aws / aws-sdk-net

The official AWS SDK for .NET. For more information on the AWS SDK for .NET, see our web site:
http://aws.amazon.com/sdkfornet/
Apache License 2.0

AWSSDK.Core triggers CWE-798 - Hardcoded credentials #3240

Closed skirk-mpr closed 6 months ago

skirk-mpr commented 7 months ago

Describe the bug

This is more of an FYI but our organization just turned on AWS Inspector for AWS Lambda and we are getting false positives for the finding CWE-798 - Hardcoded credentials in AWSSDK.Core.

From the finding it looks like it's complaining because the string 'password' is contained within the name of a property (EC2InstancePassword).


Expected Behavior

Not trigger CWE-798 - Hardcoded credentials

Current Behavior

Triggers CWE-798 - Hardcoded credentials

Reproduction Steps

Deploy Lambda with AWSSDK.Core and run AWS Inspector against it.

Possible Solution

No response

Additional Information/Context

No response

AWS .NET SDK and/or Package version used

AWSSDK.Core

Targeted .NET Platform

.NET 6

Operating System and version

AmazonLinux
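The false positive described in this report comes from a detector that reacts to the word "password" inside an identifier, even when the assigned literal is only a settings key name. The following Python is an added illustration, not code from the SDK or from Amazon Inspector: it runs a naive name-only heuristic and a context-aware one over a few constructed C#-style lines (none of them real SDK source) and shows that the context-aware version leaves a name-restating constant such as `EC2InstancePassword = "EC2InstancePassword"` alone while still catching literals that actually look like credentials.

```python
import re

# Constructed sample lines in the style of C# settings constants.
# They are illustrative only; none of the values are real credentials
# and none of the lines are taken from the AWS SDK source.
SAMPLE_SOURCE = """\
public const string EC2InstancePassword = "EC2InstancePassword";
public const string AccessKey = "AWSAccessKey";
public const string DbPassword = "Tr0ub4dor&3xample";
public static readonly string ApiToken = "hunter2-not-real-xxxxxxxx";
string password = Environment.GetEnvironmentVariable("DB_PASSWORD");
string Password = "";
"""

# Words that make an identifier look credential-related.
CREDENTIAL_NAME = re.compile(r"(pass(word|wd)?|secret|token|api[_-]?key)", re.IGNORECASE)

# identifier = "literal";  (single-line string assignment, C#-style)
ASSIGNMENT = re.compile(r'\b(?P<name>[A-Za-z_]\w*)\s*=\s*"(?P<value>[^"]*)"\s*;')


def naive_findings(source):
    """Name-only heuristic: flag every line that mentions a credential-like word.

    This is the behaviour that produces the CWE-798 false positive on a
    constant whose *name* contains 'Password'.
    """
    return [line for line in source.splitlines() if CREDENTIAL_NAME.search(line)]


def looks_like_secret_value(name, value):
    """Decide whether a string literal assigned to a credential-like name is plausibly a secret."""
    # Empty strings carry no credential.
    if not value:
        return False
    # A literal that merely restates the identifier is a key/label, not a credential.
    # This is exactly the EC2InstancePassword pattern reported in the thread.
    if value.lower() == name.lower():
        return False
    # Obvious placeholders are not secrets either.
    if value.lower() in {"changeme", "placeholder", "<redacted>", "todo"}:
        return False
    # Require some variety of character classes and a minimum length.
    classes = sum(
        bool(re.search(pattern, value))
        for pattern in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    )
    return len(value) >= 8 and classes >= 2


def refined_findings(source):
    """Context-aware heuristic: flag only assignments of a credential-looking literal
    to a credential-like identifier. Returns one dict per finding."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        match = ASSIGNMENT.search(line)
        if not match:
            continue
        name, value = match.group("name"), match.group("value")
        if CREDENTIAL_NAME.search(name) and looks_like_secret_value(name, value):
            findings.append({"line": lineno, "name": name, "value": value})
    return findings


if __name__ == "__main__":
    print("naive:", len(naive_findings(SAMPLE_SOURCE)), "lines flagged")
    for f in refined_findings(SAMPLE_SOURCE):
        print(f"refined: line {f['line']} {f['name']} looks like a hardcoded credential")
```

The name-only pass flags five of the six sample lines, including the settings-key constant and the line that reads the value from an environment variable; the context-aware pass reports only the two literals that have the shape of a real secret. Heuristics like `looks_like_secret_value` still need tuning for a given code base, but the "value restates the name" rule is the cheap check that would have avoided this particular finding.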

ashishdhingra commented 7 months ago

This appears to be a false CWE at https://github.com/aws/aws-sdk-net/blob/81f29dcfc1165751396dea661cf98fb0112285a0/sdk/src/Core/Amazon.Runtime/Internal/Settings/SettingsConstants.cs#L82. It's just a constant name that is used in downstream logic. Needs review with the team if there is a workaround to ignore this CWE.

ashishdhingra commented 7 months ago

P124646133

ashishdhingra commented 7 months ago

@skirk-mpr I reviewed this issue with the team. There doesn't appear to be a way to ignore this false positive reported by AWS Inspector. I have opened an internal ticket with the AWS Inspector team to get their input on how to disable such false positives. I would report any updates here as they become available.

skirk-mpr commented 7 months ago

@ashishdhingra -- thanks so much, appreciate you circling back regarding this! Figured there wasn't really something warranting a fix on the SDK side, but either way, wanted to flag it so your team was aware.

Also, a similar thing is getting flagged with Amazon.Extensions.CognitoAuthentication


ashishdhingra commented 7 months ago

@skirk-mpr Additionally, you might refer to Suppressing Amazon Inspector findings with suppression rules on how to create a rule to suppress such warnings.
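A suppression rule is the workaround the comment above points at, and the practical risk with it is scoping: a rule that matches only on the CWE title silences that finding for every resource in the account. The Python below is an added example, not part of this thread or of the AWS SDK, that builds the filter criteria for a rule limited to one Lambda function and refuses to create a rule that carries no resource scope. The criteria key names (`findingType`, `title`, `lambdaFunctionName`), the `CODE_VULNERABILITY` finding type and the `inspector2` `create_filter` call follow the Inspector2 CreateFilter API as the author of this example understands it; the function name `orders-api` is a constructed placeholder.

```python
# Added example: composing a narrowly scoped Amazon Inspector suppression rule.
# Filter key names and comparison operators are assumed from the Inspector2
# CreateFilter API; check them against the current API reference before use.

SCOPING_KEYS = {"lambdaFunctionName", "resourceId", "resourceTags"}
ALLOWED_COMPARISONS = {"EQUALS", "PREFIX", "NOT_EQUALS"}


def string_filter(value, comparison="EQUALS"):
    """One StringFilter entry as used inside Inspector2 FilterCriteria lists."""
    if comparison not in ALLOWED_COMPARISONS:
        raise ValueError(f"unsupported comparison {comparison!r}")
    if not value:
        raise ValueError("filter value must not be empty")
    return {"comparison": comparison, "value": value}


def build_suppression_criteria(function_name, title="CWE-798 - Hardcoded credentials"):
    """Criteria matching one code finding title on one Lambda function only."""
    return {
        "findingType": [string_filter("CODE_VULNERABILITY")],
        "title": [string_filter(title)],
        "lambdaFunctionName": [string_filter(function_name)],
    }


def is_scoped(criteria):
    """True when the criteria pin the rule to specific resources.

    A rule without any scoping key would suppress the CWE account-wide,
    hiding a genuine hardcoded credential in some other function.
    """
    return any(key in criteria and criteria[key] for key in SCOPING_KEYS)


def create_suppression_rule(function_name, reason):
    """Create the SUPPRESS filter in the current account/region (needs AWS credentials)."""
    criteria = build_suppression_criteria(function_name)
    if not is_scoped(criteria):
        raise ValueError("refusing to create an unscoped suppression rule")
    import boto3  # imported lazily so the criteria builder above works offline

    client = boto3.client("inspector2")
    return client.create_filter(
        action="SUPPRESS",
        name=f"sdk-false-positive-{function_name}",
        description=reason,
        filterCriteria=criteria,
    )


if __name__ == "__main__":
    # Constructed placeholder function name; prints the criteria without calling AWS.
    import json

    print(json.dumps(build_suppression_criteria("orders-api"), indent=2))
```

Pair a rule like this with a reminder to delete it once the service-side exclusion mentioned later in the thread is in place, so that the suppression does not outlive the false positive it was created for.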

skirk-mpr commented 7 months ago

Thank you, @ashishdhingra!

ashishdhingra commented 6 months ago

@skirk-mpr I would close this issue for now since I have created a ticket for the service team. They are working internally on a fix.

github-actions[bot] commented 6 months ago

Comments on closed issues are hard for our team to see. If you need more assistance, please either tag a team member or open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.

ashishdhingra commented 6 months ago

@skirk-mpr Based on communication from the service team, it looks like they have implemented a fix to exclude AWS SDK(s) from scanning.