OpenShift GitOps / GITOPS-6631

SENSITIVE_DATA_LEAK (CWE-319)


    • Type: Bug
    • Resolution: Duplicate

      Description of Problem

      Error: SIGMA.container_storing_secret_in_environment_variable (CWE-526): [#def3] [important]
      argo_cd/app/manifests/base/application-controller-deployment/argocd-application-controller-deployment.yaml:26: Sigma main event: The Kubernetes container stores secrets in environment variables, which could be leaked if the environment is logged.

        24|             valueFrom:
        25|               secretKeyRef:
        26|->               key: auth
        27|                 name: argocd-redis
        28|           - name: ARGOCD_RECONCILIATION_TIMEOUT

      Additional Info

      The scan reports multiple CWE-526 defects (the one above is [#def3]); the complete list of instances is in the scan results:

      https://cov01.lab.eng.brq2.redhat.com/covscanhub/task/841416/log/openshift-gitops-argocd-container-v1.16.0-15/scan-results-imp.html

      Problem Reproduction

      • SAST scan results from v1.16.0-15 RC

      Fix Approaches

      • Remediation: Provide access to secrets via volume mounts instead of setting `valueFrom.secretKeyRef` in `env`: project the `auth` key of the `argocd-redis` Secret as a read-only file and have the container read it from that path.
      • Caveat: a volume mount only keeps the value out of the process environment if the consuming process can read the secret from a file. If the process reads only an environment variable, an entrypoint that exports the file's contents puts the value straight back into the environment, so confirm how the controller consumes the `argocd-redis` auth value before switching.
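The remediation above, as an added example that is not code from the GITOPS-6631 issue or from the Argo CD project: a constructed, trimmed copy of the flagged Deployment beside the same Deployment with the `argocd-redis` Secret projected as a read-only file, plus a small indentation-based check that reports every `valueFrom.secretKeyRef` nested under a container's `env` list, so the pattern can be caught in review before the next SAST run. The env var name `REDIS_PASSWORD`, the mount path `/run/secrets/argocd-redis` and the `180s` timeout value are assumptions; the checker is not a YAML parser and handles only block-style manifests like the one quoted in the finding.

```python
"""Flag Deployments that inject Secret values into container environment
variables (the pattern behind this CWE-526 finding) and show the
volume-mount form that passes the check.

Added example for the GITOPS-6631 remediation; not part of the issue or
of Argo CD. Indentation-based walk, no third-party YAML module needed.
"""

from typing import List, Tuple

# Constructed manifest modelled on the quoted finding (Deployment trimmed
# to the fields that matter). The env var name and timeout are assumed.
WEAK_MANIFEST = """\
apiVersion: apps/v1
kind: Deployment
metadata:
  name: argocd-application-controller
spec:
  template:
    spec:
      containers:
      - name: argocd-application-controller
        env:
        - name: REDIS_PASSWORD
          valueFrom:
            secretKeyRef:
              key: auth
              name: argocd-redis
        - name: ARGOCD_RECONCILIATION_TIMEOUT
          value: "180s"
"""

# Same Deployment with the Secret projected as a read-only file. The mount
# path is an assumption; the process must read the value from that file.
FIXED_MANIFEST = """\
apiVersion: apps/v1
kind: Deployment
metadata:
  name: argocd-application-controller
spec:
  template:
    spec:
      containers:
      - name: argocd-application-controller
        env:
        - name: ARGOCD_RECONCILIATION_TIMEOUT
          value: "180s"
        volumeMounts:
        - name: redis-auth
          mountPath: /run/secrets/argocd-redis
          readOnly: true
      volumes:
      - name: redis-auth
        secret:
          secretName: argocd-redis
          items:
          - key: auth
            path: auth
"""


def find_env_secret_refs(manifest: str) -> List[Tuple[int, str, str]]:
    """Return (line number, env var name, key path) for every
    valueFrom.secretKeyRef nested under a container's env list.

    Handles block-style YAML only (no flow style, no multi-document files).
    """
    findings: List[Tuple[int, str, str]] = []
    stack: List[Tuple[int, str]] = []   # (indent, key) of enclosing keys
    env_name = "?"                       # name: of the env entry being walked
    for lineno, raw in enumerate(manifest.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        text = raw.strip()
        # "- key: value" opens a mapping nested one level under the list key
        while text.startswith("- "):
            text = text[2:].lstrip()
            indent += 2
        key, _, value = text.partition(":")
        key = key.strip()
        # Drop keys that are not ancestors of this line
        while stack and stack[-1][0] >= indent:
            stack.pop()
        path = [k for _, k in stack] + [key]
        if len(path) >= 2 and path[-2] == "env" and key == "name":
            env_name = value.strip()
        if (key == "secretKeyRef" and len(path) >= 3
                and path[-2] == "valueFrom" and "env" in path):
            findings.append((lineno, env_name, ".".join(path)))
        stack.append((indent, key))
    return findings


if __name__ == "__main__":
    for label, manifest in (("weak", WEAK_MANIFEST), ("fixed", FIXED_MANIFEST)):
        print(label, find_env_secret_refs(manifest) or "no Secret values in env")
```

Why the file form is preferable: environment variables are inherited by every child process the container spawns, are readable from /proc/<pid>/environ by anything running as the same UID in the container, and are routinely captured by crash reporters and debug dumps, which is the "leaked if the environment is logged" case in the finding. A read-only mounted file is only exposed to code that deliberately opens it. The checker flags the reference itself, not the value (the Secret contents never appear in the manifest), which is exactly what the Sigma rule is objecting to.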

      Acceptance Criteria

      • SAST scan results for the next release do not report CWE-526 defects for this manifest or the other instances listed in the scan results above

              Assignee: Unassigned
              Reporter: Varsha B (rhn-support-vab)