gitlab-secret_detection 0.19.0 → 0.21.0

data/lib/gitlab/secret_detection/grpc/scanner_service.rb

@@ -32,6 +32,7 @@ module Gitlab
     module GRPC
       class ScannerService < Scanner::Service
         include SDLogger
+        include IntegratedErrorTracking
 
         # Maximum timeout value that can be given as the input. This guards
         # against the misuse of timeouts.
@@ -45,19 +46,34 @@ module Gitlab
         }.freeze
 
         # Implementation for /Scan RPC method
-        def scan(request, _call)
-          scan_request_action(request)
+        def scan(request, call)
+          scan_request_action(request, call)
         end
 
         # Implementation for /ScanStream RPC method
-        def scan_stream(requests, _call)
-          request_action = ->(r) { scan_request_action(r) }
+        def scan_stream(requests, call)
+          request_action = ->(r) { scan_request_action(r, call) }
           StreamEnumerator.new(requests, request_action).each_item
         end
 
         private
 
-        def scan_request_action(request)
+        def scan_request_action(request, call)
+          if request.nil?
+            logger.error(
+              message: "FATAL: Secret Detection gRPC scan request is `nil`",
+              deadline: call.deadline,
+              cancelled: call.cancelled?
+            )
+            return Gitlab::SecretDetection::GRPC::ScanResponse.new(
+              results: [],
+              status: Gitlab::SecretDetection::GRPC::ScanResponse::Status::STATUS_INPUT_ERROR,
+              applied_exclusions: []
+            )
+          end
+
+          logger.info(message: "Secret Detection gRPC scan request received")
+
           validate_request(request)
 
           payloads = request.payloads.to_a
@@ -66,7 +82,7 @@ module Gitlab
           request.exclusions.each do |exclusion|
             case exclusion.exclusion_type
             when :EXCLUSION_TYPE_RAW_VALUE
-              exclusions[:raw] << exclusion
+              exclusions[:raw_value] << exclusion
             when :EXCLUSION_TYPE_RULE
               exclusions[:rule] << exclusion
             when :EXCLUSION_TYPE_PATH
@@ -85,7 +101,8 @@ module Gitlab
               payload_timeout: request.payload_timeout_secs
             )
           rescue StandardError => e
-            logger.error("Failed to run the scan: #{e}")
+            logger.error(message: "Failed to run the secret detection scan", exception: e.message)
+            track_exception(e)
             raise ::GRPC::Unknown, e.message
           end
 

data/lib/gitlab/secret_detection/grpc.rb

@@ -1,5 +1,6 @@
 # frozen_string_literal: true
 
+require_relative 'grpc/integrated_error_tracking'
 require_relative 'grpc/scanner_service'
 require_relative 'grpc/client/stream_request_enumerator'
 require_relative 'grpc/client/grpc_client'

data/lib/gitlab/secret_detection/utils/masker.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+module Gitlab
+  module SecretDetection
+    module Utils
+      class Masker
+        DEFAULT_VISIBLE_CHAR_COUNT = 3
+        DEFAULT_MASK_CHAR_COUNT = 5
+        DEFAULT_MASK_CHAR = '*'
+
+        class << self
+          def mask_secret(
+            raw_secret_value,
+            mask_char: DEFAULT_MASK_CHAR,
+            visible_chars_count: DEFAULT_VISIBLE_CHAR_COUNT,
+            mask_chars_count: DEFAULT_MASK_CHAR_COUNT
+          )
+            return '' if raw_secret_value.nil? || raw_secret_value.empty?
+            return raw_secret_value if raw_secret_value.length <= visible_chars_count # Too short to mask
+
+            chars = raw_secret_value.chars
+            position = 0
+
+            while position < chars.length
+              # Show 'visible_chars_count' characters
+              position += visible_chars_count
+
+              # Mask next 'mask_chars' characters if available
+              mask_chars_count.times do
+                break if position >= chars.length
+
+                chars[position] = mask_char
+                position += 1
+              end
+            end
+
+            chars.join
+          end
+        end
+      end
+    end
+  end
+end

data/lib/gitlab/secret_detection/utils.rb

@@ -2,6 +2,7 @@
 
 require_relative 'utils/certificate'
 require_relative 'utils/memoize'
+require_relative 'utils/masker'
 
 module Gitlab
   module SecretDetection

data/lib/gitlab/secret_detection/version.rb

@@ -3,12 +3,9 @@
 module Gitlab
   module SecretDetection
     class Gem
-      # TODO: This is a temporary fix to avoid runtime issues
-      # More details are available here:
-      #  https://gitlab.com/gitlab-org/gitlab/-/issues/514015
-      #
       # Ensure to maintain the same version in CHANGELOG file.
-      VERSION = "0.19.0"
+      # More details available under 'Release Process' section in the README.md file.
+      VERSION = "0.21.0"
 
       # SD_ENV env var is used to determine which environment the
       # server is running. This var is defined in `.runway/env-<env>.yml` files.

data/proto/secret_detection.proto

@@ -18,6 +18,7 @@ enum ExclusionType {
   EXCLUSION_TYPE_RULE = 1; // Rule ID to exclude
   EXCLUSION_TYPE_RAW_VALUE = 2; // Raw value to exclude
   EXCLUSION_TYPE_PATH = 3; // Specific file path to exclude
+  EXCLUSION_TYPE_REGEX_PATTERN = 4; // Regular expression to exclude
 }
 
 /* Request arg for triggering Scan/ScanStream method */
@@ -40,6 +41,7 @@ message ScanRequest {
 }
 
 /* Response from Scan/ScanStream method */
+/* Any changes to these definitions must be matched by changes in the Core classes that correspond to them */
 message ScanResponse {
   // Represents a secret finding identified within a payload
   message Finding {

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: gitlab-secret_detection
 version: !ruby/object:Gem::Version
-  version: 0.19.0
+  version: 0.21.0
 platform: ruby
 authors:
 - group::secret detection
@@ -10,7 +10,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-02-13 00:00:00.000000000 Z
+date: 2025-03-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: grpc
@@ -82,6 +82,34 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '2.7'
+- !ruby/object:Gem::Dependency
+  name: sentry-ruby
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.22'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.22'
+- !ruby/object:Gem::Dependency
+  name: stackprof
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.2.27
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.2.27
 - !ruby/object:Gem::Dependency
   name: toml-rb
   requirement: !ruby/object:Gem::Requirement
@@ -124,9 +152,11 @@ files:
 - lib/gitlab/secret_detection/grpc/generated/.gitkeep
 - lib/gitlab/secret_detection/grpc/generated/secret_detection_pb.rb
 - lib/gitlab/secret_detection/grpc/generated/secret_detection_services_pb.rb
+- lib/gitlab/secret_detection/grpc/integrated_error_tracking.rb
 - lib/gitlab/secret_detection/grpc/scanner_service.rb
 - lib/gitlab/secret_detection/utils.rb
 - lib/gitlab/secret_detection/utils/certificate.rb
+- lib/gitlab/secret_detection/utils/masker.rb
 - lib/gitlab/secret_detection/utils/memoize.rb
 - lib/gitlab/secret_detection/version.rb
 - proto/secret_detection.proto