Closed: huornlmj closed this 1 year ago

https://github.com/opencomputeproject/HWMgmt-DeviceMgr-DeviceManager/blob/b68d37cccc7503cef47b0940ad8bcf72f155b69b/device_key/https-server.key#L4

Hi. There is a hard-coded private key here that is copied into the running container in the Dockerfile https://github.com/opencomputeproject/HWMgmt-DeviceMgr-DeviceManager/blob/main/docker/Dockerfile#L27. If this container is used as-is then a network adversary can sniff the traffic and decrypt the data wherever this is deployed, as the private key is available to anyone who has access to the repo.
This is CWE-321: Use of Hard-coded Cryptographic Key.

The intent of the docker files is to more easily deploy the entire virtual topology (Device Manager, SW Agents, etc.) to show how the entire architecture works. In an actual datacenter, it is expected that the DC will have its own deployment process.

This was fixed with #52
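A repository check for the pattern reported above, added here as an example and not code from the DeviceManager project: it finds committed PEM private keys and reports whether any Dockerfile COPY/ADD would bake each one into an image. It assumes a layout like the linked repo (device_key/https-server.key, docker/Dockerfile) and builds a constructed sample tree with placeholder text in place of real key material.

```shell
#!/bin/sh
# Added example, not code from the DeviceManager project. Scans a source tree for
# committed PEM private keys and reports whether a Dockerfile COPY/ADD would bake
# each key into an image (the CWE-321 pattern reported in this issue).

# Prints one line per committed private key, relative to the repo root:
#   "<key> baked-by <Dockerfile>:<line>"   or   "<key> not-copied"
scan_baked_keys() {
    repo=$1
    grep -rl -- '-----BEGIN .*PRIVATE KEY-----' "$repo" | sort | while read -r key; do
        rel=${key#"$repo"/}
        # First COPY/ADD whose source is the key itself, a parent directory of it, or "."
        hit=$(find "$repo" -type f -name 'Dockerfile*' | sort | while read -r df; do
            awk -v key="$rel" -v df="${df#"$repo"/}" '
                /^[ \t]*(COPY|ADD)[ \t]/ {
                    for (i = 2; i < NF; i++) {          # every operand but the destination
                        if ($i ~ /^--/) continue        # skip flags such as --chown=
                        s = $i; sub(/^\.\//, "", s); sub(/\/$/, "", s)
                        if (s == "" || s == "." || s == key || index(key, s "/") == 1) {
                            print df ":" NR; exit
                        }
                    }
                }' "$df"
        done | head -n 1)
        if [ -n "$hit" ]; then
            printf '%s baked-by %s\n' "$rel" "$hit"
        else
            printf '%s not-copied\n' "$rel"
        fi
    done
}

# Builds a throwaway tree shaped like the linked repo (constructed sample, placeholder
# text instead of key material) and prints its path.
make_sample_repo() {
    d=$(mktemp -d)
    mkdir -p "$d/device_key" "$d/docker"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'CONSTRUCTED-PLACEHOLDER-NOT-A-KEY' \
        '-----END RSA PRIVATE KEY-----' > "$d/device_key/https-server.key"
    printf '%s\n' 'FROM scratch' 'WORKDIR /app' \
        'COPY --chown=0:0 device_key/https-server.key /app/device_key/' \
        'COPY docs/ /app/docs/' > "$d/docker/Dockerfile"
    printf '%s\n' '-----BEGIN EC PRIVATE KEY-----' 'CONSTRUCTED-PLACEHOLDER' \
        '-----END EC PRIVATE KEY-----' > "$d/test-only.pem"
    printf '%s\n' "$d"
}

repo=$(make_sample_repo)
scan_baked_keys "$repo"
rm -rf "$repo"
```

Run it against a real checkout as `scan_baked_keys /path/to/repo`; any "baked-by" line means the image would ship the key, and any line at all means the key is already exposed to everyone with repo access.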