From 1fcff0a807ae847e87f24de0b6e05bda579655cc Mon Sep 17 00:00:00 2001 From: Sahil Silare Date: Tue, 15 Oct 2024 23:38:11 +0530 Subject: [PATCH 1/6] [detector] feat: added rootly detector --- pkg/detectors/rootly/rootly.go | 77 +++++++++++ .../rootly/rootly_integration_test.go | 120 ++++++++++++++++++ pkg/detectors/rootly/rootly_test.go | 86 +++++++++++++ pkg/engine/defaults.go | 2 + pkg/pb/detectorspb/detectors.pb.go | 16 ++- proto/detectors.proto | 1 + 6 files changed, 296 insertions(+), 6 deletions(-) create mode 100644 pkg/detectors/rootly/rootly.go create mode 100644 pkg/detectors/rootly/rootly_integration_test.go create mode 100644 pkg/detectors/rootly/rootly_test.go diff --git a/pkg/detectors/rootly/rootly.go b/pkg/detectors/rootly/rootly.go new file mode 100644 index 000000000000..7244ea27f4ce --- /dev/null +++ b/pkg/detectors/rootly/rootly.go @@ -0,0 +1,77 @@ +package rootly + +import ( + "context" + "net/http" + "strings" + + regexp "github.com/wasilibs/go-re2" + + "github.com/trufflesecurity/trufflehog/v3/pkg/common" + "github.com/trufflesecurity/trufflehog/v3/pkg/detectors" + "github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb" +) + +type Scanner struct{} + +// Ensure the Scanner satisfies the interface at compile time. +var _ detectors.Detector = (*Scanner)(nil) + +var ( + client = common.SaneHttpClient() + + // Make sure that your group is surrounded in boundary characters such as below to reduce false positives. + keyPat = regexp.MustCompile(`\brootly_[a-f0-9]{64}\b`) +) + +// Keywords are used for efficiently pre-filtering chunks. +// Use identifiers in the secret preferably, or the provider name. +func (s Scanner) Keywords() []string { + return []string{"rootly"} +} + +// FromData will find and optionally verify Rootly secrets in a given set of bytes. +func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (results []detectors.Result, err error) { + dataStr := string(data) + + matches := keyPat.FindAllStringSubmatch(dataStr, -1) + + for _, match := range matches { + if len(match) != 1 { + continue + } + resMatch := strings.TrimSpace(match[0]) + + s1 := detectors.Result{ + DetectorType: detectorspb.DetectorType_Rootly, + Raw: []byte(resMatch), + } + + if verify { + req, err := http.NewRequestWithContext(ctx, "GET", "https://api.rootly.com/v1/users/me", nil) + if err != nil { + continue + } + req.Header.Add("Authorization", "Bearer "+resMatch) + res, err := client.Do(req) + if err == nil { + defer res.Body.Close() + if res.StatusCode >= 200 && res.StatusCode < 300 { + s1.Verified = true + } + } + } + + results = append(results, s1) + } + + return results, nil +} + +func (s Scanner) Type() detectorspb.DetectorType { + return detectorspb.DetectorType_Rootly +} + +func (s Scanner) Description() string { + return "Rootly is an incident management platform. Rootly API keys can be used to access and manage incident data and other services." +} diff --git a/pkg/detectors/rootly/rootly_integration_test.go b/pkg/detectors/rootly/rootly_integration_test.go new file mode 100644 index 000000000000..3bf76852fbe3 --- /dev/null +++ b/pkg/detectors/rootly/rootly_integration_test.go @@ -0,0 +1,120 @@ +//go:build detectors +// +build detectors + +package rootly + +import ( + "context" + "fmt" + "testing" + "time" + + "github.com/kylelemons/godebug/pretty" + + "github.com/trufflesecurity/trufflehog/v3/pkg/common" + "github.com/trufflesecurity/trufflehog/v3/pkg/detectors" + "github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb" +) + +func TestRootly_FromChunk(t *testing.T) { + ctx, cancel := context.WithTimeout(context.Background(), time.Second*5) + defer cancel() + testSecrets, err := common.GetSecret(ctx, "trufflehog-testing", "detectors1") + if err != nil { + t.Fatalf("could not get test secrets from GCP: %s", err) + } + secret := testSecrets.MustGetField("ROOTLY") + inactiveSecret := testSecrets.MustGetField("ROOTLY_INACTIVE") + + type args struct { + ctx context.Context + data []byte + verify bool + } + tests := []struct { + name string + s Scanner + args args + want []detectors.Result + wantErr bool + }{ + { + name: "found, verified", + s: Scanner{}, + args: args{ + ctx: context.Background(), + data: []byte(fmt.Sprintf("You can find a rootly secret %s within", secret)), + verify: true, + }, + want: []detectors.Result{ + { + DetectorType: detectorspb.DetectorType_Rootly, + Verified: true, + }, + }, + wantErr: false, + }, + { + name: "found, unverified", + s: Scanner{}, + args: args{ + ctx: context.Background(), + data: []byte(fmt.Sprintf("You can find a rootly secret %s within but not valid", inactiveSecret)), // the secret would satisfy the regex but not pass validation + verify: true, + }, + want: []detectors.Result{ + { + DetectorType: detectorspb.DetectorType_Rootly, + Verified: false, + }, + }, + wantErr: false, + }, + { + name: "not found", + s: Scanner{}, + args: args{ + ctx: context.Background(), + data: []byte("You cannot find the secret within"), + verify: true, + }, + want: nil, + wantErr: false, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + s := Scanner{} + got, err := s.FromData(tt.args.ctx, tt.args.verify, tt.args.data) + if (err != nil) != tt.wantErr { + t.Errorf("Rootly.FromData() error = %v, wantErr %v", err, tt.wantErr) + return + } + for i := range got { + if len(got[i].Raw) == 0 { + t.Fatalf("no raw secret present: \n %+v", got[i]) + } + got[i].Raw = nil + } + if diff := pretty.Compare(got, tt.want); diff != "" { + t.Errorf("Rootly.FromData() %s diff: (-got +want)\n%s", tt.name, diff) + } + }) + } +} + +func BenchmarkFromData(benchmark *testing.B) { + ctx := context.Background() + s := Scanner{} + for name, data := range detectors.MustGetBenchmarkData() { + benchmark.Run(name, func(b *testing.B) { + b.ResetTimer() + for n := 0; n < b.N; n++ { + _, err := s.FromData(ctx, false, data) + if err != nil { + b.Fatal(err) + } + } + }) + } +} diff --git a/pkg/detectors/rootly/rootly_test.go b/pkg/detectors/rootly/rootly_test.go new file mode 100644 index 000000000000..04fded66e348 --- /dev/null +++ b/pkg/detectors/rootly/rootly_test.go @@ -0,0 +1,86 @@ +package rootly + +import ( + "context" + "fmt" + "testing" + + "github.com/google/go-cmp/cmp" + + "github.com/trufflesecurity/trufflehog/v3/pkg/detectors" + "github.com/trufflesecurity/trufflehog/v3/pkg/engine/ahocorasick" +) + +var ( + validPattern = "rootly_a3b9f8c1e2d4f5b6c7d8e9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9" + invalidPattern = "rootly_A$3b9f8c1e2d4f5b6c7d8e9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d" +) + +func TestRootly_Pattern(t *testing.T) { + d := Scanner{} + ahoCorasickCore := ahocorasick.NewAhoCorasickCore([]detectors.Detector{d}) + + tests := []struct { + name string + input string + want []string + }{ + { + name: "valid pattern", + input: fmt.Sprintf("rootly: '%s'", validPattern), + want: []string{validPattern}, + }, + { + name: "valid pattern - key out of prefix range", + input: fmt.Sprintf("rootly keyword is not close to the real key in the data\n = '%s'", validPattern), + want: []string{validPattern}, + }, + { + name: "invalid pattern", + input: fmt.Sprintf("rootly: '%s'", invalidPattern), + want: nil, + }, + } + + for _, test := range tests { + t.Run(test.name, func(t *testing.T) { + matchedDetectors := ahoCorasickCore.FindDetectorMatches([]byte(test.input)) + if len(matchedDetectors) == 0 { + t.Errorf("keywords '%v' not matched by: %s", d.Keywords(), test.input) + return + } + + results, err := d.FromData(context.Background(), false, []byte(test.input)) + if err != nil { + t.Errorf("error = %v", err) + return + } + + if len(results) != len(test.want) { + if len(results) == 0 { + t.Errorf("did not receive result") + } else { + t.Errorf("expected %d results, only received %d", len(test.want), len(results)) + } + return + } + + actual := make(map[string]struct{}, len(results)) + for _, r := range results { + if len(r.RawV2) > 0 { + actual[string(r.RawV2)] = struct{}{} + } else { + actual[string(r.Raw)] = struct{}{} + } + } + expected := make(map[string]struct{}, len(test.want)) + for _, v := range test.want { + expected[v] = struct{}{} + } + + if diff := cmp.Diff(expected, actual); diff != "" { + t.Errorf("%s diff: (-want +got)\n%s", test.name, diff) + } + }) + } +} diff --git a/pkg/engine/defaults.go b/pkg/engine/defaults.go index 96604628c3b5..fea4c0f4b618 100644 --- a/pkg/engine/defaults.go +++ b/pkg/engine/defaults.go @@ -587,6 +587,7 @@ import ( "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/rocketreach" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/rockset" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/roninapp" + "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/rootly" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/route4me" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/rownd" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/rubygems" @@ -1642,6 +1643,7 @@ func DefaultDetectors() []detectors.Detector { meraki.Scanner{}, saladcloudapikey.Scanner{}, boxoauth.Scanner{}, + rootly.Scanner{}, } // Automatically initialize all detectors that implement diff --git a/pkg/pb/detectorspb/detectors.pb.go b/pkg/pb/detectorspb/detectors.pb.go index fabebd5dbf29..f54844773175 100644 --- a/pkg/pb/detectorspb/detectors.pb.go +++ b/pkg/pb/detectorspb/detectors.pb.go @@ -1105,6 +1105,7 @@ const ( DetectorType_SaladCloudApiKey DetectorType = 1001 DetectorType_Box DetectorType = 1002 DetectorType_BoxOauth DetectorType = 1003 + DetectorType_Rootly DetectorType = 1004 ) // Enum value maps for DetectorType. @@ -2110,6 +2111,7 @@ var ( 1001: "SaladCloudApiKey", 1002: "Box", 1003: "BoxOauth", + 1004: "Rootly", } DetectorType_value = map[string]int32{ "Alibaba": 0, @@ -3112,6 +3114,7 @@ var ( "SaladCloudApiKey": 1001, "Box": 1002, "BoxOauth": 1003, + "Rootly": 1004, } ) @@ -3565,7 +3568,7 @@ var file_detectors_proto_rawDesc = []byte{ 0x4c, 0x41, 0x49, 0x4e, 0x10, 0x01, 0x12, 0x0a, 0x0a, 0x06, 0x42, 0x41, 0x53, 0x45, 0x36, 0x34, 0x10, 0x02, 0x12, 0x09, 0x0a, 0x05, 0x55, 0x54, 0x46, 0x31, 0x36, 0x10, 0x03, 0x12, 0x13, 0x0a, 0x0f, 0x45, 0x53, 0x43, 0x41, 0x50, 0x45, 0x44, 0x5f, 0x55, 0x4e, 0x49, 0x43, 0x4f, 0x44, 0x45, - 0x10, 0x04, 0x2a, 0x93, 0x80, 0x01, 0x0a, 0x0c, 0x44, 0x65, 0x74, 0x65, 0x63, 0x74, 0x6f, 0x72, + 0x10, 0x04, 0x2a, 0xa0, 0x80, 0x01, 0x0a, 0x0c, 0x44, 0x65, 0x74, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x54, 0x79, 0x70, 0x65, 0x12, 0x0b, 0x0a, 0x07, 0x41, 0x6c, 0x69, 0x62, 0x61, 0x62, 0x61, 0x10, 0x00, 0x12, 0x08, 0x0a, 0x04, 0x41, 0x4d, 0x51, 0x50, 0x10, 0x01, 0x12, 0x07, 0x0a, 0x03, 0x41, 0x57, 0x53, 0x10, 0x02, 0x12, 0x09, 0x0a, 0x05, 0x41, 0x7a, 0x75, 0x72, 0x65, 0x10, 0x03, 0x12, @@ -4590,11 +4593,12 @@ var file_detectors_proto_rawDesc = []byte{ 0x4d, 0x65, 0x72, 0x61, 0x6b, 0x69, 0x10, 0xe8, 0x07, 0x12, 0x15, 0x0a, 0x10, 0x53, 0x61, 0x6c, 0x61, 0x64, 0x43, 0x6c, 0x6f, 0x75, 0x64, 0x41, 0x70, 0x69, 0x4b, 0x65, 0x79, 0x10, 0xe9, 0x07, 0x12, 0x08, 0x0a, 0x03, 0x42, 0x6f, 0x78, 0x10, 0xea, 0x07, 0x12, 0x0d, 0x0a, 0x08, 0x42, 0x6f, - 0x78, 0x4f, 0x61, 0x75, 0x74, 0x68, 0x10, 0xeb, 0x07, 0x42, 0x3d, 0x5a, 0x3b, 0x67, 0x69, 0x74, - 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x74, 0x72, 0x75, 0x66, 0x66, 0x6c, 0x65, 0x73, - 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2f, 0x74, 0x72, 0x75, 0x66, 0x66, 0x6c, 0x65, 0x68, - 0x6f, 0x67, 0x2f, 0x76, 0x33, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x70, 0x62, 0x2f, 0x64, 0x65, 0x74, - 0x65, 0x63, 0x74, 0x6f, 0x72, 0x73, 0x70, 0x62, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x78, 0x4f, 0x61, 0x75, 0x74, 0x68, 0x10, 0xeb, 0x07, 0x12, 0x0b, 0x0a, 0x06, 0x52, 0x6f, 0x6f, + 0x74, 0x6c, 0x79, 0x10, 0xec, 0x07, 0x42, 0x3d, 0x5a, 0x3b, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, + 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x74, 0x72, 0x75, 0x66, 0x66, 0x6c, 0x65, 0x73, 0x65, 0x63, 0x75, + 0x72, 0x69, 0x74, 0x79, 0x2f, 0x74, 0x72, 0x75, 0x66, 0x66, 0x6c, 0x65, 0x68, 0x6f, 0x67, 0x2f, + 0x76, 0x33, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x70, 0x62, 0x2f, 0x64, 0x65, 0x74, 0x65, 0x63, 0x74, + 0x6f, 0x72, 0x73, 0x70, 0x62, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( diff --git a/proto/detectors.proto b/proto/detectors.proto index 6f220b09d153..de8aaf8ee6d9 100644 --- a/proto/detectors.proto +++ b/proto/detectors.proto @@ -1013,6 +1013,7 @@ enum DetectorType { SaladCloudApiKey = 1001; Box = 1002; BoxOauth = 1003; + Rootly = 1004; } message Result { From 12686705a8dcfb587557a6b6a119e7b9ae9e0bb1 Mon Sep 17 00:00:00 2001 From: Sahil Silare Date: Wed, 16 Oct 2024 01:40:43 +0530 Subject: [PATCH 2/6] feat: throws error when directory is not found --- pkg/sources/git/git.go | 14 ++++++++++---- pkg/sources/source_manager.go | 2 ++ 2 files changed, 12 insertions(+), 4 deletions(-) diff --git a/pkg/sources/git/git.go b/pkg/sources/git/git.go index c18c93879a9c..03418892ba7d 100644 --- a/pkg/sources/git/git.go +++ b/pkg/sources/git/git.go @@ -314,8 +314,8 @@ func (s *Source) scanDirs(ctx context.Context, reporter sources.ChunkReporter) e continue } if err := s.scanDir(ctx, gitDir, reporter); err != nil { - ctx.Logger().Info("error scanning repository", "repo", gitDir, "error", err) - continue + ctx.Logger().Error(err, "error scanning repository", "repo", gitDir, "error", err) + return err // Return the error instead of continuing } } return nil @@ -327,10 +327,16 @@ func (s *Source) scanDir(ctx context.Context, gitDir string, reporter sources.Ch // TODO: Figure out why we skip directories ending in "git". return nil } + + // Check if the directory exists + if _, err := os.Stat(gitDir); os.IsNotExist(err) { + return fmt.Errorf("directory does not exist: %s", gitDir) + } + // try paths instead of url repo, err := RepoFromPath(gitDir, s.scanOptions.Bare) if err != nil { - return reporter.ChunkErr(ctx, err) + return fmt.Errorf("error opening repo from path: %w", err) } err = func() error { @@ -341,7 +347,7 @@ func (s *Source) scanDir(ctx context.Context, gitDir string, reporter sources.Ch return s.git.ScanRepo(ctx, repo, gitDir, s.scanOptions, reporter) }() if err != nil { - return reporter.ChunkErr(ctx, err) + return err } return nil } diff --git a/pkg/sources/source_manager.go b/pkg/sources/source_manager.go index d3ba4a711952..11f1b621951d 100644 --- a/pkg/sources/source_manager.go +++ b/pkg/sources/source_manager.go @@ -309,6 +309,8 @@ func (s *SourceManager) runWithoutUnits(ctx context.Context, source Source, repo defer wg.Wait() defer close(ch) if err := source.Chunks(ctx, ch, targets...); err != nil { + // Log the error + ctx.Logger().Error(err, "Error scanning chunks", "error", err) report.ReportError(Fatal{err}) return Fatal{err} } From 541ad60557454fe0570c7f783c2aa11b97b02465 Mon Sep 17 00:00:00 2001 From: Sahil Silare Date: Wed, 16 Oct 2024 10:53:03 +0530 Subject: [PATCH 3/6] [detector] feat: added one password detector --- pkg/detectors/onepassword/onepassword.go | 71 ++++++++++ .../onepassword_integration_test.go | 127 ++++++++++++++++++ pkg/detectors/onepassword/onepassword_test.go | 82 +++++++++++ pkg/engine/defaults.go | 2 + pkg/pb/detectorspb/detectors.pb.go | 16 ++- proto/detectors.proto | 1 + 6 files changed, 293 insertions(+), 6 deletions(-) create mode 100644 pkg/detectors/onepassword/onepassword.go create mode 100644 pkg/detectors/onepassword/onepassword_integration_test.go create mode 100644 pkg/detectors/onepassword/onepassword_test.go diff --git a/pkg/detectors/onepassword/onepassword.go b/pkg/detectors/onepassword/onepassword.go new file mode 100644 index 000000000000..66cfe44fb314 --- /dev/null +++ b/pkg/detectors/onepassword/onepassword.go @@ -0,0 +1,71 @@ +package onepassword + +import ( + "context" + "encoding/base64" + + regexp "github.com/wasilibs/go-re2" + + "github.com/trufflesecurity/trufflehog/v3/pkg/detectors" + "github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb" +) + +type Scanner struct{} + +// Ensure the Scanner satisfies the interface at compile time. +var _ detectors.Detector = (*Scanner)(nil) + +var ( + // Pattern to match "ops_" followed by a base64 encoded string + keyPat = regexp.MustCompile(`\bops_([A-Za-z0-9+/]{100,}=*)`) +) + +// Keywords are used for efficiently pre-filtering chunks. +func (s Scanner) Keywords() []string { + return []string{"ops_"} +} + +// FromData will find and optionally verify OnePassword Service Account tokens in a given set of bytes. +func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (results []detectors.Result, err error) { + dataStr := string(data) + + matches := keyPat.FindAllStringSubmatch(dataStr, -1) + + for _, match := range matches { + if len(match) != 2 { + continue + } + + token := match[0] + + s1 := detectors.Result{ + DetectorType: detectorspb.DetectorType_OnePassword, + Raw: []byte(token), + } + + if verify { + s1.Verified = verifyToken(token) + } + + results = append(results, s1) + } + + return results, nil +} + +func verifyToken(token string) bool { + // Remove the "ops_" prefix + encodedJWT := token[4:] + + _, err := base64.StdEncoding.DecodeString(encodedJWT) + + return err == nil +} + +func (s Scanner) Type() detectorspb.DetectorType { + return detectorspb.DetectorType_OnePassword +} + +func (s Scanner) Description() string { + return "OnePassword Service Account tokens are used to read/write secrets for an entire 1Password account, often in CI/CD environments." +} diff --git a/pkg/detectors/onepassword/onepassword_integration_test.go b/pkg/detectors/onepassword/onepassword_integration_test.go new file mode 100644 index 000000000000..ec669311b18b --- /dev/null +++ b/pkg/detectors/onepassword/onepassword_integration_test.go @@ -0,0 +1,127 @@ +//go:build detectors +// +build detectors + +package onepassword + +import ( + "context" + "fmt" + "testing" + "time" + + "github.com/google/go-cmp/cmp" + "github.com/google/go-cmp/cmp/cmpopts" + + "github.com/trufflesecurity/trufflehog/v3/pkg/common" + "github.com/trufflesecurity/trufflehog/v3/pkg/detectors" + "github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb" +) + +func TestOnePassword_FromChunk(t *testing.T) { + ctx, cancel := context.WithTimeout(context.Background(), time.Second*5) + defer cancel() + testSecrets, err := common.GetSecret(ctx, "trufflehog-testing", "detectors5") + if err != nil { + t.Fatalf("could not get test secrets from GCP: %s", err) + } + secret := testSecrets.MustGetField("ONEPASSWORD") + inactiveSecret := testSecrets.MustGetField("ONEPASSWORD_INACTIVE") + + type args struct { + ctx context.Context + data []byte + verify bool + } + tests := []struct { + name string + s Scanner + args args + want []detectors.Result + wantErr bool + wantVerificationErr bool + }{ + { + name: "found, verified", + s: Scanner{}, + args: args{ + ctx: context.Background(), + data: []byte(fmt.Sprintf("You can find a onepassword secret %s within", secret)), + verify: true, + }, + want: []detectors.Result{ + { + DetectorType: detectorspb.DetectorType_OnePassword, + Verified: true, + }, + }, + wantErr: false, + wantVerificationErr: false, + }, + { + name: "found, unverified", + s: Scanner{}, + args: args{ + ctx: context.Background(), + data: []byte(fmt.Sprintf("You can find a onepassword secret %s within but not valid", inactiveSecret)), + verify: true, + }, + want: []detectors.Result{ + { + DetectorType: detectorspb.DetectorType_OnePassword, + Verified: false, + }, + }, + wantErr: false, + wantVerificationErr: false, + }, + { + name: "not found", + s: Scanner{}, + args: args{ + ctx: context.Background(), + data: []byte("You cannot find the secret within"), + verify: true, + }, + want: nil, + wantErr: false, + wantVerificationErr: false, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + got, err := tt.s.FromData(tt.args.ctx, tt.args.verify, tt.args.data) + if (err != nil) != tt.wantErr { + t.Errorf("OnePassword.FromData() error = %v, wantErr %v", err, tt.wantErr) + return + } + for i := range got { + if len(got[i].Raw) == 0 { + t.Fatalf("no raw secret present: \n %+v", got[i]) + } + if (got[i].VerificationError() != nil) != tt.wantVerificationErr { + t.Fatalf("wantVerificationError = %v, verification error = %v", tt.wantVerificationErr, got[i].VerificationError()) + } + } + ignoreOpts := cmpopts.IgnoreFields(detectors.Result{}, "Raw", "verificationError") + if diff := cmp.Diff(got, tt.want, ignoreOpts); diff != "" { + t.Errorf("OnePassword.FromData() %s diff: (-got +want)\n%s", tt.name, diff) + } + }) + } +} + +func BenchmarkFromData(benchmark *testing.B) { + ctx := context.Background() + s := Scanner{} + for name, data := range detectors.MustGetBenchmarkData() { + benchmark.Run(name, func(b *testing.B) { + b.ResetTimer() + for n := 0; n < b.N; n++ { + _, err := s.FromData(ctx, false, data) + if err != nil { + b.Fatal(err) + } + } + }) + } +} diff --git a/pkg/detectors/onepassword/onepassword_test.go b/pkg/detectors/onepassword/onepassword_test.go new file mode 100644 index 000000000000..540fb9bd810e --- /dev/null +++ b/pkg/detectors/onepassword/onepassword_test.go @@ -0,0 +1,82 @@ +package onepassword + +import ( + "context" + "testing" + + "github.com/google/go-cmp/cmp" + "github.com/trufflesecurity/trufflehog/v3/pkg/detectors" + "github.com/trufflesecurity/trufflehog/v3/pkg/engine/ahocorasick" +) + +func TestOnePassword_Pattern(t *testing.T) { + d := Scanner{} + ahoCorasickCore := ahocorasick.NewAhoCorasickCore([]detectors.Detector{d}) + tests := []struct { + name string + input string + want []string + }{ + { + name: "typical pattern", + input: "ops_eyJlbWFpbCI6ImVqd2U2NHFtbHhocmlAMXBhc3N3b3Jkc2VydmljZWFjY291bnRzLmxjbCIsIm11ayI6eyJhbGciOiJBMjU2R0NNIiwiZXh0Ijp0cnVlLCJrIjoiTThWUGZJYzhWRWZUaGNNWExhS0NLRjhzTWg1Sk1ac1BBdHU5MmZRTmItbyIsImtleV9vcHMiOlsiZW5jcnlwdCIsImRlY3J5cHQiXSwia3R5Ijoib2N0Iiwia2lkIjoibXAifSwic2VjcmV0S2V5IjoiQTMtQzRaSk1OLVBRVFpUTC1IR0w4NC1HNjRNNy1LVlpSTi00WlZQNiIsInNycFgiOiI4NzBkNjdhOWU2MjY2MjVkOWUzNjg1MDc4MDRjOWMzMmU2NjFjNTdlN2U1NTg3NzgyOTFiZjI5ZDVhMjc5YWUxIiwic2lnbkluQWRkcmVzcyI6ImdvdGhhbS5iNWxvY2FsLmNvbTo0MDAwIiwidXNlckF1dGgiOnsibWV0aG9kIjoiU1JQZy00MDk2IiwiYWxnIjoiUEJFUzJnLUhTMjU2IiwiaXRlcmF0aW9ucyI6MTAwMDAwLCJzYWx0IjoiRk1SVVBpeXJONFhmXzhIb2g2WVJYUSJ9fQ", + want: []string{"ops_eyJlbWFpbCI6ImVqd2U2NHFtbHhocmlAMXBhc3N3b3Jkc2VydmljZWFjY291bnRzLmxjbCIsIm11ayI6eyJhbGciOiJBMjU2R0NNIiwiZXh0Ijp0cnVlLCJrIjoiTThWUGZJYzhWRWZUaGNNWExhS0NLRjhzTWg1Sk1ac1BBdHU5MmZRTmItbyIsImtleV9vcHMiOlsiZW5jcnlwdCIsImRlY3J5cHQiXSwia3R5Ijoib2N0Iiwia2lkIjoibXAifSwic2VjcmV0S2V5IjoiQTMtQzRaSk1OLVBRVFpUTC1IR0w4NC1HNjRNNy1LVlpSTi00WlZQNiIsInNycFgiOiI4NzBkNjdhOWU2MjY2MjVkOWUzNjg1MDc4MDRjOWMzMmU2NjFjNTdlN2U1NTg3NzgyOTFiZjI5ZDVhMjc5YWUxIiwic2lnbkluQWRkcmVzcyI6ImdvdGhhbS5iNWxvY2FsLmNvbTo0MDAwIiwidXNlckF1dGgiOnsibWV0aG9kIjoiU1JQZy00MDk2IiwiYWxnIjoiUEJFUzJnLUhTMjU2IiwiaXRlcmF0aW9ucyI6MTAwMDAwLCJzYWx0IjoiRk1SVVBpeXJONFhmXzhIb2g2WVJYUSJ9fQ"}, + }, + { + name: "finds all matches", + input: `ops_eyJlbWFpbCI6ImVqd2U2NHFtbHhocmlAMXBhc3N3b3Jkc2VydmljZWFjY291bnRzLmxjbCIsIm11ayI6eyJhbGciOiJBMjU2R0NNIiwiZXh0Ijp0cnVlLCJrIjoiTThWUGZJYzhWRWZUaGNNWExhS0NLRjhzTWg1Sk1ac1BBdHU5MmZRTmItbyIsImtleV9vcHMiOlsiZW5jcnlwdCIsImRlY3J5cHQiXSwia3R5Ijoib2N0Iiwia2lkIjoibXAifSwic2VjcmV0S2V5IjoiQTMtQzRaSk1OLVBRVFpUTC1IR0w4NC1HNjRNNy1LVlpSTi00WlZQNiIsInNycFgiOiI4NzBkNjdhOWU2MjY2MjVkOWUzNjg1MDc4MDRjOWMzMmU2NjFjNTdlN2U1NTg3NzgyOTFiZjI5ZDVhMjc5YWUxIiwic2lnbkluQWRkcmVzcyI6ImdvdGhhbS5iNWxvY2FsLmNvbTo0MDAwIiwidXNlckF1dGgiOnsibWV0aG9kIjoiU1JQZy00MDk2IiwiYWxnIjoiUEJFUzJnLUhTMjU2IiwiaXRlcmF0aW9ucyI6MTAwMDAwLCJzYWx0IjoiRk1SVsBpeXJONFhmXzhIb2g2WVJYUSJ9fQ +ops_eyJlbWFpbCI6ImVqd2U2NHFtbHhocmlAMXBhc3N3b3Jkc2VydmljZWFjY291bnRzLmxjbCIsIm11ayI6eyJhbGciOiJBMjU2R0NNIiwiZXh0Ijp0cnVlLCJrIjoiTThWUGZJYzhWRWZUaGNNWExhS0NLRjhzTWg1Sk1ac1BBdHU5MmZRTmItbyIsImtleV9vcHMiOlsiZW5jcnlwdCIsImRlY3J5cHQiXSwia3R5Ijoib2N0Iiwia2lkIjoibXAifSwic2VjcmV0S2V5IjoiQTMtQzRaSk1OLVBRVFpUTC1IR0w4NC1HNjRNNy1LVlpSTi00WlZQNiIsInNycFgiOiI4NzBkNjdhOWU2MjY2MjVkOWUzNjg1MDc4MDRjOWMzMmU2NjFjNTdlN2U1NTg3NzgyOTFiZjI5ZDVhMjc5YWUxIiwic2lnbkluQWRkcmVzcyI6ImdvdGhhbS5iNWxvY2FsLmNvbTo0MDAwIiwidXNlckF1dGgiOnsibWV0aG9kIjoiU1JQZy00MDk2IiwiYWxnIjoiUEJFUzJnLUhTMjU2IiwiaXRlcmF0aW9ucyI6MTAwMDAwLCJzYWx0IjoiRk1SVVBpeXJONFhmXzhIb2g2WVJYUSJ9fQ`, + want: []string{ + `ops_eyJlbWFpbCI6ImVqd2U2NHFtbHhocmlAMXBhc3N3b3Jkc2VydmljZWFjY291bnRzLmxjbCIsIm11ayI6eyJhbGciOiJBMjU2R0NNIiwiZXh0Ijp0cnVlLCJrIjoiTThWUGZJYzhWRWZUaGNNWExhS0NLRjhzTWg1Sk1ac1BBdHU5MmZRTmItbyIsImtleV9vcHMiOlsiZW5jcnlwdCIsImRlY3J5cHQiXSwia3R5Ijoib2N0Iiwia2lkIjoibXAifSwic2VjcmV0S2V5IjoiQTMtQzRaSk1OLVBRVFpUTC1IR0w4NC1HNjRNNy1LVlpSTi00WlZQNiIsInNycFgiOiI4NzBkNjdhOWU2MjY2MjVkOWUzNjg1MDc4MDRjOWMzMmU2NjFjNTdlN2U1NTg3NzgyOTFiZjI5ZDVhMjc5YWUxIiwic2lnbkluQWRkcmVzcyI6ImdvdGhhbS5iNWxvY2FsLmNvbTo0MDAwIiwidXNlckF1dGgiOnsibWV0aG9kIjoiU1JQZy00MDk2IiwiYWxnIjoiUEJFUzJnLUhTMjU2IiwiaXRlcmF0aW9ucyI6MTAwMDAwLCJzYWx0IjoiRk1SVsBpeXJONFhmXzhIb2g2WVJYUSJ9fQ`, + `ops_eyJlbWFpbCI6ImVqd2U2NHFtbHhocmlAMXBhc3N3b3Jkc2VydmljZWFjY291bnRzLmxjbCIsIm11ayI6eyJhbGciOiJBMjU2R0NNIiwiZXh0Ijp0cnVlLCJrIjoiTThWUGZJYzhWRWZUaGNNWExhS0NLRjhzTWg1Sk1ac1BBdHU5MmZRTmItbyIsImtleV9vcHMiOlsiZW5jcnlwdCIsImRlY3J5cHQiXSwia3R5Ijoib2N0Iiwia2lkIjoibXAifSwic2VjcmV0S2V5IjoiQTMtQzRaSk1OLVBRVFpUTC1IR0w4NC1HNjRNNy1LVlpSTi00WlZQNiIsInNycFgiOiI4NzBkNjdhOWU2MjY2MjVkOWUzNjg1MDc4MDRjOWMzMmU2NjFjNTdlN2U1NTg3NzgyOTFiZjI5ZDVhMjc5YWUxIiwic2lnbkluQWRkcmVzcyI6ImdvdGhhbS5iNWxvY2FsLmNvbTo0MDAwIiwidXNlckF1dGgiOnsibWV0aG9kIjoiU1JQZy00MDk2IiwiYWxnIjoiUEJFUzJnLUhTMjU2IiwiaXRlcmF0aW9ucyI6MTAwMDAwLCJzYWx0IjoiRk1SVVBpeXJONFhmXzhIb2g2WVJYUSJ9fQ`, + }, + }, + { + name: "invalid pattern", + input: "onepassword_token = 'ops_1a2b3c4d'", + want: []string{}, + }, + } + + for _, test := range tests { + t.Run(test.name, func(t *testing.T) { + matchedDetectors := ahoCorasickCore.FindDetectorMatches([]byte(test.input)) + if len(matchedDetectors) == 0 { + t.Errorf("keywords '%v' not matched by: %s", d.Keywords(), test.input) + return + } + + results, err := d.FromData(context.Background(), false, []byte(test.input)) + if err != nil { + t.Errorf("error = %v", err) + return + } + + if len(results) != len(test.want) { + if len(results) == 0 { + t.Errorf("did not receive result") + } else { + t.Errorf("expected %d results, only received %d", len(test.want), len(results)) + } + return + } + + actual := make(map[string]struct{}, len(results)) + for _, r := range results { + if len(r.RawV2) > 0 { + actual[string(r.RawV2)] = struct{}{} + } else { + actual[string(r.Raw)] = struct{}{} + } + } + expected := make(map[string]struct{}, len(test.want)) + for _, v := range test.want { + expected[v] = struct{}{} + } + + if diff := cmp.Diff(expected, actual); diff != "" { + t.Errorf("%s diff: (-want +got)\n%s", test.name, diff) + } + }) + } +} diff --git a/pkg/engine/defaults.go b/pkg/engine/defaults.go index fea4c0f4b618..f67a1c208fa6 100644 --- a/pkg/engine/defaults.go +++ b/pkg/engine/defaults.go @@ -483,6 +483,7 @@ import ( "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/onedesk" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/onelogin" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/onepagecrm" + "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/onepassword" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/onesignal" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/onfleet" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/oopspam" @@ -1644,6 +1645,7 @@ func DefaultDetectors() []detectors.Detector { saladcloudapikey.Scanner{}, boxoauth.Scanner{}, rootly.Scanner{}, + onepassword.Scanner{}, } // Automatically initialize all detectors that implement diff --git a/pkg/pb/detectorspb/detectors.pb.go b/pkg/pb/detectorspb/detectors.pb.go index f54844773175..624891100c6e 100644 --- a/pkg/pb/detectorspb/detectors.pb.go +++ b/pkg/pb/detectorspb/detectors.pb.go @@ -1106,6 +1106,7 @@ const ( DetectorType_Box DetectorType = 1002 DetectorType_BoxOauth DetectorType = 1003 DetectorType_Rootly DetectorType = 1004 + DetectorType_OnePassword DetectorType = 1005 ) // Enum value maps for DetectorType. @@ -2112,6 +2113,7 @@ var ( 1002: "Box", 1003: "BoxOauth", 1004: "Rootly", + 1005: "OnePassword", } DetectorType_value = map[string]int32{ "Alibaba": 0, @@ -3115,6 +3117,7 @@ var ( "Box": 1002, "BoxOauth": 1003, "Rootly": 1004, + "OnePassword": 1005, } ) @@ -3568,7 +3571,7 @@ var file_detectors_proto_rawDesc = []byte{ 0x4c, 0x41, 0x49, 0x4e, 0x10, 0x01, 0x12, 0x0a, 0x0a, 0x06, 0x42, 0x41, 0x53, 0x45, 0x36, 0x34, 0x10, 0x02, 0x12, 0x09, 0x0a, 0x05, 0x55, 0x54, 0x46, 0x31, 0x36, 0x10, 0x03, 0x12, 0x13, 0x0a, 0x0f, 0x45, 0x53, 0x43, 0x41, 0x50, 0x45, 0x44, 0x5f, 0x55, 0x4e, 0x49, 0x43, 0x4f, 0x44, 0x45, - 0x10, 0x04, 0x2a, 0xa0, 0x80, 0x01, 0x0a, 0x0c, 0x44, 0x65, 0x74, 0x65, 0x63, 0x74, 0x6f, 0x72, + 0x10, 0x04, 0x2a, 0xb2, 0x80, 0x01, 0x0a, 0x0c, 0x44, 0x65, 0x74, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x54, 0x79, 0x70, 0x65, 0x12, 0x0b, 0x0a, 0x07, 0x41, 0x6c, 0x69, 0x62, 0x61, 0x62, 0x61, 0x10, 0x00, 0x12, 0x08, 0x0a, 0x04, 0x41, 0x4d, 0x51, 0x50, 0x10, 0x01, 0x12, 0x07, 0x0a, 0x03, 0x41, 0x57, 0x53, 0x10, 0x02, 0x12, 0x09, 0x0a, 0x05, 0x41, 0x7a, 0x75, 0x72, 0x65, 0x10, 0x03, 0x12, @@ -4594,11 +4597,12 @@ var file_detectors_proto_rawDesc = []byte{ 0x61, 0x64, 0x43, 0x6c, 0x6f, 0x75, 0x64, 0x41, 0x70, 0x69, 0x4b, 0x65, 0x79, 0x10, 0xe9, 0x07, 0x12, 0x08, 0x0a, 0x03, 0x42, 0x6f, 0x78, 0x10, 0xea, 0x07, 0x12, 0x0d, 0x0a, 0x08, 0x42, 0x6f, 0x78, 0x4f, 0x61, 0x75, 0x74, 0x68, 0x10, 0xeb, 0x07, 0x12, 0x0b, 0x0a, 0x06, 0x52, 0x6f, 0x6f, - 0x74, 0x6c, 0x79, 0x10, 0xec, 0x07, 0x42, 0x3d, 0x5a, 0x3b, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, - 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x74, 0x72, 0x75, 0x66, 0x66, 0x6c, 0x65, 0x73, 0x65, 0x63, 0x75, - 0x72, 0x69, 0x74, 0x79, 0x2f, 0x74, 0x72, 0x75, 0x66, 0x66, 0x6c, 0x65, 0x68, 0x6f, 0x67, 0x2f, - 0x76, 0x33, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x70, 0x62, 0x2f, 0x64, 0x65, 0x74, 0x65, 0x63, 0x74, - 0x6f, 0x72, 0x73, 0x70, 0x62, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x74, 0x6c, 0x79, 0x10, 0xec, 0x07, 0x12, 0x10, 0x0a, 0x0b, 0x4f, 0x6e, 0x65, 0x50, 0x61, 0x73, + 0x73, 0x77, 0x6f, 0x72, 0x64, 0x10, 0xed, 0x07, 0x42, 0x3d, 0x5a, 0x3b, 0x67, 0x69, 0x74, 0x68, + 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x74, 0x72, 0x75, 0x66, 0x66, 0x6c, 0x65, 0x73, 0x65, + 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2f, 0x74, 0x72, 0x75, 0x66, 0x66, 0x6c, 0x65, 0x68, 0x6f, + 0x67, 0x2f, 0x76, 0x33, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x70, 0x62, 0x2f, 0x64, 0x65, 0x74, 0x65, + 0x63, 0x74, 0x6f, 0x72, 0x73, 0x70, 0x62, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( diff --git a/proto/detectors.proto b/proto/detectors.proto index de8aaf8ee6d9..214a48eff627 100644 --- a/proto/detectors.proto +++ b/proto/detectors.proto @@ -1014,6 +1014,7 @@ enum DetectorType { Box = 1002; BoxOauth = 1003; Rootly = 1004; + OnePassword = 1005; } message Result { From 76d4002d9a4599a9edba16812f61f2f1f7f4a545 Mon Sep 17 00:00:00 2001 From: Sahil Silare Date: Wed, 16 Oct 2024 11:00:13 +0530 Subject: [PATCH 4/6] Revert "[detector] feat: added rootly detector" This reverts commit 1fcff0a807ae847e87f24de0b6e05bda579655cc. --- pkg/detectors/rootly/rootly.go | 77 ----------- .../rootly/rootly_integration_test.go | 120 ------------------ pkg/detectors/rootly/rootly_test.go | 86 ------------- pkg/engine/defaults.go | 4 - pkg/pb/detectorspb/detectors.pb.go | 17 +-- proto/detectors.proto | 2 - 6 files changed, 6 insertions(+), 300 deletions(-) delete mode 100644 pkg/detectors/rootly/rootly.go delete mode 100644 pkg/detectors/rootly/rootly_integration_test.go delete mode 100644 pkg/detectors/rootly/rootly_test.go diff --git a/pkg/detectors/rootly/rootly.go b/pkg/detectors/rootly/rootly.go deleted file mode 100644 index 7244ea27f4ce..000000000000 --- a/pkg/detectors/rootly/rootly.go +++ /dev/null @@ -1,77 +0,0 @@ -package rootly - -import ( - "context" - "net/http" - "strings" - - regexp "github.com/wasilibs/go-re2" - - "github.com/trufflesecurity/trufflehog/v3/pkg/common" - "github.com/trufflesecurity/trufflehog/v3/pkg/detectors" - "github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb" -) - -type Scanner struct{} - -// Ensure the Scanner satisfies the interface at compile time. -var _ detectors.Detector = (*Scanner)(nil) - -var ( - client = common.SaneHttpClient() - - // Make sure that your group is surrounded in boundary characters such as below to reduce false positives. - keyPat = regexp.MustCompile(`\brootly_[a-f0-9]{64}\b`) -) - -// Keywords are used for efficiently pre-filtering chunks. -// Use identifiers in the secret preferably, or the provider name. -func (s Scanner) Keywords() []string { - return []string{"rootly"} -} - -// FromData will find and optionally verify Rootly secrets in a given set of bytes. -func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (results []detectors.Result, err error) { - dataStr := string(data) - - matches := keyPat.FindAllStringSubmatch(dataStr, -1) - - for _, match := range matches { - if len(match) != 1 { - continue - } - resMatch := strings.TrimSpace(match[0]) - - s1 := detectors.Result{ - DetectorType: detectorspb.DetectorType_Rootly, - Raw: []byte(resMatch), - } - - if verify { - req, err := http.NewRequestWithContext(ctx, "GET", "https://api.rootly.com/v1/users/me", nil) - if err != nil { - continue - } - req.Header.Add("Authorization", "Bearer "+resMatch) - res, err := client.Do(req) - if err == nil { - defer res.Body.Close() - if res.StatusCode >= 200 && res.StatusCode < 300 { - s1.Verified = true - } - } - } - - results = append(results, s1) - } - - return results, nil -} - -func (s Scanner) Type() detectorspb.DetectorType { - return detectorspb.DetectorType_Rootly -} - -func (s Scanner) Description() string { - return "Rootly is an incident management platform. Rootly API keys can be used to access and manage incident data and other services." -} diff --git a/pkg/detectors/rootly/rootly_integration_test.go b/pkg/detectors/rootly/rootly_integration_test.go deleted file mode 100644 index 3bf76852fbe3..000000000000 --- a/pkg/detectors/rootly/rootly_integration_test.go +++ /dev/null @@ -1,120 +0,0 @@ -//go:build detectors -// +build detectors - -package rootly - -import ( - "context" - "fmt" - "testing" - "time" - - "github.com/kylelemons/godebug/pretty" - - "github.com/trufflesecurity/trufflehog/v3/pkg/common" - "github.com/trufflesecurity/trufflehog/v3/pkg/detectors" - "github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb" -) - -func TestRootly_FromChunk(t *testing.T) { - ctx, cancel := context.WithTimeout(context.Background(), time.Second*5) - defer cancel() - testSecrets, err := common.GetSecret(ctx, "trufflehog-testing", "detectors1") - if err != nil { - t.Fatalf("could not get test secrets from GCP: %s", err) - } - secret := testSecrets.MustGetField("ROOTLY") - inactiveSecret := testSecrets.MustGetField("ROOTLY_INACTIVE") - - type args struct { - ctx context.Context - data []byte - verify bool - } - tests := []struct { - name string - s Scanner - args args - want []detectors.Result - wantErr bool - }{ - { - name: "found, verified", - s: Scanner{}, - args: args{ - ctx: context.Background(), - data: []byte(fmt.Sprintf("You can find a rootly secret %s within", secret)), - verify: true, - }, - want: []detectors.Result{ - { - DetectorType: detectorspb.DetectorType_Rootly, - Verified: true, - }, - }, - wantErr: false, - }, - { - name: "found, unverified", - s: Scanner{}, - args: args{ - ctx: context.Background(), - data: []byte(fmt.Sprintf("You can find a rootly secret %s within but not valid", inactiveSecret)), // the secret would satisfy the regex but not pass validation - verify: true, - }, - want: []detectors.Result{ - { - DetectorType: detectorspb.DetectorType_Rootly, - Verified: false, - }, - }, - wantErr: false, - }, - { - name: "not found", - s: Scanner{}, - args: args{ - ctx: context.Background(), - data: []byte("You cannot find the secret within"), - verify: true, - }, - want: nil, - wantErr: false, - }, - } - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - s := Scanner{} - got, err := s.FromData(tt.args.ctx, tt.args.verify, tt.args.data) - if (err != nil) != tt.wantErr { - t.Errorf("Rootly.FromData() error = %v, wantErr %v", err, tt.wantErr) - return - } - for i := range got { - if len(got[i].Raw) == 0 { - t.Fatalf("no raw secret present: \n %+v", got[i]) - } - got[i].Raw = nil - } - if diff := pretty.Compare(got, tt.want); diff != "" { - t.Errorf("Rootly.FromData() %s diff: (-got +want)\n%s", tt.name, diff) - } - }) - } -} - -func BenchmarkFromData(benchmark *testing.B) { - ctx := context.Background() - s := Scanner{} - for name, data := range detectors.MustGetBenchmarkData() { - benchmark.Run(name, func(b *testing.B) { - b.ResetTimer() - for n := 0; n < b.N; n++ { - _, err := s.FromData(ctx, false, data) - if err != nil { - b.Fatal(err) - } - } - }) - } -} diff --git a/pkg/detectors/rootly/rootly_test.go b/pkg/detectors/rootly/rootly_test.go deleted file mode 100644 index 04fded66e348..000000000000 --- a/pkg/detectors/rootly/rootly_test.go +++ /dev/null @@ -1,86 +0,0 @@ -package rootly - -import ( - "context" - "fmt" - "testing" - - "github.com/google/go-cmp/cmp" - - "github.com/trufflesecurity/trufflehog/v3/pkg/detectors" - "github.com/trufflesecurity/trufflehog/v3/pkg/engine/ahocorasick" -) - -var ( - validPattern = "rootly_a3b9f8c1e2d4f5b6c7d8e9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9" - invalidPattern = "rootly_A$3b9f8c1e2d4f5b6c7d8e9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d" -) - -func TestRootly_Pattern(t *testing.T) { - d := Scanner{} - ahoCorasickCore := ahocorasick.NewAhoCorasickCore([]detectors.Detector{d}) - - tests := []struct { - name string - input string - want []string - }{ - { - name: "valid pattern", - input: fmt.Sprintf("rootly: '%s'", validPattern), - want: []string{validPattern}, - }, - { - name: "valid pattern - key out of prefix range", - input: fmt.Sprintf("rootly keyword is not close to the real key in the data\n = '%s'", validPattern), - want: []string{validPattern}, - }, - { - name: "invalid pattern", - input: fmt.Sprintf("rootly: '%s'", invalidPattern), - want: nil, - }, - } - - for _, test := range tests { - t.Run(test.name, func(t *testing.T) { - matchedDetectors := ahoCorasickCore.FindDetectorMatches([]byte(test.input)) - if len(matchedDetectors) == 0 { - t.Errorf("keywords '%v' not matched by: %s", d.Keywords(), test.input) - return - } - - results, err := d.FromData(context.Background(), false, []byte(test.input)) - if err != nil { - t.Errorf("error = %v", err) - return - } - - if len(results) != len(test.want) { - if len(results) == 0 { - t.Errorf("did not receive result") - } else { - t.Errorf("expected %d results, only received %d", len(test.want), len(results)) - } - return - } - - actual := make(map[string]struct{}, len(results)) - for _, r := range results { - if len(r.RawV2) > 0 { - actual[string(r.RawV2)] = struct{}{} - } else { - actual[string(r.Raw)] = struct{}{} - } - } - expected := make(map[string]struct{}, len(test.want)) - for _, v := range test.want { - expected[v] = struct{}{} - } - - if diff := cmp.Diff(expected, actual); diff != "" { - t.Errorf("%s diff: (-want +got)\n%s", test.name, diff) - } - }) - } -} diff --git a/pkg/engine/defaults.go b/pkg/engine/defaults.go index f67a1c208fa6..96604628c3b5 100644 --- a/pkg/engine/defaults.go +++ b/pkg/engine/defaults.go @@ -483,7 +483,6 @@ import ( "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/onedesk" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/onelogin" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/onepagecrm" - "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/onepassword" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/onesignal" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/onfleet" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/oopspam" @@ -588,7 +587,6 @@ import ( "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/rocketreach" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/rockset" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/roninapp" - "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/rootly" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/route4me" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/rownd" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/rubygems" @@ -1644,8 +1642,6 @@ func DefaultDetectors() []detectors.Detector { meraki.Scanner{}, saladcloudapikey.Scanner{}, boxoauth.Scanner{}, - rootly.Scanner{}, - onepassword.Scanner{}, } // Automatically initialize all detectors that implement diff --git a/pkg/pb/detectorspb/detectors.pb.go b/pkg/pb/detectorspb/detectors.pb.go index 624891100c6e..982830e80ff6 100644 --- a/pkg/pb/detectorspb/detectors.pb.go +++ b/pkg/pb/detectorspb/detectors.pb.go @@ -1105,8 +1105,6 @@ const ( DetectorType_SaladCloudApiKey DetectorType = 1001 DetectorType_Box DetectorType = 1002 DetectorType_BoxOauth DetectorType = 1003 - DetectorType_Rootly DetectorType = 1004 - DetectorType_OnePassword DetectorType = 1005 ) // Enum value maps for DetectorType. @@ -2113,7 +2111,6 @@ var ( 1002: "Box", 1003: "BoxOauth", 1004: "Rootly", - 1005: "OnePassword", } DetectorType_value = map[string]int32{ "Alibaba": 0, @@ -3117,7 +3114,6 @@ var ( "Box": 1002, "BoxOauth": 1003, "Rootly": 1004, - "OnePassword": 1005, } ) @@ -3571,7 +3567,7 @@ var file_detectors_proto_rawDesc = []byte{ 0x4c, 0x41, 0x49, 0x4e, 0x10, 0x01, 0x12, 0x0a, 0x0a, 0x06, 0x42, 0x41, 0x53, 0x45, 0x36, 0x34, 0x10, 0x02, 0x12, 0x09, 0x0a, 0x05, 0x55, 0x54, 0x46, 0x31, 0x36, 0x10, 0x03, 0x12, 0x13, 0x0a, 0x0f, 0x45, 0x53, 0x43, 0x41, 0x50, 0x45, 0x44, 0x5f, 0x55, 0x4e, 0x49, 0x43, 0x4f, 0x44, 0x45, - 0x10, 0x04, 0x2a, 0xb2, 0x80, 0x01, 0x0a, 0x0c, 0x44, 0x65, 0x74, 0x65, 0x63, 0x74, 0x6f, 0x72, + 0x10, 0x04, 0x2a, 0xa0, 0x80, 0x01, 0x0a, 0x0c, 0x44, 0x65, 0x74, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x54, 0x79, 0x70, 0x65, 0x12, 0x0b, 0x0a, 0x07, 0x41, 0x6c, 0x69, 0x62, 0x61, 0x62, 0x61, 0x10, 0x00, 0x12, 0x08, 0x0a, 0x04, 0x41, 0x4d, 0x51, 0x50, 0x10, 0x01, 0x12, 0x07, 0x0a, 0x03, 0x41, 0x57, 0x53, 0x10, 0x02, 0x12, 0x09, 0x0a, 0x05, 0x41, 0x7a, 0x75, 0x72, 0x65, 0x10, 0x03, 0x12, @@ -4597,12 +4593,11 @@ var file_detectors_proto_rawDesc = []byte{ 0x61, 0x64, 0x43, 0x6c, 0x6f, 0x75, 0x64, 0x41, 0x70, 0x69, 0x4b, 0x65, 0x79, 0x10, 0xe9, 0x07, 0x12, 0x08, 0x0a, 0x03, 0x42, 0x6f, 0x78, 0x10, 0xea, 0x07, 0x12, 0x0d, 0x0a, 0x08, 0x42, 0x6f, 0x78, 0x4f, 0x61, 0x75, 0x74, 0x68, 0x10, 0xeb, 0x07, 0x12, 0x0b, 0x0a, 0x06, 0x52, 0x6f, 0x6f, - 0x74, 0x6c, 0x79, 0x10, 0xec, 0x07, 0x12, 0x10, 0x0a, 0x0b, 0x4f, 0x6e, 0x65, 0x50, 0x61, 0x73, - 0x73, 0x77, 0x6f, 0x72, 0x64, 0x10, 0xed, 0x07, 0x42, 0x3d, 0x5a, 0x3b, 0x67, 0x69, 0x74, 0x68, - 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x74, 0x72, 0x75, 0x66, 0x66, 0x6c, 0x65, 0x73, 0x65, - 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2f, 0x74, 0x72, 0x75, 0x66, 0x66, 0x6c, 0x65, 0x68, 0x6f, - 0x67, 0x2f, 0x76, 0x33, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x70, 0x62, 0x2f, 0x64, 0x65, 0x74, 0x65, - 0x63, 0x74, 0x6f, 0x72, 0x73, 0x70, 0x62, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x74, 0x6c, 0x79, 0x10, 0xec, 0x07, 0x42, 0x3d, 0x5a, 0x3b, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, + 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x74, 0x72, 0x75, 0x66, 0x66, 0x6c, 0x65, 0x73, 0x65, 0x63, 0x75, + 0x72, 0x69, 0x74, 0x79, 0x2f, 0x74, 0x72, 0x75, 0x66, 0x66, 0x6c, 0x65, 0x68, 0x6f, 0x67, 0x2f, + 0x76, 0x33, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x70, 0x62, 0x2f, 0x64, 0x65, 0x74, 0x65, 0x63, 0x74, + 0x6f, 0x72, 0x73, 0x70, 0x62, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( diff --git a/proto/detectors.proto b/proto/detectors.proto index 214a48eff627..6f220b09d153 100644 --- a/proto/detectors.proto +++ b/proto/detectors.proto @@ -1013,8 +1013,6 @@ enum DetectorType { SaladCloudApiKey = 1001; Box = 1002; BoxOauth = 1003; - Rootly = 1004; - OnePassword = 1005; } message Result { From f0dbe7db27e3b4e175f89586e97b26dcaa575234 Mon Sep 17 00:00:00 2001 From: Sahil Silare Date: Wed, 16 Oct 2024 11:01:32 +0530 Subject: [PATCH 5/6] feat: added onepassword --- pkg/engine/defaults.go | 2 ++ pkg/pb/detectorspb/detectors.pb.go | 20 +++++++++++--------- proto/detectors.proto | 1 + 3 files changed, 14 insertions(+), 9 deletions(-) diff --git a/pkg/engine/defaults.go b/pkg/engine/defaults.go index 96604628c3b5..afc6d5523db6 100644 --- a/pkg/engine/defaults.go +++ b/pkg/engine/defaults.go @@ -483,6 +483,7 @@ import ( "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/onedesk" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/onelogin" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/onepagecrm" + "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/onepassword" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/onesignal" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/onfleet" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/oopspam" @@ -1642,6 +1643,7 @@ func DefaultDetectors() []detectors.Detector { meraki.Scanner{}, saladcloudapikey.Scanner{}, boxoauth.Scanner{}, + onepassword.Scanner{}, } // Automatically initialize all detectors that implement diff --git a/pkg/pb/detectorspb/detectors.pb.go b/pkg/pb/detectorspb/detectors.pb.go index 982830e80ff6..74591b29408c 100644 --- a/pkg/pb/detectorspb/detectors.pb.go +++ b/pkg/pb/detectorspb/detectors.pb.go @@ -1105,6 +1105,7 @@ const ( DetectorType_SaladCloudApiKey DetectorType = 1001 DetectorType_Box DetectorType = 1002 DetectorType_BoxOauth DetectorType = 1003 + DetectorType_OnePassword DetectorType = 1004 ) // Enum value maps for DetectorType. @@ -2110,7 +2111,7 @@ var ( 1001: "SaladCloudApiKey", 1002: "Box", 1003: "BoxOauth", - 1004: "Rootly", + 1004: "OnePassword", } DetectorType_value = map[string]int32{ "Alibaba": 0, @@ -3113,7 +3114,7 @@ var ( "SaladCloudApiKey": 1001, "Box": 1002, "BoxOauth": 1003, - "Rootly": 1004, + "OnePassword": 1004, } ) @@ -3567,7 +3568,7 @@ var file_detectors_proto_rawDesc = []byte{ 0x4c, 0x41, 0x49, 0x4e, 0x10, 0x01, 0x12, 0x0a, 0x0a, 0x06, 0x42, 0x41, 0x53, 0x45, 0x36, 0x34, 0x10, 0x02, 0x12, 0x09, 0x0a, 0x05, 0x55, 0x54, 0x46, 0x31, 0x36, 0x10, 0x03, 0x12, 0x13, 0x0a, 0x0f, 0x45, 0x53, 0x43, 0x41, 0x50, 0x45, 0x44, 0x5f, 0x55, 0x4e, 0x49, 0x43, 0x4f, 0x44, 0x45, - 0x10, 0x04, 0x2a, 0xa0, 0x80, 0x01, 0x0a, 0x0c, 0x44, 0x65, 0x74, 0x65, 0x63, 0x74, 0x6f, 0x72, + 0x10, 0x04, 0x2a, 0xa5, 0x80, 0x01, 0x0a, 0x0c, 0x44, 0x65, 0x74, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x54, 0x79, 0x70, 0x65, 0x12, 0x0b, 0x0a, 0x07, 0x41, 0x6c, 0x69, 0x62, 0x61, 0x62, 0x61, 0x10, 0x00, 0x12, 0x08, 0x0a, 0x04, 0x41, 0x4d, 0x51, 0x50, 0x10, 0x01, 0x12, 0x07, 0x0a, 0x03, 0x41, 0x57, 0x53, 0x10, 0x02, 0x12, 0x09, 0x0a, 0x05, 0x41, 0x7a, 0x75, 0x72, 0x65, 0x10, 0x03, 0x12, @@ -4592,12 +4593,13 @@ var file_detectors_proto_rawDesc = []byte{ 0x4d, 0x65, 0x72, 0x61, 0x6b, 0x69, 0x10, 0xe8, 0x07, 0x12, 0x15, 0x0a, 0x10, 0x53, 0x61, 0x6c, 0x61, 0x64, 0x43, 0x6c, 0x6f, 0x75, 0x64, 0x41, 0x70, 0x69, 0x4b, 0x65, 0x79, 0x10, 0xe9, 0x07, 0x12, 0x08, 0x0a, 0x03, 0x42, 0x6f, 0x78, 0x10, 0xea, 0x07, 0x12, 0x0d, 0x0a, 0x08, 0x42, 0x6f, - 0x78, 0x4f, 0x61, 0x75, 0x74, 0x68, 0x10, 0xeb, 0x07, 0x12, 0x0b, 0x0a, 0x06, 0x52, 0x6f, 0x6f, - 0x74, 0x6c, 0x79, 0x10, 0xec, 0x07, 0x42, 0x3d, 0x5a, 0x3b, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, - 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x74, 0x72, 0x75, 0x66, 0x66, 0x6c, 0x65, 0x73, 0x65, 0x63, 0x75, - 0x72, 0x69, 0x74, 0x79, 0x2f, 0x74, 0x72, 0x75, 0x66, 0x66, 0x6c, 0x65, 0x68, 0x6f, 0x67, 0x2f, - 0x76, 0x33, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x70, 0x62, 0x2f, 0x64, 0x65, 0x74, 0x65, 0x63, 0x74, - 0x6f, 0x72, 0x73, 0x70, 0x62, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x78, 0x4f, 0x61, 0x75, 0x74, 0x68, 0x10, 0xeb, 0x07, 0x12, 0x10, 0x0a, 0x0b, 0x4f, 0x6e, 0x65, + 0x50, 0x61, 0x73, 0x73, 0x77, 0x6f, 0x72, 0x64, 0x10, 0xec, 0x07, 0x42, 0x3d, 0x5a, 0x3b, 0x67, + 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x74, 0x72, 0x75, 0x66, 0x66, 0x6c, + 0x65, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2f, 0x74, 0x72, 0x75, 0x66, 0x66, 0x6c, + 0x65, 0x68, 0x6f, 0x67, 0x2f, 0x76, 0x33, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x70, 0x62, 0x2f, 0x64, + 0x65, 0x74, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x73, 0x70, 0x62, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, + 0x6f, 0x33, } var ( diff --git a/proto/detectors.proto b/proto/detectors.proto index 6f220b09d153..89e23a6b95f1 100644 --- a/proto/detectors.proto +++ b/proto/detectors.proto @@ -1013,6 +1013,7 @@ enum DetectorType { SaladCloudApiKey = 1001; Box = 1002; BoxOauth = 1003; + OnePassword = 1004; } message Result { From fa2e7984348104067cc1f7738fe538b6149a4c1f Mon Sep 17 00:00:00 2001 From: Sahil Silare Date: Wed, 16 Oct 2024 11:02:44 +0530 Subject: [PATCH 6/6] Revert "feat: throws error when directory is not found" This reverts commit 12686705a8dcfb587557a6b6a119e7b9ae9e0bb1. --- pkg/sources/git/git.go | 14 ++++---------- pkg/sources/source_manager.go | 2 -- 2 files changed, 4 insertions(+), 12 deletions(-) diff --git a/pkg/sources/git/git.go b/pkg/sources/git/git.go index 03418892ba7d..c18c93879a9c 100644 --- a/pkg/sources/git/git.go +++ b/pkg/sources/git/git.go @@ -314,8 +314,8 @@ func (s *Source) scanDirs(ctx context.Context, reporter sources.ChunkReporter) e continue } if err := s.scanDir(ctx, gitDir, reporter); err != nil { - ctx.Logger().Error(err, "error scanning repository", "repo", gitDir, "error", err) - return err // Return the error instead of continuing + ctx.Logger().Info("error scanning repository", "repo", gitDir, "error", err) + continue } } return nil @@ -327,16 +327,10 @@ func (s *Source) scanDir(ctx context.Context, gitDir string, reporter sources.Ch // TODO: Figure out why we skip directories ending in "git". return nil } - - // Check if the directory exists - if _, err := os.Stat(gitDir); os.IsNotExist(err) { - return fmt.Errorf("directory does not exist: %s", gitDir) - } - // try paths instead of url repo, err := RepoFromPath(gitDir, s.scanOptions.Bare) if err != nil { - return fmt.Errorf("error opening repo from path: %w", err) + return reporter.ChunkErr(ctx, err) } err = func() error { @@ -347,7 +341,7 @@ func (s *Source) scanDir(ctx context.Context, gitDir string, reporter sources.Ch return s.git.ScanRepo(ctx, repo, gitDir, s.scanOptions, reporter) }() if err != nil { - return err + return reporter.ChunkErr(ctx, err) } return nil } diff --git a/pkg/sources/source_manager.go b/pkg/sources/source_manager.go index 11f1b621951d..d3ba4a711952 100644 --- a/pkg/sources/source_manager.go +++ b/pkg/sources/source_manager.go @@ -309,8 +309,6 @@ func (s *SourceManager) runWithoutUnits(ctx context.Context, source Source, repo defer wg.Wait() defer close(ch) if err := source.Chunks(ctx, ch, targets...); err != nil { - // Log the error - ctx.Logger().Error(err, "Error scanning chunks", "error", err) report.ReportError(Fatal{err}) return Fatal{err} }