
fix(secrets): change entropy limit in Combinator plugin #3575

Merged
merged 12 commits into from
Sep 29, 2022
5 changes: 4 additions & 1 deletion checkov/secrets/plugins/entropy_keyword_combinator.py
Expand Up @@ -12,12 +12,15 @@
from detect_secrets.util.code_snippet import CodeSnippet

MAX_LINE_LENGTH = 10000
ENTROPY_KEYWORD_COMBINATOR_LIMIT = 3


class EntropyKeywordCombinator(BasePlugin):
secret_type = "" # nosec # noqa: CCE003 # a static attribute

def __init__(self, limit: float) -> None:
iac_limit = ENTROPY_KEYWORD_COMBINATOR_LIMIT
self.high_entropy_scanners_iac = (Base64HighEntropyString(limit=iac_limit), HexHighEntropyString(limit=iac_limit))
self.high_entropy_scanners = (Base64HighEntropyString(limit=limit), HexHighEntropyString(limit=limit))
self.keyword_scanner = KeywordDetector()

Expand Down Expand Up @@ -46,7 +49,7 @@ def analyze_line(
keyword_entropy = keyword_matches.union(entropy_matches)
return keyword_entropy
if keyword_matches:
for entropy_scanner in self.high_entropy_scanners:
for entropy_scanner in self.high_entropy_scanners_iac:
matches = entropy_scanner.analyze_line(filename, line, line_number, **kwargs)
if matches:
return matches
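Review bot: `ENTROPY_KEYWORD_COMBINATOR_LIMIT = 3` is introduced without saying how it relates to the `limit` argument of `__init__`, which after this change only feeds `self.high_entropy_scanners`, while the second hunk routes the keyword-gated branch to the lower-threshold `self.high_entropy_scanners_iac`; the plugin now applies two different entropy bars with no comment saying which path gets which. I would document it at the constant: `ENTROPY_KEYWORD_COMBINATOR_LIMIT = 3  # entropy bar for values already gated by a keyword match; the runner-supplied limit applies to the un-gated scanners`. The `_iac` suffix suggests the keyword-gated branch is the IaC path, but that is not visible here — the branch returning `keyword_matches.union(entropy_matches)` and the rest of `analyze_line` lie outside the hunk — so a short docstring on `__init__` naming both thresholds and when each applies would help the next reader. From a detection standpoint a lower bar on the keyword path is defensible, since the keyword supplies the context that raw entropy does not; that trade-off is worth stating in the comment.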
61 changes: 17 additions & 44 deletions checkov/secrets/runner.py
Expand Up @@ -60,7 +60,7 @@
}
CHECK_ID_TO_SECRET_TYPE = {v: k for k, v in SECRET_TYPE_TO_ID.items()}

ENTROPY_KEYWORD_LIMIT = 3
ENTROPY_KEYWORD_LIMIT = 4.5
PROHIBITED_FILES = ['Pipfile.lock', 'yarn.lock', 'package-lock.json', 'requirements.txt']

MAX_FILE_SIZE = int(os.getenv('CHECKOV_MAX_FILE_SIZE', '5000000')) # 5 MB is default limit
Expand All @@ -69,58 +69,31 @@
class Runner(BaseRunner[None]):
check_type = CheckType.SECRETS # noqa: CCE003 # a static attribute

def run(
self,
def run(self,
root_folder: str | None,
external_checks_dir: list[str] | None = None,
files: list[str] | None = None,
runner_filter: RunnerFilter | None = None,
collect_skip_comments: bool = True
) -> Report:
) -> Report:
runner_filter = runner_filter or RunnerFilter()
current_dir = Path(__file__).parent
secrets = SecretsCollection()
plugins_used = \
[
{
'name': 'AWSKeyDetector'
},
{
'name': 'ArtifactoryDetector'
},
{
'name': 'AzureStorageKeyDetector'
},
{
'name': 'BasicAuthDetector'
},
{
'name': 'CloudantDetector'
},
{
'name': 'IbmCloudIamDetector'
},
{
'name': 'MailchimpDetector'
},
{
'name': 'PrivateKeyDetector'
},
{
'name': 'SlackDetector'
},
{
'name': 'SoftlayerDetector'
},
{
'name': 'SquareOAuthDetector'
},
{
'name': 'StripeDetector'
},
{
'name': 'TwilioKeyDetector'
},
{'name': 'AWSKeyDetector'},
{'name': 'ArtifactoryDetector'},
{'name': 'AzureStorageKeyDetector'},
{'name': 'BasicAuthDetector'},
{'name': 'CloudantDetector'},
{'name': 'IbmCloudIamDetector'},
{'name': 'MailchimpDetector'},
{'name': 'PrivateKeyDetector'},
{'name': 'SlackDetector'},
{'name': 'SoftlayerDetector'},
{'name': 'SquareOAuthDetector'},
{'name': 'StripeDetector'},
{'name': 'TwilioKeyDetector'},
{
'name': 'EntropyKeywordCombinator',
'path': f'file://{current_dir}/plugins/entropy_keyword_combinator.py',
Expand Down Expand Up @@ -284,4 +257,4 @@ def search_for_suppression(
"result": CheckResult.SKIPPED,
"suppress_comment": skip_search.group(3)[1:] if skip_search.group(3) else "No comment provided"
}
return None
return None
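Review bot: `ENTROPY_KEYWORD_LIMIT = 4.5` keeps its old name while a separately named `ENTROPY_KEYWORD_COMBINATOR_LIMIT` (3) now lives in the plugin module; two near-identical names for two different thresholds in two files are easy to mix up, and the magic value 4.5 carries no rationale. I would annotate the constant with its role and reason (the added no-false-positive fixtures suggest it was raised to cut noise in source files): `ENTROPY_KEYWORD_LIMIT = 4.5  # base64/hex entropy bar for the combinator's un-gated scanners; raised from 3 to reduce false positives`. Raising the bar also means lower-entropy secrets that are not preceded by a keyword are no longer reported, which is a coverage change users may want to tune per repository; reading it from the environment the way `MAX_FILE_SIZE` does a few lines above would make that explicit. The `plugins_used` reformatting and the `run` signature reflow are cosmetic and fine.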
29 changes: 29 additions & 0 deletions tests/secrets/resources/cfn/secret-no-false-positive.yml
@@ -0,0 +1,29 @@
"""

no False Positive - where it's not an actual secret
check_metadata_values = ('bafadssda$#%2', 'bdfsver#$@%')
CHECKOV_METADATA_RESULT = 'checkov_results5243gvr'
check1 = {'blabla': 'blabla1'}
check2 = {'blabla': 'blabla2'}
check1['some_key_1235#$@'] = check2.get('some_value_1235')


"""

CleanBucketFunction:
Type: "AWS::Lambda::Function"
DependsOn: CleanupRole
Properties:
Handler: index.clearS3Bucket
Role:
Fn::GetAtt: CleanupRole.Arn
Runtime: nodejs12.x
Timeout: 25
Code:
ZipFile: |
no False Positive - where it's not an actual secret
check_metadata_values = ('bafadssda$#%2', 'bdfsver#$@%')
CHECKOV_METADATA_RESULT = 'checkov_results5243gvr'
check1 = {'blabla': 'blabla1'}
check2 = {'blabla': 'blabla2'}
check1['some_key_1235#$@'] = check2.get('some_value_1235')
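Review bot: The fixture opens with a `"""` block before `CleanBucketFunction:`, which is Python docstring syntax rather than a YAML comment; if anything in the pipeline loads this file as a CloudFormation template, the leading quoted lines will not parse as part of the resource mapping, whereas `#`-prefixed lines would be ignored by any YAML loader. If the secrets runner only scans the file line by line this is harmless, but then the top block is also redundant with the identical lines inside `ZipFile: |`. I would replace the top block with `# no false positive fixture: the values below are deliberately non-secret` and keep only the embedded copy in the Lambda `ZipFile`.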
8 changes: 8 additions & 0 deletions tests/secrets/resources/file_type/test.py
@@ -1,3 +1,11 @@
# no False Positive - where it's not an actual secret
check_metadata_values = ('bafadssda$#%2', 'bdfsver#$@%')
CHECKOV_METADATA_RESULT = 'checkov_results5243gvr'
check1 = {'blabla': 'blabla1'}
check2 = {'blabla': 'blabla2'}
check1['some_key_1235#$@'] = check2.get('some_value_1235')


access_key = "AKIAIOSFODNN7EXAMPLE"
secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
if __name__ == '__main__':
8 changes: 6 additions & 2 deletions tests/secrets/test_plugin.py
Expand Up @@ -24,7 +24,7 @@ def test_negative_entropy_value(self):
self.assertEqual(0, len(result))

def test_popular_kubernetes_manifest_password(self):
result = self.plugin.analyze_line("mock.yaml", 'pwd: "correcthorsebatterystaple"', 5)
result = self.plugin.analyze_line("mock.yaml", 'pwd: "correcthorsebatterystaple"', 5) # fails now
self.assertEqual(1, len(result))
secret = result.pop()
self.assertEqual("Base64 High Entropy String", secret.type)
Expand All @@ -35,4 +35,8 @@ def test_source_code_file_value(self):
self.assertEqual(1, len(result))
secret = result.pop()
self.assertEqual("Secret Keyword", secret.type)
self.assertEqual("93beaa774e56483f19e4fe916ce87e62d4b3ea85", secret.secret_hash)
self.assertEqual("93beaa774e56483f19e4fe916ce87e62d4b3ea85", secret.secret_hash)

def test_source_code_no_false_positive(self):
result = self.plugin.analyze_line("main.py", "check1['some_key_1235#$@'] = check2.get('some_value_1235')", 1)
self.assertEqual(0, len(result))
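Review bot: `test_popular_kubernetes_manifest_password` gains a `# fails now` comment but still asserts `1 == len(result)`, so either the test is red after this change or the comment is stale; neither should be merged as is. `correcthorsebatterystaple` next to `pwd:` appears to be exactly the keyword-gated, low-entropy case the plugin's separate lower threshold is meant to keep reporting, so if it really fails that is a coverage regression worth fixing rather than annotating, and if it passes the comment should go. If a changed expectation is intentional, make it explicit with `@unittest.skip("reason")` or an updated assertion plus a one-line reason. The new `test_source_code_no_false_positive` pins only the negative side; a sibling positive case with a genuine high-entropy value on a `.py` line would pin that the raised limit still reports real secrets.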