Closed chmeliik closed 3 weeks ago
Putting git credentials directly in the git remote `origin` URL is a bad way to authenticate to git repos. Nevertheless, if someone does use that approach, cachi2 shouldn't expose their credentials in the SBOM.

```
# in the root of the cachi2 repo
$ git remote set-url origin https://chmeliik:foo@github.com/containerbuildsystem/cachi2
$ cachi2 fetch-deps pip
$ jq < cachi2-output/bom.json '.components[] | select(.purl | test("chmeliik"))'
{
  "name": "cachi2",
  "purl": "pkg:pypi/cachi2?vcs_url=git%2Bhttps://chmeliik:foo%40github.com/containerbuildsystem/cachi2%40fdaebb589f60d2427ecd65ef301e011705aaf19d",
  "properties": [
    {
      "name": "cachi2:found_by",
      "value": "cachi2"
    }
  ],
  "type": "library"
}
```
Drop the credentials from the `vcs_url` qualifier to make sure they won't appear in the SBOM: https://github.com/containerbuildsystem/cachi2/blob/e6fb059d2218483b1bc2e8327cb7336bc9db7b1e/cachi2/core/scm.py#L29-L34

Or perhaps drop them before ever creating a `RepoID` in the first place, just to be sure.
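An added example (not cachi2's own code) of the fix the issue proposes plus a check for the leak: a hypothetical `strip_credentials` helper applied before the `vcs_url` qualifier is built, and `vcs_url_has_credentials`, which scans an existing purl for leftover userinfo. The remote URL, commit hash and purl are the ones from the issue output; the function names are assumptions.

```python
from urllib.parse import parse_qs, quote, urlsplit, urlunsplit

# Sample values taken from the issue's reproduction steps (constructed test creds).
REMOTE_WITH_CREDS = "https://chmeliik:foo@github.com/containerbuildsystem/cachi2"
COMMIT = "fdaebb589f60d2427ecd65ef301e011705aaf19d"
LEAKY_PURL = (
    "pkg:pypi/cachi2?vcs_url=git%2Bhttps://chmeliik:foo%40github.com/"
    "containerbuildsystem/cachi2%40" + COMMIT
)


def strip_credentials(url: str) -> str:
    """Return the URL with any user:password@ part removed (hypothetical helper).

    Only http(s) URLs carry credentials in the authority; scp-style remotes such as
    git@host:org/repo.git are returned unchanged (that "git" user is not a secret).
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or "@" not in parts.netloc:
        return url
    host = parts.netloc.rsplit("@", 1)[1]
    return urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))


def vcs_url_qualifier(remote_url: str, commit: str) -> str:
    """Build the git+<url>@<commit> value, stripping credentials first."""
    return f"git+{strip_credentials(remote_url)}@{commit}"


def build_purl(name: str, remote_url: str, commit: str) -> str:
    # safe=":/" reproduces the %2B / %40 escaping seen in the issue's SBOM excerpt
    qualifier = quote(vcs_url_qualifier(remote_url, commit), safe=":/")
    return f"pkg:pypi/{name}?vcs_url={qualifier}"


def vcs_url_has_credentials(purl: str) -> bool:
    """Detection check for an existing SBOM: does vcs_url still carry userinfo?"""
    qualifiers = parse_qs(urlsplit(purl).query)  # parse_qs also percent-decodes
    for value in qualifiers.get("vcs_url", []):
        url = value.split("+", 1)[1] if value.startswith("git+") else value
        url = url.rsplit("@", 1)[0]  # drop the trailing @<commit>
        if "@" in urlsplit(url).netloc:
            return True
    return False


if __name__ == "__main__":
    print("leaky purl has creds:", vcs_url_has_credentials(LEAKY_PURL))
    print("fixed purl:", build_purl("cachi2", REMOTE_WITH_CREDS, COMMIT))
```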