A security scan may warn about a plaintext AWS access key stored in the TIBCO CABI (JasperServer) resource aws.properties.
The file is usually present in the following locations:
c:\Program Files (x86)\Nimsoft\c\buildomatic\conf_source\iePro\classes\aws.properties
C:\Program Files (x86)\Nimsoft\c\buildomatic\install_resources\war\jasperserver-pro\WEB-INF\classes\aws.properties
C:\Program Files (x86)\Nimsoft\probes\service\wasp\webapps\cabijs\WEB-INF\classes\aws.properties
# Copyright (C) 2005 - 2020 TIBCO Software Inc. All rights reserved.
# http://www.jaspersoft.com.
#
# Unless you have purchased a commercial license agreement from Jaspersoft,
# the following license terms apply:
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
aws.accessKey=####################
aws.secretKey=###/##################################
aws.queuesuffix=_aws3
aws.topicsuffix=_aws3
aws.nevadoTopicName=##########
aws.nevadoQueueName=##########
aws.clientID=###########
aws.threadCount=1
Are these files vulnerable?
Can attackers use this key from these files?
DX UIM 20.4.x / DX UIM 23.4
TIBCO considers this not vulnerable
TIBCO has confirmed that the key present in the aws.properties file is a dummy key and not a real AWS access key.
Hence this security warning can be safely ignored as it does not represent a threat. The key is only an example.
Note: The files themselves, or the example keys, can be safely deleted from the paths indicated as they are not used.
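
One way to review the copies before ignoring the finding or deleting the files, as an added PowerShell example that is not part of the original article or from the vendor: it reports which of the three paths listed above exist and fingerprints the key values so the copies can be compared without displaying them. It assumes the default install root shown in the paths, and the expectation that untouched copies carry identical sample values is an assumption, not a vendor statement.

```powershell
# Added example: inventory the aws.properties copies named in this article.
# The three paths come from the article; adjust the root if UIM is installed elsewhere.
$paths = @(
    'C:\Program Files (x86)\Nimsoft\c\buildomatic\conf_source\iePro\classes\aws.properties',
    'C:\Program Files (x86)\Nimsoft\c\buildomatic\install_resources\war\jasperserver-pro\WEB-INF\classes\aws.properties',
    'C:\Program Files (x86)\Nimsoft\probes\service\wasp\webapps\cabijs\WEB-INF\classes\aws.properties'
)

function Get-ValueFingerprint([string]$Value) {
    # Truncated SHA-256 of the value, so copies can be compared without printing the key.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $bytes = [System.Text.Encoding]::UTF8.GetBytes($Value)
        return ([System.BitConverter]::ToString($sha.ComputeHash($bytes)) -replace '-', '').Substring(0, 16)
    } finally { $sha.Dispose() }
}

$report = foreach ($p in $paths) {
    if (-not (Test-Path -LiteralPath $p)) {
        [pscustomobject]@{ Path = $p; Present = $false; AccessKeyFp = $null; SecretKeyFp = $null; LastWrite = $null }
        continue
    }
    # Parse key=value lines, skipping comment lines (# or !) and blank lines.
    $props = @{}
    foreach ($line in Get-Content -LiteralPath $p) {
        if ($line -match '^\s*([^#!\s][^=:]*?)\s*[=:]\s*(.*)$') { $props[$Matches[1]] = $Matches[2].Trim() }
    }
    [pscustomobject]@{
        Path        = $p
        Present     = $true
        AccessKeyFp = if ($props['aws.accessKey']) { Get-ValueFingerprint $props['aws.accessKey'] }
        SecretKeyFp = if ($props['aws.secretKey']) { Get-ValueFingerprint $props['aws.secretKey'] }
        LastWrite   = (Get-Item -LiteralPath $p).LastWriteTime
    }
}
$report | Format-List

# Assumption (not from the vendor): untouched shipped copies carry the same sample values.
$distinct = @($report | Where-Object Present |
    ForEach-Object { "$($_.AccessKeyFp)/$($_.SecretKeyFp)" } | Sort-Object -Unique)
if ($distinct.Count -gt 1) {
    Write-Warning 'The copies differ; review the odd one out before ignoring or deleting it.'
}
```

A copy whose fingerprints or last-write time differ from the others was edited after installation and should be inspected by hand before the finding is closed.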