add positives to the rule definition

Checkmarx · Aug 23, 2023 · 319a704 · 319a704
1 parent a2492c1
commit 319a704
Show file tree

Hide file tree

Showing 3 changed files with 78 additions and 2 deletions.
diff --git a/secrets/rules/authenticated_url.go b/secrets/rules/authenticated_url.go
@@ -1,4 +1,4 @@
-package secrets
+package rules
 
 import (
 	"regexp"
@@ -16,5 +16,16 @@ func AuthenticatedURL() *config.Rule {
 		SecretGroup: 1,
 	}
 
-	return &rule
+	tPositives := []string{
+		"mongodb+srv://radar:[email protected]/?retryWrites=true&w=majority",
+		"--output=https://elastic:bF21iC0bfTVXo3qhpJqTGs78@c22f5bc9787c4c268d3b069ad866bdc2.eu-central-1.aws.cloud.es.io:9243/tfs",
+		"https://abc:[email protected]",
+	}
+
+	fPositives := []string{
+		"https://google.com",
+		"https://google.com?user=abc&password=123",
+	}
+
+	return validate(rule, tPositives, fPositives)
 }
diff --git a/secrets/rules/rule.go b/secrets/rules/rule.go
@@ -0,0 +1,37 @@
+package rules
+
+import (
+	"strings"
+
+	"github.com/rs/zerolog/log"
+	"github.com/zricethezav/gitleaks/v8/config"
+	"github.com/zricethezav/gitleaks/v8/detect"
+)
+
+// Copied from https://github.com/gitleaks/gitleaks/blob/463d24618fa42fc7629dc30c9744ebe36c5df1ab/cmd/generate/config/rules/rule.go
+func validate(r config.Rule, truePositives []string, falsePositives []string) *config.Rule {
+	// normalize keywords like in the config package
+	var keywords []string
+	for _, k := range r.Keywords {
+		keywords = append(keywords, strings.ToLower(k))
+	}
+	r.Keywords = keywords
+
+	rules := make(map[string]config.Rule)
+	rules[r.RuleID] = r
+	d := detect.NewDetector(config.Config{
+		Rules:    rules,
+		Keywords: keywords,
+	})
+	for _, tp := range truePositives {
+		if len(d.DetectString(tp)) != 1 {
+			log.Fatal().Msgf("Failed to validate. For rule ID [%s], true positive [%s] was not detected by regexp [%s]", r.RuleID, tp, r.Regex)
+		}
+	}
+	for _, fp := range falsePositives {
+		if len(d.DetectString(fp)) != 0 {
+			log.Fatal().Msgf("Failed to validate. For rule ID [%s], false positive [%s] was detected by regexp [%s]", r.RuleID, fp, r.Regex)
+		}
+	}
+	return &r
+}
diff --git a/secrets/rules/rule_test.go b/secrets/rules/rule_test.go
@@ -0,0 +1,28 @@
+package rules_test
+
+import (
+	"testing"
+
+	"github.com/checkmarx/2ms/secrets/rules"
+	"github.com/zricethezav/gitleaks/v8/config"
+)
+
+func Test2msRules(t *testing.T) {
+	t.Parallel()
+
+	testsRules := []struct {
+		name     string
+		validate func() *config.Rule
+	}{
+		{name: "AuthenticatedURL", validate: rules.AuthenticatedURL},
+	}
+
+	for _, tRule := range testsRules {
+		testRule := tRule // fix for loop variable being captured by func literal
+		t.Run(testRule.name, func(t *testing.T) {
+			t.Parallel()
+
+			testRule.validate()
+		})
+	}
+}