VMR Credential Scanner failed #4486

Closed
Winniexu01 opened this issue Jul 1, 2024 · 7 comments · Fixed by dotnet/sdk#41882 or dotnet/sdk#41943
Labels
ops-monitor Issues created/handled by the source build monitor role untriaged

Comments

@Winniexu01
Member

Failing build (internal Microsoft link)

Guardian: Post Analysis failed:

##[error]141. Credential Scanner Error CSCAN-GENERAL0020 - File: src/runtime/src/libraries/Common/tests/System/Security/Cryptography/X509Certificates/TestData.cs. Line: 2745. Column 1. 
Signature: 021fed5848180fe5621ad74694ec18568bec71289fa7d8451a52b4d758264428
Tool: Credential Scanner: Rule: CSCAN-GENERAL0020 (Found X.509 Certificate Private Key.). 
{Searcher}CSCAN-GENERAL0020
{Code}See TestData.cs line 2745 for the code resulting in match
{Info}Found X.509 Certificate Private Key.
{Suggest}Validate file contains secrets, remove, roll credential, and use approved store. For additional information on secret remediation see https://aka.ms/credscan 
##[error]142. Credential Scanner Error CSCAN-GENERAL0020 - File: src/runtime/src/libraries/Common/tests/System/Security/Cryptography/X509Certificates/TestData.cs. Line: 2881. Column 1. 
Signature: 3ede7dcbf68154b1d70720520f28286d2f23e67941ea8c61975ecce559bdc7eb
Tool: Credential Scanner: Rule: CSCAN-GENERAL0020 (Found X.509 Certificate Private Key.). 
{Searcher}CSCAN-GENERAL0020
{Code}See TestData.cs line 2881 for the code resulting in match
{Info}Found X.509 Certificate Private Key.
{Suggest}Validate file contains secrets, remove, roll credential, and use approved store. For additional information on secret remediation see https://aka.ms/credscan 
##[error]143. Credential Scanner Error CSCAN-GENERAL0020 - File: src/runtime/src/libraries/Common/tests/System/Security/Cryptography/X509Certificates/TestData.cs. Line: 2964. Column 1. 
Signature: 99ae1c49501757abc08f033236305eb273f96f58e4f636d38c4a4fa81fc15980
Tool: Credential Scanner: Rule: CSCAN-GENERAL0020 (Found X.509 Certificate Private Key.). 
{Searcher}CSCAN-GENERAL0020
{Code}See TestData.cs line 2964 for the code resulting in match
{Info}Found X.509 Certificate Private Key.
{Suggest}Validate file contains secrets, remove, roll credential, and use approved store. For additional information on secret remediation see https://aka.ms/credscan 

I couldn't figure out the best area label to add to this issue. If you have write-permissions please help me learn by adding exactly one area label.


@Winniexu01 Winniexu01 added ops-monitor Issues created/handled by the source build monitor role untriaged and removed untriaged labels Jul 1, 2024
@mthalman
Member

mthalman commented Jul 1, 2024

I see some work was done in dotnet/runtime#104086 as part of addressing credscan issues. But I don't see any suppressions for these particular failures. Not sure why runtime isn't encountering these. /cc @akoeplinger

@akoeplinger
Member

We have them suppressed in https://github.com/dotnet/runtime/blob/53a8a01fe1d421a3e02120b1629a6077d341465d/.config/CredScanSuppressions.json#L5-L15

But these suppressions for the private keys are not new so I'm a bit confused why this only shows up now?

We also have #4259 which tracks making an aggregate suppression file for the VMR.

@akoeplinger
Member

akoeplinger commented Jul 1, 2024

But these suppressions for the private keys are not new so I'm a bit confused why this only shows up now?

Ah I know why, we suppressed them in the VMR via
https://github.com/dotnet/sdk/blob/main/src/SourceBuild/content/.config/guardian/.gdnbaselines#L1004-L1031

We need to update the paths there.

@Winniexu01
Member Author

Reopening the issue, the latest build (internal Microsoft link) still failed with new credential scanner errors:

##[error]1. Credential Scanner Error CSCAN-GENERAL0130 - File: src/aspire/tests/Aspire.Dashboard.Tests/Integration/OtlpServiceTests.cs. Line: 128. Column 1. 
Signature: 0a527cd60eacba9f7c0c83e3a97e25270578b40a637372cdf80b702b9b87b261
Tool: Credential Scanner: Rule: CSCAN-GENERAL0130 (Found Client Secret / Api Key.). 
{Searcher}CSCAN-GENERAL0130
{Code}See OtlpServiceTests.cs line 128 for the code resulting in match
{Info}Found Client Secret / Api Key.
{Suggest}Validate file contains secrets, remove, roll credential, and use approved store. For additional information on secret remediation see https://aka.ms/credscan 
##[error]2. Credential Scanner Error CSCAN-MSFT0090 - File: src/aspire/tests/Aspire.Hosting.Tests/RabbitMQ/AddRabbitMQTests.cs. Line: 66. Column 1. 
Signature: 6ddef357a244a95890f464728bfe7d498172c7d0a154a1b7505de8cf5d2e6940
Tool: Credential Scanner: Rule: CSCAN-MSFT0090 (Found Internal Common Default Password.). 
{Searcher}CSCAN-MSFT0090
{Code}See AddRabbitMQTests.cs line 66 for the code resulting in match
{Info}Found Internal Common Default Password.
{Suggest}Validate file contains secrets, remove, roll credential, and use approved store. For additional information on secret remediation see https://aka.ms/credscan 
##[error]3. Credential Scanner Error CSCAN-MSFT0090 - File: src/aspire/tests/Aspire.Hosting.Tests/RabbitMQ/AddRabbitMQTests.cs. Line: 81. Column 1. 
Signature: 7b17c8b64bd83dc326d4257677bed760c9cf6ab817acfbc7472f13f64b855e40
Tool: Credential Scanner: Rule: CSCAN-MSFT0090 (Found Internal Common Default Password.). 
{Searcher}CSCAN-MSFT0090
{Code}See AddRabbitMQTests.cs line 81 for the code resulting in match
{Info}Found Internal Common Default Password.
{Suggest}Validate file contains secrets, remove, roll credential, and use approved store. For additional information on secret remediation see https://aka.ms/credscan 
##[error]4. Credential Scanner Error CSCAN-MSFT0090 - File: src/aspire/tests/Aspire.Hosting.Tests/SqlServer/AddSqlServerTests.cs. Line: 76. Column 1. 
Signature: 5c2b6a4651bcb596fc2e5db714b851d389abfea6e55903a8d0582ce51da047ff
Tool: Credential Scanner: Rule: CSCAN-MSFT0090 (Found Internal Common Default Password.). 
{Searcher}CSCAN-MSFT0090
{Code}See AddSqlServerTests.cs line 76 for the code resulting in match
{Info}Found Internal Common Default Password.
{Suggest}Validate file contains secrets, remove, roll credential, and use approved store. For additional information on secret remediation see https://aka.ms/credscan 
##[error]5. Credential Scanner Error CSCAN-MSFT0090 - File: src/aspire/tests/Aspire.Hosting.Tests/SqlServer/AddSqlServerTests.cs. Line: 84. Column 1. 
Signature: 80a85deb6369e399563ca12ec488875ae9fadc6a4c8d4a4343fe2294ddf2a7a4
Tool: Credential Scanner: Rule: CSCAN-MSFT0090 (Found Internal Common Default Password.). 
{Searcher}CSCAN-MSFT0090
{Code}See AddSqlServerTests.cs line 84 for the code resulting in match
{Info}Found Internal Common Default Password.
{Suggest}Validate file contains secrets, remove, roll credential, and use approved store. For additional information on secret remediation see https://aka.ms/credscan 
##[error]6. Credential Scanner Error CSCAN-MSFT0090 - File: src/aspire/tests/Aspire.Hosting.Tests/SqlServer/AddSqlServerTests.cs. Line: 100. Column 1. 
Signature: 0b30610f2eb9817ff650cd53154bc2ac98d6209750a9d628c5af700608bdb36e
Tool: Credential Scanner: Rule: CSCAN-MSFT0090 (Found Internal Common Default Password.). 
{Searcher}CSCAN-MSFT0090
{Code}See AddSqlServerTests.cs line 100 for the code resulting in match
{Info}Found Internal Common Default Password.
{Suggest}Validate file contains secrets, remove, roll credential, and use approved store. For additional information on secret remediation see https://aka.ms/credscan 
##[error]7. Credential Scanner Error CSCAN-GENERAL0020 - File: src/aspire/tests/Shared/TestCertificates/eku.client.pfx. Line: 1. Column 1. 
Signature: 52cfa490ade643a3ec287dec67888d444752a73f7e4355a7f1924b0af54df466
Tool: Credential Scanner: Rule: CSCAN-GENERAL0020 (Found X.509 Certificate Private Key.). 
{Searcher}CSCAN-GENERAL0020
{Code}See eku.client.pfx line 1 for the code resulting in match
{Info}Found X.509 Certificate Private Key.
{Suggest}Validate file contains secrets, remove, roll credential, and use approved store. For additional information on secret remediation see https://aka.ms/credscan 
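
The comment about updating the paths in the VMR baseline and the reopened findings above both come down to the same failure mode: CredScan suppressions are keyed by file path, so when dotnet/runtime and dotnet/aspire sources are laid out under src/runtime/ and src/aspire/ in the VMR, per-repo entries written against the repo-relative path stop matching and the already-reviewed findings resurface as new errors. The script below is an added example, not code from this issue, from dotnet/sdk or from the Guardian tooling. It assumes a suppressions file in the {"suppressions": [{"file": ..., "_justification": ...}]} shape (modelled on dotnet/runtime's .config/CredScanSuppressions.json, not copied from it), exact-path matching with no wildcards, and the src/<repo>/ layout of the VMR. It parses scanner lines of the form quoted in this issue, rebases the per-repo suppressions onto VMR paths, and reports which findings are still unsuppressed; the suppression entries and justifications are constructed for the example.

```python
import json
import re
from pathlib import PurePosixPath

# Three scanner lines copied from this issue (a constructed subset of the full log).
CREDSCAN_LOG = """\
##[error]141. Credential Scanner Error CSCAN-GENERAL0020 - File: src/runtime/src/libraries/Common/tests/System/Security/Cryptography/X509Certificates/TestData.cs. Line: 2745. Column 1.
##[error]2. Credential Scanner Error CSCAN-MSFT0090 - File: src/aspire/tests/Aspire.Hosting.Tests/RabbitMQ/AddRabbitMQTests.cs. Line: 66. Column 1.
##[error]7. Credential Scanner Error CSCAN-GENERAL0020 - File: src/aspire/tests/Shared/TestCertificates/eku.client.pfx. Line: 1. Column 1.
"""

# Matches the "##[error]N. Credential Scanner Error RULE - File: PATH. Line: N." prefix of a finding.
FINDING_RE = re.compile(
    r"^##\[error\]\d+\. Credential Scanner Error (?P<rule>CSCAN-[A-Z]+\d+) - "
    r"File: (?P<file>.+?)\. Line: (?P<line>\d+)\."
)

# Constructed per-repo suppression documents, keyed by the repo's directory name under src/ in the VMR.
# Assumption: the {"suppressions": [{"file", "_justification"}]} shape used by dotnet/runtime;
# the entries and justifications here are made up for the example.
REPO_SUPPRESSIONS = {
    "runtime": {
        "tool": "Credential Scanner",
        "suppressions": [
            {
                "file": "src/libraries/Common/tests/System/Security/Cryptography/X509Certificates/TestData.cs",
                "_justification": "Test-only certificates and keys (constructed justification).",
            },
        ],
    },
    "aspire": {
        "tool": "Credential Scanner",
        "suppressions": [
            {
                "file": "tests/Shared/TestCertificates/eku.client.pfx",
                "_justification": "Test-only client certificate (constructed justification).",
            },
        ],
    },
}


def parse_findings(log_text):
    """Return one dict per CredScan finding line: rule id, reported file path and line number."""
    findings = []
    for line in log_text.splitlines():
        m = FINDING_RE.match(line)
        if m:
            findings.append({"rule": m["rule"], "file": m["file"], "line": int(m["line"])})
    return findings


def merge_unrebased(repo_suppressions):
    """Naively concatenate the per-repo entries without touching their paths (the broken state)."""
    entries = [e for doc in repo_suppressions.values() for e in doc["suppressions"]]
    return {"tool": "Credential Scanner", "suppressions": entries}


def rebase_suppressions(repo_suppressions, vmr_root="src"):
    """Prefix every repo-relative path with <vmr_root>/<repo>/ so it matches the VMR layout."""
    merged = []
    for repo, doc in repo_suppressions.items():
        for entry in doc["suppressions"]:
            rebased = dict(entry)
            rebased["file"] = str(PurePosixPath(vmr_root, repo, entry["file"]))
            merged.append(rebased)
    return {"tool": "Credential Scanner", "suppressions": merged}


def unsuppressed(findings, suppressions):
    """Findings whose reported path has no exact-match suppression entry (wildcards are not handled here)."""
    covered = {e["file"] for e in suppressions["suppressions"]}
    return [f for f in findings if f["file"] not in covered]


if __name__ == "__main__":
    found = parse_findings(CREDSCAN_LOG)
    print("unsuppressed with repo-relative paths:", len(unsuppressed(found, merge_unrebased(REPO_SUPPRESSIONS))))
    vmr = rebase_suppressions(REPO_SUPPRESSIONS)
    for f in unsuppressed(found, vmr):
        print(f"still unsuppressed: {f['rule']} {f['file']}:{f['line']}")
    print(json.dumps(vmr, indent=2))
```

With the repo-relative paths every finding is reported as unsuppressed, which is exactly the "already suppressed, so why now?" symptom in the thread; after rebasing, only the RabbitMQ default-password findings remain, because no entry was constructed for them. The same path-prefix logic applies whether the aggregate lives in a CredScanSuppressions.json or in a Guardian .gdnbaselines file, though the baseline format itself is not modelled here.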

@akoeplinger
Member

Will be fixed by dotnet/sdk#41943
