trufflehog/pkg/detectors/falsepositives.go

package detectors

import (
	_ "embed"
	"math"
	"strings"
	"unicode"
	"unicode/utf8"

	ahocorasick "github.com/BobuSumisu/aho-corasick"
)

var DefaultFalsePositives = []FalsePositive{"example", "xxxxxx", "aaaaaa", "abcde", "00000", "sample", "www"}

type FalsePositive string

//go:embed "badlist.txt"
var badList []byte

//go:embed "words.txt"
var wordList []byte

//go:embed "programmingbooks.txt"
var programmingBookWords []byte

var filter *ahocorasick.Trie

func init() {
	builder := ahocorasick.NewTrieBuilder()

	wordList := bytesToCleanWordList(wordList)
	builder.AddStrings(wordList)

	badList := bytesToCleanWordList(badList)
	builder.AddStrings(badList)

	programmingBookWords := bytesToCleanWordList(programmingBookWords)
	builder.AddStrings(programmingBookWords)

	filter = builder.Build()
}

// IsKnownFalsePositives will not return a valid secret finding if any of the disqualifying conditions are met
// Currently that includes: No number, english word in key, or matches common example pattens.
// Only the secret key material should be passed into this function
func IsKnownFalsePositive(match string, falsePositives []FalsePositive, wordCheck bool) bool {
	if !utf8.ValidString(match) {
		return true
	}
	lower := strings.ToLower(match)
	for _, fp := range falsePositives {
		if strings.Contains(lower, string(fp)) {
			return true
		}
	}

	if wordCheck {
		if filter.MatchFirstString(lower) != nil {
			return true
		}
	}

	return false
}

func HasDigit(key string) bool {
	for _, ch := range key {
		if unicode.IsDigit(ch) {
			return true
		}
	}

	return false
}

func bytesToCleanWordList(data []byte) []string {
	words := make(map[string]struct{})
	for _, word := range strings.Split(string(data), "\n") {
		if strings.TrimSpace(word) != "" {
			words[strings.TrimSpace(strings.ToLower(word))] = struct{}{}
		}
	}

	wordList := make([]string, 0, len(words))
	for word := range words {
		wordList = append(wordList, word)
	}
	return wordList
}

func StringShannonEntropy(input string) float64 {
	chars := make(map[rune]float64)
	inverseTotal := 1 / float64(len(input)) // precompute the inverse

	for _, char := range input {
		chars[char]++
	}

	entropy := 0.0
	for _, count := range chars {
		probability := count * inverseTotal
		entropy += probability * math.Log2(probability)
	}

	return -entropy
}

// FilterResultsWithEntropy filters out determinately unverified results that have a shannon entropy below the given value.
func FilterResultsWithEntropy(results []Result, entropy float64) []Result {
	var filteredResults []Result
	for _, result := range results {
		if !result.Verified {
			if result.RawV2 != nil {
				if StringShannonEntropy(string(result.RawV2)) >= entropy {
					filteredResults = append(filteredResults, result)
				}
			} else {
				if StringShannonEntropy(string(result.Raw)) >= entropy {
					filteredResults = append(filteredResults, result)
				}
			}
		}
	}
	return filteredResults
}
more detectors 2022-01-19 06:24:42 +00:00			`package detectors`

			`import (`
			`_ "embed"`
Add an option to filter unverified results using shannon entropy (#1875) * Add an option to filter unverified results using shannon entropy * lint * add test, update test, and optimize 2023-10-09 02:52:28 +00:00			`"math"`
more detectors 2022-01-19 06:24:42 +00:00			`"strings"`
			`"unicode"`
[chore] Speedup IsKnownFalsePositive using sets (#2090) Also check that the match is a valid UTF-8 string. 2023-11-03 15:45:00 +00:00			`"unicode/utf8"`
Improve fp ignore logic (#2351) * forgot field change * use aho corasick for filter * reduce wordlist sensitivity 2024-01-29 19:28:46 +00:00
			`ahocorasick "github.com/BobuSumisu/aho-corasick"`
more detectors 2022-01-19 06:24:42 +00:00			`)`

prevent www from being a key to prevent fp (#1418) 2023-06-25 15:55:11 +00:00			`var DefaultFalsePositives = []FalsePositive{"example", "xxxxxx", "aaaaaa", "abcde", "00000", "sample", "www"}`
more detectors 2022-01-19 06:24:42 +00:00
			`type FalsePositive string`

			`//go:embed "badlist.txt"`
			`var badList []byte`

			`//go:embed "words.txt"`
			`var wordList []byte`

			`//go:embed "programmingbooks.txt"`
			`var programmingBookWords []byte`

Improve fp ignore logic (#2351) * forgot field change * use aho corasick for filter * reduce wordlist sensitivity 2024-01-29 19:28:46 +00:00			`var filter *ahocorasick.Trie`

			`func init() {`
			`builder := ahocorasick.NewTrieBuilder()`

			`wordList := bytesToCleanWordList(wordList)`
			`builder.AddStrings(wordList)`
more detectors 2022-01-19 06:24:42 +00:00
Improve fp ignore logic (#2351) * forgot field change * use aho corasick for filter * reduce wordlist sensitivity 2024-01-29 19:28:46 +00:00			`badList := bytesToCleanWordList(badList)`
			`builder.AddStrings(badList)`

			`programmingBookWords := bytesToCleanWordList(programmingBookWords)`
			`builder.AddStrings(programmingBookWords)`

			`filter = builder.Build()`
more detectors 2022-01-19 06:24:42 +00:00			`}`

prevent www from being a key to prevent fp (#1418) 2023-06-25 15:55:11 +00:00			`// IsKnownFalsePositives will not return a valid secret finding if any of the disqualifying conditions are met`
			`// Currently that includes: No number, english word in key, or matches common example pattens.`
			`// Only the secret key material should be passed into this function`
more detectors 2022-01-19 06:24:42 +00:00			`func IsKnownFalsePositive(match string, falsePositives []FalsePositive, wordCheck bool) bool {`
[chore] Speedup IsKnownFalsePositive using sets (#2090) Also check that the match is a valid UTF-8 string. 2023-11-03 15:45:00 +00:00			`if !utf8.ValidString(match) {`
			`return true`
			`}`
			`lower := strings.ToLower(match)`
more detectors 2022-01-19 06:24:42 +00:00			`for _, fp := range falsePositives {`
[chore] Speedup IsKnownFalsePositive using sets (#2090) Also check that the match is a valid UTF-8 string. 2023-11-03 15:45:00 +00:00			`if strings.Contains(lower, string(fp)) {`
more detectors 2022-01-19 06:24:42 +00:00			`return true`
			`}`
			`}`

			`if wordCheck {`
Improve fp ignore logic (#2351) * forgot field change * use aho corasick for filter * reduce wordlist sensitivity 2024-01-29 19:28:46 +00:00			`if filter.MatchFirstString(lower) != nil {`
more detectors 2022-01-19 06:24:42 +00:00			`return true`
			`}`
			`}`
Improve fp ignore logic (#2351) * forgot field change * use aho corasick for filter * reduce wordlist sensitivity 2024-01-29 19:28:46 +00:00
more detectors 2022-01-19 06:24:42 +00:00			`return false`
			`}`

			`func HasDigit(key string) bool {`
			`for _, ch := range key {`
			`if unicode.IsDigit(ch) {`
			`return true`
			`}`
			`}`

			`return false`
			`}`

Improve fp ignore logic (#2351) * forgot field change * use aho corasick for filter * reduce wordlist sensitivity 2024-01-29 19:28:46 +00:00			`func bytesToCleanWordList(data []byte) []string {`
[chore] Speedup IsKnownFalsePositive using sets (#2090) Also check that the match is a valid UTF-8 string. 2023-11-03 15:45:00 +00:00			`words := make(map[string]struct{})`
more detectors 2022-01-19 06:24:42 +00:00			`for _, word := range strings.Split(string(data), "\n") {`
			`if strings.TrimSpace(word) != "" {`
[chore] Speedup IsKnownFalsePositive using sets (#2090) Also check that the match is a valid UTF-8 string. 2023-11-03 15:45:00 +00:00			`words[strings.TrimSpace(strings.ToLower(word))] = struct{}{}`
more detectors 2022-01-19 06:24:42 +00:00			`}`
			`}`
Improve fp ignore logic (#2351) * forgot field change * use aho corasick for filter * reduce wordlist sensitivity 2024-01-29 19:28:46 +00:00
			`wordList := make([]string, 0, len(words))`
			`for word := range words {`
			`wordList = append(wordList, word)`
			`}`
			`return wordList`
more detectors 2022-01-19 06:24:42 +00:00			`}`
Add an option to filter unverified results using shannon entropy (#1875) * Add an option to filter unverified results using shannon entropy * lint * add test, update test, and optimize 2023-10-09 02:52:28 +00:00
			`func StringShannonEntropy(input string) float64 {`
			`chars := make(map[rune]float64)`
			`inverseTotal := 1 / float64(len(input)) // precompute the inverse`

			`for _, char := range input {`
			`chars[char]++`
			`}`

			`entropy := 0.0`
			`for _, count := range chars {`
			`probability := count * inverseTotal`
			`entropy += probability * math.Log2(probability)`
			`}`

			`return -entropy`
			`}`

			`// FilterResultsWithEntropy filters out determinately unverified results that have a shannon entropy below the given value.`
			`func FilterResultsWithEntropy(results []Result, entropy float64) []Result {`
make empty slice delcration consistent (#2144) 2023-12-01 19:03:44 +00:00			`var filteredResults []Result`
Add an option to filter unverified results using shannon entropy (#1875) * Add an option to filter unverified results using shannon entropy * lint * add test, update test, and optimize 2023-10-09 02:52:28 +00:00			`for _, result := range results {`
added azuresearchadminkey detector (#2348) * added azuresearchadminkey detector * additional update * update import * fix raw fields for new detectors and entropy check --------- Co-authored-by: Dustin Decker <dustin@trufflesec.com> 2024-01-29 17:55:46 +00:00			`if !result.Verified {`
Add an option to filter unverified results using shannon entropy (#1875) * Add an option to filter unverified results using shannon entropy * lint * add test, update test, and optimize 2023-10-09 02:52:28 +00:00			`if result.RawV2 != nil {`
			`if StringShannonEntropy(string(result.RawV2)) >= entropy {`
			`filteredResults = append(filteredResults, result)`
			`}`
			`} else {`
			`if StringShannonEntropy(string(result.Raw)) >= entropy {`
			`filteredResults = append(filteredResults, result)`
			`}`
			`}`
			`}`
			`}`
			`return filteredResults`
			`}`