
False Positives in the Secret Detection of a .NET solution?

Open mikeKuester opened this issue 1 year ago • 0 comments

Hi,

I'm just starting with Artifactory and Xray. I installed the JFrog CLI and executed the jf audit command in the solution directory. This solution is a .NET 8 project with a WPF client and a web app. The results contain 27 secret detections with medium severity, but I think these are all false positives?

🎃Medium │ C:/source/xxx/sources/xxx/Controlboard.WpfClient/obj/Release/net8.0-windows10.0.19041/win-x64/Controlboard.WpfClient_civxzpp2_wpftmp.assets.cache│ 11:1008 │ Use************ │

  • The obj folder is the intermediate folder for the compiler. I can't control what's in there, and it's a .cache file.
  • At the given position is a package with the name UserSecrets, which seems to be used by Grpc.Core.Api:

Microsoft.Extensions.Configuration.UserSecrets=lib/net8.0/Microsoft.Extensions.Configuration.UserSecrets.dll(Microsoft.Extensions.DependencyInjection7

Full line


24 of the 27 detected "secrets" are this UserSecrets package.

The next one is in the bin/../publish folder.

🎃Medium │ C:/source/xxx/sources/xxx/AppHost/bin/Release/net8.0-windows10.0.19041/win-x64/publish/wwwroot/_content/Microsoft.Fast.Components.FluentUI/lib/monaco-editor/min-maps/vs/base/worker/workerMain.js.map │ 1:734203 │ tok************ │

This file has two findings:

constructor(tokens: Uint32Array, endState: IState) {\n

public readonly tokens: Uint32Array;\n

And the last two secrets have been located in the hidden Visual Studio folder ".vs".

🎃Medium │ C:/source/TSA-Imager/sources/TSA-Imager/.vs/TSA-Imager/config/applicationhost.config │ 126:266 │ ses************ │

OK, there are secrets stored, but these are the secrets for the internally used IIS web server for the local debugging sessions.

            <add name="AesProvider" type="Microsoft.ApplicationHost.AesProtectedConfigurationProvider" description="Uses an AES session key to encrypt and decrypt" keyContainerName="iisConfigurationKey" cspProviderName="" useOAEP="false" useMachineContainer="true" sessionKey="AQIAAA5mAAAApAAA/HKxkz6alrlAPez0IUgujj/6k3WxCDriHp6jvpv3yEZmo7h6SMzGLxo4mTrIQVHSkB7tmElHKfUFTzE2BWF7nFWHY6Z6qmGBauFzwJMwESjril7Gjz69RBFH259HQ6aRDq---------sYv3vKB0QU971tjX6H2B+9armlnC8UOuA6JYMDMI/VLLL16sng0fWAy5JYe0YVABVjiAWDW264RZW9Tr1Oax4qHZKg+SdjULxeOc2YmpX+d0yeITo1HkPF1hN1gHpIPIUDo05ilHUNfR3OkjVCIQK4cFKCq1s8NH+y+13MxUC4Fn1AlQ==" />
            <add name="IISWASOnlyAesProvider" type="Microsoft.ApplicationHost.AesProtectedConfigurationProvider" description="Uses an AES session key to encrypt and decrypt" keyContainerName="iisWasKey" cspProviderName="" useOAEP="false" useMachineContainer="true" sessionKey="AQIAAA5mAAAApAAALmU8lTC+v2qtfQiiiquvvLpUQqKLEXs+jSKoWCM/uPhyB++k4dwug19mGidNK5FYiWK2KYE1yhjVJcbp12E98Q0R2nT7eBiCMY2JairxQ591rqABK7keGaIjwH7PwG---------EkgMUX3jrxJi8LouxaIVPJAv/YQ1ZCWs8zImitxX/C/7o7yaIxznfsN5nGQzQfpUDPeby99aw2zPVTtZI2LaWIBON8guABvZ6JtJVDWmfdK6sodbnwdZkr6/Z2rfvamT1dC1SpQrGG7ulR/f9/GXvCaW10ZVKxekBF/CYlNMg==" />

Do I have to exclude all temporary folders (like obj) or hidden folders (like .vs) manually? If the CLI detects a NuGet solution, isn't it possible that this is done by default, or could there be a real security risk in these folders?

This works: jf audit --nuget --exclusions "*obj*;*.vs*"

The "bin/../publish" folder could not be excluded, so these are real false-positive results, which I could not suppress.

mikeKuester, Nov 14 '24 14:11
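A triage filter for the result table quoted in the issue, added here as an example and not part of the issue or of jfrog-cli: it parses the `🎃Severity │ path │ line:col │ masked │` rows, applies path globs for obj, .vs and bin/.../publish (the folder the poster could not exclude), and separates build-output findings from those that still need review. The globs and the `appsettings.Production.json` row are constructed.

```python
import fnmatch

# Constructed sample findings in the table layout jf audit printed in the issue.
# The first three paths are the poster's own; the appsettings row is made up to
# show a finding that is NOT in build output and therefore must be reviewed.
SAMPLE_FINDINGS = """
🎃Medium │ C:/source/xxx/sources/xxx/Controlboard.WpfClient/obj/Release/net8.0-windows10.0.19041/win-x64/Controlboard.WpfClient_civxzpp2_wpftmp.assets.cache│ 11:1008 │ Use************ │
🎃Medium │ C:/source/xxx/sources/xxx/AppHost/bin/Release/net8.0-windows10.0.19041/win-x64/publish/wwwroot/_content/Microsoft.Fast.Components.FluentUI/lib/monaco-editor/min-maps/vs/base/worker/workerMain.js.map │ 1:734203 │ tok************ │
🎃Medium │ C:/source/TSA-Imager/sources/TSA-Imager/.vs/TSA-Imager/config/applicationhost.config │ 126:266 │ ses************ │
🎃High │ C:/source/xxx/sources/xxx/AppHost/appsettings.Production.json │ 7:22 │ con************ │
"""

# Hypothetical exclusion globs for build intermediates (obj), IDE state (.vs) and
# publish output. fnmatch's '*' also crosses '/', so they work on absolute paths.
BUILD_ARTIFACT_GLOBS = ("*/obj/*", "*/.vs/*", "*/bin/*/publish/*")

def parse_findings(text):
    """Parse '│'-separated result rows into dicts; skips blank or malformed rows."""
    findings = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("│")]
        if len(cells) < 4 or not cells[0]:
            continue
        line_no, col = cells[2].split(":")
        findings.append({
            "severity": cells[0].lstrip("🎃 "),   # drop the emoji prefix
            "path": cells[1],
            "line": int(line_no),
            "col": int(col),
            "masked_secret": cells[3],
        })
    return findings

def is_build_artifact(path, globs=BUILD_ARTIFACT_GLOBS):
    """True when the path lies in a folder the build or the IDE regenerates."""
    normalised = path.replace("\\", "/")   # Windows paths: one glob set for both
    return any(fnmatch.fnmatchcase(normalised, g) for g in globs)

def triage(text, globs=BUILD_ARTIFACT_GLOBS):
    """Split findings into (build_artifacts, needs_review) lists."""
    artifacts, review = [], []
    for f in parse_findings(text):
        (artifacts if is_build_artifact(f["path"], globs) else review).append(f)
    return artifacts, review

if __name__ == "__main__":
    artifacts, review = triage(SAMPLE_FINDINGS)
    print(f"{len(artifacts)} in build/IDE output, {len(review)} to review")
```

Findings in the build-artifact bucket still deserve one check: that the obj, .vs and publish folders are ignored by source control and are not uploaded to Artifactory alongside the real build output.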