
SVG path in React component is detected and constants as hard coded credentials

Open · pindamonhangaba opened this issue 4 years ago · 1 comment

Describe the bug

When running on a React project, SVG files with a path and constants with "authorize" (?) in the name are marked as "High".

Expected behavior

SVGs are not credentials.

Screenshots

[image]

pindamonhangaba, Aug 20 '21 12:08

Having about the same issue. Moreover, excluding SVG files does not help.

Insider launch

docker run --rm -v $(pwd):/target-project insidersec/insider -v -tech javascript -target /target-project -exclude client/public/res/* -exclude test/*

Output

...
CVSS 7
Severity 
Class pencil.svg (0:0)
VulnerabilityID d3fcec32a5bdfc4891b31b00d27d9d0c
Description Credentials must not be stored in the code, an attacker could decompile the application and obtain the credential.
ClassMessage client/public/res/icons/streamline/pencil.svg (0:0)
Recomendation There are ‘Secrets Management’ solutions that can be used to store secrets.
...

juris, Dec 02 '21 11:12
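To make the false positive reported in both posts concrete, here is an added example (not insider's own rule or code) of a naive hard-coded-credential heuristic that flags an SVG path string and an `authorize`-named constant, next to a refined check that skips asset files, whitespace-containing values and URL paths and relies on value entropy instead. The sample files, file names and the `sk_live_...` value are all constructed for the example.

```python
"""Naive vs refined hard-coded-credential heuristic; constructed example,
not insider's own rule or code."""
import math
import re

# Constructed sample files (no real project, the key value is made up).
SAMPLES = {
    "client/public/res/icons/streamline/pencil.svg":
        '<svg><path d="M12.3 4.5C10.1 2.2 7.4 1.8 5.6 3.9L2.1 7.4 9.8 15.1 '
        '13.3 11.6C15.2 9.8 14.7 7 12.3 4.5Z"/></svg>',
    "src/components/LoginButton.jsx":
        'export const authorizeEndpoint = "/api/v1/oauth/authorize?client=web";',
    "src/config.js":
        'const stripeKey = "sk_live_9fA3kQ7xL2mP8vR1tZ6yB4nC0dE5gH";',
}

# Naive rule: a credential-looking word anywhere in the identifier, or any
# quoted literal of 32+ characters that mixes letters and digits.
NAME_RULE = re.compile(r'(?i)\b\w*(auth|key|secret|token|password)\w*\s*=\s*"([^"]+)"')
BLOB_RULE = re.compile(r'"([^"]{32,})"')

def naive_scan(path, text):
    hits = [m.group(2) for m in NAME_RULE.finditer(text)]
    hits += [m.group(1) for m in BLOB_RULE.finditer(text)
             if re.search(r"[A-Za-z]", m.group(1)) and re.search(r"\d", m.group(1))]
    return list(dict.fromkeys(hits))  # de-duplicate, keep order

def shannon_entropy(s):
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

ASSET_SUFFIXES = (".svg", ".png", ".jpg", ".gif", ".woff", ".woff2")
STRONG_NAME = re.compile(r"(?i)(api_?key|key|secret|token|password|passwd)$")

def refined_scan(path, text):
    if path.lower().endswith(ASSET_SUFFIXES):
        return []                      # geometry and binary assets are never credentials
    hits = []
    for m in re.finditer(r'(\w+)\s*[:=]\s*"([^"]+)"', text):
        name, value = m.group(1), m.group(2)
        if " " in value or value.startswith(("/", "http://", "https://")):
            continue                   # SVG path data and URL paths, not secrets
        looks_random = len(value) >= 16 and shannon_entropy(value) >= 4.5
        if looks_random or (STRONG_NAME.search(name) and len(value) >= 8):
            hits.append((name, value))
    return hits

def scan_all(scanner):
    results = {path: scanner(path, text) for path, text in SAMPLES.items()}
    return {path: hits for path, hits in results.items() if hits}
```

`scan_all(naive_scan)` reports all three files, while `scan_all(refined_scan)` reports only `src/config.js`.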