bridgecrewio · marynaKK · Sep 29, 2022 · Sep 28, 2022 · Sep 28, 2022 · Sep 28, 2022
diff --git a/checkov/secrets/plugins/entropy_keyword_combinator.py b/checkov/secrets/plugins/entropy_keyword_combinator.py
@@ -12,12 +12,13 @@
     from detect_secrets.util.code_snippet import CodeSnippet
 
 MAX_LINE_LENGTH = 10000
+ENTROPY_KEYWORD_COMBINATOR_LIMIT = 3
 
 
 class EntropyKeywordCombinator(BasePlugin):
     secret_type = ""  # nosec  # noqa: CCE003  # a static attribute
 
-    def __init__(self, limit: float) -> None:
+    def __init__(self, limit: float = ENTROPY_KEYWORD_COMBINATOR_LIMIT) -> None:
         self.high_entropy_scanners = (Base64HighEntropyString(limit=limit), HexHighEntropyString(limit=limit))
         self.keyword_scanner = KeywordDetector()
 
@@ -34,22 +35,14 @@ def analyze_line(
         one of the entropy scanners find a match (on a line which was already matched by keyword plugin) - it is returned.
         for source code files run and merge the two plugins.
         """
-        entropy_matches = set()
         if len(line) <= MAX_LINE_LENGTH:
-            keyword_matches = self.keyword_scanner.analyze_line(filename, line, line_number, **kwargs)
-            if f".{filename.split('.')[-1]}" in SOURCE_CODE_EXTENSION:
-                for entropy_scanner in self.high_entropy_scanners:
-                    matches = entropy_scanner.analyze_line(filename, line, line_number, **kwargs)
-                    if matches:
-                        entropy_matches = matches
-                        break
-                keyword_entropy = keyword_matches.union(entropy_matches)
-                return keyword_entropy
-            if keyword_matches:
-                for entropy_scanner in self.high_entropy_scanners:
-                    matches = entropy_scanner.analyze_line(filename, line, line_number, **kwargs)
-                    if matches:
-                        return matches
+            if f".{filename.split('.')[-1]}" not in SOURCE_CODE_EXTENSION:
+                keyword_matches = self.keyword_scanner.analyze_line(filename, line, line_number, **kwargs)
+                if keyword_matches:
+                    for entropy_scanner in self.high_entropy_scanners:
+                        matches = entropy_scanner.analyze_line(filename, line, line_number, **kwargs)
+                        if matches:
+                            return matches
         return set()
 
     def analyze_string(self, string: str) -> Generator[str, None, None]:

diff --git a/checkov/secrets/runner.py b/checkov/secrets/runner.py
@@ -60,7 +60,6 @@
 }
 CHECK_ID_TO_SECRET_TYPE = {v: k for k, v in SECRET_TYPE_TO_ID.items()}
 
-ENTROPY_KEYWORD_LIMIT = 3
 PROHIBITED_FILES = ['Pipfile.lock', 'yarn.lock', 'package-lock.json', 'requirements.txt']
 
 MAX_FILE_SIZE = int(os.getenv('CHECKOV_MAX_FILE_SIZE', '5000000'))  # 5 MB is default limit
@@ -69,62 +68,36 @@
 class Runner(BaseRunner[None]):
     check_type = CheckType.SECRETS  # noqa: CCE003  # a static attribute
 
-    def run(
-            self,
+    def run(self,
             root_folder: str | None,
             external_checks_dir: list[str] | None = None,
             files: list[str] | None = None,
             runner_filter: RunnerFilter | None = None,
             collect_skip_comments: bool = True
-    ) -> Report:
+            ) -> Report:
         runner_filter = runner_filter or RunnerFilter()
         current_dir = Path(__file__).parent
         secrets = SecretsCollection()
         plugins_used = \
             [
-                {
-                    'name': 'AWSKeyDetector'
-                },
-                {
-                    'name': 'ArtifactoryDetector'
-                },
-                {
-                    'name': 'AzureStorageKeyDetector'
-                },
-                {
-                    'name': 'BasicAuthDetector'
-                },
-                {
-                    'name': 'CloudantDetector'
-                },
-                {
-                    'name': 'IbmCloudIamDetector'
-                },
-                {
-                    'name': 'MailchimpDetector'
-                },
-                {
-                    'name': 'PrivateKeyDetector'
-                },
-                {
-                    'name': 'SlackDetector'
-                },
-                {
-                    'name': 'SoftlayerDetector'
-                },
-                {
-                    'name': 'SquareOAuthDetector'
-                },
-                {
-                    'name': 'StripeDetector'
-                },
-                {
-                    'name': 'TwilioKeyDetector'
-                },
+                {'name': 'AWSKeyDetector'},
+                {'name': 'ArtifactoryDetector'},
+                {'name': 'AzureStorageKeyDetector'},
+                {'name': 'BasicAuthDetector'},
+                {'name': 'CloudantDetector'},
+                {'name': 'IbmCloudIamDetector'},
+                {'name': 'MailchimpDetector'},
+                {'name': 'PrivateKeyDetector'},
+                {'name': 'SlackDetector'},
+                {'name': 'SoftlayerDetector'},
+                {'name': 'SquareOAuthDetector'},
+                {'name': 'StripeDetector'},
+                {'name': 'TwilioKeyDetector'},
+                {'name': 'Base64HighEntropyString'},  # default limit from secrets lib is 4.5
+                {'name': 'HexHighEntropyString'},  # default limit from secrets lib is 4.5
                 {
                     'name': 'EntropyKeywordCombinator',
-                    'path': f'file://{current_dir}/plugins/entropy_keyword_combinator.py',
-                    'limit': ENTROPY_KEYWORD_LIMIT
+                    'path': f'file://{current_dir}/plugins/entropy_keyword_combinator.py'
                 }
             ]
         custom_plugins = os.getenv("CHECKOV_CUSTOM_DETECTOR_PLUGINS_PATH")
@@ -284,4 +257,4 @@ def search_for_suppression(
                     "result": CheckResult.SKIPPED,
                     "suppress_comment": skip_search.group(3)[1:] if skip_search.group(3) else "No comment provided"
                 }
-        return None
+        return None
diff --git a/tests/secrets/resources/cfn/secret-no-false-positive.yml b/tests/secrets/resources/cfn/secret-no-false-positive.yml
@@ -0,0 +1,29 @@
+"""
+
+no False Positive - where it's not an actual secret
+check_metadata_values = ('bafadssda$#%2', 'bdfsver#$@%')
+CHECKOV_METADATA_RESULT = 'checkov_results5243gvr'
+check1 = {'blabla': 'blabla1'}
+check2 = {'blabla': 'blabla2'}
+check1['some_key_1235#$@'] = check2.get('some_value_1235')
+
+
+"""
+
+  CleanBucketFunction:
+    Type: "AWS::Lambda::Function"
+    DependsOn: CleanupRole
+    Properties:
+      Handler: index.clearS3Bucket
+      Role:
+        Fn::GetAtt: CleanupRole.Arn
+      Runtime: nodejs12.x
+      Timeout: 25
+      Code:
+        ZipFile: |
+          no False Positive - where it's not an actual secret
+          check_metadata_values = ('bafadssda$#%2', 'bdfsver#$@%')
+          CHECKOV_METADATA_RESULT = 'checkov_results5243gvr'
+          check1 = {'blabla': 'blabla1'}
+          check2 = {'blabla': 'blabla2'}
+          check1['some_key_1235#$@'] = check2.get('some_value_1235')
diff --git a/tests/secrets/resources/file_type/test.py b/tests/secrets/resources/file_type/test.py
@@ -1,3 +1,11 @@
+# no False Positive - where it's not an actual secret
+check_metadata_values = ('bafadssda$#%2', 'bdfsver#$@%')
+CHECKOV_METADATA_RESULT = 'checkov_results5243gvr'
+check1 = {'blabla': 'blabla1'}
+check2 = {'blabla': 'blabla2'}
+check1['some_key_1235#$@'] = check2.get('some_value_1235')
+
+
 access_key = "AKIAIOSFODNN7EXAMPLE"
 secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
 if __name__ == '__main__':

diff --git a/tests/secrets/test_plugin.py b/tests/secrets/test_plugin.py
@@ -1,12 +1,11 @@
 import unittest
 
 from checkov.secrets.plugins.entropy_keyword_combinator import EntropyKeywordCombinator
-from checkov.secrets.runner import ENTROPY_KEYWORD_LIMIT
 
 
 class TestCombinatorPlugin(unittest.TestCase):
     def setUp(self) -> None:
-        self.plugin = EntropyKeywordCombinator(ENTROPY_KEYWORD_LIMIT)
+        self.plugin = EntropyKeywordCombinator()
 
     def test_positive_value(self):
         result = self.plugin.analyze_line("mock.tf", 'api_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMAAAKEY"', 5)
@@ -31,8 +30,6 @@ def test_popular_kubernetes_manifest_password(self):
         self.assertEqual("bfd3617727eab0e800e62a776c76381defbc4145", secret.secret_hash)
 
     def test_source_code_file_value(self):
+        # combinator plugin should ignore source code files
         result = self.plugin.analyze_line("main.py", 'api_key = "7T)G#dl5}c=T>kf$G3Bon^!R?kzF00"', 1)
-        self.assertEqual(1, len(result))
-        secret = result.pop()
-        self.assertEqual("Secret Keyword", secret.type)
-        self.assertEqual("93beaa774e56483f19e4fe916ce87e62d4b3ea85", secret.secret_hash)
+        self.assertEqual(0, len(result))