Closed HMhamedminaee closed 2 years ago
I believe the tool is detecting test code from public-encrypt. If you look at their source repo (and the paths above), you'll see that these files are all related to tests for that package: https://github.com/crypto-browserify/publicEncrypt/.
It looks like there is already an upstream issue: https://github.com/crypto-browserify/publicEncrypt/pull/19. Once that is resolved and crypto-browserify is updated, we can pick up a new version.
When we run Twistlock on the ibm-cos-sdk package it complains about public-encrypt.

A quick `npm list` shows it is coming from the ibm-cos-sdk package:

```
npm list public-encrypt
└─┬ ibm-cos-sdk@1.11.0
  └─┬ crypto-browserify@3.12.0
    └── public-encrypt@4.0.3
```
More info:
```
Type: compliance
Sev.: high
Description: Private keys stored in image
Found:
  /opt/app-root/node_modules/public-encrypt/test/1024.priv
  /opt/app-root/node_modules/public-encrypt/test/ec.pass.priv
  /opt/app-root/node_modules/public-encrypt/test/ec.priv
  /opt/app-root/node_modules/public-encrypt/test/pass.1024.priv
  /opt/app-root/node_modules/public-encrypt/test/rsa.1024.priv
  /opt/app-root/node_modules/public-encrypt/test/rsa.2028.priv
  /opt/app-root/node_modules/public-encrypt/test/rsa.pass.priv
  /opt/app-root/node_modules/public-encrypt/test/test_key.pem
  /opt/app-root/node_modules/public-encrypt/test/test_rsa_privkey.pem
  /opt/app-root/node_modules/public-encrypt/test/test_rsa_privkey_encrypted.pem
Images affected:
```
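The finding above is a scanner hit on PEM-formatted private keys that ship as test fixtures inside a transitive npm dependency. The script below is an added example, not code from this issue, from Twistlock, or from ibm-cos-sdk or public-encrypt: it walks an image filesystem (or any directory), flags files that begin with a PEM private-key header, and records which npm package owns each hit and whether the file sits under a test or fixture directory, so a reviewer can separate shipped test fixtures from keys that actually need rotation. The set of test-directory names, the PEM header list, and the sample tree (with placeholder key bodies, not real keys) are all assumptions made for the example.

```python
"""Triage private-key files found inside node_modules.

Added example: walks a tree, detects PEM private-key headers, and attributes
each hit to its owning npm package plus whether it lives in a test/fixture
directory. Nothing here comes from Twistlock, ibm-cos-sdk or public-encrypt.
"""
import os
import re
import tempfile
from pathlib import Path

# PEM headers that indicate private-key material (PKCS#1, PKCS#8, EC, OpenSSH).
PEM_PRIVATE_RE = re.compile(
    rb"-----BEGIN (?:RSA |EC |DSA |ENCRYPTED |OPENSSH )?PRIVATE KEY-----"
)
# Assumed directory names that npm packages conventionally use for fixtures.
TEST_DIR_NAMES = {"test", "tests", "__tests__", "fixtures", "spec"}


def classify(rel_parts):
    """Return (owning package or None, True if under a test/fixture dir)
    for path components relative to the scan root."""
    parts = list(rel_parts)
    if "node_modules" not in parts:
        return None, any(p in TEST_DIR_NAMES for p in parts[:-1])
    # Use the innermost node_modules so nested dependencies resolve correctly.
    idx = len(parts) - 1 - parts[::-1].index("node_modules")
    after = parts[idx + 1:]
    if not after:
        return None, False
    if after[0].startswith("@") and len(after) > 1:  # scoped package
        package, rest = after[0] + "/" + after[1], after[2:]
    else:
        package, rest = after[0], after[1:]
    in_test = any(p in TEST_DIR_NAMES for p in rest[:-1])
    return package, in_test


def scan_private_keys(root):
    """Return findings as dicts with path, package and test_fixture keys."""
    root = Path(root)
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            try:
                with open(path, "rb") as fh:
                    head = fh.read(4096)  # header is always near the top
            except OSError:
                continue
            if not PEM_PRIVATE_RE.search(head):
                continue
            package, in_test = classify(path.relative_to(root).parts)
            findings.append({
                "path": str(path.relative_to(root)),
                "package": package,
                "test_fixture": in_test,
            })
    return sorted(findings, key=lambda f: f["path"])


def summarize(findings):
    """Split findings into fixtures (low priority) and keys needing review."""
    return {
        "fixtures": [f for f in findings if f["test_fixture"]],
        "needs_review": [f for f in findings if not f["test_fixture"]],
    }


# Constructed placeholder PEM body; it is not a usable key.
FAKE_PEM = (b"-----BEGIN RSA PRIVATE KEY-----\n"
            b"PLACEHOLDER-NOT-A-REAL-KEY\n"
            b"-----END RSA PRIVATE KEY-----\n")


def build_sample_tree(base):
    """Create a constructed node_modules layout under base and return base."""
    base = Path(base)
    files = {
        "node_modules/public-encrypt/test/rsa.1024.priv": FAKE_PEM,
        "node_modules/@acme/deploy-tools/config/server.pem": FAKE_PEM,
        "node_modules/public-encrypt/README.md": b"# not a key\n",
    }
    for rel, content in files.items():
        target = base / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
    return base


def run_demo():
    """Scan the constructed tree in a temp dir and return the summary."""
    with tempfile.TemporaryDirectory() as tmp:
        return summarize(scan_private_keys(build_sample_tree(tmp)))


if __name__ == "__main__":
    for bucket, items in run_demo().items():
        print(bucket)
        for f in items:
            print(f"  {f['package']}: {f['path']}")
```

Pointing `scan_private_keys` at an extracted image root (for example the directory that contains `/opt/app-root`) reproduces the triage for a real finding; hits in the `fixtures` bucket are candidates for removing test directories from the built image or waiting on the upstream package fix, while anything in `needs_review` should be treated as a leaked secret.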