facebook / prop-types

Runtime type checking for React props and similar objects
MIT License
4.48k stars 356 forks

Use of Hard-coded Password #357

Closed rajeevdodda closed 3 years ago

rajeevdodda commented 3 years ago

When we scanned our application using a static scan tool, it reported a security vulnerability in the below line with a category of "Use of Hard-coded Password"

https://github.com/facebook/prop-types/blob/4de0644a10a554d0a556daa39f029369bc007ea5/lib/ReactPropTypesSecret.js#L10

sdoppalapudi commented 3 years ago

When we scanned our application using a static scan tool (Veracode), it reported a security vulnerability in the below line with a category of "Use of Hard-coded Password"

https://github.com/facebook/prop-types/blob/4de0644a10a554d0a556daa39f029369bc007ea5/lib/ReactPropTypesSecret.js#L10

ljharb commented 3 years ago

Then your tool is pretty silly - just because a variable has the name “secret” doesn’t mean it’s actually a secret value, and your tool shouldn’t be warning you about third-party code.

sdoppalapudi commented 3 years ago

@ljharb Thanks for the reply. But the scan tool Veracode (static code scan) will scan all the build files and libraries used in the application. So, it reported this issue.

Looks like it found the string 'SECRET_DO_NOT_PASS_THIS_OR_YOU_WILL_BE_FIRED', which has the word SECRET in it. So, as part of our process, we need to report this vulnerability to the library's GitHub and get confirmation.

Can you please confirm: is this an issue? I mean, this piece of code in the library will not create any issue?

ljharb commented 3 years ago

It is not an issue, and it is not a secret. The word “secret” isn’t a vulnerability.

sdoppalapudi commented 3 years ago

Thanks for the confirmation @ljharb.

ljharb commented 3 years ago

There’s no point in scanning third-party code for secrets, even if it’s included in your application, because they won’t be your secrets, and because there’s nothing you can do to fix it anyway.
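The disagreement above is between a scanner that fires on an identifier name and a maintainer pointing out that the value is a readable sentinel, not credential material. The following is an added example of value-aware triage for such findings; it is not prop-types code and not Veracode's rule logic. The first finding's value and path are taken from the thread and the repository link; the `apiToken` and `dbPassword` findings are constructed, and the functions `nameOnlyFlags`, `shannonEntropy`, `looksLikeSentinel` and `triage` are this example's own names.

```javascript
// Added example: triaging a "hard-coded secret" finding by its value, not only
// by the identifier name. Not prop-types code. The first finding's value and
// path come from the thread; the remaining findings are constructed.

const SECRET_LIKE_NAME = /secret|passw(or)?d|api[_-]?key|token/i;
const SCREAMING_SNAKE_PHRASE = /^[A-Z]+(?:_[A-Z]+)+$/;

// What a name-only rule does: any identifier containing "secret" (etc.) fires.
function nameOnlyFlags(identifier) {
  return SECRET_LIKE_NAME.test(identifier);
}

// Shannon entropy in bits per character. Random key material scores high;
// readable English phrases score lower and reuse a few letters heavily.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// A readable SCREAMING_SNAKE_CASE phrase is a sentinel or placeholder,
// not something an attacker could use as a credential.
function looksLikeSentinel(value) {
  return SCREAMING_SNAKE_PHRASE.test(value);
}

// Value-aware triage. Only the sentinel shape is dismissed; anything else that
// matched by name stays "investigate", so a weak real password is never dropped.
// The node_modules flag is context about who can fix it, not a reason to dismiss.
function triage(finding) {
  const { identifier, value, file } = finding;
  if (!nameOnlyFlags(identifier)) {
    return { verdict: 'no-match', entropy: null, reasons: [] };
  }
  const reasons = [];
  const entropy = shannonEntropy(value);
  if (/(^|\/)node_modules\//.test(file)) {
    reasons.push('in a third-party dependency: any fix belongs upstream');
  }
  let verdict;
  if (looksLikeSentinel(value)) {
    verdict = 'likely-false-positive';
    reasons.push('value is a readable SCREAMING_SNAKE_CASE phrase, not credential material');
  } else {
    verdict = 'investigate';
    reasons.push(entropy >= 4.5 && value.length >= 16
      ? `high-entropy value (${entropy.toFixed(2)} bits/char) resembles key material`
      : 'low-entropy value could still be a weak hard-coded credential');
  }
  return { verdict, entropy, reasons };
}

// Sample findings: the first is the one from this thread, the other two are constructed.
const FINDINGS = [
  {
    identifier: 'ReactPropTypesSecret',
    value: 'SECRET_DO_NOT_PASS_THIS_OR_YOU_WILL_BE_FIRED',
    file: 'node_modules/prop-types/lib/ReactPropTypesSecret.js',
  },
  { identifier: 'apiToken', value: 'q7Vb2Xz9LmP4sTw1Rn8KcY3hJ6fD0aGe', file: 'src/config.js' },
  { identifier: 'dbPassword', value: 'hunter2', file: 'src/db.js' },
];

for (const f of FINDINGS) {
  const r = triage(f);
  console.log(`${f.identifier} (${f.file}): name-only=${nameOnlyFlags(f.identifier)} -> ${r.verdict}; ${r.reasons.join('; ')}`);
}
```

All three sample identifiers trip the name-only rule, which is the behaviour the thread complains about. The value check separates them: the prop-types constant is a readable phrase and is downgraded, the constructed 32-character token is reported as high-entropy key material, and the constructed weak password is kept for review because low entropy alone is not evidence that a value is harmless.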