zypper dist-upgrade
DOK-W1011

You should avoid zypper dist-upgrade, as many of the “essential” packages from the base images won't upgrade inside an unprivileged container.
This rule lints against blanket updates and dist-upgrades, but allows more specific updates by two methods:

- use zypper install -y $PACKAGE\>=$VERSION to upgrade a particular package, giving a version requirement (the > is escaped so the shell does not treat it as a redirect).
- use zypper patch to mitigate particular security vulnerabilities.
Not recommended:

FROM opensuse/leap:15.2
RUN zypper dist-upgrade

Recommended:

FROM opensuse/leap:15.2
RUN zypper install -y httpd\>=2.4 && zypper clean
RUN zypper patch --cve=cve-2015-7547 && zypper clean
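
A minimal sketch of a check like the one this rule describes, added here as an example; it is not the analyzer's own implementation. It goes slightly beyond the examples above by also recognising the zypper aliases dup and up, and it only handles shell-form RUN instructions. The function names and the sample Dockerfile are constructed for illustration.

```python
import re
import shlex

BLANKET = {"dist-upgrade", "dup"}  # always a finding
UPDATE = {"update", "up"}          # a finding only when no package is named

# Constructed sample input, not taken from a real project.
SAMPLE = r"""FROM opensuse/leap:15.2
RUN zypper -n dist-upgrade
RUN zypper refresh && \
    zypper -n dup && zypper clean
RUN zypper -n update
RUN zypper install -y httpd\>=2.4 && zypper clean
RUN zypper patch --cve=cve-2015-7547 && zypper clean
RUN zypper -n update curl
"""

def run_commands(dockerfile):
    """Yield (first_line_no, command) for each command in shell-form RUN steps."""
    joined, start = "", None
    for no, line in enumerate(dockerfile.splitlines(), 1):
        if start is None:
            if not re.match(r"\s*RUN\s", line, re.I):
                continue
            start, line = no, re.sub(r"^\s*RUN\s+", "", line, flags=re.I)
        if line.rstrip().endswith("\\"):      # line continuation: keep joining
            joined += line.rstrip()[:-1] + " "
            continue
        for cmd in re.split(r"&&|\|\||;|\|", joined + line):
            yield start, cmd.strip()
        joined, start = "", None

def find_blanket_upgrades(dockerfile):
    """Return (line_no, command) for blanket zypper updates and dist-upgrades."""
    findings = []
    for no, cmd in run_commands(dockerfile):
        try:
            words = shlex.split(cmd)
        except ValueError:                    # unbalanced quotes: skip, don't guess
            continue
        if not words or words[0] != "zypper":
            continue
        # Simplification: every non-option word counts as subcommand or package,
        # so option values such as "--root /x" are not understood.
        args = [w for w in words[1:] if not w.startswith("-")]
        if args and (args[0] in BLANKET or (args[0] in UPDATE and len(args) == 1)):
            findings.append((no, cmd))
    return findings

if __name__ == "__main__":
    for no, cmd in find_blanket_upgrades(SAMPLE):
        print(f"line {no}: avoid blanket upgrade: {cmd}")
```

The versioned install, the zypper patch --cve step and the update that names a package pass; the dist-upgrade, dup and bare update steps are reported with the line where their RUN instruction starts.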