diff --git a/README.md b/README.md
index 3051b61..2a28a7e 100644
--- a/README.md
+++ b/README.md
@@ -10,6 +10,8 @@ This application is written in Go language and is based on the framework provide
 The tool checks the content using a series of rules that are designed to identify a wide range of sensitive items such as AWS access token, Bitbucket Client ID, GitHub PAT etc.
 For a complete list of rules, see [docs/list-of-rules.md](docs/list-of-rules.md).
+Additionally, the tool incorporates a scoring system based on the Common Vulnerability Scoring System (CVSS) to help prioritize remediation efforts.
+
 # Installation
 The following sections explain how to install 2ms using the following methods:
@@ -397,6 +399,8 @@ The result of the validation can be:
 If the `--validate` flag is not provided, the validation field will be omitted from the output, or its value will be an empty string.
+> **Note:** The validity check also impacts the score field. If the flag is not provided, the validity is assumed to be "unknown" in the score formula.
+
 ### Special Rules
 Special rules are rules that are configured in 2ms but are not run as part of the default ruleset, usually because they are too noisy or too specific. You can use the `--add-special-rule` flag to add special rules by rule ID.
diff --git a/cmd/main.go b/cmd/main.go
index 69027f9..921ef49 100644
--- a/cmd/main.go
+++ b/cmd/main.go
@@ -76,6 +76,7 @@ var report = reporting.Init()
 var secretsChan = make(chan *secrets.Secret)
 var secretsExtrasChan = make(chan *secrets.Secret)
 var validationChan = make(chan *secrets.Secret)
+var cvssScoreWithoutValidationChan = make(chan *secrets.Secret)
 func Execute() (int, error) {
 vConfig.SetEnvPrefix(envPrefix)
@@ -149,9 +150,12 @@ func preRun(pluginName string, cmd *cobra.Command, args []string) error {
 if validateVar {
 channels.WaitGroup.Add(1)
- go processValidation(engine)
+ go processValidationAndScoreWithValidation(engine)
 }
+ channels.WaitGroup.Add(1)
+ go processScoreWithoutValidation(engine)
+
 return nil
 }
diff --git a/cmd/workers.go b/cmd/workers.go
index 6d26236..ced1e4c 100644
--- a/cmd/workers.go
+++ b/cmd/workers.go
@@ -1,6 +1,7 @@
 package cmd
 import (
+ "github.com/checkmarx/2ms/lib/secrets"
 "sync"
 "github.com/checkmarx/2ms/engine"
@@ -28,11 +29,14 @@ func processSecrets() {
 secretsExtrasChan <- secret
 if validateVar {
 validationChan <- secret
+ } else {
+ cvssScoreWithoutValidationChan <- secret
 }
 report.Results[secret.ID] = append(report.Results[secret.ID], secret)
 }
 close(secretsExtrasChan)
 close(validationChan)
+ close(cvssScoreWithoutValidationChan)
 }
 func processSecretsExtras() {
@@ -46,15 +50,29 @@ func processSecretsExtras() {
 wgExtras.Wait()
 }
-func processValidation(engine *engine.Engine) {
+func processValidationAndScoreWithValidation(engine *engine.Engine) {
 defer channels.WaitGroup.Done()
 wgValidation := &sync.WaitGroup{}
 for secret := range validationChan {
- wgValidation.Add(1)
- go engine.RegisterForValidation(secret, wgValidation)
+ wgValidation.Add(2)
+ go func(secret *secrets.Secret, wg *sync.WaitGroup) {
+ engine.RegisterForValidation(secret, wg)
+ engine.Score(secret, true, wg)
+ }(secret, wgValidation)
 }
 wgValidation.Wait()
 engine.Validate()
 }
+
+func processScoreWithoutValidation(engine *engine.Engine) {
+ defer channels.WaitGroup.Done()
+
+ wgScore := &sync.WaitGroup{}
+ for secret := range cvssScoreWithoutValidationChan {
+ wgScore.Add(1)
+ go engine.Score(secret, false, wgScore)
+ }
+ wgScore.Wait()
+}
diff --git a/engine/engine.go b/engine/engine.go
index fe1a4c6..e11e3c1 100644
--- a/engine/engine.go
+++ b/engine/engine.go
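Review bot: The `go processScoreWithoutValidation(engine)` worker is started unconditionally, so when `validateVar` is set it receives nothing and merely blocks until `processSecrets` closes `cvssScoreWithoutValidationChan` (the workers.go hunk closes it at the end of `processSecrets` regardless of `validateVar`); that is correct but not obvious next to the guarded validation worker two lines above. A one-line comment would spare the next reader the trace, e.g. `// always started: processSecrets closes cvssScoreWithoutValidationChan either way, so this exits when nothing is routed to it`. preRun's body starts and ends outside the hunk.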
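Review bot: `engine.Score(secret, true, wg)` inside the new goroutine reads `secret.ValidationStatus` right after `engine.RegisterForValidation(secret, wg)`, but this function only calls `engine.Validate()` after `wgValidation.Wait()`, and the engine.go hunk shows `RegisterForValidation` doing nothing more than `s.validator.RegisterForValidation(secret)`; unless registration validates synchronously (the name and the separate `Validate()` call suggest it does not), every validated finding is scored from a status that has not been produced yet, and a validator that writes `ValidationStatus` later is unordered with respect to the scoring goroutine. Keep registration as it was, remember the secrets that went through it, and score them only after `Validate()` returns, as below. The `wg.Done()` in `Score` keeps the second WaitGroup balanced; `processScoreWithoutValidation` is unaffected.
```go
func processValidationAndScoreWithValidation(engine *engine.Engine) {
	// … unchanged: defer channels.WaitGroup.Done() …
	wgValidation := &sync.WaitGroup{}
	var validated []*secrets.Secret
	for secret := range validationChan {
		validated = append(validated, secret)
		wgValidation.Add(1)
		go engine.RegisterForValidation(secret, wgValidation)
	}
	wgValidation.Wait()
	engine.Validate()

	// Score only now, once Validate() has populated secret.ValidationStatus.
	wgScore := &sync.WaitGroup{}
	for _, secret := range validated {
		wgScore.Add(1)
		go engine.Score(secret, true, wgScore)
	}
	wgScore.Wait()
}
```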
@@ -3,6 +3,7 @@ package engine
 import (
 "crypto/sha1"
 "fmt"
+ "github.com/checkmarx/2ms/engine/score"
 "os"
 "regexp"
 "strings"
@@ -21,9 +22,10 @@ import (
 )
 type Engine struct {
- rules map[string]config.Rule
- detector detect.Detector
- validator validation.Validator
+ rules map[string]config.Rule
+ rulesBaseRiskScore map[string]float64
+ detector detect.Detector
+ validator validation.Validator
 ignoredIds []string
 allowedValues []string
@@ -49,9 +51,11 @@ func Init(engineConfig EngineConfig) (*Engine, error) {
 }
 rulesToBeApplied := make(map[string]config.Rule)
+ rulesBaseRiskScore := make(map[string]float64)
 keywords := []string{}
 for _, rule := range *selectedRules {
 rulesToBeApplied[rule.Rule.RuleID] = rule.Rule
+ rulesBaseRiskScore[rule.Rule.RuleID] = score.GetBaseRiskScore(rule.ScoreParameters.Category, rule.ScoreParameters.RuleType)
 for _, keyword := range rule.Rule.Keywords {
 keywords = append(keywords, strings.ToLower(keyword))
 }
@@ -63,9 +67,10 @@ func Init(engineConfig EngineConfig) (*Engine, error) {
 detector.MaxTargetMegaBytes = engineConfig.MaxTargetMegabytes
 return &Engine{
- rules: rulesToBeApplied,
- detector: *detector,
- validator: *validation.NewValidator(),
+ rules: rulesToBeApplied,
+ rulesBaseRiskScore: rulesBaseRiskScore,
+ detector: *detector,
+ validator: *validation.NewValidator(),
 ignoredIds: engineConfig.IgnoredIds,
 allowedValues: engineConfig.AllowedValues,
@@ -131,6 +136,15 @@ func (s *Engine) RegisterForValidation(secret *secrets.Secret, wg *sync.WaitGrou
 s.validator.RegisterForValidation(secret)
 }
+func (s *Engine) Score(secret *secrets.Secret, validateFlag bool, wg *sync.WaitGroup) {
+ defer wg.Done()
+ validationStatus := secrets.UnknownResult // default validity
+ if validateFlag {
+ validationStatus = secret.ValidationStatus
+ }
+ secret.CvssScore = score.GetCvssScore(s.GetRuleBaseRiskScore(secret.RuleID), validationStatus)
+}
+
 func (s *Engine) Validate() {
 s.validator.Validate()
 }
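Review bot: The new `rulesBaseRiskScore[rule.Rule.RuleID] = score.GetBaseRiskScore(rule.ScoreParameters.Category, rule.ScoreParameters.RuleType)` line runs for every entry of `*selectedRules`, yet this diff only attaches `ScoreParameters` to the default rule table in rules.go; if special or custom rules reach this loop without one (how `selectedRules` is assembled is not visible here), they are scored from `Category ""` and `RuleType 0`, whose meaning to `GetBaseRiskScore` is unknown. Either guard it here — `if rule.ScoreParameters.Category == "" { /* log rule.Rule.RuleID; fall back to CategoryGeneralOrUnknown */ }` — or make the zero value an explicit "general or unknown" case inside `GetBaseRiskScore` and say so in a comment on this line. Init's body starts and ends outside the hunk.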
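Review bot: `Score` has a hidden ordering precondition that nothing in the method enforces or documents: with `validateFlag` set it copies `secret.ValidationStatus` at call time, but the status is only produced by `Validate()` (the method directly below, which is all `RegisterForValidation` feeds), so a caller that scores before `Validate()` silently gets the zero-value status. The exported method needs a doc comment stating this, e.g. `// Score sets secret.CvssScore from the rule's base risk score and, when validateFlag is true, secret.ValidationStatus, which must already be final — call Score after Validate(). Without validateFlag the status is secrets.UnknownResult. wg.Done() is called on return.` It is also worth noting in the same comment that a RuleID absent from rulesBaseRiskScore contributes a base score of 0 via `GetRuleBaseRiskScore`, since that reads as "least risky" rather than "unscored".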
@@ -191,3 +205,7 @@ func GetRulesCommand(engineConfig *EngineConfig) *cobra.Command {
 },
 }
 }
+
+func (s *Engine) GetRuleBaseRiskScore(ruleId string) float64 {
+ return s.rulesBaseRiskScore[ruleId]
+}
diff --git a/engine/rules/rule.go b/engine/rules/rule.go
index 0d70419..c25f441 100644
--- a/engine/rules/rule.go
+++ b/engine/rules/rule.go
@@ -8,9 +8,15 @@ import (
 "github.com/zricethezav/gitleaks/v8/detect"
 )
+type ScoreParameters struct {
+ Category RuleCategory
+ RuleType uint8
+}
+
 type Rule struct {
- Rule config.Rule
- Tags []string
+ Rule config.Rule
+ Tags []string
+ ScoreParameters ScoreParameters
 }
 // Copied from https://github.com/gitleaks/gitleaks/blob/463d24618fa42fc7629dc30c9744ebe36c5df1ab/cmd/generate/config/rules/rule.go
diff --git a/engine/rules/rules.go b/engine/rules/rules.go
index 70b0f16..b306057 100644
--- a/engine/rules/rules.go
+++ b/engine/rules/rules.go
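Review bot: `return s.rulesBaseRiskScore[ruleId]` turns a rule with no registered base score into 0, which every consumer of the CVSS field will read as the least risky finding rather than an unscored one, and the miss leaves no trace. Use the two-value lookup so the gap is visible and decide the fallback deliberately: `base, ok := s.rulesBaseRiskScore[ruleId]` / `if !ok { /* log ruleId; return the general/unknown baseline */ }` / `return base`. Go convention (and the `RuleID` field used elsewhere in this diff) also wants the parameter spelled `ruleID`, and the exported method needs a doc comment.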
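Review bot: `RuleType uint8` carries bare magic numbers — the rules.go table in this same diff uses only `1` and `4`, the former apparently for identifiers such as client IDs and the latter for secrets — and nothing on the type says what the values mean or which range `score.GetBaseRiskScore` accepts. Add a doc comment on the struct, e.g. `// ScoreParameters are the inputs to score.GetBaseRiskScore: the service category the secret grants access to and a rule-type weight (1 for identifiers such as client IDs, 4 for secrets — confirm against the score package).`, and preferably named constants for the two values so a stray `14` cannot compile silently. `Rule`'s new `ScoreParameters` field would then be self-explanatory.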
@@ -7,6 +7,49 @@ import (
 "github.com/zricethezav/gitleaks/v8/cmd/generate/config/rules"
 )
+type RuleCategory string
+
+const (
+ CategoryAuthenticationAndAuthorization RuleCategory = "Authentication and Authorization"
+ CategoryCryptocurrencyExchange RuleCategory = "Cryptocurrency Exchange"
+ CategoryFinancialServices RuleCategory = "Financial Services"
+ CategoryPaymentProcessing RuleCategory = "Payment Processing"
+ CategorySecurity RuleCategory = "Security"
+ CategoryAPIAccess RuleCategory = "API Access"
+ CategoryCICD RuleCategory = "CI/CD"
+ CategoryCloudPlatform RuleCategory = "Cloud Platform"
+ CategoryDatabaseAsAService RuleCategory = "Database as a Service"
+ CategoryDevelopmentPlatform RuleCategory = "Development Platform"
+ CategoryEmailDeliveryService RuleCategory = "Email Delivery Service"
+ CategoryInfrastructureAsCode RuleCategory = "Infrastructure as Code (IaC)"
+ CategoryPackageManagement RuleCategory = "Package Management"
+ CategorySourceCodeManagement RuleCategory = "Source Code Management"
+ CategoryWebHostingAndDeployment RuleCategory = "Web Hosting and Deployment"
+ CategoryBackgroundProcessingService RuleCategory = "Background Processing Service"
+ CategoryCDN RuleCategory = "CDN (Content Delivery Network)"
+ CategoryContentManagementSystem RuleCategory = "Content Management System (CMS)"
+ CategoryCustomerSupport RuleCategory = "Customer Support"
+ CategoryDataAnalytics RuleCategory = "Data Analytics"
+ CategoryFileStorageAndSharing RuleCategory = "File Storage and Sharing"
+ CategoryIoTPlatform RuleCategory = "IoT platform"
+ CategoryMappingAndLocationServices RuleCategory = "Mapping and Location Services"
+ CategoryNetworking RuleCategory = "Networking"
+ CategoryPhotoSharing RuleCategory = "Photo Sharing"
+ CategorySaaS RuleCategory = "SaaS"
+ CategoryShipping RuleCategory = "Shipping"
+ CategorySoftwareDevelopment RuleCategory = "Software Development"
+ CategoryAIAndMachineLearning RuleCategory = "AI and Machine Learning"
+ CategoryApplicationMonitoring RuleCategory = "Application Monitoring"
+ CategoryECommercePlatform RuleCategory = "E-commerce Platform"
+ CategoryMarketingAutomation RuleCategory = "Marketing Automation"
+ CategoryNewsAndMedia RuleCategory = "News and Media"
+ CategoryOnlineSurveyPlatform RuleCategory = "Online Survey Platform"
+ CategoryProjectManagement RuleCategory = "Project Management"
+ CategorySearchService RuleCategory = "Search Service"
+ CategorySocialMedia RuleCategory = "Social Media"
+ CategoryGeneralOrUnknown RuleCategory = "general or unknown"
+)
+
 const TagApiKey = "api-key"
 const TagClientId = "client-id"
 const TagClientSecret = "client-secret"
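Review bot: `CategoryGeneralOrUnknown RuleCategory = "general or unknown"` (and `CategoryIoTPlatform = "IoT platform"`) break the Title Case every other value uses; if these strings are keys into the score package's tables or appear in reports, the odd ones out will either mis-key or look like typos. Normalise them — `CategoryGeneralOrUnknown RuleCategory = "General or Unknown"` — provided the score package does not already match on the current spelling (not visible here). `RuleCategory` itself is exported without a doc comment; `// RuleCategory names the kind of service a rule's secret grants access to; it is one of the two inputs to the base risk score.` would do.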
@@ -29,173 +72,173 @@ const TagWebhook = "webhook"
 func getDefaultRules() *[]Rule {
 allRules := &[]Rule{
- {Rule: *rules.AdafruitAPIKey(), Tags: []string{TagApiKey}},
- {Rule: *rules.AdobeClientID(), Tags: []string{TagClientId}},
- {Rule: *rules.AdobeClientSecret(), Tags: []string{TagClientSecret}},
- {Rule: *rules.AgeSecretKey(), Tags: []string{TagSecretKey}},
- {Rule: *rules.Airtable(), Tags: []string{TagApiKey}},
- {Rule: *rules.AlgoliaApiKey(), Tags: []string{TagApiKey}},
- {Rule: *rules.AlibabaAccessKey(), Tags: []string{TagAccessKey, TagAccessId}},
- {Rule: *rules.AlibabaSecretKey(), Tags: []string{TagSecretKey}},
- {Rule: *rules.AsanaClientID(), Tags: []string{TagClientId}},
- {Rule: *rules.AsanaClientSecret(), Tags: []string{TagClientSecret}},
- {Rule: *rules.Atlassian(), Tags: []string{TagApiToken}},
- {Rule: *rules.Authress(), Tags: []string{TagAccessToken}},
- {Rule: *rules.AWS(), Tags: []string{TagAccessToken}},
- {Rule: *rules.BitBucketClientID(), Tags: []string{TagClientId}},
- {Rule: *rules.BitBucketClientSecret(), Tags: []string{TagClientSecret}},
- {Rule: *rules.BittrexAccessKey(), Tags: []string{TagAccessKey}},
- {Rule: *rules.BittrexSecretKey(), Tags: []string{TagSecretKey}},
- {Rule: *rules.Beamer(), Tags: []string{TagApiToken}},
- {Rule: *rules.CodecovAccessToken(), Tags: []string{TagAccessToken}},
- {Rule: *rules.CoinbaseAccessToken(), Tags: []string{TagAccessToken}},
- {Rule: *rules.Clojars(), Tags: []string{TagApiToken}},
- {Rule: *rules.ConfluentAccessToken(), Tags: []string{TagAccessToken}},
- {Rule: *rules.ConfluentSecretKey(), Tags: []string{TagSecretKey}},
- {Rule: *rules.Contentful(), Tags: []string{TagApiToken}},
- {Rule: *rules.Databricks(), Tags: []string{TagApiToken}},
- {Rule: *rules.DatadogtokenAccessToken(), Tags: []string{TagAccessToken, TagClientId}},
- {Rule: *rules.DefinedNetworkingAPIToken(), Tags: []string{TagApiToken}},
- {Rule: *rules.DigitalOceanPAT(), Tags: []string{TagAccessToken}},
- {Rule: *rules.DigitalOceanOAuthToken(), Tags: []string{TagAccessToken}},
- {Rule: *rules.DigitalOceanRefreshToken(), Tags: []string{TagRefreshToken}},
- {Rule: *rules.DiscordAPIToken(), Tags: []string{TagApiKey, TagApiToken}},
- {Rule: *rules.DiscordClientID(), Tags: []string{TagClientId}},
- {Rule: *rules.DiscordClientSecret(), Tags: []string{TagClientSecret}},
- {Rule: *rules.Doppler(), Tags: []string{TagApiToken}},
- {Rule: *rules.DropBoxAPISecret(), Tags: []string{TagApiToken}},
- {Rule: *rules.DropBoxShortLivedAPIToken(), Tags: []string{TagApiToken}},
- {Rule: *rules.DropBoxLongLivedAPIToken(), Tags: []string{TagApiToken}},
- {Rule: *rules.DroneciAccessToken(), Tags: []string{TagAccessToken}},
- {Rule: *rules.Duffel(), Tags: []string{TagApiToken}},
- {Rule: *rules.Dynatrace(), Tags: []string{TagApiToken}},
- {Rule: *rules.EasyPost(), Tags: []string{TagApiToken}},
- {Rule: *rules.EasyPostTestAPI(), Tags: []string{TagApiToken}},
- {Rule: *rules.EtsyAccessToken(), Tags: []string{TagAccessToken}},
- {Rule: *rules.Facebook(), Tags: []string{TagApiToken}},
- {Rule: *rules.FastlyAPIToken(), Tags: []string{TagApiToken, TagApiKey}},
- {Rule: *rules.FinicityClientSecret(), Tags: []string{TagClientSecret}},
- {Rule: *rules.FinicityAPIToken(), Tags: []string{TagApiToken}},
- {Rule: *rules.FlickrAccessToken(), Tags: []string{TagAccessToken}},
- {Rule: *rules.FinnhubAccessToken(), Tags: []string{TagAccessToken}},
- {Rule: *rules.FlutterwavePublicKey(), Tags: []string{TagPublicKey}},
- {Rule: *rules.FlutterwaveSecretKey(), Tags: []string{TagSecretKey}},
- {Rule: *rules.FlutterwaveEncKey(), Tags: []string{TagEncryptionKey}},
- {Rule: *rules.FrameIO(), Tags: []string{TagApiToken}},
- {Rule: *rules.FreshbooksAccessToken(), Tags: []string{TagAccessToken}},
- {Rule: *rules.GCPAPIKey(), Tags: []string{TagApiKey}},
- {Rule: *rules.GenericCredential(), Tags: []string{TagApiKey}},
- {Rule: *rules.GitHubPat(), Tags: []string{TagAccessToken}},
- {Rule: *rules.GitHubFineGrainedPat(), Tags: []string{TagAccessToken}},
- {Rule: *rules.GitHubOauth(), Tags: []string{TagAccessToken}},
- {Rule: *rules.GitHubApp(), Tags: []string{TagAccessToken}},
- {Rule: *rules.GitHubRefresh(), Tags: []string{TagRefreshToken}},
- {Rule: *rules.GitlabPat(), Tags: []string{TagAccessToken}},
- {Rule: *rules.GitlabPipelineTriggerToken(), Tags: []string{TagTriggerToken}},
- {Rule: *rules.GitlabRunnerRegistrationToken(), Tags: []string{TagRegistrationToken}},
- {Rule: *rules.GitterAccessToken(), Tags: []string{TagAccessToken}},
- {Rule: *rules.GoCardless(), Tags: []string{TagApiToken}},
- {Rule: *rules.GrafanaApiKey(), Tags: []string{TagApiKey}},
- {Rule: *rules.GrafanaCloudApiToken(), Tags: []string{TagApiToken}},
- {Rule: *rules.GrafanaServiceAccountToken(), Tags: []string{TagAccessToken}},
- {Rule: *rules.Hashicorp(), Tags: []string{TagApiToken}},
- {Rule: *rules.HashicorpField(), Tags: []string{TagPassword}},
- {Rule: *rules.Heroku(), Tags: []string{TagApiKey}},
- {Rule: *rules.HubSpot(), Tags: []string{TagApiToken, TagApiKey}},
- {Rule: *rules.HuggingFaceAccessToken(), Tags: []string{TagAccessToken}},
- {Rule: *rules.HuggingFaceOrganizationApiToken(), Tags: []string{TagApiToken}},
- {Rule: *rules.InfracostAPIToken(), Tags: []string{TagApiToken}},
- {Rule: *rules.Intercom(), Tags: []string{TagApiToken, TagApiKey}},
- {Rule: *rules.JFrogAPIKey(), Tags: []string{TagApiKey}},
- {Rule: *rules.JFrogIdentityToken(), Tags: []string{TagAccessToken}},
- {Rule: *rules.JWT(), Tags: []string{TagAccessToken}},
- {Rule: *rules.JWTBase64(), Tags: []string{TagAccessToken}},
- {Rule: *rules.KrakenAccessToken(), Tags: []string{TagAccessToken}},
- {Rule: *rules.KucoinAccessToken(), Tags: []string{TagAccessToken}},
- {Rule: *rules.KucoinSecretKey(), Tags: []string{TagSecretKey}},
- {Rule: *rules.LaunchDarklyAccessToken(), Tags: []string{TagAccessToken}},
- {Rule: *rules.LinearAPIToken(), Tags: []string{TagApiToken, TagApiKey}},
- {Rule: *rules.LinearClientSecret(), Tags: []string{TagClientSecret}},
- {Rule: *rules.LinkedinClientID(), Tags: []string{TagClientId}},
- {Rule: *rules.LinkedinClientSecret(), Tags: []string{TagClientSecret}},
- {Rule: *rules.LobAPIToken(), Tags: []string{TagApiKey}},
- {Rule: *rules.LobPubAPIToken(), Tags: []string{TagApiKey}},
- {Rule: *rules.MailChimp(), Tags: []string{TagApiKey}},
- {Rule: *rules.MailGunPubAPIToken(), Tags: []string{TagPublicKey}},
- {Rule: *rules.MailGunPrivateAPIToken(), Tags: []string{TagPrivateKey}},
- {Rule: *rules.MailGunSigningKey(), Tags: []string{TagApiKey}},
- {Rule: *rules.MapBox(), Tags: []string{TagApiToken}},
- {Rule: *rules.MattermostAccessToken(), Tags: []string{TagAccessToken}},
- {Rule: *rules.MessageBirdAPIToken(), Tags: []string{TagApiToken}},
- {Rule: *rules.MessageBirdClientID(), Tags: []string{TagClientId}},
- {Rule: *rules.NetlifyAccessToken(), Tags: []string{TagAccessToken}},
- {Rule: *rules.NewRelicUserID(), Tags: []string{TagApiKey}},
- {Rule: *rules.NewRelicUserKey(), Tags: []string{TagAccessId}},
- {Rule: *rules.NewRelicBrowserAPIKey(), Tags: []string{TagApiToken}},
- {Rule: *rules.NPM(), Tags: []string{TagAccessToken}},
- {Rule: *rules.NytimesAccessToken(), Tags: []string{TagAccessToken}},
- {Rule: *rules.OktaAccessToken(), Tags: []string{TagAccessToken}},
- {Rule: *rules.OpenAI(), Tags: []string{TagApiKey}},
- {Rule: *PlaidAccessID(), Tags: []string{TagClientId}},
- // {Rule: *rules.PlaidSecretKey(), Tags: []string{TagSecretKey}}, https://github.com/Checkmarx/2ms/issues/226
- // {Rule: *rules.PlaidAccessToken(), Tags: []string{TagApiToken}}, https://github.com/Checkmarx/2ms/issues/226
- {Rule: *rules.PlanetScalePassword(), Tags: []string{TagPassword}},
- {Rule: *rules.PlanetScaleAPIToken(), Tags: []string{TagApiToken}},
- {Rule: *rules.PlanetScaleOAuthToken(), Tags: []string{TagAccessToken}},
- {Rule: *rules.PostManAPI(), Tags: []string{TagApiToken}},
- {Rule: *rules.Prefect(), Tags: []string{TagApiToken}},
- {Rule: *rules.PrivateKey(), Tags: []string{TagPrivateKey}},
- {Rule: *rules.PulumiAPIToken(), Tags: []string{TagApiToken}},
- {Rule: *rules.PyPiUploadToken(), Tags: []string{TagUploadToken}},
- {Rule: *rules.RapidAPIAccessToken(), Tags: []string{TagAccessToken}},
- {Rule: *rules.ReadMe(), Tags: []string{TagApiToken}},
- {Rule: *rules.RubyGemsAPIToken(), Tags: []string{TagApiToken}},
- // {Rule: *rules.ScalingoAPIToken(), Tags: []string{TagApiToken}}, https://github.com/Checkmarx/2ms/issues/226
- {Rule: *rules.SendbirdAccessID(), Tags: []string{TagAccessId}},
- {Rule: *rules.SendbirdAccessToken(), Tags: []string{TagAccessToken}},
- {Rule: *rules.SendGridAPIToken(), Tags: []string{TagApiToken}},
- {Rule: *rules.SendInBlueAPIToken(), Tags: []string{TagApiToken}},
- {Rule: *rules.SentryAccessToken(), Tags: []string{TagAccessToken}},
- {Rule: *rules.ShippoAPIToken(), Tags: []string{TagApiToken}},
- {Rule: *rules.ShopifyAccessToken(), Tags: []string{TagAccessToken}},
- {Rule: *rules.ShopifyCustomAccessToken(), Tags: []string{TagAccessToken}},
- {Rule: *rules.ShopifyPrivateAppAccessToken(), Tags: []string{TagAccessToken}},
- {Rule: *rules.ShopifySharedSecret(), Tags: []string{TagPublicSecret}},
- {Rule: *rules.SidekiqSecret(), Tags: []string{TagSecretKey}},
- {Rule: *rules.SidekiqSensitiveUrl(), Tags: []string{TagSensitiveUrl}},
- {Rule: *rules.SlackBotToken(), Tags: []string{TagAccessToken}},
- {Rule: *rules.SlackAppLevelToken(), Tags: []string{TagAccessToken}},
- {Rule: *rules.SlackLegacyToken(), Tags: []string{TagAccessToken}},
- {Rule: *rules.SlackUserToken(), Tags: []string{TagAccessToken}},
- {Rule: *rules.SlackConfigurationToken(), Tags: []string{TagAccessToken}},
- {Rule: *rules.SlackConfigurationRefreshToken(), Tags: []string{TagRefreshToken}},
- {Rule: *rules.SlackLegacyBotToken(), Tags: []string{TagAccessToken}},
- {Rule: *rules.SlackLegacyWorkspaceToken(), Tags: []string{TagAccessToken}},
- {Rule: *rules.SlackWebHookUrl(), Tags: []string{TagWebhook}},
- {Rule: *rules.StripeAccessToken(), Tags: []string{TagAccessToken}},
- {Rule: *rules.SquareAccessToken(), Tags: []string{TagAccessToken}},
- {Rule: *rules.SquareSpaceAccessToken(), Tags: []string{TagAccessToken}},
- // {Rule: *rules.SumoLogicAccessID(), Tags: []string{TagAccessId}}, https://github.com/Checkmarx/2ms/issues/226
- {Rule: *rules.SumoLogicAccessToken(), Tags: []string{TagAccessToken}},
- {Rule: *rules.Snyk(), Tags: []string{TagApiKey}},
- {Rule: *rules.TeamsWebhook(), Tags: []string{TagWebhook}},
- {Rule: *rules.TelegramBotToken(), Tags: []string{TagApiToken}},
- {Rule: *rules.TravisCIAccessToken(), Tags: []string{TagAccessToken}},
- {Rule: *rules.Twilio(), Tags: []string{TagApiKey}},
- {Rule: *rules.TwitchAPIToken(), Tags: []string{TagApiToken}},
- {Rule: *rules.TwitterAPIKey(), Tags: []string{TagApiKey}},
- {Rule: *rules.TwitterAPISecret(), Tags: []string{TagApiKey}},
- {Rule: *rules.TwitterAccessToken(), Tags: []string{TagAccessToken}},
- {Rule: *rules.TwitterAccessSecret(), Tags: []string{TagPublicSecret}},
- {Rule: *rules.TwitterBearerToken(), Tags: []string{TagApiToken}},
- {Rule: *rules.Typeform(), Tags: []string{TagApiToken}},
- {Rule: *rules.VaultBatchToken(), Tags: []string{TagApiToken}},
- {Rule: *VaultServiceToken(), Tags: []string{TagApiToken}},
- {Rule: *rules.YandexAPIKey(), Tags: []string{TagApiKey}},
- {Rule: *rules.YandexAWSAccessToken(), Tags: []string{TagAccessToken}},
- {Rule: *rules.YandexAccessToken(), Tags: []string{TagAccessToken}},
- {Rule: *rules.ZendeskSecretKey(), Tags: []string{TagSecretKey}},
- {Rule: *AuthenticatedURL(), Tags: []string{TagSensitiveUrl}},
+ {Rule: *rules.AdafruitAPIKey(), Tags: []string{TagApiKey}, ScoreParameters: ScoreParameters{Category: CategoryIoTPlatform, RuleType: 4}},
+ {Rule: *rules.AdobeClientID(), Tags: []string{TagClientId}, ScoreParameters: ScoreParameters{Category: CategorySaaS, RuleType: 1}},
+ {Rule: *rules.AdobeClientSecret(), Tags: []string{TagClientSecret}, ScoreParameters: ScoreParameters{Category: CategorySaaS, RuleType: 4}},
+ {Rule: *rules.AgeSecretKey(), Tags: []string{TagSecretKey}, ScoreParameters: ScoreParameters{Category: CategoryGeneralOrUnknown, RuleType: 4}},
+ {Rule: *rules.Airtable(), Tags: []string{TagApiKey}, ScoreParameters: ScoreParameters{Category: CategoryDatabaseAsAService, RuleType: 4}},
+ {Rule: *rules.AlgoliaApiKey(), Tags: []string{TagApiKey}, ScoreParameters: ScoreParameters{Category: CategorySearchService, RuleType: 4}},
+ {Rule: *rules.AlibabaAccessKey(), Tags: []string{TagAccessKey, TagAccessId}, ScoreParameters: ScoreParameters{Category: CategoryCloudPlatform, RuleType: 1}},
+ {Rule: *rules.AlibabaSecretKey(), Tags: []string{TagSecretKey}, ScoreParameters: ScoreParameters{Category: CategoryCloudPlatform, RuleType: 4}},
+ {Rule: *rules.AsanaClientID(), Tags: []string{TagClientId}, ScoreParameters: ScoreParameters{Category: CategoryProjectManagement, RuleType: 1}},
+ {Rule: *rules.AsanaClientSecret(), Tags: []string{TagClientSecret}, ScoreParameters: ScoreParameters{Category: CategoryProjectManagement, RuleType: 4}},
+ {Rule: *rules.Atlassian(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: CategorySoftwareDevelopment, RuleType: 4}},
+ {Rule: *rules.Authress(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategoryAuthenticationAndAuthorization, RuleType: 4}},
+ {Rule: *rules.AWS(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategoryAuthenticationAndAuthorization, RuleType: 4}},
+ {Rule: *rules.BitBucketClientID(), Tags: []string{TagClientId}, ScoreParameters: ScoreParameters{Category: CategorySourceCodeManagement, RuleType: 1}},
+ {Rule: *rules.BitBucketClientSecret(), Tags: []string{TagClientSecret}, ScoreParameters: ScoreParameters{Category: CategorySourceCodeManagement, RuleType: 4}},
+ {Rule: *rules.BittrexAccessKey(), Tags: []string{TagAccessKey}, ScoreParameters: ScoreParameters{Category: CategoryCryptocurrencyExchange, RuleType: 4}},
+ {Rule: *rules.BittrexSecretKey(), Tags: []string{TagSecretKey}, ScoreParameters: ScoreParameters{Category: CategoryCryptocurrencyExchange, RuleType: 4}},
+ {Rule: *rules.Beamer(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: CategoryNewsAndMedia, RuleType: 4}},
+ {Rule: *rules.CodecovAccessToken(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategorySecurity, RuleType: 4}},
+ {Rule: *rules.CoinbaseAccessToken(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategoryCryptocurrencyExchange, RuleType: 4}},
+ {Rule: *rules.Clojars(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: CategoryPackageManagement, RuleType: 4}},
+ {Rule: *rules.ConfluentAccessToken(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategorySocialMedia, RuleType: 4}},
+ {Rule: *rules.ConfluentSecretKey(), Tags: []string{TagSecretKey}, ScoreParameters: ScoreParameters{Category: CategorySocialMedia, RuleType: 4}},
+ {Rule: *rules.Contentful(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: CategoryContentManagementSystem, RuleType: 4}},
+ {Rule: *rules.Databricks(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: CategoryDataAnalytics, RuleType: 4}},
+ {Rule: *rules.DatadogtokenAccessToken(), Tags: []string{TagAccessToken, TagClientId}, ScoreParameters: ScoreParameters{Category: CategoryApplicationMonitoring, RuleType: 4}},
+ {Rule: *rules.DefinedNetworkingAPIToken(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: CategoryNetworking, RuleType: 4}},
+ {Rule: *rules.DigitalOceanPAT(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategoryCloudPlatform, RuleType: 4}},
+ {Rule: *rules.DigitalOceanOAuthToken(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategoryCloudPlatform, RuleType: 4}},
+ {Rule: *rules.DigitalOceanRefreshToken(), Tags: []string{TagRefreshToken}, ScoreParameters: ScoreParameters{Category: CategoryAPIAccess, RuleType: 4}},
+ {Rule: *rules.DiscordAPIToken(), Tags: []string{TagApiKey, TagApiToken}, ScoreParameters: ScoreParameters{Category: CategorySocialMedia, RuleType: 4}},
+ {Rule: *rules.DiscordClientID(), Tags: []string{TagClientId}, ScoreParameters: ScoreParameters{Category: CategorySocialMedia, RuleType: 1}},
+ {Rule: *rules.DiscordClientSecret(), Tags: []string{TagClientSecret}, ScoreParameters: ScoreParameters{Category: CategorySocialMedia, RuleType: 4}},
+ {Rule: *rules.Doppler(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: CategoryCICD, RuleType: 4}},
+ {Rule: *rules.DropBoxAPISecret(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: CategoryFileStorageAndSharing, RuleType: 4}},
+ {Rule: *rules.DropBoxShortLivedAPIToken(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: CategoryFileStorageAndSharing, RuleType: 4}},
+ {Rule: *rules.DropBoxLongLivedAPIToken(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: CategoryFileStorageAndSharing, RuleType: 4}},
+ {Rule: *rules.DroneciAccessToken(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategoryCICD, RuleType: 4}},
+ {Rule: *rules.Duffel(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: CategoryAPIAccess, RuleType: 4}},
+ {Rule: *rules.Dynatrace(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: CategoryApplicationMonitoring, RuleType: 4}},
+ {Rule: *rules.EasyPost(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: CategoryShipping, RuleType: 4}},
+ {Rule: *rules.EasyPostTestAPI(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: CategoryShipping, RuleType: 4}},
+ {Rule: *rules.EtsyAccessToken(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategoryECommercePlatform, RuleType: 4}},
+ {Rule: *rules.Facebook(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: CategorySocialMedia, RuleType: 4}},
+ {Rule: *rules.FastlyAPIToken(), Tags: []string{TagApiToken, TagApiKey}, ScoreParameters: ScoreParameters{Category: CategoryCDN, RuleType: 4}},
+ {Rule: *rules.FinicityClientSecret(), Tags: []string{TagClientSecret}, ScoreParameters: ScoreParameters{Category: CategoryFinancialServices, RuleType: 4}},
+ {Rule: *rules.FinicityAPIToken(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: CategoryFinancialServices, RuleType: 4}},
+ {Rule: *rules.FlickrAccessToken(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategoryPhotoSharing, RuleType: 4}},
+ {Rule: *rules.FinnhubAccessToken(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategoryFinancialServices, RuleType: 4}},
+ {Rule: *rules.FlutterwavePublicKey(), Tags: []string{TagPublicKey}, ScoreParameters: ScoreParameters{Category: CategoryPaymentProcessing, RuleType: 4}},
+ {Rule: *rules.FlutterwaveSecretKey(), Tags: []string{TagSecretKey}, ScoreParameters: ScoreParameters{Category: CategoryPaymentProcessing, RuleType: 4}},
+ {Rule: *rules.FlutterwaveEncKey(), Tags: []string{TagEncryptionKey}, ScoreParameters: ScoreParameters{Category: CategoryPaymentProcessing, RuleType: 4}},
+ {Rule: *rules.FrameIO(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: CategoryNewsAndMedia, RuleType: 4}},
+ {Rule: *rules.FreshbooksAccessToken(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategoryFinancialServices, RuleType: 4}},
+ {Rule: *rules.GCPAPIKey(), Tags: []string{TagApiKey}, ScoreParameters: ScoreParameters{Category: CategoryCloudPlatform, RuleType: 4}},
+ {Rule: *rules.GenericCredential(), Tags: []string{TagApiKey}, ScoreParameters: ScoreParameters{Category: CategoryGeneralOrUnknown, RuleType: 4}},
+ {Rule: *rules.GitHubPat(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategoryDevelopmentPlatform, RuleType: 4}},
+ {Rule: *rules.GitHubFineGrainedPat(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategoryAPIAccess, RuleType: 4}},
+ {Rule: *rules.GitHubOauth(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategoryAuthenticationAndAuthorization, RuleType: 4}},
+ {Rule: *rules.GitHubApp(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategoryCICD, RuleType: 4}},
+ {Rule: *rules.GitHubRefresh(), Tags: []string{TagRefreshToken}, ScoreParameters: ScoreParameters{Category: CategoryAuthenticationAndAuthorization, RuleType: 4}},
+ {Rule: *rules.GitlabPat(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategorySourceCodeManagement, RuleType: 4}},
+ {Rule: *rules.GitlabPipelineTriggerToken(), Tags: []string{TagTriggerToken}, ScoreParameters: ScoreParameters{Category: CategoryCICD, RuleType: 4}},
+ {Rule: *rules.GitlabRunnerRegistrationToken(), Tags: []string{TagRegistrationToken}, ScoreParameters: ScoreParameters{Category: CategoryCICD, RuleType: 4}},
+ {Rule: *rules.GitterAccessToken(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategorySocialMedia, RuleType: 4}},
+ {Rule: *rules.GoCardless(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: CategoryPaymentProcessing, RuleType: 4}},
+ {Rule: *rules.GrafanaApiKey(), Tags: []string{TagApiKey}, ScoreParameters: ScoreParameters{Category: CategoryApplicationMonitoring, RuleType: 4}},
+ {Rule: *rules.GrafanaCloudApiToken(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: CategoryApplicationMonitoring, RuleType: 4}},
+ {Rule: *rules.GrafanaServiceAccountToken(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategoryApplicationMonitoring, RuleType: 4}},
+ {Rule: *rules.Hashicorp(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: CategoryInfrastructureAsCode, RuleType: 4}},
+ {Rule: *rules.HashicorpField(), Tags: []string{TagPassword}, ScoreParameters: ScoreParameters{Category: CategoryInfrastructureAsCode, RuleType: 4}},
+ {Rule: *rules.Heroku(), Tags: []string{TagApiKey}, ScoreParameters: ScoreParameters{Category: CategorySaaS, RuleType: 4}},
+ {Rule: *rules.HubSpot(), Tags: []string{TagApiToken, TagApiKey}, ScoreParameters: ScoreParameters{Category: CategoryMarketingAutomation, RuleType: 4}},
+ {Rule: *rules.HuggingFaceAccessToken(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategoryAIAndMachineLearning, RuleType: 4}},
+ {Rule: *rules.HuggingFaceOrganizationApiToken(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: CategoryAIAndMachineLearning, RuleType: 4}},
+ {Rule: *rules.InfracostAPIToken(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: CategoryFinancialServices, RuleType: 4}},
+ {Rule: *rules.Intercom(), Tags: []string{TagApiToken, TagApiKey}, ScoreParameters: ScoreParameters{Category: CategoryCustomerSupport, RuleType: 4}},
+ {Rule: *rules.JFrogAPIKey(), Tags: []string{TagApiKey}, ScoreParameters: ScoreParameters{Category: CategoryCICD, RuleType: 4}},
+ {Rule: *rules.JFrogIdentityToken(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategoryCICD, RuleType: 4}},
+ {Rule: *rules.JWT(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategoryGeneralOrUnknown, RuleType: 4}},
+ {Rule: *rules.JWTBase64(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategoryGeneralOrUnknown, RuleType: 4}},
+ {Rule: *rules.KrakenAccessToken(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategoryAuthenticationAndAuthorization, RuleType: 4}},
+ {Rule: *rules.KucoinAccessToken(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategoryCryptocurrencyExchange, RuleType: 4}},
+ {Rule: *rules.KucoinSecretKey(), Tags: []string{TagSecretKey}, ScoreParameters: ScoreParameters{Category: CategoryCryptocurrencyExchange, RuleType: 4}},
+ {Rule: *rules.LaunchDarklyAccessToken(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategorySourceCodeManagement, RuleType: 4}},
+ {Rule: *rules.LinearAPIToken(), Tags: []string{TagApiToken, TagApiKey}, ScoreParameters: ScoreParameters{Category: CategoryAPIAccess, RuleType: 4}},
+ {Rule: *rules.LinearClientSecret(), Tags: []string{TagClientSecret}, ScoreParameters: ScoreParameters{Category: CategoryAuthenticationAndAuthorization, RuleType: 4}},
+ {Rule: *rules.LinkedinClientID(), Tags: []string{TagClientId}, ScoreParameters: ScoreParameters{Category: CategorySocialMedia, RuleType: 1}},
+ {Rule: *rules.LinkedinClientSecret(), Tags: []string{TagClientSecret}, ScoreParameters: ScoreParameters{Category: CategorySocialMedia, RuleType: 4}},
+ {Rule: *rules.LobAPIToken(), Tags: []string{TagApiKey}, ScoreParameters: ScoreParameters{Category: CategoryAPIAccess, RuleType: 4}},
+ {Rule: *rules.LobPubAPIToken(), Tags: []string{TagApiKey}, ScoreParameters: ScoreParameters{Category: CategoryAPIAccess, RuleType: 4}},
+ {Rule: *rules.MailChimp(), Tags: []string{TagApiKey}, ScoreParameters: ScoreParameters{Category: CategoryEmailDeliveryService, RuleType: 4}},
+ {Rule: *rules.MailGunPubAPIToken(), Tags: []string{TagPublicKey}, ScoreParameters: ScoreParameters{Category: CategoryEmailDeliveryService, RuleType: 4}},
+ {Rule: *rules.MailGunPrivateAPIToken(), Tags: []string{TagPrivateKey}, ScoreParameters: ScoreParameters{Category: CategoryEmailDeliveryService, RuleType: 4}},
+ {Rule: *rules.MailGunSigningKey(), Tags: []string{TagApiKey}, ScoreParameters: ScoreParameters{Category: CategoryEmailDeliveryService, RuleType: 4}},
+ {Rule: *rules.MapBox(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: CategoryMappingAndLocationServices, RuleType: 4}},
+ {Rule: *rules.MattermostAccessToken(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategorySocialMedia, RuleType: 4}},
+ {Rule: *rules.MessageBirdAPIToken(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: CategorySocialMedia, RuleType: 4}},
+ {Rule: *rules.MessageBirdClientID(), Tags: []string{TagClientId}, ScoreParameters: ScoreParameters{Category: CategorySocialMedia, RuleType: 1}},
+ {Rule: *rules.NetlifyAccessToken(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategoryWebHostingAndDeployment, RuleType: 4}},
+ {Rule: *rules.NewRelicUserID(), Tags: []string{TagApiKey}, ScoreParameters: ScoreParameters{Category: CategoryApplicationMonitoring, RuleType: 1}},
+ {Rule: *rules.NewRelicUserKey(), Tags: []string{TagAccessId}, ScoreParameters: ScoreParameters{Category: CategoryApplicationMonitoring, RuleType: 4}},
+ {Rule: *rules.NewRelicBrowserAPIKey(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: CategoryApplicationMonitoring, RuleType: 4}},
+ {Rule: *rules.NPM(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategoryPackageManagement, RuleType: 4}},
+ {Rule: *rules.NytimesAccessToken(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategoryNewsAndMedia, RuleType: 4}},
+ {Rule: *rules.OktaAccessToken(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategoryAuthenticationAndAuthorization, RuleType: 4}},
+ {Rule: *rules.OpenAI(), Tags: []string{TagApiKey}, ScoreParameters: ScoreParameters{Category: CategoryAIAndMachineLearning, RuleType: 4}},
+ {Rule: *PlaidAccessID(), Tags: []string{TagClientId}, ScoreParameters: ScoreParameters{Category: CategoryFinancialServices, RuleType: 1}},
+ // {Rule: *rules.PlaidSecretKey(), Tags: []string{TagSecretKey}, ScoreParameters: ScoreParameters{Category: CategoryFinancialServices, 
RuleType: 4}}, https://github.com/Checkmarx/2ms/issues/226 + // {Rule: *rules.PlaidAccessToken(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: CategoryFinancialServices, RuleType: 4}}, https://github.com/Checkmarx/2ms/issues/226 + {Rule: *rules.PlanetScalePassword(), Tags: []string{TagPassword}, ScoreParameters: ScoreParameters{Category: CategoryDatabaseAsAService, RuleType: 4}}, + {Rule: *rules.PlanetScaleAPIToken(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: CategoryDatabaseAsAService, RuleType: 4}}, + {Rule: *rules.PlanetScaleOAuthToken(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategoryDatabaseAsAService, RuleType: 4}}, + {Rule: *rules.PostManAPI(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: CategoryAPIAccess, RuleType: 4}}, + {Rule: *rules.Prefect(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: CategoryAPIAccess, RuleType: 4}}, + {Rule: *rules.PrivateKey(), Tags: []string{TagPrivateKey}, ScoreParameters: ScoreParameters{Category: CategoryGeneralOrUnknown, RuleType: 4}}, + {Rule: *rules.PulumiAPIToken(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: CategoryCloudPlatform, RuleType: 4}}, + {Rule: *rules.PyPiUploadToken(), Tags: []string{TagUploadToken}, ScoreParameters: ScoreParameters{Category: CategoryPackageManagement, RuleType: 4}}, + {Rule: *rules.RapidAPIAccessToken(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategoryAPIAccess, RuleType: 4}}, + {Rule: *rules.ReadMe(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: CategoryAPIAccess, RuleType: 4}}, + {Rule: *rules.RubyGemsAPIToken(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: CategoryPackageManagement, RuleType: 4}}, + // {Rule: *rules.ScalingoAPIToken(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: 
CategoryWebHostingAndDeployment, RuleType: 4}}, https://github.com/Checkmarx/2ms/issues/226 + {Rule: *rules.SendbirdAccessID(), Tags: []string{TagAccessId}, ScoreParameters: ScoreParameters{Category: CategorySocialMedia, RuleType: 1}}, + {Rule: *rules.SendbirdAccessToken(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategorySocialMedia, RuleType: 4}}, + {Rule: *rules.SendGridAPIToken(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: CategoryEmailDeliveryService, RuleType: 4}}, + {Rule: *rules.SendInBlueAPIToken(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: CategoryEmailDeliveryService, RuleType: 4}}, + {Rule: *rules.SentryAccessToken(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategoryApplicationMonitoring, RuleType: 4}}, + {Rule: *rules.ShippoAPIToken(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: CategoryShipping, RuleType: 4}}, + {Rule: *rules.ShopifyAccessToken(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategoryECommercePlatform, RuleType: 4}}, + {Rule: *rules.ShopifyCustomAccessToken(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategoryECommercePlatform, RuleType: 4}}, + {Rule: *rules.ShopifyPrivateAppAccessToken(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategoryECommercePlatform, RuleType: 4}}, + {Rule: *rules.ShopifySharedSecret(), Tags: []string{TagPublicSecret}, ScoreParameters: ScoreParameters{Category: CategoryECommercePlatform, RuleType: 4}}, + {Rule: *rules.SidekiqSecret(), Tags: []string{TagSecretKey}, ScoreParameters: ScoreParameters{Category: CategoryBackgroundProcessingService, RuleType: 4}}, + {Rule: *rules.SidekiqSensitiveUrl(), Tags: []string{TagSensitiveUrl}, ScoreParameters: ScoreParameters{Category: CategoryBackgroundProcessingService, RuleType: 4}}, + {Rule: *rules.SlackBotToken(), Tags: 
[]string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategorySocialMedia, RuleType: 4}}, + {Rule: *rules.SlackAppLevelToken(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategorySocialMedia, RuleType: 4}}, + {Rule: *rules.SlackLegacyToken(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategorySocialMedia, RuleType: 4}}, + {Rule: *rules.SlackUserToken(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategorySocialMedia, RuleType: 4}}, + {Rule: *rules.SlackConfigurationToken(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategorySocialMedia, RuleType: 4}}, + {Rule: *rules.SlackConfigurationRefreshToken(), Tags: []string{TagRefreshToken}, ScoreParameters: ScoreParameters{Category: CategorySocialMedia, RuleType: 4}}, + {Rule: *rules.SlackLegacyBotToken(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategorySocialMedia, RuleType: 4}}, + {Rule: *rules.SlackLegacyWorkspaceToken(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategorySocialMedia, RuleType: 4}}, + {Rule: *rules.SlackWebHookUrl(), Tags: []string{TagWebhook}, ScoreParameters: ScoreParameters{Category: CategorySocialMedia, RuleType: 4}}, + {Rule: *rules.StripeAccessToken(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategoryPaymentProcessing, RuleType: 4}}, + {Rule: *rules.SquareAccessToken(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategoryPaymentProcessing, RuleType: 4}}, + {Rule: *rules.SquareSpaceAccessToken(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategoryWebHostingAndDeployment, RuleType: 4}}, + // {Rule: *rules.SumoLogicAccessID(), Tags: []string{TagAccessId}, ScoreParameters: ScoreParameters{Category: CategoryApplicationMonitoring, RuleType: 4}}, https://github.com/Checkmarx/2ms/issues/226 + {Rule: 
*rules.SumoLogicAccessToken(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategoryApplicationMonitoring, RuleType: 4}}, + {Rule: *rules.Snyk(), Tags: []string{TagApiKey}, ScoreParameters: ScoreParameters{Category: CategorySecurity, RuleType: 4}}, + {Rule: *rules.TeamsWebhook(), Tags: []string{TagWebhook}, ScoreParameters: ScoreParameters{Category: CategorySocialMedia, RuleType: 4}}, + {Rule: *rules.TelegramBotToken(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: CategorySocialMedia, RuleType: 4}}, + {Rule: *rules.TravisCIAccessToken(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategoryCICD, RuleType: 4}}, + {Rule: *rules.Twilio(), Tags: []string{TagApiKey}, ScoreParameters: ScoreParameters{Category: CategorySocialMedia, RuleType: 4}}, + {Rule: *rules.TwitchAPIToken(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: CategoryNewsAndMedia, RuleType: 4}}, + {Rule: *rules.TwitterAPIKey(), Tags: []string{TagApiKey}, ScoreParameters: ScoreParameters{Category: CategorySocialMedia, RuleType: 4}}, + {Rule: *rules.TwitterAPISecret(), Tags: []string{TagApiKey}, ScoreParameters: ScoreParameters{Category: CategorySocialMedia, RuleType: 4}}, + {Rule: *rules.TwitterAccessToken(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategorySocialMedia, RuleType: 4}}, + {Rule: *rules.TwitterAccessSecret(), Tags: []string{TagPublicSecret}, ScoreParameters: ScoreParameters{Category: CategorySocialMedia, RuleType: 4}}, + {Rule: *rules.TwitterBearerToken(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: CategorySocialMedia, RuleType: 4}}, + {Rule: *rules.Typeform(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: CategoryOnlineSurveyPlatform, RuleType: 4}}, + {Rule: *rules.VaultBatchToken(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: CategorySecurity, RuleType: 4}}, + 
{Rule: *VaultServiceToken(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: CategoryAuthenticationAndAuthorization, RuleType: 4}},
+ {Rule: *rules.YandexAPIKey(), Tags: []string{TagApiKey}, ScoreParameters: ScoreParameters{Category: CategoryCloudPlatform, RuleType: 4}},
+ {Rule: *rules.YandexAWSAccessToken(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategoryCloudPlatform, RuleType: 4}},
+ {Rule: *rules.YandexAccessToken(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategoryCloudPlatform, RuleType: 4}},
+ {Rule: *rules.ZendeskSecretKey(), Tags: []string{TagSecretKey}, ScoreParameters: ScoreParameters{Category: CategoryCustomerSupport, RuleType: 4}},
+ {Rule: *AuthenticatedURL(), Tags: []string{TagSensitiveUrl}, ScoreParameters: ScoreParameters{Category: CategoryGeneralOrUnknown, RuleType: 4}},
 }
 return allRules
@@ -203,7 +246,7 @@ func getDefaultRules() *[]Rule {
 func getSpecialRules() *[]Rule {
 specialRules := []Rule{
- {Rule: *HardcodedPassword(), Tags: []string{TagPassword}},
+ {Rule: *HardcodedPassword(), Tags: []string{TagPassword}, ScoreParameters: ScoreParameters{Category: CategoryGeneralOrUnknown, RuleType: 4}},
 }
 return &specialRules
diff --git a/engine/score/score.go b/engine/score/score.go
new file mode 100644
index 0000000..8045ff6
--- /dev/null
+++ b/engine/score/score.go
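Review bot: `RuleType: 4` on the HardcodedPassword entry is a bare integer whose meaning is defined nowhere in the rules package, and the same magic value is repeated on every row of the rule table above. From the table, 1 appears to be used for public identifiers (client IDs, access IDs) and 4 for actual secrets, but a reader of getSpecialRules cannot tell, and a typo such as `RuleType: 3` would be accepted silently. I would name the two values used, e.g. `const RuleTypeIdentifier uint8 = 1` and `const RuleTypeSecret uint8 = 4` with a one-line comment each, and use them here and in the table. The rule table's hunk starts outside this view, so its rows are not re-reviewed here.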
@@ -0,0 +1,72 @@
+package score
+
+import (
+ "github.com/checkmarx/2ms/engine/rules"
+ "github.com/checkmarx/2ms/lib/secrets"
+ "math"
+)
+
+func getCategoryScore(category rules.RuleCategory) uint8 {
+ CategoryScore := map[rules.RuleCategory]uint8{
+ rules.CategoryAuthenticationAndAuthorization: 4,
+ rules.CategoryCryptocurrencyExchange: 4,
+ rules.CategoryFinancialServices: 4,
+ rules.CategoryPaymentProcessing: 4,
+ rules.CategorySecurity: 4,
+ rules.CategoryAPIAccess: 3,
+ rules.CategoryCICD: 3,
+ rules.CategoryCloudPlatform: 3,
+ rules.CategoryDatabaseAsAService: 3,
+ rules.CategoryDevelopmentPlatform: 3,
+ rules.CategoryEmailDeliveryService: 3,
+ rules.CategoryGeneralOrUnknown: 3,
+ rules.CategoryInfrastructureAsCode: 3,
+ rules.CategoryPackageManagement: 3,
+ rules.CategorySourceCodeManagement: 3,
+ rules.CategoryWebHostingAndDeployment: 3,
+ rules.CategoryBackgroundProcessingService: 2,
+ rules.CategoryCDN: 2,
+ rules.CategoryContentManagementSystem: 2,
+ rules.CategoryCustomerSupport: 2,
+ rules.CategoryDataAnalytics: 2,
+ rules.CategoryFileStorageAndSharing: 2,
+ rules.CategoryIoTPlatform: 2,
+ rules.CategoryMappingAndLocationServices: 2,
+ rules.CategoryNetworking: 2,
+ rules.CategoryPhotoSharing: 2,
+ rules.CategorySaaS: 2,
+ rules.CategoryShipping: 2,
+ rules.CategorySoftwareDevelopment: 2,
+ rules.CategoryAIAndMachineLearning: 1,
+ rules.CategoryApplicationMonitoring: 1,
+ rules.CategoryECommercePlatform: 1,
+ rules.CategoryMarketingAutomation: 1,
+ rules.CategoryNewsAndMedia: 1,
+ rules.CategoryOnlineSurveyPlatform: 1,
+ rules.CategoryProjectManagement: 1,
+ rules.CategorySearchService: 1,
+ rules.CategorySocialMedia: 1,
+ }
+ return CategoryScore[category]
+}
+
+func getValidityScore(baseRiskScore float64, validationStatus secrets.ValidationResult) float64 {
+ switch validationStatus {
+ case secrets.ValidResult:
+ return math.Min(1, 4-baseRiskScore)
+ case secrets.InvalidResult:
+ return math.Max(-1, 1-baseRiskScore)
+ }
+ return 0.0
+}
+
+func 
GetBaseRiskScore(category rules.RuleCategory, ruleType uint8) float64 {
+ categoryScore := getCategoryScore(category)
+ return float64(categoryScore)*0.6 + float64(ruleType)*0.4
+}
+
+func GetCvssScore(baseRiskScore float64, validationStatus secrets.ValidationResult) float64 {
+ validityScore := getValidityScore(baseRiskScore, validationStatus)
+ cvssScore := (baseRiskScore+validityScore-1)*3 + 1
+ return math.Round(cvssScore*10) / 10
+}
diff --git a/engine/score/score_test.go b/engine/score/score_test.go
new file mode 100644
index 0000000..164d452
--- /dev/null
+++ b/engine/score/score_test.go
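Review bot: `return CategoryScore[category]` in getCategoryScore silently yields 0 for any category that is not in the map — which is exactly what a rule whose ScoreParameters were never filled in (zero-value category and RuleType 0) would pass — and with weight 0 and RuleType 0 or 1 the arithmetic in GetCvssScore produces a negative score (base 0.4, unknown validity: (0.4-1)*3+1 = -0.8), whereas every configured input lands in 1–10. The map is also rebuilt and allocated on every call although it is constant. I would hoist it to a package-level var, use the two-value lookup with an explicit fallback (treating a missing category as GeneralOrUnknown is one option; failing loudly at engine Init is another), and clamp GetCvssScore's result with `math.Max(1, math.Min(10, cvssScore))` before rounding. Separately, the two exported functions have no doc comments; a short comment on GetCvssScore stating that this is a 1–10 weighting of category, rule type and validity rather than a CVSS vector computation would save readers from looking for one.
```go
// categoryScore weights a rule category in the base risk score (4 = highest).
// Built once at package init; the previous version allocated it on every call.
var categoryScore = map[rules.RuleCategory]uint8{
	// … unchanged: category → weight entries …
}

func getCategoryScore(category rules.RuleCategory) uint8 {
	weight, ok := categoryScore[category]
	if !ok {
		// A rule with unset ScoreParameters ends up here; do not score it 0,
		// which would push the final score below the 1–10 band.
		return categoryScore[rules.CategoryGeneralOrUnknown]
	}
	return weight
}
```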
@@ -0,0 +1,234 @@ +package score_test + +import ( + . "github.com/checkmarx/2ms/engine" + "github.com/checkmarx/2ms/engine/rules" + "github.com/checkmarx/2ms/engine/score" + "github.com/checkmarx/2ms/lib/secrets" + "github.com/stretchr/testify/assert" + ruleConfig "github.com/zricethezav/gitleaks/v8/cmd/generate/config/rules" + "sync" + "testing" +) + +func TestScore(t *testing.T) { + specialRule := rules.HardcodedPassword() + allRules := *rules.FilterRules([]string{}, []string{}, []string{specialRule.RuleID}) + + engineConfig := EngineConfig{SpecialList: []string{specialRule.RuleID}} + engine, err := Init(engineConfig) + assert.NoError(t, err) + + expectedCvssScores := map[string][3]float64{ // ruleID -> Valid, Invalid, Unknown + ruleConfig.AdafruitAPIKey().RuleID: {9.4, 3.4, 6.4}, + ruleConfig.AdobeClientID().RuleID: {5.8, 1, 2.8}, + ruleConfig.AdobeClientSecret().RuleID: {9.4, 3.4, 6.4}, + ruleConfig.AgeSecretKey().RuleID: {10, 5.2, 8.2}, + ruleConfig.Airtable().RuleID: {10, 5.2, 8.2}, + ruleConfig.AlgoliaApiKey().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.AlibabaAccessKey().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.AlibabaSecretKey().RuleID: {10, 5.2, 8.2}, + ruleConfig.AsanaClientID().RuleID: {4, 1, 1}, + ruleConfig.AsanaClientSecret().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.Atlassian().RuleID: {9.4, 3.4, 6.4}, + ruleConfig.Authress().RuleID: {10, 7, 10}, + ruleConfig.AWS().RuleID: {10, 7, 10}, + ruleConfig.BitBucketClientID().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.BitBucketClientSecret().RuleID: {10, 5.2, 8.2}, + ruleConfig.BittrexAccessKey().RuleID: {10, 7, 10}, + ruleConfig.BittrexSecretKey().RuleID: {10, 7, 10}, + ruleConfig.Beamer().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.CodecovAccessToken().RuleID: {10, 7, 10}, + ruleConfig.CoinbaseAccessToken().RuleID: {10, 7, 10}, + ruleConfig.Clojars().RuleID: {10, 5.2, 8.2}, + ruleConfig.ConfluentAccessToken().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.ConfluentSecretKey().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.Contentful().RuleID: 
{9.4, 3.4, 6.4}, + ruleConfig.Databricks().RuleID: {9.4, 3.4, 6.4}, + ruleConfig.DatadogtokenAccessToken().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.DefinedNetworkingAPIToken().RuleID: {9.4, 3.4, 6.4}, + ruleConfig.DigitalOceanPAT().RuleID: {10, 5.2, 8.2}, + ruleConfig.DigitalOceanOAuthToken().RuleID: {10, 5.2, 8.2}, + ruleConfig.DigitalOceanRefreshToken().RuleID: {10, 5.2, 8.2}, + ruleConfig.DiscordAPIToken().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.DiscordClientID().RuleID: {4, 1, 1}, + ruleConfig.DiscordClientSecret().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.Doppler().RuleID: {10, 5.2, 8.2}, + ruleConfig.DropBoxAPISecret().RuleID: {9.4, 3.4, 6.4}, + ruleConfig.DropBoxShortLivedAPIToken().RuleID: {9.4, 3.4, 6.4}, + ruleConfig.DropBoxLongLivedAPIToken().RuleID: {9.4, 3.4, 6.4}, + ruleConfig.DroneciAccessToken().RuleID: {10, 5.2, 8.2}, + ruleConfig.Duffel().RuleID: {10, 5.2, 8.2}, + ruleConfig.Dynatrace().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.EasyPost().RuleID: {9.4, 3.4, 6.4}, + ruleConfig.EasyPostTestAPI().RuleID: {9.4, 3.4, 6.4}, + ruleConfig.EtsyAccessToken().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.Facebook().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.FastlyAPIToken().RuleID: {9.4, 3.4, 6.4}, + ruleConfig.FinicityClientSecret().RuleID: {10, 7, 10}, + ruleConfig.FinicityAPIToken().RuleID: {10, 7, 10}, + ruleConfig.FlickrAccessToken().RuleID: {9.4, 3.4, 6.4}, + ruleConfig.FinnhubAccessToken().RuleID: {10, 7, 10}, + ruleConfig.FlutterwavePublicKey().RuleID: {10, 7, 10}, + ruleConfig.FlutterwaveSecretKey().RuleID: {10, 7, 10}, + ruleConfig.FlutterwaveEncKey().RuleID: {10, 7, 10}, + ruleConfig.FrameIO().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.FreshbooksAccessToken().RuleID: {10, 7, 10}, + ruleConfig.GCPAPIKey().RuleID: {10, 5.2, 8.2}, + ruleConfig.GenericCredential().RuleID: {10, 5.2, 8.2}, + ruleConfig.GitHubPat().RuleID: {10, 5.2, 8.2}, + ruleConfig.GitHubFineGrainedPat().RuleID: {10, 5.2, 8.2}, + ruleConfig.GitHubOauth().RuleID: {10, 7, 10}, + ruleConfig.GitHubApp().RuleID: {10, 
5.2, 8.2}, + ruleConfig.GitHubRefresh().RuleID: {10, 7, 10}, + ruleConfig.GitlabPat().RuleID: {10, 5.2, 8.2}, + ruleConfig.GitlabPipelineTriggerToken().RuleID: {10, 5.2, 8.2}, + ruleConfig.GitlabRunnerRegistrationToken().RuleID: {10, 5.2, 8.2}, + ruleConfig.GitterAccessToken().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.GoCardless().RuleID: {10, 7, 10}, + ruleConfig.GrafanaApiKey().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.GrafanaCloudApiToken().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.GrafanaServiceAccountToken().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.Hashicorp().RuleID: {10, 5.2, 8.2}, + ruleConfig.HashicorpField().RuleID: {10, 5.2, 8.2}, + ruleConfig.Heroku().RuleID: {9.4, 3.4, 6.4}, + ruleConfig.HubSpot().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.HuggingFaceAccessToken().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.HuggingFaceOrganizationApiToken().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.InfracostAPIToken().RuleID: {10, 7, 10}, + ruleConfig.Intercom().RuleID: {9.4, 3.4, 6.4}, + ruleConfig.JFrogAPIKey().RuleID: {10, 5.2, 8.2}, + ruleConfig.JFrogIdentityToken().RuleID: {10, 5.2, 8.2}, + ruleConfig.JWT().RuleID: {10, 5.2, 8.2}, + ruleConfig.JWTBase64().RuleID: {10, 5.2, 8.2}, + ruleConfig.KrakenAccessToken().RuleID: {10, 7, 10}, + ruleConfig.KucoinAccessToken().RuleID: {10, 7, 10}, + ruleConfig.KucoinSecretKey().RuleID: {10, 7, 10}, + ruleConfig.LaunchDarklyAccessToken().RuleID: {10, 5.2, 8.2}, + ruleConfig.LinearAPIToken().RuleID: {10, 5.2, 8.2}, + ruleConfig.LinearClientSecret().RuleID: {10, 7, 10}, + ruleConfig.LinkedinClientID().RuleID: {4, 1, 1}, + ruleConfig.LinkedinClientSecret().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.LobAPIToken().RuleID: {10, 5.2, 8.2}, + ruleConfig.LobPubAPIToken().RuleID: {10, 5.2, 8.2}, + ruleConfig.MailChimp().RuleID: {10, 5.2, 8.2}, + ruleConfig.MailGunPubAPIToken().RuleID: {10, 5.2, 8.2}, + ruleConfig.MailGunPrivateAPIToken().RuleID: {10, 5.2, 8.2}, + ruleConfig.MailGunSigningKey().RuleID: {10, 5.2, 8.2}, + ruleConfig.MapBox().RuleID: {9.4, 3.4, 6.4}, + 
ruleConfig.MattermostAccessToken().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.MessageBirdAPIToken().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.MessageBirdClientID().RuleID: {4, 1, 1}, + ruleConfig.NetlifyAccessToken().RuleID: {10, 5.2, 8.2}, + ruleConfig.NewRelicUserID().RuleID: {4, 1, 1}, + ruleConfig.NewRelicUserKey().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.NewRelicBrowserAPIKey().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.NPM().RuleID: {10, 5.2, 8.2}, + ruleConfig.NytimesAccessToken().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.OktaAccessToken().RuleID: {10, 7, 10}, + ruleConfig.OpenAI().RuleID: {7.6, 1.6, 4.6}, + rules.PlaidAccessID().RuleID: {9.4, 3.4, 6.4}, + ruleConfig.PlaidSecretKey().RuleID: {10, 7, 10}, + ruleConfig.PlaidAccessToken().RuleID: {10, 7, 10}, + ruleConfig.PlanetScalePassword().RuleID: {10, 5.2, 8.2}, + ruleConfig.PlanetScaleAPIToken().RuleID: {10, 5.2, 8.2}, + ruleConfig.PlanetScaleOAuthToken().RuleID: {10, 5.2, 8.2}, + ruleConfig.PostManAPI().RuleID: {10, 5.2, 8.2}, + ruleConfig.Prefect().RuleID: {10, 5.2, 8.2}, + ruleConfig.PrivateKey().RuleID: {10, 5.2, 8.2}, + ruleConfig.PulumiAPIToken().RuleID: {10, 5.2, 8.2}, + ruleConfig.PyPiUploadToken().RuleID: {10, 5.2, 8.2}, + ruleConfig.RapidAPIAccessToken().RuleID: {10, 5.2, 8.2}, + ruleConfig.ReadMe().RuleID: {10, 5.2, 8.2}, + ruleConfig.RubyGemsAPIToken().RuleID: {10, 5.2, 8.2}, + ruleConfig.ScalingoAPIToken().RuleID: {10, 5.2, 8.2}, + ruleConfig.SendbirdAccessID().RuleID: {4, 1, 1}, + ruleConfig.SendbirdAccessToken().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.SendGridAPIToken().RuleID: {10, 5.2, 8.2}, + ruleConfig.SendInBlueAPIToken().RuleID: {10, 5.2, 8.2}, + ruleConfig.SentryAccessToken().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.ShippoAPIToken().RuleID: {9.4, 3.4, 6.4}, + ruleConfig.ShopifyAccessToken().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.ShopifyCustomAccessToken().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.ShopifyPrivateAppAccessToken().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.ShopifySharedSecret().RuleID: {7.6, 1.6, 4.6}, + 
ruleConfig.SidekiqSecret().RuleID: {9.4, 3.4, 6.4}, + ruleConfig.SidekiqSensitiveUrl().RuleID: {9.4, 3.4, 6.4}, + ruleConfig.SlackBotToken().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.SlackAppLevelToken().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.SlackLegacyToken().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.SlackUserToken().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.SlackConfigurationToken().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.SlackConfigurationRefreshToken().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.SlackLegacyBotToken().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.SlackLegacyWorkspaceToken().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.SlackWebHookUrl().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.StripeAccessToken().RuleID: {10, 7, 10}, + ruleConfig.SquareAccessToken().RuleID: {10, 7, 10}, + ruleConfig.SquareSpaceAccessToken().RuleID: {10, 5.2, 8.2}, + ruleConfig.SumoLogicAccessID().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.SumoLogicAccessToken().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.Snyk().RuleID: {10, 7, 10}, + ruleConfig.TeamsWebhook().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.TelegramBotToken().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.TravisCIAccessToken().RuleID: {10, 5.2, 8.2}, + ruleConfig.Twilio().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.TwitchAPIToken().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.TwitterAPIKey().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.TwitterAPISecret().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.TwitterAccessToken().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.TwitterAccessSecret().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.TwitterBearerToken().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.Typeform().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.VaultBatchToken().RuleID: {10, 7, 10}, + rules.VaultServiceToken().RuleID: {10, 7, 10}, + ruleConfig.YandexAPIKey().RuleID: {10, 5.2, 8.2}, + ruleConfig.YandexAWSAccessToken().RuleID: {10, 5.2, 8.2}, + ruleConfig.YandexAccessToken().RuleID: {10, 5.2, 8.2}, + ruleConfig.ZendeskSecretKey().RuleID: {9.4, 3.4, 6.4}, + rules.AuthenticatedURL().RuleID: {10, 5.2, 8.2}, + specialRule.RuleID: {10, 
5.2, 8.2},
+ }
+ for _, rule := range allRules {
+ expectedRuleScores := expectedCvssScores[rule.Rule.RuleID]
+ baseRiskScore := score.GetBaseRiskScore(rule.ScoreParameters.Category, rule.ScoreParameters.RuleType)
+ ruleBaseRiskScore := engine.GetRuleBaseRiskScore(rule.Rule.RuleID)
+ assert.Equal(t, ruleBaseRiskScore, baseRiskScore, "rule: %s", rule.Rule.RuleID)
+ assert.Equal(t, expectedRuleScores[0], score.GetCvssScore(baseRiskScore, secrets.ValidResult), "rule: %s", rule.Rule.RuleID)
+ assert.Equal(t, expectedRuleScores[1], score.GetCvssScore(baseRiskScore, secrets.InvalidResult), "rule: %s", rule.Rule.RuleID)
+ assert.Equal(t, expectedRuleScores[2], score.GetCvssScore(baseRiskScore, secrets.UnknownResult), "rule: %s", rule.Rule.RuleID)
+ }
+
+ var allSecrets []*secrets.Secret
+ for _, rule := range allRules {
+ var secretValid, secretInvalid, secretUnknown secrets.Secret
+ secretValid.RuleID = rule.Rule.RuleID
+ secretValid.ValidationStatus = secrets.ValidResult
+ secretInvalid.RuleID = rule.Rule.RuleID
+ secretInvalid.ValidationStatus = secrets.InvalidResult
+ secretUnknown.RuleID = rule.Rule.RuleID
+ secretUnknown.ValidationStatus = secrets.UnknownResult
+ allSecrets = append(allSecrets, &secretValid, &secretInvalid, &secretUnknown)
+ }
+ for _, secret := range allSecrets {
+ var wg sync.WaitGroup
+ wg.Add(2)
+ expectedRuleScores := expectedCvssScores[secret.RuleID]
+ validityIndex := getValidityIndex(secret.ValidationStatus)
+ unknownIndex := getValidityIndex(secrets.UnknownResult)
+ engine.Score(secret, true, &wg)
+ assert.Equal(t, expectedRuleScores[validityIndex], secret.CvssScore, "rule: %s", secret.RuleID)
+ engine.Score(secret, false, &wg)
+ assert.Equal(t, expectedRuleScores[unknownIndex], secret.CvssScore, "rule: %s", secret.RuleID)
+ }
+}
+
+func getValidityIndex(validity secrets.ValidationResult) int {
+ switch validity {
+ case secrets.ValidResult:
+ return 0
+ case secrets.InvalidResult:
+ return 1
+ }
+ return 2
+}
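Review bot: The expected table is only checked in one direction — a rule missing from `expectedCvssScores` fails because the lookup returns `{0, 0, 0}`, but an expected entry with no matching rule is never visited, and the table already carries four such entries (`PlaidSecretKey`, `PlaidAccessToken`, `ScalingoAPIToken`, `SumoLogicAccessID`), whose rules are commented out in the rules table with an issue link. Either drop or comment those entries the same way, and add a coverage check so the two lists cannot drift again: `seen := make(map[string]bool, len(allRules))`, `seen[rule.Rule.RuleID] = true` inside the first loop, and `assert.Len(t, seen, len(expectedCvssScores))` after it. Also, testify's `assert.Equal` takes (expected, actual), so `assert.Equal(t, ruleBaseRiskScore, baseRiskScore, …)` reports the two values swapped on failure; swap the arguments. The `wg.Add(2)` per secret is never balanced by a `wg.Wait()`, so the test presumably relies on engine.Score calling Done synchronously — a comment saying so would stop the next reader from "fixing" it.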
diff --git a/lib/reporting/report_test.go b/lib/reporting/report_test.go
index 946059c..0eef1dc 100644
--- a/lib/reporting/report_test.go
+++ b/lib/reporting/report_test.go
@@ -29,6 +29,7 @@ var (
 EndColumn: 150,
 Value: "value",
 ValidationStatus: secrets.ValidResult,
+ CvssScore: 10.0,
 RuleDescription: "Rule Description",
 }
 // this result has a different rule than result1
@@ -43,6 +44,7 @@ var (
 EndColumn: 160,
 Value: "value 2",
 ValidationStatus: secrets.InvalidResult,
+ CvssScore: 4.5,
 RuleDescription: "Rule Description2",
 }
 // this result has the same rule as result1
@@ -57,6 +59,7 @@ var (
 EndColumn: 130,
 Value: "value 3",
 ValidationStatus: secrets.UnknownResult,
+ CvssScore: 0.0,
 RuleDescription: "Rule Description",
 }
 )
@@ -105,6 +108,7 @@ var (
 },
 Properties: Properties{
 "validationStatus": string(result1.ValidationStatus),
+ "cvssScore": result1.CvssScore,
 },
 }
 result2Sarif = Results{
@@ -135,6 +139,7 @@ var (
 },
 Properties: Properties{
 "validationStatus": string(result2.ValidationStatus),
+ "cvssScore": result2.CvssScore,
 },
 }
 result3Sarif = Results{
@@ -165,6 +170,7 @@ var (
 },
 Properties: Properties{
 "validationStatus": string(result3.ValidationStatus),
+ "cvssScore": result3.CvssScore,
 },
 }
 )
diff --git a/lib/reporting/sarif.go b/lib/reporting/sarif.go
index 090931a..27cc714 100644
--- a/lib/reporting/sarif.go
+++ b/lib/reporting/sarif.go
@@ -91,6 +91,7 @@ func getResults(report Report) []Results {
 Locations: getLocation(secret),
 Properties: Properties{
 "validationStatus": secret.ValidationStatus,
+ "cvssScore": secret.CvssScore,
 },
 }
 results = append(results, r)
diff --git a/lib/secrets/secret.go b/lib/secrets/secret.go
index 2485d12..5d50551 100644
--- a/lib/secrets/secret.go
+++ b/lib/secrets/secret.go
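Review bot: `"cvssScore": secret.CvssScore` in sarif.go is emitted for every result, while the JSON tag added in the secret.go hunk below is `json:"cvssScore,omitempty"`, which on a float64 drops the field whenever the score is 0 — so the JSON and SARIF reports disagree for an unscored secret (the `result3` fixture in report_test.go carries exactly that `CvssScore: 0.0`). Since the scoring formula yields 1–10 for every configured rule, 0 only ever means "not scored", and the two formats should treat it the same way; the simpler fix is to drop omitempty, `CvssScore float64 \`json:"cvssScore"\``, and let both formats always report the number. If the intent really is to hide unscored results, guard the SARIF property the same way instead. The report_test.go hunks are fixture-only and need no change beyond following whichever choice is made.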
@@ -45,4 +45,5 @@ type Secret struct {
 ValidationStatus ValidationResult `json:"validationStatus,omitempty"`
 RuleDescription string `json:"ruleDescription,omitempty"`
 ExtraDetails map[string]interface{} `json:"extraDetails,omitempty"`
+ CvssScore float64 `json:"cvssScore,omitempty"`
 }