diff --git a/.2ms.yml b/.2ms.yml index 5758981c..7d346dc3 100644 --- a/.2ms.yml +++ b/.2ms.yml 
@@ -63,10 +63,29 @@ ignore-result: - ba04dd95db7fd550ebb0f295d80fce4e281529fb # value used for testing, found at https://github.com/Checkmarx/2ms/pull/288/commits/2cdf66865f2bdf006869b8a84f448bec3525bfa0 - 35a133edb564767157c6bd807f57009a9ee78349 # value used for testing, found at https://github.com/Checkmarx/2ms/pull/288/commits/2cdf66865f2bdf006869b8a84f448bec3525bfa0 - 854547fc6e35c0d1f63c0f4d426aebd4d64679fc # False positive, see https://github.com/gitleaks/gitleaks/pull/1358, found at https://github.com/Checkmarx/2ms/commit/45a5c9d35ff910dfec5e5a76cdedb8977da5dd34#diff-d712d2256df359061d691b711ca7ed30ba408199b1e3801cef289779778d8bad + - ae0f7e65c291d7f0ea998dfa77485bfc632e5d62 # value used for testing, found at https://github.com/Checkmarx/2ms/commit/07aab5bb214c03fd9e75e46cebe2b407c88d4f73/reporting/report_test.go#diff-31d71ec2c2ba169dce79b1c2de097e30b43f1695ce364054ee7d6b33896c7040R10 + - 99f9ffb901cb72a0282ce32cf7dc050e5225cd81 # value used for testing, found at https://github.com/Checkmarx/2ms/commit/07aab5bb214c03fd9e75e46cebe2b407c88d4f73/reporting/report_test.go#diff-31d71ec2c2ba169dce79b1c2de097e30b43f1695ce364054ee7d6b33896c7040R10 + - bdd20706ea03aa38c8c9f3f87200cf6ab9010a53 # value used for testing, found at https://github.com/Checkmarx/2ms/commit/07aab5bb214c03fd9e75e46cebe2b407c88d4f73/reporting/report_test.go#diff-31d71ec2c2ba169dce79b1c2de097e30b43f1695ce364054ee7d6b33896c7040R10 + - 1bd84965941175ee61639964adbff6170bea7703 # value used for testing, found at https://github.com/Checkmarx/2ms/commit/07aab5bb214c03fd9e75e46cebe2b407c88d4f73/reporting/report_test.go#diff-31d71ec2c2ba169dce79b1c2de097e30b43f1695ce364054ee7d6b33896c7040R10 + - f86543794ab8c77a54adc91581dcf72bfef6bf78 # value used for testing, found at https://github.com/Checkmarx/2ms/commit/07aab5bb214c03fd9e75e46cebe2b407c88d4f73/reporting/report_test.go#diff-31d71ec2c2ba169dce79b1c2de097e30b43f1695ce364054ee7d6b33896c7040R10 + - 0f80a32cc85ea5c04b65dbf7d6db6ddb8c2e4d29 # value used 
for testing, found at https://github.com/Checkmarx/2ms/commit/07aab5bb214c03fd9e75e46cebe2b407c88d4f73/reporting/report_test.go#diff-31d71ec2c2ba169dce79b1c2de097e30b43f1695ce364054ee7d6b33896c7040R10 + - 29a593e19a06c138d63468b8a028696ccdfc7eb2 # value used for testing, found at https://github.com/Checkmarx/2ms/commit/07aab5bb214c03fd9e75e46cebe2b407c88d4f73/reporting/report_test.go#diff-31d71ec2c2ba169dce79b1c2de097e30b43f1695ce364054ee7d6b33896c7040R10 + - 8149f62cd847f3c4ba5ffc502bdcb8d66e800c7f # value used for testing, found at https://github.com/Checkmarx/2ms/commit/07aab5bb214c03fd9e75e46cebe2b407c88d4f73/reporting/report_test.go#diff-31d71ec2c2ba169dce79b1c2de097e30b43f1695ce364054ee7d6b33896c7040R10 + - e3b354d102fe73cd4f4016e1ee17e468256d2ae8 # value used for testing, found at https://github.com/Checkmarx/2ms/commit/07aab5bb214c03fd9e75e46cebe2b407c88d4f73/reporting/report_test.go#diff-31d71ec2c2ba169dce79b1c2de097e30b43f1695ce364054ee7d6b33896c7040R10 + - 5c2e640a480ca64c809133e1b157fd97960356bf # value used for testing, found at https://github.com/Checkmarx/2ms/commit/07aab5bb214c03fd9e75e46cebe2b407c88d4f73/reporting/report_test.go#diff-31d71ec2c2ba169dce79b1c2de097e30b43f1695ce364054ee7d6b33896c7040R10 + - 92b1996f9815a2fbd9299a1997ce0bc2c153624f # value used for testing, found at https://github.com/Checkmarx/2ms/commit/07aab5bb214c03fd9e75e46cebe2b407c88d4f73/reporting/report_test.go#diff-31d71ec2c2ba169dce79b1c2de097e30b43f1695ce364054ee7d6b33896c7040R10 + - 7b7c1a0b1c5760490d843e0b9bfe540665d20b28 # value used for testing, found at https://github.com/Checkmarx/2ms/commit/07aab5bb214c03fd9e75e46cebe2b407c88d4f73/reporting/report_test.go#diff-31d71ec2c2ba169dce79b1c2de097e30b43f1695ce364054ee7d6b33896c7040R10 + - c9ae034a5a03a540d50a2686f74fcbb5117f181c # value used for testing, found at 
https://github.com/Checkmarx/2ms/commit/07aab5bb214c03fd9e75e46cebe2b407c88d4f73/reporting/report_test.go#diff-31d71ec2c2ba169dce79b1c2de097e30b43f1695ce364054ee7d6b33896c7040R10 + - b7c3ac03d8a24892a2c4be5810ce73ffdf6ba3ae # value used for testing, found at https://github.com/Checkmarx/2ms/commit/07aab5bb214c03fd9e75e46cebe2b407c88d4f73/reporting/report_test.go#diff-31d71ec2c2ba169dce79b1c2de097e30b43f1695ce364054ee7d6b33896c7040R10 + - f40881f8369f0d90670fc22a719ecd0ba9cb2f02 # value used for testing, found at https://github.com/Checkmarx/2ms/commit/07aab5bb214c03fd9e75e46cebe2b407c88d4f73/reporting/report_test.go#diff-31d71ec2c2ba169dce79b1c2de097e30b43f1695ce364054ee7d6b33896c7040R10 - b7c3ac03d8a24892a2c4be5810ce73ffdf6ba3ae # value used for testing, found at https://github.com/Checkmarx/2ms/commit/07aab5bb214c03fd9e75e46cebe2b407c88d4f73/reporting/report_test.go#diff-31d71ec2c2ba169dce79b1c2de097e30b43f1695ce364054ee7d6b33896c7040R10 - f40881f8369f0d90670fc22a719ecd0ba9cb2f02 # value used for testing, found at https://github.com/Checkmarx/2ms/commit/07aab5bb214c03fd9e75e46cebe2b407c88d4f73/reporting/report_test.go#diff-31d71ec2c2ba169dce79b1c2de097e30b43f1695ce364054ee7d6b33896c7040R10 - 35a5080cb11d663e33e3ced8f39a24920ca44c8a # value used for testing, found at https://github.com/Checkmarx/2ms/commit/07aab5bb214c03fd9e75e46cebe2b407c88d4f73/reporting/report_test.go#diff-31d71ec2c2ba169dce79b1c2de097e30b43f1695ce364054ee7d6b33896c7040R10 - 7b7c1a0b1c5760490d843e0b9bfe540665d20b28 # value used for testing, found at https://github.com/Checkmarx/2ms/commit/07aab5bb214c03fd9e75e46cebe2b407c88d4f73/reporting/report_test.go#diff-31d71ec2c2ba169dce79b1c2de097e30b43f1695ce364054ee7d6b33896c7040R10 - 92b1996f9815a2fbd9299a1997ce0bc2c153624f # value used for testing, found at https://github.com/Checkmarx/2ms/commit/07aab5bb214c03fd9e75e46cebe2b407c88d4f73/reporting/report_test.go#diff-31d71ec2c2ba169dce79b1c2de097e30b43f1695ce364054ee7d6b33896c7040R10 - 
bf2e01278453a987f05b69e6c536358cab343322 # value used for testing, found at https://github.com/Checkmarx/2ms/commit/07aab5bb214c03fd9e75e46cebe2b407c88d4f73/reporting/report_test.go#diff-31d71ec2c2ba169dce79b1c2de097e30b43f1695ce364054ee7d6b33896c7040R10 - - c9ae034a5a03a540d50a2686f74fcbb5117f181c # value used for testing, found at https://github.com/Checkmarx/2ms/commit/07aab5bb214c03fd9e75e46cebe2b407c88d4f73/reporting/report_test.go#diff-31d71ec2c2ba169dce79b1c2de097e30b43f1695ce364054ee7d6b33896c7040R10 \ No newline at end of file + - c9ae034a5a03a540d50a2686f74fcbb5117f181c # value used for testing, found at https://github.com/Checkmarx/2ms/commit/07aab5bb214c03fd9e75e46cebe2b407c88d4f73/reporting/report_test.go#diff-31d71ec2c2ba169dce79b1c2de097e30b43f1695ce364054ee7d6b33896c7040R10 + - f9e5e0b35a39914c67ee1660191a356d3c7ab1db # value used for testing, found at https://github.com/Checkmarx/2ms/commit/07aab5bb214c03fd9e75e46cebe2b407c88d4f73/reporting/report_test.go#diff-31d71ec2c2ba169dce79b1c2de097e30b43f1695ce364054ee7d6b33896c7040R10 + - 777f3d460d69a70e2ce760ca757b18f2aa984392 # value used for testing, found at https://github.com/Checkmarx/2ms/commit/07aab5bb214c03fd9e75e46cebe2b407c88d4f73/reporting/report_test.go#diff-31d71ec2c2ba169dce79b1c2de097e30b43f1695ce364054ee7d6b33896c7040R10 + - e392318c730d4cd0a04340f1e3d41d4c61f6eb20 # value used for testing, found at https://github.com/Checkmarx/2ms/commit/07aab5bb214c03fd9e75e46cebe2b407c88d4f73/reporting/report_test.go#diff-31d71ec2c2ba169dce79b1c2de097e30b43f1695ce364054ee7d6b33896c7040R10 + - 8f0e0442b01c18b02cfb8e59555103f8233fc7bf # value used for testing, found at https://github.com/Checkmarx/2ms/commit/07aab5bb214c03fd9e75e46cebe2b407c88d4f73/reporting/report_test.go#diff-31d71ec2c2ba169dce79b1c2de097e30b43f1695ce364054ee7d6b33896c7040R10 \ No newline at end of file diff --git a/.github/workflows/ast-scan.yml b/.github/workflows/ast-scan.yml deleted file mode 100644 index 805a6348..00000000 
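Review bot: Five of the added `ignore-result` entries are duplicates: `b7c3ac03…`, `f40881f8…`, `7b7c1a0b…` and `92b1996f…` are already present as unchanged lines further down the list, and `c9ae034a…` is added once in the first batch and again where the hunk re-adds the old last line with a trailing newline. Every ID here silences a finding from the project's own secret scan, so the list should stay minimal and auditable; drop the five repeated lines and keep only the single re-added `c9ae034a…`. All of the genuinely new IDs cite the same `report_test.go` line (`…R10`), which is fine if they are fixture values, but a header comment such as `# each entry is a 2ms finding ID for a fixture value and must link to the commit that introduced it` would make the rule explicit for future additions.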
--- a/.github/workflows/ast-scan.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-name: Checkmarx One Scan
-
-on:
- workflow_dispatch:
- pull_request:
- push:
- branches:
- - main
- schedule:
- - cron: '00 7 * * *'
-
-jobs:
- cx-scan:
- runs-on: ubuntu-latest
- steps:
- - name: Checkout
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- - name: Checkmarx One CLI Action
- uses: checkmarx/ast-github-action@dd0f9365942f29a99c3be5bdb308958ede8f906b # v.2.0.25
- with:
- base_uri: ${{ secrets.AST_RND_SCANS_BASE_URI }}
- cx_tenant: ${{ secrets.AST_RND_SCANS_TENANT }}
- cx_client_id: ${{ secrets.AST_RND_SCANS_CLIENT_ID }}
- cx_client_secret: ${{ secrets.AST_RND_SCANS_CLIENT_SECRET }}
- additional_params: --tags scs --threshold "sast-high=1; sast-medium=1; sast-low=1; sca-high=1; sca-medium=1; iac-security-high=1; iac-security-medium=1; iac-security-low=1"
diff --git a/.github/workflows/cx-one-scan.yaml b/.github/workflows/cx-one-scan.yaml
new file mode 100644
index 00000000..926337b8
--- /dev/null
+++ b/.github/workflows/cx-one-scan.yaml
@@ -0,0 +1,26 @@
+name: cx-one-scan
+
+on:
+ workflow_dispatch:
+ pull_request:
+ push:
+ branches:
+ - master
+ schedule:
+ - cron: '00 7 * * *'
+
+jobs:
+ cx-one-scan:
+ name: cx-one-scan
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ - name: Checkmarx One CLI Action
+ uses: checkmarx/ast-github-action@86e9ae570a811f9a1fb85903647a307aa3bf6253 # 2.0.44
+ with:
+ base_uri: ${{ secrets.AST_RND_SCANS_BASE_URI }}
+ cx_tenant: ${{ secrets.AST_RND_SCANS_TENANT }}
+ cx_client_id: ${{ secrets.AST_RND_SCANS_CLIENT_ID }}
+ cx_client_secret: ${{ secrets.AST_RND_SCANS_CLIENT_SECRET }}
+ additional_params: --tags scs --threshold "sast-critical=1; sast-high=1; sast-medium=1; sast-low=1; sca-critical=1; sca-high=1; sca-medium=1; sca-low=1; iac-security-critical=1; iac-security-high=1; iac-security-medium=1;iac-security-low=1"
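Review bot: The new `cx-one-scan.yaml` declares no `permissions:` block, so the job runs with whatever `GITHUB_TOKEN` grant the repository defaults to, which may be read/write; a scan-only job needs nothing more than `permissions:` with `contents: read` at the top level, next to `on:`. The `push` trigger moved from `main` in the deleted `ast-scan.yml` to `master`, so if the repository's default branch is still `main` pushes will no longer start a scan and only the schedule and pull requests will. With the `pull_request` trigger, PRs from forks run without the `AST_RND_SCANS_*` secrets and will fail at the CLI step; that is the safe direction (no secret exposure), but it deserves a comment or a guard such as `if: github.event.pull_request.head.repo.full_name == github.repository` on the job so the failure is not mistaken for a scan result. Pinning both actions to full commit SHAs with version comments is the right call and should be kept.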
diff --git a/engine/engine.go b/engine/engine.go index 1e5ca210..1d2c80d2 100644 --- a/engine/engine.go +++ b/engine/engine.go @@ -93,7 +93,7 @@ func (e *Engine) Detect(item plugins.ISourceItem, secretsChannel chan *secrets.S values := e.detector.Detect(fragment) - for idx, value := range values { + for _, value := range values { itemId := getFindingId(item, value) var startLine, endLine int var err error @@ -111,10 +111,7 @@ func (e *Engine) Detect(item plugins.ISourceItem, secretsChannel chan *secrets.S endLine = value.EndLine } - if idx == len(values)-1 && strings.HasSuffix(value.Line, CxFileEndMarker) { - value.Line = value.Line[:len(value.Line)-len(CxFileEndMarker)] - value.EndColumn-- - } + value.Line = strings.TrimSuffix(value.Line, CxFileEndMarker) lineContent, err := linecontent.GetLineContent(value.Line, value.Secret) if err != nil { diff --git a/pkg/testData/expectedReport.json b/pkg/testData/expectedReport.json index 5f2279c0..d9f646f4 100644 --- a/pkg/testData/expectedReport.json +++ b/pkg/testData/expectedReport.json @@ -41,7 +41,7 @@ "endLine" : 1, "lineContent": "\n Text_Example = eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJtb2NrU3ViMiIsIm5hbWUiOiJtb2NrTmFtZTIifQ.dummysignature2", "startColumn" : 64, - "endColumn" : 166, + "endColumn" : 167, "value" : "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJtb2NrU3ViMiIsIm5hbWUiOiJtb2NrTmFtZTIifQ.dummysignature2", "ruleDescription" : "Uncovered a JSON Web Token, which may lead to unauthorized access to web applications and sensitive user data.", "extraDetails" : { diff --git a/tests/testData/expectedReport/secret_at_end_report.json b/tests/testData/expectedReport/secret_at_end_report.json index a72af6ed..083229a1 100644 --- a/tests/testData/expectedReport/secret_at_end_report.json +++ b/tests/testData/expectedReport/secret_at_end_report.json 
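Review bot: Dropping `value.EndColumn--` changes the reported end column of findings on the marker line, and the two fixture updates in this commit do not agree on one convention: in `secret_at_end_report.json` the client_secret finding moves to 88, which is the closing quote of the match exactly as the untouched client_id finding's 81 is, but in `expectedReport.json` the JWT finding moves to 167 while an inclusive end for the 103-character token that starts at column 64 would be 166. The old decrement looks like it compensated for the detector consuming the first character after the token (the marker or a newline) as its match terminator, which appears to hold for the JWT fixture but not for the generic-api-key one, whose match already ends at the quote; removing it unconditionally fixes the second case and may re-break the first. A test with the secret as the final bytes of the file, once with and once without a trailing newline, would settle which column is intended, and `strings.TrimSuffix` on `value.Line` only hides the marker from the text, not from the column. A short comment on the new line would also help, e.g. `// strip the CxFileEndMarker appended to the scanned fragment before the line is reported` (adjust to how the marker is actually attached; that code is outside this hunk). The enclosing `Detect` method starts and ends outside the hunk.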
@@ -1,36 +1,36 @@
 {
- "totalItemsScanned": 1,
- "totalSecretsFound": 2,
- "results": {
- "6a3e642795e27b989c54ac0c91147fe8e9a405b4": [
- {
- "id": "6a3e642795e27b989c54ac0c91147fe8e9a405b4",
- "source": "testData/input/secret_at_end.txt",
- "ruleId": "generic-api-key",
- "startLine": 2,
- "endLine": 2,
- "lineContent": "\n\t\t`\"client_secret\" : \"6da89121079f83b2eb6acccf8219ea982c3d79bccc3e9c6a85856480661f8fde\",`",
- "startColumn": 6,
- "endColumn": 87,
- "value": "6da89121079f83b2eb6acccf8219ea982c3d79bccc3e9c6a85856480661f8fde",
- "ruleDescription": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations.",
- "cvssScore": 8.2
- }
- ],
- "84bc054139c2363b37538209055a2d9c23026fab": [
- {
- "id": "84bc054139c2363b37538209055a2d9c23026fab",
- "source": "testData/input/secret_at_end.txt",
- "ruleId": "generic-api-key",
- "startLine": 1,
- "endLine": 1,
- "lineContent": "`\"client_id\" : \"0afae57f3ccfd9d7f5767067bc48b30f719e271ba470488056e37ab35d4b6506\"`,\r",
- "startColumn": 3,
- "endColumn": 81,
- "value": "0afae57f3ccfd9d7f5767067bc48b30f719e271ba470488056e37ab35d4b6506",
- "ruleDescription": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations.",
- "cvssScore": 8.2
- }
- ]
- }
- }
\ No newline at end of file
+ "totalItemsScanned": 1,
+ "totalSecretsFound": 2,
+ "results": {
+ "6a3e642795e27b989c54ac0c91147fe8e9a405b4": [
+ {
+ "id": "6a3e642795e27b989c54ac0c91147fe8e9a405b4",
+ "source": "testData/input/secret_at_end.txt",
+ "ruleId": "generic-api-key",
+ "startLine": 2,
+ "endLine": 2,
+ "lineContent": "\n\t\t`\"client_secret\" : \"6da89121079f83b2eb6acccf8219ea982c3d79bccc3e9c6a85856480661f8fde\",`",
+ "startColumn": 6,
+ "endColumn": 88,
+ "value": "6da89121079f83b2eb6acccf8219ea982c3d79bccc3e9c6a85856480661f8fde",
+ "ruleDescription": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations.",
+ "cvssScore": 8.2
+ }
+ ],
+ "84bc054139c2363b37538209055a2d9c23026fab": [
+ {
+ "id": "84bc054139c2363b37538209055a2d9c23026fab",
+ "source": "testData/input/secret_at_end.txt",
+ "ruleId": "generic-api-key",
+ "startLine": 1,
+ "endLine": 1,
+ "lineContent": "`\"client_id\" : \"0afae57f3ccfd9d7f5767067bc48b30f719e271ba470488056e37ab35d4b6506\"`,\r",
+ "startColumn": 3,
+ "endColumn": 81,
+ "value": "0afae57f3ccfd9d7f5767067bc48b30f719e271ba470488056e37ab35d4b6506",
+ "ruleDescription": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations.",
+ "cvssScore": 8.2
+ }
+ ]
+ }
+}
\ No newline at end of file