-
Notifications
You must be signed in to change notification settings - Fork 1.9k
Description
Description of the false positive
In Python codebases, CodeQL appears to detect cryptography.x509.Certificates and treat them as sensitive materials, resulting in an advisory whenever CodeQL is able to observe dataflow from a Certificate object to an output or sink (e.g. print(...)).
CodeQL treats this as "Clear-text logging of sensitive information," which is incorrect: X.509 certificates are definitionally public materials, as evidenced by the fact that they carry public keys and are typically exported via functions with "public" in their name, like cert.public_bytes(...).
As such, I believe this is a false positive: CodeQL may choose to flag these for interest, but they are neither sensitive material nor a "High" severity finding.
Code samples or links to source code
Here's an example finding, demonstrating the false positive: https://github.com/sigstore/sigstore-python/security/code-scanning/71