Checkmarx/kics

Query "Unpinned Package Version in Apk Add" for Docker detects missing versions for virtual package names

malte-laukoetter opened this issue · 1 comment

Expected Behavior

KICS should not report version pinning issues when using virtual packages.

Actual Behavior

For the RUN instruction apk add --no-cache --virtual build-dependencies gnupg=1.0.0 unzip=1.0.0 curl=1.0.0; KICS detects that version pinning is missing for "build-dependencies". This is not a package that is installed but the name of the virtual package used to group the installed dependencies, and therefore it shouldn't have a version.

Specifications

  • Version: 1.5.5
  • Platform: Docker
  • Subsystem: Dockerfiles
  • Query: d3499f6d-1651-41bb-a9a7-de925fea487b

References

Hi @Lergin!
Thank you for your input.
Hope #5181 solves the problem.
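To illustrate the parsing problem the issue describes, here is an added example (not KICS's query and not the fix in #5181) of a pinning check over a Dockerfile RUN line that skips the name given to --virtual / -t instead of treating it as a package. The set of apk options that take an argument is an assumption for this example.

```python
import re
import shlex

# apk add options that consume the next token as their argument (assumed list).
# --virtual/-t names a *virtual* package that only groups the real packages,
# so that token is a label, not an installed package, and carries no version.
OPTS_WITH_ARG = {"--virtual", "-t", "--repository", "-X", "--cache-dir", "--root", "-p"}
# apk version constraint operators (pkg=1.0, pkg~1.0, pkg<1.0, pkg>1.0)
VERSION_OPERATORS = ("=", "~", "<", ">")


def split_commands(run_line: str) -> list[str]:
    """Split a RUN shell line into its individual commands (&&, ||, ;, |)."""
    joined = run_line.replace("\\\n", " ")  # drop Dockerfile line continuations
    return [c.strip() for c in re.split(r"&&|\|\||;|\|", joined) if c.strip()]


def unpinned_apk_packages(run_line: str) -> list[str]:
    """Return package names passed to `apk add` without a version constraint.

    The --virtual/-t label is skipped, so the constructed input from the issue
    (build-dependencies plus three pinned packages) reports nothing.
    """
    unpinned = []
    for cmd in split_commands(run_line):
        tokens = shlex.split(cmd)
        if not tokens or tokens[0] != "apk" or "add" not in tokens:
            continue  # not an `apk add` invocation (e.g. `apk del ...`)
        args = tokens[tokens.index("add") + 1:]
        skip_next = False
        for tok in args:
            if skip_next:           # argument of a flag such as --virtual
                skip_next = False
                continue
            if tok.startswith("-"):  # option flag; remember if it takes an argument
                skip_next = tok in OPTS_WITH_ARG
                continue
            if not any(op in tok for op in VERSION_OPERATORS):
                unpinned.append(tok)
    return unpinned


if __name__ == "__main__":
    # Constructed sample taken from the issue text.
    line = "apk add --no-cache --virtual build-dependencies gnupg=1.0.0 unzip=1.0.0 curl=1.0.0"
    print(unpinned_apk_packages(line))  # → []
```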