AxaFrance / oidc-client

Light, Secure, Pure Javascript OIDC (Open ID Connect) Client. We provide also a REACT wrapper (compatible NextJS, etc.).
MIT License

Snyk issue: code analysis (CWE-547) #1408

Closed pgangwani closed 1 month ago

pgangwani commented 1 month ago

Issue and Steps to Reproduce

Hello @guillaume-chervet and maintainers, I am seeing the below error from Snyk in analysis:

Avoid hardcoding values that are meant to be secret. Found a hardcoded string used in here. CWE-547

Versions

all versions (7.18.1 and above)

Screenshots

Screenshot 2024-07-11 at 7 05 04 PM

Expected

No snyk issue should come from library generated files

Actual

CWE-547 is found in public files specifically OidcServiceWorker.js

Additional Details

guillaume-chervet commented 1 month ago

hi @pgangwani thank you again for your issue :)

It is a false positive. These values are not secrets.

pgangwani commented 1 month ago

Yeah, I understand it is treating it as hardcoding of an access token, but actually this is a placeholder. There is a recommendation in the tool: Screenshot 2024-07-12 at 11 19 31 AM

Not sure if we can do this. This might break. Thoughts?

jafin commented 1 month ago

@pgangwani that recommendation appears to be for a secret; as @guillaume-chervet has hinted, this is not a secret, it's a const value. I think the best thing you may try is in Snyk to set the issue to ignore as a false positive.

pgangwani commented 1 month ago

If any of you can answer #1420, I can close both.

pgangwani commented 1 month ago

Closing as last comment in #1420