Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix audit report that verifies a secret #620

Merged
merged 3 commits into from
Sep 27, 2022
Merged

Fix audit report that verifies a secret #620

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
57cc319
Pass in context to analyze function so verify functions that use cont…
jpdakran Sep 22, 2022
f439653
Merge branch 'master' into dakranj-611-fix-audit-report-failing
jpdakran Sep 26, 2022
07e8244
Make snippet with all lines so verify can look around for information…
jpdakran Sep 27, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions detect_secrets/audit/common.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@
from ..transformers import get_transformed_file
from ..types import NamedIO
from ..util.inject import call_function_with_arguments
from detect_secrets.util.code_snippet import get_code_snippet


def get_baseline_from_file(filename: str) -> SecretsCollection:
Expand Down Expand Up @@ -91,6 +92,7 @@ def get_raw_secrets_from_file(
line_numbers = list(range(len(lines_to_scan)))

for line_number, line in zip(line_numbers, lines_to_scan):
context = get_code_snippet(lines=line_getter.lines, line_number=line_number + 1)
identified_secrets = call_function_with_arguments(
plugin.analyze_line,
filename=secret.filename,
Expand All @@ -100,6 +102,7 @@ def get_raw_secrets_from_file(
# We enable eager search, because we *know* there's a secret here -- the baseline
# flagged it after all.
enable_eager_search=bool(secret.line_number),
context=context,
)

for identified_secret in (identified_secrets or []):
Expand Down
40 changes: 38 additions & 2 deletions tests/audit/report_test.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@
from detect_secrets.constants import VerifiedResult
from detect_secrets.core import baseline
from detect_secrets.core.secrets_collection import SecretsCollection
from detect_secrets.plugins.aws import AWSKeyDetector
from detect_secrets.plugins.basic_auth import BasicAuthDetector
from detect_secrets.plugins.jwt import JwtTokenDetector
from detect_secrets.settings import transient_settings
Expand All @@ -20,13 +21,14 @@
first_secret = 'value1'
second_secret = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ' # noqa: E501
random_secret = ''.join(random.choice(string.ascii_letters) for _ in range(8))
aws_secret = 'AKIAZZZZZZZZZZZZZZZZ'


@pytest.mark.parametrize(
'class_to_print, expected_real, expected_false, expected_output',
[
(
None, 3, 1,
None, 4, 1,
{
'results': [
{
Expand Down Expand Up @@ -71,11 +73,21 @@
BasicAuthDetector.secret_type,
],
},
{
'category': 'VERIFIED_TRUE',
'lines': {
1: 'aws_access_key = {}'.format(aws_secret),
},
'secrets': aws_secret,
'types': [
AWSKeyDetector.secret_type,
],
},
],
},
),
(
SecretClassToPrint.REAL_SECRET, 3, 0,
SecretClassToPrint.REAL_SECRET, 4, 0,
{
'results': [
{
Expand Down Expand Up @@ -109,6 +121,16 @@
JwtTokenDetector.secret_type,
],
},
{
'category': 'VERIFIED_TRUE',
'lines': {
1: 'aws_access_key = {}'.format(aws_secret),
},
'secrets': aws_secret,
'types': [
AWSKeyDetector.secret_type,
],
},
],
},
),
Expand Down Expand Up @@ -193,27 +215,41 @@ def baseline_file():
url = {url_format.format(second_secret)}
example = {url_format.format(random_secret)}
""")[1:]
third_content = textwrap.dedent(f"""
aws_access_key = {aws_secret}
""")[1:]

with create_file_with_content(first_content) as first_file, \
create_file_with_content(second_content) as second_file, \
create_file_with_content(third_content) as third_file, \
mock_named_temporary_file() as baseline_file, \
transient_settings({
'plugins_used': [
{'name': 'BasicAuthDetector'},
{'name': 'JwtTokenDetector'},
{'name': 'AWSKeyDetector'},

],
'filters_used': [
{
'path':
'detect_secrets.filters.common.is_ignored_due_to_verification_policies',
'min_level': 2,
},
],
}):
secrets = SecretsCollection()
secrets.scan_file(first_file)
secrets.scan_file(second_file)
secrets.scan_file(third_file)
labels = {
(first_file, BasicAuthDetector.secret_type, 1): True,
(first_file, BasicAuthDetector.secret_type, 2): None,
(first_file, BasicAuthDetector.secret_type, 3): True,
(second_file, JwtTokenDetector.secret_type, 1): True,
(second_file, BasicAuthDetector.secret_type, 1): False,
(second_file, BasicAuthDetector.secret_type, 2): False,
(third_file, AWSKeyDetector.secret_type, 1): True,
}
for item in secrets:
_, secret = item
Expand Down