
AWSSDK.Core triggers CWE-798 - Hardcoded credentials #3240

Closed
skirk-mpr opened this issue Apr 1, 2024 · 9 comments
Labels
bug This issue is a bug. module/sdk-core queued service-api This issue is due to a problem in a service API, not the SDK implementation.

Comments

@skirk-mpr

Describe the bug

This is more of an FYI but our organization just turned on AWS Inspector for AWS Lambda and we are getting false positives for the finding CWE-798 - Hardcoded credentials in AWSSDK.Core.

From the finding it looks like it's complaining because the string 'password' is contained within the name of a property (EC2InstancePassword).


Expected Behavior

Not trigger CWE-798 - Hardcoded credentials

Current Behavior

Triggers CWE-798 - Hardcoded credentials

Reproduction Steps

Deploy Lambda with AWSSDK.Core and run AWS Inspector against it.

Possible Solution

No response

Additional Information/Context

No response

AWS .NET SDK and/or Package version used

AWSSDK.Core

Targeted .NET Platform

.NET 6

Operating System and version

AmazonLinux

@skirk-mpr skirk-mpr added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Apr 1, 2024
@ashishdhingra
Contributor

ashishdhingra commented Apr 1, 2024

This appears to be a false CWE at

    public const string EC2InstancePassword = "EC2InstancePassword";

It's just a constant name that is used in downstream logic. Needs review with the team if there is a workaround to ignore this CWE.
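The finding in this thread is a classic name-based false positive: the constant's identifier contains "password", but its value is just the constant's own name, which is later used as a lookup key. The following script is an added illustration (it is not Amazon Inspector's detector and not AWS SDK code) that contrasts a naive identifier-keyword rule with a value-aware check over a few constructed C#-style lines. Only the first sample line mirrors the constant quoted above; the others, the regex, the keyword list and the function names are invented for the example.

```python
import re

# Constructed sample source lines (not taken from the AWS SDK). Line 0 mirrors the
# constant quoted in the issue; the rest are invented to show the contrast.
SAMPLE_LINES = [
    'public const string EC2InstancePassword = "EC2InstancePassword";',
    'public const string PasswordHeader = "X-Amz-Password";',
    'string dbPassword = "Tr0ub4dor&3_p9Qx!";',
    'string password = "hunter2";',
    'var password = Environment.GetEnvironmentVariable("DB_PASSWORD");',
]

# Matches `identifier = "string literal";` (hypothetical, simplified assignment syntax).
ASSIGN_RE = re.compile(r'(?P<name>[A-Za-z_]\w*)\s*=\s*"(?P<value>[^"]*)"\s*;')
CREDENTIAL_KEYWORDS = ("password", "passwd", "secret", "apikey", "token")


def _parse_assignment(line):
    """Return (identifier, literal) for a string-literal assignment, else None."""
    m = ASSIGN_RE.search(line)
    if not m:
        return None
    return m.group("name"), m.group("value")


def naive_finding(line):
    """Name-only rule: flag any string-literal assignment whose identifier
    contains a credential keyword. This is the behaviour that produces the
    false positive described in the issue."""
    parsed = _parse_assignment(line)
    if parsed is None:
        return False
    name, _ = parsed
    return any(k in name.lower() for k in CREDENTIAL_KEYWORDS)


def looks_like_identifier(value):
    """True when the literal has the shape of a config key or header name
    (letters, digits, '_', '.', '-') rather than arbitrary secret material."""
    return re.fullmatch(r"[A-Za-z][A-Za-z0-9_.-]*", value) is not None


def refined_finding(line):
    """Value-aware rule: keep the identifier check, but do not flag literals
    that are evidently *names of* credential fields rather than credentials."""
    parsed = _parse_assignment(line)
    if parsed is None:
        return False
    name, value = parsed
    if not any(k in name.lower() for k in CREDENTIAL_KEYWORDS):
        return False
    # A literal identical to its own identifier is a key name, not a secret.
    if value == name:
        return False
    # A key-shaped literal that itself names a credential field (e.g. a header
    # or config key such as "X-Amz-Password") is metadata, not a secret.
    if looks_like_identifier(value) and any(k in value.lower() for k in CREDENTIAL_KEYWORDS):
        return False
    return True


def scan(lines):
    """Run both rules over the lines; returns a list of (line, naive, refined)."""
    return [(ln, naive_finding(ln), refined_finding(ln)) for ln in lines]


if __name__ == "__main__":
    for ln, naive, refined in scan(SAMPLE_LINES):
        print(f"naive={naive!s:5} refined={refined!s:5}  {ln}")
```

The value-aware rule still flags the two genuinely hardcoded literals (including the short, low-entropy one), while the constant from the issue and the header-name constant drop out. Real detectors weigh more signals than this, but the same principle applies when triaging: check what the literal *is* before accepting a finding, and if you suppress, scope the suppression to the specific finding or file rather than disabling the detector.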

@ashishdhingra ashishdhingra added needs-review and removed needs-triage This issue or PR still needs to be triaged. labels Apr 1, 2024
@ashishdhingra
Contributor

P124646133

@ashishdhingra
Contributor

@skirk-mpr I reviewed this issue with the team. There doesn't appear to be a way to ignore this false positive reported by AWS Inspector. I have opened an internal ticket with the AWS Inspector team to get their input on how to disable such false positives. Will report any updates here as they become available.

@ashishdhingra ashishdhingra added the service-api This issue is due to a problem in a service API, not the SDK implementation. label Apr 2, 2024
@skirk-mpr
Author

@ashishdhingra -- thanks so much, appreciate you circling back regarding this! Figured there wasn't really something warranting a fix on the SDK side, but either way, wanted to flag it so your team was aware.

Also, a similar thing is getting flagged with Amazon.Extensions.CognitoAuthentication


@ashishdhingra
Contributor

ashishdhingra commented Apr 2, 2024

@skirk-mpr Additionally, you might refer to Suppressing Amazon Inspector findings with suppression rules on how to create a rule to suppress such warnings.

@skirk-mpr
Author

Thank you, @ashishdhingra!

@ashishdhingra
Contributor

@skirk-mpr I would close this issue for now since I have created a ticket for the service team. They are working internally on a fix.


Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

@ashishdhingra
Contributor

@skirk-mpr Based on communication from the service team, it looks like they have implemented a fix to exclude AWS SDK(s) from scanning.
