By DeepSource

Do not use zypper dist-upgrade DOK-W1011

Bug risk

You should avoid zypper dist-upgrade, as many of the “essential” packages from the base images won't upgrade inside an unprivileged container.

This rule lints against blanket updates and dist-upgrades, but allows more targeted updates in two ways:

  • use zypper install -y $PACKAGE>=$VERSION to upgrade a particular package, giving a version requirement.

  • use zypper patch to mitigate particular security vulnerabilities.

Bad Practice

FROM opensuse/leap:15.2
RUN zypper dist-upgrade

Recommended

FROM opensuse/leap:15.2
RUN zypper install -y httpd\>=2.4 && zypper clean
RUN zypper patch --cve=cve-2015-7547 && zypper clean
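The check described above, written out as a small Dockerfile linter. This is an added example for this page, not DeepSource's implementation of DOK-W1011: it joins backslash continuations, splits each RUN instruction into its individual commands, and flags `zypper dist-upgrade`/`dup` unconditionally and `zypper update`/`up` only when no package is named, while leaving `zypper install PKG>=VER` and `zypper patch` alone. The set of global zypper options that take a value (`VALUE_OPTS`), the treatment of `update` with explicit packages as targeted, and the sample Dockerfile are assumptions made for the example.

```python
"""Added example: flag blanket zypper upgrades in a Dockerfile (not DeepSource's code)."""
import json
import re
import shlex

# subcommands this check treats as a whole-system upgrade (dup/up are zypper's short aliases)
DIST_UPGRADE = {"dist-upgrade", "dup"}
UPDATE = {"update", "up"}
# global zypper options that consume the following token as their value
# (assumption: a representative subset, not zypper's full option table)
VALUE_OPTS = {"-c", "--config", "-R", "--root", "--installroot",
              "-D", "--reposd-dir", "-C", "--cache-dir", "-p", "--plus-repo"}


def instructions(dockerfile):
    """Yield (line_no, KEYWORD, argument) per logical instruction, joining
    backslash continuations so a multi-line RUN is handled as one unit."""
    buf, start = [], None
    for n, raw in enumerate(dockerfile.splitlines(), 1):
        line = raw.strip()
        if not buf:
            if not line or line.startswith("#"):
                continue
            start = n
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        logical, buf = " ".join(buf), []
        keyword, _, arg = logical.partition(" ")
        yield start, keyword.upper(), arg.strip()


def commands(run_arg):
    """Split a RUN argument into argv lists. Exec form (JSON array) is one
    command; shell form is split on &&, ||, ; and |
    (assumption: those operators do not occur inside quoted strings)."""
    if run_arg.startswith("["):
        try:
            return [json.loads(run_arg)]
        except ValueError:
            pass  # not valid JSON: fall through and treat it as shell form
    parts = re.split(r"\s*(?:&&|\|\||;|\|)\s*", run_arg)
    return [shlex.split(p) for p in parts if p.strip()]


def zypper_subcommand(argv):
    """Return (subcommand, remaining_args) if argv invokes zypper, else None.
    Global options before the subcommand (e.g. --non-interactive, -n) are skipped."""
    if not argv or argv[0].rsplit("/", 1)[-1] != "zypper":
        return None
    i = 1
    while i < len(argv) and argv[i].startswith("-"):
        i += 2 if argv[i] in VALUE_OPTS else 1
    if i >= len(argv):
        return None
    return argv[i], argv[i + 1:]


def lint(dockerfile):
    """Return a list of (line_no, message) findings for blanket zypper upgrades."""
    findings = []
    for line_no, keyword, arg in instructions(dockerfile):
        if keyword != "RUN":
            continue
        for argv in commands(arg):
            hit = zypper_subcommand(argv)
            if hit is None:
                continue
            sub, rest = hit
            targets = [a for a in rest if not a.startswith("-")]
            if sub in DIST_UPGRADE:
                findings.append((line_no, f"DOK-W1011: 'zypper {sub}' upgrades the whole base "
                                          "image; use 'zypper install PKG>=VER' or 'zypper patch'"))
            elif sub in UPDATE and not targets:
                findings.append((line_no, f"DOK-W1011: blanket 'zypper {sub}'; "
                                          "name the packages to update instead"))
    return findings


# constructed sample Dockerfile: lines 3, 4 and 9 should be reported
SAMPLE = """\
FROM opensuse/leap:15.2
# blanket upgrades: flagged
RUN zypper --non-interactive dist-upgrade && zypper clean
RUN zypper -n up \\
    && zypper clean
# targeted operations: allowed
RUN zypper install -y 'httpd>=2.4' && zypper clean
RUN zypper patch --cve=cve-2015-7547 && zypper clean
RUN ["zypper", "dup", "-y"]
"""

if __name__ == "__main__":
    for line_no, message in lint(SAMPLE):
        print(f"Dockerfile:{line_no}: {message}")
```

Run it against a real Dockerfile by reading the file into `lint()`; each finding carries the line number of the RUN instruction that starts the offending command, so a continuation line reports the first line of the instruction.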