Bitbucket Data Center: BSERV-14404

Secret scanning rule for JSON Web Token is too permissive


    • Type: Bug
    • Resolution: Fixed
    • Priority: Medium
    • 9.0.0
    • 8.3.4, 8.9.4, 8.12.1
    • Component: Secret Scanning

      Issue Summary

      The secret scanning rule for JSON Web Tokens is too permissive and produces many false positives. When a front-end dependency manifest (yarn.lock or package-lock.json) that references the `eyes` npm package is pushed, the scanner flags the package's resolved URL as a secret.

      Steps to Reproduce

      1. Push up a commit containing something like:

      eyes@0.1.x:
        version "0.1.8"
        resolved "https://registry.yarnpkg.com/eyes/-/eyes-0.1.8.tgz#62cf120234c683785d902348a800ef3e0cc20bc0"

      2. A secret is detected

      Expected Results

      No "secret detected" emails are sent out

      Actual Results

      "Secret detected" emails are sent out

      Workaround

      Modify the JSON Web Token rule:

      .*\b(ey[a-zA-Z0-9_-]+)\.([a-zA-Z0-9_-]+)\.([a-zA-Z0-9_-]+)\b.*

      to something like:

      .*\b(ey[a-zA-Z0-9_-]{5,})\.([a-zA-Z0-9_-]{5,})\.([a-zA-Z0-9_-]{5,})\b.*
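The following script is an added example, not part of this issue or of Bitbucket's scanner. It runs both rules above over the yarn.lock fragment from the steps to reproduce and over a constructed HS256 token, so you can see that the original rule flags `eyes-0.1.8` while the tightened rule does not, and that both still catch a real token. It assumes the scanner evaluates the rule line by line with regex semantics equivalent to Python's `re` (Bitbucket's engine may differ in details such as `\b`). The extra `looks_like_jwt` check goes beyond the workaround: it decodes the first segment and requires a JSON object with an `alg` member, which is what every JWT header has and what `eyes-0` (base64 of `{'` followed by junk) is not. The `ey` prefix exists only because base64 encodes `{` followed by a space or punctuation character as `ey`, so any base64-encoded JSON object starts that way.

```python
import base64
import hashlib
import hmac
import json
import re

# The rule as shipped (quoted in the issue) and the tightened workaround.
JWT_RULE_ORIGINAL = re.compile(
    r".*\b(ey[a-zA-Z0-9_-]+)\.([a-zA-Z0-9_-]+)\.([a-zA-Z0-9_-]+)\b.*"
)
JWT_RULE_WORKAROUND = re.compile(
    r".*\b(ey[a-zA-Z0-9_-]{5,})\.([a-zA-Z0-9_-]{5,})\.([a-zA-Z0-9_-]{5,})\b.*"
)

# yarn.lock fragment from the issue's steps to reproduce (the false positive).
YARN_LOCK_FRAGMENT = """\
eyes@0.1.x:
  version "0.1.8"
  resolved "https://registry.yarnpkg.com/eyes/-/eyes-0.1.8.tgz#62cf120234c683785d902348a800ef3e0cc20bc0"
"""


def _b64url(raw: bytes) -> str:
    """base64url without padding, as JWT segments are encoded."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_sample_jwt() -> str:
    """Build a syntactically valid HS256 token with a throwaway key (constructed sample, not a real secret)."""
    compact = {"separators": (",", ":")}
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
    payload = _b64url(json.dumps({"sub": "build-bot", "iat": 1700000000}, **compact).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(b"constructed-example-key", signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def scan(rule: re.Pattern, text: str) -> list:
    """Apply a rule line by line; return the three captured segments joined with dots."""
    hits = []
    for line in text.splitlines():
        m = rule.match(line)
        if m:
            hits.append(".".join(m.groups()))
    return hits


def looks_like_jwt(candidate: str) -> bool:
    """Structural check: the first segment must decode to a JSON object that declares 'alg'."""
    head = candidate.split(".")[0]
    try:
        padded = head + "=" * (-len(head) % 4)
        obj = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return False
    return isinstance(obj, dict) and "alg" in obj


if __name__ == "__main__":
    token = make_sample_jwt()
    for name, rule in (("original", JWT_RULE_ORIGINAL), ("workaround", JWT_RULE_WORKAROUND)):
        print(f"{name:10} yarn.lock hits: {scan(rule, YARN_LOCK_FRAGMENT)}")
        print(f"{name:10} token hits:     {len(scan(rule, 'token = ' + token))}")
    for cand in ("eyes-0.1.8", token):
        print(f"looks_like_jwt({cand[:20]}...) = {looks_like_jwt(cand)}")
```

The length heuristic in the workaround removes this particular false positive, but any `ey…` identifier with two dotted, five-character-plus parts (a versioned filename, a hostname) will still fire; the decode-and-parse check is the more robust filter to put behind the regex if the scanner allows a post-match validation step.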

              Sunny Wu
              Yingran Sun
              Votes: 2
              Watchers: 4