
Security scan failure: Private keys stored in image #557

vitaliyatoptus opened this issue Feb 14, 2024 · 5 comments

Comments

@vitaliyatoptus

Issue description:
We are using a security scanning tool and it is currently flagging this project due to its inclusion of a private key in server.key and client.key.
I understand that this is a false positive, as the mentioned keys are used for tests only. However, it is pretty hard to tweak the security tool to ignore this particular issue and keep ensuring people do not put actual keys into the image.
I've found a similar ticket in the nodejs node-gyp module, nodejs/node-gyp#2037, where they ended up extracting the keys into the JS file certs.js. I understand that it does not solve the issue; however, it tricks the security scan and resolves the mentioned false positive.
Do you think a similar thing (e.g. inlining the key into the code) can be done here?

Steps to reproduce:
Run a security scanning tool on an image that contains the python-ldap project.

Operating system:
RHEL8 (I doubt it matters)

Python version:
3.9 (I doubt it matters)

python-ldap version:
latest (as of 15 Feb 2024)

@tiran
Member

tiran commented Feb 15, 2024

Is your tool able to ignore files based on file patterns? We could rename the files to test-client.key and test-server.key if that helps.

@vitaliyatoptus
Author

vitaliyatoptus commented Feb 19, 2024

Based on my information the tool does not allow ignoring based on patterns, and even if it does, in a corporate world it will be nearly impossible to get this approved. I've asked the security team and I will update here once I get the answer.

@kramar11

Same here. A trivy scan reports severity HIGH for the private keys included in the package:

/app/.venv/lib/python3.11/site-packages/slapdtest/certs/client.key (secrets)
============================================================================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

HIGH: AsymmetricPrivateKey (private-key)
════════════════════════════════════════
Asymmetric Private Key
────────────────────────────────────────
/app/.venv/lib/python3.11/site-packages/slapdtest/certs/client.key:1 (added by 'COPY /app /app # buildkit')


/app/.venv/lib/python3.11/site-packages/slapdtest/certs/server.key (secrets)
============================================================================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

HIGH: AsymmetricPrivateKey (private-key)
════════════════════════════════════════
Asymmetric Private Key
────────────────────────────────────────
 /app/.venv/lib/python3.11/site-packages/slapdtest/certs/server.key:1 (added by 'COPY /app /app # buildkit')

Maybe the best solution would be to not include the slapdtest module with the python-ldap package, but rather make it optional or even a separate package?

@tiran
Member

tiran commented May 29, 2024

That would take a large, backwards incompatible change.

It's very common to have test keys and test certificates in a project. It would be more reasonable if you could work with your vendor and figure out a general solution that works for OSS projects.

@kramar11

Sorry for late reply!

I understand that this would be backwards incompatible. But as automatic security scans in CI/CD pipelines are very common these days, you should maybe consider putting slapdtest in a separate package in the next major release, where backwards compatibility isn't strictly required.

My solution so far is to simply remove the slapdtest folder in my container, i.e. in the Dockerfile I have:

RUN rm -rf .venv/lib/python*/site-packages/slapdtest

Maybe this can help someone who has the same problem and finds this ticket.
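The script below is an added example; it is not code from the python-ldap project or from anyone in this thread. It shows the signal a secrets scanner such as trivy keys on, namely a PEM private-key header, by scanning a constructed site-packages tree laid out like the paths in the trivy report above, then applies the rm -rf cleanup from the Dockerfile step and scans again, so the same check can serve as a CI gate that confirms the flagged files are really gone from the image layer. The directory layout, file contents and function names are all constructed for the example; the key bodies are placeholders, not real keys.

```shell
#!/bin/sh
# Added example, not code from python-ldap or from this thread. It mimics the
# signal a secrets scanner such as trivy keys on (a PEM private-key header)
# and checks that the "rm -rf slapdtest" cleanup actually removed the flagged
# files before the image is shipped. All paths and key bodies are constructed.

# Print the paths of files under DIR that contain a PEM private-key header.
find_private_keys() {
    # "--" keeps grep from reading the leading dashes of the pattern as options;
    # "|| true" keeps a clean tree (grep exit status 1) from tripping set -e.
    grep -rlE -- '-----BEGIN (RSA |EC |DSA |ENCRYPTED |OPENSSH )?PRIVATE KEY-----' "$1" 2>/dev/null || true
}

# CI gate: succeed only when no private-key material remains under DIR.
assert_no_private_keys() {
    hits="$(find_private_keys "$1")"
    if [ -n "$hits" ]; then
        printf 'private key material found:\n%s\n' "$hits" >&2
        return 1
    fi
    return 0
}

# Build a throwaway site-packages layout mirroring the paths in the trivy
# report. The key bodies are placeholders, not real keys.
make_sample_tree() {
    root="$1"
    mkdir -p "$root/site-packages/slapdtest/certs" "$root/site-packages/ldap"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER-NOT-A-REAL-KEY' '-----END PRIVATE KEY-----' \
        > "$root/site-packages/slapdtest/certs/client.key"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'PLACEHOLDER-NOT-A-REAL-KEY' '-----END RSA PRIVATE KEY-----' \
        > "$root/site-packages/slapdtest/certs/server.key"
    # A certificate is public material and must not be reported.
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER' '-----END CERTIFICATE-----' \
        > "$root/site-packages/slapdtest/certs/server.pem"
    printf 'def x():\n    pass\n' > "$root/site-packages/ldap/__init__.py"
}

# The cleanup step from the Dockerfile in the thread, applied to one root.
remove_slapdtest() {
    rm -rf "$1"/site-packages/slapdtest
}

# Stand-alone demonstration: scan, clean, re-scan.
demo_root="$(mktemp -d)"
make_sample_tree "$demo_root"
echo "before cleanup:"
find_private_keys "$demo_root"
remove_slapdtest "$demo_root"
if assert_no_private_keys "$demo_root"; then
    echo "after cleanup: no private keys found"
fi
rm -rf "$demo_root"
```

In a real pipeline the assert_no_private_keys call would run against the installed site-packages directory after the RUN rm -rf step, so the build fails locally before the image ever reaches the scanner; the certificate file is kept in the sample on purpose to show that only private-key headers, not public .pem material, produce a hit.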

nijel added a commit to nijel/docker that referenced this issue Apr 7, 2025

The secret key in that just triggers security scanners and we have no use
for the test data.

See python-ldap/python-ldap#557

nijel added a commit to WeblateOrg/docker that referenced this issue Apr 7, 2025

The secret key in that just triggers security scanners and we have no use
for the test data.

See python-ldap/python-ldap#557