Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

BUG: pip install --upgrade pip in Dockerfile gets flagged #3953

Closed
duggalsu opened this issue Mar 19, 2024 · 2 comments
Closed

BUG: pip install --upgrade pip in Dockerfile gets flagged #3953

duggalsu opened this issue Mar 19, 2024 · 2 comments
Labels
kind/bug Something isn't working

Comments

@duggalsu
Copy link

Describe the bug
Running RUN pip install --no-cache-dir --upgrade pip in a Dockerfile gets flagged with pipCommand not pinned by hash.

Expected behavior
The correct approach to doing pip install is to upgrade pip first, so this should ideally not be flagged.
@duggalsu duggalsu added the kind/bug Something isn't working label Mar 19, 2024
@duggalsu
Copy link
Author

duggalsu commented Mar 22, 2024
edited
Loading

Based on the following, it seems to be safe to pin pip and setuptool. I would suggest a good process would be to first update these as pinned packages from a base requirements.txt before doing any further pip install.

Closing issue as it does not seem relevant now

@johnandersen777

This comment was marked as outdated.

Sign in to view
johnandersen777 pushed a commit to johnandersen777/dffml that referenced this issue Jun 22, 2024
@pdxjohnny
Revert "best practices: ossf scorecard: Pin pip install commands"
a9a16aa 
Related: ossf/scorecard#3953
Related: ossf/scorecard#4189
This reverts commit 0e59b55.
johnandersen777 pushed a commit to johnandersen777/dffml that referenced this issue Jun 23, 2024
@pdxjohnny
Revert "best practices: ossf scorecard: Pin pip install commands"
a3e1c33 
Related: ossf/scorecard#3953
Related: ossf/scorecard#4189
This reverts commit 0e59b55.
johnandersen777 pushed a commit to intel/dffml that referenced this issue Jun 23, 2024
@pdxjohnny
Revert "best practices: ossf scorecard: Pin pip install commands"
3a20c5c 
Related: ossf/scorecard#3953
Related: ossf/scorecard#4189
This reverts commit 0e59b55.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/bug Something isn't working
Projects
Scorecard - NEW
Status: Done
Milestone
No milestone
Development

No branches or pull requests
2 participants
@duggalsu @johnandersen777