Secret scanning rule for JSON Web Token is too permissive


    • Type: Bug
    • Resolution: Fixed
    • Priority: Medium
    • 9.0.0
    • Affects Version/s: 8.3.4, 8.9.4, 8.12.1
    • Component/s: Secret Scanning
    • Severity 3 - Minor

      Issue Summary

      The secret scanning rule for JSON Web Token is too permissive and produces a lot of false positives. When pushing up front-end (FE) dependency manifest files (yarn.lock or package-lock.json) that reference the `eyes` package, the scanner flags the package entry as a secret.

      Steps to Reproduce

      1. Push up a commit containing something like:
      eyes@0.1.x:
        version "0.1.8"
        resolved "https://registry.yarnpkg.com/eyes/-/eyes-0.1.8.tgz#62cf120234c683785d902348a800ef3e0cc20bc0"
      2. Secret is detected

      Expected Results

      No "secret detected" emails are sent out.

      Actual Results

      "Secret detected" emails are sent out.

      Workaround

      Modify the JSON Web Token rule:

      .*\b(ey[a-zA-Z0-9_-]+)\.([a-zA-Z0-9_-]+)\.([a-zA-Z0-9_-]+)\b.* 

      to something like:

      .*\b(ey[a-zA-Z0-9_-]{5,})\.([a-zA-Z0-9_-]{5,})\.([a-zA-Z0-9_-]{5,})\b.* 
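      To see what the tightening changes, here is an added example (not part of the ticket) that runs both rules over a constructed yarn.lock fragment, a constructed JWT with a dummy all-zero signature, and a constructed dotted identifier that the tightened rule still flags; all sample lines are assumptions.

```python
import base64
import json
import re

# The two patterns quoted in the ticket: the shipped rule and the proposed replacement.
OLD_RULE = re.compile(r".*\b(ey[a-zA-Z0-9_-]+)\.([a-zA-Z0-9_-]+)\.([a-zA-Z0-9_-]+)\b.*")
NEW_RULE = re.compile(r".*\b(ey[a-zA-Z0-9_-]{5,})\.([a-zA-Z0-9_-]{5,})\.([a-zA-Z0-9_-]{5,})\b.*")

# Constructed yarn.lock fragment, mirroring the reproduction steps.
YARN_LOCK = (
    "eyes@0.1.x:\n"
    '  version "0.1.8"\n'
    '  resolved "https://registry.yarnpkg.com/eyes/-/eyes-0.1.8.tgz#62cf120234c683785d902348a800ef3e0cc20bc0"\n'
)


def b64url(raw: bytes) -> str:
    """base64url without '=' padding, as JWT segments are encoded."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def constructed_jwt() -> str:
    """A JWT-shaped token with a dummy (all-zero, not computed) signature."""
    compact = {"separators": (",", ":")}
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
    payload = b64url(json.dumps({"sub": "1234567890", "name": "example"}, **compact).encode())
    signature = b64url(bytes(32))  # constructed: 32 zero bytes, never a real HMAC
    return f"{header}.{payload}.{signature}"


# Constructed line: a three-part dotted name whose first segment starts with "ey".
# Every segment is at least 5 characters, so the {5,} quantifiers do not exclude it.
RESIDUAL_FP = "require('eyeballs.config.module')"


def findings(rule: re.Pattern, text: str) -> list[str]:
    """Return the token each rule flags per line, reassembled from its three capture groups."""
    hits = []
    for line in text.splitlines():
        m = rule.search(line)
        if m:
            hits.append(".".join(m.groups()))
    return hits


if __name__ == "__main__":
    jwt_line = f"Authorization: Bearer {constructed_jwt()}"
    for name, rule in (("old", OLD_RULE), ("new", NEW_RULE)):
        print(name, "yarn.lock:", findings(rule, YARN_LOCK))
        print(name, "jwt line: ", findings(rule, jwt_line))
        print(name, "residual: ", findings(rule, RESIDUAL_FP))
```

      The old rule flags `eyes-0.1.8` from the resolved URL while the tightened rule does not, but both still flag any three dot-separated word segments whose first begins with `ey`, so the `{5,}` change narrows rather than eliminates the false positives.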

            Assignee:
            Sunny Wu
            Reporter:
            Yingran Sun
            Votes:
            2
            Watchers:
            4
