I got the message below when I push to Bitbucket:
Repository https://git.xx.xxx/scm/appXXXx/appxxx-xx-gateway.git
pre-receive hook declined
Push rejected due to security vulnerabilities detected by security hook.
GENERIC_PASSWORD vulnerability detected in file src/main/resources/application.yml (678a59ebfee39534b4a68e1ad01c36f3cf2f9a2b) on line 14.
The reason for this message is that the word 'password' is in the Application.xml, as in the example below:
mail:
  host: myhost.xxx.com
  port: 123
  username: ${MAIL_USERNAME}
  password: ENC(${MAIL_PASSWORD})
Do you guys have an idea how to overcome this?
Your help is greatly appreciated. Thank you.
A lot of people have been adding “gates” and “checks” to automate quality. It’s all a “process over people” thing … luckily as a “team_leader” on the project you can bypass all that (use it, don’t abuse it).
The check is per "push", so you can disable it, push, and re-enable it. In this case, having a password come from the shell's environment and be injected into the Spring configuration is not that offensive.
1. Repository settings
2. Hooks
3. Reject Vulnerable Commits
Disable it, push, re-enable it
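As an added example, not code from the question or the answer: a small Python check that does what a better-tuned gate would do for the snippet in the question, flagging a sensitive-looking key only when its value is a hard-coded literal rather than a `${...}` placeholder (optionally wrapped in a Jasypt-style `ENC(...)` marker). The sample YAML and the key and placeholder patterns are constructed assumptions, not the hook's actual rules.

```python
import re

# Constructed sample: the application.yml fragment from the question, plus a
# second block with hard-coded values so both outcomes can be compared.
SAMPLE_YAML = """\
mail:
  host: myhost.xxx.com
  port: 123
  username: ${MAIL_USERNAME}
  password: ENC(${MAIL_PASSWORD})
legacy:
  password: "hunter2"
  token: ${API_TOKEN:changeme}
"""

# Keys whose values deserve a look (assumed, in the spirit of a GENERIC_PASSWORD rule).
SENSITIVE_KEY = re.compile(
    r"^\s*(?P<key>[\w.-]*(?:password|passwd|secret|token)[\w.-]*)\s*:\s*(?P<value>.*?)\s*$",
    re.IGNORECASE,
)
# A Spring-style property placeholder, optionally wrapped in ENC(...). An inline
# default (${VAR:value}) is captured so that a non-empty default counts as a literal.
PLACEHOLDER = re.compile(
    r"^(?:ENC\()?\$\{(?P<name>[A-Za-z_][A-Za-z0-9_]*)(?::(?P<default>[^}]*))?\}\)?$"
)


def classify_value(raw: str) -> str:
    """Return 'empty', 'placeholder' or 'literal' for one YAML scalar value."""
    value = raw.strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        value = value[1:-1]  # drop surrounding quotes
    if not value:
        return "empty"
    m = PLACEHOLDER.match(value)
    if m and not m.group("default"):
        return "placeholder"  # resolved from the environment at runtime, no secret in git
    return "literal"


def scan_yaml(text: str) -> list:
    """List (line_no, key, classification) for every sensitive-looking key."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # comment line
        m = SENSITIVE_KEY.match(line)
        if m:
            findings.append((line_no, m.group("key"), classify_value(m.group("value"))))
    return findings


def offending_lines(text: str) -> list:
    """Only the findings a push gate should reject: hard-coded literal values."""
    return [f for f in scan_yaml(text) if f[2] == "literal"]
```

Run against the sample, line 5 (the question's `ENC(${MAIL_PASSWORD})`) is classified as a placeholder and passes, while lines 7 and 8 are the ones that would be rejected.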