
Suppress credscan warnings in X.509 test files #91041

Merged
merged 1 commit into from
Aug 24, 2023

Conversation

GrabYourPitchforks
Member

Recent updates to the unit test files are triggering credscan violations (AzDO 1840538). Our usage on line 56 is safe since there's no private key data present, and our usage on line 3063 is safe since it's a self-signed cert we generated specifically for unit test inclusion. No real creds (either prod or test) are present in these files.

After consulting with the Guardian team via email, the consensus suggestion was not to update the existing CredScanSuppressions.json file to recognize this secret, but instead to suppress the credscan checks at the two field definitions themselves.

CredScan requires a suppression either on the same line or on the line immediately preceding where the cred starts. Using the /* ... */ pattern here seemed cleaner than other alternatives which would have required me to shift whitespace and other code blocks around. I opted for the smallest possible code change here.
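The placement rule described above (suppression on the same line or on the line immediately preceding the secret) is easy to get wrong when code is reshuffled, so here is an added example, not part of this PR or the dotnet/runtime repository, of a small pre-commit check that applies that rule to source lines. The marker text `credscan:suppress` and the sample file contents are constructed placeholders; the exact suppression token CredScan expects is not shown on this page.

```python
import re

# Assumed placeholder marker; substitute the suppression syntax your scanner expects.
SUPPRESS_MARKER = "credscan:suppress"

# Lines where an embedded PEM blob begins (public certs and private keys alike).
SECRET_START = re.compile(r"-----BEGIN (?:CERTIFICATE|[A-Z ]*PRIVATE KEY)-----")

# Constructed sample in the style of a C# test-constants file.
SAMPLE = """\
internal static class TestCerts
{
    // credscan:suppress : marker on the line immediately preceding the cert
    public const string PublicOnly = "-----BEGIN CERTIFICATE-----MIIB...";

    public const string SelfSigned = /* credscan:suppress */ "-----BEGIN CERTIFICATE-----MIIC...";

    // credscan:suppress
    // one extra line between marker and cert: outside the allowed window
    public const string TooFar = "-----BEGIN CERTIFICATE-----MIID...";
}
"""


def is_suppressed(lines, idx):
    """A finding at lines[idx] counts as suppressed only if the marker sits on
    the same line or on the line immediately before it; anything further up
    (e.g. two lines above) does not cover it."""
    if SUPPRESS_MARKER in lines[idx]:
        return True
    return idx > 0 and SUPPRESS_MARKER in lines[idx - 1]


def scan(source):
    """Return (1-based line number, suppressed?) for every PEM start found."""
    lines = source.splitlines()
    return [(i + 1, is_suppressed(lines, i))
            for i, line in enumerate(lines) if SECRET_START.search(line)]


def unsuppressed(source):
    """Line numbers a scanner would still flag after applying the rule."""
    return [n for n, ok in scan(source) if not ok]


if __name__ == "__main__":
    for n, ok in scan(SAMPLE):
        print(f"line {n}: {'suppressed' if ok else 'UNSUPPRESSED'}")
```

Running it on the sample reports lines 4 and 6 as covered (preceding-line and same-line `/* ... */` placement) and line 10 as still flagged, which is the case a whitespace shuffle silently creates.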

@ghost

ghost commented Aug 24, 2023

Tagging subscribers to this area: @dotnet/area-system-security, @bartonjs, @vcsjones
See info in area-owners.md if you want to be subscribed.

Issue Details


Author: GrabYourPitchforks
Assignees: -
Labels:

area-System.Security

Milestone: -

@jozkee jozkee merged commit 5a46cf1 into dotnet:main Aug 24, 2023
102 of 105 checks passed
@GrabYourPitchforks GrabYourPitchforks deleted the fix-credscan branch August 24, 2023 17:40
@GrabYourPitchforks
Member Author

/backport to release/8.0

@github-actions
Contributor

Started backporting to release/8.0: https://github.com/dotnet/runtime/actions/runs/5967094123

@ghost ghost locked as resolved and limited conversation to collaborators Sep 23, 2023

4 participants