[Scorecard:Docker-Deps]: Docker dependencies not pinned

[laurentsimon]

Hi team,

I ran OSSF's scorecard on your repo and it reported the following non-pinned docker dependencies:

!! frozen-deps/docker - src/drivers/npm/Dockerfile has non-pinned dependency 'node:12-bla2'
!! frozen-deps/docker - src/drivers/npm/Dockerfile has non-pinned dependency 'node:12-bla1'
!! frozen-deps/docker - src/drivers/npm/Dockerfile has non-pinned dependency 'node:12-alpine'

In light of recent supply chain attacks like codecov, it would be useful to pin the dependencies by hash.

Pinning by version or any floating tag does not protect sufficiently, since it still allows attackers to update the dependencies if they can compromise a project.

@laurentsimon @laurentsimon2 FYI

How to fix
The fix is to use a hash to pin the dependencies. You can find an example here.

To find the hash corresponding to your dependency, run:

$ docker pull <dep>
...
Digest: sha256:acf7795dc91df17e10effee064bd229580a9c34213b4dba578d64768af5d8c51
...

Updates remain feasible. Project owners usually enable github's dependabot through this settings. Dependabot will automatically
create PRs that you can review, accept or reject when new versions of your dependencies become available.

It is recommended to accept dependabot PRs regularly to receive security patches.

Several projects are taking steps to address the same issue, e.g. envoy proxy.

Please let me know if you have any questions.

[laurentsimon]

Re-opening this issue as scorecard reported the following issues:

!! frozen-deps/docker - src/drivers/npm/Dockerfile has non-pinned dependency 'node:12-bla2'
!! frozen-deps/docker - src/drivers/npm/Dockerfile has non-pinned dependency 'node:12-bla1'
!! frozen-deps/docker - src/drivers/npm/Dockerfile has non-pinned dependency 'node:12-alpine'

Please let me know if you have questions.

[laurentsimon]

Re-opening this issue as scorecard reported the following issues:

!! frozen-deps/docker - src/drivers/npm/Dockerfile has non-pinned dependency 'node:12-bla2'
!! frozen-deps/docker - src/drivers/npm/Dockerfile has non-pinned dependency 'node:12-bla1'
!! frozen-deps/docker - src/drivers/npm/Dockerfile has non-pinned dependency 'node:12-alpine'

Please let me know if you have questions.

[laurentsimon]

Re-opening this issue as scorecard reported the following issues:

$ ./scorecard --repo=github.com/laurentsimon/scorecard-remediation-tests/ --checks=Frozen-Deps

!! frozen-deps/docker - src/drivers/npm/Dockerfile has non-pinned dependency 'node:12-bla2'
!! frozen-deps/docker - src/drivers/npm/Dockerfile has non-pinned dependency 'node:12-bla1'
!! frozen-deps/docker - src/drivers/npm/Dockerfile has non-pinned dependency 'node:12-alpine'

Please let me know if you have questions.