Hello,

I have verified the reported code locations for cloudkitty: they are all random strings used in unit tests. This report is invalid.

Regards,
Pierre Riteau (priteau)

On Tue, 13 Aug 2024 at 14:54, <jiawei_zhou@seu.edu.cn> wrote:

Dear developers of the project (cloudkitty),

We are software security researchers, currently conducting research on secret detection and leakage risk within the open-source ecosystem.

In our analysis, we identified potential secret leakage risks in your project, cloudkitty.

We provide the detail of our findings in the attachment, which allows you to locate the potential leaked secrets. Below is an interpretation of the attached data:

{   'file': '',            # The file containing the secret
                           # The project name, version or commit_hash may be reflected in the file path
    'line_start': 1,       # location: Start line of the secret
    'line_end': 28,        # location: End line of the secret
    'col_start': 1,        # location: Start column of the secret
    'col_end': 1,          # location: End column of the secret
    'index_start': 0,      # location: Start index of the secret
    'index_end': 1675,     # location: End index of the secret
}


Declaration: we hereby declare that we have *NOT* conducted any verification test or exploit on the identified secrets. We plan to publish related research papers in the future, and the relevant content MIGHT BE ACCESSIBLE TO THE PUBLIC due to the 90-day disclosure policy.

Some advice:

1. If the leaked secret is sensitive and still valid, invalidate and rotate the secret immediately.
2. Some secrets seem to be used only in a testing environment. Although probably harmless, it is considered bad practice to include secrets for the test environment in release builds.

Best regards,
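As an added example (not part of either message above, and not cloudkitty's own code), the following Python triage helper consumes a finding in the record format the report describes. It extracts the flagged span twice, once from the index fields and once from the line/column fields, so the two encodings can be cross-checked, and then applies the two questions Pierre's verification answers: is the path a test module, and does the string look like a random fixture? The file contents, the path, and the convention that indices are 0-based half-open offsets while lines and columns are 1-based with an exclusive end column are constructed assumptions, since the report does not state them.

```python
"""Triage helper for findings in the record format quoted in the report.

Assumptions (not stated in the report): 'index_start'/'index_end' are 0-based,
half-open offsets into the file contents; 'line_*' and 'col_*' are 1-based, with
'col_end' exclusive. Adjust if the attachment's conventions differ.
"""
import math
from collections import Counter
from pathlib import PurePosixPath

# Constructed stand-in for a unit-test module; not cloudkitty's actual code.
SAMPLE_FILE = (
    "import unittest\n"
    "\n"
    "FAKE_TOKEN = 'a1b2c3d4e5f60718293a4b5c6d7e8f90'  # constructed placeholder\n"
    "\n"
    "class TestAuth(unittest.TestCase):\n"
    "    pass\n"
)

# Constructed finding record pointing at the literal above (hypothetical path).
SAMPLE_FINDING = {
    'file': 'cloudkitty/tests/test_auth.py',
    'line_start': 3,
    'line_end': 3,
    'col_start': 15,
    'col_end': 47,
    'index_start': 31,
    'index_end': 63,
}

TEST_DIR_NAMES = {'test', 'tests', 'unit', 'functional', 'fixtures'}


def span_by_index(contents, finding):
    """Return the flagged text using the character-offset fields."""
    return contents[finding['index_start']:finding['index_end']]


def span_by_lines(contents, finding):
    """Return the flagged text using the line/column fields (1-based)."""
    lines = contents.splitlines(keepends=True)
    first, last = finding['line_start'] - 1, finding['line_end'] - 1
    if first == last:
        return lines[first][finding['col_start'] - 1:finding['col_end'] - 1]
    head = lines[first][finding['col_start'] - 1:]
    middle = ''.join(lines[first + 1:last])
    tail = lines[last][:finding['col_end'] - 1]
    return head + middle + tail


def is_test_path(path):
    """True when a directory component or the file name marks a test module."""
    p = PurePosixPath(path)
    if any(part.lower() in TEST_DIR_NAMES for part in p.parts[:-1]):
        return True
    return p.name.startswith('test_') or p.stem.endswith('_test')


def shannon_entropy(text):
    """Bits of entropy per character; random tokens score high, words score low."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def triage(contents, finding):
    """Cross-check the two location encodings and classify the finding."""
    by_index = span_by_index(contents, finding)
    by_lines = span_by_lines(contents, finding)
    consistent = by_index == by_lines
    in_tests = is_test_path(finding['file'])
    entropy = shannon_entropy(by_index)
    if not consistent:
        verdict = 'location fields disagree; re-check the report'
    elif in_tests:
        verdict = 'test fixture; confirm it is not a live credential'
    else:
        verdict = 'in shipped code; rotate if valid'
    return {
        'secret': by_index,
        'consistent': consistent,
        'in_test_path': in_tests,
        'entropy': entropy,
        'verdict': verdict,
    }


if __name__ == '__main__':
    for key, value in triage(SAMPLE_FILE, SAMPLE_FINDING).items():
        print(f'{key}: {value}')
```

Run it against a real checkout by reading the file named in the record and passing its contents with the record; a mismatch between the two extractions usually means the attachment uses a different index or column convention than assumed here, and the verdict for a test path is a prompt to confirm the fixture is not a live credential, not a conclusion on its own.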