Skip to content

DL3035

Jump to bottom Edit New page
Moritz Röhrich edited this page Oct 21, 2020 · 1 revision

Do not use zypper update

Problematic code:

FROM opensuse/leap:15.2
RUN zypper update -y

Correct code:

FROM opensuse/leap:15.2
RUN zypper install -y httpd\>=2.4 && zypper clean
RUN zypper patch --cve=cve-2015-7547 && zypper clean

Rationale:

See DL3031, DL3005. Problems include:

  • Updates failing on packages from base images in unprivileged containers
  • Inconsistencies between builds producing problems for application developers

Notes:

This rule lints against blanket updates and dist-upgrades, but allows more specific updates by two methods:

  • use zypper install -y $PACKAGE>=$VERSION to upgrade a particular package, giving a version requirement.
  • use zypper patch to mitigate particular security vulnerabilities.
Add a custom footer
Add a custom sidebar
Clone this wiki locally