Add parent results to ignore list (#47)

* Add parent results to ignore list

* Force concurrency to 1 when base commit is set

main.go

@@ -73,6 +73,11 @@ func main() {
 
 	cmd := kingpin.MustParse(cli.Parse(os.Args[1:]))
 
+	// When setting a base commit, chunks must be scanned in order.
+	if *gitScanSinceCommit != "" {
+		*concurrency = 1
+	}
+
 	if *jsonOut {
 		logrus.SetFormatter(&logrus.JSONFormatter{})
 	}

pkg/engine/engine.go

@@ -211,7 +211,9 @@ func (e *Engine) detectorWorker(ctx context.Context) {
 								e.detectedSecret.sync.Unlock()
 							}
 						}
-						e.results <- detectors.CopyMetadata(chunk, result)
+						if !chunk.IgnoreResult {
+							e.results <- detectors.CopyMetadata(chunk, result)
+						}
 					}
 					if len(results) > 0 {
 						elasped := time.Since(start)

pkg/engine/git_test.go

@@ -39,6 +39,13 @@ func TestGitEngine(t *testing.T) {
 			},
 			filter: common.FilterEmpty(),
 		},
+		"base_commit": {
+			expected: map[string]string{
+				"70001020fab32b1fcf2f1f0e5c66424eae649826": "AKIAXYZDQCEN4B6JSJQI",
+			},
+			filter: common.FilterEmpty(),
+			base:   "2f251b8c1e72135a375b659951097ec7749d4af9",
+		},
 	} {
 		e := Start(ctx,
 			WithConcurrency(1),

pkg/sources/git/git.go

@@ -262,15 +262,23 @@ func (s *Git) ScanCommits(repo *git.Repository, scanOptions *ScanOptions, chunks
 	commits := map[int64][]*object.Commit{}
 
 	depth := int64(0)
-	reachedBase := false
+
+	if scanOptions.BaseCommit != nil {
+		parentHashes := scanOptions.BaseCommit.ParentHashes
+		for _, parentHash := range parentHashes {
+			parentCommit, err := repo.CommitObject(parentHash)
+			if err != nil {
+				log.WithError(err).WithField("parentHash", parentHash.String()).WithField("commit", scanOptions.BaseCommit.Hash.String()).Debug("could not find parent commit")
+			}
+			dummyMap := map[plumbing.Hash]bool{}
+			s.scanCommit(repo, parentCommit, &dummyMap, scanOptions, true, chunksChan)
+		}
+	}
+
 	// Create a map of timestamps to commits.
 	commitIter.ForEach(func(commit *object.Commit) error {
-		if scanOptions.BaseCommit != nil && !reachedBase {
-			if commit.Hash == scanOptions.BaseCommit.Hash {
-				reachedBase = true
-			} else {
-				return nil
-			}
+		if scanOptions.BaseCommit != nil && commit.Hash.String() == scanOptions.BaseCommit.Hash.String() {
+			return errors.New("reached base commit")
 		}
 		time := commit.Committer.When.Unix()
 		if _, ok := commits[time]; !ok {
@@ -323,13 +331,13 @@ func (s *Git) ScanCommits(repo *git.Repository, scanOptions *ScanOptions, chunks
 				commits[laterParent] = append(commits[laterParent], commit)
 			}
 
-			s.scanCommit(repo, commit, &seenMap, scanOptions, chunksChan)
+			s.scanCommit(repo, commit, &seenMap, scanOptions, false, chunksChan)
 		}
 	}
 	return nil
 }
 
-func (s *Git) scanCommit(repo *git.Repository, commit *object.Commit, seenMap *map[plumbing.Hash]bool, scanOptions *ScanOptions, chunksChan chan *sources.Chunk) {
+func (s *Git) scanCommit(repo *git.Repository, commit *object.Commit, seenMap *map[plumbing.Hash]bool, scanOptions *ScanOptions, ignoreResult bool, chunksChan chan *sources.Chunk) {
 	remote, err := repo.Remote("origin")
 	if err != nil {
 		log.Errorf("error getting repo name: %s", err)
@@ -374,6 +382,7 @@ func (s *Git) scanCommit(repo *git.Repository, commit *object.Commit, seenMap *m
 			SourceMetadata: metadata,
 			Data:           bytes,
 			Verify:         s.verify,
+			IgnoreResult:   ignoreResult,
 		}
 		(*seenMap)[file.Hash] = true
 		return nil

pkg/sources/sources.go

@@ -24,6 +24,8 @@ type Chunk struct {
 	Data []byte
 	// Verify specifies whether any secrets in the Chunk should be verified.
 	Verify bool
+	// Do not report any results that came from this chunk.
+	IgnoreResult bool
 }
 
 // Source defines the interface required to implement a source chunker.