generic.ci.security.use-frozen-lockfile.use-frozen-lockfile-yarn

Author: returntocorp

To ensure reproducible and deterministic builds, make sure `yarn install` actually uses the committed lockfile. By default, `yarn install` will update the lockfile instead of holding to the pinned versions. With `--immutable`, yarn exits with a non-zero status if the install would modify the lockfile.

Definition

rules:
  - id: use-frozen-lockfile-yarn
    patterns:
      - pattern: |
          RUN ... yarn $INSTALL ...
      - pattern-not-inside: |
          RUN ... yarn $INSTALL ... --frozen-lockfile ... 
      - pattern-not-inside: |
          RUN ... yarn $INSTALL ... --immutable ...
      - pattern-not-inside: |
          RUN ... yarn $INSTALL ... -g ...
      - pattern-not-inside: |
          RUN ... yarn $INSTALL ... --global ...
      - metavariable-regex:
          metavariable: $INSTALL
          regex: ^(install)$
      - focus-metavariable: $INSTALL
    fix: |
      install --immutable
    message: To ensure reproducible and deterministic builds, when performing yarn
      install, make sure to use the lockfile. Yarn will update the lockfile
      rather than using the pinned versions. By using `--immutable` yarn will
      throw an exit code if the lockfile was to be modified.
    languages:
      - dockerfile
    severity: INFO
    metadata:
      category: security
      cwe:
        - "CWE-494: Download of Code Without Integrity Check"
      owasp:
        - A08:2021 - Software and Data Integrity Failures
      technology:
        - dockerfile
        - javascript
        - typescript
        - yarn
      references:
        - https://classic.yarnpkg.com/lang/en/docs/cli/install/
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]

Examples

use-frozen-lockfile.generic

# Install dependencies separately to improve caching
COPY package.json yarn.lock /app/
WORKDIR /app
# ruleid: use-frozen-lockfile-yarn
RUN yarn install
# trailing space
# ruleid: use-frozen-lockfile-yarn
RUN yarn install

# ok: use-frozen-lockfile-yarn
RUN yarn install --prod --frozen-lockfile --prefer-offline --ignore-optional --no-progress
# ok: use-frozen-lockfile-yarn
RUN yarn install --production --frozen-lockfile

RUN yarn install --frozen-lockfile
RUN yarn install --immutable
# ruleid: use-frozen-lockfile-yarn
RUN yarn install some_package
RUN yarn install -g some_package
RUN yarn install --global some_package

RUN echo 'yarn installing foo'

RUN yarn install --frozen-lockfile
RUN yarn install --immutable
COPY . /app
RUN yarn build

WORKDIR /app
# ruleid: use-frozen-lockfile-yarn
RUN yarn install foo

RUN npm install foo
# ruleid: use-frozen-lockfile-npm
RUN npm install
RUN npm install -g some_package
RUN npm install --global some_package
RUN npm ci
COPY . /app
RUN yarn build

RUN echo 'npm installing foo'

# ok: use-frozen-lockfile-npm
RUN pnpm install
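As an added illustration (not code from the rule, its author or the Semgrep project), here is a small Python checker that applies the rule's logic to a Dockerfile outside Semgrep: it walks shell-form RUN instructions, joins backslash continuations, splits chained commands, and flags every `yarn install` that carries neither `--frozen-lockfile` (the Yarn 1 flag) nor `--immutable` (its Yarn 2+ replacement) and is not a global install. The sample Dockerfile is constructed for this example and modelled on the test file above.

```python
import re

# Constructed sample Dockerfile, modelled on the rule's test file (not the project's own).
SAMPLE_DOCKERFILE = """\
COPY package.json yarn.lock /app/
RUN yarn install
RUN yarn install --prod --frozen-lockfile --prefer-offline
RUN yarn install --immutable
RUN yarn install -g some_package
RUN apk add --no-cache git && \\
    yarn install && yarn build
RUN echo 'yarn installing foo'
RUN npm install
"""

SAFE_FLAGS = {"--frozen-lockfile", "--immutable"}   # lockfile is enforced
GLOBAL_FLAGS = {"-g", "--global"}                   # global installs are out of scope

def run_instructions(dockerfile):
    """Yield (line_no, command) for each shell-form RUN, joining backslash continuations."""
    buf, start = [], None
    for no, raw in enumerate(dockerfile.splitlines(), 1):
        line = raw.rstrip()                          # trailing space must not hide a hit
        if not buf and not line.upper().startswith("RUN "):
            continue
        if not buf:
            start, line = no, line[4:]
        buf.append(line.rstrip("\\").strip())
        if not line.endswith("\\"):
            yield start, " ".join(buf)
            buf, start = [], None

def find_unfrozen_yarn_installs(dockerfile):
    """Return line numbers of RUN instructions that run `yarn install` without a guard."""
    hits = []
    for no, cmd in run_instructions(dockerfile):
        for segment in re.split(r"&&|\|\||;", cmd):  # each command of a chained RUN
            argv = segment.split()
            if argv[:2] != ["yarn", "install"]:
                continue
            flags = set(argv[2:])
            if not (flags & SAFE_FLAGS or flags & GLOBAL_FLAGS):
                hits.append(no)
                break
    return hits

def autofix(command):
    """Apply the rule's fix: add --immutable to the first bare `yarn install`."""
    return re.sub(r"\byarn install\b", "yarn install --immutable", command, count=1)
```

The checker only understands the shell form of RUN; the exec form (`RUN ["yarn", "install"]`) is not covered, just as the Semgrep pattern above targets the shell form.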