gitlab-secret_detection 0.20.2 → 0.20.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 5c7ff10984ce1af1372aa46a2cd7583305f51641bbf8872f5c5fb90c92ea0d82
|
|
4
|
+
data.tar.gz: add8b9353eb3d2f24d39d58c7f1695f02bc92e896fa5838553ba9f060bf23a1c
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 77a3b885d321e938fecd389f4d3063ed65da6422aeec14d3a09ea466c9625e720d49e96d6033827a0d5a64fa2e6549e4dc1d2e79b363a1c375de302a54218a81
|
|
7
|
+
data.tar.gz: 607b3a1bc04502208418ec177dee2f4c3d868d50c17b4f510b8bbdc714ab036420565c7ae4525e495484ded7f186a95ba1e3647411a7287a9110f67bfea77573
|
data/README.md
CHANGED
|
@@ -167,9 +167,9 @@ You should see the following response as a result:
|
|
|
167
167
|
|
|
168
168
|
|
|
169
169
|
```shell
|
|
170
|
-
|
|
171
|
-
localhost:50001 \
|
|
170
|
+
grpcurl -plaintext -d @ \
|
|
172
171
|
-rpc-header 'x-sd-auth:12345' \
|
|
172
|
+
localhost:50001 \
|
|
173
173
|
gitlab.secret_detection.Scanner/Scan <<EOM
|
|
174
174
|
{
|
|
175
175
|
"payloads": [
|
|
@@ -38,7 +38,7 @@ module Gitlab
|
|
|
38
38
|
tags: DEFAULT_PATTERN_MATCHER_TAGS,
|
|
39
39
|
include_missing_tags: false
|
|
40
40
|
)
|
|
41
|
-
@default_pattern_matcher = build_pattern_matcher(
|
|
41
|
+
@default_pattern_matcher, @default_rules = build_pattern_matcher(
|
|
42
42
|
tags: DEFAULT_PATTERN_MATCHER_TAGS,
|
|
43
43
|
include_missing_tags: false
|
|
44
44
|
) # includes only gitlab_blocking rules
|
|
@@ -97,11 +97,15 @@ module Gitlab
|
|
|
97
97
|
|
|
98
98
|
next Core::Response.new(status: Core::Status::NOT_FOUND) if matched_payloads.empty?
|
|
99
99
|
|
|
100
|
+
# the pattern matcher will filter rules by tags so we use the filtered rule list
|
|
101
|
+
pattern_matcher, active_rules = build_pattern_matcher(tags:)
|
|
102
|
+
|
|
100
103
|
scan_args = {
|
|
101
104
|
payloads: matched_payloads,
|
|
102
105
|
payload_timeout:,
|
|
103
|
-
pattern_matcher
|
|
104
|
-
exclusions
|
|
106
|
+
pattern_matcher:,
|
|
107
|
+
exclusions:,
|
|
108
|
+
rules: active_rules
|
|
105
109
|
}.freeze
|
|
106
110
|
|
|
107
111
|
logger.info(
|
|
@@ -135,7 +139,7 @@ module Gitlab
|
|
|
135
139
|
|
|
136
140
|
private
|
|
137
141
|
|
|
138
|
-
attr_reader :logger, :rules, :keywords, :default_pattern_matcher, :default_keyword_matcher
|
|
142
|
+
attr_reader :logger, :rules, :keywords, :default_pattern_matcher, :default_keyword_matcher, :default_rules
|
|
139
143
|
|
|
140
144
|
# Builds RE2::Set pattern matcher for the given combination of rules
|
|
141
145
|
# and tags. It also allows a choice(via `include_missing_tags`) to consider rules
|
|
@@ -147,7 +151,7 @@ module Gitlab
|
|
|
147
151
|
logger.info(
|
|
148
152
|
message: "Given tags input matches default matcher tags, using pre-defined RE2 Pattern Matcher"
|
|
149
153
|
)
|
|
150
|
-
return default_pattern_matcher
|
|
154
|
+
return [default_pattern_matcher, default_rules]
|
|
151
155
|
end
|
|
152
156
|
|
|
153
157
|
logger.info(
|
|
@@ -155,21 +159,28 @@ module Gitlab
|
|
|
155
159
|
tags:,
|
|
156
160
|
include_missing_tags:
|
|
157
161
|
)
|
|
162
|
+
active_rules = []
|
|
158
163
|
|
|
159
164
|
matcher = RE2::Set.new
|
|
160
165
|
|
|
161
|
-
|
|
162
|
-
|
|
166
|
+
begin
|
|
167
|
+
rules.each do |rule|
|
|
168
|
+
rule_tags = rule[:tags]
|
|
163
169
|
|
|
164
|
-
|
|
165
|
-
|
|
166
|
-
|
|
167
|
-
|
|
168
|
-
|
|
169
|
-
|
|
170
|
-
|
|
170
|
+
include_rule = if tags.empty?
|
|
171
|
+
true
|
|
172
|
+
elsif rule_tags
|
|
173
|
+
tags.intersect?(rule_tags)
|
|
174
|
+
else
|
|
175
|
+
include_missing_tags
|
|
176
|
+
end
|
|
171
177
|
|
|
172
|
-
|
|
178
|
+
active_rules << rule if include_rule
|
|
179
|
+
matcher.add(rule[:regex]) if include_rule
|
|
180
|
+
end
|
|
181
|
+
rescue StandardError => e
|
|
182
|
+
logger.error "Failed to add regex secret detection ruleset in RE::Set: #{e.message}"
|
|
183
|
+
raise Core::Ruleset::RulesetCompilationError, cause: e
|
|
173
184
|
end
|
|
174
185
|
|
|
175
186
|
unless matcher.compile
|
|
@@ -178,7 +189,7 @@ module Gitlab
|
|
|
178
189
|
raise Core::Ruleset::RulesetCompilationError
|
|
179
190
|
end
|
|
180
191
|
|
|
181
|
-
matcher
|
|
192
|
+
[matcher, active_rules]
|
|
182
193
|
end
|
|
183
194
|
|
|
184
195
|
# Creates and returns the unique set of rule matching keywords
|
|
@@ -271,7 +282,8 @@ module Gitlab
|
|
|
271
282
|
payloads:,
|
|
272
283
|
payload_timeout:,
|
|
273
284
|
pattern_matcher:,
|
|
274
|
-
exclusions: {}
|
|
285
|
+
exclusions: {},
|
|
286
|
+
rules: []
|
|
275
287
|
)
|
|
276
288
|
all_applied_exclusions = Set.new
|
|
277
289
|
|
|
@@ -285,7 +297,8 @@ module Gitlab
|
|
|
285
297
|
findings, applied_exclusions = find_secrets_in_payload(
|
|
286
298
|
payload:,
|
|
287
299
|
pattern_matcher:,
|
|
288
|
-
exclusions
|
|
300
|
+
exclusions:,
|
|
301
|
+
rules:
|
|
289
302
|
)
|
|
290
303
|
all_applied_exclusions.merge(applied_exclusions)
|
|
291
304
|
findings
|
|
@@ -303,9 +316,11 @@ module Gitlab
|
|
|
303
316
|
payloads:,
|
|
304
317
|
payload_timeout:,
|
|
305
318
|
pattern_matcher:,
|
|
306
|
-
exclusions: {}
|
|
319
|
+
exclusions: {},
|
|
320
|
+
rules: []
|
|
307
321
|
)
|
|
308
322
|
all_applied_exclusions = Set.new
|
|
323
|
+
|
|
309
324
|
payload_sizes = payloads.map(&:size)
|
|
310
325
|
grouped_payload_indices = group_by_chunk_size(payload_sizes)
|
|
311
326
|
|
|
@@ -327,7 +342,8 @@ module Gitlab
|
|
|
327
342
|
findings, applied_exclusions = find_secrets_in_payload(
|
|
328
343
|
payload:,
|
|
329
344
|
pattern_matcher:,
|
|
330
|
-
exclusions
|
|
345
|
+
exclusions:,
|
|
346
|
+
rules:
|
|
331
347
|
)
|
|
332
348
|
all_applied_exclusions.merge(applied_exclusions)
|
|
333
349
|
findings
|
|
@@ -345,7 +361,7 @@ module Gitlab
|
|
|
345
361
|
# Finds secrets in the given payload guarded with a timeout as a circuit breaker. It accepts
|
|
346
362
|
# literal values to exclude from the input before the scan, also SD rules to exclude during
|
|
347
363
|
# the scan.
|
|
348
|
-
def find_secrets_in_payload(payload:, pattern_matcher:, exclusions: {})
|
|
364
|
+
def find_secrets_in_payload(payload:, pattern_matcher:, exclusions: {}, rules: @default_rules)
|
|
349
365
|
findings = []
|
|
350
366
|
applied_exclusions = Set.new
|
|
351
367
|
|
|
@@ -421,7 +437,7 @@ module Gitlab
|
|
|
421
437
|
end
|
|
422
438
|
|
|
423
439
|
payloads.all? do |payload|
|
|
424
|
-
has_valid_fields = payload.respond_to?(:id) && payload.respond_to?(:data)
|
|
440
|
+
has_valid_fields = payload.respond_to?(:id) && payload.respond_to?(:data) && payload.data.is_a?(String)
|
|
425
441
|
unless has_valid_fields
|
|
426
442
|
logger.debug(
|
|
427
443
|
message: "Scan input validation error: one of the payloads does not respond to `id` or `data`"
|
|
@@ -8,7 +8,7 @@ module Gitlab
|
|
|
8
8
|
# https://gitlab.com/gitlab-org/gitlab/-/issues/514015
|
|
9
9
|
#
|
|
10
10
|
# Ensure to maintain the same version in CHANGELOG file.
|
|
11
|
-
VERSION = "0.20.
|
|
11
|
+
VERSION = "0.20.3"
|
|
12
12
|
|
|
13
13
|
# SD_ENV env var is used to determine which environment the
|
|
14
14
|
# server is running. This var is defined in `.runway/env-<env>.yml` files.
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: gitlab-secret_detection
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.20.
|
|
4
|
+
version: 0.20.3
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- group::secret detection
|
|
@@ -10,7 +10,7 @@ authors:
|
|
|
10
10
|
autorequire:
|
|
11
11
|
bindir: bin
|
|
12
12
|
cert_chain: []
|
|
13
|
-
date: 2025-03-
|
|
13
|
+
date: 2025-03-07 00:00:00.000000000 Z
|
|
14
14
|
dependencies:
|
|
15
15
|
- !ruby/object:Gem::Dependency
|
|
16
16
|
name: grpc
|