From 4823260f919b61097ee2940438b10b612e1c1210 Mon Sep 17 00:00:00 2001 From: LeonardoLordelloFontes Date: Thu, 21 Nov 2024 14:03:40 +0000 Subject: [PATCH 1/5] Added new score system --- README.md | 4 + cmd/main.go | 6 +- cmd/workers.go | 20 +- engine/engine.go | 33 ++- engine/engine_test.go | 4 + engine/rules/rule.go | 10 +- engine/rules/rules.go | 379 +++++++++++++++++++---------------- engine/score/score.go | 76 +++++++ engine/score/score_test.go | 234 +++++++++++++++++++++ lib/reporting/report_test.go | 6 + lib/reporting/sarif.go | 1 + lib/secrets/secret.go | 1 + 12 files changed, 594 insertions(+), 180 deletions(-) create mode 100644 engine/score/score.go create mode 100644 engine/score/score_test.go diff --git a/README.md b/README.md index 3051b615..2a28a7e4 100644 --- a/README.md +++ b/README.md @@ -10,6 +10,8 @@ This application is written in Go language and is based on the framework provide The tool checks the content using a series of rules that are designed to identify a wide range of sensitive items such as AWS access token, Bitbucket Client ID, GitHub PAT etc. For a complete list of rules, see [docs/list-of-rules.md](docs/list-of-rules.md). +Additionally, the tool incorporates a scoring system based on the Common Vulnerability Scoring System (CVSS) to help prioritize remediation efforts. + # Installation The following sections explain how to install 2ms using the following methods: 
@@ -397,6 +399,8 @@ The result of the validation can be: If the `--validate` flag is not provided, the validation field will be omitted from the output, or its value will be an empty string. +> **Note:** The validity check also impacts the score field. If the flag is not provided, the validity is assumed to be "unknown" in the score formula. + ### Special Rules Special rules are rules that are configured in 2ms but are not run as part of the default ruleset, usually because they are too noisy or too specific. You can use the `--add-special-rule` flag to add special rules by rule ID. diff --git a/cmd/main.go b/cmd/main.go index 69027f98..191713a3 100644 --- a/cmd/main.go +++ b/cmd/main.go @@ -76,6 +76,7 @@ var report = reporting.Init() var secretsChan = make(chan *secrets.Secret) var secretsExtrasChan = make(chan *secrets.Secret) var validationChan = make(chan *secrets.Secret) +var cvssScoreChan = make(chan *secrets.Secret) func Execute() (int, error) { vConfig.SetEnvPrefix(envPrefix) 
@@ -84,7 +85,7 @@ func Execute() (int, error) {
 cobra.OnInitialize(initialize)
 rootCmd.PersistentFlags().StringVar(&configFilePath, configFileFlag, "", "config file path")
 cobra.CheckErr(rootCmd.MarkPersistentFlagFilename(configFileFlag, "yaml", "yml", "json"))
- rootCmd.PersistentFlags().StringVar(&logLevelVar, logLevelFlagName, "info", "log level (trace, debug, info, warn, error, fatal)")
+ rootCmd.PersistentFlags().StringVar(&logLevelVar, logLevelFlagName, "trace", "log level (trace, debug, info, warn, error, fatal)")
 rootCmd.PersistentFlags().StringSliceVar(&reportPathVar, reportPathFlagName, []string{}, "path to generate report files. The output format will be determined by the file extension (.json, .yaml, .sarif)")
 rootCmd.PersistentFlags().StringVar(&stdoutFormatVar, stdoutFormatFlagName, "yaml", "stdout output format, available formats are: json, yaml, sarif")
 rootCmd.PersistentFlags().StringArrayVar(&customRegexRuleVar, customRegexRuleFlagName, []string{}, "custom regexes to apply to the scan, must be valid Go regex")
@@ -152,6 +153,9 @@ func preRun(pluginName string, cmd *cobra.Command, args []string) error {
 go processValidation(engine)
 }
 
+ channels.WaitGroup.Add(1)
+ go processScore(engine)
+
 return nil
 }
 
diff --git a/cmd/workers.go b/cmd/workers.go
index 6d262360..5cd5ce2e 100644
--- a/cmd/workers.go
+++ b/cmd/workers.go
@@ -28,11 +28,14 @@ func processSecrets() {
 secretsExtrasChan <- secret
 if validateVar {
 validationChan <- secret
+ } else {
+ cvssScoreChan <- secret
 }
 report.Results[secret.ID] = append(report.Results[secret.ID], secret)
 }
 close(secretsExtrasChan)
 close(validationChan)
+ close(cvssScoreChan)
 }
 
 func processSecretsExtras() {
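Review bot: The default for the log-level flag changes from `"info"` to `"trace"`, which has nothing to do with the scoring feature and reads like a debugging leftover. Shipping the most verbose level as the default of a secrets scanner makes every run noisy and, depending on what the trace-level call sites log, raises the chance that scanned content or findings end up in log output. Restore the previous default: `rootCmd.PersistentFlags().StringVar(&logLevelVar, logLevelFlagName, "info", "log level (trace, debug, info, warn, error, fatal)")`.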
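Review bot: `close(cvssScoreChan)` at the end of processSecrets is unsafe when `validateVar` is set, because processSecrets is then not the only producer: the goroutines spawned in processValidation (next hunk, `cvssScoreChan <- secret`) may still be sending after `validationChan` has been drained, and a send on a closed channel panics. Close the channel from whichever goroutine is the last producer — here `if !validateVar { close(cvssScoreChan) }`, and in processValidation once all of its sends have completed. Note also that the channel is unbuffered, so each `cvssScoreChan <- secret` blocks until processScore receives; that only works because preRun (previous hunk) starts processScore unconditionally, which is worth a comment at the `var cvssScoreChan` declaration.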
@@ -52,9 +55,24 @@ func processValidation(engine *engine.Engine) { wgValidation := &sync.WaitGroup{} for secret := range validationChan { wgValidation.Add(1) - go engine.RegisterForValidation(secret, wgValidation) + go func() { + wgValidation.Done() + engine.RegisterForValidation(secret) + cvssScoreChan <- secret + }() } wgValidation.Wait() engine.Validate() } + +func processScore(engine *engine.Engine) { + defer channels.WaitGroup.Done() + + wgScore := &sync.WaitGroup{} + for secret := range cvssScoreChan { + wgScore.Add(1) + go engine.Score(secret, validateVar, wgScore) + } + wgScore.Wait() +} diff --git a/engine/engine.go b/engine/engine.go index fe1a4c6a..eb91e92c 100644 --- a/engine/engine.go +++ b/engine/engine.go @@ -3,6 +3,7 @@ package engine import ( "crypto/sha1" "fmt" + "github.com/checkmarx/2ms/engine/score" "os" "regexp" "strings" @@ -21,9 +22,10 @@ import ( ) type Engine struct { - rules map[string]config.Rule - detector detect.Detector - validator validation.Validator + rules map[string]config.Rule + rulesBaseRiskScore map[string]float64 + detector detect.Detector + validator validation.Validator ignoredIds []string allowedValues []string @@ -49,9 +51,11 @@ func Init(engineConfig EngineConfig) (*Engine, error) { } rulesToBeApplied := make(map[string]config.Rule) + rulesBaseRiskScore := make(map[string]float64) keywords := []string{} for _, rule := range *selectedRules { rulesToBeApplied[rule.Rule.RuleID] = rule.Rule + rulesBaseRiskScore[rule.Rule.RuleID] = score.GetBaseRiskScore(rule.ScoreParameters.Category, rule.ScoreParameters.RuleType) for _, keyword := range rule.Rule.Keywords { keywords = append(keywords, strings.ToLower(keyword)) } 
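Review bot: The new goroutine calls `wgValidation.Done()` as its first statement instead of deferring it, so `wgValidation.Wait()` returns as soon as the goroutines have started and `engine.Validate()` can run before `engine.RegisterForValidation(secret)` has registered anything. The same goroutine then sends the secret to `cvssScoreChan` before `engine.Validate()` has executed, so `engine.Score` (processScore, same hunk) reads `secret.ValidationStatus` before it is set — a data race and a wrong score. The closure also captures the loop variable `secret`; unless go.mod is at 1.22 or later every goroutine may see the same secret, so pass it as an argument. Defer the `Done()`, collect the registered secrets, and forward them only after `Validate()` returns; that loop is also the natural place to close `cvssScoreChan` when validation is enabled, since processValidation is then its last producer (`secrets` must be imported in workers.go if it is not already; the function's signature line is outside the hunk).
```go
	wgValidation := &sync.WaitGroup{}
	var mu sync.Mutex
	var validated []*secrets.Secret
	for secret := range validationChan {
		wgValidation.Add(1)
		go func(secret *secrets.Secret) {
			defer wgValidation.Done()
			engine.RegisterForValidation(secret)
			mu.Lock()
			validated = append(validated, secret)
			mu.Unlock()
		}(secret)
	}
	wgValidation.Wait()
	engine.Validate()
	// Only now does secret.ValidationStatus hold the verdict that Score reads.
	for _, secret := range validated {
		cvssScoreChan <- secret
	}
	// … unchanged: processScore …
```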
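Review bot: The new import `"github.com/checkmarx/2ms/engine/score"` is inserted between `"fmt"` and `"os"` inside the standard-library group. gofmt accepts it there, but goimports (and gci) would move it into the module's own import group, which presumably already holds the other `github.com/checkmarx/2ms/...` imports further down the block, outside this hunk. Move the line to that group so the file stays clean under the project's import linting.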
@@ -63,9 +67,10 @@ func Init(engineConfig EngineConfig) (*Engine, error) {
 detector.MaxTargetMegaBytes = engineConfig.MaxTargetMegabytes
 
 return &Engine{
- rules: rulesToBeApplied,
- detector: *detector,
- validator: *validation.NewValidator(),
+ rules: rulesToBeApplied,
+ rulesBaseRiskScore: rulesBaseRiskScore,
+ detector: *detector,
+ validator: *validation.NewValidator(),
 
 ignoredIds: engineConfig.IgnoredIds,
 allowedValues: engineConfig.AllowedValues,
@@ -126,11 +131,19 @@ func (e *Engine) AddRegexRules(patterns []string) error {
 return nil
 }
 
-func (s *Engine) RegisterForValidation(secret *secrets.Secret, wg *sync.WaitGroup) {
- defer wg.Done()
+func (s *Engine) RegisterForValidation(secret *secrets.Secret) {
 s.validator.RegisterForValidation(secret)
 }
 
+func (s *Engine) Score(secret *secrets.Secret, validateFlag bool, wg *sync.WaitGroup) {
+ defer wg.Done()
+ validationStatus := secrets.UnknownResult // default validity
+ if validateFlag {
+ validationStatus = secret.ValidationStatus
+ }
+ secret.CvssScore = score.GetCvssScore(s.GetRuleBaseRiskScore(secret.RuleID), validationStatus)
+}
+
 func (s *Engine) Validate() {
 s.validator.Validate()
 }
@@ -191,3 +204,7 @@ func GetRulesCommand(engineConfig *EngineConfig) *cobra.Command {
 },
 }
 }
+
+func (s *Engine) GetRuleBaseRiskScore(ruleId string) float64 {
+ return s.rulesBaseRiskScore[ruleId]
+}
diff --git a/engine/engine_test.go b/engine/engine_test.go
index 20b65be9..38299431 100644
--- a/engine/engine_test.go
+++ b/engine/engine_test.go
@@ -169,6 +169,10 @@ func TestSecrets(t *testing.T) {
 }
 }
 
+func TestScore(t *testing.T) {
+
+}
+
 type item struct {
 content *string
 id string
diff --git a/engine/rules/rule.go b/engine/rules/rule.go
index 0d704190..c25f441d 100644
--- a/engine/rules/rule.go
+++ b/engine/rules/rule.go
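Review bot: `Score` silently assigns a base risk score of 0 to any rule missing from `rulesBaseRiskScore`: `GetRuleBaseRiskScore` is a plain map index, and only `Init` (earlier hunk) fills the map, from the selected rules; `AddRegexRules`, whose tail is the context at the top of this hunk and which this commit does not touch, registers rules without a score entry, so custom regexes get a zero score with no indication that they were never classified (unless `score.GetCvssScore` treats 0 specially — score.go is not in this chunk). Either register a default `ScoreParameters` for regex rules in `AddRegexRules`, or use the two-value form `base, ok := s.rulesBaseRiskScore[secret.RuleID]` and fall back to a documented default when `ok` is false. The exported method also lacks a doc comment; `// Score sets secret.CvssScore from the rule's base risk score and, when validateFlag is set, the secret's ValidationStatus; without the flag the status is treated as unknown.` states the contract a caller needs.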
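Review bot: `GetRuleBaseRiskScore` is exported without a doc comment, and its parameter is spelled `ruleId` where Go convention is `ruleID`; the `Get` prefix is likewise unidiomatic for a Go getter, though dropping it now would change the public API. Proposed: `// GetRuleBaseRiskScore returns the base risk score registered for ruleID, or 0 when the engine has no score for that rule.` above `func (s *Engine) GetRuleBaseRiskScore(ruleID string) float64 {`.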
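Review bot: `TestScore` has an empty body, so it passes unconditionally and counts as coverage for a scoring path it never exercises. Either assert something concrete — that `Score` with `validateFlag` false produces the same `CvssScore` as an explicit unknown validation result, and that an unregistered rule ID yields whatever default the engine documents — or remove the function until the test exists. If it must stay as a placeholder, `t.Skip("TODO: scoring tests")` makes the gap visible in test output.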
@@ -8,9 +8,15 @@ import (
 "github.com/zricethezav/gitleaks/v8/detect"
 )
 
+type ScoreParameters struct {
+ Category RuleCategory
+ RuleType uint8
+}
+
 type Rule struct {
- Rule config.Rule
- Tags []string
+ Rule config.Rule
+ Tags []string
+ ScoreParameters ScoreParameters
 }
 
 // Copied from https://github.com/gitleaks/gitleaks/blob/463d24618fa42fc7629dc30c9744ebe36c5df1ab/cmd/generate/config/rules/rule.go
diff --git a/engine/rules/rules.go b/engine/rules/rules.go
index 70b0f167..b306057d 100644
--- a/engine/rules/rules.go
+++ b/engine/rules/rules.go
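Review bot: `ScoreParameters.RuleType` is a bare `uint8`, and the rule table hunk in rules.go that follows fills it with literal `1` and `4` with no constant or comment saying what those values mean, so a reader cannot tell which values are valid or what a typo would do. Declare the values accepted by `score.GetBaseRiskScore` as named constants (their meaning lives in engine/score, which is not in this chunk), or at minimum document the field: `// RuleType selects the weighting score.GetBaseRiskScore applies; see engine/score for the accepted values.`. The exported type itself also needs a doc comment, e.g. `// ScoreParameters holds the per-rule inputs to the base risk score.`.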
@@ -7,6 +7,49 @@ import (
 "github.com/zricethezav/gitleaks/v8/cmd/generate/config/rules"
 )
 
+type RuleCategory string
+
+const (
+ CategoryAuthenticationAndAuthorization RuleCategory = "Authentication and Authorization"
+ CategoryCryptocurrencyExchange RuleCategory = "Cryptocurrency Exchange"
+ CategoryFinancialServices RuleCategory = "Financial Services"
+ CategoryPaymentProcessing RuleCategory = "Payment Processing"
+ CategorySecurity RuleCategory = "Security"
+ CategoryAPIAccess RuleCategory = "API Access"
+ CategoryCICD RuleCategory = "CI/CD"
+ CategoryCloudPlatform RuleCategory = "Cloud Platform"
+ CategoryDatabaseAsAService RuleCategory = "Database as a Service"
+ CategoryDevelopmentPlatform RuleCategory = "Development Platform"
+ CategoryEmailDeliveryService RuleCategory = "Email Delivery Service"
+ CategoryInfrastructureAsCode RuleCategory = "Infrastructure as Code (IaC)"
+ CategoryPackageManagement RuleCategory = "Package Management"
+ CategorySourceCodeManagement RuleCategory = "Source Code Management"
+ CategoryWebHostingAndDeployment RuleCategory = "Web Hosting and Deployment"
+ CategoryBackgroundProcessingService RuleCategory = "Background Processing Service"
+ CategoryCDN RuleCategory = "CDN (Content Delivery Network)"
+ CategoryContentManagementSystem RuleCategory = "Content Management System (CMS)"
+ CategoryCustomerSupport RuleCategory = "Customer Support"
+ CategoryDataAnalytics RuleCategory = "Data Analytics"
+ CategoryFileStorageAndSharing RuleCategory = "File Storage and Sharing"
+ CategoryIoTPlatform RuleCategory = "IoT platform"
+ CategoryMappingAndLocationServices RuleCategory = "Mapping and Location Services"
+ CategoryNetworking RuleCategory = "Networking"
+ CategoryPhotoSharing RuleCategory = "Photo Sharing"
+ CategorySaaS RuleCategory = "SaaS"
+ CategoryShipping RuleCategory = "Shipping"
+ CategorySoftwareDevelopment RuleCategory = "Software Development"
+ CategoryAIAndMachineLearning RuleCategory = "AI and Machine Learning"
+ CategoryApplicationMonitoring RuleCategory = "Application Monitoring"
+ CategoryECommercePlatform RuleCategory = "E-commerce Platform"
+ CategoryMarketingAutomation RuleCategory = "Marketing Automation"
+ CategoryNewsAndMedia RuleCategory = "News and Media"
+ CategoryOnlineSurveyPlatform RuleCategory = "Online Survey Platform"
+ CategoryProjectManagement RuleCategory = "Project Management"
+ CategorySearchService RuleCategory = "Search Service"
+ CategorySocialMedia RuleCategory = "Social Media"
+ CategoryGeneralOrUnknown RuleCategory = "general or unknown"
+)
+
 const TagApiKey = "api-key"
 const TagClientId = "client-id"
 const TagClientSecret = "client-secret"
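Review bot: Two of the new category strings break the Title Case used by the other 36: `CategoryIoTPlatform RuleCategory = "IoT platform"` and `CategoryGeneralOrUnknown RuleCategory = "general or unknown"`. If these strings serve as lookup keys (the category is passed to `score.GetBaseRiskScore` in the engine Init hunk; score.go is not in this chunk) or appear in reports, the inconsistency is user-visible and a mismatch is easy to introduce, so normalize them to `"IoT Platform"` and `"General or Unknown"` here and wherever engine/score consumes them. The exported type also lacks a doc comment; `// RuleCategory classifies the service a detection rule targets; together with ScoreParameters.RuleType it is an input to score.GetBaseRiskScore.` covers what the constants need.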
@@ -29,173 +72,173 @@ const TagWebhook = "webhook" func getDefaultRules() *[]Rule { allRules := &[]Rule{ - {Rule: *rules.AdafruitAPIKey(), Tags: []string{TagApiKey}}, - {Rule: *rules.AdobeClientID(), Tags: []string{TagClientId}}, - {Rule: *rules.AdobeClientSecret(), Tags: []string{TagClientSecret}}, - {Rule: *rules.AgeSecretKey(), Tags: []string{TagSecretKey}}, - {Rule: *rules.Airtable(), Tags: []string{TagApiKey}}, - {Rule: *rules.AlgoliaApiKey(), Tags: []string{TagApiKey}}, - {Rule: *rules.AlibabaAccessKey(), Tags: []string{TagAccessKey, TagAccessId}}, - {Rule: *rules.AlibabaSecretKey(), Tags: []string{TagSecretKey}}, - {Rule: *rules.AsanaClientID(), Tags: []string{TagClientId}}, - {Rule: *rules.AsanaClientSecret(), Tags: []string{TagClientSecret}}, - {Rule: *rules.Atlassian(), Tags: []string{TagApiToken}}, - {Rule: *rules.Authress(), Tags: []string{TagAccessToken}}, - {Rule: *rules.AWS(), Tags: []string{TagAccessToken}}, - {Rule: *rules.BitBucketClientID(), Tags: []string{TagClientId}}, - {Rule: *rules.BitBucketClientSecret(), Tags: []string{TagClientSecret}}, - {Rule: *rules.BittrexAccessKey(), Tags: []string{TagAccessKey}}, - {Rule: *rules.BittrexSecretKey(), Tags: []string{TagSecretKey}}, - {Rule: *rules.Beamer(), Tags: []string{TagApiToken}}, - {Rule: *rules.CodecovAccessToken(), Tags: []string{TagAccessToken}}, - {Rule: *rules.CoinbaseAccessToken(), Tags: []string{TagAccessToken}}, - {Rule: *rules.Clojars(), Tags: []string{TagApiToken}}, - {Rule: *rules.ConfluentAccessToken(), Tags: []string{TagAccessToken}}, - {Rule: *rules.ConfluentSecretKey(), Tags: []string{TagSecretKey}}, - {Rule: *rules.Contentful(), Tags: []string{TagApiToken}}, - {Rule: *rules.Databricks(), Tags: []string{TagApiToken}}, - {Rule: *rules.DatadogtokenAccessToken(), Tags: []string{TagAccessToken, TagClientId}}, - {Rule: *rules.DefinedNetworkingAPIToken(), Tags: []string{TagApiToken}}, - {Rule: *rules.DigitalOceanPAT(), Tags: []string{TagAccessToken}}, - {Rule: 
*rules.DigitalOceanOAuthToken(), Tags: []string{TagAccessToken}}, - {Rule: *rules.DigitalOceanRefreshToken(), Tags: []string{TagRefreshToken}}, - {Rule: *rules.DiscordAPIToken(), Tags: []string{TagApiKey, TagApiToken}}, - {Rule: *rules.DiscordClientID(), Tags: []string{TagClientId}}, - {Rule: *rules.DiscordClientSecret(), Tags: []string{TagClientSecret}}, - {Rule: *rules.Doppler(), Tags: []string{TagApiToken}}, - {Rule: *rules.DropBoxAPISecret(), Tags: []string{TagApiToken}}, - {Rule: *rules.DropBoxShortLivedAPIToken(), Tags: []string{TagApiToken}}, - {Rule: *rules.DropBoxLongLivedAPIToken(), Tags: []string{TagApiToken}}, - {Rule: *rules.DroneciAccessToken(), Tags: []string{TagAccessToken}}, - {Rule: *rules.Duffel(), Tags: []string{TagApiToken}}, - {Rule: *rules.Dynatrace(), Tags: []string{TagApiToken}}, - {Rule: *rules.EasyPost(), Tags: []string{TagApiToken}}, - {Rule: *rules.EasyPostTestAPI(), Tags: []string{TagApiToken}}, - {Rule: *rules.EtsyAccessToken(), Tags: []string{TagAccessToken}}, - {Rule: *rules.Facebook(), Tags: []string{TagApiToken}}, - {Rule: *rules.FastlyAPIToken(), Tags: []string{TagApiToken, TagApiKey}}, - {Rule: *rules.FinicityClientSecret(), Tags: []string{TagClientSecret}}, - {Rule: *rules.FinicityAPIToken(), Tags: []string{TagApiToken}}, - {Rule: *rules.FlickrAccessToken(), Tags: []string{TagAccessToken}}, - {Rule: *rules.FinnhubAccessToken(), Tags: []string{TagAccessToken}}, - {Rule: *rules.FlutterwavePublicKey(), Tags: []string{TagPublicKey}}, - {Rule: *rules.FlutterwaveSecretKey(), Tags: []string{TagSecretKey}}, - {Rule: *rules.FlutterwaveEncKey(), Tags: []string{TagEncryptionKey}}, - {Rule: *rules.FrameIO(), Tags: []string{TagApiToken}}, - {Rule: *rules.FreshbooksAccessToken(), Tags: []string{TagAccessToken}}, - {Rule: *rules.GCPAPIKey(), Tags: []string{TagApiKey}}, - {Rule: *rules.GenericCredential(), Tags: []string{TagApiKey}}, - {Rule: *rules.GitHubPat(), Tags: []string{TagAccessToken}}, - {Rule: *rules.GitHubFineGrainedPat(), Tags: 
[]string{TagAccessToken}}, - {Rule: *rules.GitHubOauth(), Tags: []string{TagAccessToken}}, - {Rule: *rules.GitHubApp(), Tags: []string{TagAccessToken}}, - {Rule: *rules.GitHubRefresh(), Tags: []string{TagRefreshToken}}, - {Rule: *rules.GitlabPat(), Tags: []string{TagAccessToken}}, - {Rule: *rules.GitlabPipelineTriggerToken(), Tags: []string{TagTriggerToken}}, - {Rule: *rules.GitlabRunnerRegistrationToken(), Tags: []string{TagRegistrationToken}}, - {Rule: *rules.GitterAccessToken(), Tags: []string{TagAccessToken}}, - {Rule: *rules.GoCardless(), Tags: []string{TagApiToken}}, - {Rule: *rules.GrafanaApiKey(), Tags: []string{TagApiKey}}, - {Rule: *rules.GrafanaCloudApiToken(), Tags: []string{TagApiToken}}, - {Rule: *rules.GrafanaServiceAccountToken(), Tags: []string{TagAccessToken}}, - {Rule: *rules.Hashicorp(), Tags: []string{TagApiToken}}, - {Rule: *rules.HashicorpField(), Tags: []string{TagPassword}}, - {Rule: *rules.Heroku(), Tags: []string{TagApiKey}}, - {Rule: *rules.HubSpot(), Tags: []string{TagApiToken, TagApiKey}}, - {Rule: *rules.HuggingFaceAccessToken(), Tags: []string{TagAccessToken}}, - {Rule: *rules.HuggingFaceOrganizationApiToken(), Tags: []string{TagApiToken}}, - {Rule: *rules.InfracostAPIToken(), Tags: []string{TagApiToken}}, - {Rule: *rules.Intercom(), Tags: []string{TagApiToken, TagApiKey}}, - {Rule: *rules.JFrogAPIKey(), Tags: []string{TagApiKey}}, - {Rule: *rules.JFrogIdentityToken(), Tags: []string{TagAccessToken}}, - {Rule: *rules.JWT(), Tags: []string{TagAccessToken}}, - {Rule: *rules.JWTBase64(), Tags: []string{TagAccessToken}}, - {Rule: *rules.KrakenAccessToken(), Tags: []string{TagAccessToken}}, - {Rule: *rules.KucoinAccessToken(), Tags: []string{TagAccessToken}}, - {Rule: *rules.KucoinSecretKey(), Tags: []string{TagSecretKey}}, - {Rule: *rules.LaunchDarklyAccessToken(), Tags: []string{TagAccessToken}}, - {Rule: *rules.LinearAPIToken(), Tags: []string{TagApiToken, TagApiKey}}, - {Rule: *rules.LinearClientSecret(), Tags: 
[]string{TagClientSecret}}, - {Rule: *rules.LinkedinClientID(), Tags: []string{TagClientId}}, - {Rule: *rules.LinkedinClientSecret(), Tags: []string{TagClientSecret}}, - {Rule: *rules.LobAPIToken(), Tags: []string{TagApiKey}}, - {Rule: *rules.LobPubAPIToken(), Tags: []string{TagApiKey}}, - {Rule: *rules.MailChimp(), Tags: []string{TagApiKey}}, - {Rule: *rules.MailGunPubAPIToken(), Tags: []string{TagPublicKey}}, - {Rule: *rules.MailGunPrivateAPIToken(), Tags: []string{TagPrivateKey}}, - {Rule: *rules.MailGunSigningKey(), Tags: []string{TagApiKey}}, - {Rule: *rules.MapBox(), Tags: []string{TagApiToken}}, - {Rule: *rules.MattermostAccessToken(), Tags: []string{TagAccessToken}}, - {Rule: *rules.MessageBirdAPIToken(), Tags: []string{TagApiToken}}, - {Rule: *rules.MessageBirdClientID(), Tags: []string{TagClientId}}, - {Rule: *rules.NetlifyAccessToken(), Tags: []string{TagAccessToken}}, - {Rule: *rules.NewRelicUserID(), Tags: []string{TagApiKey}}, - {Rule: *rules.NewRelicUserKey(), Tags: []string{TagAccessId}}, - {Rule: *rules.NewRelicBrowserAPIKey(), Tags: []string{TagApiToken}}, - {Rule: *rules.NPM(), Tags: []string{TagAccessToken}}, - {Rule: *rules.NytimesAccessToken(), Tags: []string{TagAccessToken}}, - {Rule: *rules.OktaAccessToken(), Tags: []string{TagAccessToken}}, - {Rule: *rules.OpenAI(), Tags: []string{TagApiKey}}, - {Rule: *PlaidAccessID(), Tags: []string{TagClientId}}, - // {Rule: *rules.PlaidSecretKey(), Tags: []string{TagSecretKey}}, https://github.com/Checkmarx/2ms/issues/226 - // {Rule: *rules.PlaidAccessToken(), Tags: []string{TagApiToken}}, https://github.com/Checkmarx/2ms/issues/226 - {Rule: *rules.PlanetScalePassword(), Tags: []string{TagPassword}}, - {Rule: *rules.PlanetScaleAPIToken(), Tags: []string{TagApiToken}}, - {Rule: *rules.PlanetScaleOAuthToken(), Tags: []string{TagAccessToken}}, - {Rule: *rules.PostManAPI(), Tags: []string{TagApiToken}}, - {Rule: *rules.Prefect(), Tags: []string{TagApiToken}}, - {Rule: *rules.PrivateKey(), Tags: 
[]string{TagPrivateKey}}, - {Rule: *rules.PulumiAPIToken(), Tags: []string{TagApiToken}}, - {Rule: *rules.PyPiUploadToken(), Tags: []string{TagUploadToken}}, - {Rule: *rules.RapidAPIAccessToken(), Tags: []string{TagAccessToken}}, - {Rule: *rules.ReadMe(), Tags: []string{TagApiToken}}, - {Rule: *rules.RubyGemsAPIToken(), Tags: []string{TagApiToken}}, - // {Rule: *rules.ScalingoAPIToken(), Tags: []string{TagApiToken}}, https://github.com/Checkmarx/2ms/issues/226 - {Rule: *rules.SendbirdAccessID(), Tags: []string{TagAccessId}}, - {Rule: *rules.SendbirdAccessToken(), Tags: []string{TagAccessToken}}, - {Rule: *rules.SendGridAPIToken(), Tags: []string{TagApiToken}}, - {Rule: *rules.SendInBlueAPIToken(), Tags: []string{TagApiToken}}, - {Rule: *rules.SentryAccessToken(), Tags: []string{TagAccessToken}}, - {Rule: *rules.ShippoAPIToken(), Tags: []string{TagApiToken}}, - {Rule: *rules.ShopifyAccessToken(), Tags: []string{TagAccessToken}}, - {Rule: *rules.ShopifyCustomAccessToken(), Tags: []string{TagAccessToken}}, - {Rule: *rules.ShopifyPrivateAppAccessToken(), Tags: []string{TagAccessToken}}, - {Rule: *rules.ShopifySharedSecret(), Tags: []string{TagPublicSecret}}, - {Rule: *rules.SidekiqSecret(), Tags: []string{TagSecretKey}}, - {Rule: *rules.SidekiqSensitiveUrl(), Tags: []string{TagSensitiveUrl}}, - {Rule: *rules.SlackBotToken(), Tags: []string{TagAccessToken}}, - {Rule: *rules.SlackAppLevelToken(), Tags: []string{TagAccessToken}}, - {Rule: *rules.SlackLegacyToken(), Tags: []string{TagAccessToken}}, - {Rule: *rules.SlackUserToken(), Tags: []string{TagAccessToken}}, - {Rule: *rules.SlackConfigurationToken(), Tags: []string{TagAccessToken}}, - {Rule: *rules.SlackConfigurationRefreshToken(), Tags: []string{TagRefreshToken}}, - {Rule: *rules.SlackLegacyBotToken(), Tags: []string{TagAccessToken}}, - {Rule: *rules.SlackLegacyWorkspaceToken(), Tags: []string{TagAccessToken}}, - {Rule: *rules.SlackWebHookUrl(), Tags: []string{TagWebhook}}, - {Rule: *rules.StripeAccessToken(), Tags: 
[]string{TagAccessToken}}, - {Rule: *rules.SquareAccessToken(), Tags: []string{TagAccessToken}}, - {Rule: *rules.SquareSpaceAccessToken(), Tags: []string{TagAccessToken}}, - // {Rule: *rules.SumoLogicAccessID(), Tags: []string{TagAccessId}}, https://github.com/Checkmarx/2ms/issues/226 - {Rule: *rules.SumoLogicAccessToken(), Tags: []string{TagAccessToken}}, - {Rule: *rules.Snyk(), Tags: []string{TagApiKey}}, - {Rule: *rules.TeamsWebhook(), Tags: []string{TagWebhook}}, - {Rule: *rules.TelegramBotToken(), Tags: []string{TagApiToken}}, - {Rule: *rules.TravisCIAccessToken(), Tags: []string{TagAccessToken}}, - {Rule: *rules.Twilio(), Tags: []string{TagApiKey}}, - {Rule: *rules.TwitchAPIToken(), Tags: []string{TagApiToken}}, - {Rule: *rules.TwitterAPIKey(), Tags: []string{TagApiKey}}, - {Rule: *rules.TwitterAPISecret(), Tags: []string{TagApiKey}}, - {Rule: *rules.TwitterAccessToken(), Tags: []string{TagAccessToken}}, - {Rule: *rules.TwitterAccessSecret(), Tags: []string{TagPublicSecret}}, - {Rule: *rules.TwitterBearerToken(), Tags: []string{TagApiToken}}, - {Rule: *rules.Typeform(), Tags: []string{TagApiToken}}, - {Rule: *rules.VaultBatchToken(), Tags: []string{TagApiToken}}, - {Rule: *VaultServiceToken(), Tags: []string{TagApiToken}}, - {Rule: *rules.YandexAPIKey(), Tags: []string{TagApiKey}}, - {Rule: *rules.YandexAWSAccessToken(), Tags: []string{TagAccessToken}}, - {Rule: *rules.YandexAccessToken(), Tags: []string{TagAccessToken}}, - {Rule: *rules.ZendeskSecretKey(), Tags: []string{TagSecretKey}}, - {Rule: *AuthenticatedURL(), Tags: []string{TagSensitiveUrl}}, + {Rule: *rules.AdafruitAPIKey(), Tags: []string{TagApiKey}, ScoreParameters: ScoreParameters{Category: CategoryIoTPlatform, RuleType: 4}}, + {Rule: *rules.AdobeClientID(), Tags: []string{TagClientId}, ScoreParameters: ScoreParameters{Category: CategorySaaS, RuleType: 1}}, + {Rule: *rules.AdobeClientSecret(), Tags: []string{TagClientSecret}, ScoreParameters: ScoreParameters{Category: CategorySaaS, RuleType: 4}}, 
+ {Rule: *rules.AgeSecretKey(), Tags: []string{TagSecretKey}, ScoreParameters: ScoreParameters{Category: CategoryGeneralOrUnknown, RuleType: 4}}, + {Rule: *rules.Airtable(), Tags: []string{TagApiKey}, ScoreParameters: ScoreParameters{Category: CategoryDatabaseAsAService, RuleType: 4}}, + {Rule: *rules.AlgoliaApiKey(), Tags: []string{TagApiKey}, ScoreParameters: ScoreParameters{Category: CategorySearchService, RuleType: 4}}, + {Rule: *rules.AlibabaAccessKey(), Tags: []string{TagAccessKey, TagAccessId}, ScoreParameters: ScoreParameters{Category: CategoryCloudPlatform, RuleType: 1}}, + {Rule: *rules.AlibabaSecretKey(), Tags: []string{TagSecretKey}, ScoreParameters: ScoreParameters{Category: CategoryCloudPlatform, RuleType: 4}}, + {Rule: *rules.AsanaClientID(), Tags: []string{TagClientId}, ScoreParameters: ScoreParameters{Category: CategoryProjectManagement, RuleType: 1}}, + {Rule: *rules.AsanaClientSecret(), Tags: []string{TagClientSecret}, ScoreParameters: ScoreParameters{Category: CategoryProjectManagement, RuleType: 4}}, + {Rule: *rules.Atlassian(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: CategorySoftwareDevelopment, RuleType: 4}}, + {Rule: *rules.Authress(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategoryAuthenticationAndAuthorization, RuleType: 4}}, + {Rule: *rules.AWS(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategoryAuthenticationAndAuthorization, RuleType: 4}}, + {Rule: *rules.BitBucketClientID(), Tags: []string{TagClientId}, ScoreParameters: ScoreParameters{Category: CategorySourceCodeManagement, RuleType: 1}}, + {Rule: *rules.BitBucketClientSecret(), Tags: []string{TagClientSecret}, ScoreParameters: ScoreParameters{Category: CategorySourceCodeManagement, RuleType: 4}}, + {Rule: *rules.BittrexAccessKey(), Tags: []string{TagAccessKey}, ScoreParameters: ScoreParameters{Category: CategoryCryptocurrencyExchange, RuleType: 4}}, + {Rule: 
*rules.BittrexSecretKey(), Tags: []string{TagSecretKey}, ScoreParameters: ScoreParameters{Category: CategoryCryptocurrencyExchange, RuleType: 4}}, + {Rule: *rules.Beamer(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: CategoryNewsAndMedia, RuleType: 4}}, + {Rule: *rules.CodecovAccessToken(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategorySecurity, RuleType: 4}}, + {Rule: *rules.CoinbaseAccessToken(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategoryCryptocurrencyExchange, RuleType: 4}}, + {Rule: *rules.Clojars(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: CategoryPackageManagement, RuleType: 4}}, + {Rule: *rules.ConfluentAccessToken(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategorySocialMedia, RuleType: 4}}, + {Rule: *rules.ConfluentSecretKey(), Tags: []string{TagSecretKey}, ScoreParameters: ScoreParameters{Category: CategorySocialMedia, RuleType: 4}}, + {Rule: *rules.Contentful(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: CategoryContentManagementSystem, RuleType: 4}}, + {Rule: *rules.Databricks(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: CategoryDataAnalytics, RuleType: 4}}, + {Rule: *rules.DatadogtokenAccessToken(), Tags: []string{TagAccessToken, TagClientId}, ScoreParameters: ScoreParameters{Category: CategoryApplicationMonitoring, RuleType: 4}}, + {Rule: *rules.DefinedNetworkingAPIToken(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: CategoryNetworking, RuleType: 4}}, + {Rule: *rules.DigitalOceanPAT(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategoryCloudPlatform, RuleType: 4}}, + {Rule: *rules.DigitalOceanOAuthToken(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategoryCloudPlatform, RuleType: 4}}, + {Rule: *rules.DigitalOceanRefreshToken(), Tags: 
[]string{TagRefreshToken}, ScoreParameters: ScoreParameters{Category: CategoryAPIAccess, RuleType: 4}}, + {Rule: *rules.DiscordAPIToken(), Tags: []string{TagApiKey, TagApiToken}, ScoreParameters: ScoreParameters{Category: CategorySocialMedia, RuleType: 4}}, + {Rule: *rules.DiscordClientID(), Tags: []string{TagClientId}, ScoreParameters: ScoreParameters{Category: CategorySocialMedia, RuleType: 1}}, + {Rule: *rules.DiscordClientSecret(), Tags: []string{TagClientSecret}, ScoreParameters: ScoreParameters{Category: CategorySocialMedia, RuleType: 4}}, + {Rule: *rules.Doppler(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: CategoryCICD, RuleType: 4}}, + {Rule: *rules.DropBoxAPISecret(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: CategoryFileStorageAndSharing, RuleType: 4}}, + {Rule: *rules.DropBoxShortLivedAPIToken(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: CategoryFileStorageAndSharing, RuleType: 4}}, + {Rule: *rules.DropBoxLongLivedAPIToken(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: CategoryFileStorageAndSharing, RuleType: 4}}, + {Rule: *rules.DroneciAccessToken(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategoryCICD, RuleType: 4}}, + {Rule: *rules.Duffel(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: CategoryAPIAccess, RuleType: 4}}, + {Rule: *rules.Dynatrace(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: CategoryApplicationMonitoring, RuleType: 4}}, + {Rule: *rules.EasyPost(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: CategoryShipping, RuleType: 4}}, + {Rule: *rules.EasyPostTestAPI(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: CategoryShipping, RuleType: 4}}, + {Rule: *rules.EtsyAccessToken(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategoryECommercePlatform, RuleType: 
4}}, + {Rule: *rules.Facebook(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: CategorySocialMedia, RuleType: 4}}, + {Rule: *rules.FastlyAPIToken(), Tags: []string{TagApiToken, TagApiKey}, ScoreParameters: ScoreParameters{Category: CategoryCDN, RuleType: 4}}, + {Rule: *rules.FinicityClientSecret(), Tags: []string{TagClientSecret}, ScoreParameters: ScoreParameters{Category: CategoryFinancialServices, RuleType: 4}}, + {Rule: *rules.FinicityAPIToken(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: CategoryFinancialServices, RuleType: 4}}, + {Rule: *rules.FlickrAccessToken(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategoryPhotoSharing, RuleType: 4}}, + {Rule: *rules.FinnhubAccessToken(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategoryFinancialServices, RuleType: 4}}, + {Rule: *rules.FlutterwavePublicKey(), Tags: []string{TagPublicKey}, ScoreParameters: ScoreParameters{Category: CategoryPaymentProcessing, RuleType: 4}}, + {Rule: *rules.FlutterwaveSecretKey(), Tags: []string{TagSecretKey}, ScoreParameters: ScoreParameters{Category: CategoryPaymentProcessing, RuleType: 4}}, + {Rule: *rules.FlutterwaveEncKey(), Tags: []string{TagEncryptionKey}, ScoreParameters: ScoreParameters{Category: CategoryPaymentProcessing, RuleType: 4}}, + {Rule: *rules.FrameIO(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: CategoryNewsAndMedia, RuleType: 4}}, + {Rule: *rules.FreshbooksAccessToken(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategoryFinancialServices, RuleType: 4}}, + {Rule: *rules.GCPAPIKey(), Tags: []string{TagApiKey}, ScoreParameters: ScoreParameters{Category: CategoryCloudPlatform, RuleType: 4}}, + {Rule: *rules.GenericCredential(), Tags: []string{TagApiKey}, ScoreParameters: ScoreParameters{Category: CategoryGeneralOrUnknown, RuleType: 4}}, + {Rule: *rules.GitHubPat(), Tags: 
[]string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategoryDevelopmentPlatform, RuleType: 4}}, + {Rule: *rules.GitHubFineGrainedPat(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategoryAPIAccess, RuleType: 4}}, + {Rule: *rules.GitHubOauth(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategoryAuthenticationAndAuthorization, RuleType: 4}}, + {Rule: *rules.GitHubApp(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategoryCICD, RuleType: 4}}, + {Rule: *rules.GitHubRefresh(), Tags: []string{TagRefreshToken}, ScoreParameters: ScoreParameters{Category: CategoryAuthenticationAndAuthorization, RuleType: 4}}, + {Rule: *rules.GitlabPat(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategorySourceCodeManagement, RuleType: 4}}, + {Rule: *rules.GitlabPipelineTriggerToken(), Tags: []string{TagTriggerToken}, ScoreParameters: ScoreParameters{Category: CategoryCICD, RuleType: 4}}, + {Rule: *rules.GitlabRunnerRegistrationToken(), Tags: []string{TagRegistrationToken}, ScoreParameters: ScoreParameters{Category: CategoryCICD, RuleType: 4}}, + {Rule: *rules.GitterAccessToken(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategorySocialMedia, RuleType: 4}}, + {Rule: *rules.GoCardless(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: CategoryPaymentProcessing, RuleType: 4}}, + {Rule: *rules.GrafanaApiKey(), Tags: []string{TagApiKey}, ScoreParameters: ScoreParameters{Category: CategoryApplicationMonitoring, RuleType: 4}}, + {Rule: *rules.GrafanaCloudApiToken(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: CategoryApplicationMonitoring, RuleType: 4}}, + {Rule: *rules.GrafanaServiceAccountToken(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategoryApplicationMonitoring, RuleType: 4}}, + {Rule: *rules.Hashicorp(), Tags: 
[]string{TagApiToken}, ScoreParameters: ScoreParameters{Category: CategoryInfrastructureAsCode, RuleType: 4}}, + {Rule: *rules.HashicorpField(), Tags: []string{TagPassword}, ScoreParameters: ScoreParameters{Category: CategoryInfrastructureAsCode, RuleType: 4}}, + {Rule: *rules.Heroku(), Tags: []string{TagApiKey}, ScoreParameters: ScoreParameters{Category: CategorySaaS, RuleType: 4}}, + {Rule: *rules.HubSpot(), Tags: []string{TagApiToken, TagApiKey}, ScoreParameters: ScoreParameters{Category: CategoryMarketingAutomation, RuleType: 4}}, + {Rule: *rules.HuggingFaceAccessToken(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategoryAIAndMachineLearning, RuleType: 4}}, + {Rule: *rules.HuggingFaceOrganizationApiToken(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: CategoryAIAndMachineLearning, RuleType: 4}}, + {Rule: *rules.InfracostAPIToken(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: CategoryFinancialServices, RuleType: 4}}, + {Rule: *rules.Intercom(), Tags: []string{TagApiToken, TagApiKey}, ScoreParameters: ScoreParameters{Category: CategoryCustomerSupport, RuleType: 4}}, + {Rule: *rules.JFrogAPIKey(), Tags: []string{TagApiKey}, ScoreParameters: ScoreParameters{Category: CategoryCICD, RuleType: 4}}, + {Rule: *rules.JFrogIdentityToken(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategoryCICD, RuleType: 4}}, + {Rule: *rules.JWT(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategoryGeneralOrUnknown, RuleType: 4}}, + {Rule: *rules.JWTBase64(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategoryGeneralOrUnknown, RuleType: 4}}, + {Rule: *rules.KrakenAccessToken(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategoryAuthenticationAndAuthorization, RuleType: 4}}, + {Rule: *rules.KucoinAccessToken(), Tags: []string{TagAccessToken}, ScoreParameters: 
ScoreParameters{Category: CategoryCryptocurrencyExchange, RuleType: 4}}, + {Rule: *rules.KucoinSecretKey(), Tags: []string{TagSecretKey}, ScoreParameters: ScoreParameters{Category: CategoryCryptocurrencyExchange, RuleType: 4}}, + {Rule: *rules.LaunchDarklyAccessToken(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategorySourceCodeManagement, RuleType: 4}}, + {Rule: *rules.LinearAPIToken(), Tags: []string{TagApiToken, TagApiKey}, ScoreParameters: ScoreParameters{Category: CategoryAPIAccess, RuleType: 4}}, + {Rule: *rules.LinearClientSecret(), Tags: []string{TagClientSecret}, ScoreParameters: ScoreParameters{Category: CategoryAuthenticationAndAuthorization, RuleType: 4}}, + {Rule: *rules.LinkedinClientID(), Tags: []string{TagClientId}, ScoreParameters: ScoreParameters{Category: CategorySocialMedia, RuleType: 1}}, + {Rule: *rules.LinkedinClientSecret(), Tags: []string{TagClientSecret}, ScoreParameters: ScoreParameters{Category: CategorySocialMedia, RuleType: 4}}, + {Rule: *rules.LobAPIToken(), Tags: []string{TagApiKey}, ScoreParameters: ScoreParameters{Category: CategoryAPIAccess, RuleType: 4}}, + {Rule: *rules.LobPubAPIToken(), Tags: []string{TagApiKey}, ScoreParameters: ScoreParameters{Category: CategoryAPIAccess, RuleType: 4}}, + {Rule: *rules.MailChimp(), Tags: []string{TagApiKey}, ScoreParameters: ScoreParameters{Category: CategoryEmailDeliveryService, RuleType: 4}}, + {Rule: *rules.MailGunPubAPIToken(), Tags: []string{TagPublicKey}, ScoreParameters: ScoreParameters{Category: CategoryEmailDeliveryService, RuleType: 4}}, + {Rule: *rules.MailGunPrivateAPIToken(), Tags: []string{TagPrivateKey}, ScoreParameters: ScoreParameters{Category: CategoryEmailDeliveryService, RuleType: 4}}, + {Rule: *rules.MailGunSigningKey(), Tags: []string{TagApiKey}, ScoreParameters: ScoreParameters{Category: CategoryEmailDeliveryService, RuleType: 4}}, + {Rule: *rules.MapBox(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: 
CategoryMappingAndLocationServices, RuleType: 4}}, + {Rule: *rules.MattermostAccessToken(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategorySocialMedia, RuleType: 4}}, + {Rule: *rules.MessageBirdAPIToken(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: CategorySocialMedia, RuleType: 4}}, + {Rule: *rules.MessageBirdClientID(), Tags: []string{TagClientId}, ScoreParameters: ScoreParameters{Category: CategorySocialMedia, RuleType: 1}}, + {Rule: *rules.NetlifyAccessToken(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategoryWebHostingAndDeployment, RuleType: 4}}, + {Rule: *rules.NewRelicUserID(), Tags: []string{TagApiKey}, ScoreParameters: ScoreParameters{Category: CategoryApplicationMonitoring, RuleType: 1}}, + {Rule: *rules.NewRelicUserKey(), Tags: []string{TagAccessId}, ScoreParameters: ScoreParameters{Category: CategoryApplicationMonitoring, RuleType: 4}}, + {Rule: *rules.NewRelicBrowserAPIKey(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: CategoryApplicationMonitoring, RuleType: 4}}, + {Rule: *rules.NPM(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategoryPackageManagement, RuleType: 4}}, + {Rule: *rules.NytimesAccessToken(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategoryNewsAndMedia, RuleType: 4}}, + {Rule: *rules.OktaAccessToken(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategoryAuthenticationAndAuthorization, RuleType: 4}}, + {Rule: *rules.OpenAI(), Tags: []string{TagApiKey}, ScoreParameters: ScoreParameters{Category: CategoryAIAndMachineLearning, RuleType: 4}}, + {Rule: *PlaidAccessID(), Tags: []string{TagClientId}, ScoreParameters: ScoreParameters{Category: CategoryFinancialServices, RuleType: 1}}, + // {Rule: *rules.PlaidSecretKey(), Tags: []string{TagSecretKey}, ScoreParameters: ScoreParameters{Category: CategoryFinancialServices, 
RuleType: 4}}, https://github.com/Checkmarx/2ms/issues/226 + // {Rule: *rules.PlaidAccessToken(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: CategoryFinancialServices, RuleType: 4}}, https://github.com/Checkmarx/2ms/issues/226 + {Rule: *rules.PlanetScalePassword(), Tags: []string{TagPassword}, ScoreParameters: ScoreParameters{Category: CategoryDatabaseAsAService, RuleType: 4}}, + {Rule: *rules.PlanetScaleAPIToken(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: CategoryDatabaseAsAService, RuleType: 4}}, + {Rule: *rules.PlanetScaleOAuthToken(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategoryDatabaseAsAService, RuleType: 4}}, + {Rule: *rules.PostManAPI(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: CategoryAPIAccess, RuleType: 4}}, + {Rule: *rules.Prefect(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: CategoryAPIAccess, RuleType: 4}}, + {Rule: *rules.PrivateKey(), Tags: []string{TagPrivateKey}, ScoreParameters: ScoreParameters{Category: CategoryGeneralOrUnknown, RuleType: 4}}, + {Rule: *rules.PulumiAPIToken(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: CategoryCloudPlatform, RuleType: 4}}, + {Rule: *rules.PyPiUploadToken(), Tags: []string{TagUploadToken}, ScoreParameters: ScoreParameters{Category: CategoryPackageManagement, RuleType: 4}}, + {Rule: *rules.RapidAPIAccessToken(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategoryAPIAccess, RuleType: 4}}, + {Rule: *rules.ReadMe(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: CategoryAPIAccess, RuleType: 4}}, + {Rule: *rules.RubyGemsAPIToken(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: CategoryPackageManagement, RuleType: 4}}, + // {Rule: *rules.ScalingoAPIToken(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: 
CategoryWebHostingAndDeployment, RuleType: 4}}, https://github.com/Checkmarx/2ms/issues/226 + {Rule: *rules.SendbirdAccessID(), Tags: []string{TagAccessId}, ScoreParameters: ScoreParameters{Category: CategorySocialMedia, RuleType: 1}}, + {Rule: *rules.SendbirdAccessToken(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategorySocialMedia, RuleType: 4}}, + {Rule: *rules.SendGridAPIToken(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: CategoryEmailDeliveryService, RuleType: 4}}, + {Rule: *rules.SendInBlueAPIToken(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: CategoryEmailDeliveryService, RuleType: 4}}, + {Rule: *rules.SentryAccessToken(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategoryApplicationMonitoring, RuleType: 4}}, + {Rule: *rules.ShippoAPIToken(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: CategoryShipping, RuleType: 4}}, + {Rule: *rules.ShopifyAccessToken(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategoryECommercePlatform, RuleType: 4}}, + {Rule: *rules.ShopifyCustomAccessToken(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategoryECommercePlatform, RuleType: 4}}, + {Rule: *rules.ShopifyPrivateAppAccessToken(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategoryECommercePlatform, RuleType: 4}}, + {Rule: *rules.ShopifySharedSecret(), Tags: []string{TagPublicSecret}, ScoreParameters: ScoreParameters{Category: CategoryECommercePlatform, RuleType: 4}}, + {Rule: *rules.SidekiqSecret(), Tags: []string{TagSecretKey}, ScoreParameters: ScoreParameters{Category: CategoryBackgroundProcessingService, RuleType: 4}}, + {Rule: *rules.SidekiqSensitiveUrl(), Tags: []string{TagSensitiveUrl}, ScoreParameters: ScoreParameters{Category: CategoryBackgroundProcessingService, RuleType: 4}}, + {Rule: *rules.SlackBotToken(), Tags: 
[]string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategorySocialMedia, RuleType: 4}}, + {Rule: *rules.SlackAppLevelToken(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategorySocialMedia, RuleType: 4}}, + {Rule: *rules.SlackLegacyToken(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategorySocialMedia, RuleType: 4}}, + {Rule: *rules.SlackUserToken(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategorySocialMedia, RuleType: 4}}, + {Rule: *rules.SlackConfigurationToken(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategorySocialMedia, RuleType: 4}}, + {Rule: *rules.SlackConfigurationRefreshToken(), Tags: []string{TagRefreshToken}, ScoreParameters: ScoreParameters{Category: CategorySocialMedia, RuleType: 4}}, + {Rule: *rules.SlackLegacyBotToken(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategorySocialMedia, RuleType: 4}}, + {Rule: *rules.SlackLegacyWorkspaceToken(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategorySocialMedia, RuleType: 4}}, + {Rule: *rules.SlackWebHookUrl(), Tags: []string{TagWebhook}, ScoreParameters: ScoreParameters{Category: CategorySocialMedia, RuleType: 4}}, + {Rule: *rules.StripeAccessToken(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategoryPaymentProcessing, RuleType: 4}}, + {Rule: *rules.SquareAccessToken(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategoryPaymentProcessing, RuleType: 4}}, + {Rule: *rules.SquareSpaceAccessToken(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategoryWebHostingAndDeployment, RuleType: 4}}, + // {Rule: *rules.SumoLogicAccessID(), Tags: []string{TagAccessId}, ScoreParameters: ScoreParameters{Category: CategoryApplicationMonitoring, RuleType: 4}}, https://github.com/Checkmarx/2ms/issues/226 + {Rule: 
*rules.SumoLogicAccessToken(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategoryApplicationMonitoring, RuleType: 4}}, + {Rule: *rules.Snyk(), Tags: []string{TagApiKey}, ScoreParameters: ScoreParameters{Category: CategorySecurity, RuleType: 4}}, + {Rule: *rules.TeamsWebhook(), Tags: []string{TagWebhook}, ScoreParameters: ScoreParameters{Category: CategorySocialMedia, RuleType: 4}}, + {Rule: *rules.TelegramBotToken(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: CategorySocialMedia, RuleType: 4}}, + {Rule: *rules.TravisCIAccessToken(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategoryCICD, RuleType: 4}}, + {Rule: *rules.Twilio(), Tags: []string{TagApiKey}, ScoreParameters: ScoreParameters{Category: CategorySocialMedia, RuleType: 4}}, + {Rule: *rules.TwitchAPIToken(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: CategoryNewsAndMedia, RuleType: 4}}, + {Rule: *rules.TwitterAPIKey(), Tags: []string{TagApiKey}, ScoreParameters: ScoreParameters{Category: CategorySocialMedia, RuleType: 4}}, + {Rule: *rules.TwitterAPISecret(), Tags: []string{TagApiKey}, ScoreParameters: ScoreParameters{Category: CategorySocialMedia, RuleType: 4}}, + {Rule: *rules.TwitterAccessToken(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategorySocialMedia, RuleType: 4}}, + {Rule: *rules.TwitterAccessSecret(), Tags: []string{TagPublicSecret}, ScoreParameters: ScoreParameters{Category: CategorySocialMedia, RuleType: 4}}, + {Rule: *rules.TwitterBearerToken(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: CategorySocialMedia, RuleType: 4}}, + {Rule: *rules.Typeform(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: CategoryOnlineSurveyPlatform, RuleType: 4}}, + {Rule: *rules.VaultBatchToken(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: CategorySecurity, RuleType: 4}}, + 
{Rule: *VaultServiceToken(), Tags: []string{TagApiToken}, ScoreParameters: ScoreParameters{Category: CategoryAuthenticationAndAuthorization, RuleType: 4}}, + {Rule: *rules.YandexAPIKey(), Tags: []string{TagApiKey}, ScoreParameters: ScoreParameters{Category: CategoryCloudPlatform, RuleType: 4}}, + {Rule: *rules.YandexAWSAccessToken(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategoryCloudPlatform, RuleType: 4}}, + {Rule: *rules.YandexAccessToken(), Tags: []string{TagAccessToken}, ScoreParameters: ScoreParameters{Category: CategoryCloudPlatform, RuleType: 4}}, + {Rule: *rules.ZendeskSecretKey(), Tags: []string{TagSecretKey}, ScoreParameters: ScoreParameters{Category: CategoryCustomerSupport, RuleType: 4}}, + {Rule: *AuthenticatedURL(), Tags: []string{TagSensitiveUrl}, ScoreParameters: ScoreParameters{Category: CategoryGeneralOrUnknown, RuleType: 4}}, } return allRules @@ -203,7 +246,7 @@ func getDefaultRules() *[]Rule { func getSpecialRules() *[]Rule { specialRules := []Rule{ - {Rule: *HardcodedPassword(), Tags: []string{TagPassword}}, + {Rule: *HardcodedPassword(), Tags: []string{TagPassword}, ScoreParameters: ScoreParameters{Category: CategoryGeneralOrUnknown, RuleType: 4}}, } return &specialRules diff --git a/engine/score/score.go b/engine/score/score.go new file mode 100644 index 00000000..812a0ef1 --- /dev/null +++ b/engine/score/score.go 
@@ -0,0 +1,76 @@
+package score
+
+import (
+ "github.com/checkmarx/2ms/engine/rules"
+ "github.com/checkmarx/2ms/lib/secrets"
+ "math"
+)
+
+func getCategoryScore(category rules.RuleCategory) uint8 {
+ CategoryScore := map[rules.RuleCategory]uint8{
+ rules.CategoryAuthenticationAndAuthorization: 4,
+ rules.CategoryCryptocurrencyExchange: 4,
+ rules.CategoryFinancialServices: 4,
+ rules.CategoryPaymentProcessing: 4,
+ rules.CategorySecurity: 4,
+ rules.CategoryAPIAccess: 3,
+ rules.CategoryCICD: 3,
+ rules.CategoryCloudPlatform: 3,
+ rules.CategoryDatabaseAsAService: 3,
+ rules.CategoryDevelopmentPlatform: 3,
+ rules.CategoryEmailDeliveryService: 3,
+ rules.CategoryGeneralOrUnknown: 3,
+ rules.CategoryInfrastructureAsCode: 3,
+ rules.CategoryPackageManagement: 3,
+ rules.CategorySourceCodeManagement: 3,
+ rules.CategoryWebHostingAndDeployment: 3,
+ rules.CategoryBackgroundProcessingService: 2,
+ rules.CategoryCDN: 2,
+ rules.CategoryContentManagementSystem: 2,
+ rules.CategoryCustomerSupport: 2,
+ rules.CategoryDataAnalytics: 2,
+ rules.CategoryFileStorageAndSharing: 2,
+ rules.CategoryIoTPlatform: 2,
+ rules.CategoryMappingAndLocationServices: 2,
+ rules.CategoryNetworking: 2,
+ rules.CategoryPhotoSharing: 2,
+ rules.CategorySaaS: 2,
+ rules.CategoryShipping: 2,
+ rules.CategorySoftwareDevelopment: 2,
+ rules.CategoryAIAndMachineLearning: 1,
+ rules.CategoryApplicationMonitoring: 1,
+ rules.CategoryECommercePlatform: 1,
+ rules.CategoryMarketingAutomation: 1,
+ rules.CategoryNewsAndMedia: 1,
+ rules.CategoryOnlineSurveyPlatform: 1,
+ rules.CategoryProjectManagement: 1,
+ rules.CategorySearchService: 1,
+ rules.CategorySocialMedia: 1,
+ }
+ return CategoryScore[category]
+}
+
+func getValidityScore(baseRiskScore float64, validationStatus secrets.ValidationResult) float64 {
+ switch validationStatus {
+ case secrets.ValidResult:
+ return math.Min(1, 4-baseRiskScore)
+ case secrets.InvalidResult:
+ return math.Max(-1, 1-baseRiskScore)
+ }
+ return 0.0
+}
+
+func GetBaseRiskScore(category rules.RuleCategory, ruleType uint8) float64 {
+ categoryScore := getCategoryScore(category)
+ return float64(categoryScore)*0.6 + float64(ruleType)*0.4
+}
+
+func GetCvssScore(baseRiskScore float64, validationStatus secrets.ValidationResult) float64 {
+ validityScore := getValidityScore(baseRiskScore, validationStatus)
+ cvssScore := (baseRiskScore+validityScore-1)*3 + 1
+ return math.Round(cvssScore*10) / 10
+}
+
+func RegisterForScore(secret *secrets.Secret) {
+
+}
diff --git a/engine/score/score_test.go b/engine/score/score_test.go
new file mode 100644
index 00000000..164d4528
--- /dev/null
+++ b/engine/score/score_test.go
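Review bot: getCategoryScore silently returns 0 for any rules.RuleCategory missing from its table, and that fall-through gives a lower base than the explicit CategoryGeneralOrUnknown entry (3); with RuleType 1 the resulting base of 0.4 makes GetCvssScore return -0.8 for an unvalidated secret, so an unmapped category under-ranks a finding instead of surfacing the gap. Use the comma-ok form with an explicit default, `if s, ok := categoryScores[category]; ok { return s }` followed by `return categoryScores[rules.CategoryGeneralOrUnknown]`, and move the literal to a package-level `var categoryScores = map[rules.RuleCategory]uint8{...}` so it is not rebuilt on every call. GetBaseRiskScore and GetCvssScore are exported without doc comments; a comment stating the input ranges (category score 1–4, RuleType 1 or 4, hence base 1.0–4.0) and that the result is rounded to one decimal and lands in 1–10 for every mapped category would make the expected values in score_test.go explainable. RegisterForScore is an exported no-op and should be implemented or dropped before merge. The import block also lists "math" after the module imports, which goimports would place first in its own stdlib group.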
@@ -0,0 +1,234 @@ +package score_test + +import ( + . "github.com/checkmarx/2ms/engine" + "github.com/checkmarx/2ms/engine/rules" + "github.com/checkmarx/2ms/engine/score" + "github.com/checkmarx/2ms/lib/secrets" + "github.com/stretchr/testify/assert" + ruleConfig "github.com/zricethezav/gitleaks/v8/cmd/generate/config/rules" + "sync" + "testing" +) + +func TestScore(t *testing.T) { + specialRule := rules.HardcodedPassword() + allRules := *rules.FilterRules([]string{}, []string{}, []string{specialRule.RuleID}) + + engineConfig := EngineConfig{SpecialList: []string{specialRule.RuleID}} + engine, err := Init(engineConfig) + assert.NoError(t, err) + + expectedCvssScores := map[string][3]float64{ // ruleID -> Valid, Invalid, Unknown + ruleConfig.AdafruitAPIKey().RuleID: {9.4, 3.4, 6.4}, + ruleConfig.AdobeClientID().RuleID: {5.8, 1, 2.8}, + ruleConfig.AdobeClientSecret().RuleID: {9.4, 3.4, 6.4}, + ruleConfig.AgeSecretKey().RuleID: {10, 5.2, 8.2}, + ruleConfig.Airtable().RuleID: {10, 5.2, 8.2}, + ruleConfig.AlgoliaApiKey().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.AlibabaAccessKey().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.AlibabaSecretKey().RuleID: {10, 5.2, 8.2}, + ruleConfig.AsanaClientID().RuleID: {4, 1, 1}, + ruleConfig.AsanaClientSecret().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.Atlassian().RuleID: {9.4, 3.4, 6.4}, + ruleConfig.Authress().RuleID: {10, 7, 10}, + ruleConfig.AWS().RuleID: {10, 7, 10}, + ruleConfig.BitBucketClientID().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.BitBucketClientSecret().RuleID: {10, 5.2, 8.2}, + ruleConfig.BittrexAccessKey().RuleID: {10, 7, 10}, + ruleConfig.BittrexSecretKey().RuleID: {10, 7, 10}, + ruleConfig.Beamer().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.CodecovAccessToken().RuleID: {10, 7, 10}, + ruleConfig.CoinbaseAccessToken().RuleID: {10, 7, 10}, + ruleConfig.Clojars().RuleID: {10, 5.2, 8.2}, + ruleConfig.ConfluentAccessToken().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.ConfluentSecretKey().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.Contentful().RuleID: 
{9.4, 3.4, 6.4}, + ruleConfig.Databricks().RuleID: {9.4, 3.4, 6.4}, + ruleConfig.DatadogtokenAccessToken().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.DefinedNetworkingAPIToken().RuleID: {9.4, 3.4, 6.4}, + ruleConfig.DigitalOceanPAT().RuleID: {10, 5.2, 8.2}, + ruleConfig.DigitalOceanOAuthToken().RuleID: {10, 5.2, 8.2}, + ruleConfig.DigitalOceanRefreshToken().RuleID: {10, 5.2, 8.2}, + ruleConfig.DiscordAPIToken().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.DiscordClientID().RuleID: {4, 1, 1}, + ruleConfig.DiscordClientSecret().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.Doppler().RuleID: {10, 5.2, 8.2}, + ruleConfig.DropBoxAPISecret().RuleID: {9.4, 3.4, 6.4}, + ruleConfig.DropBoxShortLivedAPIToken().RuleID: {9.4, 3.4, 6.4}, + ruleConfig.DropBoxLongLivedAPIToken().RuleID: {9.4, 3.4, 6.4}, + ruleConfig.DroneciAccessToken().RuleID: {10, 5.2, 8.2}, + ruleConfig.Duffel().RuleID: {10, 5.2, 8.2}, + ruleConfig.Dynatrace().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.EasyPost().RuleID: {9.4, 3.4, 6.4}, + ruleConfig.EasyPostTestAPI().RuleID: {9.4, 3.4, 6.4}, + ruleConfig.EtsyAccessToken().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.Facebook().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.FastlyAPIToken().RuleID: {9.4, 3.4, 6.4}, + ruleConfig.FinicityClientSecret().RuleID: {10, 7, 10}, + ruleConfig.FinicityAPIToken().RuleID: {10, 7, 10}, + ruleConfig.FlickrAccessToken().RuleID: {9.4, 3.4, 6.4}, + ruleConfig.FinnhubAccessToken().RuleID: {10, 7, 10}, + ruleConfig.FlutterwavePublicKey().RuleID: {10, 7, 10}, + ruleConfig.FlutterwaveSecretKey().RuleID: {10, 7, 10}, + ruleConfig.FlutterwaveEncKey().RuleID: {10, 7, 10}, + ruleConfig.FrameIO().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.FreshbooksAccessToken().RuleID: {10, 7, 10}, + ruleConfig.GCPAPIKey().RuleID: {10, 5.2, 8.2}, + ruleConfig.GenericCredential().RuleID: {10, 5.2, 8.2}, + ruleConfig.GitHubPat().RuleID: {10, 5.2, 8.2}, + ruleConfig.GitHubFineGrainedPat().RuleID: {10, 5.2, 8.2}, + ruleConfig.GitHubOauth().RuleID: {10, 7, 10}, + ruleConfig.GitHubApp().RuleID: {10, 
5.2, 8.2}, + ruleConfig.GitHubRefresh().RuleID: {10, 7, 10}, + ruleConfig.GitlabPat().RuleID: {10, 5.2, 8.2}, + ruleConfig.GitlabPipelineTriggerToken().RuleID: {10, 5.2, 8.2}, + ruleConfig.GitlabRunnerRegistrationToken().RuleID: {10, 5.2, 8.2}, + ruleConfig.GitterAccessToken().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.GoCardless().RuleID: {10, 7, 10}, + ruleConfig.GrafanaApiKey().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.GrafanaCloudApiToken().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.GrafanaServiceAccountToken().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.Hashicorp().RuleID: {10, 5.2, 8.2}, + ruleConfig.HashicorpField().RuleID: {10, 5.2, 8.2}, + ruleConfig.Heroku().RuleID: {9.4, 3.4, 6.4}, + ruleConfig.HubSpot().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.HuggingFaceAccessToken().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.HuggingFaceOrganizationApiToken().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.InfracostAPIToken().RuleID: {10, 7, 10}, + ruleConfig.Intercom().RuleID: {9.4, 3.4, 6.4}, + ruleConfig.JFrogAPIKey().RuleID: {10, 5.2, 8.2}, + ruleConfig.JFrogIdentityToken().RuleID: {10, 5.2, 8.2}, + ruleConfig.JWT().RuleID: {10, 5.2, 8.2}, + ruleConfig.JWTBase64().RuleID: {10, 5.2, 8.2}, + ruleConfig.KrakenAccessToken().RuleID: {10, 7, 10}, + ruleConfig.KucoinAccessToken().RuleID: {10, 7, 10}, + ruleConfig.KucoinSecretKey().RuleID: {10, 7, 10}, + ruleConfig.LaunchDarklyAccessToken().RuleID: {10, 5.2, 8.2}, + ruleConfig.LinearAPIToken().RuleID: {10, 5.2, 8.2}, + ruleConfig.LinearClientSecret().RuleID: {10, 7, 10}, + ruleConfig.LinkedinClientID().RuleID: {4, 1, 1}, + ruleConfig.LinkedinClientSecret().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.LobAPIToken().RuleID: {10, 5.2, 8.2}, + ruleConfig.LobPubAPIToken().RuleID: {10, 5.2, 8.2}, + ruleConfig.MailChimp().RuleID: {10, 5.2, 8.2}, + ruleConfig.MailGunPubAPIToken().RuleID: {10, 5.2, 8.2}, + ruleConfig.MailGunPrivateAPIToken().RuleID: {10, 5.2, 8.2}, + ruleConfig.MailGunSigningKey().RuleID: {10, 5.2, 8.2}, + ruleConfig.MapBox().RuleID: {9.4, 3.4, 6.4}, + 
ruleConfig.MattermostAccessToken().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.MessageBirdAPIToken().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.MessageBirdClientID().RuleID: {4, 1, 1}, + ruleConfig.NetlifyAccessToken().RuleID: {10, 5.2, 8.2}, + ruleConfig.NewRelicUserID().RuleID: {4, 1, 1}, + ruleConfig.NewRelicUserKey().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.NewRelicBrowserAPIKey().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.NPM().RuleID: {10, 5.2, 8.2}, + ruleConfig.NytimesAccessToken().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.OktaAccessToken().RuleID: {10, 7, 10}, + ruleConfig.OpenAI().RuleID: {7.6, 1.6, 4.6}, + rules.PlaidAccessID().RuleID: {9.4, 3.4, 6.4}, + ruleConfig.PlaidSecretKey().RuleID: {10, 7, 10}, + ruleConfig.PlaidAccessToken().RuleID: {10, 7, 10}, + ruleConfig.PlanetScalePassword().RuleID: {10, 5.2, 8.2}, + ruleConfig.PlanetScaleAPIToken().RuleID: {10, 5.2, 8.2}, + ruleConfig.PlanetScaleOAuthToken().RuleID: {10, 5.2, 8.2}, + ruleConfig.PostManAPI().RuleID: {10, 5.2, 8.2}, + ruleConfig.Prefect().RuleID: {10, 5.2, 8.2}, + ruleConfig.PrivateKey().RuleID: {10, 5.2, 8.2}, + ruleConfig.PulumiAPIToken().RuleID: {10, 5.2, 8.2}, + ruleConfig.PyPiUploadToken().RuleID: {10, 5.2, 8.2}, + ruleConfig.RapidAPIAccessToken().RuleID: {10, 5.2, 8.2}, + ruleConfig.ReadMe().RuleID: {10, 5.2, 8.2}, + ruleConfig.RubyGemsAPIToken().RuleID: {10, 5.2, 8.2}, + ruleConfig.ScalingoAPIToken().RuleID: {10, 5.2, 8.2}, + ruleConfig.SendbirdAccessID().RuleID: {4, 1, 1}, + ruleConfig.SendbirdAccessToken().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.SendGridAPIToken().RuleID: {10, 5.2, 8.2}, + ruleConfig.SendInBlueAPIToken().RuleID: {10, 5.2, 8.2}, + ruleConfig.SentryAccessToken().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.ShippoAPIToken().RuleID: {9.4, 3.4, 6.4}, + ruleConfig.ShopifyAccessToken().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.ShopifyCustomAccessToken().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.ShopifyPrivateAppAccessToken().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.ShopifySharedSecret().RuleID: {7.6, 1.6, 4.6}, + 
ruleConfig.SidekiqSecret().RuleID: {9.4, 3.4, 6.4}, + ruleConfig.SidekiqSensitiveUrl().RuleID: {9.4, 3.4, 6.4}, + ruleConfig.SlackBotToken().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.SlackAppLevelToken().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.SlackLegacyToken().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.SlackUserToken().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.SlackConfigurationToken().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.SlackConfigurationRefreshToken().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.SlackLegacyBotToken().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.SlackLegacyWorkspaceToken().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.SlackWebHookUrl().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.StripeAccessToken().RuleID: {10, 7, 10}, + ruleConfig.SquareAccessToken().RuleID: {10, 7, 10}, + ruleConfig.SquareSpaceAccessToken().RuleID: {10, 5.2, 8.2}, + ruleConfig.SumoLogicAccessID().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.SumoLogicAccessToken().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.Snyk().RuleID: {10, 7, 10}, + ruleConfig.TeamsWebhook().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.TelegramBotToken().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.TravisCIAccessToken().RuleID: {10, 5.2, 8.2}, + ruleConfig.Twilio().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.TwitchAPIToken().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.TwitterAPIKey().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.TwitterAPISecret().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.TwitterAccessToken().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.TwitterAccessSecret().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.TwitterBearerToken().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.Typeform().RuleID: {7.6, 1.6, 4.6}, + ruleConfig.VaultBatchToken().RuleID: {10, 7, 10}, + rules.VaultServiceToken().RuleID: {10, 7, 10}, + ruleConfig.YandexAPIKey().RuleID: {10, 5.2, 8.2}, + ruleConfig.YandexAWSAccessToken().RuleID: {10, 5.2, 8.2}, + ruleConfig.YandexAccessToken().RuleID: {10, 5.2, 8.2}, + ruleConfig.ZendeskSecretKey().RuleID: {9.4, 3.4, 6.4}, + rules.AuthenticatedURL().RuleID: {10, 5.2, 8.2}, + specialRule.RuleID: {10, 
5.2, 8.2}, + } + for _, rule := range allRules { + expectedRuleScores := expectedCvssScores[rule.Rule.RuleID] + baseRiskScore := score.GetBaseRiskScore(rule.ScoreParameters.Category, rule.ScoreParameters.RuleType) + ruleBaseRiskScore := engine.GetRuleBaseRiskScore(rule.Rule.RuleID) + assert.Equal(t, ruleBaseRiskScore, baseRiskScore, "rule: %s", rule.Rule.RuleID) + assert.Equal(t, expectedRuleScores[0], score.GetCvssScore(baseRiskScore, secrets.ValidResult), "rule: %s", rule.Rule.RuleID) + assert.Equal(t, expectedRuleScores[1], score.GetCvssScore(baseRiskScore, secrets.InvalidResult), "rule: %s", rule.Rule.RuleID) + assert.Equal(t, expectedRuleScores[2], score.GetCvssScore(baseRiskScore, secrets.UnknownResult), "rule: %s", rule.Rule.RuleID) + } + + var allSecrets []*secrets.Secret + for _, rule := range allRules { + var secretValid, secretInvalid, secretUnknown secrets.Secret + secretValid.RuleID = rule.Rule.RuleID + secretValid.ValidationStatus = secrets.ValidResult + secretInvalid.RuleID = rule.Rule.RuleID + secretInvalid.ValidationStatus = secrets.InvalidResult + secretUnknown.RuleID = rule.Rule.RuleID + secretUnknown.ValidationStatus = secrets.UnknownResult + allSecrets = append(allSecrets, &secretValid, &secretInvalid, &secretUnknown) + } + for _, secret := range allSecrets { + var wg sync.WaitGroup + wg.Add(2) + expectedRuleScores := expectedCvssScores[secret.RuleID] + validityIndex := getValidityIndex(secret.ValidationStatus) + unknownIndex := getValidityIndex(secrets.UnknownResult) + engine.Score(secret, true, &wg) + assert.Equal(t, expectedRuleScores[validityIndex], secret.CvssScore, "rule: %s", secret.RuleID) + engine.Score(secret, false, &wg) + assert.Equal(t, expectedRuleScores[unknownIndex], secret.CvssScore, "rule: %s", secret.RuleID) + } +} + +func getValidityIndex(validity secrets.ValidationResult) int { + switch validity { + case secrets.ValidResult: + return 0 + case secrets.InvalidResult: + return 1 + } + return 2 +} 
diff --git a/lib/reporting/report_test.go b/lib/reporting/report_test.go index 946059cb..0eef1dc1 100644 --- a/lib/reporting/report_test.go +++ b/lib/reporting/report_test.go @@ -29,6 +29,7 @@ var ( EndColumn: 150, Value: "value", ValidationStatus: secrets.ValidResult, + CvssScore: 10.0, RuleDescription: "Rule Description", } // this result has a different rule than result1 @@ -43,6 +44,7 @@ var ( EndColumn: 160, Value: "value 2", ValidationStatus: secrets.InvalidResult, + CvssScore: 4.5, RuleDescription: "Rule Description2", } // this result has the same rule as result1 @@ -57,6 +59,7 @@ var ( EndColumn: 130, Value: "value 3", ValidationStatus: secrets.UnknownResult, + CvssScore: 0.0, RuleDescription: "Rule Description", } ) @@ -105,6 +108,7 @@ var ( }, Properties: Properties{ "validationStatus": string(result1.ValidationStatus), + "cvssScore": result1.CvssScore, }, } result2Sarif = Results{ @@ -135,6 +139,7 @@ var ( }, Properties: Properties{ "validationStatus": string(result2.ValidationStatus), + "cvssScore": result2.CvssScore, }, } result3Sarif = Results{ @@ -165,6 +170,7 @@ var ( }, Properties: Properties{ "validationStatus": string(result3.ValidationStatus), + "cvssScore": result3.CvssScore, }, } ) diff --git a/lib/reporting/sarif.go b/lib/reporting/sarif.go index 090931aa..27cc7146 100644 --- a/lib/reporting/sarif.go +++ b/lib/reporting/sarif.go @@ -91,6 +91,7 @@ func getResults(report Report) []Results { Locations: getLocation(secret), Properties: Properties{ "validationStatus": secret.ValidationStatus, + "cvssScore": secret.CvssScore, }, } results = append(results, r) diff --git a/lib/secrets/secret.go b/lib/secrets/secret.go index 2485d12c..5d505518 100644 --- a/lib/secrets/secret.go +++ b/lib/secrets/secret.go 
@@ -45,4 +45,5 @@ type Secret struct { ValidationStatus ValidationResult `json:"validationStatus,omitempty"` RuleDescription string `json:"ruleDescription,omitempty"` ExtraDetails map[string]interface{} `json:"extraDetails,omitempty"` + CvssScore float64 `json:"cvssScore,omitempty"` } From b313e801c54f0c0c388249e9fe4aa2765f9c2ed8 Mon Sep 17 00:00:00 2001 From: LeonardoLordelloFontes Date: Thu, 21 Nov 2024 14:06:47 +0000 Subject: [PATCH 2/5] Revert log level to info --- cmd/main.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cmd/main.go b/cmd/main.go index 191713a3..582fe2a7 100644 --- a/cmd/main.go +++ b/cmd/main.go @@ -85,7 +85,7 @@ func Execute() (int, error) { cobra.OnInitialize(initialize) rootCmd.PersistentFlags().StringVar(&configFilePath, configFileFlag, "", "config file path") cobra.CheckErr(rootCmd.MarkPersistentFlagFilename(configFileFlag, "yaml", "yml", "json")) - rootCmd.PersistentFlags().StringVar(&logLevelVar, logLevelFlagName, "trace", "log level (trace, debug, info, warn, error, fatal)") + rootCmd.PersistentFlags().StringVar(&logLevelVar, logLevelFlagName, "info", "log level (trace, debug, info, warn, error, fatal)") rootCmd.PersistentFlags().StringSliceVar(&reportPathVar, reportPathFlagName, []string{}, "path to generate report files. The output format will be determined by the file extension (.json, .yaml, .sarif)") rootCmd.PersistentFlags().StringVar(&stdoutFormatVar, stdoutFormatFlagName, "yaml", "stdout output format, available formats are: json, yaml, sarif") rootCmd.PersistentFlags().StringArrayVar(&customRegexRuleVar, customRegexRuleFlagName, []string{}, "custom regexes to apply to the scan, must be valid Go regex") From 661f412c66995ac73025351ecba77a02d354d534 Mon Sep 17 00:00:00 2001 From: LeonardoLordelloFontes Date: Thu, 21 Nov 2024 14:08:15 +0000 Subject: [PATCH 3/5] Remove missplaced test function --- engine/engine_test.go | 4 ---- 1 file changed, 4 deletions(-) 
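Review bot: `omitempty` on the new `CvssScore` field drops it from the JSON output whenever the computed score is exactly 0, so a report consumer cannot tell "scored 0" from "not scored"; the reporting tests in this patch already build a secret with `CvssScore: 0.0`, and the worker wiring suggests every secret is scored whether or not `--validate` is set. Suggest `CvssScore float64 `json:"cvssScore"`` without `omitempty`; if an explicit "unscored" state is wanted, use a pointer or a separate field rather than overloading the zero value. The `Secret` struct begins outside the hunk.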
diff --git a/engine/engine_test.go b/engine/engine_test.go index 38299431..20b65be9 100644 --- a/engine/engine_test.go +++ b/engine/engine_test.go @@ -169,10 +169,6 @@ func TestSecrets(t *testing.T) { } } -func TestScore(t *testing.T) { - -} - type item struct { content *string id string From d7e06875e8a00fa436f14784cb9e23edf67fdfd2 Mon Sep 17 00:00:00 2001 From: LeonardoLordelloFontes Date: Thu, 21 Nov 2024 16:05:18 +0000 Subject: [PATCH 4/5] Fix channel issues --- cmd/main.go | 6 +++--- cmd/workers.go | 24 ++++++++++++------------ engine/engine.go | 3 ++- 3 files changed, 17 insertions(+), 16 deletions(-) diff --git a/cmd/main.go b/cmd/main.go index 582fe2a7..921ef496 100644 --- a/cmd/main.go +++ b/cmd/main.go @@ -76,7 +76,7 @@ var report = reporting.Init() var secretsChan = make(chan *secrets.Secret) var secretsExtrasChan = make(chan *secrets.Secret) var validationChan = make(chan *secrets.Secret) -var cvssScoreChan = make(chan *secrets.Secret) +var cvssScoreWithoutValidationChan = make(chan *secrets.Secret) func Execute() (int, error) { vConfig.SetEnvPrefix(envPrefix) @@ -150,11 +150,11 @@ func preRun(pluginName string, cmd *cobra.Command, args []string) error { if validateVar { channels.WaitGroup.Add(1) - go processValidation(engine) + go processValidationAndScoreWithValidation(engine) } channels.WaitGroup.Add(1) - go processScore(engine) + go processScoreWithoutValidation(engine) return nil } diff --git a/cmd/workers.go b/cmd/workers.go index 5cd5ce2e..ced1e4c0 100644 --- a/cmd/workers.go +++ b/cmd/workers.go @@ -1,6 +1,7 @@ package cmd import ( + "github.com/checkmarx/2ms/lib/secrets" "sync" "github.com/checkmarx/2ms/engine" 
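Review bot: The added `"github.com/checkmarx/2ms/lib/secrets"` import is placed above the standard-library `"sync"` import, which breaks the stdlib-first grouping that goimports produces and that the existing `"github.com/checkmarx/2ms/engine"` import already follows in its own group. Move it into the project group so the block reads `"sync"`, a blank line, then `"github.com/checkmarx/2ms/engine"` and `"github.com/checkmarx/2ms/lib/secrets"`. The import block may continue past the end of the hunk.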
@@ -29,13 +30,13 @@ func processSecrets() { if validateVar { validationChan <- secret } else { - cvssScoreChan <- secret + cvssScoreWithoutValidationChan <- secret } report.Results[secret.ID] = append(report.Results[secret.ID], secret) } close(secretsExtrasChan) close(validationChan) - close(cvssScoreChan) + close(cvssScoreWithoutValidationChan) } func processSecretsExtras() { @@ -49,30 +50,29 @@ func processSecretsExtras() { wgExtras.Wait() } -func processValidation(engine *engine.Engine) { +func processValidationAndScoreWithValidation(engine *engine.Engine) { defer channels.WaitGroup.Done() wgValidation := &sync.WaitGroup{} for secret := range validationChan { - wgValidation.Add(1) - go func() { - wgValidation.Done() - engine.RegisterForValidation(secret) - cvssScoreChan <- secret - }() + wgValidation.Add(2) + go func(secret *secrets.Secret, wg *sync.WaitGroup) { + engine.RegisterForValidation(secret, wg) + engine.Score(secret, true, wg) + }(secret, wgValidation) } wgValidation.Wait() engine.Validate() } -func processScore(engine *engine.Engine) { +func processScoreWithoutValidation(engine *engine.Engine) { defer channels.WaitGroup.Done() wgScore := &sync.WaitGroup{} - for secret := range cvssScoreChan { + for secret := range cvssScoreWithoutValidationChan { wgScore.Add(1) - go engine.Score(secret, validateVar, wgScore) + go engine.Score(secret, false, wgScore) } wgScore.Wait() } diff --git a/engine/engine.go b/engine/engine.go index eb91e92c..e11e3c14 100644 --- a/engine/engine.go +++ b/engine/engine.go @@ -131,7 +131,8 @@ func (e *Engine) AddRegexRules(patterns []string) error { return nil } -func (s *Engine) RegisterForValidation(secret *secrets.Secret) { +func (s *Engine) RegisterForValidation(secret *secrets.Secret, wg *sync.WaitGroup) { + defer wg.Done() s.validator.RegisterForValidation(secret) } From f4814ed048fc4e12ca90c2e1b5669e3dd4e05552 Mon Sep 17 00:00:00 2001 
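Review bot: In `processValidationAndScoreWithValidation` each goroutine calls `engine.Score(secret, true, wg)` right after `RegisterForValidation`, which is before `engine.Validate()` runs following `wgValidation.Wait()`, so the score is computed while `secret.ValidationStatus` still holds whatever it had at registration time (presumably empty or unknown, if `Validate` is what fills it in) and the "with validation" score never reflects the real outcome. Scoring must happen after `Validate()` returns: keep the registered secrets and score them in a second pass, which also removes the `Add(2)` and the shared WaitGroup threaded through both calls. The fence shows the reordered function; `processScoreWithoutValidation` is unchanged.
```go
func processValidationAndScoreWithValidation(engine *engine.Engine) {
	defer channels.WaitGroup.Done()

	var registered []*secrets.Secret
	wgValidation := &sync.WaitGroup{}
	for secret := range validationChan {
		wgValidation.Add(1)
		go engine.RegisterForValidation(secret, wgValidation)
		registered = append(registered, secret)
	}
	wgValidation.Wait()
	engine.Validate()

	// Score only once Validate has populated ValidationStatus.
	wgScore := &sync.WaitGroup{}
	for _, secret := range registered {
		wgScore.Add(1)
		go engine.Score(secret, true, wgScore)
	}
	wgScore.Wait()
}

// … unchanged: processScoreWithoutValidation …
```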
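Review bot: `RegisterForValidation` now takes a caller-owned `*sync.WaitGroup` and defers `Done` on it, an unusual contract for an exported engine method that will panic with a nil pointer if a caller passes nil, and the hunk adds no comment stating it. Since the signature is being kept, document it: `// RegisterForValidation queues secret for the next Validate call and signals wg once the registration is recorded; wg must be non-nil and Done is called exactly once.` The rest of the Engine type and Validate are outside the hunk.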
From: LeonardoLordelloFontes Date: Fri, 22 Nov 2024 12:35:13 +0000 Subject: [PATCH 5/5] Removed function not being used --- engine/score/score.go | 4 ---- 1 file changed, 4 deletions(-) diff --git a/engine/score/score.go b/engine/score/score.go index 812a0ef1..8045ff6e 100644 --- a/engine/score/score.go +++ b/engine/score/score.go @@ -70,7 +70,3 @@ func GetCvssScore(baseRiskScore float64, validationStatus secrets.ValidationResu cvssScore := (baseRiskScore+validityScore-1)*3 + 1 return math.Round(cvssScore*10) / 10 } - -func RegisterForScore(secret *secrets.Secret) { - -}