generic.ci.security.use-frozen-lockfile.use-frozen-lockfile-pipenv

profile photo of returntocorpreturntocorp
Author
unknown
Download Count*

This rule has been deprecated.

Run Locally

Run in CI

Defintion

rules:
  - id: use-frozen-lockfile-pipenv
    patterns:
      - pattern: a()
      - pattern: b()
    message: This rule has been deprecated.
    languages:
      - generic
    severity: INFO
    metadata:
      category: security
      cwe:
        - "CWE-494: Download of Code Without Integrity Check"
      owasp:
        - A08:2021 - Software and Data Integrity Failures
      technology:
        - dockerfile
        - javascript
        - typescript
      references:
        - https://semgrep.dev
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues

Examples

use-frozen-lockfile.generic

# Install dependencies separately to improve caching
COPY package.json yarn.lock /app/
WORKDIR /app
# ruleid: use-frozen-lockfile-yarn
RUN yarn install
# trailing space
# ruleid: use-frozen-lockfile-yarn
RUN yarn install

# ok: use-frozen-lockfile-yarn
RUN yarn install --prod --frozen-lockfile --prefer-offline --ignore-optional --no-progress
# ok: use-frozen-lockfile-yarn
RUN yarn install --production --frozen-lockfile

# ok: use-frozen-lockfile-npm
# i am a comment, just to explain.. npm install

RUN yarn install --frozen-lockfile
RUN yarn install --immutable
# ruleid: use-frozen-lockfile-yarn
RUN yarn install some_package
RUN yarn install -g some_package
RUN yarn install --global some_package

RUN echo 'yarn installing foo'

RUN yarn install --frozen-lockfile
RUN yarn install --immutable
COPY . /app
RUN yarn build

WORKDIR /app
# ruleid: use-frozen-lockfile-yarn
RUN yarn install foo

RUN npm install foo
# ruleid: use-frozen-lockfile-npm
RUN npm install
RUN npm install -g some_package
RUN npm install --global some_package
RUN npm ci
COPY . /app
RUN yarn build

RUN echo 'npm installing foo'

# ok: use-frozen-lockfile-npm
RUN pnpm install