trivy icon indicating copy to clipboard operation
trivy copied to clipboard
Published 4 months ago verified publisher icon aquasecurity

perf(secret): only match secrets of meaningful length, allow example strings to not be matched

Open PT-GD opened this issue 1 year ago • 3 comments

Description

This change requires a potentially matching secret Base64 text to be at least 64 characters long. This would be the typical encoded length of the smallest possible library-supported RSA private key, 384 bits. (n.b. 384*1.33/8 = 63.8)

Any actual key smaller than this matching rule is not usable with existing library implementations and is also small that it can't really be considered a practical "secret." It would be trivially crackable and also result in unusably small block sizes.

Related issues

  • Close #7700

Checklist

  • [X] I've read the guidelines for contributing to this repository.
  • [X] I've followed the conventions in the PR title.
  • [ ] I've added tests that prove my fix is effective or that my feature works.
  • [N/A] I've updated the documentation with the relevant information (if needed).
  • [N/A] I've added usage information (if the PR introduces new options)
  • [N/A] I've included a "before" and "after" example to the description (if the PR is a user interface change).

PT-GD avatar Mar 24 '25 15:03 PT-GD

CLA assistant check
All committers have signed the CLA.

CLAassistant avatar Mar 24 '25 15:03 CLAassistant

Can anyone familiar with the test framework help write updates to https://github.com/aquasecurity/trivy/blob/main/pkg/fanal/secret/scanner_test.go#L528 and the other tests related to AsymmetricPrivateKey?

I don't see any negative test assertions in the suite. I'd think we want tests which continue to find matches for longer strings but now don't find matches for shorter strings.

PT-GD avatar Mar 24 '25 15:03 PT-GD

Hello @PT-GD Thanks for your work!

Can anyone familiar with the test framework help write updates to https://github.com/aquasecurity/trivy/blob/main/pkg/fanal/secret/scanner_test.go#L528 and the other tests related to AsymmetricPrivateKey?

You can add one more key with lower lenght in asymmetric-private-key.txt (like i added key in line 6). This will prove that Trivy correctly finds secret with valid length and ignores secret if length is less than valid length.

DmitriyLewen avatar Mar 25 '25 04:03 DmitriyLewen

This PR is stale because it has been labeled with inactivity.

github-actions[bot] avatar May 25 '25 00:05 github-actions[bot]