Merge pull request #23 from grinish21/chore/address-fps

chore: address false positives around passwords
americanexpress · Jun 29, 2021 · 6d5a8a5 · 6d5a8a5
2 parents e583783 + 55af71a
commit 6d5a8a5
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 17 deletions.
diff --git a/config/falsepositives/false-positives.yaml b/config/falsepositives/false-positives.yaml
@@ -513,11 +513,10 @@ rules:
       - 3075
       - 6001
       - 6002
-    Pattern: (?i)((password|secret|credentials|passphrase)['"]? ?[:=] ?['"]?([a-z]+[\._]+)+(password|pass|pwd|pswd|secret|passphrase)['"]?$)
+    Pattern: "(?i)((password|secret|credentials|passphrase)['\"]? ?[:=] ?['\"]?([a-z]+[\\._\\s]+)+(password|pass|pwd|pswd|secret|passphrase)['\"]?$)"
     FileExtensions: []
     UseFullLine: true
-    Description: 'Ignore variable definitions as password values eg: password = mongo.password
-    or password: couchbase_db_password'
+    Description: 'Ignore variable definitions as password values eg: password = mongo.password or password: couchbase_db_password'
   - Codes:
       - 3001
       - 3003
@@ -1406,14 +1405,13 @@ rules:
       - ".xml"
       - ".properties"
     UseFullLine: true
-    Description: 'Ignore password definitions that refer to files, example strmojo.WH.Password:
-    mojo/js/source/WH/Password.js'
+    Description: 'Ignore password definitions that refer to files, example api.auth.Password: src/js/util/Password.js'
   - Codes:
       - 3057
-    Pattern: "(?i)password ?[>:=] ?([a-z0-9]+\\.?)+.+(\\().+(\\))"
+    Pattern: "(?i)password ?[>:=] ?([a-z0-9]+\\.?)+.+((\\().+(\\))|\\[\\d+\\])"
     FileExtensions: []
     UseFullLine: true
-    Description: Ignore functions string, example- `password = context.decrypt("%%ARCHIVAL_DB_PWD%%")`
+    Description: Ignore functions string, example- `password = context.decrypt("%%SOME_DB_PWD%%")` or as array `password = params[0]`
   - Codes:
       - 3035
       - 3036

diff --git a/pkg/scan/falsePositives_test.go b/pkg/scan/falsePositives_test.go
@@ -362,7 +362,7 @@ func Test_findFalsePositive(t *testing.T) {
 			hit: Hit{
 				Code:     3001,
 				Filename: "test.json",
-				LineValue: `		"IV_PSK_INPUT_LABEL_GENERIC_PASSWORD": "xxxxxx"`,
+				LineValue: `		"INPUT_LABEL_GENERIC_PASSWORD": "xxxxxx"`,
 			},
 			wantIsFP: false,
 		},
@@ -371,7 +371,7 @@ func Test_findFalsePositive(t *testing.T) {
 			hit: Hit{
 				Code:     3001,
 				Filename: "test.properties",
-				LineValue: `		IV_PSK_INPUT_LABEL_GENERIC_PASSWORD= xxxxxxxx`,
+				LineValue: `		INPUT_LABEL_GENERIC_PASSWORD= xxxxxxxx`,
 			},
 			wantIsFP: false,
 		},
@@ -380,7 +380,7 @@ func Test_findFalsePositive(t *testing.T) {
 			hit: Hit{
 				Code:     3001,
 				Filename: "test.properties",
-				LineValue: `		IV_PSK_INPUT_LABEL_GENERIC_PASSWORD= "xxxxxxxx"`,
+				LineValue: `		INPUT_LABEL_GENERIC_PASSWORD= "xxxxxxxx"`,
 			},
 			wantIsFP: false,
 		},
@@ -443,7 +443,7 @@ func Test_findFalsePositive(t *testing.T) {
 			hit: Hit{
 				Code:      3036,
 				Filename:  "source.txt",
-				LineValue: `client_secret_key : 'e2.apigee.client.secret.key'`,
+				LineValue: `client_secret_key : 'e2.api.client.secret.key'`,
 			},
 			wantIsFP: true,
 		},
@@ -488,7 +488,7 @@ func Test_findFalsePositive(t *testing.T) {
 			hit: Hit{
 				Code:      3057,
 				Filename:  "jsclassinfo.properties",
-				LineValue: `mstrmojo.WH.Password: mojo/js/source/WH/Password.js`,
+				LineValue: `api.auth.Password: /foo/bar/Password.js`,
 			},
 			wantIsFP: true,
 		},
@@ -587,7 +587,7 @@ func Test_findFalsePositive(t *testing.T) {
 			hit: Hit{
 				Code:      3001,
 				Filename:  "source.js",
-				LineValue: `EPASS_ENV_VAR_SSLPASSWORD = 'KEYFILE_PASSWORD'`,
+				LineValue: `ENV_VAR_SSLPASSWORD = 'KEYFILE_PASSWORD'`,
 			},
 			wantIsFP: true,
 		},
@@ -596,7 +596,7 @@ func Test_findFalsePositive(t *testing.T) {
 			hit: Hit{
 				Code:     3057,
 				Filename: "source.scala",
-				LineValue: `		val GPpassword = appConfig.getString("greenplum.jdbc.pwd")`,
+				LineValue: `		val DBpassword = appConfig.getString("db.jdbc.pwd")`,
 			},
 			wantIsFP: true,
 		},
@@ -605,7 +605,7 @@ func Test_findFalsePositive(t *testing.T) {
 			hit: Hit{
 				Code:     3057,
 				Filename: "source.xml",
-				LineValue: `		String password = context.decrypt("%%ARCHIVAL_DB_PWD%%");`,
+				LineValue: `		String password = context.decrypt("%%MONGO_DB_PWD%%");`,
 			},
 			wantIsFP: true,
 		},
@@ -614,7 +614,7 @@ func Test_findFalsePositive(t *testing.T) {
 			hit: Hit{
 				Code:     3057,
 				Filename: "source.xml",
-				LineValue: `		password = generatePolicyPassword(context, identity, "AXP Directory")`,
+				LineValue: `		password = generatePassword(context)`,
 			},
 			wantIsFP: true,
 		},
@@ -623,7 +623,7 @@ func Test_findFalsePositive(t *testing.T) {
 			hit: Hit{
 				Code:     3057,
 				Filename: "source.xml",
-				LineValue: `		logger.debug("Password Rule Library : generateNotAPolicyPassword :hasDigit :" + hasDigit);`,
+				LineValue: `		logger.debug("Password is : generatePassword :data :" + data);`,
 			},
 			wantIsFP: false,
 		},
@@ -663,6 +663,24 @@ func Test_findFalsePositive(t *testing.T) {
 			},
 			wantIsFP: false,
 		},
+		{
+			name: "Skip password that is is being read from array",
+			hit: Hit{
+				Code:     3057,
+				Filename: "source.xml",
+				LineValue: `		String password = param[0];`,
+			},
+			wantIsFP: true,
+		},
+		{
+			name: "Do not skip password that is is not being read from array",
+			hit: Hit{
+				Code:     3057,
+				Filename: "source.xml",
+				LineValue: `		String password = pa$$[@ee4@]`,
+			},
+			wantIsFP: false,
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {