False Positives in the Secret Detection of a .NET solution? #2760

Open
mikeKuester opened this issue Nov 14, 2024 · 0 comments
Labels
question Further information is requested

Comments

mikeKuester commented Nov 14, 2024

Hi,

I'm just starting with Artifactory and Xray. I installed the JFrog CLI and executed the jf audit command in the solution directory. This solution is a .NET 8 project with a WPF client and a web app. In the results are 27 Secret Detections with medium severity, but I think these are all false positives?

🎃Medium │ C:/source/xxx/sources/xxx/Controlboard.WpfClient/obj/Release/net8.0-windows10.0.19041/win-x64/Controlboard.WpfClient_civxzpp2_wpftmp.assets.cache│ 11:1008 │ Use************ │

  • The obj folder is the intermediate folder for the compiler. I can't control what's in there, and it's a .cache file.
  • At the given position is a package with the name UserSecrets, which seems to be used by Grpc.Core.Api:

Microsoft.Extensions.Configuration.UserSecrets=lib/net8.0/Microsoft.Extensions.Configuration.UserSecrets.dll(Microsoft.Extensions.DependencyInjection7

Full line

Grpc.Core.Api$lib/netstandard2.1/Grpc.Core.Api.dll�Grpc.Net.Client�lib/net8.0/Grpc.Net.Client.dll�Grpc.Net.ClientFactory%lib/net8.0/Grpc.Net.ClientFactory.dll�Grpc.Net.Common�lib/net8.0/Grpc.Net.Common.dll�MathNet.Numerics�5.0.0�lib/net6.0/MathNet.Numerics.dll"Microsoft.Extensions.Configuration�8.0.01lib/net8.0/Microsoft.Extensions.Configuration.dll/Microsoft.Extensions.Configuration.Abstractions>lib/net8.0/Microsoft.Extensions.Configuration.Abstractions.dll8lib/net8.0/Microsoft.Extensions.Configuration.Binder.dll.Microsoft.Extensions.Configuration.CommandLine=lib/net8.0/Microsoft.Extensions.Configuration.CommandLine.dll7Microsoft.Extensions.Configuration.EnvironmentVariablesFlib/net8.0/Microsoft.Extensions.Configuration.EnvironmentVariables.dll1Microsoft.Extensions.Configuration.FileExtensions�8.0.1@lib/net8.0/Microsoft.Extensions.Configuration.FileExtensions.dll'Microsoft.Extensions.Configuration.Json6lib/net8.0/Microsoft.Extensions.Configuration.Json.dll.Microsoft.Extensions.Configuration.UserSecrets=lib/net8.0/Microsoft.Extensions.Configuration.UserSecrets.dll(Microsoft.Extensions.DependencyInjection7lib/net8.0/Microsoft.Extensions.DependencyInjection.dll5Microsoft.Extensions.DependencyInjection.AbstractionsDlib/net8.0/Microsoft.Extensions.DependencyInjection.Abstractions.dll 
Microsoft.Extensions.Diagnostics/lib/net8.0/Microsoft.Extensions.Diagnostics.dll-Microsoft.Extensions.Diagnostics.Abstractions<lib/net8.0/Microsoft.Extensions.Diagnostics.Abstractions.dll/Microsoft.Extensions.FileProviders.Abstractions>lib/net8.0/Microsoft.Extensions.FileProviders.Abstractions.dll+Microsoft.Extensions.FileProviders.Physical:lib/net8.0/Microsoft.Extensions.FileProviders.Physical.dll'Microsoft.Extensions.FileSystemGlobbing6lib/net8.0/Microsoft.Extensions.FileSystemGlobbing.dll�Microsoft.Extensions.Hosting+lib/net8.0/Microsoft.Extensions.Hosting.dll)Microsoft.Extensions.Hosting.Abstractions8lib/net8.0/Microsoft.Extensions.Hosting.Abstractions.dll�Microsoft.Extensions.Http(lib/net8.0/Microsoft.Extensions.Http.dll�Microsoft.Extensions.Logging+lib/net8.0/Microsoft.Extensions.Logging.dll8lib/net8.0/Microsoft.Extensions.Logging.Abstractions.dll*Microsoft.Extensions.Logging.Configuration9lib/net8.0/Microsoft.Extensions.Logging.Configuration.dll$Microsoft.Extensions.Logging.Console3lib/net8.0/Microsoft.Extensions.Logging.Console.dll"Microsoft.Extensions.Logging.Debug1lib/net8.0/Microsoft.Extensions.Logging.Debug.dll%Microsoft.Extensions.Logging.EventLog4lib/net8.0/Microsoft.Extensions.Logging.EventLog.dll(Microsoft.Extensions.Logging.EventSource7lib/net8.0/Microsoft.Extensions.Logging.EventSource.dll+lib/net8.0/Microsoft.Extensions.Options.dll4Microsoft.Extensions.Options.ConfigurationExtensionsClib/net8.0/Microsoft.Extensions.Options.ConfigurationExtensions.dll,Microsoft.Extensions.Options.DataAnnotations;lib/net8.0/Microsoft.Extensions.Options.DataAnnotations.dll�Microsoft.Extensions.Primitives.lib/net8.0/Microsoft.Extensions.Primitives.dll�Microsoft.Xaml.Behaviors.Wpf�1.1.1352lib/net6.0-windows7.0/Microsoft.Xaml.Behaviors.dll�NLog�5.3.4�lib/netstandard2.0/NLog.dll�NLog.Extensions.Logging�5.3.14&lib/net8.0/NLog.Extensions.Logging.dll�Notification.Wpf*lib/net8.0-windows7.0/Notification.Wpf.dll�Npgsql�lib/net8.0/Npgsql.dll�Ookii.Dialogs.Wpf�5.0.1+lib/net6.0-windows7.0/Ookii.Dialogs.Wpf.dll�OpenTK.Compute�4.3.0$lib/netcoreapp3.1/OpenTK.Compute.dll�OpenTK.Core"lib/netstandard2.1/OpenTK.Core.dll�OpenTK.GLWpfControl�4.2.3"lib/netcoreapp3.1/GLWpfControl.dll�OpenTK.Graphics&lib/netstandard2.1/OpenTK.Graphics.dllOpenTK.Input#lib/netstandard2.0/OpenTK.Input.dll�OpenTK.Mathematics)lib/netstandard2.1/OpenTK.Mathematics.dll

24 of the 27 detected "secrets" are this UserSecrets package.

The next is in the bin/../publish folder.

🎃Medium │ C:/source/xxx/sources/xxx/AppHost/bin/Release/net8.0-windows10.0.19041/win-x64/publish/wwwroot/_content/Microsoft.Fast.Components.FluentUI/lib/monaco-editor/min-maps/vs/base/worker/workerMain.js.map │ 1:734203 │ tok************ │

In this file it has two findings:

constructor(tokens: Uint32Array, endState: IState) {\n

public readonly tokens: Uint32Array;\n

And the last two secrets have been located in the hidden Visual Studio folder ".vs".

🎃Medium │ C:/source/TSA-Imager/sources/TSA-Imager/.vs/TSA-Imager/config/applicationhost.config │ 126:266 │ ses************ │

Ok, there are secrets stored, but these are the secrets for the internally used IIS web server for the local debugging sessions.

            <add name="AesProvider" type="Microsoft.ApplicationHost.AesProtectedConfigurationProvider" description="Uses an AES session key to encrypt and decrypt" keyContainerName="iisConfigurationKey" cspProviderName="" useOAEP="false" useMachineContainer="true" sessionKey="AQIAAA5mAAAApAAA/HKxkz6alrlAPez0IUgujj/6k3WxCDriHp6jvpv3yEZmo7h6SMzGLxo4mTrIQVHSkB7tmElHKfUFTzE2BWF7nFWHY6Z6qmGBauFzwJMwESjril7Gjz69RBFH259HQ6aRDq---------sYv3vKB0QU971tjX6H2B+9armlnC8UOuA6JYMDMI/VLLL16sng0fWAy5JYe0YVABVjiAWDW264RZW9Tr1Oax4qHZKg+SdjULxeOc2YmpX+d0yeITo1HkPF1hN1gHpIPIUDo05ilHUNfR3OkjVCIQK4cFKCq1s8NH+y+13MxUC4Fn1AlQ==" />
            <add name="IISWASOnlyAesProvider" type="Microsoft.ApplicationHost.AesProtectedConfigurationProvider" description="Uses an AES session key to encrypt and decrypt" keyContainerName="iisWasKey" cspProviderName="" useOAEP="false" useMachineContainer="true" sessionKey="AQIAAA5mAAAApAAALmU8lTC+v2qtfQiiiquvvLpUQqKLEXs+jSKoWCM/uPhyB++k4dwug19mGidNK5FYiWK2KYE1yhjVJcbp12E98Q0R2nT7eBiCMY2JairxQ591rqABK7keGaIjwH7PwG---------EkgMUX3jrxJi8LouxaIVPJAv/YQ1ZCWs8zImitxX/C/7o7yaIxznfsN5nGQzQfpUDPeby99aw2zPVTtZI2LaWIBON8guABvZ6JtJVDWmfdK6sodbnwdZkr6/Z2rfvamT1dC1SpQrGG7ulR/f9/GXvCaW10ZVKxekBF/CYlNMg==" />

Do I have to exclude all temporary (like obj) or hidden folders (like .vs) manually? If the CLI detects a nuget solution, isn't it possible that this is done by default, or could there be a real security risk in these folders?

This works: jf audit --nuget --exclusions "*obj*;*.vs*"

The "bin/../publish" folder could not be excluded, so these are real false-positive results, which I could not suppress.

@mikeKuester mikeKuester added the question Further information is requested label Nov 14, 2024
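The issue asks which of these findings are build noise and which deserve a look, and shows an exclusion pattern that silences obj and .vs but not bin/publish. The script below is an added triage helper, not part of the JFrog CLI or of the issue. It parses rows in the shape of the quoted jf audit secrets table, buckets each finding by where it lives in a .NET build tree (compiler intermediates under obj, per-machine IDE state under .vs, vendored assets under bin/.../publish, everything else as needs-review), and applies a semicolon-separated exclusion string in the style of `--exclusions "*obj*;*.vs*"`. The sample rows, paths and masked values are constructed for the example, and the glob matching uses Python's fnmatch as a stand-in; how the real `--exclusions` flag matches paths is an assumption here, not something the issue establishes.

```python
"""Bucket secret-scanner findings on a .NET build tree by path location.

Added example; not part of the jf CLI or the issue. Rows follow the layout of
the jf audit secrets table: severity │ path │ line:col │ masked value │.
"""
import re
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Dict, List, Optional, Tuple

# Constructed sample rows. Paths, positions and masked values are made up;
# the last row deliberately has "obj" inside a source directory name.
SAMPLE_ROWS = [
    "🎃Medium │ C:/src/app/Client/obj/Release/net8.0/win-x64/Client_wpftmp.assets.cache │ 11:1008 │ Use************ │",
    "🎃Medium │ C:/src/app/AppHost/bin/Release/net8.0/win-x64/publish/wwwroot/_content/Vendor/lib/editor/min-maps/vs/base/worker/workerMain.js.map │ 1:734203 │ tok************ │",
    "🎃Medium │ C:/src/app/.vs/app/config/applicationhost.config │ 126:266 │ ses************ │",
    "🎃Medium │ C:/src/app/AppHost/appsettings.Production.json │ 7:22 │ Con************ │",
    "🎃Medium │ C:/src/app/Server/Models/objects/UserSecretsStore.cs │ 42:18 │ key************ │",
]

# Leading \W* swallows the emoji marker in front of the severity word.
ROW_RE = re.compile(
    r"^\W*(?P<sev>\w+)\s*│\s*(?P<path>.+?)\s*│\s*"
    r"(?P<line>\d+):(?P<col>\d+)\s*│\s*(?P<masked>\S+)\s*│"
)


@dataclass
class Finding:
    severity: str
    path: str
    line: int
    col: int
    masked: str
    bucket: str
    note: str


def bucket_for(path: str) -> Tuple[str, str]:
    """Classify a finding by its location in a typical .NET solution tree."""
    p = path.replace("\\", "/").lower()
    if "/obj/" in p:
        return ("build-intermediate",
                "MSBuild/NuGet intermediate output, regenerated on every build; "
                "check the matched token (here a package name) rather than the file")
    if "/.vs/" in p:
        return ("ide-local-state",
                "Visual Studio per-machine state; applicationhost.config holds keys for "
                "the local debugging web server. Keep .vs out of version control and "
                "out of the scanned tree")
    if "/bin/" in p and "/publish/" in p and p.endswith(".map"):
        return ("vendored-source-map",
                "source map shipped with a third-party package; the match is identifier "
                "text, not a credential")
    return ("needs-review",
            "not a known build-artifact location; treat as real until a human has looked")


def parse_row(row: str) -> Optional[Finding]:
    m = ROW_RE.match(row.strip())
    if not m:
        return None
    bucket, note = bucket_for(m["path"])
    return Finding(m["sev"], m["path"], int(m["line"]), int(m["col"]),
                   m["masked"], bucket, note)


def excluded(path: str, exclusions: str) -> bool:
    """Semicolon-separated globs, any match excludes (fnmatch semantics assumed)."""
    p = path.replace("\\", "/")
    return any(fnmatch(p, pat.strip()) for pat in exclusions.split(";") if pat.strip())


def triage(rows: List[str], exclusions: str = "") -> Dict[str, List[str]]:
    """Group finding paths by exclusion status or bucket, in input order."""
    report: Dict[str, List[str]] = {}
    for f in filter(None, map(parse_row, rows)):
        status = "excluded" if excluded(f.path, exclusions) else f.bucket
        report.setdefault(status, []).append(f.path)
    return report


if __name__ == "__main__":
    for label, excl in (("no exclusions", ""), ("*obj*;*.vs*", "*obj*;*.vs*")):
        print(f"--- {label}")
        for status, paths in triage(SAMPLE_ROWS, excl).items():
            for path in paths:
                print(f"{status:20} {path}")
```

Run without exclusions, the obj, .vs and source-map rows land in their artifact buckets and the two source files are flagged for review. With `*obj*;*.vs*` applied the way fnmatch reads it, the obj and .vs rows disappear as intended, the source map still surfaces (matching what the issue reports for bin/publish), and the row under `Models/objects/` is silenced too: a bare `*obj*` matches any path that contains those three letters, so a narrower pattern such as `*/obj/*` is the safer tuning if the scanner's matcher accepts it.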