In a hook handler of Extension:OAuth there is some CI-specific code that adds a public/private key pair for unit tests (https://github.com/wikimedia/mediawiki-extensions-OAuth/blob/927ab22ab9093268a472964b2831c38dc22e0470/src/Backend/Hooks.php#L52-L70). As this is part of the actual production codebase (not part of the tests/ subfolder), it can trigger security scanners like trivy.
Steps to replicate the issue (include links if applicable):
- Build a docker container image that includes the codebase of Extension:OAuth
- Run trivy image on this image
What happens?:
The trivy scanner reports a false positive:
> /var/www/w/extensions/OAuth/src/Backend/Hooks.php (secrets)
> ===============================================================================
> Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
>
> HIGH: AsymmetricPrivateKey (private-key)
> ══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
> Asymmetric Private Key
> ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
> /var/www/w/extensions/OAuth/src/Backend/Hooks.php:26 (added by 'COPY dir:d42d2d610f2def6b5ebf332507ee030')
> ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
> 24 if ( defined( 'MW_PHPUNIT_TEST' ) || ( $wgWikimediaJenkinsCI ?? false ) ) {
> 25 $wgOAuth2PrivateKey = <<<EOK
> 26 [ -----BEGIN RSA PRIVATE KEY-----****************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************-----END RSA PRIVATE KEY-----
> 27 EOK;
What should have happened instead?:
As this code is only for testing purposes, it should live in the respective test location (the tests/ subfolder), so security scanners can be configured to ignore it.
Software version:
REL1_39 - master branches (most likely others as well) of Extension:OAuth
Other information:
This issue could probably be mitigated by moving such code into the respective unit test implementation, so that no key material remains in the production source tree.
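One way to do that, as an added example that is not the extension's own code: instead of embedding a PEM literal anywhere in the repository, the test case generates a throwaway RSA key pair at runtime and injects it through the test framework. With no PEM block checked in, a secret scanner such as trivy has nothing to match. The class name, namespace and test method are hypothetical; it assumes MediaWikiIntegrationTestCase::setMwGlobals() is available (it is in REL1_39) and that the extension reads $wgOAuth2PrivateKey and $wgOAuth2PublicKey as PEM strings.

```php
<?php
// Added example, not code from Extension:OAuth. Assumptions: the test base class
// MediaWikiIntegrationTestCase provides setMwGlobals(), and the extension consumes
// $wgOAuth2PrivateKey / $wgOAuth2PublicKey as PEM strings.

namespace MediaWiki\Extension\OAuth\Tests\Integration;

use MediaWikiIntegrationTestCase;

class OAuth2EphemeralKeyTest extends MediaWikiIntegrationTestCase {

	/**
	 * Generate a throwaway RSA key pair for this test process only.
	 * Returns [ privatePem, publicPem ]. Nothing here is a persisted secret,
	 * and nothing resembling a key ever appears in the source tree.
	 */
	private static function generateKeyPair(): array {
		$res = openssl_pkey_new( [
			'private_key_bits' => 2048,
			'private_key_type' => OPENSSL_KEYTYPE_RSA,
		] );
		if ( $res === false ) {
			throw new \RuntimeException( 'openssl_pkey_new failed: ' . openssl_error_string() );
		}
		if ( !openssl_pkey_export( $res, $privatePem ) ) {
			throw new \RuntimeException( 'openssl_pkey_export failed' );
		}
		$details = openssl_pkey_get_details( $res );
		return [ $privatePem, $details['key'] ];
	}

	protected function setUp(): void {
		parent::setUp();
		[ $privatePem, $publicPem ] = self::generateKeyPair();
		// setMwGlobals() restores the previous values in tearDown(), so the
		// ephemeral key never leaks into other tests or into production config.
		$this->setMwGlobals( [
			'wgOAuth2PrivateKey' => $privatePem,
			'wgOAuth2PublicKey' => $publicPem,
		] );
	}

	public function testGeneratedKeysAreAValidPair(): void {
		global $wgOAuth2PrivateKey, $wgOAuth2PublicKey;

		$priv = openssl_pkey_get_private( $wgOAuth2PrivateKey );
		$this->assertNotFalse( $priv, 'private key PEM parses' );
		$pub = openssl_pkey_get_public( $wgOAuth2PublicKey );
		$this->assertNotFalse( $pub, 'public key PEM parses' );

		// A sign/verify round trip proves the two halves belong together,
		// which is all the extension's OAuth2 token code needs from them.
		$this->assertTrue( openssl_sign( 'probe', $sig, $priv, OPENSSL_ALGO_SHA256 ) );
		$this->assertSame( 1, openssl_verify( 'probe', $sig, $pub, OPENSSL_ALGO_SHA256 ) );
	}
}
```

Generating the pair per test run costs a few milliseconds for a 2048-bit key and removes the need for any scanner allow-list; the production hook in src/Backend/Hooks.php can then drop its MW_PHPUNIT_TEST / $wgWikimediaJenkinsCI branch entirely.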