Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

JWT secret detector only works if "JWT" word is in scope #6802

Closed
2 tasks
DmitriyLewen opened this issue May 28, 2024 Discussed in #6786 · 0 comments · Fixed by #7410
Closed
2 tasks

JWT secret detector only works if "JWT" word is in scope #6802

DmitriyLewen opened this issue May 28, 2024 Discussed in #6786 · 0 comments · Fixed by #7410
Labels
help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. kind/bug Categorizes issue or PR as related to a bug.

Comments

@DmitriyLewen
Copy link
Contributor

Discussed in #6786

Originally posted by asankov May 27, 2024

Description

The secret detector would not detect a JWT unless there is the word "JWT" somewhere on the line.

For example, this file:

token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

would yield no findings, but this one:

jwt: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

will.

This is due to the jwt being set in the Keywords in the jwt matcher - https://github.com/aquasecurity/trivy/blob/main/pkg/fanal/secret/builtin-rules.go#L591

Desired Behavior

JWT token is detected regardless of other context.

Actual Behavior

JWT token is detected only if jwt is present on the line

Reproduction Steps

1. Create a file similar to the one in the description
2. Run `trivy fs <file>`
3. Observe no findings

Target

Filesystem

Scanner

Secret

Output Format

None

Mode

None

Debug Output

2024-05-27T14:39:46+03:00	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-05-27T14:39:46+03:00	DEBUG	Ignore statuses	statuses=[]
2024-05-27T14:39:46+03:00	DEBUG	Cache dir	dir="/Users/asankov/Library/Caches/trivy"
2024-05-27T14:39:46+03:00	DEBUG	DB update was skipped because the local DB is the latest
2024-05-27T14:39:46+03:00	DEBUG	DB info	schema=2 updated_at=2024-05-27T06:12:09.854561954Z next_update=2024-05-27T12:12:09.854561794Z downloaded_at=2024-05-27T10:39:59.156462Z
2024-05-27T14:39:46+03:00	INFO	Vulnerability scanning is enabled
2024-05-27T14:39:46+03:00	DEBUG	Vulnerability type	type=[os library]
2024-05-27T14:39:46+03:00	INFO	Secret scanning is enabled
2024-05-27T14:39:46+03:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-27T14:39:46+03:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-05-27T14:39:46+03:00	DEBUG	Enabling misconfiguration scanners	scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-05-27T14:39:46+03:00	DEBUG	[secret] No secret config detected	config_path="trivy-secret.yaml"
2024-05-27T14:39:46+03:00	DEBUG	[nuget] The nuget packages directory couldn't be found. License search disabled
2024-05-27T14:39:46+03:00	DEBUG	OS is not detected.
2024-05-27T14:39:46+03:00	DEBUG	Detected OS: unknown
2024-05-27T14:39:46+03:00	INFO	Number of language-specific files	num=0

Operating System

macOS

Version

Version: 0.51.4
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-05-27 06:12:09.854561954 +0000 UTC
  NextUpdate: 2024-05-27 12:12:09.854561794 +0000 UTC
  DownloadedAt: 2024-05-27 10:39:59.156462 +0000 UTC

Checklist

@DmitriyLewen DmitriyLewen added kind/bug Categorizes issue or PR as related to a bug. help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. labels May 28, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. kind/bug Categorizes issue or PR as related to a bug.
Projects
None yet
Development

Successfully merging a pull request may close this issue.

1 participant