Trivy is reporting XML file "entry key" with exactly 40 chars long as AWS Secret Access Key (CRITICAL Vulnerability)

[ejtavares]

IDs

AWS Secret Access Key

Description

Any "entry key" in a XML resource file with exactly 40 chars long is being reported as aws-secret-access-key violation.

Exactly 40 chars long is flagged:
Internal Error: This is just a test.

Anything with length different then 40 are not flagged:
Internal Error: This is just a test.
Internal Error: This is just a test.

Found issue #4093 but I don't think they are the same issue...

Reproduction Steps

1. Create an XML file using this content (i.e., my_resource_file.xml):

<?xml version="1.0" encoding="UTF-8" ?>
 <rsccat version="1.0" locale="en_US">
   <message>
	 <entry key="OkNotSureWhyButThisIsJustAResourceFileOk"  translate="false">Internal Error: This is just a test.</entry>
    </message>
 </rsccat>

2. trivy fs .

Target

Filesystem

Scanner

Vulnerability

Target OS

No response

Debug Output

trivy fs . --debug
2023-09-12T17:28:47.544-0400    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-09-12T17:28:47.544-0400    DEBUG   Ignore statuses {"statuses": null}
2023-09-12T17:28:47.554-0400    DEBUG   cache dir:  ***
2023-09-12T17:28:47.554-0400    DEBUG   DB update was skipped because the local DB is the latest
2023-09-12T17:28:47.554-0400    DEBUG   DB Schema: 2, UpdatedAt: 2023-09-12 18:14:14.384627623 +0000 UTC, NextUpdate: 2023-09-13 00:14:14.384627123 +0000 UTC, DownloadedAt: 2023-09-12 21:28:41.337332972 +0000 UTC
2023-09-12T17:28:47.554-0400    INFO    Vulnerability scanning is enabled
2023-09-12T17:28:47.554-0400    DEBUG   Vulnerability type:  [os library]
2023-09-12T17:28:47.554-0400    INFO    Secret scanning is enabled
2023-09-12T17:28:47.554-0400    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-09-12T17:28:47.554-0400    INFO    Please see also https://aquasecurity.github.io/trivy/v0.45/docs/scanner/secret/#recommendation for faster secret detection
2023-09-12T17:28:47.554-0400    DEBUG   No secret config detected: trivy-secret.yaml
2023-09-12T17:28:47.554-0400    DEBUG   Walk the file tree rooted at '.' in parallel
2023-09-12T17:28:47.572-0400    DEBUG   OS is not detected.
2023-09-12T17:28:47.572-0400    DEBUG   Detected OS: unknown
2023-09-12T17:28:47.572-0400    INFO    Number of language-specific files: 0
2023-09-12T17:28:47.573-0400    DEBUG   Secret file: my_resource_file.xml

my_resource_file.xml (secrets)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 1)

CRITICAL: AWS (aws-secret-access-key)
════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
AWS Secret Access Key
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 my_resource_file.xml:4
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   2    <rsccat version="1.0" locale="en_US">
   3      <message>
   4 [   <entry key="****************************************"  translate="false">Internal Error: This is just a test.</entry>
   5       </message>
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Version

trivy --version
Version: 0.45.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-09-12 18:14:14.384627623 +0000 UTC
  NextUpdate: 2023-09-13 00:14:14.384627123 +0000 UTC
  DownloadedAt: 2023-09-12 21:28:41.337332972 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2023-07-25 01:03:52.169192765 +0000 UTC
  NextUpdate: 2023-07-28 01:03:52.169192565 +0000 UTC
  DownloadedAt: 2023-07-25 15:53:37.009134572 +0000 UTC

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

[nikpivkin]

Hi @ejtavares !

I couldn't reproduce your example. AWS Secret Access Key is detected by the following regular expression, so it is incorrect to say that any key with a length of 40 characters gives a false positive result.

[ejtavares]

Hi @nikpivkin,

Thank you for the quick response. I realized probably the XML format is having an impact here so I went ahead and used a text file instead. Here is the text file content with a length of 40 characters (adding or removing a char will make the false positive result go away):

key="OkNotSureWhyButThisIsJustAResourceFileOk"

Then:
trivy fs . --debug

2023-09-13T18:48:20.012-0400 INFO Number of language-specific files: 0
2023-09-13T18:48:20.012-0400 DEBUG Secret file: my_resource_file.txt

my_resource_file.txt (secrets)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 1)

CRITICAL: AWS (aws-secret-access-key)
════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
AWS Secret Access Key
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
my_resource_file.txt:1
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
1 [ key="****************************************"
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Thanks and looking forward to hear from you!

[nikpivkin]

Hi @ejtavares !

I'm a little confused, but this example didn't produce a positive result either.