From 21bd179836bdf677be3deebd0e2f72e51f0408cb Mon Sep 17 00:00:00 2001
From: very-doge-wow <95224950+very-doge-wow@users.noreply.github.com>
Date: Tue, 31 Oct 2023 13:46:56 +0100
Subject: [PATCH 1/4] feat: add built-in rule for JWT tokens

Currently the secret scanning does not detect JWT tokens, which are used for example by Artifactory as Authentication mechanism. For example, if a user builds an OCI image and installs dependencies from a private Artifactory repository during build-time and has passed those credentials in an insecure manner to the builder (for example using ARG statements), trivy needs to detect this leak.
---
 pkg/fanal/secret/builtin-rules.go | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/pkg/fanal/secret/builtin-rules.go b/pkg/fanal/secret/builtin-rules.go
index 1fc282d02d8..0cf13609ac0 100644
--- a/pkg/fanal/secret/builtin-rules.go
+++ b/pkg/fanal/secret/builtin-rules.go
@@ -49,6 +49,7 @@ var (
 CategoryHubSpot = types.SecretRuleCategory("HubSpot")
 CategoryIntercom = types.SecretRuleCategory("Intercom")
 CategoryIonic = types.SecretRuleCategory("Ionic")
+ CategoryJWT = types.SecretRuleCategory("JWT")
 CategoryLinear = types.SecretRuleCategory("Linear")
 CategoryLob = types.SecretRuleCategory("Lob")
 CategoryMailchimp = types.SecretRuleCategory("Mailchimp")
@@ -562,6 +563,13 @@ var builtinRules = []Rule{
 Regex: MustCompile(`(?i)(ionic[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"](ion_[a-z0-9]{42})['\"]`),
 Keywords: []string{"ionic"},
 },
+ {
 ID: "jwt-token",
 Category: CategoryJWT,
 Title: "JWT token",
 Regex: MustCompile(`^([a-zA-Z0-9_=]+)\.([a-zA-Z0-9_=]+)\.([a-zA-Z0-9_\-\+\/=]*)`),
 Keywords: []string{"jwt"},
 },
 {
 ID: "linear-api-token",
 Category: CategoryLinear,
From d0d3315894935873657ef10a5568353b85a5b66e Mon Sep 17 00:00:00 2001
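Review bot: The new `jwt-token` rule in the second hunk is added without any test exercising it — the diffstat of this patch, and of the three that follow, lists only builtin-rules.go. A positive case with a constructed three-segment `eyJ…` sample (not a real token) and a negative case with a dotted version string or hostname would pin the intended scope of the rule, and would have exposed the breadth of this first `^…\.…\.…` regex before the follow-up rewrite. The rule also has no comment saying which token format it targets; a one-line `// Compact-serialized JWT: base64url header.payload.signature` above the entry would help the next person tuning it. The enclosing `builtinRules` literal begins and ends outside the hunk.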
From: very-doge-wow <95224950+very-doge-wow@users.noreply.github.com>
Date: Tue, 31 Oct 2023 14:08:06 +0100
Subject: [PATCH 2/4] refactor(secret): more specific rule for JWT tokens

As used by gitleaks: https://github.com/gitleaks/gitleaks/blob/master/cmd/generate/config/rules/jwt.go
---
 pkg/fanal/secret/builtin-rules.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/fanal/secret/builtin-rules.go b/pkg/fanal/secret/builtin-rules.go
index 0cf13609ac0..d6abe208e01 100644
--- a/pkg/fanal/secret/builtin-rules.go
+++ b/pkg/fanal/secret/builtin-rules.go
@@ -567,7 +567,7 @@ var builtinRules = []Rule{
 ID: "jwt-token",
 Category: CategoryJWT,
 Title: "JWT token",
- Regex: MustCompile(`^([a-zA-Z0-9_=]+)\.([a-zA-Z0-9_=]+)\.([a-zA-Z0-9_\-\+\/=]*)`),
+ Regex: MustCompile(`ey[a-zA-Z0-9]{17,}\.ey[a-zA-Z0-9\/\\_-]{17,}\.(?:[a-zA-Z0-9\/\\_-]{10,}={0,2})?`),
 Keywords: []string{"jwt"},
 },
 {
From 4dff433188dcd21b0eb965800ad075e124913dda Mon Sep 17 00:00:00 2001
From: very-doge-wow <95224950+very-doge-wow@users.noreply.github.com>
Date: Tue, 7 Nov 2023 12:58:33 +0000
Subject: [PATCH 3/4] refactor(secret): add CRITICAL severity to new JWT rule

---
 pkg/fanal/secret/builtin-rules.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/pkg/fanal/secret/builtin-rules.go b/pkg/fanal/secret/builtin-rules.go
index d6abe208e01..60a8c6bf2c7 100644
--- a/pkg/fanal/secret/builtin-rules.go
+++ b/pkg/fanal/secret/builtin-rules.go
@@ -567,6 +567,7 @@ var builtinRules = []Rule{
 ID: "jwt-token",
 Category: CategoryJWT,
 Title: "JWT token",
+ Severity: "CRITICAL",
 Regex: MustCompile(`ey[a-zA-Z0-9]{17,}\.ey[a-zA-Z0-9\/\\_-]{17,}\.(?:[a-zA-Z0-9\/\\_-]{10,}={0,2})?`),
 Keywords: []string{"jwt"},
 },
From a12c43c395956b60b1be109a9f671ead9ca806a9 Mon Sep 17 00:00:00 2001
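Review bot: The `Keywords: []string{"jwt"}` line kept below the rewritten regex undercuts it: a bare token never contains the substring "jwt", so if the scanner only applies a rule to content in which one of its keywords occurs (the neighbouring rules' keyword lists read like such a prefilter, but I am inferring that), the Dockerfile `ARG` leak the series' first commit describes would go unreported unless the file happens to also mention "jwt". The gitleaks rule this pattern is credited to gates on the token prefix instead, as far as I recall; `Keywords: []string{"ey"}` would gate on the same prefix the regex requires and keep the two consistent. Separately, the pattern has no boundary on either side, so it can also match inside a longer base64 blob that contains `ey`-led segments — acceptable for a recall-oriented scanner, but worth a short comment on the rule. The enclosing `builtinRules` literal begins and ends outside the hunk.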
From: very-doge-wow <95224950+very-doge-wow@users.noreply.github.com>
Date: Wed, 8 Nov 2023 09:08:41 +0000
Subject: [PATCH 4/4] refactor(secret): jwt severity as MEDIUM

---
 pkg/fanal/secret/builtin-rules.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/fanal/secret/builtin-rules.go b/pkg/fanal/secret/builtin-rules.go
index 60a8c6bf2c7..58330c91686 100644
--- a/pkg/fanal/secret/builtin-rules.go
+++ b/pkg/fanal/secret/builtin-rules.go
@@ -567,7 +567,7 @@ var builtinRules = []Rule{
 ID: "jwt-token",
 Category: CategoryJWT,
 Title: "JWT token",
- Severity: "CRITICAL",
+ Severity: "MEDIUM",
 Regex: MustCompile(`ey[a-zA-Z0-9]{17,}\.ey[a-zA-Z0-9\/\\_-]{17,}\.(?:[a-zA-Z0-9\/\\_-]{10,}={0,2})?`),
 Keywords: []string{"jwt"},
 },