewer installed packages means fewer components that can carry a known vulnerability, but none of them detects a vulnerable component. Pair them with an image or dependency scanner and with regular rebuilds from an updated base image.

### Docker

- Clean the apt cache in the same RUN layer to reduce image size
- Add `--no-install-recommends` to `apt-get install` to minimize image size
- Add the `-y` flag to `apt-get install` for non-interactive Docker builds

## Warning Signs

- [LOW] `apt-get` commands without cache cleanup in the same RUN layer (the package lists stay in the image and increase its size)
- [LOW] `apt-get install` commands without the `--no-install-recommends` flag (recommended packages increase image size)
- [LOW] `apt-get install` commands without the `-y` flag (the build may hang waiting for input)

## Consequences

- Execute unauthorized code
- Read application data
- Denial of service (DoS)

## Mitigations

- Scan dependencies for vulnerabilities regularly
- Keep all dependencies at patched versions
- Use minimal base images for containers

## Detection

- Total rules: 3
- Languages: dockerfile

## Rules by Language

### Dockerfile (3 rules)

- **Docker apt-get Missing Cache Cleanup** [LOW]: Detects `apt-get` commands without cache cleanup in the same RUN layer.
  - Remediation: Remove the package lists in the same RUN command. Cleanup in a later RUN layer does not help, because the earlier layer still contains the files. Keeping `apt-get update` in the same layer as the install also avoids reusing a stale package list cached in an earlier layer.

```dockerfile
RUN apt-get update && \
    apt-get install -y --no-install-recommends curl && \
    rm -rf /var/lib/apt/lists/*
```

  Learn more: https://shoulder.dev/learn/docker/cwe-1395/apt-cache-cleanup

- **Docker apt-get Missing --no-install-recommends** [LOW]: Detects `apt-get install` commands without the `--no-install-recommends` flag.
  - Remediation: Add `--no-install-recommends` to minimize image size.

```dockerfile
RUN apt-get install -y --no-install-recommends curl
```

  Learn more: https://shoulder.dev/learn/docker/cwe-1395/apt-no-install-recommends

- **Docker apt-get Missing -y Flag** [LOW]: Detects `apt-get install` commands without the `-y` flag for non-interactive builds.
  - Remediation: Add the `-y` flag for non-interactive installation.

```dockerfile
RUN apt-get install -y curl
```

  Learn more: https://shoulder.dev/learn/docker/cwe-1395/apt-missing-y-flag
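The three rules above are easy to implement as a standalone Dockerfile check. The following Python script is an added example, not Shoulder's own rule engine: it joins backslash continuations so that a multi-line `RUN` is treated as one layer, splits the layer into its shell commands, and reports the three findings by starting line number. The rule identifiers, the `SAMPLE_DOCKERFILE` contents and the treatment of `apt-get clean` (which empties `/var/cache/apt/archives`, not `/var/lib/apt/lists`, and is therefore not counted as list cleanup) are this example's own choices.

```python
"""Minimal checker for the three apt-get hygiene rules (added example)."""
import json
import re
import shlex

# A layer counts as clean only if it removes the package lists itself;
# `apt-get clean` alone empties /var/cache/apt/archives, not /var/lib/apt/lists.
CLEANUP_RE = re.compile(r"\brm\s+(-\w+\s+)*/var/lib/apt/lists")
ENV_ASSIGN_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")


def logical_instructions(text):
    """Return [(line_no, instruction)] with backslash continuations joined.

    Blank lines and `#` comments are dropped even inside a continuation, as
    Docker's parser does, so a multi-line RUN becomes one instruction whose
    line number is the line it started on.
    """
    out, buf, start = [], [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if start is None:
            start = n
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        buf.append(line)
        out.append((start, " ".join(buf)))
        buf, start = [], None
    if buf:  # continuation that ran into end of file
        out.append((start, " ".join(buf)))
    return out


def shell_commands(instruction):
    """Split a RUN instruction into the individual commands it executes."""
    body = instruction[3:].strip()
    if body.startswith("["):  # exec form: a single command, no shell chaining
        try:
            return [" ".join(json.loads(body))]
        except ValueError:
            return [body]
    return [c.strip() for c in re.split(r"&&|\|\||;|\|", body) if c.strip()]


def tokens(cmd):
    """Tokenise a command, dropping leading VAR=value assignments."""
    try:
        words = shlex.split(cmd)
    except ValueError:  # unbalanced quotes: fall back to a whitespace split
        words = cmd.split()
    while words and ENV_ASSIGN_RE.match(words[0]):
        words.pop(0)
    return words


def has_yes_flag(words):
    """True for -y, --yes, --assume-yes, or -y combined with other short flags (-qy)."""
    for w in words:
        if w in ("--yes", "--assume-yes"):
            return True
        if w.startswith("-") and not w.startswith("--") and "y" in w:
            return True
    return False


def check_dockerfile(text):
    """Return findings as (rule_id, line_no, offending_text) in file order."""
    findings = []
    for line_no, instr in logical_instructions(text):
        if instr[:3].upper() != "RUN":
            continue
        uses_apt = False
        for cmd in shell_commands(instr):
            words = tokens(cmd)
            if not words or words[0] != "apt-get":
                continue
            uses_apt = True
            if "install" in words:
                if not has_yes_flag(words):
                    findings.append(("apt-missing-y-flag", line_no, cmd))
                if "--no-install-recommends" not in words:
                    findings.append(("apt-no-install-recommends", line_no, cmd))
        # Cleanup must happen in this same layer; a later RUN cannot shrink it.
        if uses_apt and not CLEANUP_RE.search(instr):
            findings.append(("apt-cache-cleanup", line_no, instr))
    return findings


# Constructed sample input for this example (not a real project's Dockerfile).
SAMPLE_DOCKERFILE = """\
FROM debian:bookworm-slim
# Flagged three times: no -y, no --no-install-recommends, lists left in the layer
RUN apt-get update && apt-get install curl
# Flagged once: the cleanup lives in a later layer, so this layer still ships the lists
RUN apt-get update && \\
    apt-get install -y --no-install-recommends ca-certificates
RUN rm -rf /var/lib/apt/lists/*
# Clean: one layer, combined short flags (-qy) and an env assignment are handled
RUN DEBIAN_FRONTEND=noninteractive apt-get update && \\
    apt-get install -qy --no-install-recommends git && \\
    rm -rf /var/lib/apt/lists/*
"""

if __name__ == "__main__":
    for rule, line_no, text in check_dockerfile(SAMPLE_DOCKERFILE):
        print(f"[LOW] line {line_no}: {rule}: {text}")
```

The checker deliberately keys on the start line of the joined instruction, so a finding on line 5 of the sample points at the `RUN` that opened the layer, not at the continuation line where the flag was missing; that is the line a reviewer edits. The exec form `RUN ["apt-get", "install", "curl"]` is parsed as JSON and checked the same way, which a plain regex over raw lines would miss.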