Modify MSteams secrets: add tests, add pattern readability (#280)

loris-s-sonarsource · web-flow · commit 0cf74fdf3350 · 2023-09-25T08:55:48.000+02:00
diff --git a/sonar-text-plugin/src/main/resources/org/sonar/plugins/secrets/configuration/ms-teams.yaml b/sonar-text-plugin/src/main/resources/org/sonar/plugins/secrets/configuration/ms-teams.yaml
@@ -15,21 +15,33 @@ provider:
       patternNot: 
         - "(\\w)\\1{5,}"
         - "(?i)test|abcd|1234"
-        - "(?i)\
-        YOURTENANTNAME|\
-        mycompany|\
-        yourorg|\
-        team[_-]?name|\
-        example|\
-        contoso|\
-        acmecorp"
+        - "(?i)YOURTENANTNAME|mycompany|yourorg|(s|ex)ample"
+        - "(?i)team[_-]?name"
+        - "contoso|acmecorp"
 
   rules:
     - rspecKey: S6721
       id: ms-teams-webhook-urls
       metadata:
         name: Microsoft Teams Webhook Urls
+      detection:
+        matching:
+          # Structure:
+          # https://tenant-name.webhook.office.com/webhookb2/guid@guid/IncomingWebhook/connectorId/guid
+          # An MS GUID is in the following format XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX where X is a hex digit
+            pattern: "((?:https://)?\
+                    [a-z0-9_-]{1,50}\\.webhook\\.office\\.com/webhookb2/\
+                    [a-z0-9\\-]{1,50}@[a-z0-9\\-]{1,50}/IncomingWebhook/[a-z0-9]{1,50}/[a-z0-9\\-]{1,50})"
       examples:
+        - text: |
+            # Noncompliant code example
+            props.set("teams_webhook_url", "https://sonarcompany.webhook.office.com/webhookb2/52feb105-fe74-52b9-8e90-5d165916fe22@61c6aa5a3-6531-4e28-9c0b-33ba1a8aa1ff/IncomingWebhook/f7fb2308e5f14431ace5b7cd0e670e42/4563618c-b03b-4e80-b093-28bb4ff11de8")
+          containsSecret: true
+          match: https://sonarcompany.webhook.office.com/webhookb2/52feb105-fe74-52b9-8e90-5d165916fe22@61c6aa5a3-6531-4e28-9c0b-33ba1a8aa1ff/IncomingWebhook/f7fb2308e5f14431ace5b7cd0e670e42/4563618c-b03b-4e80-b093-28bb4ff11de8
+        - text: |
+            # Compliant solution
+            props.set("teams_webhook_url", System.getenv("TEAMS_WEBHOOK_URL"))
+          containsSecret: false
         - text: |
             var webhookUrl = "https://companyname.webhook.office.com/webhookb2/5bf015e2-ce92-42a8-8e90-92552d6ef161@0c6aa5a3-6531-4e28-9c0b-33ba1a8aa1ff/IncomingWebhook/f7fb2308e5f14431ace5b7cd0e670e42/4563618c-b03b-4e80-b093-28bb4ff11de8";
             var client = new HttpClient();
@@ -53,9 +65,4 @@ provider:
               '1': 'https://mycompany.webhook.office.com/webhookb2/f49c28c6-d10b-412c-b961-fge456bd@c1a7fa9b-90b3-49ab-b5e2-345HG88c/IncomingWebhook/b43c20SDSGFG56712d848bc1cebb17/53ee2e22-a867-4e74-868a-F3fs3935',
             }
           containsSecret: false
-      detection:
-        matching:
-          # Structure:
-          # https://tenant-name.webhook.office.com/webhookb2/guid@guid/IncomingWebhook/connectorId/guid
-          # An MS GUID is in the following format XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX where X is a hex digit
-          pattern: "((https://)?[a-z0-9_-]{1,50}\\.webhook\\.office\\.com/webhookb2/[a-z0-9\\-]{1,50}@[a-z0-9\\-]{1,50}/IncomingWebhook/[a-z0-9]{1,50}/[a-z0-9\\-]{1,50})"
+
