From 55af71a5fd7114fa38f7634f7ea3b72c95073555 Mon Sep 17 00:00:00 2001
From: Grinish Nepal
Date: Tue, 22 Jun 2021 17:12:22 -0700
Subject: [PATCH] chore: address false positives around passwords
---
 config/falsepositives/false-positives.yaml | 12 +++----
 pkg/scan/falsePositives_test.go | 38 ++++++++++++++++------
 2 files changed, 33 insertions(+), 17 deletions(-)
diff --git a/config/falsepositives/false-positives.yaml b/config/falsepositives/false-positives.yaml
index b9e88b2..dd58afc 100644
--- a/config/falsepositives/false-positives.yaml
+++ b/config/falsepositives/false-positives.yaml
@@ -513,11 +513,10 @@ rules:
 - 3075
 - 6001
 - 6002
- Pattern: (?i)((password|secret|credentials|passphrase)['"]? ?[:=] ?['"]?([a-z]+[\._]+)+(password|pass|pwd|pswd|secret|passphrase)['"]?$)
+ Pattern: "(?i)((password|secret|credentials|passphrase)['\"]? ?[:=] ?['\"]?([a-z]+[\\._\\s]+)+(password|pass|pwd|pswd|secret|passphrase)['\"]?$)"
 FileExtensions: []
 UseFullLine: true
- Description: 'Ignore variable definitions as password values eg: password = mongo.password
- or password: couchbase_db_password'
+ Description: 'Ignore variable definitions as password values eg: password = mongo.password or password: couchbase_db_password'
 - Codes:
 - 3001
 - 3003
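Review bot: The new `Pattern` widens the separator class from `[\\._]` to `[\\._\\s]`, so a quoted multi-word value whose last word happens to be one of the keywords, e.g. `password = "the secret"`, now matches and is suppressed, whereas before only dotted or underscored identifiers such as `mongo.password` were. That turns a rule meant to ignore variable references into one that also ignores free-text values containing whitespace, which is a wider suppression than the description states. If whitespace is needed only for a particular form seen in practice, consider restricting it, and add a case to `Test_findFalsePositive` with a whitespace-separated value so the intended boundary is pinned either way. The rule entry (its `Codes` list) begins above the hunk.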
@@ -1406,14 +1405,13 @@ rules:
 - ".xml"
 - ".properties"
 UseFullLine: true
- Description: 'Ignore password definitions that refer to files, example strmojo.WH.Password:
- mojo/js/source/WH/Password.js'
+ Description: 'Ignore password definitions that refer to files, example api.auth.Password: src/js/util/Password.js'
 - Codes:
 - 3057
- Pattern: "(?i)password ?[>:=] ?([a-z0-9]+\\.?)+.+(\\().+(\\))"
+ Pattern: "(?i)password ?[>:=] ?([a-z0-9]+\\.?)+.+((\\().+(\\))|\\[\\d+\\])"
 FileExtensions: []
 UseFullLine: true
- Description: Ignore functions string, example- `password = context.decrypt("%%ARCHIVAL_DB_PWD%%")`
+ Description: Ignore functions string, example- `password = context.decrypt("%%SOME_DB_PWD%%")` or as array `password = params[0]`
 - Codes:
 - 3035
 - 3036
diff --git a/pkg/scan/falsePositives_test.go b/pkg/scan/falsePositives_test.go
index 871cfcc..1af69dc 100644
--- a/pkg/scan/falsePositives_test.go
+++ b/pkg/scan/falsePositives_test.go
@@ -362,7 +362,7 @@ func Test_findFalsePositive(t *testing.T) {
 hit: Hit{
 Code: 3001,
 Filename: "test.json",
- LineValue: ` "IV_PSK_INPUT_LABEL_GENERIC_PASSWORD": "xxxxxx"`,
+ LineValue: ` "INPUT_LABEL_GENERIC_PASSWORD": "xxxxxx"`,
 },
 wantIsFP: false,
 },
@@ -371,7 +371,7 @@ func Test_findFalsePositive(t *testing.T) {
 hit: Hit{
 Code: 3001,
 Filename: "test.properties",
- LineValue: ` IV_PSK_INPUT_LABEL_GENERIC_PASSWORD= xxxxxxxx`,
+ LineValue: ` INPUT_LABEL_GENERIC_PASSWORD= xxxxxxxx`,
 },
 wantIsFP: false,
 },
@@ -380,7 +380,7 @@ func Test_findFalsePositive(t *testing.T) {
 hit: Hit{
 Code: 3001,
 Filename: "test.properties",
- LineValue: ` IV_PSK_INPUT_LABEL_GENERIC_PASSWORD= "xxxxxxxx"`,
+ LineValue: ` INPUT_LABEL_GENERIC_PASSWORD= "xxxxxxxx"`,
 },
 wantIsFP: false,
 },
@@ -443,7 +443,7 @@ func Test_findFalsePositive(t *testing.T) {
 hit: Hit{
 Code: 3036,
 Filename: "source.txt",
- LineValue: `client_secret_key : 'e2.apigee.client.secret.key'`,
+ LineValue: `client_secret_key : 'e2.api.client.secret.key'`,
 },
 wantIsFP: true,
 },
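Review bot: The new `\\[\\d+\\]` alternative in the 3057 `Pattern` sits, like the existing call branch, after an unanchored `.+` and is not followed by `$`, so the index does not have to be the value itself: an unquoted value followed anywhere later on the line by a `[N]` is also suppressed (quoted values are excluded only because `([a-z0-9]+\\.?)+` must start right after the separator). If the intent is specifically the `password = params[0]` form named in the description, anchoring the new branch, e.g. `|\\[\\d+\\];?\\s*$)`, keeps the added test line ` String password = param[0];` passing without inheriting the looseness of the call branch. The rule entry begins above the hunk; the `falsePositives_test.go` hunks on this line only rename fixture strings.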
@@ -488,7 +488,7 @@ func Test_findFalsePositive(t *testing.T) {
 hit: Hit{
 Code: 3057,
 Filename: "jsclassinfo.properties",
- LineValue: `mstrmojo.WH.Password: mojo/js/source/WH/Password.js`,
+ LineValue: `api.auth.Password: /foo/bar/Password.js`,
 },
 wantIsFP: true,
 },
@@ -587,7 +587,7 @@ func Test_findFalsePositive(t *testing.T) {
 hit: Hit{
 Code: 3001,
 Filename: "source.js",
- LineValue: `EPASS_ENV_VAR_SSLPASSWORD = 'KEYFILE_PASSWORD'`,
+ LineValue: `ENV_VAR_SSLPASSWORD = 'KEYFILE_PASSWORD'`,
 },
 wantIsFP: true,
 },
@@ -596,7 +596,7 @@ func Test_findFalsePositive(t *testing.T) {
 hit: Hit{
 Code: 3057,
 Filename: "source.scala",
- LineValue: ` val GPpassword = appConfig.getString("greenplum.jdbc.pwd")`,
+ LineValue: ` val DBpassword = appConfig.getString("db.jdbc.pwd")`,
 },
 wantIsFP: true,
 },
@@ -605,7 +605,7 @@ func Test_findFalsePositive(t *testing.T) {
 hit: Hit{
 Code: 3057,
 Filename: "source.xml",
- LineValue: ` String password = context.decrypt("%%ARCHIVAL_DB_PWD%%");`,
+ LineValue: ` String password = context.decrypt("%%MONGO_DB_PWD%%");`,
 },
 wantIsFP: true,
 },
@@ -614,7 +614,7 @@ func Test_findFalsePositive(t *testing.T) {
 hit: Hit{
 Code: 3057,
 Filename: "source.xml",
- LineValue: ` password = generatePolicyPassword(context, identity, "AXP Directory")`,
+ LineValue: ` password = generatePassword(context)`,
 },
 wantIsFP: true,
 },
@@ -623,7 +623,7 @@ func Test_findFalsePositive(t *testing.T) {
 hit: Hit{
 Code: 3057,
 Filename: "source.xml",
- LineValue: ` logger.debug("Password Rule Library : generateNotAPolicyPassword :hasDigit :" + hasDigit);`,
+ LineValue: ` logger.debug("Password is : generatePassword :data :" + data);`,
 },
 wantIsFP: false,
 },
@@ -663,6 +663,24 @@ func Test_findFalsePositive(t *testing.T) {
 },
 wantIsFP: false,
 },
+ {
+ name: "Skip password that is is being read from array",
+ hit: Hit{
+ Code: 3057,
+ Filename: "source.xml",
+ LineValue: ` String password = param[0];`,
+ },
+ wantIsFP: true,
+ },
+ {
+ name: "Do not skip password that is is not being read from array",
+ hit: Hit{
+ Code: 3057,
+ Filename: "source.xml",
+ LineValue: ` String password = pa$$[@ee4@]`,
+ },
+ wantIsFP: false,
+ },
 }
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
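Review bot: Both added test names carry a doubled word ("that is is"), and since they become the subtest names in `go test` output they should read `name: "Skip password that is being read from array",` and `name: "Do not skip password that is not being read from array",`. The negative case only exercises a non-numeric index (`pa$$[@ee4@]`), so nothing in the table pins what the 3057 rule does when a numeric `[N]` appears after an unquoted value rather than as the value being assigned; a third case for that shape would document the intended outcome whichever way it is decided. `Test_findFalsePositive` and its `tests` table begin above the hunk.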