From e5289ac8e4d1a14c52f28f34e406e50c3a48ab41 Mon Sep 17 00:00:00 2001
From: Shivasurya
Date: Sat, 6 Jan 2024 11:48:41 -0500
Subject: [PATCH] Updated trufflehog sourcegraph secret format (#2254)

---
 pkg/detectors/sourcegraph/sourcegraph.go | 5 ++++-
 pkg/detectors/sourcegraph/sourcegraph_test.go | 18 ++++++++++++++----
 2 files changed, 18 insertions(+), 5 deletions(-)

diff --git a/pkg/detectors/sourcegraph/sourcegraph.go b/pkg/detectors/sourcegraph/sourcegraph.go
index 7580eb35e918..46d3767e93a3 100644
--- a/pkg/detectors/sourcegraph/sourcegraph.go
+++ b/pkg/detectors/sourcegraph/sourcegraph.go
@@ -22,7 +22,7 @@ var _ detectors.Detector = (*Scanner)(nil)
 var (
 defaultClient = common.SaneHttpClient()
 // Make sure that your group is surrounded in boundary characters such as below to reduce false positives.
- keyPat = regexp.MustCompile(`\b(sgp_[a-f0-9]{40})\b`)
+ keyPat = regexp.MustCompile(`\b(sgp_(?:[a-fA-F0-9]{16}|local)_[a-fA-F0-9]{40}|sgp_[a-fA-F0-9]{40}|[a-fA-F0-9]{40})\b`)
 )

 // Keywords are used for efficiently pre-filtering chunks.
@@ -47,6 +47,9 @@ func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (result
 DetectorType: detectorspb.DetectorType_Sourcegraph,
 Raw: []byte(resMatch),
 }
+ s1.ExtraData = map[string]string{
+ "rotation_guide": "https://howtorotate.com/docs/tutorials/sourcegraph/",
+ }

 if verify {
 client := s.client
diff --git a/pkg/detectors/sourcegraph/sourcegraph_test.go b/pkg/detectors/sourcegraph/sourcegraph_test.go
index 83b0de6f7038..a260a63abef6 100644
--- a/pkg/detectors/sourcegraph/sourcegraph_test.go
+++ b/pkg/detectors/sourcegraph/sourcegraph_test.go
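Review bot: The third alternative of the new `keyPat` in sourcegraph.go, the bare `[a-fA-F0-9]{40}`, matches any 40-character hex string between word boundaries, which includes every full git commit SHA-1 and other vendors' hex tokens. Only the keyword pre-filter (outside this hunk) narrows it, and the context comment says that filter works per chunk, so in a chunk that mentions the keyword every such string becomes a candidate; with `verify` on, each candidate is presumably sent to the Sourcegraph endpoint, which would disclose unrelated secrets to a third party. I would keep the two `sgp_`-prefixed forms as they are and require nearby context for the legacy prefix-less form, for example a second pattern that demands a `sourcegraph` keyword a short distance before the 40 hex characters. The comment above the pattern about reducing false positives should then say why the legacy form is treated differently.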
@@ -25,15 +25,24 @@ func TestSourcegraph_FromChunk(t *testing.T) {
 if err != nil {
 t.Fatalf("could not get test secrets from GCP: %s", err)
 }
- secret := testSecrets.MustGetField("SOURCEGRAPH")
- inactiveSecret := testSecrets.MustGetField("SOURCEGRAPH_INACTIVE")
+
+ secretV1 := testSecrets.MustGetField("SOURCEGRAPH_V1")
+ secretV2 := testSecrets.MustGetField("SOURCEGRAPH_V2")
+ secretV3 := testSecrets.MustGetField("SOURCEGRAPH_V3")
+
+ inactiveSecretV1 := testSecrets.MustGetField("SOURCEGRAPH_INACTIVE_V1")
+ inactiveSecretV2 := testSecrets.MustGetField("SOURCEGRAPH_INACTIVE_V2")
+ inactiveSecretV3 := testSecrets.MustGetField("SOURCEGRAPH_INACTIVE_V3")
+
+ secrets := []string{secretV1, secretV2, secretV3, inactiveSecretV1, inactiveSecretV2, inactiveSecretV3}

 type args struct {
 ctx context.Context
 data []byte
 verify bool
 }
- tests := []struct {
+ for _, secret := range secrets {
+ tests = append(tests, []struct {
 name string
 s Scanner
 args args
@@ -122,6 +131,7 @@ func TestSourcegraph_FromChunk(t *testing.T) {
 wantVerificationErr: true,
 },
 }
+}
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
 got, err := tt.s.FromData(tt.args.ctx, tt.args.verify, tt.args.data)
@@ -137,7 +147,7 @@ func TestSourcegraph_FromChunk(t *testing.T) {
 t.Fatalf("wantVerificationError = %v, verification error = %v", tt.wantVerificationErr, got[i].VerificationError())
 }
 }
- ignoreOpts := cmpopts.IgnoreFields(detectors.Result{}, "Raw", "verificationError")
+ ignoreOpts := cmpopts.IgnoreFields(detectors.Result{}, "Raw", "VerificationError", "ExtraData")
 if diff := cmp.Diff(got, tt.want, ignoreOpts); diff != "" {
 t.Errorf("Sourcegraph.FromData() %s diff: (-got +want)\n%s", tt.name, diff)
 }
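Review bot: `tests = append(tests, []struct {` in sourcegraph_test.go uses `tests` with no declaration in the visible part of the function, and the call is never closed: the only matching addition is the bare `+}` in the `@@ -122,6 +131,7 @@` hunk, which ends the `for` loop but not the `append(`, so as far as these hunks show the test file does not compile. The loop also ranges over active and inactive secrets alike, so the unchanged cases between the two hunks (not visible here) would apply the same expectations to inactive tokens, and any case that still refers to `inactiveSecret` has lost its variable. I would name the case type, declare `var tests []testCase` before the loop, close the call as `}...)`, and iterate over active/inactive pairs so that each token format gets both a verified and an unverified case. The function body starts and ends outside the hunk.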
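Review bot: In the `@@ -137,7 +147,7 @@` hunk the ignore list now names `"VerificationError"`, but a few lines above the same test calls `got[i].VerificationError()` as a method, and the removed line ignored the lower-case field `verificationError`; `cmpopts.IgnoreFields` takes struct field names and panics on a name that is not a field of the type. Unless `detectors.Result` has gained an exported field of that name elsewhere, this should remain `cmpopts.IgnoreFields(detectors.Result{}, "Raw", "verificationError", "ExtraData")`. Ignoring `ExtraData` wholesale also means the new `rotation_guide` entry is never asserted; a one-line check on `got[i].ExtraData["rotation_guide"]` would cover it.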