fix(secret): Consider secrets in rpc calls #2753

Merged
merged 5 commits into from
Aug 25, 2022
Merged
15 changes: 15 additions & 0 deletions integration/client_server_test.go
Expand Up @@ -37,6 +37,7 @@ type csArgs struct {
ClientTokenHeader string
ListAllPackages bool
Target string
secretConfig string
}

func TestClientServer(t *testing.T) {
Expand Down Expand Up @@ -238,6 +239,16 @@ func TestClientServer(t *testing.T) {
},
golden: "testdata/pom.json.golden",
},
{
name: "scan sample.pem with fs command in client/server mode",
args: csArgs{
Command: "fs",
RemoteAddrOption: "--server",
secretConfig: "testdata/fixtures/fs/secrets/trivy-secret.yaml",
Target: "testdata/fixtures/fs/secrets/",
},
golden: "testdata/secrets.json.golden",
},
}

addr, cacheDir := setup(t, setupOptions{})
Expand All @@ -246,6 +257,10 @@ func TestClientServer(t *testing.T) {
t.Run(c.name, func(t *testing.T) {
osArgs, outputFile := setupClient(t, c.args, addr, cacheDir, c.golden)

if c.args.secretConfig != "" {
osArgs = append(osArgs, "--secret-config", c.args.secretConfig)
}

//
err := execute(osArgs)
require.NoError(t, err)
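Review bot: The new `csArgs` field `secretConfig` is the only unexported field in the struct, while its siblings (`ClientTokenHeader`, `ListAllPackages`, `Target`) are all exported; rename it to `SecretConfig string` and update the two uses in the new test case and in the `--secret-config` append so the struct stays consistent. The body of `TestClientServer` continues outside the hunks shown here.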
27 changes: 27 additions & 0 deletions integration/testdata/fixtures/fs/secrets/sample.pem
@@ -0,0 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
48 changes: 46 additions & 2 deletions integration/testdata/secrets.json.golden
Expand Up @@ -68,7 +68,9 @@
}
]
},
"Match": "export AWS_ACCESS_KEY_ID=********************"
"Match": "export AWS_ACCESS_KEY_ID=********************",
"Deleted": false,
"Layer": {}
},
{
"RuleID": "mysecret",
Expand Down Expand Up @@ -110,7 +112,49 @@
}
]
},
"Match": "echo ********"
"Match": "echo ********",
"Deleted": false,
"Layer": {}
}
]
},
{
"Target": "sample.pem",
Do you have any specific reason to add this key? This test case already has GitHub PAT and AWS access keys. Aren't they enough?

"Class": "secret",
"Secrets": [
{
"RuleID": "private-key",
"Category": "AsymmetricPrivateKey",
"Severity": "HIGH",
"Title": "Asymmetric Private Key",
"StartLine": 1,
"EndLine": 1,
"Code": {
"Lines": [
{
"Number": 1,
"Content": "-----BEGIN RSA PRIVATE KEY-----******************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************-----END RSA PRIVATE KEY-----",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "-----BEGIN RSA PRIVATE KEY-----******************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************-----END RSA PRIVATE KEY-----",
"FirstCause": true,
"LastCause": true
},
{
"Number": 2,
"Content": "",
"IsCause": false,
"Annotation": "",
"Truncated": false,
"FirstCause": false,
"LastCause": false
}
]
},
"Match": "----BEGIN RSA PRIVATE KEY-----******************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************-----END RSA PRIVATE",
"Deleted": false,
"Layer": {}
}
]
}
4 changes: 2 additions & 2 deletions pkg/rpc/client/client.go
Expand Up @@ -65,9 +65,9 @@ func (s Scanner) Scan(ctx context.Context, target, artifactKey string, blobKeys
ctx = WithCustomHeaders(ctx, s.customHeaders)

// Convert to the rpc struct
licenseCategories := map[string]*rpc.License{}
licenseCategories := map[string]*rpc.Licenses{}
for category, names := range opts.LicenseCategories {
licenseCategories[string(category)] = &rpc.License{Names: names}
licenseCategories[string(category)] = &rpc.Licenses{Names: names}
}

var res *rpc.ScanResponse
105 changes: 105 additions & 0 deletions pkg/rpc/convert.go
Expand Up @@ -60,6 +60,55 @@ func ConvertToRPCCustomResources(resources []ftypes.CustomResource) []*common.Cu
return rpcResources
}

func ConvertToRPCCode(code ftypes.Code) *common.Code {
var rpcLines []*common.Line
for _, line := range code.Lines {
rpcLines = append(rpcLines, &common.Line{
Number: int32(line.Number),
Content: line.Content,
IsCause: line.IsCause,
Annotation: line.Annotation,
Truncated: line.Truncated,
Highlighted: line.Highlighted,
FirstCause: line.FirstCause,
LastCause: line.LastCause,
})
}
return &common.Code{
Lines: rpcLines,
}
}

func ConvertToRPCSecrets(secrets []ftypes.Secret) []*common.Secret {
var rpcSecrets []*common.Secret
for _, s := range secrets {
rpcSecrets = append(rpcSecrets, &common.Secret{
Filepath: s.FilePath,
Findings: ConvertToRPCSecretFindings(s.Findings),
})
}
return rpcSecrets
}

func ConvertToRPCSecretFindings(findings []ftypes.SecretFinding) []*common.SecretFinding {
var rpcFindings []*common.SecretFinding
for _, f := range findings {
rpcFindings = append(rpcFindings, &common.SecretFinding{
RuleId: f.RuleID,
Category: string(f.Category),
Severity: f.Severity,
Title: f.Title,
EndLine: int32(f.EndLine),
StartLine: int32(f.StartLine),
Code: ConvertToRPCCode(f.Code),
Match: f.Match,
Deleted: f.Deleted,
Layer: ConvertToRPCLayer(f.Layer),
})
}
return rpcFindings
}

// ConvertFromRPCPkgs returns list of Fanal package objects
func ConvertFromRPCPkgs(rpcPkgs []*common.Package) []ftypes.Package {
var pkgs []ftypes.Package
Expand Down Expand Up @@ -210,6 +259,7 @@ func ConvertFromRPCResults(rpcResults []*scanner.Result) []types.Result {
Type: result.Type,
Packages: ConvertFromRPCPkgs(result.Packages),
CustomResources: ConvertFromRPCCustomResources(result.CustomResources),
Secrets: ConvertFromRPCSecretFindings(result.Secrets),
})
}
return results
Expand All @@ -232,6 +282,58 @@ func ConvertFromRPCCustomResources(rpcCustomResources []*common.CustomResource)
return resources
}

func ConvertFromRPCCode(rpcCode *common.Code) ftypes.Code {
var lines []ftypes.Line
for _, line := range rpcCode.Lines {
lines = append(lines, ftypes.Line{
Number: int(line.Number),
Content: line.Content,
IsCause: line.IsCause,
Annotation: line.Annotation,
Truncated: line.Truncated,
Highlighted: line.Highlighted,
FirstCause: line.FirstCause,
LastCause: line.LastCause,
})
}
return ftypes.Code{
Lines: lines,
}
}

func ConvertFromRPCSecretFindings(rpcFindings []*common.SecretFinding) []ftypes.SecretFinding {
var findings []ftypes.SecretFinding
for _, finding := range rpcFindings {
findings = append(findings, ftypes.SecretFinding{
RuleID: finding.RuleId,
Category: ftypes.SecretRuleCategory(finding.Category),
Severity: finding.Severity,
Title: finding.Title,
StartLine: int(finding.StartLine),
EndLine: int(finding.EndLine),
Code: ConvertFromRPCCode(finding.Code),
Match: finding.Match,
Deleted: finding.Deleted,
Layer: ftypes.Layer{
Digest: finding.Layer.Digest,
DiffID: finding.Layer.DiffId,
},
})
}
return findings
}

func ConvertFromRPCSecrets(recSecrets []*common.Secret) []ftypes.Secret {
var secrets []ftypes.Secret
for _, secret := range recSecrets {
secrets = append(secrets, ftypes.Secret{
FilePath: secret.Filepath,
Findings: ConvertFromRPCSecretFindings(secret.Findings),
})
}
return secrets
}

// ConvertFromRPCVulns converts []*common.Vulnerability to []types.DetectedVulnerability
func ConvertFromRPCVulns(rpcVulns []*common.Vulnerability) []types.DetectedVulnerability {
var vulns []types.DetectedVulnerability
Expand Down Expand Up @@ -446,6 +548,7 @@ func ConvertFromRPCPutBlobRequest(req *cache.PutBlobRequest) ftypes.BlobInfo {
OpaqueDirs: req.BlobInfo.OpaqueDirs,
WhiteoutFiles: req.BlobInfo.WhiteoutFiles,
CustomResources: ConvertFromRPCCustomResources(req.BlobInfo.CustomResources),
Secrets: ConvertFromRPCSecrets(req.BlobInfo.Secrets),
}
}

Expand Down Expand Up @@ -556,6 +659,7 @@ func ConvertToRPCBlobInfo(diffID string, blobInfo ftypes.BlobInfo) *cache.PutBlo
OpaqueDirs: blobInfo.OpaqueDirs,
WhiteoutFiles: blobInfo.WhiteoutFiles,
CustomResources: customResources,
Secrets: ConvertToRPCSecrets(blobInfo.Secrets),
},
}
}
Expand Down Expand Up @@ -596,6 +700,7 @@ func ConvertToRPCScanResponse(results types.Results, fos *ftypes.OS) *scanner.Sc
Misconfigurations: ConvertToRPCMisconfs(result.Misconfigurations),
Packages: ConvertToRPCPkgs(result.Packages),
CustomResources: ConvertToRPCCustomResources(result.CustomResources),
Secrets: ConvertToRPCSecretFindings(result.Secrets),
})
}

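Review bot: `ConvertFromRPCCode` ranges over `rpcCode.Lines` and `ConvertFromRPCSecretFindings` reads `finding.Layer.Digest` / `finding.Layer.DiffId` without nil checks, yet both `Code` and `Layer` are pointer-typed message fields (the To-direction builds them via `ConvertToRPCCode` and `ConvertToRPCLayer`), so a finding that omits either one panics the converter. On the server these run on client-supplied payloads (`ConvertFromRPCPutBlobRequest` now feeds `ConvertFromRPCSecrets`), which includes older or differently-built clients, so a missing sub-message becomes a per-request crash rather than an empty result. If `common` is protoc-generated like the rest of the rpc package appears to be, the nil-safe getters fix both sites: `for _, line := range rpcCode.GetLines() {` and `Layer: ftypes.Layer{Digest: finding.GetLayer().GetDigest(), DiffID: finding.GetLayer().GetDiffId()},`; otherwise add an early `if rpcCode == nil { return ftypes.Code{} }` and guard `finding.Layer` the same way. The inline layer conversion also duplicates what a `ConvertFromRPCLayer` counterpart to `ConvertToRPCLayer` would do, if one exists in this file — reusing it keeps the two directions symmetric.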