# DOCKER-BP-024: Install Only One of wget or curl

> **Severity:** LOW | **CWE:** CWE-710

- **Language:** Docker
- **Category:** Best Practice
- **URL:** https://codepathfinder.dev/registry/docker/best-practice/DOCKER-BP-024
- **Detection:** `pathfinder scan --ruleset docker/DOCKER-BP-024 --project .`

## Description

Detects installation of both wget and curl in the same Dockerfile.
Both tools serve the same purpose (downloading files), so installing both
wastes image space. Choose one tool and use it consistently.

## Vulnerable Code

```dockerfile
FROM ubuntu:22.04

# Bad: Installing both wget and curl wastes space
RUN apt-get update && apt-get install -y wget curl
```

## Secure Code

```dockerfile
FROM ubuntu:22.04

# Good: Choose one tool (curl is more feature-rich)
RUN apt-get update && apt-get install -y curl

# Or use wget if you prefer
# RUN apt-get update && apt-get install -y wget
```

## Detection Rule (Python SDK)

```python
from rules.container_decorators import dockerfile_rule
from rules.container_matchers import instruction
from rules.container_combinators import all_of


@dockerfile_rule(
    id="DOCKER-BP-024",
    name="Install Only One of wget or curl",
    severity="LOW",
    cwe="CWE-710",
    category="best-practice",
    tags="docker,dockerfile,wget,curl,download,tools,optimization,image-size,redundancy,best-practice",
    message="Installing both wget and curl wastes space. Choose one tool for downloads."
)
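def use_either_wget_or_curl():
    # Fires when the Dockerfile has a RUN instruction containing "wget" and a
    # RUN instruction containing "curl" (both may be the same instruction).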
    return all_of(
        instruction(type="RUN", contains="wget"),
        instruction(type="RUN", contains="curl")
    )
```
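The rule above keys on the strings `wget` and `curl` appearing in `RUN` instructions. As an added example (not Code Pathfinder's own code), the stand-alone check below narrows that to package-manager install commands, so a `RUN` that only invokes curl against a URL containing "wget" is not counted as an install. The function names, the package-manager list and the sample Dockerfiles are assumptions made for this example, and only shell-form `RUN` is handled.

```python
import re
import shlex

# Package-manager install subcommands (assumed list for this example; extend as needed).
INSTALL_CMDS = {("apt-get", "install"), ("apt", "install"), ("apk", "add"),
                ("yum", "install"), ("dnf", "install")}
TARGETS = {"wget", "curl"}


def run_instructions(text):
    """Yield the shell text of each shell-form RUN, joining backslash continuations."""
    text = re.sub(r"(?m)^[ \t]*#.*\n?", "", text)      # drop comment lines
    text = re.sub(r"\\[ \t]*\r?\n", " ", text)         # join continued lines
    for line in text.splitlines():
        m = re.match(r"\s*RUN\s+(.*)", line, re.IGNORECASE)
        if m:
            yield m.group(1)


def installed_download_tools(text):
    """Return which of wget/curl are installed through a package manager."""
    found = set()
    for shell in run_instructions(text):
        for segment in re.split(r"&&|\|\||[;|]", shell):
            try:
                tokens = shlex.split(segment)
            except ValueError:                          # quote split across segments
                tokens = segment.split()
            words = [t for t in tokens if not t.startswith("-")]
            for i in range(len(words) - 1):
                if (words[i], words[i + 1]) in INSTALL_CMDS:
                    # Strip version pins / arch suffixes: curl=7.81.0-1, curl:amd64
                    pkgs = {re.split(r"[=<>~:]", w)[0] for w in words[i + 2:]}
                    found |= pkgs & TARGETS
    return found


def violates_bp024(text):
    """True only when both tools are installed somewhere in the Dockerfile."""
    return installed_download_tools(text) == TARGETS


# Constructed sample Dockerfiles.
BOTH = "FROM ubuntu:22.04\nRUN apt-get update && apt-get install -y wget curl\n"
SPLIT = ("FROM alpine\nRUN apk add --no-cache \\\n    # fetch tool\n    curl\n"
         "RUN apk add --no-cache wget\n")
USE_ONLY = ("FROM ubuntu:22.04\nRUN apt-get update && apt-get install -y curl\n"
            "RUN curl -fsSL https://example.com/wget-mirror.tgz -o /tmp/a.tgz\n")

if __name__ == "__main__":
    for name, df in (("BOTH", BOTH), ("SPLIT", SPLIT), ("USE_ONLY", USE_ONLY)):
        print(name, sorted(installed_download_tools(df)), violates_bp024(df))
```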

## How to Fix

- Review your Dockerfile and install only one of wget or curl
- Follow Docker's official best practices for image building
- Use `docker build --check` to validate Dockerfile syntax and best practices

## FAQ

**Q: Why does this rule flag installing both wget and curl?**

Installing both wget and curl wastes space. Choose one tool for downloads.

**Q: How do I fix this?**

Review the secure code example above and apply the recommended pattern to your Dockerfile or docker-compose.yml.

## References

- [Docker Best Practices](https://docs.docker.com/develop/develop-images/dockerfile_best-practices/)
- [Dockerfile Best Practice: Use set -o pipefail with pipes](https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run)

