GENERIC_PASSWORD vulnerability Spring boot

Time:09-24

I got below message when I push on bitbucket:

Repository https://git.xx.xxx/scm/appXXXx/appxxx-xx-gateway.git
pre-receive hook declined
Push rejected due to security vulnerabilities detected by security hook.
GENERIC_PASSWORD vulnerability detected in file src/main/resources/application.yml (678a59ebfee39534b4a68e1ad01c36f3cf2f9a2b) on line 14.

The reason for this message is that the word 'password' is in the Application.xml, as per the example below:

mail:
  host: myhost.xxx.com
  port: 123
  username: ${MAIL_USERNAME}
  password: ENC(${MAIL_PASSWORD})

Do you guys have an idea how to overcome this?

Your help is greatly appreciated. Thank you.

CodePudding user response:

The error is coming from some commit policy set up at the Bitbucket level. You need to ask your repository's maintainers about this. A temporary fix can be to change the name of the property in your yml file and then create a configuration bean that reads the props and then initializes your JavaMailSender.

Note: If MAIL_USERNAME and MAIL_PASSWORD are passed as command line arguments and the jar is started using a script on the server, then you do not have as much of a vulnerability as the commit reject message implies. You are also encrypting the password here.
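
One way to implement the property rename and configuration bean this answer suggests. This is an added example, not code from the original post or from the project; the package name, the `app.mail` prefix, the `user`/`secret` key names and the class names are assumptions. The secret is still supplied by the environment at runtime; only the key name that the hook matched on changes.

```java
// Assumed application.yml (constructed for this example) - no key is literally
// named "password", so a pattern-based pre-receive hook has nothing to match:
//
//   app:
//     mail:
//       host: myhost.xxx.com
//       port: 123
//       user: ${MAIL_USERNAME}
//       secret: ${MAIL_PASSWORD}
//
// If jasypt is in use, the value may stay wrapped as ENC(...): jasypt decrypts
// by value prefix/suffix, not by key name, so the rename does not affect it.

package com.example.mail; // hypothetical package

import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.mail.javamail.JavaMailSender;
import org.springframework.mail.javamail.JavaMailSenderImpl;

// Binds the renamed keys under "app.mail" to plain fields.
@ConfigurationProperties(prefix = "app.mail")
class MailSettings {
    private String host;
    private int port;
    private String user;
    private String secret; // deliberately not named "password"

    // Getters and setters are required for relaxed property binding.
    public String getHost() { return host; }
    public void setHost(String host) { this.host = host; }
    public int getPort() { return port; }
    public void setPort(int port) { this.port = port; }
    public String getUser() { return user; }
    public void setUser(String user) { this.user = user; }
    public String getSecret() { return secret; }
    public void setSecret(String secret) { this.secret = secret; }
}

@Configuration
@EnableConfigurationProperties(MailSettings.class)
class MailConfig {

    // Builds the JavaMailSender from the bound settings instead of relying on
    // Spring Boot's default spring.mail.* auto-configuration.
    @Bean
    JavaMailSender javaMailSender(MailSettings settings) {
        // Fail fast at startup if the environment variable was never set, so a
        // missing secret surfaces in the deploy log rather than at first send.
        if (settings.getSecret() == null || settings.getSecret().isBlank()) {
            throw new IllegalStateException("mail secret is not configured (MAIL_PASSWORD unset?)");
        }
        JavaMailSenderImpl sender = new JavaMailSenderImpl();
        sender.setHost(settings.getHost());
        sender.setPort(settings.getPort());
        sender.setUsername(settings.getUser());
        sender.setPassword(settings.getSecret());
        return sender;
    }
}
```

The hook inspects the committed text, so what matters to it is the key name; the secret itself never enters the repository either way. Renaming the key is a workaround for the scanner, not a change in the actual exposure, so it is still worth asking the maintainers whether the hook can treat `${...}` placeholders as non-secrets.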

CodePudding user response:

A lot of people have been adding “gates” and “checks” to automate quality. It’s all a “process over people” thing … luckily as a “team_leader” on the project you can bypass all that (use it, don’t abuse it).

The check is per “push”, so you can disable it, push and re-enable it. In this case having a password coming from the shell’s environment and being injected in the spring configuration is not that offensive.


1. Repository settings
2. Hooks
3. Reject Vulnerable Commits

Disable it, push, re-enable it
