Add configurable detectors (#1139)

* JDBC detector ignore patterns * Remove newline --------- Co-authored-by: Bill Rich <bill.rich@trufflesec.com>
2024-11-10 15:14:38 +00:00 · 2023-04-20 11:44:28 -07:00 · 2023-04-20 11:44:28 -07:00 · a6902ae9cb
commit a6902ae9cb
parent 6dd24d17d4
2 changed files with 89 additions and 1 deletions
--- a/pkg/detectors/jdbc/jdbc.go
+++ b/pkg/detectors/jdbc/jdbc.go
@ -4,6 +4,7 @@ import (
 	"context"
 	"database/sql"
 	"errors"
+	"fmt"
 	"regexp"
 	"strings"
 	"time"
@ -12,7 +13,35 @@ import (
 	"github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb"
 )

-type Scanner struct{}
+type Scanner struct {
+	ignorePatterns []regexp.Regexp
+}
+
+func New(opts ...func(*Scanner)) *Scanner {
+	scanner := &Scanner{
+		ignorePatterns: []regexp.Regexp{},
+	}
+	for _, opt := range opts {
+		opt(scanner)
+	}
+
+	return scanner
+}
+
+func WithIgnorePattern(ignoreStrings []string) func(*Scanner) {
+	return func(s *Scanner) {
+		ignorePatterns := []regexp.Regexp{}
+		for _, ignoreString := range ignoreStrings {
+			ignorePattern, err := regexp.Compile(ignoreString)
+			if err != nil {
+				panic(fmt.Sprintf("%s is not a valid regex, error received: %v", ignoreString, err))
+			}
+			ignorePatterns = append(ignorePatterns, *ignorePattern)
+		}
+
+		s.ignorePatterns = ignorePatterns
+	}
+}

 // Ensure the Scanner satisfies the interface at compile time.
 var _ detectors.Detector = (*Scanner)(nil)
@ -32,7 +61,15 @@ func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (result
 	dataStr := string(data)

 	matches := keyPat.FindAllStringSubmatch(dataStr, -1)
+matchLoop:
 	for _, match := range matches {
+		if len(s.ignorePatterns) != 0 {
+			for _, ignore := range s.ignorePatterns {
+				if ignore.MatchString(match[0]) {
+					continue matchLoop
+				}
+			}
+		}
 		jdbcConn := match[0]

 		s := detectors.Result{
--- a/pkg/detectors/jdbc/jdbc_test.go
+++ b/pkg/detectors/jdbc/jdbc_test.go
@ -156,6 +156,57 @@ func TestJdbc_FromChunk(t *testing.T) {
 	}
 }

+func TestJdbc_FromDataWithIgnorePattern(t *testing.T) {
+	type args struct {
+		ctx    context.Context
+		data   []byte
+		verify bool
+	}
+	tests := []struct {
+		name           string
+		args           args
+		want           []detectors.Result
+		ignorePatterns []string
+		wantErr        bool
+	}{
+		{
+			name: "not found",
+			args: args{
+				ctx:    context.Background(),
+				data:   []byte("jdbc:sqlite::secretpattern:"),
+				verify: false,
+			},
+			want: nil,
+			ignorePatterns: []string{
+				".*secretpattern.*",
+			},
+			wantErr: false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			s := New(WithIgnorePattern(tt.ignorePatterns))
+			got, err := s.FromData(tt.args.ctx, tt.args.verify, tt.args.data)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("Jdbc.FromDataWithConfig() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+			if os.Getenv("FORCE_PASS_DIFF") == "true" {
+				return
+			}
+			for i := range got {
+				if len(got[i].Raw) == 0 {
+					t.Fatal("no raw secret present")
+				}
+				got[i].Raw = nil
+			}
+			if diff := pretty.Compare(got, tt.want); diff != "" {
+				t.Errorf("Jdbc.FromDataWithConfig() %s diff: (-got +want)\n%s", tt.name, diff)
+			}
+		})
+	}
+}
+
 func BenchmarkFromData(benchmark *testing.B) {
 	ctx := context.Background()
 	s := Scanner{}