From 2b9f08d5e0a5f557c71a38f0500ca8fd45c0b3b8 Mon Sep 17 00:00:00 2001
From: Maitray Shah
Date: Tue, 28 Mar 2023 15:31:43 -0700
Subject: [PATCH 1/8] Trufflehog - Exclude files
---
 docs/scanners/truffle_hog.md | 3 ++
 lib/salus/scanners/trufflehog.rb | 10 ++++++
 spec/fixtures/sarifs/diff/git_diff_yarn.txt | 36 ---------------------
 3 files changed, 13 insertions(+), 36 deletions(-)
 delete mode 100644 spec/fixtures/sarifs/diff/git_diff_yarn.txt
diff --git a/docs/scanners/truffle_hog.md b/docs/scanners/truffle_hog.md
index c5495996..e8d995d3 100644
--- a/docs/scanners/truffle_hog.md
+++ b/docs/scanners/truffle_hog.md
@@ -9,6 +9,9 @@ The following config options are available.
 ```yaml
 scanner_configs:
 Trufflehog:
+ exclude:
+ - filename1.txt
+ - filename2.txt
 only-verified: false # Only output verified results.
 # true by default
 exceptions: # whitelist finding
diff --git a/lib/salus/scanners/trufflehog.rb b/lib/salus/scanners/trufflehog.rb
index 33d7e75f..92b710bf 100644
--- a/lib/salus/scanners/trufflehog.rb
+++ b/lib/salus/scanners/trufflehog.rb
@@ -32,6 +32,16 @@ def command
 if @config['only-verified'].to_s == 'true' || @config['only-verified'].to_s == ''
 cmd += ' --only-verified'
 end
+
+ # fetch exclusions
+ if @config.fetch('exclude', [])
+ cmd += ' -x'
+ excludes = @config.fetch('exclude', [])
+ excludes.each do |exclude|
+ cmd += ' ' + exclude
+ end
+ end
+
 cmd
 end
diff --git a/spec/fixtures/sarifs/diff/git_diff_yarn.txt b/spec/fixtures/sarifs/diff/git_diff_yarn.txt
deleted file mode 100644
index 10815378..00000000
--- a/spec/fixtures/sarifs/diff/git_diff_yarn.txt
+++ /dev/null
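Review bot: `if @config.fetch('exclude', [])` is always true, because `[]` is truthy in Ruby, so a bare `-x` is appended to the trufflehog command even when no exclusions are configured. Each configured name is also spliced into the command string unquoted, so a path with spaces breaks the command and, if the string is run through a shell, a value taken from the repository's config can add arguments of its own. Guarding on the list and escaping covers both: `excludes = Array(@config['exclude']).map { |e| Shellwords.escape(e.to_s) }` followed by `cmd += " -x #{excludes.join(' ')}" unless excludes.empty?` (with `require 'shellwords'` at the top of the file if it is not already loaded). Later patches in this series rewrite this block to pass a single filter file, so whichever version survives should keep the guard and the escaping. The `command` method's opening line is outside the hunk.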
@@ -1,36 +0,0 @@ -diff --git a/yarn.lock b/yarn.lock -index 06e7d3ba9ef..e3f8fbb5889 100644 ---- a/yarn.lock -+++ b/yarn.lock -@@ -10599,10 +10599,10 @@ base64-arraybuffer@^0.2.0: - resolved "https://registry-npm.com/base64-arraybuffer/-/base64-arraybuffer-0.2.0.tgz#4b944fac0191aa5907afe2d8c999ccc57ce80f45" - integrity sha512-7emyCsu1/xiBXgQZrscw/8KPRT44I4Yq9Pe6EGs3aPRTsWuggML1/1DTuZUuIaJPIm1FTDUVXl4x/yW8s0kQDQ== - --jspdf@2.5.1: -- version "2.5.1" -- resolved "https://registry.yarnpkg.com/jspdf/-/jspdf-2.5.1.tgz#00c85250abf5447a05f3b32ab9935ab4a56592cc" -- integrity sha512-hXObxz7ZqoyhxET78+XR34Xu2qFGrJJ2I2bE5w4SM8eFaFEkW2xcGRVUss360fYelwRSid/jT078kbNvmoW0QA== -+jspdf@2.3.1: -+ version "2.3.1" -+ resolved "https://registry-npm.com/jspdf/-/jspdf-2.3.1.tgz#313d117234b546469694a1fd81a1e02411647576" -+ integrity sha512-1vp0USP1mQi1h7NKpwxjFgQkJ5ncZvtH858aLpycUc/M+r/RpWJT8PixAU7Cw/3fPd4fpC8eB/Bj42LnsR21YQ== - dependencies: -- "@babel/runtime" "^7.14.0" - atob "^2.1.2" - btoa "^1.2.1" - fflate "^0.4.8" -@@ -31897,12 +31889,12 @@ text-encoding@0.7.0: - resolved "https://registry-npm.com/text-encoding/-/text-encoding-0.7.0.tgz#f895e836e45990624086601798ea98e8f36ee643" - integrity sha512-oJQ3f1hrOnbRLOcwKz0Liq2IcrvDeZRHXhd9RgLrsT+DjWY/nty1Hi7v3dtkaEYbPYe0mUoOfzRrMwfXXwgPUA== - --text-segmentation@^1.0.2, text-segmentation@^1.0.3: -- version "1.0.3" -- resolved "https://registry.yarnpkg.com/text-segmentation/-/text-segmentation-1.0.3.tgz#52a388159efffe746b24a63ba311b6ac9f2d7943" -- integrity sha512-iOiPUo/BGnZ6+54OsWxZidGCsdU8YbE4PSpdPinp7DeMtUJNJBoJ/ouUSTJjHkh1KntHaltHl/gDs2FC4i5+Nw== -+text-segmentation@^1.0.2: -+ version "1.0.2" -+ resolved "https://registry-npm.com/text-segmentation/-/text-segmentation-1.0.2.tgz#1f828fa14aa101c114ded1bda35ba7dcc17c9858" -+ integrity sha512-uTqvLxdBrVnx/CFQOtnf8tfzSXFm+1Qxau7Xi54j4OPTZokuDOX8qncQzrg2G8ZicAMOM8TgzFAYTb+AqNO4Cw== - dependencies: -- utrie "^1.0.2" -+ utrie "^1.0.1" 
From cdfdc69efd2c5e37064bc848239f67d339f375a6 Mon Sep 17 00:00:00 2001
From: Maitray Shah
Date: Tue, 28 Mar 2023 15:35:30 -0700
Subject: [PATCH 2/8] rubocop fix
---
 lib/salus/scanners/trufflehog.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/salus/scanners/trufflehog.rb b/lib/salus/scanners/trufflehog.rb
index 92b710bf..78f5e501 100644
--- a/lib/salus/scanners/trufflehog.rb
+++ b/lib/salus/scanners/trufflehog.rb
@@ -38,10 +38,10 @@ def command
 cmd += ' -x'
 excludes = @config.fetch('exclude', [])
 excludes.each do |exclude|
- cmd += ' ' + exclude
+ cmd += ' ' + exclude
 end
 end
-
+
 cmd
 end
From ee1f25bfc69ecd415d633068bf53547a1291834b Mon Sep 17 00:00:00 2001
From: Maitray Shah
Date: Wed, 29 Mar 2023 12:36:33 -0700
Subject: [PATCH 3/8] fix logic
---
 docs/scanners/truffle_hog.md | 5 ++---
 lib/salus/scanners/trufflehog.rb | 16 +++++++++++-----
 2 files changed, 13 insertions(+), 8 deletions(-)
diff --git a/docs/scanners/truffle_hog.md b/docs/scanners/truffle_hog.md
index e8d995d3..7c212872 100644
--- a/docs/scanners/truffle_hog.md
+++ b/docs/scanners/truffle_hog.md
@@ -9,9 +9,8 @@ The following config options are available.
 ```yaml
 scanner_configs:
 Trufflehog:
- exclude:
- - filename1.txt
- - filename2.txt
+ exclude_files: # List of file paths to ignore
+ - env.json
 only-verified: false # Only output verified results.
 # true by default
 exceptions: # whitelist finding
diff --git a/lib/salus/scanners/trufflehog.rb b/lib/salus/scanners/trufflehog.rb
index 78f5e501..3fdc9bd8 100644
--- a/lib/salus/scanners/trufflehog.rb
+++ b/lib/salus/scanners/trufflehog.rb
@@ -7,6 +7,8 @@ module Salus::Scanners
 class Trufflehog < Base
+ FILTER_FILE = 'filter.txt'
+
 def should_run?
 true
 end
@@ -34,12 +36,16 @@ def command
 end
 # fetch exclusions
- if @config.fetch('exclude', [])
- cmd += ' -x'
- excludes = @config.fetch('exclude', [])
- excludes.each do |exclude|
- cmd += ' ' + exclude
+ if @config.fetch('exclude_files', false)
+ exclusion_content = ""
+ exclusions = @config.fetch('exclude_files', [])
+ exclusions.each do |exclude|
+ exclusion_content += exclude + "\n"
+ end
+ File.open("#{@repository.path_to_repo}/#{FILTER_FILE}", "w") do |f|
+ f.write(exclusion_content)
 end
+ cmd += ' -x ' + "#{@repository.path_to_repo}/#{FILTER_FILE}"
 end
 cmd
From b44bbc6a9cb16e2f4218911e5405945cc351a4f0 Mon Sep 17 00:00:00 2001
From: Maitray Shah
Date: Wed, 29 Mar 2023 12:39:41 -0700
Subject: [PATCH 4/8] nit
---
 lib/salus/scanners/trufflehog.rb | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/lib/salus/scanners/trufflehog.rb b/lib/salus/scanners/trufflehog.rb
index 3fdc9bd8..817bf45a 100644
--- a/lib/salus/scanners/trufflehog.rb
+++ b/lib/salus/scanners/trufflehog.rb
@@ -7,7 +7,7 @@ module Salus::Scanners
 class Trufflehog < Base
- FILTER_FILE = 'filter.txt'
+ FILTER_FILE = 'filter.txt'.freeze
 def should_run?
 true
@@ -42,8 +42,8 @@ def command
 exclusions.each do |exclude|
 exclusion_content += exclude + "\n"
 end
- File.open("#{@repository.path_to_repo}/#{FILTER_FILE}", "w") do |f|
- f.write(exclusion_content)
+ File.open("#{@repository.path_to_repo}/#{FILTER_FILE}", "w") do |f|
+ f.write(exclusion_content)
 end
 cmd += ' -x ' + "#{@repository.path_to_repo}/#{FILTER_FILE}"
 end
From 31aefa4a6f7dd5c269da044c727ae7819a1639e0 Mon Sep 17 00:00:00 2001
From: Maitray Shah
Date: Fri, 31 Mar 2023 08:54:06 -0700
Subject: [PATCH 5/8] config change
---
 docs/scanners/truffle_hog.md | 1 +
 spec/fixtures/secrets/filter.txt | 2 ++
 spec/lib/salus/scanners/trufflehog_spec.rb | 26 ++++++++++++++++++++++
 3 files changed, 29 insertions(+)
 create mode 100644 spec/fixtures/secrets/filter.txt
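Review bot: The exclusion list is written to `#{@repository.path_to_repo}/#{FILTER_FILE}`, i.e. into the repository being scanned, so the scan overwrites any `filter.txt` the target repo already contains, scans the filter file itself, and leaves it behind afterwards; the `spec/fixtures/secrets/filter.txt` that shows up in a later patch of this series and is then deleted looks like exactly that artifact. The same path is then interpolated into the command string unescaped, so a checkout path with spaces or shell metacharacters breaks or alters the command if it is executed through a shell. Writing the patterns to a `Tempfile` outside the tree, escaping its path with `Shellwords.escape`, and unlinking it after the run (`@exclusion_file&.close!` in an `ensure` around the scan) avoids all three; the rewrite below replaces the body of the `if`, and needs `require 'tempfile'` and `require 'shellwords'` if they are not already loaded. As far as I know of trufflehog's `-x` option, the file holds newline-separated regexes rather than literal paths (worth confirming against the pinned version), so `env.json` also matches `myenv.json`, and the doc comment added in this patch, `# List of file paths to ignore`, would be more accurate as `# List of path regexes to ignore`. The `command` method's signature and the initialisation of `cmd` are outside the hunk.
```ruby
      # fetch exclusions
      exclusions = Array(@config['exclude_files']).map(&:to_s)
      unless exclusions.empty?
        # Keep the filter outside the scanned tree so it is neither scanned nor
        # left behind; close! it once the scan has finished.
        @exclusion_file = Tempfile.new(['trufflehog-exclude', '.txt'])
        @exclusion_file.write(exclusions.join("\n") + "\n")
        @exclusion_file.flush
        cmd += " -x #{Shellwords.escape(@exclusion_file.path)}"
      end
      # … unchanged: cmd is returned below …
```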
diff --git a/docs/scanners/truffle_hog.md b/docs/scanners/truffle_hog.md
index 7c212872..e8f3b7a0 100644
--- a/docs/scanners/truffle_hog.md
+++ b/docs/scanners/truffle_hog.md
@@ -11,6 +11,7 @@ scanner_configs:
 Trufflehog:
 exclude_files: # List of file paths to ignore
 - env.json
+ - secrets.txt
 only-verified: false # Only output verified results.
 # true by default
 exceptions: # whitelist finding
diff --git a/spec/fixtures/secrets/filter.txt b/spec/fixtures/secrets/filter.txt
new file mode 100644
index 00000000..632b2e0c
--- /dev/null
+++ b/spec/fixtures/secrets/filter.txt
@@ -0,0 +1,2 @@
+url.txt
+logins.txt
diff --git a/spec/lib/salus/scanners/trufflehog_spec.rb b/spec/lib/salus/scanners/trufflehog_spec.rb
index 364beea3..f2457213 100644
--- a/spec/lib/salus/scanners/trufflehog_spec.rb
+++ b/spec/lib/salus/scanners/trufflehog_spec.rb
@@ -126,8 +126,34 @@
 expect(report_h[:info]).to eq({})
 expect(report_h[:errors]).to eq([])
 end
+
+ it 'should honor exclude in the config to ignore findings and pass' do
+ repo = Salus::Repo.new('spec/fixtures/secrets')
+ config = { "exclude_files" => ["url.txt", "logins.txt" ] }
+ scanner = Salus::Scanners::Trufflehog.new(repository: repo, config: config)
+ scanner.run
+
+ report_h = scanner.report.to_h
+ expect(report_h[:passed]).to eq(true)
+ expect(report_h[:logs]).to be_nil
+ expect(report_h[:warn]).to eq({})
+ expect(report_h[:info]).to eq({})
+ expect(report_h[:errors]).to eq([])
+ end
+
+ it 'should honor exclude in the config to ignore findings and fail' do
+ repo = Salus::Repo.new('spec/fixtures/secrets')
+ config = { "exclude_files" => ["url.txt"] }
+ scanner = Salus::Scanners::Trufflehog.new(repository: repo, config: config)
+ scanner.run
+
+ report_h = scanner.report.to_h
+ expect(report_h[:passed]).to eq(false)
+ end
 end
+
+
 describe '#version_valid?' do
 context 'scanner version is valid' do
 it 'should return true' do
From 4b56bba32037958d09d40219771cfa965159d7d6 Mon Sep 17 00:00:00 2001
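Review bot: Both new examples run the scanner against `spec/fixtures/secrets`, and with the implementation in this series the scanner writes `filter.txt` into the repository path, so every run mutates the fixture directory and leaves a file that later examples and the next run will scan. The `spec/fixtures/secrets/filter.txt` added in this same patch, whose two lines match exactly what the scanner writes for `["url.txt", "logins.txt"]`, looks like such an artifact committed by accident rather than a fixture the tests read. Until the scanner stops writing into the tree, the spec should clean up after itself, e.g. `after { FileUtils.rm_f('spec/fixtures/secrets/filter.txt') }` in the enclosing `describe`. Minor: `["url.txt", "logins.txt" ]` carries a stray space before `]`, and the two added blank lines after `end` will probably draw a rubocop layout offence. The `describe` that encloses these examples starts outside the hunk.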
From: Maitray Shah
Date: Fri, 31 Mar 2023 09:28:29 -0700
Subject: [PATCH 6/8] fix tests
---
 spec/fixtures/secrets/filter.txt | 2 --
 spec/fixtures/secrets/salus.yaml | 7 +++++++
 spec/lib/salus/scanners/trufflehog_spec.rb | 5 +++--
 3 files changed, 10 insertions(+), 4 deletions(-)
 delete mode 100644 spec/fixtures/secrets/filter.txt
 create mode 100644 spec/fixtures/secrets/salus.yaml
diff --git a/spec/fixtures/secrets/filter.txt b/spec/fixtures/secrets/filter.txt
deleted file mode 100644
index 632b2e0c..00000000
--- a/spec/fixtures/secrets/filter.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-url.txt
-logins.txt
diff --git a/spec/fixtures/secrets/salus.yaml b/spec/fixtures/secrets/salus.yaml
new file mode 100644
index 00000000..11131e9a
--- /dev/null
+++ b/spec/fixtures/secrets/salus.yaml
@@ -0,0 +1,7 @@
+scanner_configs:
+ Trufflehog:
+ exclude_files: # List of file paths to ignore
+ - url.txt
+ - logins.txt
+ only-verified: false # Only output verified results.
+ # true by default
\ No newline at end of file
diff --git a/spec/lib/salus/scanners/trufflehog_spec.rb b/spec/lib/salus/scanners/trufflehog_spec.rb
index f2457213..bae72e05 100644
--- a/spec/lib/salus/scanners/trufflehog_spec.rb
+++ b/spec/lib/salus/scanners/trufflehog_spec.rb
@@ -129,8 +129,9 @@
 it 'should honor exclude in the config to ignore findings and pass' do
 repo = Salus::Repo.new('spec/fixtures/secrets')
- config = { "exclude_files" => ["url.txt", "logins.txt" ] }
- scanner = Salus::Scanners::Trufflehog.new(repository: repo, config: config)
+ config_data = YAML.load_file('spec/fixtures/secrets/salus.yaml')
+
+ scanner = Salus::Scanners::Trufflehog.new(repository: repo, config: config_data)
 scanner.run
 report_h = scanner.report.to_h
From c2a83659b08337d4cf4ba8e0f95b62cee4911090 Mon Sep 17 00:00:00 2001
From: Maitray Shah
Date: Fri, 31 Mar 2023 09:29:44 -0700
Subject: [PATCH 7/8] nit
---
 spec/lib/salus/scanners/trufflehog_spec.rb | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
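Review bot: `config_data = YAML.load_file('spec/fixtures/secrets/salus.yaml')` is the whole document, whose top level is `scanner_configs:`, yet it is handed straight to `config:`, while the `fail` example right below still passes the scanner's own section (`{ "exclude_files" => [...] }`) and the scanner reads `@config.fetch('exclude_files', ...)` at the top level of whatever it is given. Unless `Base` unwraps `scanner_configs` (not visible here), the exclusion list is never applied and the example may pass for an unrelated reason, since a missing `only-verified` key also switches on `--only-verified`. Selecting the scanner's section keeps the new fixture and actually exercises the feature: `config_data = YAML.load_file('spec/fixtures/secrets/salus.yaml').dig('scanner_configs', 'Trufflehog')`. The example's closing `end` is outside the hunk.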
diff --git a/spec/lib/salus/scanners/trufflehog_spec.rb b/spec/lib/salus/scanners/trufflehog_spec.rb
index bae72e05..321d1d5b 100644
--- a/spec/lib/salus/scanners/trufflehog_spec.rb
+++ b/spec/lib/salus/scanners/trufflehog_spec.rb
@@ -130,7 +130,7 @@
 it 'should honor exclude in the config to ignore findings and pass' do
 repo = Salus::Repo.new('spec/fixtures/secrets')
 config_data = YAML.load_file('spec/fixtures/secrets/salus.yaml')
-
+
 scanner = Salus::Scanners::Trufflehog.new(repository: repo, config: config_data)
 scanner.run
@@ -153,8 +153,6 @@
 end
 end
-
-
 describe '#version_valid?' do
 context 'scanner version is valid' do
 it 'should return true' do
From bbfe553172299ec18572961454558999898295bf Mon Sep 17 00:00:00 2001
From: Maitray Shah
Date: Fri, 31 Mar 2023 11:50:28 -0700
Subject: [PATCH 8/8] id switch
---
 .../npm_audit/success_with_exceptions/salus-sarif.yaml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/spec/fixtures/npm_audit/success_with_exceptions/salus-sarif.yaml b/spec/fixtures/npm_audit/success_with_exceptions/salus-sarif.yaml
index 2a60ddca..04366100 100644
--- a/spec/fixtures/npm_audit/success_with_exceptions/salus-sarif.yaml
+++ b/spec/fixtures/npm_audit/success_with_exceptions/salus-sarif.yaml
@@ -20,4 +20,9 @@ scanner_configs:
 advisory_id: "1091018",
 changed_by: "joshua.ostrom",
 notes: "See https://www.npmjs.com/advisories/48. We're not vulnerable to this because this is a regex dos and we have nothing that puts user input into it. The impact is also minimal.",
+ }
+ - {
+ advisory_id: "1091497",
+ changed_by: "maitray.shah",
+ notes: "See https://www.npmjs.com/advisories/48. We're not vulnerable to this because this is a regex dos and we have nothing that puts user input into it. The impact is also minimal.",
 }
\ No newline at end of file