Use of Hard-coded Password

[rajeevdodda]

When we scanned our application using a static scan tool, it reported a security vulnerabity in the below line with a category of "Use of Hard-coded Password"

prop-types/lib/ReactPropTypesSecret.js

Line 10 in 4de0644

var ReactPropTypesSecret = 'SECRET_DO_NOT_PASS_THIS_OR_YOU_WILL_BE_FIRED';

[sdoppalapudi]

When we scanned our application using a static scan tool(Veracode), it reported a security vulnerabity in the below line with a category of "Use of Hard-coded Password"

prop-types/lib/ReactPropTypesSecret.js

Line 10 in 4de0644

var ReactPropTypesSecret = 'SECRET_DO_NOT_PASS_THIS_OR_YOU_WILL_BE_FIRED';

[ljharb]

Then your tool is pretty silly - just because a variable has the name “secret” doesn’t mean it’s actually a secret value, and your tool shouldn’t be warning you about third-party code.

[sdoppalapudi]

mean

@ljharb Thanks for the reply. But the scan tool veracode(static code scan) will scan all the build files and libraries used in the application. So, it reported this issue.

Looks it found a string 'SECRET_DO_NOT_PASS_THIS_OR_YOU_WILL_BE_FIRED' which has some SECRET in it. So, as part of our process, we need to report this vulnerability to the library GitHub and take confirmation.

can you please confirm is this an issue? I mean this piece of code in the library will not create any issue?.

[ljharb]

It is not an issue, and it is not a secret. The word “secret” isn’t a vulnerability.

[sdoppalapudi]

Thanks for the confirmation @ljharb.

[ljharb]

There’s no point in scanning third-party code for secrets, even if it’s included in your application, because they won’t be your secrets, and because there’s nothing you can do to fix it anyways.