high security report reported by trivy
oupala opened this issue
- Mojolicious version: last from CPAN
- Perl version: 5
- Operating system: alpine linux
Steps to reproduce the behavior
run apk add perl libpq perl-crypt-rijndael perl-io-socket-ssl perl-net-ssleay su-exec shared-mime-info libressl
Expected behavior
No high security issue reported by trivy.
Actual behavior
Our trivy instance is reporting an issue:
myimage/snapshot:develop (alpine 3.15.8)
=============================================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
/home/local/lib/perl5/Mojo/IOLoop/resources/server.key (secrets)
======================================================================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
HIGH: AsymmetricPrivateKey (private-key)
════════════════════════════════════════
Asymmetric Private Key
────────────────────────────────────────
/home/local/lib/perl5/Mojo/IOLoop/resources/server.key:1 (added by 'RUN apk --no-cache add perl~=5 ')
────────────────────────────────────────
1 [ -----BEGIN RSA PRIVATE KEY-----**********************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************-----END RSA PRIVATE KEY-----
2
This is due to an asymmetric private key stored in the git repository:
https://github.com/mojolicious/mojo/tree/main/lib/Mojo/IOLoop/resources
It is generally considered unsafe to store a private key in a public repository.
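One way to handle this finding without switching off secret scanning for the whole image is a path-scoped allow-rule in Trivy's secret configuration file (passed with `--secret-config`). The file below is an added example, not from the issue report or the Mojolicious project; the rule id and description are made up, and the path regex assumes the install location shown in the report above.

```yaml
# trivy-secret.yaml (added example; not part of Mojolicious or this issue)
# Scoped allow-rule: suppress only the bundled Mojolicious development key,
# so any other private key found in the image still raises a HIGH finding.
allow-rules:
  - id: mojolicious-bundled-dev-key
    description: >-
      Mojo::IOLoop ships a throw-away self-signed key/cert pair under
      lib/Mojo/IOLoop/resources for development and tests; the key is
      published in the mojo repository and is not a secret of this image.
    # Assumed install prefix: the path reported by trivy above. The regex is
    # anchored to the Mojo resources directory so it does not match keys
    # stored anywhere else in the image.
    path: .*/lib/perl5/Mojo/IOLoop/resources/server\.key$
```

Run the scan as `trivy image --secret-config trivy-secret.yaml myimage/snapshot:develop`; because the rule matches on path only, a private key at any other location is still reported.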
That's intentional.