Dependency on Vulnerable Third-Party Component
The product uses a third-party component that contains one or more known vulnerabilities.
Using vulnerable dependencies exposes the application to known exploits. Container images and application dependencies should be regularly scanned and updated.
Prevalence: High
Frequently exploited
Impact: Medium
Review recommended
Prevention: Documented
Fix examples (3)
Prevention (2)
How to fix this vulnerability
Prevention strategies for Dependency on Vulnerable Third-Party Component, based on 3 Shoulder detection rules.
Docker
Docker apt-get Missing Cache Cleanup
LOW
Clean apt cache in the same RUN layer to reduce image size
  FROM ubuntu:22.04
- RUN apt-get update && apt-get install -y --no-install-recommends curl
+ RUN apt-get update && \
+     apt-get install -y --no-install-recommends curl && \
+     rm -rf /var/lib/apt/lists/*
Docker apt-get Missing --no-install-recommends
LOW
Add --no-install-recommends to apt-get install to minimize image size
  FROM ubuntu:22.04
- RUN apt-get update && apt-get install -y curl
+ RUN apt-get update && apt-get install -y --no-install-recommends curl
Docker apt-get Missing -y Flag
LOW
Add -y flag to apt-get install for non-interactive Docker builds
  FROM ubuntu:22.04
- RUN apt-get update && apt-get install curl
+ RUN apt-get update && apt-get install -y curl
Detection (3)
Find vulnerabilities in your code
Scan your code for Dependency on Vulnerable Third-Party Component patterns with Shoulder. 3 rules.

# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=1395
# Or scan the entire project
npx @shoulderdev/cli trust .
Detection rules (3)
Dockerfile (3 rules)
Docker apt-get Missing Cache Cleanup
LOW
Detects apt-get commands without cache cleanup in the same RUN layer.
Docker apt-get Missing --no-install-recommends
LOW
Detects apt-get install commands without --no-install-recommends flag.
Docker apt-get Missing -y Flag
LOW
Detects apt-get install commands without the -y flag for non-interactive builds.
Warning signs (4)
What to look for in code review
These patterns indicate a potential Dependency on Vulnerable Third-Party Component vulnerability. Watch for them during code review and security audits.
apt-get without cache cleanup increases image size (docker-apt-missing-cache-cleanup)
apt-get commands without cache cleanup in the same RUN layer (docker-apt-missing-cache-cleanup)
apt-get without --no-install-recommends increases image size (docker-apt-missing-no-install-recommends)
apt-get install commands without --no-install-recommends flag (docker-apt-missing-no-install-recommends)
apt-get install without -y flag may hang waiting for input (docker-apt-missing-y-flag)
Scan your codebase: Dependency on Vulnerable Third-Party Component
Shoulder CLI finds vulnerable patterns across your entire codebase.