New JWT detection finds sample code in dependency docs #5772

rossgrady · 2023-12-11T22:39:01Z

rossgrady
Dec 11, 2023

IDs

(secrets) JWT in PyJWT-2.8.0

Description

Recently our builds started failing & after some exploration, we realized that we had upgraded from trivy 0.47 to 0.48, which introduced JWT secret scanning.

I Googled the particular context provided by trivy (see below) & was taken directly to the docs for the module that had the secret found . . . i.e. it's sample code from the docs (https://pyjwt.readthedocs.io/en/latest/usage.html)

I'm curious about where the responsibility lies here to mitigate this . . . do I just exclude & move on, do I raise this with y'all, do I raise it with the PyJWT maintainers? At the moment I figured I'd start this discussion, since (a) it's a brand new feature and (b) I might not be the only one who tripped over this, so putting this here will make it find-able by others :)

/usr/local/lib64/python3.8/site-packages/PyJWT-2.8.0.dist-info/METADATA (secrets)
=================================================================================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
MEDIUM: JWT (jwt-token)
════════════════════════════════════════════════════════════════════════════════
JWT token
────────────────────────────────────────────────────────────────────────────────
 /usr/local/lib64/python3.8/site-packages/PyJWT-2.8.0.dist-info/METADATA:90 (added by 'pip3 install /code')
────────────────────────────────────────────────────────────────────────────────
  88       >>> encoded = jwt.encode({"some": "payload"}, "secret", algorithm="HS256")
  89       >>> print(encoded)
  90 [     *********************************************************************************************************
  91       >>> jwt.decode(encoded, "secret", algorithms=["HS256"])
────────────────────────────────────────────────────────────────────────────────

Reproduction Steps

1. build a container image that includes a pip install of PyJWT-2.8.0
2. trivy scan the resulting container image

Target

Container Image

Scanner

Secret

Target OS

No response

Debug Output

./trivy image --exit-code 1 --ignore-unfixed icr.io/git-defenders/detect-secrets:redhat-ubi-custom --debug                  
2023-12-11T17:35:03.121-0500	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-12-11T17:35:03.122-0500	DEBUG	Ignore statuses	{"statuses": ["unknown","not_affected","affected","under_investigation","will_not_fix","fix_deferred","end_of_life"]}
2023-12-11T17:35:03.163-0500	DEBUG	cache dir:  /Users/ragrady/Library/Caches/trivy
2023-12-11T17:35:03.163-0500	DEBUG	DB update was skipped because the local DB is the latest
2023-12-11T17:35:03.163-0500	DEBUG	DB Schema: 2, UpdatedAt: 2023-12-11 18:11:01.766139561 +0000 UTC, NextUpdate: 2023-12-12 00:11:01.76613918 +0000 UTC, DownloadedAt: 2023-12-11 22:24:54.85924 +0000 UTC
2023-12-11T17:35:03.163-0500	INFO	Vulnerability scanning is enabled
2023-12-11T17:35:03.163-0500	DEBUG	Vulnerability type:  [os library]
2023-12-11T17:35:03.163-0500	INFO	Secret scanning is enabled
2023-12-11T17:35:03.163-0500	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-12-11T17:35:03.163-0500	INFO	Please see also https://aquasecurity.github.io/trivy/v0.48/docs/scanner/secret/#recommendation for faster secret detection
2023-12-11T17:35:03.163-0500	DEBUG	Enabling misconfiguration scanners: [azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan]
2023-12-11T17:35:03.446-0500	DEBUG	No secret config detected: trivy-secret.yaml
2023-12-11T17:35:03.446-0500	DEBUG	The nuget packages directory couldn't be found. License search disabled
2023-12-11T17:35:03.446-0500	DEBUG	No secret config detected: trivy-secret.yaml
2023-12-11T17:35:03.586-0500	DEBUG	Image ID: sha256:8145e16b0513fc01a1e52ebca1a46f2d8d8a97da829a8c94461770f55642cd76
2023-12-11T17:35:03.586-0500	DEBUG	Diff IDs: [sha256:14946186767bc29fcb3592d96f656b4e95dc5a6736fa696729a6c6f26f061bd7 sha256:48677a2742d0906e9dd37503352cb05a3507773fb328c83c07365c3bb491c8e9 sha256:f9888c3e741e5440e9c9a63854a969019918ac00aece87005385509a6e497c20 sha256:78b6589fcc83f42b939934b676b524ff0d0a032124a7b2952ea586b69155c817 sha256:044d60468dd0f5c68f4f9a9aff050b1b39046a52c696c19f496da869d12b96ac sha256:506d0aca9859a06a05471238c6865e841269901fbc7c2c538e4f0138bb8d0a47 sha256:e48b238ea6413a9c42d8dc64581dd2d767b4d6eb5cffcbfc72a98768d34db61e sha256:f5ad4441ab680b94f50d6c044bb1ab964d59992d9fc9baaa637c65b2e9cc82f7 sha256:0d230c65bd57a7035a3c3cc9c193af5bb09d1f47e2724f5bd4b61be61de2be88]
2023-12-11T17:35:03.586-0500	DEBUG	Base Layers: [sha256:14946186767bc29fcb3592d96f656b4e95dc5a6736fa696729a6c6f26f061bd7 sha256:48677a2742d0906e9dd37503352cb05a3507773fb328c83c07365c3bb491c8e9 sha256:f9888c3e741e5440e9c9a63854a969019918ac00aece87005385509a6e497c20 sha256:78b6589fcc83f42b939934b676b524ff0d0a032124a7b2952ea586b69155c817 sha256:044d60468dd0f5c68f4f9a9aff050b1b39046a52c696c19f496da869d12b96ac sha256:506d0aca9859a06a05471238c6865e841269901fbc7c2c538e4f0138bb8d0a47 sha256:e48b238ea6413a9c42d8dc64581dd2d767b4d6eb5cffcbfc72a98768d34db61e sha256:f5ad4441ab680b94f50d6c044bb1ab964d59992d9fc9baaa637c65b2e9cc82f7]
2023-12-11T17:35:03.663-0500	INFO	Detected OS: redhat
2023-12-11T17:35:03.663-0500	INFO	Detecting RHEL/CentOS vulnerabilities...
2023-12-11T17:35:03.663-0500	DEBUG	Red Hat: os version: 8
2023-12-11T17:35:03.663-0500	DEBUG	Red Hat: the number of packages: 176
2023-12-11T17:35:03.699-0500	INFO	Number of language-specific files: 1
2023-12-11T17:35:03.699-0500	INFO	Detecting python-pkg vulnerabilities...
2023-12-11T17:35:03.699-0500	DEBUG	Detecting library vulnerabilities, type: python-pkg, path: 
2023-12-11T17:35:03.700-0500	DEBUG	Secret file: /usr/local/lib64/python3.8/site-packages/PyJWT-2.7.0.dist-info/METADATA

icr.io/git-defenders/detect-secrets:redhat-ubi-custom (redhat 8.8)

Total: 37 (UNKNOWN: 0, LOW: 2, MEDIUM: 28, HIGH: 7, CRITICAL: 0)

┌────────────────────────┬────────────────┬──────────┬────────┬────────────────────┬────────────────────────┬──────────────────────────────────────────────────────────────┐
│        Library         │ Vulnerability  │ Severity │ Status │ Installed Version  │     Fixed Version      │                            Title                             │
├────────────────────────┼────────────────┼──────────┼────────┼────────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ curl                   │ CVE-2023-27536 │ MEDIUM   │ fixed  │ 7.61.1-30.el8_8.2  │ 7.61.1-30.el8_8.3      │ curl: GSS delegation too eager connection re-use             │
│                        │                │          │        │                    │                        │ https://avd.aquasec.com/nvd/cve-2023-27536                   │
│                        ├────────────────┤          │        │                    │                        ├──────────────────────────────────────────────────────────────┤
│                        │ CVE-2023-28321 │          │        │                    │                        │ curl: IDN wildcard match may lead to Improper Cerificate     │
│                        │                │          │        │                    │                        │ Validation                                                   │
│                        │                │          │        │                    │                        │ https://avd.aquasec.com/nvd/cve-2023-28321                   │
├────────────────────────┼────────────────┤          │        ├────────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ emacs-filesystem       │ CVE-2022-48337 │          │        │ 1:26.1-10.el8_8.2  │ 1:26.1-11.el8          │ emacs: command execution via shell metacharacters            │
│                        │                │          │        │                    │                        │ https://avd.aquasec.com/nvd/cve-2022-48337                   │
│                        ├────────────────┤          │        │                    │                        ├──────────────────────────────────────────────────────────────┤
│                        │ CVE-2022-48339 │          │        │                    │                        │ emacs: command injection vulnerability in htmlfontify.el     │
│                        │                │          │        │                    │                        │ https://avd.aquasec.com/nvd/cve-2022-48339                   │
├────────────────────────┼────────────────┼──────────┤        ├────────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ glibc                  │ CVE-2023-4911  │ HIGH     │        │ 2.28-225.el8       │ 2.28-225.el8_8.6       │ glibc: buffer overflow in ld.so leading to privilege         │
│                        │                │          │        │                    │                        │ escalation                                                   │
│                        │                │          │        │                    │                        │ https://avd.aquasec.com/nvd/cve-2023-4911                    │
│                        ├────────────────┼──────────┤        │                    │                        ├──────────────────────────────────────────────────────────────┤
│                        │ CVE-2023-4527  │ MEDIUM   │        │                    │                        │ glibc: Stack read overflow in getaddrinfo in no-aaaa mode    │
│                        │                │          │        │                    │                        │ https://avd.aquasec.com/nvd/cve-2023-4527                    │
│                        ├────────────────┤          │        │                    │                        ├──────────────────────────────────────────────────────────────┤
│                        │ CVE-2023-4806  │          │        │                    │                        │ glibc: potential use-after-free in getaddrinfo()             │
│                        │                │          │        │                    │                        │ https://avd.aquasec.com/nvd/cve-2023-4806                    │
│                        ├────────────────┤          │        │                    │                        ├──────────────────────────────────────────────────────────────┤
│                        │ CVE-2023-4813  │          │        │                    │                        │ glibc: potential use-after-free in gaih_inet()               │
│                        │                │          │        │                    │                        │ https://avd.aquasec.com/nvd/cve-2023-4813                    │
├────────────────────────┼────────────────┼──────────┤        │                    │                        ├──────────────────────────────────────────────────────────────┤
│ glibc-common           │ CVE-2023-4911  │ HIGH     │        │                    │                        │ glibc: buffer overflow in ld.so leading to privilege         │
│                        │                │          │        │                    │                        │ escalation                                                   │
│                        │                │          │        │                    │                        │ https://avd.aquasec.com/nvd/cve-2023-4911                    │
│                        ├────────────────┼──────────┤        │                    │                        ├──────────────────────────────────────────────────────────────┤
│                        │ CVE-2023-4527  │ MEDIUM   │        │                    │                        │ glibc: Stack read overflow in getaddrinfo in no-aaaa mode    │
│                        │                │          │        │                    │                        │ https://avd.aquasec.com/nvd/cve-2023-4527                    │
│                        ├────────────────┤          │        │                    │                        ├──────────────────────────────────────────────────────────────┤
│                        │ CVE-2023-4806  │          │        │                    │                        │ glibc: potential use-after-free in getaddrinfo()             │
│                        │                │          │        │                    │                        │ https://avd.aquasec.com/nvd/cve-2023-4806                    │
│                        ├────────────────┤          │        │                    │                        ├──────────────────────────────────────────────────────────────┤
│                        │ CVE-2023-4813  │          │        │                    │                        │ glibc: potential use-after-free in gaih_inet()               │
│                        │                │          │        │                    │                        │ https://avd.aquasec.com/nvd/cve-2023-4813                    │
├────────────────────────┼────────────────┼──────────┤        │                    │                        ├──────────────────────────────────────────────────────────────┤
│ glibc-minimal-langpack │ CVE-2023-4911  │ HIGH     │        │                    │                        │ glibc: buffer overflow in ld.so leading to privilege         │
│                        │                │          │        │                    │                        │ escalation                                                   │
│                        │                │          │        │                    │                        │ https://avd.aquasec.com/nvd/cve-2023-4911                    │
│                        ├────────────────┼──────────┤        │                    │                        ├──────────────────────────────────────────────────────────────┤
│                        │ CVE-2023-4527  │ MEDIUM   │        │                    │                        │ glibc: Stack read overflow in getaddrinfo in no-aaaa mode    │
│                        │                │          │        │                    │                        │ https://avd.aquasec.com/nvd/cve-2023-4527                    │
│                        ├────────────────┤          │        │                    │                        ├──────────────────────────────────────────────────────────────┤
│                        │ CVE-2023-4806  │          │        │                    │                        │ glibc: potential use-after-free in getaddrinfo()             │
│                        │                │          │        │                    │                        │ https://avd.aquasec.com/nvd/cve-2023-4806                    │
│                        ├────────────────┤          │        │                    │                        ├──────────────────────────────────────────────────────────────┤
│                        │ CVE-2023-4813  │          │        │                    │                        │ glibc: potential use-after-free in gaih_inet()               │
│                        │                │          │        │                    │                        │ https://avd.aquasec.com/nvd/cve-2023-4813                    │
├────────────────────────┼────────────────┼──────────┤        ├────────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ krb5-libs              │ CVE-2022-42898 │ HIGH     │        │ 1.18.2-22.el8_7    │ 1.18.2-25.el8_8        │ krb5: integer overflow vulnerabilities in PAC parsing        │
│                        │                │          │        │                    │                        │ https://avd.aquasec.com/nvd/cve-2022-42898                   │
├────────────────────────┼────────────────┼──────────┤        ├────────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ libcap                 │ CVE-2023-2603  │ MEDIUM   │        │ 2.48-4.el8         │ 2.48-5.el8_8           │ libcap: Integer Overflow in _libcap_strdup()                 │
│                        │                │          │        │                    │                        │ https://avd.aquasec.com/nvd/cve-2023-2603                    │
│                        ├────────────────┼──────────┤        │                    │                        ├──────────────────────────────────────────────────────────────┤
│                        │ CVE-2023-2602  │ LOW      │        │                    │                        │ libcap: Memory Leak on pthread_create() Error                │
│                        │                │          │        │                    │                        │ https://avd.aquasec.com/nvd/cve-2023-2602                    │
├────────────────────────┼────────────────┼──────────┤        ├────────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ libcurl                │ CVE-2023-27536 │ MEDIUM   │        │ 7.61.1-30.el8_8.2  │ 7.61.1-30.el8_8.3      │ curl: GSS delegation too eager connection re-use             │
│                        │                │          │        │                    │                        │ https://avd.aquasec.com/nvd/cve-2023-27536                   │
│                        ├────────────────┤          │        │                    │                        ├──────────────────────────────────────────────────────────────┤
│                        │ CVE-2023-28321 │          │        │                    │                        │ curl: IDN wildcard match may lead to Improper Cerificate     │
│                        │                │          │        │                    │                        │ Validation                                                   │
│                        │                │          │        │                    │                        │ https://avd.aquasec.com/nvd/cve-2023-28321                   │
├────────────────────────┼────────────────┼──────────┤        ├────────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ libnghttp2             │ CVE-2023-44487 │ HIGH     │        │ 1.33.0-3.el8_2.1   │ 1.33.0-5.el8_8         │ HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable   │
│                        │                │          │        │                    │                        │ to a DDoS attack...                                          │
│                        │                │          │        │                    │                        │ https://avd.aquasec.com/nvd/cve-2023-44487                   │
├────────────────────────┼────────────────┼──────────┤        ├────────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ libssh                 │ CVE-2023-1667  │ MEDIUM   │        │ 0.9.6-6.el8        │ 0.9.6-10.el8_8         │ libssh: NULL pointer dereference during rekeying with        │
│                        │                │          │        │                    │                        │ algorithm guessing                                           │
│                        │                │          │        │                    │                        │ https://avd.aquasec.com/nvd/cve-2023-1667                    │
│                        ├────────────────┤          │        │                    │                        ├──────────────────────────────────────────────────────────────┤
│                        │ CVE-2023-2283  │          │        │                    │                        │ libssh: authorization bypass in pki_verify_data_signature    │
│                        │                │          │        │                    │                        │ https://avd.aquasec.com/nvd/cve-2023-2283                    │
├────────────────────────┼────────────────┤          │        │                    │                        ├──────────────────────────────────────────────────────────────┤
│ libssh-config          │ CVE-2023-1667  │          │        │                    │                        │ libssh: NULL pointer dereference during rekeying with        │
│                        │                │          │        │                    │                        │ algorithm guessing                                           │
│                        │                │          │        │                    │                        │ https://avd.aquasec.com/nvd/cve-2023-1667                    │
│                        ├────────────────┤          │        │                    │                        ├──────────────────────────────────────────────────────────────┤
│                        │ CVE-2023-2283  │          │        │                    │                        │ libssh: authorization bypass in pki_verify_data_signature    │
│                        │                │          │        │                    │                        │ https://avd.aquasec.com/nvd/cve-2023-2283                    │
├────────────────────────┼────────────────┤          │        ├────────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ libxml2                │ CVE-2023-28484 │          │        │ 2.9.7-16.el8       │ 2.9.7-16.el8_8.1       │ libxml2: NULL dereference in xmlSchemaFixupComplexType       │
│                        │                │          │        │                    │                        │ https://avd.aquasec.com/nvd/cve-2023-28484                   │
│                        ├────────────────┤          │        │                    │                        ├──────────────────────────────────────────────────────────────┤
│                        │ CVE-2023-29469 │          │        │                    │                        │ libxml2: Hashing of empty dict strings isn't deterministic   │
│                        │                │          │        │                    │                        │ https://avd.aquasec.com/nvd/cve-2023-29469                   │
├────────────────────────┼────────────────┤          │        ├────────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ ncurses                │ CVE-2023-29491 │          │        │ 6.1-9.20180224.el8 │ 6.1-9.20180224.el8_8.1 │ ncurses: Local users can trigger security-relevant memory    │
│                        │                │          │        │                    │                        │ corruption via malformed data                                │
│                        │                │          │        │                    │                        │ https://avd.aquasec.com/nvd/cve-2023-29491                   │
├────────────────────────┤                │          │        │                    │                        │                                                              │
│ ncurses-base           │                │          │        │                    │                        │                                                              │
│                        │                │          │        │                    │                        │                                                              │
│                        │                │          │        │                    │                        │                                                              │
├────────────────────────┤                │          │        │                    │                        │                                                              │
│ ncurses-libs           │                │          │        │                    │                        │                                                              │
│                        │                │          │        │                    │                        │                                                              │
│                        │                │          │        │                    │                        │                                                              │
├────────────────────────┼────────────────┼──────────┤        ├────────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ openssh                │ CVE-2023-38408 │ HIGH     │        │ 8.0p1-17.el8_7     │ 8.0p1-19.el8_8         │ Remote code execution in ssh-agent PKCS#11 support           │
│                        │                │          │        │                    │                        │ https://avd.aquasec.com/nvd/cve-2023-38408                   │
├────────────────────────┤                │          │        │                    │                        │                                                              │
│ openssh-clients        │                │          │        │                    │                        │                                                              │
│                        │                │          │        │                    │                        │                                                              │
├────────────────────────┼────────────────┼──────────┤        ├────────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ perl-HTTP-Tiny         │ CVE-2023-31486 │ MEDIUM   │        │ 0.074-1.el8        │ 0.074-2.el8            │ http-tiny: insecure TLS cert default                         │
│                        │                │          │        │                    │                        │ https://avd.aquasec.com/nvd/cve-2023-31486                   │
├────────────────────────┼────────────────┼──────────┤        ├────────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ shadow-utils           │ CVE-2023-4641  │ LOW      │        │ 2:4.6-17.el8       │ 2:4.6-19.el8           │ shadow-utils: possible password leak during passwd(1) change │
│                        │                │          │        │                    │                        │ https://avd.aquasec.com/nvd/cve-2023-4641                    │
├────────────────────────┼────────────────┼──────────┤        ├────────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ sqlite-libs            │ CVE-2020-24736 │ MEDIUM   │        │ 3.26.0-17.el8_7    │ 3.26.0-18.el8_8        │ sqlite: Crash due to misuse of window functions.             │
│                        │                │          │        │                    │                        │ https://avd.aquasec.com/nvd/cve-2020-24736                   │
├────────────────────────┼────────────────┤          │        ├────────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ systemd-libs           │ CVE-2023-26604 │          │        │ 239-74.el8_8       │ 239-74.el8_8.2         │ systemd: privilege escalation via the less pager             │
│                        │                │          │        │                    │                        │ https://avd.aquasec.com/nvd/cve-2023-26604                   │
└────────────────────────┴────────────────┴──────────┴────────┴────────────────────┴────────────────────────┴──────────────────────────────────────────────────────────────┘
2023-12-11T17:35:03.718-0500	INFO	Table result includes only package filenames. Use '--format json' option to get the full path to the package file.

Python (python-pkg)

Total: 7 (UNKNOWN: 0, LOW: 2, MEDIUM: 3, HIGH: 2, CRITICAL: 0)

┌─────────────────────────┬─────────────────────┬──────────┬────────┬───────────────────┬────────────────┬─────────────────────────────────────────────────────────────┐
│         Library         │    Vulnerability    │ Severity │ Status │ Installed Version │ Fixed Version  │                            Title                            │
├─────────────────────────┼─────────────────────┼──────────┼────────┼───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ certifi (METADATA)      │ CVE-2023-37920      │ HIGH     │ fixed  │ 2023.5.7          │ 2023.7.22      │ python-certifi: Removal of e-Tugra root certificate         │
│                         │                     │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-37920                  │
├─────────────────────────┼─────────────────────┤          │        ├───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ cryptography (METADATA) │ CVE-2023-38325      │          │        │ 41.0.0            │ 41.0.2         │ python-cryptography: SSH certificate encoding/parsing       │
│                         │                     │          │        │                   │                │ incompatibility with OpenSSH                                │
│                         │                     │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-38325                  │
│                         ├─────────────────────┼──────────┤        │                   ├────────────────┼─────────────────────────────────────────────────────────────┤
│                         │ CVE-2023-49083      │ MEDIUM   │        │                   │ 41.0.6         │ cryptography is a package designed to expose cryptographic  │
│                         │                     │          │        │                   │                │ primitives ...                                              │
│                         │                     │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-49083                  │
│                         ├─────────────────────┼──────────┤        │                   ├────────────────┼─────────────────────────────────────────────────────────────┤
│                         │ GHSA-jm77-qphf-c4w8 │ LOW      │        │                   │ 41.0.3         │ pyca/cryptography's wheels include vulnerable OpenSSL       │
│                         │                     │          │        │                   │                │ https://github.com/advisories/GHSA-jm77-qphf-c4w8           │
│                         ├─────────────────────┤          │        │                   ├────────────────┼─────────────────────────────────────────────────────────────┤
│                         │ GHSA-v8gr-m533-ghj9 │          │        │                   │ 41.0.4         │ Vulnerable OpenSSL included in cryptography wheels          │
│                         │                     │          │        │                   │                │ https://github.com/advisories/GHSA-v8gr-m533-ghj9           │
├─────────────────────────┼─────────────────────┼──────────┤        ├───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ urllib3 (METADATA)      │ CVE-2023-43804      │ MEDIUM   │        │ 1.26.16           │ 2.0.6, 1.26.17 │ python-urllib3: Cookie request header isn't stripped during │
│                         │                     │          │        │                   │                │ cross-origin redirects                                      │
│                         │                     │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-43804                  │
│                         ├─────────────────────┤          │        │                   ├────────────────┼─────────────────────────────────────────────────────────────┤
│                         │ CVE-2023-45803      │          │        │                   │ 2.0.7, 1.26.18 │ urllib3: Request body not stripped after redirect from 303  │
│                         │                     │          │        │                   │                │ status changes...                                           │
│                         │                     │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-45803                  │
└─────────────────────────┴─────────────────────┴──────────┴────────┴───────────────────┴────────────────┴─────────────────────────────────────────────────────────────┘

/usr/local/lib64/python3.8/site-packages/PyJWT-2.7.0.dist-info/METADATA (secrets)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

MEDIUM: JWT (jwt-token)
═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
JWT token
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 /usr/local/lib64/python3.8/site-packages/PyJWT-2.7.0.dist-info/METADATA:89 (added by 'pip3 install /code')
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  87       >>> encoded = jwt.encode({"some": "payload"}, "secret", algorithm="HS256")
  88       >>> print(encoded)
  89 [     *********************************************************************************************************
  90       >>> jwt.decode(encoded, "secret", algorithms=["HS256"])
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Version

./trivy --version
Version: 0.48.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-12-11 18:11:01.766139561 +0000 UTC
  NextUpdate: 2023-12-12 00:11:01.76613918 +0000 UTC
  DownloadedAt: 2023-12-11 22:24:54.85924 +0000 UTC

Checklist

Read the documentation regarding wrong detection
Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

rossgrady · 2023-12-11T22:40:41Z

rossgrady
Dec 11, 2023
Author

Note that I'm not asking about any of the CVEs; just the false positive JWT detection, which may be an actual JWT, just one that was intentionally leaked by the PyJWT maintainers in their usage example!

0 replies

divya-layerhealth · 2023-12-13T13:49:40Z

divya-layerhealth
Dec 13, 2023

Having the same issue when scanning containers that contain the PyJWT package -- for now I have unilaterally disabled the jwt-token rule in a trivy-secret.yaml config, if that's helpful to others who want a quick resolution from looking at this thread.

I'm curious if there are plans to disable secret scanning rules with more granularity (e.g. disable for specific paths/packages), as the secret scanning feature is awesome beyond this. Couldn't find an obvious resolution in the docs so thought to ask!

1 reply

DmitriyLewen Dec 15, 2023
Maintainer

You can use allow-rules with path:

allow-rules:
  - id: jwt-token
    description: skip jwt secret for dir1
    path: dir1/.*

➜ tree ./dir
./dir
├── dir1
│   └── secret.txt
└── dir2
    └── secret.txt
                                                                                                                                                  
➜ trivy -q fs --scanners secret ./dir

dir2/secret.txt (secrets)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

MEDIUM: JWT (jwt-token)
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
JWT token
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 dir2/secret.txt:5
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   3   >>> encoded = jwt.encode({"some": "payload"}, key, algorithm="HS256")
   4   >>> print(encoded)
   5 [ *********************************************************************************************************
   6   >>> jwt.decode(encoded, key, algorithms="HS256")
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

DmitriyLewen · 2023-12-15T03:30:27Z

DmitriyLewen
Dec 15, 2023
Maintainer

Hello all!
We try to fix false positives for similar cases (e.g. test, example rules).

But looks like it doesn't work in this case.

We can't exclude this secret:
PyJWT-2.8.0.dist-info is actually package (I mean not a test or example package).
Secret found is actually jwt token (as correct said @rossgrady ).
Secret text or path to this file doesn't contain anchor words (like test, example, etc.) to indicate that this secret is just example.

If you have any ideas, tell us and we will try to fix it.

2 replies

jpadilla Feb 16, 2024

@DmitriyLewen are you saying that if I changed it to something like this things would work?

>>> import jwt
>>> encoded = jwt.encode({"example": "test"}, "secret", algorithm="HS256")
>>> print(encoded)
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleGFtcGxlIjoidGVzdCJ9.IDdBb7ADHOIxOfnkMO2lhUDFbO4auZ_RsZ213YlhY3Q
>>> jwt.decode(encoded, "secret", algorithms=["HS256"])
{'example': 'test'}

DmitriyLewen Feb 16, 2024
Maintainer

Trivy currently doesn't have logic to decode jwt token after detecting and checking test or examplewords in decoded secret. I meant case when secret contains these words before decoding. e.g. for AWS -AKIAIOSFODNN7EXAMPLE`

jeremysnell · 2024-10-25T23:49:02Z

jeremysnell
Oct 25, 2024

Any update on this? PyJWT 2.9.0 still has this "vulnerability".

2 replies

DmitriyLewen Oct 28, 2024
Maintainer

Hello @jeremysnell

Unfortunately, secret in PyJWT 2.9.0 has no markers (e.g. test, example, etc.).
Also Trivy has no logic to decode secret before checking allow rules.

That's why we can't exclude this secret from report.
You can filter this file or add secret configuration for your case to fix this issue.

jeremysnell Oct 28, 2024

Thanks Dmitriy!

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

New JWT detection finds sample code in dependency docs #5772

{{title}}

Replies: 4 comments 5 replies

{{title}}

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

Select a reply

New JWT detection finds sample code in dependency docs #5772

rossgrady Dec 11, 2023

IDs

Description

Reproduction Steps

Target

Scanner

Target OS

Debug Output

Version

Checklist

Replies: 4 comments · 5 replies

rossgrady Dec 11, 2023 Author

divya-layerhealth Dec 13, 2023

DmitriyLewen Dec 15, 2023 Maintainer

DmitriyLewen Dec 15, 2023 Maintainer

jpadilla Feb 16, 2024

DmitriyLewen Feb 16, 2024 Maintainer

jeremysnell Oct 25, 2024

DmitriyLewen Oct 28, 2024 Maintainer

jeremysnell Oct 28, 2024

rossgrady
Dec 11, 2023

Replies: 4 comments 5 replies

rossgrady
Dec 11, 2023
Author

divya-layerhealth
Dec 13, 2023

DmitriyLewen Dec 15, 2023
Maintainer

DmitriyLewen
Dec 15, 2023
Maintainer

DmitriyLewen Feb 16, 2024
Maintainer

jeremysnell
Oct 25, 2024

DmitriyLewen Oct 28, 2024
Maintainer