Feat/add fingerprint no git (#952)

* no-git support fingerprint support * updating gitleaksignore w/ no-git false positives * fix test
gitleaks · Aug 12, 2022 · 1b3f10c · 1b3f10c
1 parent 6748a89
commit 1b3f10c
Show file tree

Hide file tree

Showing 4 changed files with 69 additions and 1 deletion.
diff --git a/.gitleaksignore b/.gitleaksignore
@@ -651,3 +651,65 @@ bc26e979c5911cf647c1bede0b3700ebaaa454c8:checks_test.go:aws-access-token:36
 8f352bd840f028b481dc725b77d2f4904b77913b:checks_test.go:aws-access-token:34
 ec2fc9d6cb0954fb3b57201cf6133c48d8ca0d29:checks_test.go:aws-access-token:37
 06c9e824d5985c8e8789321ae70de7ace3b093dc:main.go:aws-access-token:15
+
+README.md:aws-access-token:204
+README.md:aws-access-token:205
+README.md:aws-access-token:244
+cmd/generate/config/rules/privatekey.go:private-key:19
+cmd/generate/config/rules/generic.go:clojars-api-token:43
+cmd/generate/config/rules/generic.go:generic-api-key:45
+cmd/generate/config/rules/generic.go:generic-api-key:46
+cmd/generate/config/rules/sidekiq.go:sidekiq-secret:22
+cmd/generate/config/rules/sidekiq.go:sidekiq-secret:23
+cmd/generate/config/rules/sidekiq.go:sidekiq-secret:24
+cmd/generate/config/rules/sidekiq.go:sidekiq-secret:28
+cmd/generate/config/rules/sidekiq.go:sidekiq-secret:29
+cmd/generate/config/rules/sidekiq.go:sidekiq-sensitive-url:46
+cmd/generate/config/rules/sidekiq.go:sidekiq-sensitive-url:48
+cmd/generate/config/rules/sidekiq.go:sidekiq-sensitive-url:50
+cmd/generate/config/rules/sidekiq.go:sidekiq-sensitive-url:52
+cmd/generate/config/rules/sidekiq.go:sidekiq-sensitive-url:54
+cmd/generate/config/rules/sidekiq.go:sidekiq-sensitive-url:55
+cmd/generate/config/rules/sidekiq.go:sidekiq-sensitive-url:56
+cmd/generate/config/rules/sidekiq.go:sidekiq-sensitive-url:57
+config/config_test.go:aws-access-token:31
+detect/detect_test.go:sidekiq-secret:120
+detect/detect_test.go:sidekiq-secret:126
+detect/detect_test.go:sidekiq-secret:142
+detect/detect_test.go:aws-access-token:50
+detect/detect_test.go:aws-access-token:60
+detect/detect_test.go:aws-access-token:61
+detect/detect_test.go:aws-access-token:98
+detect/detect_test.go:aws-access-token:104
+detect/detect_test.go:aws-access-token:105
+detect/detect_test.go:aws-access-token:186
+detect/detect_test.go:aws-access-token:194
+detect/detect_test.go:aws-access-token:202
+detect/detect_test.go:aws-access-token:288
+detect/detect_test.go:aws-access-token:296
+detect/detect_test.go:aws-access-token:359
+detect/detect_test.go:aws-access-token:360
+detect/detect_test.go:aws-access-token:378
+detect/detect_test.go:aws-access-token:379
+detect/detect_test.go:aws-access-token:404
+detect/detect_test.go:aws-access-token:405
+detect/detect_test.go:aws-access-token:480
+detect/detect_test.go:aws-access-token:481
+detect/detect_test.go:aws-access-token:499
+detect/detect_test.go:aws-access-token:500
+detect/detect_test.go:sidekiq-sensitive-url:164
+detect/detect_test.go:sidekiq-sensitive-url:170
+detect/detect_test.go:pypi-upload-token:76
+detect/detect_test.go:pypi-upload-token:82
+detect/detect_test.go:pypi-upload-token:83
+detect/detect_test.go:discord-api-token:211
+detect/detect_test.go:discord-api-token:233
+detect/detect_test.go:discord-api-token:241
+detect/detect_test.go:discord-api-token:263
+detect/detect_test.go:discord-api-token:279
+testdata/config/allow_aws_re.toml:aws-access-token:9
+testdata/config/allow_global_aws_re.toml:aws-access-token:8
+testdata/expected/git/small-branch-foo.txt:aws-access-token:15
+testdata/expected/git/small.txt:aws-access-token:15
+testdata/expected/git/small.txt:aws-access-token:44
+testdata/repos/nogit/main.go:aws-access-token:20
diff --git a/detect/detect.go b/detect/detect.go
@@ -450,6 +450,11 @@ func (d *Detector) Detect(fragment Fragment) []report.Finding {
 
 // addFinding synchronously adds a finding to the findings slice
 func (d *Detector) addFinding(finding report.Finding) {
+	if finding.Commit == "" {
+		finding.Fingerprint = fmt.Sprintf("%s:%s:%d", finding.File, finding.RuleID, finding.StartLine)
+	} else {
+		finding.Fingerprint = fmt.Sprintf("%s:%s:%s:%d", finding.Commit, finding.File, finding.RuleID, finding.StartLine)
+	}
 	// check if we should ignore this finding
 	if _, ok := d.gitleaksIgnore[finding.Fingerprint]; ok {
 		log.Debug().Msgf("ignoring finding with Fingerprint %s",

diff --git a/detect/detect_test.go b/detect/detect_test.go
@@ -483,6 +483,7 @@ func TestFromFiles(t *testing.T) {
 					RuleID:      "aws-access-key",
 					Tags:        []string{"key", "AWS"},
 					Entropy:     3.0841837,
+					Fingerprint: "../testdata/repos/nogit/main.go:aws-access-key:20",
 				},
 			},
 		},
@@ -502,6 +503,7 @@ func TestFromFiles(t *testing.T) {
 					RuleID:      "aws-access-key",
 					Tags:        []string{"key", "AWS"},
 					Entropy:     3.0841837,
+					Fingerprint: "../testdata/repos/nogit/main.go:aws-access-key:20",
 				},
 			},
 		},

diff --git a/detect/utils.go b/detect/utils.go
@@ -30,7 +30,6 @@ func augmentGitFinding(finding report.Finding, textFragment *gitdiff.TextFragmen
 		}
 		finding.Date = f.PatchHeader.AuthorDate.UTC().Format(time.RFC3339)
 	}
-	finding.Fingerprint = fmt.Sprintf("%s:%s:%s:%d", finding.Commit, finding.File, finding.RuleID, finding.StartLine)
 	return finding
 }