Skip to content

Files

Latest commit

 

History

History
35 lines (22 loc) · 896 Bytes

DL3035.md

File metadata and controls

35 lines (22 loc) · 896 Bytes

Pattern: Use of zypper update

Issue: -

Description

This rule lints against blanket updates and dist-upgrades, but allows more specific updates by two methods:

  • use zypper install -y $PACKAGE>=$VERSION to upgrade a particular package, giving a version requirement.
  • use zypper patch to mitigate particular security vulnerabilities.

Problems include:

  • updates failing on packages from base images in unprivileged containers
  • inconsistencies between builds producing problems for application developers

Example of incorrect code:

FROM opensuse/leap:15.2
RUN zypper update -y

Example of correct code:

FROM opensuse/leap:15.2
RUN zypper install -y httpd\>=2.4 && zypper clean
RUN zypper patch --cve=cve-2015-7547 && zypper clean

Further Reading