New JWT detection finds sample code in dependency docs #5772
Replies: 4 comments 6 replies
-
Note that I'm not asking about any of the CVEs; just the false positive JWT detection, which may be an actual JWT, just one that was intentionally leaked by the PyJWT maintainers in their usage example!
-
Having the same issue when scanning containers that contain the PyJWT package -- for now I have unilaterally disabled the I'm curious if there are plans to disable secret scanning rules with more granularity (e.g. disable for specific paths/packages), as the secret scanning feature is awesome beyond this. Couldn't find an obvious resolution in the docs so thought to ask!
-
Hello all! But it looks like it doesn't work in this case. We can't exclude this secret: If you have any ideas, tell us and we will try to fix it.
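The question above asks for per-path exceptions to a secret rule, and the maintainer reply says the built-in exclusion did not work for this finding. Until that is resolved in Trivy itself, the same effect can be had on the scanner's output: run `trivy ... -f json` (the format the bug template already asks for), then filter the report in CI with an explicit, reviewed allowlist keyed on rule ID and file path. The script below is an added example and is not code from the Trivy project or from anyone in this thread. It assumes the JSON layout `Results[].Target` / `Results[].Secrets[].{RuleID,Match,StartLine}` that Trivy emits; the rule ID `jwt-token`, the site-packages path and the token text in the embedded sample report are constructed placeholders, not values from this page.

```python
"""Allowlist-based triage of Trivy secret findings (added example, not Trivy code).

Reads a Trivy JSON report, suppresses only the findings that an explicit
AllowEntry covers (rule ID + path glob + optional match substring), and keeps
everything else so a sample token in vendored docs does not hide a real leak
of the same kind elsewhere in the image.
"""
from __future__ import annotations

import fnmatch
import json
import sys
from dataclasses import dataclass

# Constructed sample in the shape of `trivy image -f json` output.
# Paths, rule ID and token text are placeholders, not values from the report.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {   # the documented sample token shipped inside the dependency
            "Target": "usr/lib/python3/site-packages/PLACEHOLDER_PYJWT_DOCS.py",
            "Class": "secret",
            "Secrets": [{
                "RuleID": "jwt-token",            # assumed Trivy rule ID
                "Category": "JWT",
                "Severity": "MEDIUM",
                "Title": "JWT token",
                "StartLine": 12, "EndLine": 12,
                "Match": 'token = "eyJPLACEHOLDER.PLACEHOLDER.PLACEHOLDER"',
            }],
        },
        {   # same rule, but in application code: this one must stay visible
            "Target": "app/settings.py",
            "Class": "secret",
            "Secrets": [{
                "RuleID": "jwt-token",
                "Category": "JWT",
                "Severity": "MEDIUM",
                "Title": "JWT token",
                "StartLine": 3, "EndLine": 3,
                "Match": 'SERVICE_TOKEN = "eyJPLACEHOLDER2.PLACEHOLDER2.PLACEHOLDER2"',
            }],
        },
    ]
})


@dataclass(frozen=True)
class AllowEntry:
    rule_id: str            # Trivy secret rule ID the exception applies to
    path_glob: str          # fnmatch glob over Results[].Target ('*' spans '/')
    reason: str             # recorded with every suppressed finding for audit
    match_contains: str = ""  # optional substring that Secrets[].Match must contain


# Scoped to the vendored docs file only; app/settings.py is not covered.
DEFAULT_ALLOWLIST = [
    AllowEntry(
        rule_id="jwt-token",
        path_glob="*/site-packages/PLACEHOLDER_PYJWT_DOCS.py",
        reason="sample token from the PyJWT usage docs, not a credential",
        match_contains="eyJ",
    ),
]


def _matching_entry(target: str, secret: dict, allowlist: list[AllowEntry]) -> AllowEntry | None:
    """Return the first allowlist entry covering this finding, or None."""
    for entry in allowlist:
        if secret.get("RuleID") != entry.rule_id:
            continue
        if not fnmatch.fnmatch(target, entry.path_glob):
            continue
        if entry.match_contains and entry.match_contains not in secret.get("Match", ""):
            continue
        return entry
    return None


def triage(report_json: str, allowlist: list[AllowEntry]) -> tuple[list[dict], list[dict]]:
    """Split a Trivy JSON report into (kept, suppressed) secret findings.

    Each returned finding is the Secrets[] entry plus its Target path;
    suppressed findings also carry the allowlist Reason.
    """
    report = json.loads(report_json)
    kept: list[dict] = []
    suppressed: list[dict] = []
    for result in report.get("Results", []):
        target = result.get("Target", "")
        for secret in result.get("Secrets") or []:
            finding = {"Target": target, **secret}
            entry = _matching_entry(target, secret, allowlist)
            if entry is None:
                kept.append(finding)
            else:
                suppressed.append({**finding, "Reason": entry.reason})
    return kept, suppressed


def main(argv: list[str]) -> int:
    """Usage: python triage.py [report.json]; exits 1 if any finding remains."""
    report_json = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
    kept, suppressed = triage(report_json, DEFAULT_ALLOWLIST)
    for f in suppressed:   # keep exceptions visible in the CI log
        print(f"suppressed {f['RuleID']} in {f['Target']}:{f['StartLine']} ({f['Reason']})")
    for f in kept:
        print(f"FINDING   {f['RuleID']} in {f['Target']}:{f['StartLine']}")
    return 1 if kept else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against a real report with `trivy image -f json -o report.json <image>` followed by `python triage.py report.json`. Keeping the exception as data (rule, path, reason) rather than disabling the rule globally means the same JWT pattern in application code still fails the build, which is the granularity the question asks for.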
-
Any update on this? PyJWT 2.9.0 still has this "vulnerability".
-
IDs
(secrets) JWT in PyJWT-2.8.0
Description
Recently our builds started failing & after some exploration, we realized that we had upgraded from trivy 0.47 to 0.48, which introduced JWT secret scanning.
I Googled the particular context provided by trivy (see below) & was taken directly to the docs for the module that had the secret found... i.e. it's sample code from the docs (https://pyjwt.readthedocs.io/en/latest/usage.html).
I'm curious about where the responsibility lies here to mitigate this... do I just exclude & move on, do I raise this with y'all, do I raise it with the PyJWT maintainers? At the moment I figured I'd start this discussion, since (a) it's a brand new feature and (b) I might not be the only one who tripped over this, so putting this here will make it findable by others :)
Reproduction Steps
Target: Container Image
Scanner: Secret
Target OS: No response
Debug Output
Version
Checklist
-f json that shows data sources and confirmed that the security advisory in data sources was correct