Merge 86ee87f into 3d1840d

thoughtworks · Aug 26, 2020 · 41fd201 · 41fd201
2 parents 3d1840d + 86ee87f
commit 41fd201
Show file tree

Hide file tree

Showing 8 changed files with 138 additions and 76 deletions.
diff --git a/.talismanrc b/.talismanrc
@@ -1,26 +1,27 @@
 fileignoreconfig:
-- filename: detector/pattern_detector_test.go
-  checksum: 4d70b790f28f2d23d506f808d489aa43f1efd2514549ae6a83a535e1223382e3
 - filename: detector/detection_results_test.go
   checksum: 69fed055782cddfe0f0d23ea440cef9f9dd0b9e8a3c8a73856741bb26257b223
   ignore_detectors:
   - filecontent
-- filename: detector/match_pattern_test.go
-  checksum: d68aa0e06355e3b848941727d1fcb32cf47e3d615f9921f0db39855325010446
-  ignore_detectors: []
-- filename: global_install_scripts/install.bash
-  checksum: 5d659125ecbe619ea99f5bc71c2d761b586ce3ec9ccab7683ee54f4ebde9f748
 - filename: detector/filecontent/filecontent_detector_test.go
   checksum: affb25839a87476dcef4f4169ccb9b54b2d2f2437cef3aca24f4d3b69d5886c5
+- filename: detector/filename/filename_detector.go
+  checksum: 5404565683a7e812fa98ff2d14237c4d1ba7dc5b4aca2dd3ba663b33dc8ddae7
+- filename: detector/filename/filename_detector_test.go
+  checksum: 0a9c9f113e203ca29d3a9bf0b4802a252e990c2132e1f168a46ab49ed532e6c9
+- filename: detector/match_pattern_test.go
+  checksum: d68aa0e06355e3b848941727d1fcb32cf47e3d615f9921f0db39855325010446
 - filename: detector/pattern/match_pattern_test.go
   checksum: b90530d286fbc0ee864d2350fc0c532e0fb2f01149d51e81339b420439014238
+- filename: detector/pattern/pattern_detector.go
+  checksum: 98c4edddc95b4b974ed9b3e4f48079f2503b5c85309fadf37878a3d28de31e72
 - filename: detector/pattern/pattern_detector_test.go
   checksum: 4d70b790f28f2d23d506f808d489aa43f1efd2514549ae6a83a535e1223382e3
-- filename: detector/pattern/pattern_detector.go
-  checksum: 248bc5f67fa12d39b0fa1b63319a5b125006858a11603a837d8c53dbab2277c3
-- filename: detector/filename/filename_detector.go
-  checksum: 5782cb11c373723ec7b40279a3dd375c0cd1d285ac0d032599f0300d9e133eec
-- filename: detector/filename/filename_detector_test.go
-  checksum: 0a9c9f113e203ca29d3a9bf0b4802a252e990c2132e1f168a46ab49ed532e6c9
+- filename: detector/pattern_detector_test.go
+  checksum: 4d70b790f28f2d23d506f808d489aa43f1efd2514549ae6a83a535e1223382e3
+- filename: detector/severity/severity_config.go
+  checksum: 7e5442d7ee07a6fad12cf636c5dc2880c69b9593fd286e44d567e178ffdd0194
+- filename: global_install_scripts/install.bash
+  checksum: 5d659125ecbe619ea99f5bc71c2d761b586ce3ec9ccab7683ee54f4ebde9f748
 scopeconfig:
 - scope: go
diff --git a/README.md b/README.md
@@ -363,9 +363,9 @@ custom_patterns:
 ## Configuring severity threshold
 
 Each validation is associated with a severity 
-1. low
-2. medium
-3. high
+1. Low
+2. Medium
+3. High
 
 You can specify a threshold in your .talismanrc: 
 
@@ -374,7 +374,9 @@ threshold: medium
 ```
 This will report all Medium severity issues and higher (Potential risks that are below the threshold will be reported in the warnings)
 
-By default, the threshold is set to low
+1. A list of all risks with their severity level can be found in this [configuration file](detector/severity/severity_config.go).
+2. By default, the threshold is set to low.
+3. Any custom search patterns you add, are considered to be of high severity.
 
 ## Talisman as a CLI utility
 

diff --git a/detector/filecontent/filecontent_detector.go b/detector/filecontent/filecontent_detector.go
@@ -85,17 +85,17 @@ func (fc *FileContentDetector) Test(comparator helpers.ChecksumCompare, currentA
 		{
 			contentType: base64Content,
 			fn:          checkBase64,
-			severity:    severity.Medium(),
+			severity:    severity.SeverityConfiguration["Base64Content"],
 		},
 		{
 			contentType: hexContent,
 			fn:          checkHex,
-			severity:    severity.Medium(),
+			severity:    severity.SeverityConfiguration["HexContent"],
 		},
 		{
 			contentType: creditCardContent,
 			fn:          checkCreditCardNumber,
-			severity:    severity.High(),
+			severity:    severity.SeverityConfiguration["CreditCardContent"],
 		},
 	}
 	re := regexp.MustCompile(`(?i)checksum[ \t]*:[ \t]*[0-9a-fA-F]+`)

diff --git a/detector/filename/filename_detector.go b/detector/filename/filename_detector.go
@@ -15,53 +15,53 @@ import (
 
 var (
 	filenamePatterns = []*severity.PatternSeverity{
-		{Pattern: regexp.MustCompile(`^.+_rsa$`), Severity: severity.Low()},
-		{Pattern: regexp.MustCompile(`^.+_dsa.*$`), Severity: severity.High()},
-		{Pattern: regexp.MustCompile(`^.+_ed25519$`), Severity: severity.Low()},
-		{Pattern: regexp.MustCompile(`^.+_ecdsa$`), Severity: severity.Low()},
-		{Pattern: regexp.MustCompile(`^\.\w+_history$`), Severity: severity.Low()},
-		{Pattern: regexp.MustCompile(`^.+\.pem$`), Severity: severity.High()},
-		{Pattern: regexp.MustCompile(`^.+\.ppk$`), Severity: severity.High()},
-		{Pattern: regexp.MustCompile(`^.+\.key(pair)?$`), Severity: severity.High()},
-		{Pattern: regexp.MustCompile(`^.+\.pkcs12$`), Severity: severity.Low()},
-		{Pattern: regexp.MustCompile(`^.+\.pfx$`), Severity: severity.Low()},
-		{Pattern: regexp.MustCompile(`^.+\.p12$`), Severity: severity.Low()},
-		{Pattern: regexp.MustCompile(`^.+\.asc$`), Severity: severity.Low()},
-		{Pattern: regexp.MustCompile(`^\.?htpasswd$`), Severity: severity.Low()},
-		{Pattern: regexp.MustCompile(`^\.?netrc$`), Severity: severity.Low()},
-		{Pattern: regexp.MustCompile(`^.*\.tblk$`), Severity: severity.Low()},
-		{Pattern: regexp.MustCompile(`^.*\.ovpn$`), Severity: severity.Low()},
-		{Pattern: regexp.MustCompile(`^.*\.kdb$`), Severity: severity.Low()},
-		{Pattern: regexp.MustCompile(`^.*\.agilekeychain$`), Severity: severity.Low()},
-		{Pattern: regexp.MustCompile(`^.*\.keychain$`), Severity: severity.Low()},
-		{Pattern: regexp.MustCompile(`^.*\.key(store|ring)$`), Severity: severity.Low()},
-		{Pattern: regexp.MustCompile(`^jenkins\.plugins\.publish_over_ssh\.BapSshPublisherPlugin.xml$`), Severity: severity.Low()},
-		{Pattern: regexp.MustCompile(`^credentials\.xml$`), Severity: severity.Low()},
-		{Pattern: regexp.MustCompile(`^.*\.pubxml(\.user)?$`), Severity: severity.Low()},
-		{Pattern: regexp.MustCompile(`^\.?s3cfg$`), Severity: severity.Low()},
-		{Pattern: regexp.MustCompile(`^\.gitrobrc$`), Severity: severity.Low()},
-		{Pattern: regexp.MustCompile(`^\.?(bash|zsh)rc$`), Severity: severity.Low()},
-		{Pattern: regexp.MustCompile(`^\.?(bash_|zsh_)?profile$`), Severity: severity.Low()},
-		{Pattern: regexp.MustCompile(`^\.?(bash_|zsh_)?aliases$`), Severity: severity.Low()},
-		{Pattern: regexp.MustCompile(`^secret_token.rb$`), Severity: severity.High()},
-		{Pattern: regexp.MustCompile(`^omniauth.rb$`), Severity: severity.Low()},
-		{Pattern: regexp.MustCompile(`^carrierwave.rb$`), Severity: severity.Low()},
-		{Pattern: regexp.MustCompile(`^schema.rb$`), Severity: severity.Low()},
-		{Pattern: regexp.MustCompile(`^database.yml$`), Severity: severity.Low()},
-		{Pattern: regexp.MustCompile(`^settings.py$`), Severity: severity.Low()},
-		{Pattern: regexp.MustCompile(`^.*(config)(\.inc)?\.php$`), Severity: severity.Low()},
-		{Pattern: regexp.MustCompile(`^LocalSettings.php$`), Severity: severity.Low()},
-		{Pattern: regexp.MustCompile(`\.?env`), Severity: severity.Low()},
-		{Pattern: regexp.MustCompile(`\bdump|dump\b`), Severity: severity.Low()},
-		{Pattern: regexp.MustCompile(`\bsql|sql\b`), Severity: severity.Low()},
-		{Pattern: regexp.MustCompile(`\bdump|dump\b`), Severity: severity.Low()},
-		{Pattern: regexp.MustCompile(`password`), Severity: severity.Low()},
-		{Pattern: regexp.MustCompile(`backup`), Severity: severity.Low()},
-		{Pattern: regexp.MustCompile(`private.*key`), Severity: severity.High()},
-		{Pattern: regexp.MustCompile(`(oauth).*(token)`), Severity: severity.Low()},
-		{Pattern: regexp.MustCompile(`^.*\.log$`), Severity: severity.Low()},
-		{Pattern: regexp.MustCompile(`^\.?kwallet$`), Severity: severity.Low()},
-		{Pattern: regexp.MustCompile(`^\.?gnucash$`), Severity: severity.Low()},
+		{Pattern: regexp.MustCompile(`^.+_rsa$`), Severity: severity.SeverityConfiguration["RSAFile"]},
+		{Pattern: regexp.MustCompile(`^.+_dsa.*$`), Severity: severity.SeverityConfiguration["DSAFile"]},
+		{Pattern: regexp.MustCompile(`^.+_ed25519$`), Severity: severity.SeverityConfiguration["DSAFile"]},
+		{Pattern: regexp.MustCompile(`^.+_ecdsa$`), Severity: severity.SeverityConfiguration["DSAFile"]},
+		{Pattern: regexp.MustCompile(`^\.\w+_history$`), Severity: severity.SeverityConfiguration["ShellHistory"]},
+		{Pattern: regexp.MustCompile(`^.+\.pem$`), Severity: severity.SeverityConfiguration["PemFile"]},
+		{Pattern: regexp.MustCompile(`^.+\.ppk$`), Severity: severity.SeverityConfiguration["PpkFile"]},
+		{Pattern: regexp.MustCompile(`^.+\.key(pair)?$`), Severity: severity.SeverityConfiguration["KeyPairFile"]},
+		{Pattern: regexp.MustCompile(`^.+\.pkcs12$`), Severity: severity.SeverityConfiguration["PKCSFile"]},
+		{Pattern: regexp.MustCompile(`^.+\.pfx$`), Severity: severity.SeverityConfiguration["PFXFile"]},
+		{Pattern: regexp.MustCompile(`^.+\.p12$`), Severity: severity.SeverityConfiguration["P12File"]},
+		{Pattern: regexp.MustCompile(`^.+\.asc$`), Severity: severity.SeverityConfiguration["ASCFile"]},
+		{Pattern: regexp.MustCompile(`^\.?htpasswd$`), Severity: severity.SeverityConfiguration["HTPASSWDFile"]},
+		{Pattern: regexp.MustCompile(`^\.?netrc$`), Severity: severity.SeverityConfiguration["NetrcFile"]},
+		{Pattern: regexp.MustCompile(`^.*\.tblk$`), Severity: severity.SeverityConfiguration["TunnelBlockFile"]},
+		{Pattern: regexp.MustCompile(`^.*\.ovpn$`), Severity: severity.SeverityConfiguration["OpenVPNFile"]},
+		{Pattern: regexp.MustCompile(`^.*\.kdb$`), Severity: severity.SeverityConfiguration["KDBFile"]},
+		{Pattern: regexp.MustCompile(`^.*\.agilekeychain$`), Severity: severity.SeverityConfiguration["AgileKeyChainFile"]},
+		{Pattern: regexp.MustCompile(`^.*\.keychain$`), Severity: severity.SeverityConfiguration["KeyChainFile"]},
+		{Pattern: regexp.MustCompile(`^.*\.key(store|ring)$`), Severity: severity.SeverityConfiguration["KeyStoreFile"]},
+		{Pattern: regexp.MustCompile(`^jenkins\.plugins\.publish_over_ssh\.BapSshPublisherPlugin.xml$`), Severity: severity.SeverityConfiguration["JenkinsPublishOverSSHFile"]},
+		{Pattern: regexp.MustCompile(`^credentials\.xml$`), Severity: severity.SeverityConfiguration["CredentialsXML"]},
+		{Pattern: regexp.MustCompile(`^.*\.pubxml(\.user)?$`), Severity: severity.SeverityConfiguration["PubXML"]},
+		{Pattern: regexp.MustCompile(`^\.?s3cfg$`), Severity: severity.SeverityConfiguration["s3Config"]},
+		{Pattern: regexp.MustCompile(`^\.gitrobrc$`), Severity: severity.SeverityConfiguration["GitRobRC"]},
+		{Pattern: regexp.MustCompile(`^\.?(bash|zsh)rc$`), Severity: severity.SeverityConfiguration["ShellRC"]},
+		{Pattern: regexp.MustCompile(`^\.?(bash_|zsh_)?profile$`), Severity: severity.SeverityConfiguration["ShellProfile"]},
+		{Pattern: regexp.MustCompile(`^\.?(bash_|zsh_)?aliases$`), Severity: severity.SeverityConfiguration["ShellAlias"]},
+		{Pattern: regexp.MustCompile(`^secret_token.rb$`), Severity: severity.SeverityConfiguration["SecretToken"]},
+		{Pattern: regexp.MustCompile(`^omniauth.rb$`), Severity: severity.SeverityConfiguration["OmniAuth"]},
+		{Pattern: regexp.MustCompile(`^carrierwave.rb$`), Severity: severity.SeverityConfiguration["CarrierWaveRB"]},
+		{Pattern: regexp.MustCompile(`^schema.rb$`), Severity: severity.SeverityConfiguration["SchemaRB"]},
+		{Pattern: regexp.MustCompile(`^database.yml$`), Severity: severity.SeverityConfiguration["DatabaseYml"]},
+		{Pattern: regexp.MustCompile(`^settings.py$`), Severity: severity.SeverityConfiguration["PythonSettings"]},
+		{Pattern: regexp.MustCompile(`^.*(config)(\.inc)?\.php$`), Severity: severity.SeverityConfiguration["PhpConfig"]},
+		{Pattern: regexp.MustCompile(`^LocalSettings.php$`), Severity: severity.SeverityConfiguration["PhpLocalSettings"]},
+		{Pattern: regexp.MustCompile(`\.?env`), Severity: severity.SeverityConfiguration["EnvFile"]},
+		{Pattern: regexp.MustCompile(`\bdump|dump\b`), Severity: severity.SeverityConfiguration["BDumpFile"]},
+		{Pattern: regexp.MustCompile(`\bsql|sql\b`), Severity: severity.SeverityConfiguration["BSQLFile"]},
+		{Pattern: regexp.MustCompile(`\bdump|dump\b`), Severity: severity.SeverityConfiguration["BDumpFile"]},
+		{Pattern: regexp.MustCompile(`password`), Severity: severity.SeverityConfiguration["PasswordFile"]},
+		{Pattern: regexp.MustCompile(`backup`), Severity: severity.SeverityConfiguration["BackupFile"]},
+		{Pattern: regexp.MustCompile(`private.*key`), Severity: severity.SeverityConfiguration["PrivateKeyFile"]},
+		{Pattern: regexp.MustCompile(`(oauth).*(token)`), Severity: severity.SeverityConfiguration["OauthTokenFile"]},
+		{Pattern: regexp.MustCompile(`^.*\.log$`), Severity: severity.SeverityConfiguration["LogFile"]},
+		{Pattern: regexp.MustCompile(`^\.?kwallet$`), Severity: severity.SeverityConfiguration["KWallet"]},
+		{Pattern: regexp.MustCompile(`^\.?gnucash$`), Severity: severity.SeverityConfiguration["GNUCash"]},
 	}
 )
 

diff --git a/detector/filesize/filesize_detector.go b/detector/filesize/filesize_detector.go
@@ -20,7 +20,7 @@ func NewFileSizeDetector(size int) detector.Detector {
 }
 
 func (fd FileSizeDetector) Test(comparator helpers.ChecksumCompare, currentAdditions []gitrepo.Addition, ignoreConfig *talismanrc.TalismanRC, result *helpers.DetectionResults) {
-	severity := severity.Medium()
+	severity := severity.SeverityConfiguration["LargeFileSize"]
 	for _, addition := range currentAdditions {
 		if ignoreConfig.Deny(addition, "filesize") || comparator.IsScanNotRequired(addition) {
 			log.WithFields(log.Fields{

diff --git a/detector/pattern/match_pattern.go b/detector/pattern/match_pattern.go
@@ -40,7 +40,7 @@ func (pm *PatternMatcher) add(ps talismanrc.PatternString) {
 		return
 	}
 	logrus.Infof("added custom pattern '%s' with high severity", ps)
-	pm.regexes = append(pm.regexes, &severity.PatternSeverity{Pattern: re, Severity: severity.High()})
+	pm.regexes = append(pm.regexes, &severity.PatternSeverity{Pattern: re, Severity: severity.SeverityConfiguration["CustomPattern"]})
 }
 
 func NewPatternMatcher(patterns []*severity.PatternSeverity) *PatternMatcher {

diff --git a/detector/pattern/pattern_detector.go b/detector/pattern/pattern_detector.go
@@ -18,13 +18,13 @@ type PatternDetector struct {
 
 var (
 	detectorPatterns = []*severity.PatternSeverity{
-		{Pattern: regexp.MustCompile(`(?i)((.*)(password|passphrase|secret|key|pwd|pword|pass)(.*) *[:=>][^,;\n]{8,})`), Severity: severity.Medium()},
-		{Pattern: regexp.MustCompile(`(?i)(['"_]?pw['"]? *[:=][^,;\n]{8,})`), Severity: severity.Medium()},
-		{Pattern: regexp.MustCompile(`(?i)(<ConsumerKey>\S*</ConsumerKey>)`), Severity: severity.High()},
-		{Pattern: regexp.MustCompile(`(?i)(<ConsumerSecret>\S*</ConsumerSecret>)`), Severity: severity.High()},
-		{Pattern: regexp.MustCompile(`(?i)(AWS[ \w]+key[ \w]+[:=])`), Severity: severity.High()},
-		{Pattern: regexp.MustCompile(`(?i)(AWS[ \w]+secret[ \w]+[:=])`), Severity: severity.High()},
-		{Pattern: regexp.MustCompile(`(?s)(BEGIN RSA PRIVATE KEY.*END RSA PRIVATE KEY)`), Severity: severity.High()},
+		{Pattern: regexp.MustCompile(`(?i)((.*)(password|passphrase|secret|key|pwd|pword|pass)(.*) *[:=>][^,;\n]{8,})`), Severity: severity.SeverityConfiguration["PasswordPhrasePattern"]},
+		{Pattern: regexp.MustCompile(`(?i)(['"_]?pw['"]? *[:=][^,;\n]{8,})`), Severity: severity.SeverityConfiguration["PasswordPhrasePattern"]},
+		{Pattern: regexp.MustCompile(`(?i)(<ConsumerKey>\S*</ConsumerKey>)`), Severity: severity.SeverityConfiguration["ConsumerKeyPattern"]},
+		{Pattern: regexp.MustCompile(`(?i)(<ConsumerSecret>\S*</ConsumerSecret>)`), Severity: severity.SeverityConfiguration["ConsumerSecretParrern"]},
+		{Pattern: regexp.MustCompile(`(?i)(AWS[ \w]+key[ \w]+[:=])`), Severity: severity.SeverityConfiguration["AWSKeyPattern"]},
+		{Pattern: regexp.MustCompile(`(?i)(AWS[ \w]+secret[ \w]+[:=])`), Severity: severity.SeverityConfiguration["AWSSecretPattern"]},
+		{Pattern: regexp.MustCompile(`(?s)(BEGIN RSA PRIVATE KEY.*END RSA PRIVATE KEY)`), Severity: severity.SeverityConfiguration["RSAKeyPattern"]},
 	}
 )
 

diff --git a/detector/severity/severity_config.go b/detector/severity/severity_config.go
@@ -0,0 +1,59 @@
+package severity
+
+var SeverityConfiguration = map[string]Severity{
+	"ConsumerKeyPattern": High(),
+	"ConsumerSecretParrern": High(),
+	"AWSKeyPattern": High(),
+	"AWSSecretPattern": High(),
+	"RSAKeyPattern": High(),
+	"DSAFile": High(),
+	"PrivateKeyFile":High(),
+	"CreditCardContent": High(),
+	"PemFile": High(),
+	"PpkFile": High(),
+	"SecretToken": High(),
+	"KeyPairFile": High(),
+	"CustomPattern": High(),
+	"PasswordPhrasePattern": Medium(),
+	"LargeFileSize": Medium(),
+	"Base64Content": Medium(),
+	"HexContent": Medium(),
+	"RSAFile": Low(),
+	"ShellHistory": Low(),
+	"PKCSFile": Low(),
+	"PFXFile": Low(),
+	"P12File": Low(),
+	"ASCFile": Low(),
+	"HTPASSWDFile": Low(),
+	"NetrcFile": Low(),
+	"TunnelBlockFile": Low(),
+	"OpenVPNFile": Low(),
+	"KDBFile": Low(),
+	"AgileKeyChainFile": Low(),
+	"KeyChainFile": Low(),
+	"KeyStoreFile": Low(),
+	"JenkinsPublishOverSSHFile": Low(),
+	"CredentialsXML": Low(),
+	"PubXML": Low(),
+	"s3Config": Low(),
+	"GitRobRC": Low(),
+	"ShellRC": Low(),
+	"ShellProfile": Low(),
+	"ShellAlias": Low(),
+	"OmniAuth": Low(),
+	"CarrierWaveRB": Low(),
+	"SchemaRB": Low(),
+	"DatabaseYml": Low(),
+	"PythonSettings": Low(),
+	"PhpConfig": Low(),
+	"PhpLocalSettings": Low(),
+	"EnvFile": Low(),
+	"BDumpFile": Low(),
+	"BSQLFile": Low(),
+	"PasswordFile":Low(),
+	"BackupFile":Low(),
+	"OauthTokenFile":Low(),
+	"LogFile":Low(),
+	"KWallet":Low(),
+	"GNUCash":Low(),
+}