From 67bce86d80df2006fb13f63544d849c187d7c68b Mon Sep 17 00:00:00 2001
From: Jan Winz
Date: Fri, 4 Oct 2024 14:13:11 +0200
Subject: [PATCH] Update pds-gitleaks and gitleaks version #3487
- update default gitleaks version in env file
- update gitleaks.sh to use new command line options instead of deprecated ones
- add build arg parameter to docker compose yaml files
---
 .../gitleaks/docker-compose_gitleaks.yaml | 1 + ...cker-compose_pds_gitleaks_external-network.yaml | 1 + .../gitleaks/docker/scripts/gitleaks.sh | 14 +++++++------- sechub-pds-solutions/gitleaks/env | 2 +- 4 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/sechub-pds-solutions/gitleaks/docker-compose_gitleaks.yaml b/sechub-pds-solutions/gitleaks/docker-compose_gitleaks.yaml
index d39bef1066..03c87d3798 100644
--- a/sechub-pds-solutions/gitleaks/docker-compose_gitleaks.yaml
+++ b/sechub-pds-solutions/gitleaks/docker-compose_gitleaks.yaml
@@ -7,6 +7,7 @@ services:
 args:
 - BASE_IMAGE=${BASE_IMAGE}
 - GITLEAKS_VERSION=${GITLEAKS_VERSION}
+ - SECRETVALIDATION_WRAPPER_VERSION=${SECRETVALIDATION_WRAPPER_VERSION}
 context: docker/
 dockerfile: Gitleaks.dockerfile
 container_name: pds-gitleaks
diff --git a/sechub-pds-solutions/gitleaks/docker-compose_pds_gitleaks_external-network.yaml b/sechub-pds-solutions/gitleaks/docker-compose_pds_gitleaks_external-network.yaml
index 955e639586..8414da9322 100644
--- a/sechub-pds-solutions/gitleaks/docker-compose_pds_gitleaks_external-network.yaml
+++ b/sechub-pds-solutions/gitleaks/docker-compose_pds_gitleaks_external-network.yaml
@@ -7,6 +7,7 @@ services:
 args:
 - BASE_IMAGE=${BASE_IMAGE}
 - GITLEAKS_VERSION=${GITLEAKS_VERSION}
+ - SECRETVALIDATION_WRAPPER_VERSION=${SECRETVALIDATION_WRAPPER_VERSION}
 context: docker/
 dockerfile: Gitleaks.dockerfile
 container_name: pds-gitleaks
diff --git a/sechub-pds-solutions/gitleaks/docker/scripts/gitleaks.sh b/sechub-pds-solutions/gitleaks/docker/scripts/gitleaks.sh
index 61c4ca0c0f..3961cfc640 100755 
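Review bot: The added build arg `- SECRETVALIDATION_WRAPPER_VERSION=${SECRETVALIDATION_WRAPPER_VERSION}` relies on that variable being present in the compose environment, but the env hunk in this patch only changes GITLEAKS_VERSION and whether env already defines the wrapper version is not visible here. When a referenced variable is unset, compose substitutes an empty string, and an explicitly empty build arg is passed through and takes precedence over any `ARG` default in Gitleaks.dockerfile, so a misconfigured environment would build an image with an unpinned or broken wrapper version instead of failing. The compose required-variable form, `- SECRETVALIDATION_WRAPPER_VERSION=${SECRETVALIDATION_WRAPPER_VERSION:?must be set in env}`, makes the build abort with a clear message. The identical hunk in docker-compose_pds_gitleaks_external-network.yaml has the same consideration.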
--- a/sechub-pds-solutions/gitleaks/docker/scripts/gitleaks.sh
+++ b/sechub-pds-solutions/gitleaks/docker/scripts/gitleaks.sh 
@@ -24,32 +24,32 @@ scan_target_directory="$PDS_JOB_EXTRACTED_SOURCES_FOLDER"
 # It is important to specify the target source folder with the current directory ".", because gitleaks puts this path in the report.
 # The full path containing "$PDS_JOB_EXTRACTED_SOURCES_FOLDER" is not useful in the report.
-gitleaks_options="--log-level debug --config $TOOL_FOLDER/custom-gitleaks.toml --source . --report-format sarif --report-path $PDS_JOB_RESULT_FILE --exit-code 0"
+gitleaks_options="--max-decode-depth 10 --log-level debug --config $TOOL_FOLDER/custom-gitleaks.toml --report-format sarif --report-path $PDS_JOB_RESULT_FILE --exit-code 0"
 # If the history scan was disabled, a normal filesystem scan is performed.
 if [ "$GITLEAKS_HISTORY_SCAN_ENABLED" = "false" ] ; then
- gitleaks_options="$gitleaks_options --no-git"
+ gitleaks_options="directory . $gitleaks_options"
 echo "History scan was disabled by an administrator. A secret scan on the filesystem without history deepscan will be done instead." | tee "$PDS_JOB_USER_MESSAGES_FOLDER"/history-scan-disabled.txt
 # If no '.git' directory was found we cannot scan the git history
 elif [ -z "$git_directory" ] ; then
- gitleaks_options="$gitleaks_options --no-git"
+ gitleaks_options="directory . $gitleaks_options"
 echo "No .git folder was uploaded for the secret scan. A secret scan on the filesystem without history deepscan will be done instead." | tee "$PDS_JOB_USER_MESSAGES_FOLDER"/no-git.txt
 # If the value of 'git_directory' is not a valid directory there is more than a single result of the find command
 elif [ ! -d "$git_directory" ] ; then
- gitleaks_options="$gitleaks_options --no-git"
+ gitleaks_options="directory . $gitleaks_options"
 echo "Multiple .git folders were uploaded for the secret scan. This is not supported. A secret scan on the filesystem without history deepscan will be done instead." 
| tee "$PDS_JOB_USER_MESSAGES_FOLDER"/multiple-git.txt
 # If exactly one '.git' directory was found we scan the git history
 else
- scan_target_directory="$repository_root_directory"
+ cd "$repository_root_directory"
+ gitleaks_options="git . $gitleaks_options"
 echo ".git folder was uploaded for the secret scan. Perform secret scan with history deepscan." | tee "$PDS_JOB_USER_MESSAGES_FOLDER"/history-scan.txt
 fi
 echo "### Running Gitleaks"
-cd "$scan_target_directory"
-gitleaks detect $gitleaks_options
+gitleaks $gitleaks_options
 # Secret-Validation
 if [ "$SECRET_VALIDATOR_ENABLED" = "true" ] ; then
diff --git a/sechub-pds-solutions/gitleaks/env b/sechub-pds-solutions/gitleaks/env
index fbf5863ce3..7645b85517 100644
--- a/sechub-pds-solutions/gitleaks/env
+++ b/sechub-pds-solutions/gitleaks/env
@@ -5,7 +5,7 @@ BASE_IMAGE="ghcr.io/mercedes-benz/sechub/pds-base"
 # The gitleaks version to use
 # See: https://github.com/gitleaks/gitleaks/releases
-GITLEAKS_VERSION="8.18.4"
+GITLEAKS_VERSION="8.20.0"
 # The build type of the Secret-Validation-Wrapper
 # Possible values are:
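Review bot: The three non-git branches no longer change directory before `gitleaks directory .` runs: the old `cd "$scan_target_directory"` in front of the gitleaks call is removed and a `cd` now happens only in the `else` branch, so in the other branches the scan covers whatever the script's working directory is rather than `$PDS_JOB_EXTRACTED_SOURCES_FOLDER` — unless code outside the hunk already changed into it, which is not visible here, and the `scan_target_directory` assignment shown in the hunk header is now left unused, which suggests the removed `cd` was its only consumer. With `--exit-code 0` a scan of the wrong (or empty) tree would still succeed silently and could produce a report with no findings. I would restore one checked directory change for all branches: keep `scan_target_directory="$repository_root_directory"` in the `else` branch (instead of the unchecked `cd`) and run `cd "$scan_target_directory" || exit 1` immediately before `gitleaks $gitleaks_options`. Separately, `$gitleaks_options` is still expanded unquoted and now also carries the subcommand, so a `$TOOL_FOLDER` or `$PDS_JOB_RESULT_FILE` containing whitespace would split the command line; a bash array (`gitleaks_options=(...)` and `gitleaks "${gitleaks_options[@]}"`) avoids that. The trailing `if [ "$SECRET_VALIDATOR_ENABLED" = "true" ]` block continues past the end of the hunk.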