PyJWT has sample in METADATA

[atombrella]

IDs

Secret detection

Description

https://pypi.org/project/PyJWT/

Trivy finds a secret in the METADATA. I think that's a false positive that should be excluded.

But perhaps this report should go to https://github.com/owenrumney/squealer ?

I can silence the warning of course, but we are using https://learn.microsoft.com/en-us/azure/aks/image-cleaner which uses Trivy.

Reproduction Steps

https://dev.to/sukkergris/install-azure-cli-in-an-alpine-container-4b2e You can use the Dockerfile in this blog post to test.

Target

Container Image

Scanner

Vulnerability

Target OS

No response

Debug Output

https://dev.to/sukkergris/install-azure-cli-in-an-alpine-container-4b2e

trivy image azure-cli:2.67.0

This will find the JWT token.

Version

0.58.1

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

[knqyf263]

It's a correct behavior for Trivy to detect a valid JWT. As you said, you can suppress the finding on your end. What do you suggest?

[atombrella]

It's in the metadata section of the package (dist-info directory), which could be ignored by Trivy.

I can try to silence/suppress the warning in Azure as I think Trivy is also used in Cloud Defender.

[knqyf263]

Do you think we can ignore it in any case? If so, we can add a new rule here.
https://github.com/aquasecurity/trivy/blob/bbc5a85444ec86b7bb26d6db27803d199431a8e6/pkg/fanal/secret/builtin-allow-rules.go

[atombrella]

I'm leaning towards a yes: https://packaging.python.org/en/latest/specifications/recording-installed-packages/
I believe the METADATA file should be ignored. In the documentation, I don't see that it can be called with the
https://packaging.python.org/en/latest/specifications/binary-distribution-format/

It seems to contain metadata with paths.

I found this semi-related issue: #4067

[knqyf263]

Thanks. Created #8212