Skip to content

Python: clear-text logging of X.509 certificate #15942

@woodruffw

Description

@woodruffw

Description of the false positive

In Python codebases, CodeQL appears to detect cryptography.x509.Certificates and treat them as sensitive materials, resulting in an advisory whenever CodeQL is able to observe dataflow from a Certificate object to an output or sink (e.g. print(...)).

CodeQL treats this as "Clear-text logging of sensitive information," which is incorrect: X.509 certificates are definitionally public materials, as evidenced by the fact that they carry public keys and are typically exported via functions with "public" in their name, like cert.public_bytes(...).

As such, I believe this is a false positive: CodeQL may choose to flag these for interest, but they are neither sensitive material nor a "High" severity finding.

Code samples or links to source code

Here's an example finding, demonstrating the false positive: https://github.com/sigstore/sigstore-python/security/code-scanning/71

Metadata

Metadata

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions