
Commit f1efa4e

Merge branch 'AST-75295-custom-rules' of https://github.com/Checkmarx/2ms into AST-00000-custom-rules-small-fixes
2 parents 3edb767 + fd2c16d commit f1efa4e


3 files changed

+144
-2
lines changed

3 files changed

+144
-2
lines changed

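--- a/.2ms.yml
+++ b/.2ms.yml
@@ -2987,3 +2987,35 @@ ignore-result:
 - ba40bd0cfa331c71899179dbb35b2a6eb452a482 # secret found in ruleids.go
 - eeaf67842fc9be3123b8e2aea470608c2f362033 # test/development data from generic_credential.go
 - 25960f13ce160dba4f08f210370fccdca6cb51eb # FP, id not credential
+- 1019ff5ad384a9770c0db24dbeaa00499b8dba63 # unit test from e2e_test.go
+- 15a18f3e8ee97ed9fe5b7abd5840f8968a45afa0 # unit test from e2e_test.go
+- 1e61ab2a417e54226a532871b7134d026bf1d6cd # unit test from engine_test.go
+- 3833ee626018f25781466413a8b78b925314d828 # unit test from engine_test.go
+- 45b29b568529fc466bed681f705a16a87f50e6f7 # unit test from engine_test.go
+- 47b590343654def2150b375a76640ceb41477719 # unit test from engine_test.go
+- 507579c214d7bdbcfa68beee419a02badabcf99a # unit test from engine_test.go
+- 5306279b0926f22bc33366cfa7c913f72c326a2a # unit test from engine_test.go
+- 5eb82b4df0cca86ee0b21be432212a3fb9929d69 # unit test from engine_test.go
+- 673360e98a233713640729ca92718b833082380c # unit test from engine_test.go
+- 6a98649f8c9e407297f49bab69914b1b78efed4b # unit test from e2e_test.go
+- 6d228656ed5cd4d350ce8c97e7f68436399e7139 # unit test from e2e_test.go
+- 89f1b6508e21b00cbd77a540f6dfec5c08fefe95 # unit test from engine_test.go
+- 8a823c69a876c06c45e8b9d6a01ee576f72b4047 # unit test from e2e_test.go
+- 9429401f76006e61ecf6b10175952d106ce48b5e # unit test from engine_test.go
+- a00431efb72a9865f31a5a4c30f34ef6806ca312 # unit test from engine_test.go
+- a21b7f852dd9e043538c94095f5b656ca7a2bf56 # secret found in ruleids.go
+- a28534b80dff06089cf547ca728b21d2d93bd0fc # unit test from e2e_test.go
+- a34b74beb6851dced6e24ee5d5d96c46f9b4c131 # unit test from engine_test.go
+- ac2c149e54ee0df4308e6c306054b07a4717faac # unit test from engine_test.go
+- b1e59e3d53cde93a7cac720d213bd99908464fe4 # unit test from engine_test.go
+- c76e96c2c969d7722eefcc86071efcac4dc2e8ef # unit test from engine_test.go
+- c8cfc3f14d58bd6cdf18d25054b2577253c4a809 # unit test from e2e_test.go
+- cbea2411762b0ce7bd59e7461dac69069ea2e1e9 # unit test from e2e_test.go
+- d8e6840f7b21d75f3b44ec1404af4e391b67d7e2 # unit test from e2e_test.go
+- da346403524ee25eb52c68b8dbd900dfad47c4f3 # unit test from engine_test.go
+- e1a9caae63a86477a809a77a18ef745c3d3682ca # unit test from e2e_test.go
+- e2a10da9e03cb5c7ed9e8399e22c81fd6a10c237 # unit test from engine_test.go
+- e6cb4b56f380f519250ef0bd150327710d49f220 # secret found in ruleids.go
+- edb22f489a7846d8a39074541c92d27e3a88c123 # unit test from engine_test.go
+- fe01911702da491dde97b22544ea2fd7027698a4 # unit test from engine_test.go
+- 5ad4e2c9342c26b419d89ce606af840b222ddc29 # FP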
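Review bot: The last added entry (`5ad4e2c9… # FP`) is the only one in this hunk without a provenance annotation, so a later reader cannot tell which file or rule produced the result being suppressed or why it is a false positive. Every other new entry names its origin (`unit test from e2e_test.go`, `unit test from engine_test.go`); the existing `# FP, id not credential` line three rows above shows the expected shape, so this one should read `# FP, <reason> from <file>` with the real values filled in. The two new entries annotated `secret found in ruleids.go` describe a suppressed result as a found secret; if those are rule identifiers rather than credentials, saying so in the comment (as the `id not credential` entry does) makes the allowlist auditable without re-running the scan. I cannot confirm from the page what those results are, so treat that as a request for the annotation, not a claim about the values.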

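--- a/engine/engine.go
+++ b/engine/engine.go
@@ -387,13 +387,15 @@ func (e *Engine) detectSecrets(
 if !isSecretIgnored(secret, e.ignoredIds, e.allowedValues, value.Line, value.Match, pluginName) {
 // Atomically increment and check to avoid race condition
 newCount := e.findingsCounter.Add(1)
-if maxFindings > 0 && newCount > maxFindings {
+if maxFindings > 0 && newCount >= maxFindings {
 e.maxFindingsWarnOnce.Do(func() {
 log.Warn().
 Uint64("max_findings", maxFindings).
 Msg("Maximum findings limit reached. Scan will stop early and report results up to this limit.")
 })
-if newCount > maxFindings {
+if newCount > maxFindings {
+break
+}
 }
 secrets <- secret
 } else {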
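Review bot: The new two-tier condition (`>=` to warn, `>` to break) is correct but its intent is not stated anywhere in the hunk, and the existing comment only explains the atomic increment; the reader has to work out that the finding which exactly fills the limit is still sent on `secrets` and only later ones are dropped. I would put `// Warn once when the limit is reached (this finding is still reported); discard everything past it.` above the `if maxFindings > 0 && newCount >= maxFindings {` line. Note that `e.findingsCounter.Add(1)` runs before the limit check, so every finding that is subsequently discarded still advances the counter; if that counter is surfaced as a findings total anywhere else in the engine (not visible here), it will overstate the reported count once the limit is hit. The `break` leaves only the innermost loop, and since `detectSecrets` starts outside the hunk I cannot confirm from this page that the surrounding scan actually stops as the log message promises.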

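--- a/engine/engine_test.go
+++ b/engine/engine_test.go
@@ -1515,3 +1515,111 @@ third_token: ghp_abcdefghijklmnopqrstuvwxyz1234567890
 })
 }
 }
+
+func TestMaxFindingsWarning(t *testing.T) {
+// Content with multiple secrets in single fragment
+multipleSecrets := `
+github_token: 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
+another_token: ghp_1234567890abcdefghijklmnopqrstuvwxyz
+third_token: ghp_abcdefghijklmnopqrstuvwxyz1234567890
+fourth_token: ghp_9876543210zyxwvutsrqponmlkjihgfedcba
+fifth_token: ghp_aB3cD4eF5gH6iJ7kL8mN9oP0qR1sT2uV3wX4
+`
+
+testCases := []struct {
+name string
+limit uint64
+fragments []string
+expectedCount int
+shouldLogWarning bool
+}{
+{
+name: "no limit - no warning",
+limit: 0,
+fragments: []string{multipleSecrets},
+expectedCount: 5,
+shouldLogWarning: false,
+},
+{
+name: "limit of 3 - warning logged when limit reached",
+limit: 3,
+fragments: []string{multipleSecrets},
+expectedCount: 3,
+shouldLogWarning: true,
+},
+{
+name: "limit of 2 across multiple fragments - warning logged",
+limit: 2,
+fragments: []string{
+"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",
+"ghp_1234567890abcdefghijklmnopqrstuvwxyz",
+"ghp_abcdefghijklmnopqrstuvwxyz1234567890",
+},
+expectedCount: 2,
+shouldLogWarning: true,
+},
+{
+name: "limit of 1 - warning logged immediately",
+limit: 1,
+fragments: []string{multipleSecrets},
+expectedCount: 1,
+shouldLogWarning: true,
+},
+{
+name: "limit higher than findings - no warning",
+limit: 10,
+fragments: []string{multipleSecrets},
+expectedCount: 5,
+shouldLogWarning: false,
+},
+}
+
+for _, tc := range testCases {
+t.Run(tc.name, func(t *testing.T) {
+// Capture log output
+var logsBuffer bytes.Buffer
+log.Logger = log.Output(zerolog.ConsoleWriter{
+Out: &logsBuffer,
+NoColor: true,
+TimeFormat: "",
+}).Level(zerolog.WarnLevel)
+
+eng, err := initEngine(&EngineConfig{
+DetectorWorkerPoolSize: 1,
+MaxFindings: tc.limit,
+})
+require.NoError(t, err)
+defer eng.Shutdown()
+
+secretsChan := make(chan *secrets.Secret, 10)
+fsPlugin := &plugins.FileSystemPlugin{}
+
+for _, fragment := range tc.fragments {
+err = eng.DetectFragment(item{content: &fragment}, secretsChan, fsPlugin.GetName())
+require.NoError(t, err)
+}
+
+close(secretsChan)
+
+count := 0
+for range secretsChan {
+count++
+}
+
+// Verify findings count
+assert.Equal(t, tc.expectedCount, count)
+
+// Verify warning message
+loggedMessage := logsBuffer.String()
+if tc.shouldLogWarning {
+assert.Contains(t, loggedMessage, "Maximum findings limit reached",
+"Expected warning message to be logged when limit is reached")
+assert.Contains(t, loggedMessage, fmt.Sprintf("max_findings=%d", tc.limit),
+"Expected max_findings value in log message")
+} else {
+assert.NotContains(t, loggedMessage, "Maximum findings limit reached",
+"Warning message should not be logged when limit is not reached")
+}
+})
+}
+}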
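Review bot: Each subtest overwrites the package-global `log.Logger` with a buffer-backed, warn-level logger and never restores it, so every test that runs afterwards in this package inherits a logger writing into a buffer that no longer exists and silently loses output below warn level. Saving and restoring it is two lines at the top of the `t.Run` body: `prevLogger := log.Logger` and `t.Cleanup(func() { log.Logger = prevLogger })`. The test also calls `close(secretsChan)` straight after the `DetectFragment` loop returns, which is only safe if `DetectFragment` finishes all sends before returning; I cannot see its implementation on this page, so that assumption deserves a comment (`// DetectFragment is synchronous with a pool size of 1 — TODO confirm`) next to the `DetectorWorkerPoolSize: 1` setting. Relatedly, `item{content: &fragment}` takes the address of the range variable; that is per-iteration only on a Go 1.22+ `go.mod`, which is not visible here.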
