Control docker-4.7 fails when running tests on environment with redhat/ubi9-minimal #80

Open
edselg opened this issue Mar 4, 2024 · 0 comments
edselg commented Mar 4, 2024

Description

Control docker-4.7 "Do not use update instructions alone in the Dockerfile" fails when running tests on environment with redhat/ubi9-minimal.

The ubi9-minimal image has an image description that includes the text "updated". The test for control docker-4.7 only checks for the presence of text "update" which results in a match and causes the control to fail.

Perhaps the test should use a more precise reference to "apt-get update" or "apt update" to avoid unexpected matches.

Reproduction steps

Execute the following commands to reproduce the issue:

docker pull redhat/ubi9-minimal:9.3-1552
git clone https://github.com/dev-sec/cis-docker-benchmark.git
inspec exec cis-docker-benchmark --controls docker-4.7

Current Behavior

inspec with control docker-4.7 fails and the following message is output to the console:
(message has been formatted for readability)

+<missing>                                                                 6 weeks ago   
/bin/sh -c #(nop) LABEL description="The Universal Base Image Minimal is a stripped down image 
that uses microdnf as a package manager. This base image is freely redistributable, but Red Hat only 
supports Red Hat technologies through subscriptions for Red Hat products. This image is maintained 
by Red Hat and updated regularly."

Expected Behavior

Control docker-4.7 should not fail as a "RUN apt-get update" or "RUN apt update" is not being used.

OS / Environment

Ubuntu Linux 23.10
Docker 25.0.3

Inspec Version

6.6.0

Baseline Version

2.1.3

@edselg edselg added the bug label Mar 4, 2024
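
The false positive reported above, as an added Ruby example that is not part of the issue or the baseline's own code: it compares the substring match the issue describes with a narrower match on the two commands the issue names. The function names, the regexes, the pairing with `install` and the sample history lines are assumptions made for illustration.

```ruby
# Added example: models the check described in the issue, not the baseline's code.

# "apt-get update" / "apt update", allowing option flags in between
# (e.g. "apt-get -y update"). Only the two commands named in the issue.
APT_UPDATE  = /\b(?:apt-get|apt)\s+(?:-\S+\s+)*update\b/
# Assumption: an update followed by an install in the same instruction
# is not an update "alone".
APT_INSTALL = /\b(?:apt-get|apt)\s+(?:-\S+\s+)*install\b/
# Classic-builder history shows metadata instructions (LABEL, CMD, ...)
# as "/bin/sh -c #(nop) ..."; those layers execute no command.
NOP_LAYER   = /#\(nop\)/

# Behaviour described in the issue: any line containing "update" is a finding.
def substring_findings(history_lines)
  history_lines.select { |line| line.include?('update') }
end

# Narrower check: executed layers that run an apt update without an install.
def update_alone_findings(history_lines)
  history_lines.reject { |line| line.match?(NOP_LAYER) }
               .select { |line| line.match?(APT_UPDATE) && !line.match?(APT_INSTALL) }
end

# Constructed sample of `docker history --no-trunc` lines. The first is the
# LABEL layer quoted in the issue, shortened; the rest are made up.
SAMPLE_HISTORY = [
  '<missing>  6 weeks ago  /bin/sh -c #(nop) LABEL description="... This image ' \
    'is maintained by Red Hat and updated regularly."  0B',
  '<missing>  6 weeks ago  /bin/sh -c #(nop)  CMD ["/bin/bash"]  0B',
  '<missing>  2 days ago   /bin/sh -c apt-get update  45MB',
  '<missing>  2 days ago   /bin/sh -c apt-get update && apt-get install -y curl  60MB',
  '<missing>  2 days ago   /bin/sh -c #(nop) LABEL note="run apt update before use"  0B'
].freeze

if __FILE__ == $PROGRAM_NAME
  puts "substring match: #{substring_findings(SAMPLE_HISTORY).size} findings"
  puts "narrowed match:  #{update_alone_findings(SAMPLE_HISTORY).size} findings"
end
```

On the sample, the substring match reports four lines, including the ubi9-minimal description, while the narrowed match reports only the standalone `apt-get update` layer.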