noxxi / p5-io-socket-ssl

IO::Socket::SSL Perl Module

Scan Flagged Potential Compliance Issue with these Certs -- Need to confirm #124

Closed lsalazar1 closed 1 year ago

lsalazar1 commented 1 year ago

Overview

Hi, my name is Liam Salazar. Our team is pulling a PostgreSQL image that uses this project. When we ran a security scan against that image, it flagged these certs as being on the image:

"complianceIssues": [
    {
      "description": "Found: /usr/share/doc/perl-IO-Socket-SSL/certs/client-key.enc, /usr/share/doc/perl-IO-Socket-SSL/certs/client-key.pem, /usr/share/doc/perl-IO-Socket-SSL/certs/server-ecc-key.pem, /usr/share/doc/perl-IO-Socket-SSL/certs/server-key.enc, /usr/share/doc/perl-IO-Socket-SSL/certs/server-key.pem, /usr/share/doc/perl-IO-Socket-SSL/certs/server2-key.pem, /usr/share/doc/perl-Net-SSLeay/examples/server_key.pem - twistlock",
      "platforms": [
        "amd64"
      ],
      "severity": {
        "twistlock": "high"
      },
      "title": "Private keys stored in image"
    }
  ],

We have two questions: 1.) What is the purpose of these certs? 2.) Are they there just as examples, or are they actually used by the library?

noxxi commented 1 year ago

These certificates are only used for the test suite inside IO::Socket::SSL. Like the tests, they are part of the distribution archive, but they do not get installed on the system when running make install. I don't know why they end up in /usr/share/doc/ on your system; it looks like CentOS packages it this way for some unknown reason. It is not supposed to end up there.
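The scanner output quoted above only lists file paths, so the practical follow-up is to check for yourself which private-key files in an image root are plaintext, which are passphrase-protected, and which live under the documentation tree that the distribution package dropped them into, and then to strip the doc-tree copies before the image ships. The POSIX shell script below is an added example written for this thread; it is not code from IO::Socket::SSL or from either commenter. It assumes an unpacked image filesystem (or a container's root) as its input, uses the `/usr/share/doc/perl-IO-Socket-SSL/certs/` prefix reported in the issue to label doc fixtures, and builds its own small sample tree with constructed placeholder PEM bodies (not real key material) so it runs offline.

```shell
#!/bin/sh
# Added example for the issue above, not part of IO::Socket::SSL.
# key_report ROOT: list every PEM private-key file below ROOT, one
# "relative-path state location" line per hit, where state is
# "encrypted" or "plaintext" and location is "doc-fixture" (under
# usr/share/doc, i.e. packaging leftovers like the ones the scanner
# flagged) or "runtime" (anything else, which deserves a closer look).
# Assumes paths contain no whitespace.
key_report() {
    kr_root=$1
    # Both legacy "BEGIN RSA PRIVATE KEY" and PKCS#8 "BEGIN PRIVATE KEY" /
    # "BEGIN ENCRYPTED PRIVATE KEY" headers end with this fixed string;
    # certificates ("BEGIN CERTIFICATE") do not match and are skipped.
    grep -rl 'PRIVATE KEY-----' "$kr_root" 2>/dev/null | sort | while IFS= read -r f; do
        # PKCS#8 encrypted keys announce it in the header; legacy OpenSSL
        # PEM keys carry a "Proc-Type: 4,ENCRYPTED" line instead.
        if grep -q -e 'BEGIN ENCRYPTED PRIVATE KEY' -e 'Proc-Type: 4,ENCRYPTED' "$f"; then
            state=encrypted
        else
            state=plaintext
        fi
        rel=${f#"$kr_root/"}
        case $rel in
            usr/share/doc/*) where=doc-fixture ;;
            *)               where=runtime ;;
        esac
        printf '%s %s %s\n' "$rel" "$state" "$where"
    done
}

# remove_doc_fixture_keys ROOT: delete private-key files under
# ROOT/usr/share/doc (the mitigation for the finding in the issue) and
# print how many files were removed.
remove_doc_fixture_keys() {
    rd_doc=$1/usr/share/doc
    if [ ! -d "$rd_doc" ]; then
        echo 0
        return 0
    fi
    rd_n=$(( $(grep -rl 'PRIVATE KEY-----' "$rd_doc" 2>/dev/null | wc -l) ))
    grep -rl 'PRIVATE KEY-----' "$rd_doc" 2>/dev/null | while IFS= read -r f; do
        rm -f "$f"
    done
    echo "$rd_n"
}

# make_sample_tree: build a constructed image root in a temp dir and print
# its path. File names under certs/ follow the scanner output in the issue;
# every PEM body is a placeholder string, not real key material.
make_sample_tree() {
    ms_root=$(mktemp -d)
    ms_certs=$ms_root/usr/share/doc/perl-IO-Socket-SSL/certs
    mkdir -p "$ms_certs" "$ms_root/etc/ssl/private"
    # Plaintext test-suite key as shipped by the doc package.
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
        'Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXI=' \
        '-----END RSA PRIVATE KEY-----' > "$ms_certs/server-key.pem"
    # Passphrase-protected legacy PEM key (the .enc variant in the scan).
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
        'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF' '' \
        'Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXI=' \
        '-----END RSA PRIVATE KEY-----' > "$ms_certs/client-key.enc"
    # A certificate is public material and must not be reported.
    printf '%s\n' '-----BEGIN CERTIFICATE-----' \
        'Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXI=' \
        '-----END CERTIFICATE-----' > "$ms_certs/server-cert.pem"
    # A key outside the doc tree stands in for one a service really uses.
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' \
        'Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXI=' \
        '-----END PRIVATE KEY-----' > "$ms_root/etc/ssl/private/host.key"
    echo "$ms_root"
}

# Stand-alone demonstration on the constructed tree.
demo_root=$(make_sample_tree)
echo "before:"; key_report "$demo_root"
echo "removed $(remove_doc_fixture_keys "$demo_root") doc-fixture key file(s)"
echo "after:";  key_report "$demo_root"
rm -rf "$demo_root"
```

On a real image, run `key_report` against the mounted or exported root filesystem (for example the output of `docker export` unpacked into a directory); anything reported as `plaintext runtime` is the finding to chase, while `doc-fixture` entries are the packaging leftovers this issue is about and can be deleted in a Dockerfile step with the same `rm` the helper performs.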