From f021f60e2bb12408955d4bd800262e386616c1b6 Mon Sep 17 00:00:00 2001
From: Nasirudeen Olohundare
Date: Fri, 4 Oct 2024 04:39:54 +0100
Subject: [PATCH] fix: gitlab v1 detector false positive bug

---
 package.json               |  2 +-
 src/detectors/gitlab/v1.ts | 17 ++++++++---------
 2 files changed, 9 insertions(+), 10 deletions(-)

diff --git a/package.json b/package.json
index 8102b08..f5897e8 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "securelog-scan",
-  "version": "2.0.8",
+  "version": "2.0.9",
   "description": "A CLI tool to scan codebases for potential secrets.",
   "main": "dist/index.js",
   "author": {
diff --git a/src/detectors/gitlab/v1.ts b/src/detectors/gitlab/v1.ts
index 5c52def..dbfb00a 100644
--- a/src/detectors/gitlab/v1.ts
+++ b/src/detectors/gitlab/v1.ts
@@ -2,11 +2,10 @@
 import Re2 from "re2";
 import { surroundWithGroups } from "../../regexHandler";
 import { makeGitLabRequest } from "../../analyzers/gitlab";
 import { Detector, ScanResult } from "../../types/detector";
-import { isFalsePositive } from "../../util";
 
 const keywords: string[] = ["gitlab"];
 const keyPattern: Re2 = new Re2(
-  `${surroundWithGroups(keywords)}\\b([a-zA-Z0-9\-=_]{20,22})\\b`,
+  `${surroundWithGroups(keywords)}\\b([a-z0-9]{20,22})\\b`,
   "gi"
 );
@@ -19,16 +18,16 @@ const scan = async (
   for (const match of matches) {
     if (match.length !== 2) continue;
 
-    if (match[0].includes("glpat-")) continue;
-    if (
-      isFalsePositive(match[1].trim(), ["personal_access_tokens", "display"])
-        .isFalsePositive
-    )
-      // remove false positive for detector matching random strings from our gitlab analyzer
-      continue;
 
     const resMatch = match[1].trim();
+
+    /**
+     * exclude false positives, a gilab v1 token is suppose to start with go and a
+     * 20/22 length character
+     */
+    if (!resMatch.startsWith("go")) continue;
+
     result.rawValue = resMatch;
     result.position = match.index;
     result.extras = {
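Review bot: The narrowed character class on the new keyPattern line, `[a-z0-9]{20,22}`, does not actually restrict captures to lowercase, because the pattern is still compiled with `"gi"` and the `i` flag makes `[a-z]` match `A-Z` too, so the only real tightening here is dropping `-`, `=` and `_` from the class. If lowercase-only is the intent, the class and the flag are in tension; since `i` is presumably also wanted for the `gitlab` keyword from `surroundWithGroups(keywords)`, the clearer option is to state the token alphabet the detector is meant to accept in a comment on `keyPattern` and enforce case where the token is checked, e.g. `if (!resMatch.toLowerCase().startsWith("go")) continue;` in the second hunk, whose `startsWith("go")` is case-sensitive while the regex is not and would otherwise silently drop an uppercase-prefixed capture. The second hunk's added comment also has typos worth fixing while here: `gilab` → `gitlab`, `is suppose to` → `is supposed to`.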