
Exception when auditing multi-line secrets #580

Closed
hwine opened this issue Jul 14, 2022 · 4 comments
Labels
bug The issue describes a malfunctioning aspect of the project. P3 When you get around it. E.g. a fix for non-breaking issue we will work on when there's nothing more triaged The issue has been reviewed but has not been solved yet.

Comments

hwine commented Jul 14, 2022

[This appears to be a new flavor of #227]

Scanning properly detects secrets in a multi-line yaml value, but the audit function raises a ValueError exception when trying to display the info.

sample yaml file:

```yaml
- id: example for audit failure
  keyid: _removed_
  passphrase:
  privatekey: |
    -----BEGIN PGP PRIVATE KEY BLOCK-----
    -----END PGP PRIVATE KEY BLOCK-----
  publickey: |
    -----BEGIN PGP PUBLIC KEY BLOCK-----
    -----END PGP PUBLIC KEY BLOCK-----
```

Steps to reproduce (with above yaml as fail.yaml):

```console
$ detect-secrets --version
1.2.0
$ detect-secrets scan fail.yaml >fail.baseline
$ detect-secrets audit fail.baseline
Secret:      1 of 1
Filename:    fail.yaml
Secret Type: Private Key
----------
Traceback (most recent call last):
  File "/home/hwine/.local/bin/detect-secrets", line 8, in <module>
    sys.exit(main())
  File "/home/hwine/.local/pipx/venvs/detect-secrets/lib/python3.10/site-packages/detect_secrets/main.py", line 32, in main
    handle_audit_action(args)
  File "/home/hwine/.local/pipx/venvs/detect-secrets/lib/python3.10/site-packages/detect_secrets/main.py", line 152, in handle_audit_action
    audit.audit_baseline(args.filename[0])
  File "/home/hwine/.local/pipx/venvs/detect-secrets/lib/python3.10/site-packages/detect_secrets/audit/audit.py", line 25, in audit_baseline
    if _classify_secrets(get_secret_iterator(secrets)):
  File "/home/hwine/.local/pipx/venvs/detect-secrets/lib/python3.10/site-packages/detect_secrets/audit/audit.py", line 42, in _classify_secrets
    io.print_context(
  File "/home/hwine/.local/pipx/venvs/detect-secrets/lib/python3.10/site-packages/detect_secrets/audit/io.py", line 37, in print_context
    context.snippet.highlight_line(context.secret.secret_value)
  File "/home/hwine/.local/pipx/venvs/detect-secrets/lib/python3.10/site-packages/detect_secrets/util/code_snippet.py", line 75, in highlight_line
    index_of_payload = self.target_line.lower().index(payload.lower())
ValueError: substring not found
```
@jpdakran jpdakran added pending The issue still needs to be reviewed by one of the maintainers. bug The issue describes a malfunctioning aspect of the project. P3 When you get around it. E.g. a fix for non-breaking issue we will work on when there's nothing more labels Jul 14, 2022
jpdakran (Member) commented:

Hello, Thanks for reaching out. I have fixed this bug and it will be in the newest release of detect-secrets. The fix is related to catching this exception.

There is a deeper rooted issue here with the YAML File parser which I do have a work item to tackle very soon.

Please see #467 for more info.

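The traceback above and the maintainer's note about catching the exception both come down to one lookup: `str.index` on a single source line with a payload that spans several lines. The following is an added illustration, not detect-secrets' own code; it assumes (as the traceback implies) that the stored secret value for a YAML block scalar is the multi-line body, which is never a substring of any one line, and shows a guarded highlighter that degrades to the payload's first line or to the unhighlighted line instead of aborting the audit.

```python
# Added illustration (not detect-secrets' code): reproduce the failing lookup
# from the traceback and show a guarded variant for multi-line secret values.

# Constructed sample: the reported YAML, split into lines as a file would be.
SAMPLE_LINES = [
    "- id: example for audit failure",
    "  keyid: _removed_",
    "  passphrase:",
    "  privatekey: |",
    "    -----BEGIN PGP PRIVATE KEY BLOCK-----",
    "    -----END PGP PRIVATE KEY BLOCK-----",
]

# Assumption: the scanner records the whole block-scalar body as the secret
# value, so it contains newlines and cannot match a single target line.
MULTILINE_SECRET = (
    "-----BEGIN PGP PRIVATE KEY BLOCK-----\n"
    "-----END PGP PRIVATE KEY BLOCK-----\n"
)


def _mark(line: str, start: int, length: int) -> str:
    """Wrap line[start:start+length] in ** markers (stand-in for terminal colour)."""
    end = start + length
    return line[:start] + "**" + line[start:end] + "**" + line[end:]


def highlight_naive(target_line: str, payload: str) -> str:
    """Mirror of the failing path: str.index raises ValueError on a miss."""
    index_of_payload = target_line.lower().index(payload.lower())
    return _mark(target_line, index_of_payload, len(payload))


def highlight_guarded(target_line: str, payload: str) -> str:
    """Highlight the payload if present; otherwise fall back instead of raising.

    For a multi-line payload, each of its non-empty lines is tried in turn,
    since only one of them can appear on the flagged line. If nothing matches,
    the line is returned unchanged so the audit session can continue.
    """
    candidates = [payload] + [p for p in payload.splitlines() if p.strip()]
    lowered = target_line.lower()
    for candidate in candidates:
        start = lowered.find(candidate.lower())
        if start != -1:
            return _mark(target_line, start, len(candidate))
    return target_line
```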
@jpdakran jpdakran added triaged The issue has been reviewed but has not been solved yet. and removed pending The issue still needs to be reviewed by one of the maintainers. labels Jul 14, 2022

hwine commented Jul 15, 2022

In case anyone wanders by before a detect-secrets version later than 1.2.0 is released, there is a hacked version which allows detect-secrets audit to be run without error, and with visibility into the yaml multiline secret. This is a hack, and clearly not the direction the detect-secrets team is headed, but it'll get you unblocked today.

  • tagged v1.0.2.00001
  • changes to upstream
  • to install, use pip install git+https://github.com/hwine/detect-secrets@v1.2.00001
    • N.B.: if you do install this way, you'll need to uninstall to pick up the official release

lorenzodb1 (Member) commented:

Hi @hwine, thank you for proposing a way to unblock those who are waiting for the next release of detect-secrets. I came in just to make sure you and the whole community are aware that we always welcome new PRs that aim at improving the project, so feel free to open one if you'd like.

I also wanted to add that you could download the source code in our master branch and run that instead. This might not work for everyone using detect-secrets, but some use-cases might see this as a good enough temporary solution while waiting for the release.

Finally, I wanted to let everyone here know that we're working on releasing a new version of detect-secrets soon, so hang tight! I'll make sure to send another reply here when that happens.


hwine commented Jul 15, 2022

Thanks -- if there wasn't already work in flight, I would have opened a PR. But my hack required undoing some of the current work. :/ (The inflight work doesn't allow use of the audit function to mark the false positive as expected.)

Thanks for the team's efforts -- releases are hard! This is an extremely valuable project that I rely on daily!
