mojolicious / mojo

:sparkles: Mojolicious - Perl real-time web framework

Home Page: https://mojolicious.org

high security report reported by trivy

oupala opened this issue · comments

commented
  • Mojolicious version: last from CPAN
  • Perl version: 5
  • Operating system: alpine linux

Steps to reproduce the behavior

run apk add perl libpq perl-crypt-rijndael perl-io-socket-ssl perl-net-ssleay su-exec shared-mime-info libressl

Expected behavior

No high security issue reported by trivy.

Actual behavior

Our trivy instance is reporting an issue:

myimage/snapshot:develop (alpine 3.15.8)
=============================================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
/home/local/lib/perl5/Mojo/IOLoop/resources/server.key (secrets)
======================================================================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
HIGH: AsymmetricPrivateKey (private-key)
════════════════════════════════════════
Asymmetric Private Key
────────────────────────────────────────
/home/local/lib/perl5/Mojo/IOLoop/resources/server.key:1 (added by 'RUN apk --no-cache add perl~=5 ')
────────────────────────────────────────
1 [ -----BEGIN RSA PRIVATE KEY-----**********************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************-----END RSA PRIVATE KEY-----
2

This is due to an asymmetric private key stored in the git repository:

https://github.com/mojolicious/mojo/tree/main/lib/Mojo/IOLoop/resources

It is generally considered unsafe to store a private key in a public repository.

That's intentional.
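One way a defender can handle this class of finding, as an added example that is not part of the issue or of the Mojolicious project: triage a trivy JSON report, suppressing the bundled test key by rule id and exact path while keeping any other private key in the image actionable. It assumes trivy's `--format json` layout (`Results[].Target`, `Results[].Secrets[]`) and works on a constructed report, not a real scan.

```python
# Triage a trivy JSON secret report against an allow-list of known test
# fixtures, such as the Mojolicious server.key this issue is about.
import fnmatch
import json

# Constructed sample in the shape of `trivy image --format json` output
# (assumed keys: Results[].Target and Results[].Secrets[]); it mirrors the
# finding quoted above plus one unrelated key, and is not a real scan.
SAMPLE_REPORT = json.dumps({"Results": [
    {"Target": "/home/local/lib/perl5/Mojo/IOLoop/resources/server.key",
     "Class": "secret",
     "Secrets": [{"RuleID": "private-key", "Category": "AsymmetricPrivateKey",
                  "Severity": "HIGH", "Title": "Asymmetric Private Key",
                  "StartLine": 1, "EndLine": 1}]},
    {"Target": "/app/config/deploy.key",
     "Class": "secret",
     "Secrets": [{"RuleID": "private-key", "Category": "AsymmetricPrivateKey",
                  "Severity": "HIGH", "Title": "Asymmetric Private Key",
                  "StartLine": 1, "EndLine": 1}]},
]})

# (rule id, path glob) pairs that are known test fixtures. The Mojolicious
# entry is the case from this issue; the glob is kept narrow so that any
# other private key baked into the image still surfaces as actionable.
ALLOWED_FIXTURES = [
    ("private-key", "*/lib/perl5/Mojo/IOLoop/resources/server.key"),
]

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def is_allowed(rule_id, target):
    """True if the finding matches a known fixture by rule id and path."""
    return any(rule_id == rid and fnmatch.fnmatch(target, pattern)
               for rid, pattern in ALLOWED_FIXTURES)


def triage(report_json, min_severity="HIGH"):
    """Split secret findings at or above min_severity into
    (actionable, suppressed) lists of (target, rule id, severity)."""
    actionable, suppressed = [], []
    for result in json.loads(report_json).get("Results", []):
        for secret in result.get("Secrets", []):
            if SEVERITY_RANK.get(secret["Severity"], 0) < SEVERITY_RANK[min_severity]:
                continue
            entry = (result["Target"], secret["RuleID"], secret["Severity"])
            bucket = suppressed if is_allowed(secret["RuleID"], result["Target"]) else actionable
            bucket.append(entry)
    return actionable, suppressed
```

Anything left in the actionable list is a real finding to investigate; the suppressed list documents which paths were knowingly accepted and why.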