bug(secret): AWS Secret detection detects strings of 40 characters as false positive #5871

christiangonre · 2024-01-04T14:54:31Z

christiangonre
Jan 4, 2024

IDs

AWS (aws-secret-access-key)

Description

In the version 0.48.0 (I think the problem happens since this fix ) some of my scans fails because it detects some gpg keys as aws-secret-access-key.
My pipelines exits because the aws-secret-access-key is considered as a CRITICAL error that makes sense, but in this case this string is not a secret-access-key.

This is a example of a string that fails:
27C50E7F590947D7273A741E85194C08421980C9

This fails in all the trivy scans that involves a secret detection, in my case it fails when I do trivy image but it also fails with trivy fs

Reproduction Steps

1. Create a file named file.txt with this content:

gpg: Signature made Fr  4 Sep 10:04:50 2020 CST
gpg:                using RSA key 27C50E7F590947D7273A741E85194C08421980C9
gpg: Good signature from "Sebastian Thiel (YubiKey USB-C) <[email protected]>" [ultimate]
gpg:                 aka "Sebastian Thiel (In Rust I trust) <[email protected]>" [ultimate]

2. Scan with the following command: trivy fs file.txt
3. It will fail with the following error:

/file.txt (secrets)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 1)

CRITICAL: AWS (aws-secret-access-key)
═══════════════════════════════════════════════════════════════════════════════════════════════════════
AWS Secret Access Key
───────────────────────────────────────────────────────────────────────────────────────────────────────
/file.txt:3
───────────────────────────────────────────────────────────────────────────────────────────────────────
1 ```bash
2 gpg: Signature made Fr 4 Sep 10:04:50 2020 CST
3 [ gpg: using RSA key ****************************************
4 gpg: Good signature from "Sebastian Thiel (YubiKey USB-C) [email protected]" [ultimate]
───────────────────────────────────────────────────────────────────────────────────────────────────────

Target

Filesystem

Scanner

Secret

Target OS

Ubuntu 22.04 / MacOS Sonoma 14.2.1

Debug Output

2024-01-04T15:51:24.078+0100	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2024-01-04T15:51:24.078+0100	DEBUG	Ignore statuses	{"statuses": null}
2024-01-04T15:51:24.089+0100	DEBUG	cache dir:  /Users/christian/Library/Caches/trivy
2024-01-04T15:51:24.089+0100	DEBUG	DB update was skipped because the local DB is the latest
2024-01-04T15:51:24.090+0100	DEBUG	DB Schema: 2, UpdatedAt: 2024-01-04 12:14:08.298791052 +0000 UTC, NextUpdate: 2024-01-04 18:14:08.298790772 +0000 UTC, DownloadedAt: 2024-01-04 14:01:55.451294 +0000 UTC
2024-01-04T15:51:24.091+0100	INFO	Vulnerability scanning is enabled
2024-01-04T15:51:24.091+0100	DEBUG	Vulnerability type:  [os library]
2024-01-04T15:51:24.091+0100	INFO	Secret scanning is enabled
2024-01-04T15:51:24.091+0100	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-01-04T15:51:24.091+0100	INFO	Please see also https://aquasecurity.github.io/trivy/v0.48/docs/scanner/secret/#recommendation for faster secret detection
2024-01-04T15:51:24.091+0100	DEBUG	Enabling misconfiguration scanners: [azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan]
2024-01-04T15:51:24.091+0100	DEBUG	No secret config detected: trivy-secret.yaml
2024-01-04T15:51:24.091+0100	DEBUG	The nuget packages directory couldn't be found. License search disabled
2024-01-04T15:51:24.091+0100	DEBUG	Walk the file tree rooted at 'file.txt' in parallel
2024-01-04T15:51:24.105+0100	DEBUG	OS is not detected.
2024-01-04T15:51:24.105+0100	DEBUG	Detected OS: unknown
2024-01-04T15:51:24.105+0100	INFO	Number of language-specific files: 0
2024-01-04T15:51:24.105+0100	DEBUG	Secret file: /file.txt

/file.txt (secrets)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 1)

CRITICAL: AWS (aws-secret-access-key)
═══════════════════════════════════════════════════════════════════════════════════════════════════════
AWS Secret Access Key
───────────────────────────────────────────────────────────────────────────────────────────────────────
 /file.txt:3
───────────────────────────────────────────────────────────────────────────────────────────────────────
   1   
   2   gpg: Signature made Fr  4 Sep 10:04:50 2020 CST
   3 [ gpg:                using RSA key ****************************************
   4   gpg: Good signature from "Sebastian Thiel (YubiKey USB-C) <[email protected]>" [ultimate]
───────────────────────────────────────────────────────────────────────────────────────────────────────

Version

Version: 0.48.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-01-04 12:14:08.298791052 +0000 UTC
  NextUpdate: 2024-01-04 18:14:08.298790772 +0000 UTC
  DownloadedAt: 2024-01-04 14:01:55.451294 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2024-01-04 00:49:07.45555807 +0000 UTC
  NextUpdate: 2024-01-07 00:49:07.45555793 +0000 UTC
  DownloadedAt: 2024-01-04 14:03:01.163388 +0000 UTC

Checklist

Read the documentation regarding wrong detection
Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

DmitriyLewen · 2024-01-09T10:41:40Z

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

bug(secret): AWS Secret detection detects strings of 40 characters as false positive #5871

{{title}}

Replies: 1 comment

{{title}}

Select a reply

bug(secret): AWS Secret detection detects strings of 40 characters as false positive #5871

christiangonre Jan 4, 2024

IDs

Description

Reproduction Steps

Target

Scanner

Target OS

Debug Output

Version

Checklist

Replies: 1 comment

DmitriyLewen Jan 9, 2024 Maintainer

christiangonre
Jan 4, 2024

DmitriyLewen
Jan 9, 2024
Maintainer