PythonCharmers / python-future

Easy, clean, reliable Python 2/3 compatibility
http://python-future.org
MIT License

PrismaScan Flags Critical Issue With Private Keys #590

Open juls858 opened 2 years ago

juls858 commented 2 years ago

Actual Behavior

Copied from here

PrismaScan: https://vscanapidoc.redlock.io

Our company uses PrismaScan to scan container images for vulnerabilities.

The backports test module contains private keys which are causing this alert.

```json
{
  "compliances": [
    {
      "id": 425,
      "title": "Private keys stored in image",
      "severity": "high",
      "cause": "Found: /opt/conda/lib/python3.9/site-packages/future/backports/test/badcert.pem, /opt/conda/lib/python3.9/site-packages/future/backports/test/badkey.pem, /opt/conda/lib/python3.9/site-packages/future/backports/test/keycert.passwd.pem, /opt/conda/lib/python3.9/site-packages/future/backports/test/keycert.pem, /opt/conda/lib/python3.9/site-packages/future/backports/test/keycert2.pem, /opt/conda/lib/python3.9/site-packages/future/backports/test/ssl_key.passwd.pem, /opt/conda/lib/python3.9/site-packages/future/backports/test/ssl_key.pem, /opt/conda/pkgs/future-0.18.2-py39h06a4308_1/lib/python3.9/site-packages/future/backports/test/badcert.pem, /opt/conda/pkgs/future-0.18.2-py39h06a4308_1/lib/python3.9/site-packages/future/backports/test/badkey.pem, /opt/conda/pkgs/future-0.18.2-py39h06a4308_1/lib/python3.9/site-packages/future/backports/test/keycert.passwd.pem, /opt/conda/pkgs/future-0.18.2-py39h06a4308_1/lib/python3.9/site-packages/future/backports/test/keycert.pem, /opt/conda/pkgs/future-0.18.2-py39h06a4308_1/lib/python3.9/site-packages/future/backports/test/keycert2.pem, /opt/conda/pkgs/future-0.18.2-py39h06a4308_1/lib/python3.9/site-packages/future/backports/test/ssl_key.passwd.pem, /opt/conda/pkgs/future-0.18.2-py39h06a4308_1/lib/python3.9/site-packages/future/backports/test/ssl_key.pem"
    }
  ]
}
```

Expected Behavior

No security alert should be flagged as these are tests, or test distributed code should not include private keys.

Steps to Reproduce

1. Create a container image with Miniconda. I am using this image from DockerHub: continuumio/miniconda3
2. Run PrismaScan

Anaconda or Miniconda version:
Operating System:

Docker Image: continuumio/miniconda3:4.9.2-alpine

conda info

```
     active environment : None
       user config file : /home/app/.condarc
 populated config files :
          conda version : 4.10.3
    conda-build version : not installed
         python version : 3.9.5.final.0
       virtual packages : __linux=5.10.25=0
                          __glibc=2.32=0
                          __unix=0=0
                          __archspec=1=x86_64
       base environment : /opt/conda  (read only)
      conda av data dir : /opt/conda/etc/conda
  conda av metadata url : None
           channel URLs : https://repo.anaconda.com/pkgs/main/linux-64
                          https://repo.anaconda.com/pkgs/main/noarch
                          https://repo.anaconda.com/pkgs/r/linux-64
                          https://repo.anaconda.com/pkgs/r/noarch
          package cache : /opt/conda/pkgs
                          /home/app/.conda/pkgs
       envs directories : /home/app/.conda/envs
                          /opt/conda/envs
               platform : linux-64
             user-agent : conda/4.10.3 requests/2.25.1 CPython/3.9.5 Linux/5.10.25-linuxkit alpine/3.12.1 glibc/2.32
                UID:GID : 1000:1000
             netrc file : None
           offline mode : False
```
conda list --show-channel-urls
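The finding above is a scanner matching `.pem` files by content, so triage comes down to two questions: does the file actually hold a private-key block (a certificate-only PEM is not a secret), and does it live under a test directory as the `future/backports/test/` fixtures do. The script below is an added example, not code from python-future or PrismaScan; it walks a site-packages tree, keeps only PEM files with a private-key block, and labels each as a test fixture or a shipped private key. The `test`/`tests`/`testing` directory names and the sample tree are assumptions constructed for the demo.

```python
"""Triage a 'private keys stored in image' finding (added example, not
python-future or PrismaScan code): report every PEM file under a tree
that carries a private-key block and whether it is a test fixture."""
import os
import re
import tempfile

# PEM private-key block headers: PKCS#1 (RSA), EC, PKCS#8 and encrypted PKCS#8.
KEY_MARKER = re.compile(rb"-----BEGIN (?:RSA |EC |ENCRYPTED )?PRIVATE KEY-----")
# Directory names treated as test fixtures (assumption for this example).
TEST_DIRS = {"test", "tests", "testing"}


def classify_pem_files(root):
    """Return {relative_path: 'test-fixture' | 'private-key'} for every
    .pem file under root that contains a private-key block.
    Certificate-only PEM files are skipped: they are public material."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".pem"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                if not KEY_MARKER.search(fh.read()):
                    continue
            rel = os.path.relpath(path, root)
            parent_dirs = set(rel.split(os.sep)[:-1])
            kind = "test-fixture" if parent_dirs & TEST_DIRS else "private-key"
            findings[rel] = kind
    return findings


def build_sample_tree():
    """Constructed sample tree mirroring the scanner's paths; bodies are
    placeholders, not real key material."""
    root = tempfile.mkdtemp()
    fixture_dir = os.path.join(root, "future", "backports", "test")
    os.makedirs(fixture_dir)
    with open(os.path.join(fixture_dir, "ssl_key.pem"), "wb") as fh:
        fh.write(b"-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n")
    with open(os.path.join(fixture_dir, "ca_bundle.pem"), "wb") as fh:  # cert only
        fh.write(b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n")
    app_dir = os.path.join(root, "myapp", "config")  # a key that should not ship
    os.makedirs(app_dir)
    with open(os.path.join(app_dir, "server.pem"), "wb") as fh:
        fh.write(b"-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n")
    return root


if __name__ == "__main__":
    for rel, kind in sorted(classify_pem_files(build_sample_tree()).items()):
        print(f"{kind:13s} {rel}")
```

Run it against `/opt/conda/lib/python3.9/site-packages` to split the fixture hits from anything that warrants a real secret-rotation response; the fixture paths can then be deleted from the image or excluded from the policy.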