
serverless/components has a number of potential security flaws as identified by a VeraCode static scan

Open iamle0pard opened this issue 4 years ago • 0 comments

If you run a VeraCode static security scan against the serverless folder and the files within 'node_modules', you will see that there are a number of flaws identified.

Currently using serverless version: 1.72.0

Please note that VeraCode often finds the word "pass" or "secret" and assumes those are hard coded values of real passwords. I am filing this so you are aware of the issue(s) and can fix them, if needed. If they are false positives, please let me know so I can triage any issues in our scan results identified as such.

I'm not saying all of these issues are 100% true security issues. I am simply reporting what VeraCode has indicated. What you will find is that many times their algorithm only looks for keywords and then flags it. For instance, anywhere the word 'Secret', 'Pass', or 'Password' is in the code, it will flag it as 'Use of Hard-coded Password'. In 99% of the cases this is a false positive. There may be many more like this.

Since it is a static code analysis done by their internal AI/algorithms, it doesn't have the ability to process the preceding lines to see if the flagged line is actually being protected by code that precedes it. I believe they err on the side of "flag it and then let the end user determine if it is a true issue or a false positive".

I'm just reporting these items as a notification to everyone on the project. If it is determined that there are no real security issues, then that is great! Internally I can flag them in our own VeraCode scan report as such to remove them from the results. We do this to ensure we don't ship code that has vulnerabilities in it, so that is also why I'm reporting it; if one of these was an actual security issue, it would be good to get it fixed.

Here are the specific files (with paths and code at that line number) for each item they reported:

CWE-259: Use of Hard-coded Password (http://cwe.mitre.org/data/definitions/259.html)

/components/src/cli/commands-cn/utils.js: 140 providers.tencent.TENCENT_SECRET_ID = 'SecretId';

/components/src/cli/commands/utils.js: 119 providers.aws.AWS_SECRET_ACCESS_KEY = 'secretAccessKey';

/components/src/cli/commands-cn/utils.js: 141 providers.tencent.TENCENT_SECRET_KEY = 'SecretKey';

CWE-201: Exposure of Sensitive Information Through Sent Data (http://cwe.mitre.org/data/definitions/201.html)

/components/src/cli/CLI.js: 130 process.stdout.write(color(content));

/platform-client-china/src/utils.js: 99 req.write(options.data);

/platform-client-china/src/index.js: 493 self.intercepts.stdout.write(...logs);

/platform-client/src/index.js: 578 self.intercepts.stdout.write(...logs)

/components/src/cli/CLI.js: 189 process.stdout.write(white(msg));

/platform-client-china/src/index.js: 495 self.intercepts.stderr.write(...logs);

/platform-client/src/index.js self.intercepts.stderr.write(...logs)

iamle0pard, Jun 19 '20 17:06
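The reporter's point about keyword-based "hard-coded password" findings is worth seeing in working code. The block below is an added example, not code from serverless/components and not VeraCode's detection logic: it runs a naive keyword scan of the kind the report describes over a constructed source sample (which reuses the three CWE-259 lines quoted above plus lines made up here), then applies a triage heuristic that separates a string literal that merely names a field or environment variable (short, identifier-shaped, low entropy) from one that plausibly is a credential (long, several character classes or high entropy). The "credential" in the sample is AWS's published documentation example key, not a real secret, and the thresholds (16 characters, 3 character classes, 3.5 bits/char) are assumptions chosen for illustration.

```javascript
// Added example (not from serverless/components or VeraCode).
// Stage 1 reproduces the keyword-only behaviour the report describes;
// stage 2 is a triage heuristic to sort its output before a human looks.

const SECRET_KEYWORDS = /secret|pass(word)?|token|api[_-]?key/i;

// One simple-assignment-of-a-string-literal per line, e.g.
//   providers.aws.AWS_SECRET_ACCESS_KEY = 'secretAccessKey';
const ASSIGNMENT = /^\s*(?:const|let|var)?\s*([\w.]+)\s*=\s*(['"])(.*?)\2\s*;?\s*$/;

// Stage 1: flag every assignment whose target name contains a secret-ish keyword.
// This is the behaviour that produces the false positives in the report.
function keywordScan(source) {
  const findings = [];
  source.split('\n').forEach((text, i) => {
    const m = text.match(ASSIGNMENT);
    if (m && SECRET_KEYWORDS.test(m[1])) {
      findings.push({ line: i + 1, target: m[1], literal: m[3] });
    }
  });
  return findings;
}

// Shannon entropy of a string in bits per character.
function entropyBits(s) {
  const counts = {};
  for (const ch of s) counts[ch] = (counts[ch] || 0) + 1;
  let h = 0;
  for (const c of Object.values(counts)) {
    const p = c / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Stage 2: does the literal look like a credential rather than a field name?
// Thresholds are assumptions for this example: a real secret is usually long
// and mixes character classes (or is high-entropy); a name such as
// 'secretAccessKey' is short, letters only and low-entropy.
function looksLikeSecretValue(literal) {
  if (literal.length < 16) return false;
  const classes = [/[a-z]/, /[A-Z]/, /[0-9]/, /[^A-Za-z0-9]/]
    .filter((re) => re.test(literal)).length;
  return classes >= 3 || entropyBits(literal) > 3.5;
}

function triage(findings) {
  return findings.map((f) => ({
    ...f,
    verdict: looksLikeSecretValue(f.literal) ? 'review' : 'likely false positive (field name)',
  }));
}

// Constructed sample: the three lines quoted in the report, two lines made up
// here, and AWS's documentation example key standing in for a real credential.
const SAMPLE_SOURCE = [
  "providers.tencent.TENCENT_SECRET_ID = 'SecretId';",
  "providers.tencent.TENCENT_SECRET_KEY = 'SecretKey';",
  "providers.aws.AWS_SECRET_ACCESS_KEY = 'secretAccessKey';",
  "const tencentSecretField = 'tencentSecretAccessKey';",
  "const region = 'us-east-1';",
  "const awsSecretAccessKey = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY';",
].join('\n');

function runDemo() {
  return triage(keywordScan(SAMPLE_SOURCE));
}

for (const f of runDemo()) {
  console.log(`line ${f.line}: ${f.target} = '${f.literal}' -> ${f.verdict}`);
}
```

The keyword stage flags five of the six lines (everything except `region`), exactly the behaviour the report complains about; the triage stage keeps only the documentation example key for review and marks the three quoted lines and the longer made-up name as likely false positives. The heuristic is a sorting aid, not a verdict: a short real password (`'hunter2'`) would slip through as a "name", so confirmed triage still means reading where the assigned value comes from and where it is sent.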