-
Notifications
You must be signed in to change notification settings - Fork 0
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
New vulns #2 #11
New vulns #2 #11
Conversation
Update README.md Update README.md Update README.md Update README.md Update README.md Update README.md Update README.md Update README.md Update README.md Update README.md Update README.md Update README.md Update README.md Update README.md Update README.md Update README.md Update README.md Update README.md Update README.md
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Orca Security Scan Summary
Status | Check | Issues by priority | |
---|---|---|---|
Passed | Infrastructure as Code | 0 1 3 1 | View in Orca |
Failed | Secrets | 1 0 1 0 | View in Orca |
Passed | Vulnerabilities | 0 0 0 0 | View in Orca |
🛡️ The following IaC misconfigurations have been detected
NAME | FILE | ||
---|---|---|---|
Missing User Instruction | ...est/smoke/Dockerfile | View in code | |
Healthcheck Instruction Missing | ...est/smoke/Dockerfile | View in code | |
Image Version Not Explicit | ...est/smoke/Dockerfile | View in code | |
Unpinned Package Version in Apk Add | ...est/smoke/Dockerfile | View in code | |
Apk Add Using Local Cache Path | ...est/smoke/Dockerfile | View in code |
🔑 The following Secrets have been detected in your pull request across all commits
NAME | FILE | LINE NUM | COMMIT | ||
---|---|---|---|---|---|
Private Key | lib/insecurity.ts | 23 | 95169dc | View in code | |
Generic High Entropy Secret | ...ata/static/users.yml | 150 | 95169dc | View in code |
📜 PR Summary 📜
|
✨ gitStream Review ✨README.md
data/static/users.yml
lib/insecurity.ts
package.json
routes/likeProductReviews.ts
routes/updateProductReviews.ts
test/smoke/Dockerfile
General Improvements
Overall, handling of sensitive data needs to be improved, and some security and best practices should be enforced more strictly. Verifying the dependencies for vulnerabilities using tools such as Snyk or npm audit is recommended. |
05b7b5a
to
95de275
Compare
@@ -20,6 +20,7 @@ | |||
import * as z85 from 'z85' | |||
|
|||
export const publicKey = fs ? fs.readFileSync('encryptionkeys/jwt.pub', 'utf8') : 'placeholder-public-key' | |||
const privateKey = '-----BEGIN RSA PRIVATE KEY-----\r\nMIICXAIBAAKBgQDNwqLEe9wgTXCbC7+RPdDbBbeqjdbs4kOPOIGzqLpXvJXlxxW8iMz0EaM4BKUqYsIa+ndv3NAn2RxCd5ubVdJJcX43zO6Ko0TFEZx/65gY3BE0O6syCEmUP4qbSd6exou/F+WTISzbQ5FBVPVmhnYhG/kpwt/cIxK5iUn5hm+4tQIDAQABAoGBAI+8xiPoOrA+KMnG/T4jJsG6TsHQcDHvJi7o1IKC/hnIXha0atTX5AUkRRce95qSfvKFweXdJXSQ0JMGJyfuXgU6dI0TcseFRfewXAa/ssxAC+iUVR6KUMh1PE2wXLitfeI6JLvVtrBYswm2I7CtY0q8n5AGimHWVXJPLfGV7m0BAkEA+fqFt2LXbLtyg6wZyxMA/cnmt5Nt3U2dAu77MzFJvibANUNHE4HPLZxjGNXN+a6m0K6TD4kDdh5HfUYLWWRBYQJBANK3carmulBwqzcDBjsJ0YrIONBpCAsXxk8idXb8jL9aNIg15Wumm2enqqObahDHB5jnGOLmbasizvSVqypfM9UCQCQl8xIqy+YgURXzXCN+kwUgHinrutZms87Jyi+D8Br8NY0+Nlf+zHvXAomD2W5CsEK7C+8SLBr3k/TsnRWHJuECQHFE9RA2OP8WoaLPuGCyFXaxzICThSRZYluVnWkZtxsBhW2W8z1b8PvWUE7kMy7TnkzeJS2LSnaNHoyxi7IaPQUCQCwWU4U+v4lD7uYBw00Ga/xt+7+UqFPlPVdz1yyr4q24Zxaw0LgmuEvgU5dycq8N7JxjTubX0MIRR+G9fmDBBl8=\r\n-----END RSA PRIVATE KEY-----' |
Check failure
Code scanning / CodeQL
Hard-coded credentials Critical
MIICXAIBAAKBgQDNwqLEe9wgTXCbC7+RPdDbBbeqjdbs4kOPOIGzqLpXvJXlxxW8iMz0EaM4BKUqYsIa+ndv3NAn2RxCd5ubVdJJcX43zO6Ko0TFEZx/65gY3BE0O6syCEmUP4qbSd6exou/F+WTISzbQ5FBVPVmhnYhG/kpwt/cIxK5iUn5hm+4tQIDAQABAoGBAI+8xiPoOrA+KMnG/T4jJsG6TsHQcDHvJi7o1IKC/hnIXha0atTX5AUkRRce95qSfvKFweXdJXSQ0JMGJyfuXgU6dI0TcseFRfewXAa/ssxAC+iUVR6KUMh1PE2wXLitfeI6JLvVtrBYswm2I7CtY0q8n5AGimHWVXJPLfGV7m0BAkEA+fqFt2LXbLtyg6wZyxMA/cnmt5Nt3U2dAu77MzFJvibANUNHE4HPLZxjGNXN+a6m0K6TD4kDdh5HfUYLWWRBYQJBANK3carmulBwqzcDBjsJ0YrIONBpCAsXxk8idXb8jL9aNIg15Wumm2enqqObahDHB5jnGOLmbasizvSVqypfM9UCQCQl8xIqy+YgURXzXCN+kwUgHinrutZms87Jyi+D8Br8NY0+Nlf+zHvXAomD2W5CsEK7C+8SLBr3k/TsnRWHJuECQHFE9RA2OP8WoaLPuGCyFXaxzICThSRZYluVnWkZtxsBhW2W8z1b8PvWUE7kMy7TnkzeJS2LSnaNHoyxi7IaPQUCQCwWU4U+v4lD7uYBw00Ga/xt+7+UqFPlPVdz1yyr4q24Zxaw0LgmuEvgU5dycq8N7JxjTubX0MIRR+G9fmDBBl8=
-----END RSA PRIVATE KEY-----" is used as
jwt key
The hard-coded value "-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQDNwqLEe9wgTXCbC7+RPdDbBbeqjdbs4kOPOIGzqLpXvJXlxxW8iMz0EaM4BKUqYsIa+ndv3NAn2RxCd5ubVdJJcX43zO6Ko0TFEZx/65gY3BE0O6syCEmUP4qbSd6exou/F+WTISzbQ5FBVPVmhnYhG/kpwt/cIxK5iUn5hm+4tQIDAQABAoGBAI+8xiPoOrA+KMnG/T4jJsG6TsHQcDHvJi7o1IKC/hnIXha0atTX5AUkRRce95qSfvKFweXdJXSQ0JMGJyfuXgU6dI0TcseFRfewXAa/ssxAC+iUVR6KUMh1PE2wXLitfeI6JLvVtrBYswm2I7CtY0q8n5AGimHWVXJPLfGV7m0BAkEA+fqFt2LXbLtyg6wZyxMA/cnmt5Nt3U2dAu77MzFJvibANUNHE4HPLZxjGNXN+a6m0K6TD4kDdh5HfUYLWWRBYQJBANK3carmulBwqzcDBjsJ0YrIONBpCAsXxk8idXb8jL9aNIg15Wumm2enqqObahDHB5jnGOLmbasizvSVqypfM9UCQCQl8xIqy+YgURXzXCN+kwUgHinrutZms87Jyi+D8Br8NY0+Nlf+zHvXAomD2W5CsEK7C+8SLBr3k/TsnRWHJuECQHFE9RA2OP8WoaLPuGCyFXaxzICThSRZYluVnWkZtxsBhW2W8z1b8PvWUE7kMy7TnkzeJS2LSnaNHoyxi7IaPQUCQCwWU4U+v4lD7uYBw00Ga/xt+7+UqFPlPVdz1yyr4q24Zxaw0LgmuEvgU5dycq8N7JxjTubX0MIRR+G9fmDBBl8=
-----END RSA PRIVATE KEY-----" is used as
key
@@ -15,7 +15,7 @@ | |||
return (req: Request, res: Response, next: NextFunction) => { | |||
const id = req.body.id | |||
const user = security.authenticatedUsers.from(req) | |||
db.reviews.findOne({ _id: "a" }).then((review: Review) => { | |||
db.reviews.findOne({ _id: id }).then((review: Review) => { |
Check failure
Code scanning / CodeQL
Database query built from user-controlled sources High
user-provided value
This query object depends on a
user-provided value
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI 2 months ago
To fix this issue, we need to ensure that the user-provided id
is treated as a literal value and not as a query object. This can be achieved by using MongoDB's $eq
operator, which ensures that the value is interpreted as a literal. Additionally, we should validate that the id
is a string to prevent any potential injection attacks.
-
Copy modified lines R17-R20 -
Copy modified line R22 -
Copy modified line R29 -
Copy modified line R46
@@ -16,4 +16,8 @@ | ||
const id = req.body.id | ||
if (typeof id !== 'string') { | ||
res.status(400).json({ error: 'Invalid ID format' }) | ||
return | ||
} | ||
const user = security.authenticatedUsers.from(req) | ||
db.reviews.findOne({ _id: id }).then((review: Review) => { | ||
db.reviews.findOne({ _id: { $eq: id } }).then((review: Review) => { | ||
if (!review) { | ||
@@ -24,3 +28,3 @@ | ||
db.reviews.update( | ||
{ _id: id }, | ||
{ _id: { $eq: id } }, | ||
{ $inc: { likesCount: 1 } } | ||
@@ -41,3 +45,3 @@ | ||
db.reviews.update( | ||
{ _id: id }, | ||
{ _id: { $eq: id } }, | ||
{ $set: { likedBy: likedBy } } |
@@ -13,6 +13,19 @@ | |||
// vuln-code-snippet start noSqlReviewsChallenge forgedReviewChallenge | |||
module.exports = function productReviews () { | |||
return (req: Request, res: Response, next: NextFunction) => { | |||
const user = security.authenticatedUsers.from(req) // vuln-code-snippet vuln-line forgedReviewChallenge | |||
db.reviews.update( // vuln-code-snippet neutral-line forgedReviewChallenge | |||
{ _id: req.body.id }, // vuln-code-snippet vuln-line noSqlReviewsChallenge forgedReviewChallenge |
Check failure
Code scanning / CodeQL
Database query built from user-controlled sources High
user-provided value
This query object depends on a
user-provided value
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI 2 months ago
To fix the problem, we need to ensure that the user input is safely embedded into the query. For MongoDB, we can use the $eq
operator to ensure that the user input is treated as a literal value. This prevents any potential NoSQL injection attacks.
- Modify the query to use the
$eq
operator for the_id
field. - Ensure that the
req.body.id
is treated as a literal value and not as a query object.
-
Copy modified line R18
@@ -17,3 +17,3 @@ | ||
db.reviews.update( // vuln-code-snippet neutral-line forgedReviewChallenge | ||
{ _id: req.body.id }, // vuln-code-snippet vuln-line noSqlReviewsChallenge forgedReviewChallenge | ||
{ _id: { $eq: req.body.id } }, // vuln-code-snippet vuln-line noSqlReviewsChallenge forgedReviewChallenge | ||
{ $set: { message: req.body.message } }, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
❌ Jit has detected 10 important findings in this PR that you should review.
The findings are detailed below as separate comments.
It’s highly recommended that you fix these security issues before merge.
Repository Risks:
- Database Integration: Connects to a database, often involving sensitive data that must be securely managed.
Repository Context:
graph LR
GitHub$Repository#linear-b/juice-shop["GitHub Repository<br/>linear-b/juice-shop"]:::GitHub$Repository
DBIntegration#redis["DBIntegration<br/>redis"]:::DBIntegration
GitHub$Repository#linear-b/juice-shop -- "Repository uses database" --> DBIntegration#redis
"errorhandler": "^1.5.1", | ||
"exif": "^0.6.0", | ||
"express": "^4.17.1", | ||
"express-ipfilter": "^1.2.0", | ||
"express-jwt": "0.1.3", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Security control: Software Component Analysis Js
Type: Verification Bypass In Jsonwebtoken
Description: express-jwt>jsonwebtoken
Severity: CRITICAL
Fix suggestion:
This fix suggestion was generated by Jit. Please note that the suggestion might not always fit every use case. It is highly recommended that you check and review it before merging.
Suggestion guidelines
Update each outdated library in your code.
Note: Once you apply these changes, you'll need to regenerate the package-lock.json
file on your end.
Ensure to thoroughly test your application after updating each library, to make sure that the update hasn't broken anything.
If an update does cause issues, consider whether you can modify your code to work with the updated library, or if necessary, look for an alternative library that is maintained and up to date.
"express-jwt": "0.1.3", | |
"express-jwt": "8.4.1", |
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
#jit_ignore_fp
Ignore and mark this specific single instance of finding as “False Positive”#jit_ignore_accept
Ignore and mark this specific single instance of finding as “Accept Risk”#jit_ignore_type_in_file
Ignore any finding of type "Verification Bypass in jsonwebtoken" in package.json; future occurrences will also be ignored.#jit_undo_ignore
Undo ignore command
@@ -119,17 +119,20 @@ | |||
"cookie-parser": "^1.4.5", | |||
"cors": "^2.8.5", | |||
"dottie": "^2.0.2", | |||
"download": "^8.0.0", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Security control: Software Component Analysis Js
Type: Got Allows A Redirect To A Unix Socket
Description: download>got
Severity: HIGH
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
#jit_ignore_fp
Ignore and mark this specific single instance of finding as “False Positive”#jit_ignore_accept
Ignore and mark this specific single instance of finding as “Accept Risk”#jit_ignore_type_in_file
Ignore any finding of type "Got allows a redirect to a UNIX socket" in package.json; future occurrences will also be ignored.#jit_undo_ignore
Undo ignore command
"errorhandler": "^1.5.1", | ||
"exif": "^0.6.0", | ||
"express": "^4.17.1", | ||
"express-ipfilter": "^1.2.0", | ||
"express-jwt": "0.1.3", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Security control: Software Component Analysis Js
Type: Authorization Bypass In Express-Jwt
Description: express-jwt
Severity: HIGH
Fix suggestion:
This fix suggestion was generated by Jit. Please note that the suggestion might not always fit every use case. It is highly recommended that you check and review it before merging.
Suggestion guidelines
Update each outdated library in your code.
Note: Once you apply these changes, you'll need to regenerate the package-lock.json
file on your end.
Ensure to thoroughly test your application after updating each library, to make sure that the update hasn't broken anything.
If an update does cause issues, consider whether you can modify your code to work with the updated library, or if necessary, look for an alternative library that is maintained and up to date.
"express-jwt": "0.1.3", | |
"express-jwt": "8.4.1", |
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
#jit_ignore_fp
Ignore and mark this specific single instance of finding as “False Positive”#jit_ignore_accept
Ignore and mark this specific single instance of finding as “Accept Risk”#jit_ignore_type_in_file
Ignore any finding of type "Authorization bypass in express-jwt" in package.json; future occurrences will also be ignored.#jit_undo_ignore
Undo ignore command
@@ -119,17 +119,20 @@ | |||
"cookie-parser": "^1.4.5", | |||
"cors": "^2.8.5", | |||
"dottie": "^2.0.2", | |||
"download": "^8.0.0", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Security control: Software Component Analysis Js
Type: Http-Cache-Semantics Vulnerable To Regular Expression Denial Of Service
Description: Paths from library to vulnerable dependencies:
- download>got>cacheable-request>http-cache-semantics
- sqlite3>node-gyp>make-fetch-happen>http-cache-semantics
Severity: HIGH
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
#jit_ignore_fp
Ignore and mark this specific single instance of finding as “False Positive”#jit_ignore_accept
Ignore and mark this specific single instance of finding as “Accept Risk”#jit_ignore_type_in_file
Ignore any finding of type "http-cache-semantics vulnerable to Regular Expression Denial of Service" in package.json; future occurrences will also be ignored.#jit_undo_ignore
Undo ignore command
"errorhandler": "^1.5.1", | ||
"exif": "^0.6.0", | ||
"express": "^4.17.1", | ||
"express-ipfilter": "^1.2.0", | ||
"express-jwt": "0.1.3", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Security control: Software Component Analysis Js
Type: Regular Expression Denial Of Service In Moment
Description: Paths from library to vulnerable dependencies:
- express-jwt>jsonwebtoken>moment
- file-stream-rotator>moment
- filesniffer>filehound>moment
- finale-rest>moment
- sequelize>moment-timezone>moment
Severity: HIGH
Fix suggestion:
This fix suggestion was generated by Jit. Please note that the suggestion might not always fit every use case. It is highly recommended that you check and review it before merging.
Suggestion guidelines
Update each outdated library in your code.
Note: Once you apply these changes, you'll need to regenerate the package-lock.json
file on your end.
Ensure to thoroughly test your application after updating each library, to make sure that the update hasn't broken anything.
If an update does cause issues, consider whether you can modify your code to work with the updated library, or if necessary, look for an alternative library that is maintained and up to date.
"express-jwt": "0.1.3", | |
"express-jwt": "8.4.1", |
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
#jit_ignore_fp
Ignore and mark this specific single instance of finding as “False Positive”#jit_ignore_accept
Ignore and mark this specific single instance of finding as “Accept Risk”#jit_ignore_type_in_file
Ignore any finding of type "Regular Expression Denial of Service in moment" in package.json; future occurrences will also be ignored.#jit_undo_ignore
Undo ignore command
"errorhandler": "^1.5.1", | ||
"exif": "^0.6.0", | ||
"express": "^4.17.1", | ||
"express-ipfilter": "^1.2.0", | ||
"express-jwt": "0.1.3", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Security control: Software Component Analysis Js
Type: Forgeable Public/Private Tokens In Jws
Description: express-jwt>jsonwebtoken>jws
Severity: HIGH
Fix suggestion:
This fix suggestion was generated by Jit. Please note that the suggestion might not always fit every use case. It is highly recommended that you check and review it before merging.
Suggestion guidelines
Update each outdated library in your code.
Note: Once you apply these changes, you'll need to regenerate the package-lock.json
file on your end.
Ensure to thoroughly test your application after updating each library, to make sure that the update hasn't broken anything.
If an update does cause issues, consider whether you can modify your code to work with the updated library, or if necessary, look for an alternative library that is maintained and up to date.
"express-jwt": "0.1.3", | |
"express-jwt": "8.4.1", |
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
#jit_ignore_fp
Ignore and mark this specific single instance of finding as “False Positive”#jit_ignore_accept
Ignore and mark this specific single instance of finding as “Accept Risk”#jit_ignore_type_in_file
Ignore any finding of type "Forgeable Public/Private Tokens in jws" in package.json; future occurrences will also be ignored.#jit_undo_ignore
Undo ignore command
@@ -15,7 +15,7 @@ | |||
return (req: Request, res: Response, next: NextFunction) => { | |||
const id = req.body.id | |||
const user = security.authenticatedUsers.from(req) | |||
db.reviews.findOne({ _id: "a" }).then((review: Review) => { | |||
db.reviews.findOne({ _id: id }).then((review: Review) => { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Security control: Static Code Analysis Js
Type: Codsec.Javascriptnosql-Injection.Nosql-Injection
Description: Putting request data into a mongo query can leadto a NoSQL Injection. Be sure to properly sanitize thedata if you absolutely must pass request data into a query.
Severity: HIGH
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
#jit_ignore_fp
Ignore and mark this specific single instance of finding as “False Positive”#jit_ignore_accept
Ignore and mark this specific single instance of finding as “Accept Risk”#jit_ignore_type_in_file
Ignore any finding of type "codsec.javascriptnosql-injection.nosql-injection" in routes/likeProductReviews.ts; future occurrences will also be ignored.#jit_undo_ignore
Undo ignore command
{ _id: req.body.id }, // vuln-code-snippet vuln-line noSqlReviewsChallenge forgedReviewChallenge | ||
{ $set: { message: req.body.message } }, | ||
{ multi: true } // vuln-code-snippet vuln-line noSqlReviewsChallenge | ||
).then( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Security control: Static Code Analysis Js
Type: Codsec.Javascriptnosql-Injection.Nosql-Injection
Description: Putting request data into a mongo query can leadto a NoSQL Injection. Be sure to properly sanitize thedata if you absolutely must pass request data into a query.
Severity: HIGH
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
#jit_ignore_fp
Ignore and mark this specific single instance of finding as “False Positive”#jit_ignore_accept
Ignore and mark this specific single instance of finding as “Accept Risk”#jit_ignore_type_in_file
Ignore any finding of type "codsec.javascriptnosql-injection.nosql-injection" in routes/updateProductReviews.ts; future occurrences will also be ignored.#jit_undo_ignore
Undo ignore command
@@ -20,6 +20,7 @@ | |||
import * as z85 from 'z85' | |||
|
|||
export const publicKey = fs ? fs.readFileSync('encryptionkeys/jwt.pub', 'utf8') : 'placeholder-public-key' | |||
const privateKey = '-----BEGIN RSA PRIVATE KEY-----\r\nMIICXAIBAAKBgQDNwqLEe9wgTXCbC7+RPdDbBbeqjdbs4kOPOIGzqLpXvJXlxxW8iMz0EaM4BKUqYsIa+ndv3NAn2RxCd5ubVdJJcX43zO6Ko0TFEZx/65gY3BE0O6syCEmUP4qbSd6exou/F+WTISzbQ5FBVPVmhnYhG/kpwt/cIxK5iUn5hm+4tQIDAQABAoGBAI+8xiPoOrA+KMnG/T4jJsG6TsHQcDHvJi7o1IKC/hnIXha0atTX5AUkRRce95qSfvKFweXdJXSQ0JMGJyfuXgU6dI0TcseFRfewXAa/ssxAC+iUVR6KUMh1PE2wXLitfeI6JLvVtrBYswm2I7CtY0q8n5AGimHWVXJPLfGV7m0BAkEA+fqFt2LXbLtyg6wZyxMA/cnmt5Nt3U2dAu77MzFJvibANUNHE4HPLZxjGNXN+a6m0K6TD4kDdh5HfUYLWWRBYQJBANK3carmulBwqzcDBjsJ0YrIONBpCAsXxk8idXb8jL9aNIg15Wumm2enqqObahDHB5jnGOLmbasizvSVqypfM9UCQCQl8xIqy+YgURXzXCN+kwUgHinrutZms87Jyi+D8Br8NY0+Nlf+zHvXAomD2W5CsEK7C+8SLBr3k/TsnRWHJuECQHFE9RA2OP8WoaLPuGCyFXaxzICThSRZYluVnWkZtxsBhW2W8z1b8PvWUE7kMy7TnkzeJS2LSnaNHoyxi7IaPQUCQCwWU4U+v4lD7uYBw00Ga/xt+7+UqFPlPVdz1yyr4q24Zxaw0LgmuEvgU5dycq8N7JxjTubX0MIRR+G9fmDBBl8=\r\n-----END RSA PRIVATE KEY-----' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Security control: Secret Detection
Type: Private-Key
Description: Identified a Private Key, which may compromise cryptographic security and sensitive data encryption.
Severity: HIGH
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
#jit_ignore_fp
Ignore and mark this specific single instance of finding as “False Positive”#jit_ignore_accept
Ignore and mark this specific single instance of finding as “Accept Risk”#jit_ignore_type_in_file
Ignore any finding of type "private-key" in lib/insecurity.ts; future occurrences will also be ignored.#jit_undo_ignore
Undo ignore command
@@ -1,3 +1,4 @@ | |||
FROM alpine |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Security control: Docker Scan
Type: Image User Should Not Be 'Root'
Description: Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
Severity: HIGH
Fix suggestion:
This fix suggestion was generated by Jit. Please note that the suggestion might not always fit every use case. It is highly recommended that you check and review it before merging.
Suggestion guidelines
- First of all, check if your container is running as a root user. In most of the cases, you can do it by running a command like this:
docker run <image> whoami
. If it returnsroot
, then you should consider using a non-root user, by following one of the next steps:- If a non-root user already exists in your container, consider using it.
- If not, you can create a new user by adding a
USER
command to the Dockerfile, with a non-root user as argument, for example:USER <non-root-user-name>
.
FROM alpine | |
FROM alpine | |
RUN addgroup --system <group> | |
RUN adduser --system <user> --ingroup <group> | |
USER <user>:<group> | |
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
#jit_ignore_fp
Ignore and mark this specific single instance of finding as “False Positive”#jit_ignore_accept
Ignore and mark this specific single instance of finding as “Accept Risk”#jit_ignore_type_in_file
Ignore any finding of type "Image user should not be 'root'" in test/smoke/Dockerfile; future occurrences will also be ignored.#jit_undo_ignore
Undo ignore command
Description
A clear and concise summary of the change and which issue (if any) it fixes. Should also include relevant motivation and context.
Resolved or fixed issue:
Affirmation