
Control docker-4.7 fails when running tests on environment with redhat/ubi9-minimal #80

Open
@edselg

Description


Control docker-4.7 "Do not use update instructions alone in the Dockerfile" fails when running tests on environment with redhat/ubi9-minimal.

The ubi9-minimal image has an image description that includes the text "updated". The test for control docker-4.7 only checks for the presence of text "update" which results in a match and causes the control to fail.

Perhaps the test should use a more precise reference to "apt-get update" or "apt update" to avoid unexpected matches.

Reproduction steps

Execute the following commands to reproduce the issue:

docker pull redhat/ubi9-minimal:9.3-1552
git clone https://github.com/dev-sec/cis-docker-benchmark.git
inspec exec cis-docker-benchmark --controls docker-4.7

Current Behavior

inspec with control docker-4.7 fails and the following message is output to the console:
(message has been formatted for readability)

+<missing>                                                                 6 weeks ago   
/bin/sh -c #(nop) LABEL description="The Universal Base Image Minimal is a stripped down image 
that uses microdnf as a package manager. This base image is freely redistributable, but Red Hat only 
supports Red Hat technologies through subscriptions for Red Hat products. This image is maintained 
by Red Hat and updated regularly."

Expected Behavior

Control docker-4.7 should not fail, as neither "RUN apt-get update" nor "RUN apt update" is being used.

OS / Environment

Ubuntu Linux 23.10
Docker 25.0.3

Inspec Version

6.6.0

Baseline Version

2.1.3

Additional information

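As an added example (not code from the issue author or from the cis-docker-benchmark project), here is a stricter form of the docker-4.7 check written in Ruby, the language InSpec profiles use. It treats only RUN layers as candidates, matches package-index refresh commands on word boundaries, and reports a layer only when the refresh is not chained with an install in the same instruction, so a LABEL containing "updated regularly" no longer trips it. The history lines, the regex patterns and the function names are all assumptions constructed for this illustration.

```ruby
# Added example, not part of cis-docker-benchmark. Demonstrates a precise
# check for the intent of control docker-4.7: a package-index refresh
# (apt-get update, apt update, apk update) used alone in a RUN instruction.

# Index-refresh commands, anchored on word boundaries and allowing option
# flags between the tool and the verb, so prose such as "updated regularly"
# inside a LABEL cannot match. (Assumed pattern set; extend as needed.)
UPDATE_CMDS = [
  /\b(?:apt-get|apt)\s+(?:-\S+\s+)*update\b/,
  /\bapk\s+(?:-\S+\s+)*update\b/
].freeze

# Install commands that, when chained in the same RUN, make the refresh fine.
INSTALL_CMDS = [
  /\b(?:apt-get|apt)\s+(?:-\S+\s+)*install\b/,
  /\bapk\s+(?:-\S+\s+)*add\b/
].freeze

# Extract the shell command from a docker-history "CREATED BY" entry.
# Non-RUN layers (LABEL, ENV, CMD ...) carry the "#(nop)" marker and yield nil,
# so their free text is never inspected for update keywords at all.
def run_command(history_line)
  return nil if history_line.include?('#(nop)')
  m = history_line.match(%r{/bin/sh -c (.*)\z}m)
  m && m[1]
end

# True when the command refreshes a package index without installing anything
# in the same instruction, which is the condition docker-4.7 is meant to catch.
def update_alone?(command)
  return false if command.nil?
  has_update  = UPDATE_CMDS.any?  { |re| command.match?(re) }
  has_install = INSTALL_CMDS.any? { |re| command.match?(re) }
  has_update && !has_install
end

# Walk a list of history entries and return the offending RUN commands.
def offending_layers(history_lines)
  history_lines.map { |l| run_command(l) }.select { |c| update_alone?(c) }
end

# Constructed sample history: the first entry mimics the ubi9-minimal LABEL
# from the issue, the rest are made-up RUN layers (one classic, one BuildKit).
SAMPLE_HISTORY = [
  '/bin/sh -c #(nop)  LABEL description="This image is maintained by Red Hat and updated regularly."',
  '/bin/sh -c apt-get update',
  '/bin/sh -c apt-get update && apt-get install -y curl',
  'RUN /bin/sh -c apk add --no-cache curl # buildkit'
].freeze

if __FILE__ == $PROGRAM_NAME
  # Prints ["apt-get update"]: only the bare refresh is reported.
  puts offending_layers(SAMPLE_HISTORY).inspect
end
```

The two-step design (skip non-RUN layers first, then match anchored commands) is what prevents the false positive in the report: image descriptions and other metadata never reach the keyword match, and even if they did, "updated" does not satisfy a pattern that requires the package tool name in front of it.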
