feat(detectors): use map for false positives
This commit is contained in:
parent
5ecc35cdd2
commit
4e6d5a1ccc
4 changed files with 25 additions and 13 deletions
|
@ -14,8 +14,10 @@ import (
|
|||
)
|
||||
|
||||
var (
|
||||
DefaultFalsePositives = []FalsePositive{"example", "xxxxxx", "aaaaaa", "abcde", "00000", "sample", "*****"}
|
||||
UuidFalsePositives []FalsePositive
|
||||
DefaultFalsePositives = map[FalsePositive]struct{}{
|
||||
"example": {}, "xxxxxx": {}, "aaaaaa": {}, "abcde": {}, "00000": {}, "sample": {}, "*****": {},
|
||||
}
|
||||
UuidFalsePositives map[FalsePositive]struct{}
|
||||
)
|
||||
|
||||
type FalsePositive string
|
||||
|
@ -59,9 +61,9 @@ func init() {
|
|||
filter = builder.Build()
|
||||
|
||||
// Populate custom FalsePositive list
|
||||
UuidFalsePositives = make([]FalsePositive, len(uuidList))
|
||||
for i, uuid := range uuidList {
|
||||
UuidFalsePositives[i] = FalsePositive(uuid)
|
||||
UuidFalsePositives = make(map[FalsePositive]struct{}, len(uuidList))
|
||||
for _, uuid := range uuidList {
|
||||
UuidFalsePositives[FalsePositive(uuid)] = struct{}{}
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -80,16 +82,19 @@ func GetFalsePositiveCheck(detector Detector) func(Result) (bool, string) {
|
|||
//
|
||||
// Currently, this includes: english word in key or matches common example patterns.
|
||||
// Only the secret key material should be passed into this function
|
||||
func IsKnownFalsePositive(match string, falsePositives []FalsePositive, wordCheck bool) (bool, string) {
|
||||
func IsKnownFalsePositive(match string, falsePositives map[FalsePositive]struct{}, wordCheck bool) (bool, string) {
|
||||
if !utf8.ValidString(match) {
|
||||
return true, "invalid utf8"
|
||||
}
|
||||
lower := strings.ToLower(match)
|
||||
for _, fp := range falsePositives {
|
||||
for fp := range falsePositives {
|
||||
fps := string(fp)
|
||||
if strings.Contains(lower, fps) {
|
||||
if lower == fps {
|
||||
return true, "matches term: " + fps
|
||||
}
|
||||
if strings.Contains(lower, fps) {
|
||||
return true, "contains term: " + fps
|
||||
}
|
||||
}
|
||||
|
||||
if wordCheck {
|
||||
|
|
|
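Review bot: The map in the new `IsKnownFalsePositive` signature is only ranged over, never indexed, so the change keeps the O(n) scan of the old slice while trading its deterministic order for Go's randomized map iteration: when a value matches more than one entry (say both "00000" and "xxxxxx" as substrings), the reason string now varies between calls, and any caller or test that compares the reason string would see that as flakiness. The exact-match branch added at `if lower == fps` is where the map actually pays off; do that lookup once before the loop and keep the loop for the substring case only. IsKnownFalsePositive's body continues past the hunk (`if wordCheck {`). DefaultFalsePositives in the first hunk is now package-level mutable map state shared by every detector; a comment such as `// Read concurrently by detectors; must not be written after package init (a concurrent map write is a fatal runtime error).` would be worth adding there.
```go
lower := strings.ToLower(match)
// Exact match is a single map lookup; only substring matches need the scan.
if _, ok := falsePositives[FalsePositive(lower)]; ok {
	return true, "matches term: " + lower
}
for fp := range falsePositives {
	fps := string(fp)
	if strings.Contains(lower, fps) {
		return true, "contains term: " + fps
	}
}
// … unchanged: wordCheck branch …
```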
@ -27,7 +27,7 @@ func (d fakeDetector) Type() detectorspb.DetectorType {
|
|||
}
|
||||
|
||||
func (d customFalsePositiveChecker) IsFalsePositive(result Result) (bool, string) {
|
||||
return IsKnownFalsePositive(string(result.Raw), []FalsePositive{"a specific magic string"}, false)
|
||||
return IsKnownFalsePositive(string(result.Raw), map[FalsePositive]struct{}{"a specific magic string": {}}, false)
|
||||
}
|
||||
|
||||
func TestFilterKnownFalsePositives_DefaultLogic(t *testing.T) {
|
||||
|
@ -68,7 +68,7 @@ func TestFilterKnownFalsePositives_CustomLogic(t *testing.T) {
|
|||
func TestIsFalsePositive(t *testing.T) {
|
||||
type args struct {
|
||||
match string
|
||||
falsePositives []FalsePositive
|
||||
falsePositives map[FalsePositive]struct{}
|
||||
useWordlist bool
|
||||
}
|
||||
tests := []struct {
|
||||
|
|
|
@ -103,8 +103,12 @@ func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (result
|
|||
return results, nil
|
||||
}
|
||||
|
||||
var ftpFalsePositives = map[detectors.FalsePositive]struct{}{
|
||||
detectors.FalsePositive("@ftp.freebsd.org"): {},
|
||||
}
|
||||
|
||||
func (s Scanner) IsFalsePositive(result detectors.Result) (bool, string) {
|
||||
return detectors.IsKnownFalsePositive(string(result.Raw), []detectors.FalsePositive{"@ftp.freebsd.org"}, false)
|
||||
return detectors.IsKnownFalsePositive(string(result.Raw), ftpFalsePositives, false)
|
||||
}
|
||||
|
||||
func isErrDeterminate(e error) bool {
|
||||
|
|
|
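Review bot: `ftpFalsePositives` is a new package-level `var` with no doc comment, and the explicit `detectors.FalsePositive("@ftp.freebsd.org")` conversion is unnecessary: an untyped string constant converts to the key type inside a map literal, so `"@ftp.freebsd.org": {}` reads cleaner and matches the form used for DefaultFalsePositives in this same commit. A one-line comment such as `// ftpFalsePositives lists matches known to be benign; read-only after init, since writing to it while detectors read it would be a data race.` would document both the intent and the no-mutation expectation. The same two points apply to `ghFalsePositives` in the github detector hunk below.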
@ -57,6 +57,10 @@ func (s Scanner) Keywords() []string {
|
|||
return []string{"github", "gh", "pat", "token"}
|
||||
}
|
||||
|
||||
var ghFalsePositives = map[detectors.FalsePositive]struct{}{
|
||||
detectors.FalsePositive("github commit"): {},
|
||||
}
|
||||
|
||||
// FromData will find and optionally verify GitHub secrets in a given set of bytes.
|
||||
func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (results []detectors.Result, err error) {
|
||||
dataStr := string(data)
|
||||
|
@ -73,8 +77,7 @@ func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (result
|
|||
|
||||
// Note that this false positive check happens **before** verification! I don't know why it's written this way
|
||||
// but that's why this logic wasn't moved into a CustomFalsePositiveChecker implementation.
|
||||
specificFPs := []detectors.FalsePositive{"github commit"}
|
||||
if isFp, _ := detectors.IsKnownFalsePositive(token, specificFPs, false); isFp {
|
||||
if isFp, _ := detectors.IsKnownFalsePositive(token, ghFalsePositives, false); isFp {
|
||||
continue
|
||||
}
|
||||
|
||||
|
|