From 8f299ff8cd115d61029c937b9128d9a2903072fd Mon Sep 17 00:00:00 2001 From: Cody Rose Date: Fri, 23 Aug 2024 10:59:07 -0400 Subject: [PATCH] Skip filtration for targeted scans #3243 There is a scenario in which results filtration is known to cause problems, and this PR disables it in that scenario. (It should cause problems more generally, but lacking any concrete cases of that, I want to tread lightly.) --- pkg/engine/engine.go | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/pkg/engine/engine.go b/pkg/engine/engine.go index 4b524d45c..b19b0054d 100644 --- a/pkg/engine/engine.go +++ b/pkg/engine/engine.go @@ -905,7 +905,15 @@ func (e *Engine) verificationOverlapWorker(ctx context.Context) { detectorKeysWithResults[detector.Key] = detector } - results = e.filterResults(ctx, detector, results) + // If results filtration eliminates a rotated secret, then that rotation will never be reported. This + // problem can theoretically occur for any scan, but we've only actually seen it in practice during + // targeted scans. (The reason for this discrepancy is unclear.) The simplest fix is therefore to + // disable filtration for targeted scans, but if you're here because this problem surfaced for a + // non-targeted scan then we'll have to solve it correctly. + if chunk.chunk.SecretID == 0 { + results = e.filterResults(ctx, detector, results) + } + for _, res := range results { var val []byte if res.RawV2 != nil { @@ -1043,7 +1051,14 @@ func (e *Engine) detectChunk(ctx context.Context, data detectableChunk) { e.metrics.detectorAvgTime.Store(detectorName, avgTime) } - results = e.filterResults(ctx, data.detector, results) + // If results filtration eliminates a rotated secret, then that rotation will never be reported. This problem + // can theoretically occur for any scan, but we've only actually seen it in practice during targeted scans. (The + // reason for this discrepancy is unclear.) The simplest fix is therefore to disable filtration for targeted + // scans, but if you're here because this problem surfaced for a non-targeted scan then we'll have to solve it + // correctly. + if data.chunk.SecretID == 0 { + results = e.filterResults(ctx, data.detector, results) + } for _, res := range results { e.processResult(ctx, data, res, isFalsePositive)