
Tags: trufflesecurity/trufflehog

v3.90.13

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature.
Add source type label to chunk size metric (#4543)

We're tracking chunk size - but not by source type, which means we can't use the metric to locate potential chunking anomalies by source type. It's really easy to add a source type label, so I did.

v3.90.12

Verified

Remove depaware (#4515)

depaware is a dependency monitoring tool that we have wired up but don't actually use. This commit removes it so that we don't have to keep maintaining the dependency.

v3.90.11

Verified

bump rardecode (#4503)

Version 2.2.0 of rardecode appears to have a compilation bug that sometimes causes problems with applications that vendor this one. This commit attempts to roll forward past the bug.

v3.90.10

Verified

Local Git Config Sanitization (#4502)

This commit prevents TruffleHog from executing arbitrary commands located in archived malicious git repositories. Thanks to Adam Reiser at Cisco Talos for pointing this out!

This approach uses Git's recommended best practice for sanitizing untrusted git configs: git clone all local file:// git repos prior to scanning. Executing git clone does not execute any of the potentially malicious git configs in the untrusted repo directory, and the output only includes "safe" default configs, similar to what we see when cloning from remote.

We explored a few other approaches (allowlist, denylist, etc), but those carried lots of complications.

A few notes about how this works:

* This only applies to local repositories scanned using the git subcommand.
* Remote git targets are not impacted.
* Local git targets are now cloned to temp by default prior to scanning. Users can specify a --clone-path argument if they don't want to use the default temp dir. Users can specify --trust-local-git-config if they want to trust the repo as is and bypass cloning.
* Local --bare repos are handled appropriately.
* This approach knocks out (most...all?) of this class of malicious git config vulnerabilities.
Testing:
There's coverage for most of the new code, including: test cases for the specific issue reported, local bare clones, local repos with staged commits, etc. All are passing.
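The clone-before-scan property this change relies on, as an added shell demonstration that is not part of the TruffleHog code base: it builds a constructed local repo carrying a benign placeholder config key (demo.untrustedSetting), clones it over file:// into a temp directory the way the commit describes, and checks that the clone's config no longer carries that key. It assumes git is installed; every path, key and value is constructed for the demo.

```shell
#!/bin/sh
# Added demonstration (not TruffleHog code) of the property the v3.90.10 change
# relies on: `git clone` over file:// writes a fresh .git/config with only the
# default entries, so repo-local config from an untrusted checkout does not
# travel into the copy that is actually scanned.
# Assumes git is installed; every path, key and value below is constructed.

# Build a constructed "untrusted" local repo: one commit plus a benign
# placeholder config key standing in for whatever the untrusted repo shipped.
make_untrusted_repo() {
  repo="$(mktemp -d)"
  git -C "$repo" init --quiet 2>/dev/null
  git -C "$repo" config user.email demo@example.invalid
  git -C "$repo" config user.name demo
  git -C "$repo" config demo.untrustedSetting "value-from-repo-local-config"
  printf 'hello\n' >"$repo/README"
  git -C "$repo" add README
  git -C "$repo" commit --quiet -m "initial"
  printf '%s\n' "$repo"
}

# Clone-before-scan: copy the local repo into a temp dir through the file://
# transport and print the path a scanner should use instead of the original.
sanitize_local_repo() {
  dest="$(mktemp -d)"
  git clone --quiet "file://$1" "$dest" 2>/dev/null || return 1
  printf '%s\n' "$dest"
}

# Succeeds (exit 0) when the repo at $1 carries no demo.untrustedSetting entry.
lacks_untrusted_setting() {
  ! git -C "$1" config --local --get demo.untrustedSetting >/dev/null 2>&1
}

# End-to-end check: the original has the key, the clone does not.
run_demo() {
  src="$(make_untrusted_repo)"
  dst="$(sanitize_local_repo "$src")" || return 1
  if lacks_untrusted_setting "$src"; then
    echo "unexpected: source repo lost its config"; return 1
  fi
  lacks_untrusted_setting "$dst" || { echo "clone still carries key"; return 1; }
  echo "clone at $dst has only default config; scan that path, not $src"
}

run_demo
```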

v3.90.9

Verified

Bump github.com/nwaples/rardecode/v2 (#4501)

Bumps [github.com/nwaples/rardecode/v2](https://github.com/nwaples/rardecode) from 2.0.0-beta.4.0.20241112120701-034e449c6e78 to 2.2.0.
- [Commits](https://github.com/nwaples/rardecode/commits/v2.2.0)

---
updated-dependencies:
- dependency-name: github.com/nwaples/rardecode/v2
  dependency-version: 2.2.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

v3.90.8

Verified

Pre-filter GitHub v1 findings to prevent large numbers of validation requests (#4468)

v3.90.7

Verified

Add metrics to SaneHTTPClient (#4471)

* Add metrics to SaneHTTPClient
1. Increment counter for URL
2. Time the latency
3. Increment counter for non-200 calls
Added Tests

* resolve lint issues

v3.90.6

Verified

Added feature flag to configure projects per page in gitlab enumeration (#4437)

* Added flag to configure projects per page in gitlab enumeration

* changed comments wording

* Resolved conflicts

* use features instead of flag

* updated comment

v3.90.5

Verified

Update proto definitions for custom bitbucket oauth (#4390)

Update the proto definitions found for Bitbucket sources to have an OAuth option in the config file. Also regenerated the Protobuf files with the changes.

v3.90.4

Verified

added User to proto (#4378)

* added User to proto

* ran make protos

---------

Co-authored-by: Amaan Ullah <aman.ullah.jalal@trufflesec.com>