generic.dockerfile.best-practice.avoid-zypper-update.avoid-zypper-update

Download Count: 2,919
Packages in base images should be up-to-date, removing the need for 'zypper update'. If packages are out-of-date, consider contacting the base image maintainer.
Definition
rules:
- id: avoid-zypper-update
  severity: INFO
  languages:
  - generic
  message: Packages in base images should be up-to-date, removing the need for
    'zypper update'. If packages are out-of-date, consider contacting the base
    image maintainer.
  metadata:
    source-rule-url: https://github.com/hadolint/hadolint/wiki/DL3035
    references:
    - https://github.com/hadolint/hadolint/wiki/DL3035
    category: best-practice
    technology:
    - dockerfile
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
  paths:
    include:
    - "*dockerfile*"
    - "*Dockerfile*"
  pattern: zypper update
Examples
avoid-zypper-update.dockerfile
# cf. https://github.com/hadolint/hadolint/wiki/DL3035
FROM opensuse/leap:15.2
# ruleid: avoid-zypper-update
RUN zypper update -y
# ruleid: avoid-zypper-update
RUN zypper update -y && zypper install -y httpd\>=2.4 && zypper clean
# ok: avoid-zypper-update
RUN zypper install -y httpd\>=2.4 && zypper clean
# ok: avoid-zypper-update
RUN zypper patch --cve=cve-2015-7547 && zypper clean
Short Link: https://sg.run/KlbY