This repository is for active development of the Azure SDK for .NET. For consumers of the SDK we recommend visiting our public developer docs at https://learn.microsoft.com/dotnet/azure/ or our versioned developer docs at https://azure.github.io/azure-sdk-for-net.
MIT License
[EngSys] Sanitize 8 false positive CredScan leaks in Synapse #24911
It seems we are using a (clearly fake) secret in our recordings: `clientSecret`. Example: https://github.com/Azure/azure-sdk-for-net/blob/cbef31d9894a62cddb2140b05fa3f64c03abf30f/sdk/synapse/Azure.Analytics.Synapse.Artifacts/tests/SessionRecords/NotebookClientLiveTests/TestGetNotebookAsync.json#L1607

CredScan doesn't seem to realize it's not an actual secret (reported here), so it's detecting 8 leaks.

We have two options here:

1. Add the string `clientSecret` to our CredScan suppression file.
2. Update the Synapse tests to stop using the string `clientSecret` and start using one of the strings already being suppressed in the suppression file above (such as `__CLIENT_SECRET__`). Tests need to be recorded again in this case.

1 is way easier but we are trying to keep the suppression file clean. We should investigate how feasible it is to follow approach 2 and choose one of them.
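Before choosing between the two options it helps to know exactly where the 8 flagged values live. The script below is an added example, not code from the azure-sdk-for-net repository: it walks a recorded session, reports the JSON path of every string value equal to the fake `clientSecret`, and produces a copy with that value swapped for the already-suppressed `__CLIENT_SECRET__`. It assumes (the issue does not say) that session records are JSON files, that request and response bodies may be stored as JSON-encoded strings, and that the flagged value occurs as a whole string value, which is what a suppression entry like `__CLIENT_SECRET__` matches against. The sample recording is constructed for the example and is not the file linked in the issue.

```python
"""Find and rewrite the fake `clientSecret` value in recorded test sessions.

Added example, not code from the azure-sdk-for-net repository.  Assumptions
the issue does not state: session records are JSON files, request and
response bodies may be stored as JSON-encoded strings, and the flagged
value appears as a whole string value (which is what a CredScan suppression
entry such as "__CLIENT_SECRET__" matches against).
"""
import json
from pathlib import Path
from typing import Any, Dict, List, Tuple

FAKE_SECRET = "clientSecret"        # the value CredScan flags, per the issue
PLACEHOLDER = "__CLIENT_SECRET__"   # already in the suppression file, per the issue


def sanitize(node: Any, fake: str = FAKE_SECRET, placeholder: str = PLACEHOLDER,
             path: str = "$") -> Tuple[Any, List[str]]:
    """Walk a parsed JSON document and return (rewritten copy, paths of hits).

    Only string *values* are compared; keys are left alone because a key named
    clientSecret is not a leak by itself.  A string value that itself parses as
    a JSON object or array (how recorded bodies are stored) is decoded, walked,
    and re-encoded only if something inside it changed.
    """
    if isinstance(node, str):
        if node == fake:
            return placeholder, [path]
        try:
            inner = json.loads(node)
        except ValueError:
            return node, []
        if isinstance(inner, (dict, list)):
            new_inner, hits = sanitize(inner, fake, placeholder, path + "(json)")
            return (json.dumps(new_inner) if hits else node), hits
        return node, []
    if isinstance(node, list):
        items = [sanitize(v, fake, placeholder, f"{path}[{i}]") for i, v in enumerate(node)]
        return [v for v, _ in items], [h for _, hs in items for h in hs]
    if isinstance(node, dict):
        out: Dict[str, Any] = {}
        hits: List[str] = []
        for key, value in node.items():
            out[key], found = sanitize(value, fake, placeholder, f"{path}.{key}")
            hits.extend(found)
        return out, hits
    return node, []          # numbers, booleans, null


def find_hits(doc: Any) -> List[str]:
    """JSON paths of every fake-secret value in one recording, without modifying it."""
    return sanitize(doc)[1]


def scan_session_records(root: Path, rewrite: bool = False) -> Dict[str, List[str]]:
    """Map every recording under `root` that contains the fake secret to its hit
    paths; with rewrite=True the cleaned documents are written back in place."""
    report: Dict[str, List[str]] = {}
    for file in sorted(root.rglob("*.json")):
        doc = json.loads(file.read_text(encoding="utf-8"))
        cleaned, hits = sanitize(doc)
        if hits:
            report[str(file)] = hits
            if rewrite:
                file.write_text(json.dumps(cleaned, indent=2) + "\n", encoding="utf-8")
    return report


# Constructed sample shaped like an Azure SDK session record (request body
# stored as a JSON-encoded string); it is not taken from the repository.
SAMPLE_RECORDING = {
    "Entries": [
        {
            "RequestUri": "https://example.dev.azuresynapse.net/notebooks/nb1?api-version=2019-06-01-preview",
            "RequestBody": json.dumps(
                {"properties": {"clientSecret": {"type": "SecureString", "value": "clientSecret"}}}
            ),
            "ResponseBody": {"properties": {"auth": {"clientSecret": "clientSecret"}}},
        }
    ],
    "Variables": {"RandomSeed": "12345"},
}

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_RECORDING):
        print("hit:", hit)
    cleaned, hits = sanitize(SAMPLE_RECORDING)
    print(f"{len(hits)} value(s) replaced; remaining hits: {find_hits(cleaned)}")
```

Run `scan_session_records(Path("sdk/synapse"))` to list the files and paths that should account for the 8 reported leaks. The issue's option 2 is to change the tests and re-record, not to patch recordings in place; `rewrite=True` is only a way to confirm that no `clientSecret` value survives, and whether a rewritten recording still plays back depends on how the test framework matches request bodies, which the issue does not cover.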