Added logic for checking first if JFROG_CLI_ENCRYPTION_KEY is filepat… by naveenku-jfrog · Pull Request #1464 · jfrog/jfrog-cli-core

naveenku-jfrog · 2025-09-22T19:41:55Z

…h and then key

All tests passed. If this feature is not already covered by the tests, I added new tests.
All static analysis checks passed.
This pull request is on the master branch.
I used gofmt for formatting the code before submitting the pull request.

Description:
https://jfrog-int.atlassian.net/browse/RTECO-389

JFROG_CLI_ENCRYPTION_KEY is stored in os env due to which it is accessible in logs.

Solution:
Instead of storing encryption key itself in os env, we have stored the path where encryption key is stored, in this way, we are only exposing file path in logs which is local path only, so no risk of information leakage.

…h and then key

utils/config/encryption.go

github-actions · 2025-09-29T05:46:51Z

📗 Scan Summary

Frogbot scanned for vulnerabilities and found 4 issues

Scan Category	Status	Security Issues
Software Composition Analysis	✅ Done	Not Found
Contextual Analysis	✅ Done	-
Static Application Security Testing (SAST)	✅ Done	4 Issues Found 4 Low
Secrets	✅ Done	-
Infrastructure as Code (IaC)	✅ Done	Not Found

🐸 JFrog Frogbot

github-actions · 2025-09-29T05:46:52Z

{
		ResolverPrefix + Url: "http://some.url.com",
		DeployerPrefix + Url: "http://some.other.url.com",
	}

at common/build/buildinfoproperties_test.go (line 146)

🎯 Static Application Security Testing (SAST) Vulnerability

Severity	Finding
Low	Detected usage of communication methods lacking encryption.

Full description

Vulnerability Details


Rule ID:	go-insecure-protocol

Overview

Using insecure protocols—such as HTTP, FTP, or LDAP—can expose sensitive
data during transmission, making it vulnerable to eavesdropping and man-in-the-middle
attacks. Secure protocols like HTTPS and FTPS should be used to ensure data
encryption during communication.

Vulnerable example

In this example, the application uses insecure protocols to communicate,
taking the protocol type from hardcoded strings.

package main

import (
    "fmt"
)

type SwampService struct {
    InsecureHttpProtocol string
    InsecureFtpProtocol  string
}

func NewSwampService() *SwampService {
    return &SwampService{
        InsecureHttpProtocol: "http://", // Insecure protocol
        InsecureFtpProtocol:  "ftp://",  // Insecure protocol
    }
}

func (s *SwampService) ConnectToFrogService(server string) {
    url := s.InsecureHttpProtocol + server + "/frogEndpoint"
    s.connect(url)

    url = s.InsecureFtpProtocol + server + "/frogFile"
    s.connect(url)
}

func (s *SwampService) connect(url string) {
    fmt.Printf("Connecting to %s\n", url)
    // Logic to connect to the service
}

func main() {
    service := NewSwampService()
    service.ConnectToFrogService("example.com")
}

In this vulnerable example, the ConnectToFrogService method uses hardcoded
insecure protocols (HTTP and FTP) to connect, making communications susceptible
to attacks.

Remediation

To mitigate the use of insecure protocols, replace them with secure alternatives
such as HTTPS or FTPS.

package main

import (
    "fmt"
)

type SwampService struct {
    InsecureHttpProtocol string
    InsecureFtpProtocol  string
}

func NewSwampService() *SwampService {
    return &SwampService{
        InsecureHttpProtocol: "http://", // Insecure protocol
        InsecureFtpProtocol:  "ftp://",  // Insecure protocol
    }
}

func (s *SwampService) ConnectToFrogService(server string) {
    url := s.InsecureHttpProtocol + server + "/frogEndpoint"
    s.connect(url)

    url = s.InsecureFtpProtocol + server + "/frogFile"
    s.connect(url)
}

func (s *SwampService) connect(url string) {
    fmt.Printf("Connecting to %s\n", url)
    // Logic to connect to the service
}

func main() {
    service := NewSwampService()
    service.ConnectToFrogService("example.com")
}

In this remediated example, the ConnectToFrogService method utilizes
secure protocols (HTTPS and FTPS) to ensure that communications are encrypted,
thereby protecting sensitive data.

🐸 JFrog Frogbot

github-actions · 2025-09-29T05:46:53Z

{"repo", "http://url/art", "http://url/art/api/npm/repo"}

at artifactory/commands/utils/npmcmdutils_test.go (line 17)

🎯 Static Application Security Testing (SAST) Vulnerability

Severity	Finding
Low	Detected usage of communication methods lacking encryption.

Full description

Vulnerability Details


Rule ID:	go-insecure-protocol

Overview

Using insecure protocols—such as HTTP, FTP, or LDAP—can expose sensitive
data during transmission, making it vulnerable to eavesdropping and man-in-the-middle
attacks. Secure protocols like HTTPS and FTPS should be used to ensure data
encryption during communication.

Vulnerable example

In this example, the application uses insecure protocols to communicate,
taking the protocol type from hardcoded strings.

package main

import (
    "fmt"
)

type SwampService struct {
    InsecureHttpProtocol string
    InsecureFtpProtocol  string
}

func NewSwampService() *SwampService {
    return &SwampService{
        InsecureHttpProtocol: "http://", // Insecure protocol
        InsecureFtpProtocol:  "ftp://",  // Insecure protocol
    }
}

func (s *SwampService) ConnectToFrogService(server string) {
    url := s.InsecureHttpProtocol + server + "/frogEndpoint"
    s.connect(url)

    url = s.InsecureFtpProtocol + server + "/frogFile"
    s.connect(url)
}

func (s *SwampService) connect(url string) {
    fmt.Printf("Connecting to %s\n", url)
    // Logic to connect to the service
}

func main() {
    service := NewSwampService()
    service.ConnectToFrogService("example.com")
}

In this vulnerable example, the ConnectToFrogService method uses hardcoded
insecure protocols (HTTP and FTP) to connect, making communications susceptible
to attacks.

Remediation

To mitigate the use of insecure protocols, replace them with secure alternatives
such as HTTPS or FTPS.

package main

import (
    "fmt"
)

type SwampService struct {
    InsecureHttpProtocol string
    InsecureFtpProtocol  string
}

func NewSwampService() *SwampService {
    return &SwampService{
        InsecureHttpProtocol: "http://", // Insecure protocol
        InsecureFtpProtocol:  "ftp://",  // Insecure protocol
    }
}

func (s *SwampService) ConnectToFrogService(server string) {
    url := s.InsecureHttpProtocol + server + "/frogEndpoint"
    s.connect(url)

    url = s.InsecureFtpProtocol + server + "/frogFile"
    s.connect(url)
}

func (s *SwampService) connect(url string) {
    fmt.Printf("Connecting to %s\n", url)
    // Logic to connect to the service
}

func main() {
    service := NewSwampService()
    service.ConnectToFrogService("example.com")
}

In this remediated example, the ConnectToFrogService method utilizes
secure protocols (HTTPS and FTPS) to ensure that communications are encrypted,
thereby protecting sensitive data.

🐸 JFrog Frogbot

github-actions · 2025-09-29T05:46:54Z

{"repo", "http://url/art/", "http://url/art/api/npm/repo"}

at artifactory/commands/utils/npmcmdutils_test.go (line 18)

🎯 Static Application Security Testing (SAST) Vulnerability

Severity	Finding
Low	Detected usage of communication methods lacking encryption.

Full description

Vulnerability Details


Rule ID:	go-insecure-protocol

Overview

Using insecure protocols—such as HTTP, FTP, or LDAP—can expose sensitive
data during transmission, making it vulnerable to eavesdropping and man-in-the-middle
attacks. Secure protocols like HTTPS and FTPS should be used to ensure data
encryption during communication.

Vulnerable example

In this example, the application uses insecure protocols to communicate,
taking the protocol type from hardcoded strings.

package main

import (
    "fmt"
)

type SwampService struct {
    InsecureHttpProtocol string
    InsecureFtpProtocol  string
}

func NewSwampService() *SwampService {
    return &SwampService{
        InsecureHttpProtocol: "http://", // Insecure protocol
        InsecureFtpProtocol:  "ftp://",  // Insecure protocol
    }
}

func (s *SwampService) ConnectToFrogService(server string) {
    url := s.InsecureHttpProtocol + server + "/frogEndpoint"
    s.connect(url)

    url = s.InsecureFtpProtocol + server + "/frogFile"
    s.connect(url)
}

func (s *SwampService) connect(url string) {
    fmt.Printf("Connecting to %s\n", url)
    // Logic to connect to the service
}

func main() {
    service := NewSwampService()
    service.ConnectToFrogService("example.com")
}

In this vulnerable example, the ConnectToFrogService method uses hardcoded
insecure protocols (HTTP and FTP) to connect, making communications susceptible
to attacks.

Remediation

To mitigate the use of insecure protocols, replace them with secure alternatives
such as HTTPS or FTPS.

package main

import (
    "fmt"
)

type SwampService struct {
    InsecureHttpProtocol string
    InsecureFtpProtocol  string
}

func NewSwampService() *SwampService {
    return &SwampService{
        InsecureHttpProtocol: "http://", // Insecure protocol
        InsecureFtpProtocol:  "ftp://",  // Insecure protocol
    }
}

func (s *SwampService) ConnectToFrogService(server string) {
    url := s.InsecureHttpProtocol + server + "/frogEndpoint"
    s.connect(url)

    url = s.InsecureFtpProtocol + server + "/frogFile"
    s.connect(url)
}

func (s *SwampService) connect(url string) {
    fmt.Printf("Connecting to %s\n", url)
    // Logic to connect to the service
}

func main() {
    service := NewSwampService()
    service.ConnectToFrogService("example.com")
}

In this remediated example, the ConnectToFrogService method utilizes
secure protocols (HTTPS and FTPS) to ensure that communications are encrypted,
thereby protecting sensitive data.

🐸 JFrog Frogbot

github-actions · 2025-09-29T05:46:55Z

{"", "http://url/art", "http://url/art/api/npm/"}

at artifactory/commands/utils/npmcmdutils_test.go (line 20)

🎯 Static Application Security Testing (SAST) Vulnerability

Severity	Finding
Low	Detected usage of communication methods lacking encryption.

Full description

Vulnerability Details


Rule ID:	go-insecure-protocol

Overview

Using insecure protocols—such as HTTP, FTP, or LDAP—can expose sensitive
data during transmission, making it vulnerable to eavesdropping and man-in-the-middle
attacks. Secure protocols like HTTPS and FTPS should be used to ensure data
encryption during communication.

Vulnerable example

In this example, the application uses insecure protocols to communicate,
taking the protocol type from hardcoded strings.

package main

import (
    "fmt"
)

type SwampService struct {
    InsecureHttpProtocol string
    InsecureFtpProtocol  string
}

func NewSwampService() *SwampService {
    return &SwampService{
        InsecureHttpProtocol: "http://", // Insecure protocol
        InsecureFtpProtocol:  "ftp://",  // Insecure protocol
    }
}

func (s *SwampService) ConnectToFrogService(server string) {
    url := s.InsecureHttpProtocol + server + "/frogEndpoint"
    s.connect(url)

    url = s.InsecureFtpProtocol + server + "/frogFile"
    s.connect(url)
}

func (s *SwampService) connect(url string) {
    fmt.Printf("Connecting to %s\n", url)
    // Logic to connect to the service
}

func main() {
    service := NewSwampService()
    service.ConnectToFrogService("example.com")
}

In this vulnerable example, the ConnectToFrogService method uses hardcoded
insecure protocols (HTTP and FTP) to connect, making communications susceptible
to attacks.

Remediation

To mitigate the use of insecure protocols, replace them with secure alternatives
such as HTTPS or FTPS.

package main

import (
    "fmt"
)

type SwampService struct {
    InsecureHttpProtocol string
    InsecureFtpProtocol  string
}

func NewSwampService() *SwampService {
    return &SwampService{
        InsecureHttpProtocol: "http://", // Insecure protocol
        InsecureFtpProtocol:  "ftp://",  // Insecure protocol
    }
}

func (s *SwampService) ConnectToFrogService(server string) {
    url := s.InsecureHttpProtocol + server + "/frogEndpoint"
    s.connect(url)

    url = s.InsecureFtpProtocol + server + "/frogFile"
    s.connect(url)
}

func (s *SwampService) connect(url string) {
    fmt.Printf("Connecting to %s\n", url)
    // Logic to connect to the service
}

func main() {
    service := NewSwampService()
    service.ConnectToFrogService("example.com")
}

In this remediated example, the ConnectToFrogService method utilizes
secure protocols (HTTPS and FTPS) to ensure that communications are encrypted,
thereby protecting sensitive data.

🐸 JFrog Frogbot

Added logic for checking first if JFROG_CLI_ENCRYPTION_KEY is filepat…

6001901

…h and then key

nitinp19 approved these changes Sep 24, 2025

View reviewed changes

utils/config/encryption.go Show resolved Hide resolved

Added suffix check

a797dc1

naveenku-jfrog added the safe-to-test label Sep 29, 2025

naveenku-jfrog merged commit 7ec3208 into jfrog:master Sep 29, 2025
8 of 9 checks passed

Conversation

naveenku-jfrog commented Sep 22, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Uh oh!

github-actions bot commented Sep 29, 2025

📗 Scan Summary

Uh oh!

github-actions bot commented Sep 29, 2025

🎯 Static Application Security Testing (SAST) Vulnerability

Vulnerability Details

Overview

Vulnerable example

Remediation

Uh oh!

github-actions bot commented Sep 29, 2025

🎯 Static Application Security Testing (SAST) Vulnerability

Vulnerability Details

Overview

Vulnerable example

Remediation

Uh oh!

github-actions bot commented Sep 29, 2025

🎯 Static Application Security Testing (SAST) Vulnerability

Vulnerability Details

Overview

Vulnerable example

Remediation

Uh oh!

github-actions bot commented Sep 29, 2025

🎯 Static Application Security Testing (SAST) Vulnerability

Vulnerability Details

Overview

Vulnerable example

Remediation

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

naveenku-jfrog commented Sep 22, 2025 •

edited

Loading