Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: do not leak attestation password or key path to console or SBOM contents #1538

Merged
merged 3 commits into from
Feb 3, 2023
Merged

fix: do not leak attestation password or key path to console or SBOM contents #1538

merged 3 commits into from
Feb 3, 2023

Conversation

spiffcs
Copy link
Contributor

@spiffcs spiffcs commented Feb 3, 2023
edited by wagoodman
Loading

Summary

This PR updates the key and password config fields when running syft attest to not be displayed in the console or encoded into SBOMs.

In the previous state plain text of the fields would be output during a syft run where the config is printed to the console. This is NOT the desired behavior. Instead, this change updates the tag values so that the fields are ignored and not decoded onto the yaml or json outputs displayed by syft.

Note - the code can still use these values, but they are no longer exposed as a part of any logging or encoded into SBOMs.

Affects syft versions >= v0.69.0 && <0.70.0

Related Links:

Signed-off-by: Christopher Phillips christopher.phillips@anchore.com

@spiffcs
fix: update config struct to not decode password/key
e27070a 
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
@spiffcs spiffcs added the security related to vulnerability remediation label Feb 3, 2023
@github-actions
Copy link

github-actions bot commented Feb 3, 2023
edited
Loading

Benchmark Test Results

Benchmark results from the latest changes vs base branch 
goos: linux
goarch: amd64
pkg: github.com/anchore/syft/test/integration
cpu: Intel(R) Xeon(R) Platinum 8272CL CPU @ 2.60GHz
                                                          │ ./.tmp/benchmark-03f0b52.txt │
                                                          │            sec/op            │
ImagePackageCatalogers/alpmdb-cataloger-2                                   12.12m ±  1%
ImagePackageCatalogers/ruby-gemspec-cataloger-2                             1.308m ± 17%
ImagePackageCatalogers/python-package-cataloger-2                           3.425m ±  1%
ImagePackageCatalogers/php-composer-installed-cataloger-2                   1.108m ±  1%
ImagePackageCatalogers/javascript-package-cataloger-2                       792.7µ ±  2%
ImagePackageCatalogers/dpkgdb-cataloger-2                                   910.1µ ±  1%
ImagePackageCatalogers/rpm-db-cataloger-2                                   1.340m ±  1%
ImagePackageCatalogers/java-cataloger-2                                     14.95m ±  1%
ImagePackageCatalogers/graalvm-native-image-cataloger-2                     7.351µ ±  5%
ImagePackageCatalogers/apkdb-cataloger-2                                    913.9µ ±  1%
ImagePackageCatalogers/go-module-binary-cataloger-2                         16.36µ ±  1%
ImagePackageCatalogers/dotnet-deps-cataloger-2                              1.406m ±  1%
ImagePackageCatalogers/portage-cataloger-2                                  745.5µ ±  0%
ImagePackageCatalogers/sbom-cataloger-2                                     4.715m ±  1%
ImagePackageCatalogers/binary-cataloger-2                                   6.979m ±  1%
geomean                                                                     1.083m

                                                          │ ./.tmp/benchmark-03f0b52.txt │
                                                          │             B/op             │
ImagePackageCatalogers/alpmdb-cataloger-2                                   5.035Mi ± 0%
ImagePackageCatalogers/ruby-gemspec-cataloger-2                             205.3Ki ± 0%
ImagePackageCatalogers/python-package-cataloger-2                           954.3Ki ± 0%
ImagePackageCatalogers/php-composer-installed-cataloger-2                   217.9Ki ± 0%
ImagePackageCatalogers/javascript-package-cataloger-2                       158.3Ki ± 0%
ImagePackageCatalogers/dpkgdb-cataloger-2                                   200.2Ki ± 0%
ImagePackageCatalogers/rpm-db-cataloger-2                                   300.2Ki ± 0%
ImagePackageCatalogers/java-cataloger-2                                     3.300Mi ± 0%
ImagePackageCatalogers/graalvm-native-image-cataloger-2                     1.375Ki ± 0%
ImagePackageCatalogers/apkdb-cataloger-2                                    181.7Ki ± 0%
ImagePackageCatalogers/go-module-binary-cataloger-2                         2.121Ki ± 0%
ImagePackageCatalogers/dotnet-deps-cataloger-2                              378.0Ki ± 0%
ImagePackageCatalogers/portage-cataloger-2                                  138.0Ki ± 0%
ImagePackageCatalogers/sbom-cataloger-2                                     725.1Ki ± 0%
ImagePackageCatalogers/binary-cataloger-2                                   1.092Mi ± 0%
geomean                                                                     222.2Ki

                                                          │ ./.tmp/benchmark-03f0b52.txt │
                                                          │          allocs/op           │
ImagePackageCatalogers/alpmdb-cataloger-2                                    85.84k ± 0%
ImagePackageCatalogers/ruby-gemspec-cataloger-2                              4.349k ± 0%
ImagePackageCatalogers/python-package-cataloger-2                            16.79k ± 0%
ImagePackageCatalogers/php-composer-installed-cataloger-2                    5.603k ± 0%
ImagePackageCatalogers/javascript-package-cataloger-2                        3.432k ± 0%
ImagePackageCatalogers/dpkgdb-cataloger-2                                    4.575k ± 0%
ImagePackageCatalogers/rpm-db-cataloger-2                                    8.318k ± 0%
ImagePackageCatalogers/java-cataloger-2                                      58.66k ± 0%
ImagePackageCatalogers/graalvm-native-image-cataloger-2                       32.00 ± 0%
ImagePackageCatalogers/apkdb-cataloger-2                                     5.331k ± 0%
ImagePackageCatalogers/go-module-binary-cataloger-2                           70.00 ± 0%
ImagePackageCatalogers/dotnet-deps-cataloger-2                               7.206k ± 0%
ImagePackageCatalogers/portage-cataloger-2                                   3.683k ± 0%
ImagePackageCatalogers/sbom-cataloger-2                                      25.34k ± 0%
ImagePackageCatalogers/binary-cataloger-2                                    39.10k ± 0%
geomean                                                                      5.351k

@spiffcs
test: update tests to confirm no secrets in output
ad75b8c 
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
@spiffcs spiffcs marked this pull request as ready for review February 3, 2023 17:49
@spiffcs
chore: add comments
31341b7 
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
@spiffcs spiffcs enabled auto-merge (squash) February 3, 2023 18:02
@spiffcs spiffcs merged commit 9995950 into main Feb 3, 2023
@spiffcs spiffcs deleted the password-tags branch February 3, 2023 18:06
@wagoodman wagoodman changed the title fix: update config struct to not decode password/key fix: do not leak attestation password or key path to console or SBOM contents Feb 3, 2023
This was referenced Feb 6, 2023
Closed
Closed
Closed
Merged
Closed
Closed
Closed
Closed
Closed
Closed
Closed
This was referenced Feb 13, 2023
Merged
Closed
Closed
Closed
Closed
GijsCalis pushed a commit to GijsCalis/syft that referenced this pull request Feb 19, 2024
@spiffcs
fix: update config struct to not decode password/key (anchore#1538)
181fd39 
* fix: update config struct to not decode password/key
* test: update tests to confirm no secrets in output

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
---------

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@wagoodman wagoodman wagoodman approved these changes

Assignees
No one assigned
Labels
security related to vulnerability remediation
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@spiffcs @wagoodman