datakurre/camunda-cockpit-plugins

ECS Custom Password vulnerability when pushing to Bitbucket

CharlesIrvineKC opened this issue · 4 comments

Hi,

This might be tricky to fix. I was getting ready to deploy your plugin to our Camunda instances, but when I tried to push the plugin *.js files to my git repo, I got a bunch of security-related output and my repo refused to accept the push. See error messages below.

Any ideas on how to fix or what is being complained about?

Thanks

remote: ECS Custom Password vulnerability detected in file src/main/resources/home/camunda/camunda/server/apache-tomcat-9.0.36/webapps/camunda/app/cockpit/scripts/camunda-cockpit-ui.js (0b9d64e6bea6a4eda324b1f86643ea98c1246361) on line 18.
remote: ECS Custom Password vulnerability detected in file src/main/resources/home/camunda/camunda/server/apache-tomcat-9.0.36/webapps/camunda/app/cockpit/scripts/camunda-cockpit-ui.js (0b9d64e6bea6a4eda324b1f86643ea98c1246361) on line 40.
remote: ECS Custom Password vulnerability detected in file src/main/resources/home/camunda/camunda/server/apache-tomcat-9.0.36/webapps/camunda/app/cockpit/scripts/camunda-cockpit-ui.js (0b9d64e6bea6a4eda324b1f86643ea98c1246361) on line 72.
remote: ECS Custom Password vulnerability detected in file src/main/resources/home/camunda/camunda/server/apache-tomcat-9.0.36/webapps/camunda/app/cockpit/scripts/camunda-cockpit-ui.js (0b9d64e6bea6a4eda324b1f86643ea98c1246361) on line 80.
remote: ECS Custom Password vulnerability detected in file src/main/resources/home/camunda/camunda/server/apache-tomcat-9.0.36/webapps/camunda/app/cockpit/scripts/definition-historic-activities.js (0b9d64e6bea6a4eda324b1f86643ea98c1246361) on line 346.
remote: ECS Custom Password vulnerability detected in file src/main/resources/home/camunda/camunda/server/apache-tomcat-9.0.36/webapps/camunda/app/cockpit/scripts/definition-historic-activities.js (0b9d64e6bea6a4eda324b1f86643ea98c1246361) on line 747.
remote: ECS Custom Password vulnerability detected in file src/main/resources/home/camunda/camunda/server/apache-tomcat-9.0.36/webapps/camunda/app/cockpit/scripts/definition-historic-activities.js (0b9d64e6bea6a4eda324b1f86643ea98c1246361) on line 826.
remote: ECS Custom Password vulnerability detected in file src/main/resources/home/camunda/camunda/server/apache-tomcat-9.0.36/webapps/camunda/app/cockpit/scripts/definition-historic-activities.js (0b9d64e6bea6a4eda324b1f86643ea98c1246361) on line 827.
remote: ECS Custom Password vulnerability detected in file src/main/resources/home/camunda/camunda/server/apache-tomcat-9.0.36/webapps/camunda/app/cockpit/scripts/definition-historic-activities.js (0b9d64e6bea6a4eda324b1f86643ea98c1246361) on line 829.
remote: ECS Custom Password vulnerability detected in file src/main/resources/home/camunda/camunda/server/apache-tomcat-9.0.36/webapps/camunda/app/cockpit/scripts/definition-historic-activities.js (0b9d64e6bea6a4eda324b1f86643ea98c1246361) on line 978.
remote: ECS Custom Password vulnerability detected in file src/main/resources/home/camunda/camunda/server/apache-tomcat-9.0.36/webapps/camunda/app/cockpit/scripts/definition-historic-activities.js (0b9d64e6bea6a4eda324b1f86643ea98c1246361) on line 10209.
remote: ECS Custom Password vulnerability detected in file src/main/resources/home/camunda/camunda/server/apache-tomcat-9.0.36/webapps/camunda/app/cockpit/scripts/definition-historic-activities.js (0b9d64e6bea6a4eda324b1f86643ea98c1246361) on line 10365.
remote: ECS Custom Password vulnerability detected in file src/main/resources/home/camunda/camunda/server/apache-tomcat-9.0.36/webapps/camunda/app/cockpit/scripts/instance-historic-activities.js (0b9d64e6bea6a4eda324b1f86643ea98c1246361) on line 340.
remote: ECS Custom Password vulnerability detected in file src/main/resources/home/camunda/camunda/server/apache-tomcat-9.0.36/webapps/camunda/app/cockpit/scripts/instance-historic-activities.js (0b9d64e6bea6a4eda324b1f86643ea98c1246361) on line 6343.
remote: ECS Custom Password vulnerability detected in file src/main/resources/home/camunda/camunda/server/apache-tomcat-9.0.36/webapps/camunda/app/cockpit/scripts/instance-route-history.js (0b9d64e6bea6a4eda324b1f86643ea98c1246361) on line 377.
remote: ECS Custom Password vulnerability detected in file src/main/resources/home/camunda/camunda/server/apache-tomcat-9.0.36/webapps/camunda/app/cockpit/scripts/instance-route-history.js (0b9d64e6bea6a4eda324b1f86643ea98c1246361) on line 778.
remote: ECS Custom Password vulnerability detected in file src/main/resources/home/camunda/camunda/server/apache-tomcat-9.0.36/webapps/camunda/app/cockpit/scripts/instance-route-history.js (0b9d64e6bea6a4eda324b1f86643ea98c1246361) on line 857.
remote: ECS Custom Password vulnerability detected in file src/main/resources/home/camunda/camunda/server/apache-tomcat-9.0.36/webapps/camunda/app/cockpit/scripts/instance-route-history.js (0b9d64e6bea6a4eda324b1f86643ea98c1246361) on line 858.
remote: ECS Custom Password vulnerability detected in file src/main/resources/home/camunda/camunda/server/apache-tomcat-9.0.36/webapps/camunda/app/cockpit/scripts/instance-route-history.js (0b9d64e6bea6a4eda324b1f86643ea98c1246361) on line 860.
remote: ECS Custom Password vulnerability detected in file src/main/resources/home/camunda/camunda/server/apache-tomcat-9.0.36/webapps/camunda/app/cockpit/scripts/instance-route-history.js (0b9d64e6bea6a4eda324b1f86643ea98c1246361) on line 1009.
remote: ECS Custom Password vulnerability detected in file src/main/resources/home/camunda/camunda/server/apache-tomcat-9.0.36/webapps/camunda/app/cockpit/scripts/instance-route-history.js (0b9d64e6bea6a4eda324b1f86643ea98c1246361) on line 10119.
remote: ECS Custom Password vulnerability detected in file src/main/resources/home/camunda/camunda/server/apache-tomcat-9.0.36/webapps/camunda/app/cockpit/scripts/instance-route-history.js (0b9d64e6bea6a4eda324b1f86643ea98c1246361) on line 62525.
remote: ECS Custom Password vulnerability detected in file src/main/resources/home/camunda/camunda/server/apache-tomcat-9.0.36/webapps/camunda/app/cockpit/scripts/instance-tab-modify.js (0b9d64e6bea6a4eda324b1f86643ea98c1246361) on line 313.
remote: ECS Custom Password vulnerability detected in file src/main/resources/home/camunda/camunda/server/apache-tomcat-9.0.36/webapps/camunda/app/cockpit/scripts/tasklist-audit-log.js (0b9d64e6bea6a4eda324b1f86643ea98c1246361) on line 330.
remote: ECS Custom Password vulnerability detected in file src/main/resources/home/camunda/camunda/server/apache-tomcat-9.0.36/webapps/camunda/app/cockpit/scripts/tasklist-audit-log.js (0b9d64e6bea6a4eda324b1f86643ea98c1246361) on line 6333.
remote:
To ssh://itec-stash.fmr.com/pr172363/camunda_ami_artifacts.git
 ! [remote rejected] feature/2866-cockpit-history-plugin -> feature/2866-cockpit-history-plugin (pre-receive hook declined)
error: failed to push some refs to 'ssh://itec-stash.fmr.com/pr172363/camunda_ami_art
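A small triage helper for hook output like the above, added here as an example and not code from the issue or from the plugin: it parses the rejection lines into findings per file and pulls the flagged lines out of a local checkout so each hit can be reviewed and then either fixed or allow-listed. The regular expression is an assumption inferred from the quoted lines, and the sample output is constructed from them.

```python
import re
from collections import defaultdict

# Constructed sample of the pre-receive hook output quoted in the issue (three findings plus trailer).
HOOK_OUTPUT = """\
remote: ECS Custom Password vulnerability detected in file src/main/resources/home/camunda/camunda/server/apache-tomcat-9.0.36/webapps/camunda/app/cockpit/scripts/camunda-cockpit-ui.js (0b9d64e6bea6a4eda324b1f86643ea98c1246361) on line 18.
remote: ECS Custom Password vulnerability detected in file src/main/resources/home/camunda/camunda/server/apache-tomcat-9.0.36/webapps/camunda/app/cockpit/scripts/camunda-cockpit-ui.js (0b9d64e6bea6a4eda324b1f86643ea98c1246361) on line 40.
remote: ECS Custom Password vulnerability detected in file src/main/resources/home/camunda/camunda/server/apache-tomcat-9.0.36/webapps/camunda/app/cockpit/scripts/instance-tab-modify.js (0b9d64e6bea6a4eda324b1f86643ea98c1246361) on line 313.
remote:
 ! [remote rejected] feature/2866-cockpit-history-plugin -> feature/2866-cockpit-history-plugin (pre-receive hook declined)
"""

# Shape of one finding line, inferred from the quoted output (an assumption about the scanner's format).
FINDING_RE = re.compile(
    r"^remote: (?P<rule>.+?) detected in file (?P<path>\S+) "
    r"\((?P<commit>[0-9a-f]{40})\) on line (?P<line>\d+)\.$"
)


def parse_findings(output):
    """Map each flagged path to its sorted, de-duplicated line numbers; other lines are ignored."""
    by_file = defaultdict(set)
    for raw in output.splitlines():
        m = FINDING_RE.match(raw.strip())
        if m:
            by_file[m["path"]].add(int(m["line"]))
    return {path: sorted(lines) for path, lines in by_file.items()}


def counts_by_basename(by_file):
    """Condense the long repository paths to file names with a finding count, for a quick overview."""
    return {path.rsplit("/", 1)[-1]: len(lines) for path, lines in by_file.items()}


def flagged_excerpts(source_text, line_numbers, max_len=120):
    """Return the text of each flagged line so a reviewer can judge it; minified lines are truncated."""
    lines = source_text.splitlines()
    excerpts = {}
    for n in line_numbers:
        text = lines[n - 1] if 0 < n <= len(lines) else ""
        excerpts[n] = text[:max_len] + ("..." if len(text) > max_len else "")
    return excerpts


if __name__ == "__main__":
    findings = parse_findings(HOOK_OUTPUT)
    for name, count in counts_by_basename(findings).items():
        print(f"{name}: {count} finding(s)")
```

Feed `flagged_excerpts` the contents of each flagged bundle from your working tree to see what the scanner actually matched on before deciding whether a finding is a real secret or a false positive.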

camunda-cockpit-ui.js is from Camunda and should not be required in usual setups. It is mentioned in the README because it is required with the Docker setup mentioned in the README, due to how Docker volume mounts work.

That aside, the error sounds like a custom check, and it is impossible for me to know what it is checking and how to fix it.

I'm quite sure that the error could be fixed by pushing source files instead of the final bundles and building those bundles in CI, but I cannot help in that.

I expected that you wouldn't be able to help without significant additional information. I'll work on acquiring that, and I'll also look into the alternate deployment method that you described. Thanks.

I have a little more information. Our security scanner thinks that it sees a hardcoded user id or password. The relevant files are:

definition-historic-activities.js
instance-historic-activities.js
instance-route-history.js
instance-tab-modify.js
tasklist-audit-log.js

I'll be looking at source files today to try to find the problem.

@datakurre After further looking into things, all of the security warnings were false positives. I can fix things by whitelisting. Thanks