
Commit 1583adc

fix: github token and Clojars not being caught (#293)
<!-- Thanks for contributing to 2ms by offering a pull request. --> Closes # **Proposed Changes** <!-- Please describe the big picture of your changes here. If it fixes a bug or resolves a feature request, be sure to link to that issue. --> **Checklist** - [ ] I covered my changes with tests. - [ ] I Updated the documentation that is affected by my changes: - [ ] Change in the CLI arguments - [ ] Change in the configuration file I submit this contribution under the Apache-2.0 license.
1 parent ae4e0e4 commit 1583adc


5 files changed

+56
-3
lines changed


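--- a/.2ms.yml
+++ b/.2ms.yml
@@ -88,4 +88,5 @@ ignore-result:
 - f9e5e0b35a39914c67ee1660191a356d3c7ab1db # value used for testing, found at https://github.com/Checkmarx/2ms/commit/07aab5bb214c03fd9e75e46cebe2b407c88d4f73/reporting/report_test.go#diff-31d71ec2c2ba169dce79b1c2de097e30b43f1695ce364054ee7d6b33896c7040R10
 - 777f3d460d69a70e2ce760ca757b18f2aa984392 # value used for testing, found at https://github.com/Checkmarx/2ms/commit/07aab5bb214c03fd9e75e46cebe2b407c88d4f73/reporting/report_test.go#diff-31d71ec2c2ba169dce79b1c2de097e30b43f1695ce364054ee7d6b33896c7040R10
 - e392318c730d4cd0a04340f1e3d41d4c61f6eb20 # value used for testing, found at https://github.com/Checkmarx/2ms/commit/07aab5bb214c03fd9e75e46cebe2b407c88d4f73/reporting/report_test.go#diff-31d71ec2c2ba169dce79b1c2de097e30b43f1695ce364054ee7d6b33896c7040R10
-- 8f0e0442b01c18b02cfb8e59555103f8233fc7bf # value used for testing, found at https://github.com/Checkmarx/2ms/commit/07aab5bb214c03fd9e75e46cebe2b407c88d4f73/reporting/report_test.go#diff-31d71ec2c2ba169dce79b1c2de097e30b43f1695ce364054ee7d6b33896c7040R10
+- 8f0e0442b01c18b02cfb8e59555103f8233fc7bf # value used for testing, found at https://github.com/Checkmarx/2ms/commit/07aab5bb214c03fd9e75e46cebe2b407c88d4f73/reporting/report_test.go#diff-31d71ec2c2ba169dce79b1c2de097e30b43f1695ce364054ee7d6b33896c7040R10
+- 353627158f2e7fa5bb60271cee17da80e5fbba17 # value used as true positive, found at https://github.com/Checkmarx/2ms/pull/292/commits/cc44c8f8bee92250bdcd69bf9fbaffabf0eb442a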

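--- a/engine/rules/clojars.go
+++ b/engine/rules/clojars.go
@@ -0,0 +1,24 @@
+package rules
+
+import (
+"regexp"
+
+"github.com/zricethezav/gitleaks/v8/cmd/generate/secrets"
+"github.com/zricethezav/gitleaks/v8/config"
+)
+
+func Clojars() *config.Rule {
+// define rule
+r := config.Rule{
+Description: "Uncovered a possible Clojars API token, risking unauthorized access to Clojure libraries and potential code manipulation.",
+RuleID: "clojars-api-token",
+Regex: regexp.MustCompile(`(?i)CLOJARS_[a-z0-9]{60}`),
+Keywords: []string{"clojars"},
+}
+
+// validate
+tps := []string{
+generateSampleSecret("clojars", "CLOJARS_"+secrets.NewSecret(alphaNumeric("60"))),
+}
+return validate(r, tps, nil)
+}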
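Review bot: Exported Clojars has no doc comment, and nothing in the file records why this rule is kept locally instead of being taken from the imported gitleaks rules package that every other entry in getDefaultRules uses; the commit title says the token was not being caught, but what differs from the upstream rule is not stated, so a future gitleaks bump could silently revert to it. A doc comment along the lines of `// Clojars returns the Clojars API token rule (CLOJARS_ followed by 60 alphanumerics, case-insensitive), maintained locally because the upstream gitleaks rule did not catch <reason — fill in>.` would record the intent. The same applies to GitHubApp in engine/rules/github.go. The `// define rule` and `// validate` comments only restate the code and could be dropped, and validate is called with nil false-positive samples, so presumably no negative cases guard this pattern yet — worth confirming whether the test helper expects any.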

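--- a/engine/rules/github.go
+++ b/engine/rules/github.go
@@ -0,0 +1,25 @@
+package rules
+
+import (
+"regexp"
+
+"github.com/zricethezav/gitleaks/v8/cmd/generate/secrets"
+"github.com/zricethezav/gitleaks/v8/config"
+)
+
+func GitHubApp() *config.Rule {
+// define rule
+r := config.Rule{
+Description: "Identified a GitHub App Token, which may compromise GitHub application integrations and source code security.",
+RuleID: "github-app-token",
+Regex: regexp.MustCompile(`(?:ghu|ghs)_[0-9a-zA-Z]{36}`),
+Keywords: []string{"ghu_", "ghs_"},
+}
+
+// validate
+tps := []string{
+generateSampleSecret("github", "ghu_"+secrets.NewSecret(alphaNumeric("36"))),
+generateSampleSecret("github", "ghs_"+secrets.NewSecret(alphaNumeric("36"))),
+}
+return validate(r, tps, nil)
+}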

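--- a/engine/rules/rule_test.go
+++ b/engine/rules/rule_test.go
@@ -15,6 +15,9 @@ func Test2msRules(t *testing.T) {
 validate func() *config.Rule
 }{
 {name: "AuthenticatedURL", validate: rules.AuthenticatedURL},
+{name: "Clojars", validate: rules.Clojars},
+{name: "GenericCredential", validate: rules.GenericCredential},
+{name: "GitHubApp", validate: rules.GitHubApp},
 {name: "HardcodedPassword", validate: rules.HardcodedPassword},
 {name: "PlaidAccessID", validate: rules.PlaidAccessID},
 {name: "PrivateKey", validate: rules.PrivateKey},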

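--- a/engine/rules/rules.go
+++ b/engine/rules/rules.go
@@ -92,7 +92,7 @@ func getDefaultRules() *[]Rule {
 {Rule: *rules.Beamer(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: CategoryNewsAndMedia, RuleType: 4}},
 {Rule: *rules.CodecovAccessToken(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategorySecurity, RuleType: 4}},
 {Rule: *rules.CoinbaseAccessToken(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategoryCryptocurrencyExchange, RuleType: 4}},
-{Rule: *rules.Clojars(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: CategoryPackageManagement, RuleType: 4}},
+{Rule: *Clojars(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: CategoryPackageManagement, RuleType: 4}},
 {Rule: *rules.ConfluentAccessToken(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategorySocialMedia, RuleType: 4}},
 {Rule: *rules.ConfluentSecretKey(), Tags: []string{TagSecretKey}, ScoreParameters: ScoreParameters{Category: CategorySocialMedia, RuleType: 4}},
 {Rule: *rules.Contentful(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: CategoryContentManagementSystem, RuleType: 4}},
@@ -131,7 +131,7 @@ func getDefaultRules() *[]Rule {
 {Rule: *rules.GitHubPat(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategoryDevelopmentPlatform, RuleType: 4}},
 {Rule: *rules.GitHubFineGrainedPat(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategoryAPIAccess, RuleType: 4}},
 {Rule: *rules.GitHubOauth(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategoryAuthenticationAndAuthorization, RuleType: 4}},
-{Rule: *rules.GitHubApp(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategoryCICD, RuleType: 4}},
+{Rule: *GitHubApp(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategoryCICD, RuleType: 4}},
 {Rule: *rules.GitHubRefresh(), Tags: []string{TagRefreshToken}, ScoreParameters: ScoreParameters{Category: CategoryAuthenticationAndAuthorization, RuleType: 4}},
 {Rule: *rules.GitlabPat(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategorySourceCodeManagement, RuleType: 4}},
 {Rule: *rules.GitlabPipelineTriggerToken(), Tags: []string{TagTriggerToken}, ScoreParameters: ScoreParameters{Category: CategoryCICD, RuleType: 4}},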
