Nokogiri dependencies.yml RSA KEY false positive

[wagnerpereira]

IDs

CRITICAL: AWS (aws-secret-access-key)

Description

Trivy start to give this false positive in the last builds in oure pipeline.

/usr/local/bundle/gems/nokogiri-1.15.5/dependencies.yml (secrets)

Total: 1 (CRITICAL: 1)

CRITICAL: AWS (aws-secret-access-key)
════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
AWS Secret Access Key
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
/usr/local/bundle/gems/nokogiri-1.15.5/dependencies.yml:36 (added by 'COPY /usr/local/bundle/ /usr/local/bundl')
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
34 # - gpg --verify libiconv-1.17.tar.gz.sig ports/archives/libiconv-1.17.tar.gz
35 # gpg: Signature made Sun 15 May 2022 11:26:42 AM EDT
36 [ # gpg: using RSA key ****************************************
37 # gpg: Good signature from "Bruno Haible (Open Source Development) [email protected]" [unknown]
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Reproduction Steps

1. Build my image that depends on nokogiri gem
2. Run Trivy on this image
3. Trivy show this false aws-secret-access-key critical error

Target

Container Image

Scanner

Secret

Target OS

debian 12.4

Debug Output

$ trivy image my-image:latest --severity CRITICAL --ignore-unfixed --debug

2023-12-11T21:26:12.443-0300	DEBUG	Severities: ["CRITICAL"]
2023-12-11T21:26:12.443-0300	DEBUG	Ignore statuses	{"statuses": ["unknown","not_affected","affected","under_investigation","will_not_fix","fix_deferred","end_of_life"]}
2023-12-11T21:26:12.452-0300	DEBUG	cache dir:  /Users/wagner/Library/Caches/trivy
2023-12-11T21:26:12.452-0300	DEBUG	DB update was skipped because the local DB was downloaded during the last hour
2023-12-11T21:26:12.452-0300	DEBUG	DB Schema: 2, UpdatedAt: 2023-12-11 18:11:01.766139561 +0000 UTC, NextUpdate: 2023-12-12 00:11:01.76613918 +0000 UTC, DownloadedAt: 2023-12-12 00:17:44.645728 +0000 UTC
2023-12-11T21:26:12.452-0300	INFO	Vulnerability scanning is enabled
2023-12-11T21:26:12.452-0300	DEBUG	Vulnerability type:  [os library]
2023-12-11T21:26:12.452-0300	INFO	Secret scanning is enabled
2023-12-11T21:26:12.452-0300	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-12-11T21:26:12.452-0300	INFO	Please see also https://aquasecurity.github.io/trivy/v0.48/docs/scanner/secret/#recommendation for faster secret detection
2023-12-11T21:26:12.452-0300	DEBUG	Enabling misconfiguration scanners: [azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan]
2023-12-11T21:26:12.466-0300	DEBUG	No secret config detected: trivy-secret.yaml
2023-12-11T21:26:12.466-0300	DEBUG	The nuget packages directory couldn't be found. License search disabled
2023-12-11T21:26:12.466-0300	DEBUG	No secret config detected: trivy-secret.yaml
2023-12-11T21:26:12.466-0300	DEBUG	Image ID: sha256:e70e12cedb74f9104aff431b2e5ef598ca6560b4c117635651e33be334a38f19
2023-12-11T21:26:12.466-0300	DEBUG	Diff IDs: [sha256:cb4596cc145400fb1f2aa56d41516b39a366ecdee7bf3f9191116444aacd8c90 sha256:59c86fca9a7368f0a7e3a07cf8e4c7109d63db74ee16866cb9e5220abed96a07 sha256:18fcaa610edd37a1c34e56d70f28865d3ddd08cf7479965d54384abfec350704 sha256:b216daa742554ce9fc8c870deeff5dcd1dd9153ab9dd37e57c290bcf82390598 sha256:4f05f94f3b9630496ed3b0c9b04e5dd9c373f405c803a1c9db87166937647666 sha256:7803842a4d728ed2536e6b1e20a18a9e21c2f7c8d4da2b3aeba39076d4d89cf6 sha256:4134fbb8d08c1f35f46db8d2bce75c0ab642e710b76e429548ec3be21885d8be sha256:715601637a07619b85563f9cc0b4067349615d9b92b6f796bcb43646c85eaf72 sha256:c36d9d53c8748489e00cd1e2add39a4015a474f28b8386f2b35823a75f165c1b sha256:5bc1303d2f87a9ffe22254e292bfa016f33d1a641399426357da3c9c24614c37 sha256:9545f5f62850e38929a4d20ad63bed6d2a1b16031f4d3163fdbd8fd22e92c778 sha256:e406881ef20a111400aaea11fa2a185f279c4cece94ff4e9c2bac2bf51230ed7]
2023-12-11T21:26:12.466-0300	DEBUG	Base Layers: [sha256:cb4596cc145400fb1f2aa56d41516b39a366ecdee7bf3f9191116444aacd8c90 sha256:59c86fca9a7368f0a7e3a07cf8e4c7109d63db74ee16866cb9e5220abed96a07 sha256:18fcaa610edd37a1c34e56d70f28865d3ddd08cf7479965d54384abfec350704 sha256:b216daa742554ce9fc8c870deeff5dcd1dd9153ab9dd37e57c290bcf82390598 sha256:4f05f94f3b9630496ed3b0c9b04e5dd9c373f405c803a1c9db87166937647666]
2023-12-11T21:26:12.491-0300	INFO	Detected OS: debian
2023-12-11T21:26:12.491-0300	INFO	Detecting Debian vulnerabilities...
2023-12-11T21:26:12.491-0300	DEBUG	debian: os version: 12
2023-12-11T21:26:12.491-0300	DEBUG	debian: the number of packages: 188
2023-12-11T21:26:12.509-0300	INFO	Number of language-specific files: 2
2023-12-11T21:26:12.509-0300	INFO	Detecting gemspec vulnerabilities...
2023-12-11T21:26:12.509-0300	DEBUG	Detecting library vulnerabilities, type: gemspec, path:
2023-12-11T21:26:12.516-0300	INFO	Detecting node-pkg vulnerabilities...
2023-12-11T21:26:12.516-0300	DEBUG	Detecting library vulnerabilities, type: node-pkg, path:
2023-12-11T21:26:12.516-0300	DEBUG	Secret file: /usr/local/bundle/gems/nokogiri-1.15.5/dependencies.yml

my-image:latest (debian 12.4)

Total: 0 (CRITICAL: 0)


/usr/local/bundle/gems/nokogiri-1.15.5/dependencies.yml (secrets)

Total: 1 (CRITICAL: 1)

CRITICAL: AWS (aws-secret-access-key)
════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
AWS Secret Access Key
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 /usr/local/bundle/gems/nokogiri-1.15.5/dependencies.yml:36 (added by 'COPY /usr/local/bundle/ /usr/local/bundl')
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  34     # - gpg --verify libiconv-1.17.tar.gz.sig ports/archives/libiconv-1.17.tar.gz
  35     #     gpg: Signature made Sun 15 May 2022 11:26:42 AM EDT
  36 [   #     gpg:                using RSA key ****************************************
  37     #     gpg: Good signature from "Bruno Haible (Open Source Development) <[email protected]>" [unknown]
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Version

$ trivy --version
Version: 0.48.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-12-11 18:11:01.766139561 +0000 UTC
  NextUpdate: 2023-12-12 00:11:01.76613918 +0000 UTC
  DownloadedAt: 2023-12-12 00:17:44.645728 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2023-12-11 00:49:01.121535103 +0000 UTC
  NextUpdate: 2023-12-14 00:49:01.121534983 +0000 UTC
  DownloadedAt: 2023-12-11 22:57:40.761151 +0000 UTC

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

[DmitriyLewen]

Hello @wagnerpereira
Thanks for your report!

Looks like we can't update aws-secret-access-key to avoid false positive in your case.
But you can skip this file or disable aws-secret-access-key rule.

Regards, Dmitriy

[wagnerpereira]

I already skipped this false positive as a hotfix to bypass this issue in our pipeline.

I'll ping nokogiri folks about this issue. Thanks!

[DmitriyLewen]

I close this discussion.
Feel free to reopen this discussion if you still have questions.

Regards, Dmitriy