
npm install in a multiline run command is detected as a vulnerability

Open · onefloid opened this issue 1 year ago · 1 comment

Description

The following lines end up in an NPM Install Command Without Pinned Version vulnerability. All packages are pinned with versions in package.json.

#Dockerfile
RUN npm config set registry <internal_npm_registry> && \
    npm install && \
    npx vite build --mode $VITE_MODE

If I use three run commands instead, no vulnerability is found.

#Dockerfile
RUN npm config set registry <internal_npm_registry>
RUN npm install
RUN npx vite build --mode $VITE_MODE

Expected Behavior

No vulnerability

Actual Behavior

NPM Install Command Without Pinned Version, Severity: MEDIUM, Results: 1 Description: Check if packages installed by npm are pinning a specific version. Platform: Dockerfile Learn more about this vulnerability: https://docs.kics.io/latest/queries/dockerfile-queries/e36d8880-3f78-4546-b9a1-12f0745ca0d5

    [1]: ../../path/Dockerfile:5

            004: COPY frontend .
            005: RUN npm config set registry <internal_npm_registry> && \
            006:     npm install && \

• Version: v1.7.4

onefloid avatar Aug 01 '23 15:08 onefloid

I have a similar case.

No issue:

FROM node:20.11.0-alpine3.18

RUN apk add --no-cache git=2.40.1-r0 && npm install --global [email protected]

FROM node:20.11.0-alpine3.18

RUN apk add --no-cache git=2.40.1-r0 \
    && npm install --global [email protected]

With issue:

FROM node:20.11.0-alpine3.18

RUN apk add --no-cache git=2.40.1-r0 && \
    npm install --global [email protected]

FROM node:20.11.0-alpine3.18

RUN apk add --no-cache git=2.40.1-r0 \
    && npm install --global [email protected] \
    && echo "another command"

output:

Scanning with Keeping Infrastructure as Code Secure v1.7.12

[...]

------------------------------------

NPM Install Command Without Pinned Version, Severity: MEDIUM, Results: 1
Description: Check if packages installed by npm are pinning a specific version.
Platform: Dockerfile
Learn more about this vulnerability: https://docs.kics.io/latest/queries/dockerfile-queries/e36d8880-3f78-4546-b9a1-12f0745ca0d5

        [1]: Dockerfile:3

                002: 
                003: RUN apk add --no-cache git=2.40.1-r0 && \
                004:     npm install --global [email protected]

pjungermann avatar Feb 06 '24 18:02 pjungermann
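A minimal checker, added here as an illustration and not KICS's own query logic, that joins backslash continuations before splitting a RUN instruction on `&&`/`||`/`;`, so the multiline Dockerfiles in both reports above are judged by the same rule as their single-line forms; it treats a bare `npm install` (resolving from package.json) as not a pinning finding and flags only named packages without an `@version`. The sample Dockerfiles are constructed, and the npm version `10.2.4` is a placeholder because the page does not preserve the real value.

```python
import re
# Constructed sample Dockerfiles modelled on the ones in this thread; the npm
# version (10.2.4) is a placeholder because the page does not preserve it.
MULTILINE_BARE_INSTALL = """FROM node:20.11.0-alpine3.18
RUN npm config set registry http://registry.example.internal && \\
    npm install && \\
    npx vite build --mode $VITE_MODE
"""
MULTILINE_PINNED_GLOBAL = """FROM node:20.11.0-alpine3.18
RUN apk add --no-cache git=2.40.1-r0 \\
    && npm install --global npm@10.2.4 \\
    && echo "another command"
"""
MULTILINE_UNPINNED = """FROM node:20.11.0-alpine3.18
RUN apk add --no-cache git=2.40.1-r0 && \\
    npm install --global typescript
"""
SEPARATORS = re.compile(r"\s*(?:&&|\|\||;)\s*")
NPM_INSTALL = re.compile(r"^npm\s+(?:install|i|add)\b(.*)$")
PINNED = re.compile(r"^@?[^@\s]+@\S+$")   # name@version or @scope/name@version


def run_instructions(dockerfile: str):
    """Yield the shell text of each RUN instruction with '\\' continuations joined."""
    buf = ""
    for raw in dockerfile.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):          # continuation: keep accumulating
            buf += line[:-1] + " "
            continue
        logical = " ".join((buf + line).split())   # normalise whitespace
        buf = ""
        if logical.upper().startswith("RUN "):
            yield logical[4:]


def unpinned_npm_installs(dockerfile: str):
    """Return npm install commands that name a package without an @version."""
    findings = []
    for shell in run_instructions(dockerfile):
        for cmd in SEPARATORS.split(shell):   # judge each chained command alone
            m = NPM_INSTALL.match(cmd)
            if not m:
                continue
            pkgs = [a for a in m.group(1).split() if not a.startswith("-")]
            # A bare `npm install` resolves from package.json/package-lock.json and
            # is not a pinning finding; only named packages are checked.
            if pkgs and not all(PINNED.match(p) for p in pkgs):
                findings.append(cmd)
    return findings
```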