[Secret scanning] Trivy mistakenly reports gpg/RSA key hash contained in README (Markdown) as "AWS secret access key"

[codethief]

IDs

/

Description

Running Trivy on my image that comes with gitpython pip package (v3.1.41) yields a "critical" vulnerability related to an "AWS Secret Access Key".

However, the offending line (effectively) is this one: https://github.com/gitpython-developers/GitPython/blob/3.1.41/README.md?plain=1#L246 .

1. It's not an access key but an RSA key hash.
2. It originates from a Markdown file and just ended up in the package's MANIFEST file.

Reproduction Steps

1. Create a Docker image, set up Python and run `pip install gitpython=3.1.41`
2. Run Trivy on said image

Target

Container Image

Scanner

Secret

Target OS

Debian 12 "Bookworm" (more specifically "buildpack-deps:bookworm")

Debug Output

$ trivy  --cache-dir .trivycache/ image --exit-code 1 --severity HIGH,CRITICAL --no-progress --ignore-unfixed "<IMAGE NAME>"
2024-01-19T10:43:15.149Z	INFO	Vulnerability scanning is enabled
2024-01-19T10:43:15.149Z	INFO	Secret scanning is enabled
2024-01-19T10:43:15.149Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-01-19T10:43:15.149Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.48/docs/scanner/secret/#recommendation for faster secret detection
2024-01-19T10:43:17.142Z	INFO	Detected OS: debian
2024-01-19T10:43:17.143Z	INFO	Detecting Debian vulnerabilities...
2024-01-19T10:43:18.341Z	INFO	Number of language-specific files: 6
2024-01-19T10:43:18.341Z	INFO	Detecting gobinary vulnerabilities...
2024-01-19T10:43:18.341Z	INFO	Detecting python-pkg vulnerabilities...
2024-01-19T10:43:18.346Z	INFO	Detecting node-pkg vulnerabilities...
<IMAGE NAME>:c2d2a2cf1552cf09c901f9dea5ff760ca0ef9c70 (debian 12.4)
=============================================================================================================================
Total: 0 (HIGH: 0, CRITICAL: 0)
/workdir/.venv/lib/python3.12/site-packages/GitPython-3.1.41.dist-info/METADATA (secrets)
=========================================================================================
Total: 1 (HIGH: 0, CRITICAL: 1)
CRITICAL: AWS (aws-secret-access-key)
════════════════════════════════════════
AWS Secret Access Key
────────────────────────────────────────
 /workdir/.venv/lib/python3.12/site-packages/GitPython-3.1.41.dist-info/METADATA:291 (added by 'COPY --from=python_dependencies --chown=')
────────────────────────────────────────
 289   
 290   gpg: Signature made Fr  4 Sep 10:04:50 2020 CST
 291 [ gpg:                using RSA key ****************************************
 292   gpg: Good signature from "Sebastian Thiel (YubiKey USB-C) <[email protected]>" [ultimate]
────────────────────────────────────────

Relevant output of --debug -f json:

  "Results": [
    {
      "Target": "<IMAGE NAME> (debian 12.4)",
      "Class": "os-pkgs",
      "Type": "debian"
    },
    {
      "Target": "Python",
      "Class": "lang-pkgs",
      "Type": "python-pkg"
    },
    {
      "Target": "/workdir/.venv/lib/python3.12/site-packages/PyJWT-2.8.0.dist-info/METADATA",
      "Class": "secret"
    },
    {
      "Target": "/workdir/.venv/lib/python3.12/site-packages/GitPython-3.1.41.dist-info/METADATA",
      "Class": "secret",
      "Secrets": [
        {
          "RuleID": "aws-secret-access-key",
          "Category": "AWS",
          "Severity": "CRITICAL",
          "Title": "AWS Secret Access Key",
          "StartLine": 291,
          "EndLine": 291,
          "Code": {
            "Lines": [
              {
                "Number": 289,
                "Content": "```bash",
                "IsCause": false,
                "Annotation": "",
                "Truncated": false,
                "Highlighted": "```bash",
                "FirstCause": false,
                "LastCause": false
              },
              {
                "Number": 290,
                "Content": "gpg: Signature made Fr  4 Sep 10:04:50 2020 CST",
                "IsCause": false,
                "Annotation": "",
                "Truncated": false,
                "Highlighted": "gpg: Signature made Fr  4 Sep 10:04:50 2020 CST",
                "FirstCause": false,
                "LastCause": false
              },
              {
                "Number": 291,
                "Content": "gpg:                using RSA key ****************************************",
                "IsCause": true,
                "Annotation": "",
                "Truncated": false,
                "Highlighted": "gpg:                using RSA key ****************************************",
                "FirstCause": true,
                "LastCause": true
              },
              {
                "Number": 292,
                "Content": "gpg: Good signature from \"Sebastian Thiel (YubiKey USB-C) \[email protected]\u003e\" [ultimate]",
                "IsCause": false,
                "Annotation": "",
                "Truncated": false,
                "Highlighted": "gpg: Good signature from \"Sebastian Thiel (YubiKey USB-C) \[email protected]\u003e\" [ultimate]",
                "FirstCause": false,
                "LastCause": false
              }
            ]
          },
          "Match": "gpg:                using RSA key ****************************************",
          "Layer": {
            "Digest": "sha256:39df5f920e255c5c84ad35f620aa94e95ab1ed05b6c8d2bb763bc4caa21e0468",
            "DiffID": "sha256:cb08098049c9faabeef37ef53511cd3f1de5ff72370f3e89048a21a515818565",
            "CreatedBy": "COPY --from=python_dependencies --chown=user:user /workdir/.venv ./.venv"
          }
        }
      ]
    }
  ]

### Version

```bash
$ trivy --version
0.48.3

### Checklist

- [X] Read [the documentation regarding wrong detection](https://aquasecurity.github.io/trivy/dev/community/contribute/discussion/#false-detection)
- [X] Ran Trivy with `-f json` that shows data sources and confirmed that the security advisory in data sources was correct

[DmitriyLewen]

Duplicate of #5900