PyPI - credsweeper - Versions diffs - 1.11.5__py3-none-any.whl → 1.13.3__py3-none-any.whl - Mend

credsweeper 1.11.5py3-none-any.whl → 1.13.3py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of credsweeper might be problematic. Click here for more details.

Files changed (145) hide show

credsweeper/__init__.py +21 -15
credsweeper/__main__.py +158 -42
credsweeper/app.py +18 -13
credsweeper/common/keyword_pattern.py +19 -18
credsweeper/common/morpheme_checklist.txt +28 -6
credsweeper/config/__init__.py +0 -1
credsweeper/config/config.py +4 -3
credsweeper/credentials/__init__.py +0 -5
credsweeper/credentials/augment_candidates.py +1 -1
credsweeper/credentials/candidate.py +1 -1
credsweeper/credentials/credential_manager.py +1 -1
credsweeper/credentials/line_data.py +43 -8
credsweeper/deep_scanner/__init__.py +0 -1
credsweeper/deep_scanner/abstract_scanner.py +4 -3
credsweeper/deep_scanner/byte_scanner.py +1 -1
credsweeper/deep_scanner/bzip2_scanner.py +2 -2
credsweeper/deep_scanner/csv_scanner.py +71 -0
credsweeper/deep_scanner/deb_scanner.py +1 -1
credsweeper/deep_scanner/deep_scanner.py +22 -12
credsweeper/deep_scanner/docx_scanner.py +1 -1
credsweeper/deep_scanner/eml_scanner.py +1 -1
credsweeper/deep_scanner/encoder_scanner.py +1 -1
credsweeper/deep_scanner/gzip_scanner.py +2 -2
credsweeper/deep_scanner/html_scanner.py +1 -1
credsweeper/deep_scanner/jclass_scanner.py +1 -1
credsweeper/deep_scanner/jks_scanner.py +12 -3
credsweeper/deep_scanner/lang_scanner.py +1 -1
credsweeper/deep_scanner/lzma_scanner.py +2 -2
credsweeper/deep_scanner/mxfile_scanner.py +1 -1
credsweeper/deep_scanner/pdf_scanner.py +1 -1
credsweeper/deep_scanner/pkcs_scanner.py +6 -2
credsweeper/deep_scanner/pptx_scanner.py +1 -1
credsweeper/deep_scanner/rpm_scanner.py +1 -1
credsweeper/deep_scanner/rtf_scanner.py +41 -0
credsweeper/deep_scanner/strings_scanner.py +52 -0
credsweeper/deep_scanner/tar_scanner.py +2 -2
credsweeper/deep_scanner/tmx_scanner.py +2 -2
credsweeper/deep_scanner/xlsx_scanner.py +2 -2
credsweeper/deep_scanner/xml_scanner.py +1 -1
credsweeper/deep_scanner/zip_scanner.py +2 -2
credsweeper/file_handler/__init__.py +0 -15
credsweeper/file_handler/abstract_provider.py +3 -4
credsweeper/file_handler/byte_content_provider.py +11 -2
credsweeper/file_handler/content_provider.py +1 -1
credsweeper/file_handler/data_content_provider.py +1 -1
credsweeper/file_handler/diff_content_provider.py +133 -3
credsweeper/file_handler/file_path_extractor.py +4 -2
credsweeper/file_handler/files_provider.py +4 -4
credsweeper/file_handler/patches_provider.py +7 -8
credsweeper/file_handler/text_content_provider.py +8 -2
credsweeper/filters/__init__.py +3 -4
credsweeper/filters/filter.py +5 -3
credsweeper/filters/group/__init__.py +0 -2
credsweeper/filters/group/general_keyword.py +2 -2
credsweeper/filters/group/general_pattern.py +2 -2
credsweeper/filters/group/group.py +38 -36
credsweeper/filters/group/password_keyword.py +9 -8
credsweeper/filters/group/token_pattern.py +5 -5
credsweeper/filters/group/url_credentials_group.py +8 -8
credsweeper/filters/group/weird_base36_token.py +6 -6
credsweeper/filters/group/weird_base64_token.py +5 -5
credsweeper/filters/line_git_binary_check.py +5 -4
credsweeper/filters/line_specific_key_check.py +6 -5
credsweeper/filters/line_uue_part_check.py +5 -4
credsweeper/filters/value_allowlist_check.py +6 -5
credsweeper/filters/value_array_dictionary_check.py +8 -6
credsweeper/filters/value_atlassian_token_check.py +6 -5
credsweeper/filters/value_azure_token_check.py +6 -5
credsweeper/filters/value_base32_data_check.py +8 -5
credsweeper/filters/value_base64_data_check.py +6 -5
credsweeper/filters/value_base64_encoded_pem_check.py +6 -5
credsweeper/filters/value_base64_key_check.py +6 -5
credsweeper/filters/value_base64_part_check.py +6 -5
credsweeper/filters/value_basic_auth_check.py +37 -0
credsweeper/filters/value_blocklist_check.py +6 -4
credsweeper/filters/value_camel_case_check.py +8 -7
credsweeper/filters/value_dictionary_keyword_check.py +6 -4
credsweeper/filters/value_discord_bot_check.py +6 -5
credsweeper/filters/value_entropy_base_check.py +6 -5
credsweeper/filters/value_file_path_check.py +13 -8
credsweeper/filters/value_github_check.py +8 -6
credsweeper/filters/value_grafana_check.py +6 -5
credsweeper/filters/value_grafana_service_check.py +5 -4
credsweeper/filters/value_hex_number_check.py +5 -4
credsweeper/filters/value_jfrog_token_check.py +6 -5
credsweeper/filters/value_json_web_key_check.py +6 -5
credsweeper/filters/value_json_web_token_check.py +6 -5
credsweeper/filters/value_last_word_check.py +6 -4
credsweeper/filters/{value_dictionary_value_length_check.py → value_length_check.py} +12 -6
credsweeper/filters/value_method_check.py +5 -4
credsweeper/filters/value_morphemes_check.py +43 -0
credsweeper/filters/value_not_allowed_pattern_check.py +6 -5
credsweeper/filters/value_not_part_encoded_check.py +4 -4
credsweeper/filters/value_number_check.py +5 -4
credsweeper/filters/value_pattern_check.py +61 -41
credsweeper/filters/value_similarity_check.py +6 -4
credsweeper/filters/value_split_keyword_check.py +5 -4
credsweeper/filters/value_string_type_check.py +10 -7
credsweeper/filters/value_token_base_check.py +5 -4
credsweeper/filters/value_token_check.py +6 -5
credsweeper/logger/__init__.py +0 -1
credsweeper/logger/logger.py +1 -1
credsweeper/ml_model/__init__.py +0 -1
credsweeper/ml_model/features/__init__.py +1 -0
credsweeper/ml_model/features/entropy_evaluation.py +1 -1
credsweeper/ml_model/features/feature.py +2 -19
credsweeper/ml_model/features/file_extension.py +2 -2
credsweeper/ml_model/features/has_html_tag.py +12 -10
credsweeper/ml_model/features/is_secret_numeric.py +5 -4
credsweeper/ml_model/features/length_of_attribute.py +1 -1
credsweeper/ml_model/features/morpheme_dense.py +15 -8
credsweeper/ml_model/features/rule_name.py +2 -2
credsweeper/ml_model/features/rule_severity.py +21 -0
credsweeper/ml_model/features/search_in_attribute.py +1 -1
credsweeper/ml_model/features/word_in.py +10 -33
credsweeper/ml_model/features/word_in_path.py +6 -4
credsweeper/ml_model/features/word_in_postamble.py +2 -5
credsweeper/ml_model/features/word_in_preamble.py +2 -5
credsweeper/ml_model/features/word_in_transition.py +2 -5
credsweeper/ml_model/features/word_in_value.py +3 -4
credsweeper/ml_model/features/word_in_variable.py +3 -4
credsweeper/ml_model/ml_config.json +140 -27
credsweeper/ml_model/ml_model.onnx +0 -0
credsweeper/ml_model/ml_validator.py +4 -3
credsweeper/rules/__init__.py +0 -1
credsweeper/rules/config.yaml +329 -239
credsweeper/rules/rule.py +4 -3
credsweeper/scanner/__init__.py +0 -1
credsweeper/scanner/scan_type/__init__.py +0 -5
credsweeper/scanner/scan_type/multi_pattern.py +4 -4
credsweeper/scanner/scan_type/pem_key_pattern.py +4 -4
credsweeper/scanner/scan_type/scan_type.py +4 -4
credsweeper/scanner/scan_type/single_pattern.py +4 -4
credsweeper/scanner/scanner.py +24 -15
credsweeper/secret/config.json +19 -6
credsweeper/utils/__init__.py +0 -1
credsweeper/utils/pem_key_detector.py +3 -3
credsweeper/utils/util.py +24 -150
{credsweeper-1.11.5.dist-info → credsweeper-1.13.3.dist-info}/METADATA +7 -7
credsweeper-1.13.3.dist-info/RECORD +164 -0
credsweeper/filters/value_couple_keyword_check.py +0 -26
credsweeper-1.11.5.dist-info/RECORD +0 -159
{credsweeper-1.11.5.dist-info → credsweeper-1.13.3.dist-info}/WHEEL +0 -0
{credsweeper-1.11.5.dist-info → credsweeper-1.13.3.dist-info}/entry_points.txt +0 -0
{credsweeper-1.11.5.dist-info → credsweeper-1.13.3.dist-info}/licenses/LICENSE +0 -0

credsweeper/__init__.py CHANGED Viewed

@@ -1,21 +1,27 @@
 from credsweeper.app import CredSweeper
-from credsweeper.common.constants import ThresholdPreset
-from credsweeper.file_handler import ContentProvider, ByteContentProvider, DiffContentProvider, StringContentProvider, \
-    DataContentProvider, \
-    TextContentProvider
+from credsweeper.common.constants import ThresholdPreset, Severity, Confidence
+from credsweeper.file_handler.byte_content_provider import ByteContentProvider
+from credsweeper.file_handler.content_provider import ContentProvider
+from credsweeper.file_handler.data_content_provider import DataContentProvider
+from credsweeper.file_handler.diff_content_provider import DiffContentProvider
+from credsweeper.file_handler.string_content_provider import StringContentProvider
+from credsweeper.file_handler.text_content_provider import TextContentProvider
 from credsweeper.ml_model.ml_validator import MlValidator
 __all__ = [
-    'ByteContentProvider',  #
-    'ContentProvider',  #
-    'CredSweeper',  #
-    'DataContentProvider',  #
-    'DiffContentProvider',  #
-    'MlValidator',  #
-    'StringContentProvider',  #
-    'TextContentProvider',  #
-    'ThresholdPreset',  #
-    '__version__'
+    "ByteContentProvider",  #
+    "Confidence",  #
+    "ContentProvider",  #
+    "CredSweeper",  #
+    "DataContentProvider",  #
+    "DiffContentProvider",  #
+    "MlValidator",  #
+    "Severity",  #
+    "StringContentProvider",  #
+    "TextContentProvider",  #
+    "ThresholdPreset",  #
+    "__version__"
 ]
-__version__ = "1.11.5"
+__version__ = "1.13.3"

credsweeper/__main__.py CHANGED Viewed

@@ -1,20 +1,24 @@
 import binascii
+import contextlib
 import logging
 import os
 import sys
 import time
 from argparse import ArgumentParser, ArgumentTypeError, Namespace, BooleanOptionalAction
 from pathlib import Path
-from typing import Any, Union, Dict
+from typing import Any, Union, Dict, Tuple, Sequence
+from git import Repo, Commit
 from credsweeper import __version__
 from credsweeper.app import APP_PATH, CredSweeper
 from credsweeper.common.constants import ThresholdPreset, Severity, RuleType, DiffRowType, ML_HUNK
 from credsweeper.file_handler.abstract_provider import AbstractProvider
+from credsweeper.file_handler.byte_content_provider import ByteContentProvider
 from credsweeper.file_handler.files_provider import FilesProvider
 from credsweeper.file_handler.patches_provider import PatchesProvider
 from credsweeper.logger.logger import Logger
-from credsweeper.utils import Util
+from credsweeper.utils.util import Util
 EXIT_SUCCESS = 0
 EXIT_FAILURE = 1
@@ -31,24 +35,24 @@ def positive_int(value: Any) -> int:
     return int_value
-def threshold_or_float(arg: str) -> Union[float, ThresholdPreset]:
+def threshold_or_float_or_zero(arg: str) -> Union[int, float, ThresholdPreset]:
     """Return ThresholdPreset or a float from the input string
     Args:
         arg: string that either a float or one of allowed values in ThresholdPreset
     Returns:
-        float if arg convertible to float, ThresholdPreset if one of the allowed values
+        int = 0 to disable ML validator, float if arg convertible to float, ThresholdPreset if one of the allowed values
     Raises:
         ArgumentTypeError: if arg cannot be interpreted as float or ThresholdPreset
     """
     allowed_presents = [e.value for e in ThresholdPreset]
-    try:
+    if '0' == arg:
+        return 0
+    with contextlib.suppress(ValueError):
         return float(arg)  # try convert to float
-    except ValueError:
-        pass
     if arg in allowed_presents:
         return ThresholdPreset[arg]
     raise ArgumentTypeError(f"value must be a float or one of {allowed_presents}")
@@ -118,6 +122,11 @@ def get_arguments() -> Namespace:
                        const="log.yaml",
                        dest="export_log_config",
                        metavar="PATH")
+    group.add_argument("--git", help="git repo to scan", dest="git", metavar="PATH")
+    parser.add_argument("--ref",
+                        help="scan git repo from the ref, otherwise - all branches were scanned (slow)",
+                        dest="ref",
+                        type=str)
     parser.add_argument("--rules",
                         help="path of rule config file (default: credsweeper/rules/config.yaml). "
                         f"severity:{[i.value for i in Severity]} "
@@ -150,6 +159,10 @@ def get_arguments() -> Namespace:
                         help="find files by predefined extension",
                         dest="find_by_ext",
                         action="store_true")
+    parser.add_argument("--pedantic",
+                        help="process files without extension",
+                        action=BooleanOptionalAction,
+                        default=False)
     parser.add_argument("--depth",
                         help="additional recursive search in data (experimental)",
                         type=positive_int,
@@ -164,11 +177,11 @@ def get_arguments() -> Namespace:
                         "The lower the threshold - the more credentials will be reported. "
                         f"Allowed values: float between 0 and 1, or any of {[e.value for e in ThresholdPreset]} "
                         "(default: medium)",
-                        type=threshold_or_float,
+                        type=threshold_or_float_or_zero,
                         default=ThresholdPreset.medium,
                         dest="ml_threshold",
                         required=False,
-                        metavar="FLOAT_OR_STR")
+                        metavar="THRESHOLD_OR_FLOAT_OR_ZERO")
     parser.add_argument("--ml_batch_size",
                         "-b",
                         help="batch size for model inference (default: 16)",
@@ -246,8 +259,8 @@ def get_arguments() -> Namespace:
                         default=False)
     parser.add_argument("--log",
                         "-l",
-                        help=f"provide logging level of {list(Logger.LEVELS.keys())}"
-                        f"(default: 'warning', case insensitive)",
+                        help=(f"provide logging level of {list(Logger.LEVELS.keys())}"
+                              f" (default: 'warning', case insensitive)"),
                         default="warning",
                         dest="log",
                         metavar="LOG_LEVEL",
@@ -268,6 +281,40 @@ def get_arguments() -> Namespace:
     return parser.parse_args()
+def get_credsweeper(args: Namespace) -> CredSweeper:
+    """Common function to create the instance"""
+    if args.denylist_path is not None:
+        denylist = [line for line in Util.read_file(args.denylist_path) if line]
+    else:
+        denylist = []
+    return CredSweeper(rule_path=args.rule_path,
+                       config_path=args.config_path,
+                       json_filename=args.json_filename,
+                       xlsx_filename=args.xlsx_filename,
+                       stdout=args.stdout,
+                       color=args.color,
+                       hashed=args.hashed,
+                       subtext=args.subtext,
+                       sort_output=args.sort_output,
+                       use_filters=args.no_filters,
+                       pool_count=args.jobs,
+                       ml_batch_size=args.ml_batch_size,
+                       ml_threshold=args.ml_threshold,
+                       ml_config=args.ml_config,
+                       ml_model=args.ml_model,
+                       ml_providers=args.ml_providers,
+                       find_by_ext=args.find_by_ext,
+                       pedantic=args.pedantic,
+                       depth=args.depth,
+                       doc=args.doc,
+                       severity=args.severity,
+                       size_limit=args.size_limit,
+                       exclude_lines=denylist,
+                       exclude_values=denylist,
+                       thrifty=args.thrifty,
+                       log_level=args.log)
 def scan(args: Namespace, content_provider: AbstractProvider) -> int:
     """Scan content_provider data, print results or save them to json_filename is not None
@@ -283,42 +330,105 @@ def scan(args: Namespace, content_provider: AbstractProvider) -> int:
     """
     try:
-        if args.denylist_path is not None:
-            denylist = [line for line in Util.read_file(args.denylist_path) if line]
-        else:
-            denylist = []
-        credsweeper = CredSweeper(rule_path=args.rule_path,
-                                  config_path=args.config_path,
-                                  json_filename=args.json_filename,
-                                  xlsx_filename=args.xlsx_filename,
-                                  stdout=args.stdout,
-                                  color=args.color,
-                                  hashed=args.hashed,
-                                  subtext=args.subtext,
-                                  sort_output=args.sort_output,
-                                  use_filters=args.no_filters,
-                                  pool_count=args.jobs,
-                                  ml_batch_size=args.ml_batch_size,
-                                  ml_threshold=args.ml_threshold,
-                                  ml_config=args.ml_config,
-                                  ml_model=args.ml_model,
-                                  ml_providers=args.ml_providers,
-                                  find_by_ext=args.find_by_ext,
-                                  depth=args.depth,
-                                  doc=args.doc,
-                                  severity=args.severity,
-                                  size_limit=args.size_limit,
-                                  exclude_lines=denylist,
-                                  exclude_values=denylist,
-                                  thrifty=args.thrifty,
-                                  log_level=args.log)
+        credsweeper = get_credsweeper(args)
         return credsweeper.run(content_provider=content_provider)
     except Exception as exc:
         logger.critical(exc, exc_info=True)
+        logger.exception(exc)
     return -1
+def get_commit_providers(commit: Commit, repo: Repo) -> Sequence[ByteContentProvider]:
+    """Process a commit and for providers"""
+    result = {}
+    # use the hardcoded sha1 until sha256 objects are not supported by GitPython
+    ancestors = commit.parents or [repo.tree("4b825dc642cb6eb9a060e54bf8d69288fbee4904")]
+    for parent in ancestors:
+        for diff in parent.diff(commit):
+            # only result files
+            blob_b = diff.b_blob
+            if blob_b and blob_b.path not in result:
+                try:
+                    result[blob_b.path] = ByteContentProvider(content=blob_b.data_stream.read(),
+                                                              file_path=str(blob_b.path),
+                                                              info=DiffRowType.ADDED.value)
+                except Exception as exc:
+                    logger.warning(f"A submodule was not properly initialized or commit was removed: {exc}")
+    return list(result.values())
+def drill(args: Namespace) -> Tuple[int, int]:
+    """Scan repository for branches and commits
+    Returns:
+        total credentials found
+        total scanned commits
+    """
+    total_credentials = 0
+    total_commits = 0
+    try:
+        # repo init first
+        repo = Repo(args.git)
+        if args.ref:
+            commits_sha1 = set(x.commit.hexsha for x in repo.refs if x.name == args.ref)
+            if not commits_sha1:
+                commits_sha1 = {args.ref}  # single commit sha1 reference
+        else:
+            commits_sha1 = set(x.commit.hexsha for x in repo.refs
+                               if x.name.startswith('origin/') or x.name.startswith('refs/heads/'))
+        logger.info(f"Git repository {args.git} with commits: {commits_sha1}")
+        # then - credsweeper
+        credsweeper = get_credsweeper(args)
+        # use flat iterations to avoid recursive limits
+        to_scan = set(commits_sha1)
+        # local speedup for already scanned commits - avoid file system interactive
+        scanned = set()
+        # to avoid double-check
+        skipped = set()
+        while to_scan:
+            commit_sha1 = to_scan.pop()
+            if commit_sha1 in scanned:
+                # the commit was scanned in this launch
+                continue
+            commit = repo.commit(commit_sha1)
+            if commit.parents:
+                # add parents only when they were not skipped or scanned previously
+                to_scan.update(x.hexsha for x in commit.parents if x.hexsha not in skipped and x.hexsha not in scanned)
+            # check whether the commit has been checked and the report is present
+            skip_already_scanned = False
+            if args.json_filename:
+                json_path = Path(args.json_filename)
+                json_path = json_path.with_suffix(f".{commit_sha1}{json_path.suffix}")
+                if json_path.exists():
+                    skip_already_scanned = True
+                else:
+                    credsweeper.json_filename = json_path
+            if args.xlsx_filename:
+                xlsx_path = Path(args.xlsx_filename)
+                xlsx_path = xlsx_path.with_suffix(f".{commit_sha1}{xlsx_path.suffix}")
+                if xlsx_path.exists():
+                    skip_already_scanned = True
+                else:
+                    credsweeper.xlsx_filename = xlsx_path
+            if skip_already_scanned:
+                skipped.add(commit_sha1)
+                logger.info("Skip already scanned commit: %s %s", commit_sha1, commit.committed_datetime.isoformat())
+                continue
+            logger.info("Scan commit: %s %s", commit_sha1, commit.committed_datetime.isoformat())
+            # prepare all files to scan in the commit with bytes->IO transformation to avoid a multiprocess issue
+            if providers := get_commit_providers(commit, repo):
+                credsweeper.credential_manager.candidates.clear()
+                credsweeper.scan(providers)
+                credsweeper.post_processing()
+                credsweeper.export_results()
+                total_credentials += credsweeper.credential_manager.len_credentials()
+            total_commits += 1
+            scanned.add(commit_sha1)
+    except Exception as exc:
+        logger.critical(exc, exc_info=True)
+        return -1, total_commits
+    return total_credentials, total_commits
 def main() -> int:
     """Main function"""
     result = EXIT_FAILURE
@@ -328,7 +438,7 @@ def main() -> int:
     if args.banner:
         print(f"CredSweeper {__version__} crc32:{check_integrity():08x}")
     Logger.init_logging(args.log, args.log_config_path)
-    logger.info(f"Init CredSweeper object with arguments: {args}")
+    logger.info(f"Init CredSweeper object with arguments: {args} CWD: {os.getcwd()}")
     summary: Dict[str, int] = {}
     if args.path:
         logger.info(f"Run analyzer on path: {args.path}")
@@ -353,6 +463,12 @@ def main() -> int:
             result = EXIT_SUCCESS
             # collect number of all found credential to produce error code when necessary
             credentials_number = add_credentials_number + del_credentials_number
+    elif args.git:
+        logger.info(f"Run analyzer on GIT: {args.git}")
+        credentials_number, commits_number = drill(args)
+        summary[f"Detected Credentials in {args.git} for {commits_number} commits "] = credentials_number
+        if 0 <= credentials_number:
+            result = EXIT_SUCCESS
     elif args.export_config:
         logging.info(f"Exporting default config to file: {args.export_config}")
         config_dict = Util.json_load(APP_PATH / "secret" / "config.json")

credsweeper/app.py CHANGED Viewed

@@ -11,18 +11,18 @@ from colorama import Style
 # Directory of credsweeper sources MUST be placed before imports to avoid circular import error
 APP_PATH = Path(__file__).resolve().parent
+from credsweeper.scanner.scanner import Scanner
 from credsweeper.common.constants import Severity, ThresholdPreset, DiffRowType, DEFAULT_ENCODING
-from credsweeper.config import Config
-from credsweeper.credentials import Candidate, CredentialManager, CandidateKey
+from credsweeper.config.config import Config
+from credsweeper.credentials.candidate import Candidate
+from credsweeper.credentials.candidate_key import CandidateKey
+from credsweeper.credentials.credential_manager import CredentialManager
 from credsweeper.deep_scanner.deep_scanner import DeepScanner
 from credsweeper.file_handler.content_provider import ContentProvider
-from credsweeper.file_handler.diff_content_provider import DiffContentProvider
 from credsweeper.file_handler.file_path_extractor import FilePathExtractor
 from credsweeper.file_handler.abstract_provider import AbstractProvider
-from credsweeper.file_handler.text_content_provider import TextContentProvider
-from credsweeper.scanner import Scanner
 from credsweeper.ml_model.ml_validator import MlValidator
-from credsweeper.utils import Util
+from credsweeper.utils.util import Util
 logger = logging.getLogger(__name__)
@@ -52,11 +52,12 @@ class CredSweeper:
                  use_filters: bool = True,
                  pool_count: int = 1,
                  ml_batch_size: Optional[int] = None,
-                 ml_threshold: Union[float, ThresholdPreset] = ThresholdPreset.medium,
+                 ml_threshold: Union[int, float, ThresholdPreset] = ThresholdPreset.medium,
                  ml_config: Union[None, str, Path] = None,
                  ml_model: Union[None, str, Path] = None,
                  ml_providers: Optional[str] = None,
                  find_by_ext: bool = False,
+                 pedantic: bool = False,
                  depth: int = 0,
                  doc: bool = False,
                  severity: Union[Severity, str] = Severity.INFO,
@@ -86,6 +87,7 @@ class CredSweeper:
             ml_model: str or Path to set custom ml model
             ml_providers: str - comma separated list with providers
             find_by_ext: boolean - files will be reported by extension
+            pedantic: boolean - scan all files
             depth: int - how deep container files will be scanned
             doc: boolean - document-specific scanning
             severity: Severity - minimum severity level of rule
@@ -103,6 +105,7 @@ class CredSweeper:
         config_dict = self._get_config_dict(config_path=config_path,
                                             use_filters=use_filters,
                                             find_by_ext=find_by_ext,
+                                            pedantic=pedantic,
                                             depth=depth,
                                             doc=doc,
                                             severity=_severity,
@@ -145,6 +148,7 @@ class CredSweeper:
             config_path: Optional[str],  #
             use_filters: bool,  #
             find_by_ext: bool,  #
+            pedantic: bool,  #
             depth: int,  #
             doc: bool,  #
             severity: Severity,  #
@@ -155,6 +159,7 @@ class CredSweeper:
         config_dict["use_filters"] = use_filters
         config_dict["find_by_ext"] = find_by_ext
         config_dict["size_limit"] = size_limit
+        config_dict["pedantic"] = pedantic
         config_dict["depth"] = depth
         config_dict["doc"] = doc
         config_dict["severity"] = severity.value
@@ -169,7 +174,7 @@ class CredSweeper:
     # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
     def _use_ml_validation(self) -> bool:
-        if isinstance(self.ml_threshold, (float, int)) and 0 >= self.ml_threshold:
+        if isinstance(self.ml_threshold, int) and 0 == self.ml_threshold:
             logger.info("ML validation is disabled")
             return False
         if not self.credential_manager.candidates:
@@ -215,7 +220,7 @@ class CredSweeper:
             content_provider: path objects to scan
         """
-        _empty_list: Sequence[Union[DiffContentProvider, TextContentProvider]] = []
+        _empty_list: Sequence[ContentProvider] = []
         file_extractors = content_provider.get_scannable_files(self.config) if content_provider else _empty_list
         if not file_extractors:
             logger.info(f"No scannable targets for {len(content_provider.paths)} paths")
@@ -229,7 +234,7 @@ class CredSweeper:
     # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
-    def scan(self, content_providers: Sequence[Union[DiffContentProvider, TextContentProvider]]) -> None:
+    def scan(self, content_providers: Sequence[ContentProvider]) -> None:
         """Run scanning of files from an argument "content_providers".
         Args:
@@ -243,7 +248,7 @@ class CredSweeper:
     # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
-    def __single_job_scan(self, content_providers: Sequence[Union[DiffContentProvider, TextContentProvider]]) -> None:
+    def __single_job_scan(self, content_providers: Sequence[ContentProvider]) -> None:
         """Performs scan in main thread"""
         logger.info(f"Scan for {len(content_providers)} providers")
         all_cred = self.files_scan(content_providers)
@@ -251,7 +256,7 @@ class CredSweeper:
     # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
-    def __multi_jobs_scan(self, content_providers: Sequence[Union[DiffContentProvider, TextContentProvider]]) -> None:
+    def __multi_jobs_scan(self, content_providers: Sequence[ContentProvider]) -> None:
         """Performs scan with multiple jobs"""
         # use this separation to satisfy YAPF formatter
         yapfix = "%(asctime)s | %(levelname)s | %(processName)s:%(threadName)s | %(filename)s:%(lineno)s | %(message)s"
@@ -265,7 +270,7 @@ class CredSweeper:
         logger.info(f"Scan in {pool_count} processes for {len(content_providers)} providers")
         with multiprocessing.get_context("spawn").Pool(processes=pool_count,
                                                        initializer=CredSweeper.pool_initializer,
-                                                       initargs=(log_kwargs, )) as pool:
+                                                       initargs=(log_kwargs,)) as pool:  # yapf: disable
             try:
                 for scan_results in pool.imap_unordered(self.files_scan,
                                                         (content_providers[x::pool_count] for x in range(pool_count))):

credsweeper/common/keyword_pattern.py CHANGED Viewed

@@ -3,47 +3,48 @@ import re
 class KeywordPattern:
     """Pattern set of keyword types"""
-    directive = r"(?P<directive>(?:(?:[#%]define|%global)(?:\s|\\t)|\bset))?"
-    key_left = r"(?:\\[nrt]|%[0-9a-f]{2}|\s)*" \
-               r"(?P<variable>(([`'\"]{1,8}[^:='\"`}<>\\/&?]*|[^:='\"`}<>\s()\\/&?;,%]*)" \
-               r"(?P<keyword>"
-    # there will be inserted a keyword
-    key_right = r")" \
-                r"[^%:='\"`<>({?!&;\n]*" \
+    directive = r"(?P<directive>(?:" \
+                r"(?:[#%]define|define(?=(\s|\\{1,8}[tnr])*\()|%global)" \
+                r"(?:\s?\(|\s|\\{1,8}[tnr]){1,8}|\bset(?=\b|\w*(\s|\\{1,8}[tnr])*\()" \
+                r"))?"
+    key_left = r"(?:\\[nrt]|(\\\\*u00|%)[0-9a-f]{2}|\s)*" \
+               r"(?P<variable>(([\"'`]{1,8}[^:=\"'`}<>\\/&?]*|[^:=\"'`}<>\s()\\/&?;,%]*)"
+    # keyword will be inserted here
+    key_right = r"[^%:=\"'`<>({?!&;\n]{0,80}" \
                 r")" \
-                r"(&(quot|apos);|%[0-9a-f]{2}|[`'\"])*" \
+                r"(&(quot|apos|#3[49]);|(\\\\*u00|%)[0-9a-f]{2}|[\"'`])*" \
                 r")"  # <variable>
     separator = r"(?(directive)|(\s|\\{1,8}[tnr])*\]?(\s|\\{1,8}[tnr])*)" \
                 r"(?P<separator>:(\s[a-z]{3,9}[?]?\s)?=|:(?!:)|=(>|&gt;|(\\\\*u00|%)26gt;)|!==|!=|===|==|=~|=" \
-                r"|(?(directive)(\\t|\s|\((?!\))){1,80}|%3d))" \
+                r"|(?(directive)(,|\\t|\s|\((?!\))){1,80}|%3d))" \
                 r"(\s|\\{1,8}[tnr])*"
     # might be curly, square or parenthesis with words before
     wrap = r"(?P<wrap>(" \
-           r"(new(\s|\\{1,8}[tnr]|byte|char|string|\[\]){1,8})?" \
+           r"((\s|\\{1,8}[tnr]|new|byte|char|string|\[\]){1,8})?" \
            r"(?P<get>([_a-z][0-9a-z_.\[\]]*\.)get|(os\.)?getenv)?" \
            r"([0-9a-z_.]|::|-(>|&gt;))*" \
            r"\s*" \
            r"(\[(?!\])|\((?!\))|\{(?!\}))" \
            r"(\s|\\{1,8}[tnr])*" \
-           r"(?(get)('[^']+'|\"[^\"]+\")\s*,\s*|)" \
+           r"(?(get)('[^']{1,31}'|\"[^\"]{1,31}\")\s*,\s*|)" \
            r"([0-9a-z_]{1,32}\s*[:=]\s*)?" \
            r"){1,8})?"
-    string_prefix = r"(((b|r|br|rb|u|f|rf|fr|l|@)(?=(\\*[`'\"])))?"
-    left_quote = r"(?P<value_leftquote>((?P<esq>\\{1,8})?([`'\"]|&(quot|apos);)){1,4}))?"
+    string_prefix = r"(((b|r|br|rb|u|f|rf|fr|l|@)(?=(\\*[\"'`])))?"
+    left_quote = r"(?P<value_leftquote>((?P<esq>\\{1,8})?([\"'`]|&(quot|apos|#3[49]);)){1,4}))?"
     # Authentication scheme ( oauth | basic | bearer | apikey ) precedes to credential
     auth_keywords = r"(\s?(oauth|bot|basic|bearer|apikey|accesskey|ssws|ntlm)\s)?"
     value = r"(?P<value>" \
             r"(?(value_leftquote)" \
             r"(" \
             r"(?!(?P=value_leftquote))" \
-            r"(?(esq)((?!(?P=esq)([`'\"]|&(quot|apos);)).)|((?!(?P=value_leftquote)).)))" \
+            r"(?(esq)((?!(?P=esq)([\"'`]|&(quot|apos|#3[49]);)).)|((?!(?P=value_leftquote)).)))" \
             r"|" \
-            r"(?!&(quot|apos);)" \
-            r"(\\{1,8}([ tnr]|[^\s`'\"])" \
+            r"(?!&(quot|apos|#3[49]);)" \
+            r"(\\{1,8}([ tnr]|[^\s\"'`])" \
             r"|" \
             r"(?P<url_esc>%[0-9a-f]{2})" \
             r"|" \
-            r"(?(url_esc)[^\s`'\",;\\&]|[^\s`'\",;\\])" \
+            r"(?(url_esc)[^\s\"'`,;\\&]|[^\s\"'`,;\\])" \
             r")" \
             r"){4,8000}" \
             r"|" \
@@ -67,7 +68,7 @@ class KeywordPattern:
         expression = ''.join([  #
             cls.directive,  #
             cls.key_left,  #
-            keyword,  #
+            fr"(?P<keyword>{keyword})",  # named group required
             cls.key_right,  #
             cls.separator,  #
             cls.wrap,  #

credsweeper 1.11.5__py3-none-any.whl → 1.13.3__py3-none-any.whl

Potentially problematic release.

credsweeper 1.11.5py3-none-any.whl → 1.13.3py3-none-any.whl