False positive with new text-based bun.lock #3770

Open
notramo opened this issue Dec 12, 2024 · 0 comments
notramo commented Dec 12, 2024

A text-based lockfile (bun.lock) was recently added to Bun (to replace the previously used binary bun.lockb file). It can be created with bun install --save-text-lockfile. (Currently only the nightly builds have this feature.)

The plain-text file contains many checksums, and trufflehog mistakenly detects some checksums as access tokens.

This is a line from bun.lock that triggers a false positive:

    "@oxlint/linux-x64-gnu": ["@oxlint/[email protected]", "", { "os": "linux", "cpu": "x64" }, "sha512-e/KSj4fg5EFdK/bJLJjGRzaw2KZdYgr2mTt3k9HF9YIGl0UnBoX5h+q0hJ9scDTNNailT8qytvOjuiUhyJpAPA=="],

It says q0hJ9scDTNNailT8qytvOjuiUhyJpAPA (part of the checksum) is a Box access token.

@notramo notramo added the bug label Dec 12, 2024
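The following is an added example, not code from the issue or from the trufflehog project, showing one way a scanner could suppress exactly the kind of match reported above: if a candidate token lies entirely inside an SRI-style `sha512-...` integrity value, it is a fragment of a checksum, not a standalone credential. The base64 alphabet used by these checksums overlaps with the character set of many API-token patterns, which is why a 32-character run inside the hash can look like a token. The sample lock line is reconstructed from the one in the report with a placeholder in place of the package version; the integrity-value regex is an assumption about the bun.lock format, and trufflehog's actual Box detector pattern is not on this page.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// sriPattern matches Subresource-Integrity style checksums as they appear in
// bun.lock: an algorithm prefix followed by base64 text (letters, digits, "+",
// "/") and optional "=" padding. The set of prefixes is an assumption.
var sriPattern = regexp.MustCompile(`sha(?:256|384|512)-[A-Za-z0-9+/]+={0,2}`)

// sampleLine is a constructed bun.lock entry modelled on the one in the issue;
// the version component is a placeholder, the sha512 value is the reported one.
const sampleLine = `"@oxlint/linux-x64-gnu": ["@oxlint/linux-x64-gnu@VERSION-PLACEHOLDER", "", { "os": "linux", "cpu": "x64" }, "sha512-e/KSj4fg5EFdK/bJLJjGRzaw2KZdYgr2mTt3k9HF9YIGl0UnBoX5h+q0hJ9scDTNNailT8qytvOjuiUhyJpAPA=="],`

// candidate is the substring the issue says was flagged as a Box token.
const candidate = "q0hJ9scDTNNailT8qytvOjuiUhyJpAPA"

// insideIntegrityHash reports whether every occurrence of candidate in line is
// contained within an SRI checksum match. It returns false when the candidate
// does not occur at all, or when any occurrence sits outside a checksum, so a
// genuine token that merely shares characters with a hash is not suppressed.
func insideIntegrityHash(line, candidate string) bool {
	if candidate == "" {
		return false
	}
	spans := sriPattern.FindAllStringIndex(line, -1)
	found := false
	start := 0
	for {
		i := strings.Index(line[start:], candidate)
		if i < 0 {
			break
		}
		found = true
		cs, ce := start+i, start+i+len(candidate)
		covered := false
		for _, s := range spans {
			// s[0]..s[1] is the byte range of one checksum match.
			if cs >= s[0] && ce <= s[1] {
				covered = true
				break
			}
		}
		if !covered {
			return false
		}
		start = ce
	}
	return found
}

func main() {
	// The reported fragment is covered by the sha512 value, so it would be
	// treated as a checksum fragment rather than a credential.
	fmt.Println(insideIntegrityHash(sampleLine, candidate)) // prints true
	// The same string as a free-standing value is not suppressed (constructed).
	fmt.Println(insideIntegrityHash(`"token": "`+candidate+`"`, candidate)) // prints false
}
```

A filter like this only removes matches that are provably part of an integrity value on the same line; it does not change what the detector considers a token, so a real credential elsewhere in the file is still reported.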