Fix adhoc scan verify #336

Merged
merged 2 commits into from
Aug 27, 2020
Merged
4 changes: 2 additions & 2 deletions detect_secrets/plugins/aws.py
Expand Up @@ -27,8 +27,8 @@ class AWSKeyDetector(RegexBasedDetector):
def disable_flag_text(cls):
return 'no-aws-key-scan'

def verify(self, token, content):
secret_access_key_candidates = get_secret_access_keys(content)
def verify(self, token, context):
secret_access_key_candidates = get_secret_access_keys(context)
if not secret_access_key_candidates:
return VerifiedResult.UNVERIFIED

6 changes: 3 additions & 3 deletions detect_secrets/plugins/base.py
Expand Up @@ -144,7 +144,7 @@ def analyze(self, file, filename):
lines_of_context=LINES_OF_CONTEXT,
)

is_verified = self.verify(result.secret_value, content=str(snippet))
is_verified = self.verify(result.secret_value, context=str(snippet))
if is_verified == VerifiedResult.VERIFIED_TRUE:
result.is_verified = True

Expand Down Expand Up @@ -226,7 +226,7 @@ def adhoc_scan(self, string):

verified_result = VerifiedResult.UNVERIFIED
for result in results:
is_verified = self.verify(result.secret_value)
is_verified = self.verify(result.secret_value, string)
if is_verified != VerifiedResult.UNVERIFIED:
verified_result = is_verified
break
Expand All @@ -239,7 +239,7 @@ def adhoc_scan(self, string):

return output[verified_result]

def verify(self, token, content=''):
Contributor


It's actually meant to be context.

A couple of lines down, it reads:

:param context: lines of context around identified secret

Contributor Author


Right, that's why I renamed it to context.

Contributor


🤦 I must be getting cross-eyed.

def verify(self, token, context=''):
"""
To increase accuracy and reduce false positives, plugins can also
optionally declare a method to verify their status.
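Review bot: In `adhoc_scan` the new call `self.verify(result.secret_value, string)` passes the context positionally, while `analyze` in the same file uses `context=str(snippet)`; writing `self.verify(result.secret_value, context=string)` would keep the two call sites consistent and make a parameter-name mismatch in an override raise instead of binding silently. The overrides shown in aws.py, cloudant.py, ibm_cos_hmac.py and softlayer.py declare `context` without the base class's `''` default, so any caller that omits it still gets a `TypeError` on those plugins; `def verify(self, token, context=''):` in each would match the base signature. No test for `adhoc_scan` with a verifying plugin is visible on this page, so a regression test for that path would be worth adding if one does not already exist. Both `adhoc_scan` and `verify` continue outside the hunks shown here.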
8 changes: 4 additions & 4 deletions detect_secrets/plugins/cloudant.py
Expand Up @@ -60,9 +60,9 @@ class CloudantDetector(RegexBasedDetector):
),
]

def verify(self, token, content):
def verify(self, token, context):

hosts = find_account(content)
hosts = find_account(context)
if not hosts:
return VerifiedResult.UNVERIFIED

Expand All @@ -72,7 +72,7 @@ def verify(self, token, content):
return VerifiedResult.VERIFIED_FALSE


def find_account(content):
def find_account(context):
opt_hostname_keyword = r'(?:hostname|host|username|id|user|userid|user-id|user-name|' \
'name|user_id|user_name|uname|account)'
account = r'(\w[\w\-]*)'
Expand All @@ -98,7 +98,7 @@ def find_account(content):

return [
match
for line in content.splitlines()
for line in context.splitlines()
for regex in regexes
for match in regex.findall(line)
]
8 changes: 4 additions & 4 deletions detect_secrets/plugins/ibm_cos_hmac.py
Expand Up @@ -29,8 +29,8 @@ class IbmCosHmacDetector(RegexBasedDetector):
),
)

def verify(self, token, content):
key_id_matches = find_access_key_id(content)
def verify(self, token, context):
key_id_matches = find_access_key_id(context)

if not key_id_matches:
return VerifiedResult.UNVERIFIED
Expand All @@ -48,7 +48,7 @@ def verify(self, token, content):
return VerifiedResult.VERIFIED_FALSE


def find_access_key_id(content):
def find_access_key_id(context):
key_id_keyword_regex = r'(?:access[-_]?(?:key)?[-_]?(?:id)?|key[-_]?id)'
key_id_regex = r'([a-f0-9]{32})'

Expand All @@ -60,7 +60,7 @@ def find_access_key_id(content):

return [
match
for line in content.splitlines()
for line in context.splitlines()
for match in regex.findall(line)
]

8 changes: 4 additions & 4 deletions detect_secrets/plugins/softlayer.py
Expand Up @@ -28,8 +28,8 @@ class SoftlayerDetector(RegexBasedDetector):
),
]

def verify(self, token, content):
usernames = find_username(content)
def verify(self, token, context):
usernames = find_username(context)
if not usernames:
return VerifiedResult.UNVERIFIED

Expand All @@ -39,7 +39,7 @@ def verify(self, token, content):
return VerifiedResult.VERIFIED_FALSE


def find_username(content):
def find_username(context):
# opt means optional
username_keyword = (
r'(?:'
Expand All @@ -58,7 +58,7 @@ def find_username(content):

return [
match
for line in content.splitlines()
for line in context.splitlines()
for match in regex.findall(line)
]
