Skip to content

Commit

Permalink
Merge pull request Yelp#620 from Yelp/dakranj-611-fix-audit-report-fa…
Browse files Browse the repository at this point in the history
…iling

Fix audit report that verifies a secret
  • Loading branch information
lorenzodb1 authored Sep 27, 2022
2 parents 0dcd54c + 07e8244 commit b32a53f
Show file tree
Hide file tree
Showing 2 changed files with 41 additions and 2 deletions.
3 changes: 3 additions & 0 deletions detect_secrets/audit/common.py
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@
from ..transformers import get_transformed_file
from ..types import NamedIO
from ..util.inject import call_function_with_arguments
from detect_secrets.util.code_snippet import get_code_snippet


def get_baseline_from_file(filename: str) -> SecretsCollection:
Expand Down Expand Up @@ -91,6 +92,7 @@ def get_raw_secrets_from_file(
line_numbers = list(range(len(lines_to_scan)))

for line_number, line in zip(line_numbers, lines_to_scan):
context = get_code_snippet(lines=line_getter.lines, line_number=line_number + 1)
identified_secrets = call_function_with_arguments(
plugin.analyze_line,
filename=secret.filename,
Expand All @@ -100,6 +102,7 @@ def get_raw_secrets_from_file(
# We enable eager search, because we *know* there's a secret here -- the baseline
# flagged it after all.
enable_eager_search=bool(secret.line_number),
context=context,
)

for identified_secret in (identified_secrets or []):
Expand Down
40 changes: 38 additions & 2 deletions tests/audit/report_test.py
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@
from detect_secrets.constants import VerifiedResult
from detect_secrets.core import baseline
from detect_secrets.core.secrets_collection import SecretsCollection
from detect_secrets.plugins.aws import AWSKeyDetector
from detect_secrets.plugins.basic_auth import BasicAuthDetector
from detect_secrets.plugins.jwt import JwtTokenDetector
from detect_secrets.settings import transient_settings
Expand All @@ -20,13 +21,14 @@
first_secret = 'value1'
second_secret = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ' # noqa: E501
random_secret = ''.join(random.choice(string.ascii_letters) for _ in range(8))
aws_secret = 'AKIAZZZZZZZZZZZZZZZZ'


@pytest.mark.parametrize(
'class_to_print, expected_real, expected_false, expected_output',
[
(
None, 3, 1,
None, 4, 1,
{
'results': [
{
Expand Down Expand Up @@ -71,11 +73,21 @@
BasicAuthDetector.secret_type,
],
},
{
'category': 'VERIFIED_TRUE',
'lines': {
1: 'aws_access_key = {}'.format(aws_secret),
},
'secrets': aws_secret,
'types': [
AWSKeyDetector.secret_type,
],
},
],
},
),
(
SecretClassToPrint.REAL_SECRET, 3, 0,
SecretClassToPrint.REAL_SECRET, 4, 0,
{
'results': [
{
Expand Down Expand Up @@ -109,6 +121,16 @@
JwtTokenDetector.secret_type,
],
},
{
'category': 'VERIFIED_TRUE',
'lines': {
1: 'aws_access_key = {}'.format(aws_secret),
},
'secrets': aws_secret,
'types': [
AWSKeyDetector.secret_type,
],
},
],
},
),
Expand Down Expand Up @@ -193,27 +215,41 @@ def baseline_file():
url = {url_format.format(second_secret)}
example = {url_format.format(random_secret)}
""")[1:]
third_content = textwrap.dedent(f"""
aws_access_key = {aws_secret}
""")[1:]

with create_file_with_content(first_content) as first_file, \
create_file_with_content(second_content) as second_file, \
create_file_with_content(third_content) as third_file, \
mock_named_temporary_file() as baseline_file, \
transient_settings({
'plugins_used': [
{'name': 'BasicAuthDetector'},
{'name': 'JwtTokenDetector'},
{'name': 'AWSKeyDetector'},

],
'filters_used': [
{
'path':
'detect_secrets.filters.common.is_ignored_due_to_verification_policies',
'min_level': 2,
},
],
}):
secrets = SecretsCollection()
secrets.scan_file(first_file)
secrets.scan_file(second_file)
secrets.scan_file(third_file)
labels = {
(first_file, BasicAuthDetector.secret_type, 1): True,
(first_file, BasicAuthDetector.secret_type, 2): None,
(first_file, BasicAuthDetector.secret_type, 3): True,
(second_file, JwtTokenDetector.secret_type, 1): True,
(second_file, BasicAuthDetector.secret_type, 1): False,
(second_file, BasicAuthDetector.secret_type, 2): False,
(third_file, AWSKeyDetector.secret_type, 1): True,
}
for item in secrets:
_, secret = item
Expand Down

0 comments on commit b32a53f

Please sign in to comment.