Generated SBOM contains access token

[mbleichner]

Describe the bug

When executed from a git repo, the plugin writes the value of git remote get-url origin into the generated SBOM. In case of a Gitlab-CI build, this URL contains an access token, e.g. https://gitlab-ci-token:[email protected]/group-name/repo-name.git.

Although this token has a very limited lifespan, it could in theory allow a short attack window if some process can access the generated SBOM file.

Also it triggers a warning in the secret detection scanner.

To Reproduce

Execute the plugin via Gitlab-CI job

Expected behavior

Access tokens should be removed from the output. Alternatively, the inclusion of the git URL should be optional.

Environment (please complete the following information):

• OS: Linux
• Gradle version: 8.12.1
• CycloneDX Plugin version: 2.0.0

[skhokhlov]

It is possible to disable VCS resolution by setting it manually in build.gradle file:

cyclonedxBom {
    setVCSGit { vcs ->
        vcs.url = ""
    }
}

[mbleichner]

Thanks. Somehow I must have missed this part in the docs.

But the question still stands - shouldn't it be the default to remove any credentials from the URL? If you disagree, feel free to close this issue.

[skhokhlov]

It must be fixed, probably by removing username and password from VCS URI.