fix(secret): update built-in rule tests (aquasecurity#3855)

Co-authored-by: Teppei Fukuda <[email protected]>
030 · Apr 3, 2023 · d113b93 · d113b93
1 parent 5ab6d25
commit d113b93
Show file tree

Hide file tree

Showing 22 changed files with 64 additions and 19 deletions.
diff --git a/pkg/fanal/analyzer/secret/secret_test.go b/pkg/fanal/analyzer/secret/secret_test.go
@@ -210,7 +210,11 @@ func TestSecretRequire(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			a := secret.SecretAnalyzer{}
-			err := a.Init(analyzer.AnalyzerOptions{})
+			err := a.Init(analyzer.AnalyzerOptions{
+				SecretScannerOption: analyzer.SecretScannerOption{
+					ConfigPath: "testdata/skip-tests-config.yaml",
+				},
+			})
 			require.NoError(t, err)
 
 			fi, err := os.Stat(tt.filePath)

diff --git a/pkg/fanal/analyzer/secret/testdata/config.yaml b/pkg/fanal/analyzer/secret/testdata/config.yaml
@@ -6,4 +6,5 @@ rules:
     regex: (?i)(?P<key>(secret))(=|:).{0,5}['"](?P<secret>[0-9a-zA-Z\-_=]{8,64})['"]
     secret-group-name: secret
 
-
+disable-allow-rules:
+  - tests
diff --git a/pkg/fanal/analyzer/secret/testdata/skip-tests-config.yaml b/pkg/fanal/analyzer/secret/testdata/skip-tests-config.yaml
@@ -0,0 +1,2 @@
+disable-allow-rules:
+  - tests
diff --git a/pkg/fanal/secret/builtin-allow-rules.go b/pkg/fanal/secret/builtin-allow-rules.go
@@ -4,7 +4,7 @@ var builtinAllowRules = []AllowRule{
 	{
 		ID:          "tests",
 		Description: "Avoid test files and paths",
-		Path:        MustCompile(`(\/test|-test|_test|\.test)`),
+		Path:        MustCompile(`(^test|\/test|-test|_test|\.test)`),
 	},
 	{
 		ID:          "examples",

diff --git a/pkg/fanal/secret/scanner.go b/pkg/fanal/secret/scanner.go
@@ -341,6 +341,7 @@ type Match struct {
 func (s *Scanner) Scan(args ScanArgs) types.Secret {
 	// Global allowed paths
 	if s.AllowPath(args.FilePath) {
+		log.Logger.Debugf("Skipped secret scanning on %q matching allowed paths", args.FilePath)
 		return types.Secret{
 			FilePath: args.FilePath,
 		}
@@ -355,11 +356,13 @@ func (s *Scanner) Scan(args ScanArgs) types.Secret {
 	for _, rule := range s.Rules {
 		// Check if the file path should be scanned by this rule
 		if !rule.MatchPath(args.FilePath) {
+			log.Logger.Debugf("Skipped secret scanning on %q as non-compliant to the rule %q", args.FilePath, rule.ID)
 			continue
 		}
 
 		// Check if the file path should be allowed
 		if rule.AllowPath(args.FilePath) {
+			log.Logger.Debugf("Skipped secret scanning on %q as allowed", args.FilePath)
 			continue
 		}
 

diff --git a/pkg/fanal/secret/scanner_test.go b/pkg/fanal/secret/scanner_test.go
@@ -554,6 +554,7 @@ func TestSecretScanner(t *testing.T) {
 		},
 		{
 			name:          "find Asymmetric Private Key secrets",
+			configPath:    filepath.Join("testdata", "skip-test.yaml"),
 			inputFilePath: filepath.Join("testdata", "asymmetric-private-secret.txt"),
 			want: types.Secret{
 				FilePath: filepath.Join("testdata", "asymmetric-private-secret.txt"),
@@ -562,6 +563,7 @@ func TestSecretScanner(t *testing.T) {
 		},
 		{
 			name:          "find Alibaba AccessKey ID txt",
+			configPath:    filepath.Join("testdata", "skip-test.yaml"),
 			inputFilePath: "testdata/alibaba-access-key-id.txt",
 			want: types.Secret{
 				FilePath: "testdata/alibaba-access-key-id.txt",
@@ -570,6 +572,7 @@ func TestSecretScanner(t *testing.T) {
 		},
 		{
 			name:          "find Asymmetric Private Key secrets json",
+			configPath:    filepath.Join("testdata", "skip-test.yaml"),
 			inputFilePath: filepath.Join("testdata", "asymmetric-private-secret.json"),
 			want: types.Secret{
 				FilePath: filepath.Join("testdata", "asymmetric-private-secret.json"),
@@ -610,7 +613,7 @@ func TestSecretScanner(t *testing.T) {
 		},
 		{
 			name:          "should find ghp builtin secret",
-			configPath:    "",
+			configPath:    filepath.Join("testdata", "skip-test.yaml"),
 			inputFilePath: filepath.Join("testdata", "builtin-rule-secret.txt"),
 			want: types.Secret{
 				FilePath: filepath.Join("testdata", "builtin-rule-secret.txt"),
@@ -673,6 +676,7 @@ func TestSecretScanner(t *testing.T) {
 		},
 		{
 			name:          "skip examples file",
+			configPath:    filepath.Join("testdata", "skip-test.yaml"),
 			inputFilePath: filepath.Join("testdata", "example-secret.txt"),
 			want: types.Secret{
 				FilePath: filepath.Join("testdata", "example-secret.txt"),
@@ -716,6 +720,7 @@ func TestSecretScanner(t *testing.T) {
 		},
 		{
 			name:          "truncate long line",
+			configPath:    filepath.Join("testdata", "skip-test.yaml"),
 			inputFilePath: filepath.Join("testdata", "long-line-secret.txt"),
 			want: types.Secret{
 				FilePath: filepath.Join("testdata", "long-line-secret.txt"),
@@ -733,12 +738,13 @@ func TestSecretScanner(t *testing.T) {
 		},
 		{
 			name:          "invalid aws secrets",
+			configPath:    filepath.Join("testdata", "skip-test.yaml"),
 			inputFilePath: filepath.Join("testdata", "invalid-aws-secrets.txt"),
 			want:          types.Secret{},
 		},
 		{
 			name:          "asymmetric file",
-			configPath:    "",
+			configPath:    filepath.Join("testdata", "skip-test.yaml"),
 			inputFilePath: "testdata/asymmetric-private-key.txt",
 			want: types.Secret{
 				FilePath: "testdata/asymmetric-private-key.txt",

diff --git a/pkg/fanal/secret/testdata/allow-path.yaml b/pkg/fanal/secret/testdata/allow-path.yaml
@@ -7,4 +7,6 @@ rules:
     secret-group-name: secret
     allow-rules:
       - description: skip text files
-        path: .*\.txt
+        path: .*\.txt
+disable-allow-rules:
+  - tests
diff --git a/pkg/fanal/secret/testdata/allow-regex-outside-group.yaml b/pkg/fanal/secret/testdata/allow-regex-outside-group.yaml
@@ -7,4 +7,6 @@ rules:
     secret-group-name: secret
     allow-rules:
       - description: skip line
-        regex: line
+        regex: line
+disable-allow-rules:
+  - tests
diff --git a/pkg/fanal/secret/testdata/allow-regex.yaml b/pkg/fanal/secret/testdata/allow-regex.yaml
@@ -7,4 +7,6 @@ rules:
     secret-group-name: secret
     allow-rules:
       - description: skip other
-        regex: other
+        regex: other
+disable-allow-rules:
+  - tests
diff --git a/pkg/fanal/secret/testdata/config-disable-allow-rule-md.yaml b/pkg/fanal/secret/testdata/config-disable-allow-rule-md.yaml
@@ -7,5 +7,6 @@ rules:
     secret-group-name: secret
 disable-allow-rules:
   - markdown
+  - tests
 
 
diff --git a/pkg/fanal/secret/testdata/config-disable-ghp.yaml b/pkg/fanal/secret/testdata/config-disable-ghp.yaml
@@ -1,2 +1,5 @@
 disable-rules:
-  - github-pat
+  - github-pat
+
+disable-allow-rules:
+  - tests
diff --git a/pkg/fanal/secret/testdata/config-disable-rule1.yaml b/pkg/fanal/secret/testdata/config-disable-rule1.yaml
@@ -6,4 +6,7 @@ rules:
     regex: (?i)(?P<key>(secret))(=|:).{0,5}['"](?P<secret>[0-9a-zA-Z\-_=]{8,64})['"]
     secret-group-name: secret
 disable-rules:
-  - rule1
+  - rule1
+
+disable-allow-rules:
+  - tests
diff --git a/pkg/fanal/secret/testdata/config-enable-ghp.yaml b/pkg/fanal/secret/testdata/config-enable-ghp.yaml
@@ -1,2 +1,5 @@
 enable-builtin-rules:
-  - github-pat
+  - github-pat
+
+disable-allow-rules:
+  - tests
diff --git a/pkg/fanal/secret/testdata/config-happy-keywords.yaml b/pkg/fanal/secret/testdata/config-happy-keywords.yaml
@@ -7,4 +7,5 @@ rules:
     secret-group-name: secret
     keywords: [secret]
 
-
+disable-allow-rules:
+  - tests
diff --git a/pkg/fanal/secret/testdata/config-sad-keywords.yaml b/pkg/fanal/secret/testdata/config-sad-keywords.yaml
@@ -7,4 +7,5 @@ rules:
     secret-group-name: secret
     keywords: [bla]
 
-
+disable-allow-rules:
+  - tests
diff --git a/pkg/fanal/secret/testdata/config-without-severity.yaml b/pkg/fanal/secret/testdata/config-without-severity.yaml
@@ -4,3 +4,5 @@ rules:
     title: Generic Rule
     regex: (?i)(?P<key>(secret))(=|:).{0,5}['"](?P<secret>somevalue)['"]
     secret-group-name: secret
+disable-allow-rules:
+  - tests
diff --git a/pkg/fanal/secret/testdata/config.yaml b/pkg/fanal/secret/testdata/config.yaml
@@ -6,4 +6,5 @@ rules:
     regex: (?i)(?P<key>(secret))(=|:).{0,5}['"](?P<secret>[0-9a-zA-Z\-_=]{8,64})['"]
     secret-group-name: secret
 
-
+disable-allow-rules:
+  - tests
diff --git a/pkg/fanal/secret/testdata/exclude-block.yaml b/pkg/fanal/secret/testdata/exclude-block.yaml
@@ -8,4 +8,6 @@ rules:
     exclude-block:
       description: exclude blocks
       regexes:
-        - --- ignore block start ---(.|\s)*--- ignore block stop ---
+        - --- ignore block start ---(.|\s)*--- ignore block stop ---
+disable-allow-rules:
+  - tests
diff --git a/pkg/fanal/secret/testdata/global-allow-regex.yaml b/pkg/fanal/secret/testdata/global-allow-regex.yaml
@@ -7,4 +7,6 @@ rules:
     secret-group-name: secret
 allow-rules:
   - description: skip other
-    regex: other
+    regex: other
+disable-allow-rules:
+  - tests
diff --git a/pkg/fanal/secret/testdata/global-exclude-block.yaml b/pkg/fanal/secret/testdata/global-exclude-block.yaml
@@ -8,4 +8,6 @@ rules:
 exclude-block:
   description: exclude blocks
   regexes:
-    - --- ignore block start ---(.|\s)*--- ignore block stop ---
+    - --- ignore block start ---(.|\s)*--- ignore block stop ---
+disable-allow-rules:
+  - tests
diff --git a/pkg/fanal/secret/testdata/multiple-secret-groups.yaml b/pkg/fanal/secret/testdata/multiple-secret-groups.yaml
@@ -5,5 +5,5 @@ rules:
     severity: HIGH
     regex: (?i)credentials:\s*\{\s*user:\s*['"](?P<secret>[0-9a-zA-Z\-_=]{8,64})['"]\s*password:\s*['"](?P<secret>[0-9a-zA-Z\-_=]{8,64})['"]\s*\}
     secret-group-name: secret
-
-
+disable-allow-rules:
+  - tests
diff --git a/pkg/fanal/secret/testdata/skip-test.yaml b/pkg/fanal/secret/testdata/skip-test.yaml
@@ -0,0 +1,2 @@
+disable-allow-rules:
+  - tests