Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package trufflehog for openSUSE:Factory checked in at 2026-03-05 18:20:44 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/trufflehog (Old) and /work/SRC/openSUSE:Factory/.trufflehog.new.561 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "trufflehog" Thu Mar 5 18:20:44 2026 rev:115 rq:1336773 version:3.93.7 Changes: -------- --- /work/SRC/openSUSE:Factory/trufflehog/trufflehog.changes 2026-03-04 21:08:36.104838735 +0100 +++ /work/SRC/openSUSE:Factory/.trufflehog.new.561/trufflehog.changes 2026-03-05 18:20:47.650202785 +0100 @@ -1,0 +2,9 @@ +Thu Mar 05 07:38:04 UTC 2026 - Felix Niederwanger <[email protected]> + +- Update to version 3.93.7: + * fix JDBC detector regex truncating trailing non-alphanumeric password characters (#4755) + * Added detector for JFrog Artifactory Reference Tokens (#4684) + * Thread original chunk data through engine pipeline (#4780) + * [INS-331] Fix the issue causing the tests file system soruce tests to fail on windows (#4743) + +------------------------------------------------------------------- Old: ---- trufflehog-3.93.6.obscpio New: ---- trufflehog-3.93.7.obscpio ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ trufflehog.spec ++++++ --- /var/tmp/diff_new_pack.R0cogS/_old 2026-03-05 18:20:51.938380592 +0100 +++ /var/tmp/diff_new_pack.R0cogS/_new 2026-03-05 18:20:51.942380758 +0100 @@ -17,7 +17,7 @@ Name: trufflehog -Version: 3.93.6 +Version: 3.93.7 Release: 0 Summary: CLI tool to find exposed secrets in source and archives License: AGPL-3.0-or-later ++++++ _service ++++++ --- /var/tmp/diff_new_pack.R0cogS/_old 2026-03-05 18:20:51.986382582 +0100 +++ /var/tmp/diff_new_pack.R0cogS/_new 2026-03-05 18:20:51.990382748 +0100 @@ -2,7 +2,7 @@ <service name="obs_scm" mode="manual"> <param name="url">https://github.com/trufflesecurity/trufflehog.git</param> <param name="scm">git</param> - <param name="revision">v3.93.6</param> + <param name="revision">v3.93.7</param> <param name="match-tag">v*</param> <param name="versionformat">@PARENT_TAG@</param> <param name="versionrewrite-pattern">v(.*)</param> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.R0cogS/_old 2026-03-05 18:20:52.022384075 +0100 +++ /var/tmp/diff_new_pack.R0cogS/_new 2026-03-05 18:20:52.022384075 +0100 @@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/trufflesecurity/trufflehog.git</param> - <param name="changesrevision">041f07e9df901a1038a528e5525b0226d04dd5ea</param></service></servicedata> + <param name="changesrevision">c3e599b7163e8198a55467f3133db0e7b2a492cb</param></service></servicedata> (No newline at EOF) ++++++ trufflehog-3.93.6.obscpio -> trufflehog-3.93.7.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/trufflehog-3.93.6/pkg/decoders/escaped_unicode.go new/trufflehog-3.93.7/pkg/decoders/escaped_unicode.go --- old/trufflehog-3.93.6/pkg/decoders/escaped_unicode.go 2026-02-27 16:05:52.000000000 +0100 +++ new/trufflehog-3.93.7/pkg/decoders/escaped_unicode.go 2026-03-04 16:56:42.000000000 +0100 @@ -105,6 +105,7 @@ DecoderType: d.Type(), Chunk: &sources.Chunk{ Data: chunkData, + OriginalData: chunk.OriginalData, SourceName: chunk.SourceName, SourceID: chunk.SourceID, JobID: chunk.JobID, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/trufflehog-3.93.6/pkg/detectors/artifactoryreferencetoken/artifactoryreferencetoken.go new/trufflehog-3.93.7/pkg/detectors/artifactoryreferencetoken/artifactoryreferencetoken.go --- old/trufflehog-3.93.6/pkg/detectors/artifactoryreferencetoken/artifactoryreferencetoken.go 1970-01-01 01:00:00.000000000 +0100 +++ new/trufflehog-3.93.7/pkg/detectors/artifactoryreferencetoken/artifactoryreferencetoken.go 2026-03-04 16:56:42.000000000 +0100 @@ -0,0 +1,166 @@ +package artifactoryreferencetoken + +import ( + "context" + "errors" + "fmt" + "io" + "net/http" + "strings" + + regexp "github.com/wasilibs/go-re2" + + "github.com/trufflesecurity/trufflehog/v3/pkg/cache/simple" + "github.com/trufflesecurity/trufflehog/v3/pkg/detectors" + "github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb" +) + +type Scanner struct { + client *http.Client + detectors.DefaultMultiPartCredentialProvider + detectors.EndpointSetter +} + +var ( + // Ensure the Scanner satisfies the interface at compile time. + _ detectors.Detector = (*Scanner)(nil) + _ detectors.EndpointCustomizer = (*Scanner)(nil) + + defaultClient = detectors.DetectorHttpClientWithNoLocalAddresses + + // Reference tokens are base64-encoded strings starting with "reftkn:01|<version>:<expiry>:<random>" + // The base64 encoding of "reftkn" is "cmVmdGtu", total length is always 64 characters + tokenPat = regexp.MustCompile(`\b(cmVmdGtu[A-Za-z0-9]{56})\b`) + urlPat = regexp.MustCompile(`\b([A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]\.jfrog\.io)`) + + invalidHosts = simple.NewCache[struct{}]() + errNoHost = errors.New("no such host") +) + +func (Scanner) CloudEndpoint() string { return "" } + +// Keywords are used for efficiently pre-filtering chunks. +func (s Scanner) Keywords() []string { + return []string{"cmVmdGtu"} +} + +func (s Scanner) getClient() *http.Client { + if s.client != nil { + return s.client + } + + return defaultClient +} + +// FromData will find and optionally verify Artifactory Reference tokens in a given set of bytes. +func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (results []detectors.Result, err error) { + dataStr := string(data) + + var uniqueTokens, uniqueUrls = make(map[string]struct{}), make(map[string]struct{}) + + for _, match := range tokenPat.FindAllStringSubmatch(dataStr, -1) { + uniqueTokens[match[1]] = struct{}{} + } + + foundUrls := make([]string, 0) + for _, match := range urlPat.FindAllStringSubmatch(dataStr, -1) { + foundUrls = append(foundUrls, match[1]) + } + + // Add found + configured endpoints to the list + for _, endpoint := range s.Endpoints(foundUrls...) { + // If any configured endpoint has `https://` remove it because we append that during verification + endpoint = strings.TrimPrefix(endpoint, "https://";) + uniqueUrls[endpoint] = struct{}{} + } + + for token := range uniqueTokens { + for url := range uniqueUrls { + if invalidHosts.Exists(url) { + continue + } + + s1 := detectors.Result{ + DetectorType: detectorspb.DetectorType_ArtifactoryReferenceToken, + Raw: []byte(token), + RawV2: []byte(token + url), + } + + if verify { + isVerified, verificationErr := verifyToken(ctx, s.getClient(), url, token) + s1.Verified = isVerified + if verificationErr != nil { + if errors.Is(verificationErr, errNoHost) { + invalidHosts.Set(url, struct{}{}) + continue + } + + s1.SetVerificationError(verificationErr, token) + } + + if isVerified { + s1.AnalysisInfo = map[string]string{ + "domain": url, + "token": token, + } + } + } + + results = append(results, s1) + } + } + + return results, nil +} + +func verifyToken(ctx context.Context, client *http.Client, host, token string) (bool, error) { + // https://jfrog.com/help/r/jfrog-rest-apis/get-token-by-id + req, err := http.NewRequestWithContext(ctx, http.MethodGet, + "https://"+host+"/access/api/v1/tokens/me";, http.NoBody) + if err != nil { + return false, err + } + + req.Header.Set("Authorization", "Bearer "+token) + resp, err := client.Do(req) + if err != nil { + if strings.Contains(err.Error(), "no such host") { + return false, errNoHost + } + return false, err + } + + defer func() { + _, _ = io.Copy(io.Discard, resp.Body) + _ = resp.Body.Close() + }() + + switch resp.StatusCode { + case http.StatusOK: + // JFrog returns 200 with HTML for invalid subdomains, so we need to check Content-Type + contentType := resp.Header.Get("Content-Type") + if strings.Contains(contentType, "application/json") { + return true, nil + } + // HTML response indicates invalid subdomain/redirect - treat as invalid host + return false, errNoHost + case http.StatusForbidden: + // 403 - the authenticated principal has no permissions to get the token + return true, nil + case http.StatusUnauthorized: + // 401 - invalid/expired token + return false, nil + default: + // 404 - endpoint not found (possibly wrong URL or old Artifactory version) + // 302 and 500+ + return false, fmt.Errorf("unexpected HTTP response status %d", resp.StatusCode) + } +} + +func (s Scanner) Type() detectorspb.DetectorType { + return detectorspb.DetectorType_ArtifactoryReferenceToken +} + +func (s Scanner) Description() string { + return "JFrog Artifactory is a binary repository manager. Reference tokens are 64-character access tokens that can be used to authenticate API requests, providing access to repositories, builds, and artifacts." +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/trufflehog-3.93.6/pkg/detectors/artifactoryreferencetoken/artifactoryreferencetoken_integration_test.go new/trufflehog-3.93.7/pkg/detectors/artifactoryreferencetoken/artifactoryreferencetoken_integration_test.go --- old/trufflehog-3.93.6/pkg/detectors/artifactoryreferencetoken/artifactoryreferencetoken_integration_test.go 1970-01-01 01:00:00.000000000 +0100 +++ new/trufflehog-3.93.7/pkg/detectors/artifactoryreferencetoken/artifactoryreferencetoken_integration_test.go 2026-03-04 16:56:42.000000000 +0100 @@ -0,0 +1,165 @@ +//go:build detectors +// +build detectors + +package artifactoryreferencetoken + +import ( + "context" + "fmt" + "testing" + "time" + + "github.com/google/go-cmp/cmp" + "github.com/google/go-cmp/cmp/cmpopts" + + "github.com/trufflesecurity/trufflehog/v3/pkg/common" + "github.com/trufflesecurity/trufflehog/v3/pkg/detectors" + "github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb" +) + +func TestArtifactoryreferencetoken_FromChunk(t *testing.T) { + ctx, cancel := context.WithTimeout(context.Background(), time.Second*5) + defer cancel() + testSecrets, err := common.GetSecret(ctx, "trufflehog-testing", "detectors6") + if err != nil { + t.Fatalf("could not get test secrets from GCP: %s", err) + } + + instanceURL := testSecrets.MustGetField("ARTIFACTORY_URL") + secret := testSecrets.MustGetField("ARTIFACTORYREFERENCETOKEN") + inactiveSecret := testSecrets.MustGetField("ARTIFACTORYREFERENCETOKEN_INACTIVE") + + type args struct { + ctx context.Context + data []byte + verify bool + } + tests := []struct { + name string + s Scanner + args args + want []detectors.Result + wantErr bool + wantVerificationErr bool + }{ + { + name: "found, verified", + s: Scanner{}, + args: args{ + ctx: context.Background(), + data: []byte(fmt.Sprintf("You can find a artifactoryreferencetoken secret %s and domain %s within", secret, instanceURL)), + verify: true, + }, + want: []detectors.Result{ + { + DetectorType: detectorspb.DetectorType_ArtifactoryReferenceToken, + Verified: true, + }, + }, + wantErr: false, + wantVerificationErr: false, + }, + { + name: "found, unverified", + s: Scanner{}, + args: args{ + ctx: context.Background(), + data: []byte(fmt.Sprintf("You can find a artifactoryreferencetoken secret %s and domain %s within but not valid", inactiveSecret, instanceURL)), // the secret would satisfy the regex but not pass validation + verify: true, + }, + want: []detectors.Result{ + { + DetectorType: detectorspb.DetectorType_ArtifactoryReferenceToken, + Verified: false, + }, + }, + wantErr: false, + wantVerificationErr: false, + }, + { + name: "not found", + s: Scanner{}, + args: args{ + ctx: context.Background(), + data: []byte("You cannot find the secret within"), + verify: true, + }, + want: nil, + wantErr: false, + wantVerificationErr: false, + }, + { + name: "found, would be verified if not for timeout", + s: Scanner{client: common.SaneHttpClientTimeOut(1 * time.Microsecond)}, + args: args{ + ctx: context.Background(), + data: []byte(fmt.Sprintf("You can find a artifactoryreferencetoken secret %s and domain %s within", secret, instanceURL)), + verify: true, + }, + want: []detectors.Result{ + { + DetectorType: detectorspb.DetectorType_ArtifactoryReferenceToken, + Verified: false, + }, + }, + wantErr: false, + wantVerificationErr: true, + }, + { + name: "found, verified but unexpected api surface", + s: Scanner{client: common.ConstantResponseHttpClient(302, "")}, + args: args{ + ctx: context.Background(), + data: []byte(fmt.Sprintf("You can find a artifactoryreferencetoken secret %s and domain %s within", secret, instanceURL)), + verify: true, + }, + want: []detectors.Result{ + { + DetectorType: detectorspb.DetectorType_ArtifactoryReferenceToken, + Verified: false, + }, + }, + wantErr: false, + wantVerificationErr: true, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + tt.s.UseFoundEndpoints(true) + + got, err := tt.s.FromData(tt.args.ctx, tt.args.verify, tt.args.data) + if (err != nil) != tt.wantErr { + t.Errorf("Artifactoryreferencetoken.FromData() error = %v, wantErr %v", err, tt.wantErr) + return + } + for i := range got { + if len(got[i].Raw) == 0 { + t.Fatalf("no raw secret present: \n %+v", got[i]) + } + if (got[i].VerificationError() != nil) != tt.wantVerificationErr { + t.Fatalf("wantVerificationError = %v, verification error = %v", tt.wantVerificationErr, got[i].VerificationError()) + } + } + ignoreOpts := cmpopts.IgnoreFields(detectors.Result{}, "Raw", "RawV2", "verificationError", "primarySecret", "AnalysisInfo") + if diff := cmp.Diff(got, tt.want, ignoreOpts); diff != "" { + t.Errorf("Artifactoryreferencetoken.FromData() %s diff: (-got +want)\n%s", tt.name, diff) + } + }) + } +} + +func BenchmarkFromData(benchmark *testing.B) { + ctx := context.Background() + s := Scanner{} + for name, data := range detectors.MustGetBenchmarkData() { + benchmark.Run(name, func(b *testing.B) { + b.ResetTimer() + for n := 0; n < b.N; n++ { + _, err := s.FromData(ctx, false, data) + if err != nil { + b.Fatal(err) + } + } + }) + } +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/trufflehog-3.93.6/pkg/detectors/artifactoryreferencetoken/artifactoryreferencetoken_test.go new/trufflehog-3.93.7/pkg/detectors/artifactoryreferencetoken/artifactoryreferencetoken_test.go --- old/trufflehog-3.93.6/pkg/detectors/artifactoryreferencetoken/artifactoryreferencetoken_test.go 1970-01-01 01:00:00.000000000 +0100 +++ new/trufflehog-3.93.7/pkg/detectors/artifactoryreferencetoken/artifactoryreferencetoken_test.go 2026-03-04 16:56:42.000000000 +0100 @@ -0,0 +1,206 @@ +package artifactoryreferencetoken + +import ( + "context" + "testing" + + "github.com/google/go-cmp/cmp" + "github.com/stretchr/testify/require" + + "github.com/trufflesecurity/trufflehog/v3/pkg/detectors" + "github.com/trufflesecurity/trufflehog/v3/pkg/engine/ahocorasick" +) + +func TestArtifactoryReferenceToken_Pattern(t *testing.T) { + d := Scanner{} + ahoCorasickCore := ahocorasick.NewAhoCorasickCore([]detectors.Detector{d}) + + tests := []struct { + name string + input string + cloudEndpoint string + useCloudEndpoint bool + useFoundEndpoint bool + want []string + }{ + { + name: "valid pattern - environment variable", + input: ` + [INFO] Connecting to Artifactory + [DEBUG] Using reference token: cmVmdGtuOjAxOjAwMDAwMDAwMDA6awJQVlZkdEVyWXJ2cVNSemAABVQ1bwaBSWtE + [INFO] Connected to trufflehog.jfrog.io + `, + useCloudEndpoint: false, + useFoundEndpoint: true, + want: []string{ + "cmVmdGtuOjAxOjAwMDAwMDAwMDA6awJQVlZkdEVyWXJ2cVNSemAABVQ1bwaBSWtEtrufflehog.jfrog.io", + }, + }, + { + name: "valid pattern - config file", + input: ` + artifactory: + url: https://trufflehog.jfrog.io + reference_token: cmVmdGtuOjAxOjE3NjkxNjY0NjE6RE2ZeXpdsU1sOENUUG1RqXqDawNeMrJaTapu + `, + useCloudEndpoint: false, + useFoundEndpoint: true, + want: []string{ + "cmVmdGtuOjAxOjE3NjkxNjY0NjE6RE2ZeXpdsU1sOENUUG1RqXqDawNeMrJaTaputrufflehog.jfrog.io", + }, + }, + { + name: "valid pattern - curl command", + input: ` + curl -H "Authorization: Bearer cmVmdGtuOjAxOjE3NzE0OTkzNzY6RG9OS0QxOHVLduRyyUtNrneMwqt6a33TNUZV" \ + https://trufflehog.jfrog.io/artifactory/api/system/ping + `, + useCloudEndpoint: false, + useFoundEndpoint: true, + want: []string{ + "cmVmdGtuOjAxOjE3NzE0OTkzNzY6RG9OS0QxOHVLduRyyUtNrneMwqt6a33TNUZVtrufflehog.jfrog.io", + }, + }, + { + name: "valid pattern - with cloud endpoint", + input: ` + [INFO] Connecting to Artifactory + [DEBUG] Using reference token: cmVmdGtuOjAxOjAwMDAwMDAwMDA6awJQVlZkdEVyWXJ2cVNSemAABVQ1bwaBSWtE + [INFO] Response received: 200 OK + `, + cloudEndpoint: "cloudendpoint.jfrog.io", + useCloudEndpoint: true, + useFoundEndpoint: false, + want: []string{ + "cmVmdGtuOjAxOjAwMDAwMDAwMDA6awJQVlZkdEVyWXJ2cVNSemAABVQ1bwaBSWtEcloudendpoint.jfrog.io", + }, + }, + { + name: "valid pattern - with cloud and found endpoints", + input: ` + [INFO] Connecting to Artifactory + [DEBUG] Using reference token: cmVmdGtuOjAxOjAwMDAwMDAwMDA6awJQVlZkdEVyWXJ2cVNSemAABVQ1bwaBSWtE + [INFO] trufflehog.jfrog.io + [INFO] Response received: 200 OK + `, + cloudEndpoint: "cloudendpoint.jfrog.io", + useCloudEndpoint: true, + useFoundEndpoint: true, + want: []string{ + "cmVmdGtuOjAxOjAwMDAwMDAwMDA6awJQVlZkdEVyWXJ2cVNSemAABVQ1bwaBSWtEcloudendpoint.jfrog.io", + "cmVmdGtuOjAxOjAwMDAwMDAwMDA6awJQVlZkdEVyWXJ2cVNSemAABVQ1bwaBSWtEtrufflehog.jfrog.io", + }, + }, + { + name: "valid pattern - with disabled found endpoints", + input: ` + [INFO] Connecting to Artifactory + [DEBUG] Using reference token: cmVmdGtuOjAxOjAwMDAwMDAwMDA6awJQVlZkdEVyWXJ2cVNSemAABVQ1bwaBSWtE + [INFO] trufflehog.jfrog.io + [INFO] Response received: 200 OK + `, + cloudEndpoint: "cloudendpoint.jfrog.io", + useCloudEndpoint: true, + useFoundEndpoint: false, + want: []string{ + "cmVmdGtuOjAxOjAwMDAwMDAwMDA6awJQVlZkdEVyWXJ2cVNSemAABVQ1bwaBSWtEcloudendpoint.jfrog.io", + }, + }, + { + name: "valid pattern - with https in configured endpoint", + input: ` + [INFO] Connecting to Artifactory + [DEBUG] Using reference token: cmVmdGtuOjAxOjAwMDAwMDAwMDA6awJQVlZkdEVyWXJ2cVNSemAABVQ1bwaBSWtE + [INFO] Response received: 200 OK + `, + cloudEndpoint: "https://cloudendpoint.jfrog.io";, + useCloudEndpoint: true, + useFoundEndpoint: false, + want: []string{ + "cmVmdGtuOjAxOjAwMDAwMDAwMDA6awJQVlZkdEVyWXJ2cVNSemAABVQ1bwaBSWtEcloudendpoint.jfrog.io", + }, + }, + { + name: "finds multiple tokens", + input: ` + # Primary token + export ARTIFACTORY_TOKEN=cmVmdGtuOjAxOjAwMDAwMDAwMDA6awJQVlZkdEVyWXJ2cVNSemAABVQ1bwaBSWtE + # Backup token + export ARTIFACTORY_TOKEN_BACKUP=cmVmdGtuOjAxOjE3NjkxNjY0NjE6RE2ZeXpdsU1sOENUUG1RqXqDawNeMrJaTapu + export ARTIFACTORY_URL=https://trufflehog.jfrog.io + `, + useCloudEndpoint: false, + useFoundEndpoint: true, + want: []string{ + "cmVmdGtuOjAxOjAwMDAwMDAwMDA6awJQVlZkdEVyWXJ2cVNSemAABVQ1bwaBSWtEtrufflehog.jfrog.io", + "cmVmdGtuOjAxOjE3NjkxNjY0NjE6RE2ZeXpdsU1sOENUUG1RqXqDawNeMrJaTaputrufflehog.jfrog.io", + }, + }, + { + name: "invalid pattern - too short", + input: ` + [DEBUG] Using token: cmVmdGtuOjAxOjAwMDAwMDAwMDA6SHORT + [INFO] URL: trufflehog.jfrog.io + `, + useCloudEndpoint: false, + useFoundEndpoint: true, + want: nil, + }, + { + name: "invalid pattern - wrong prefix", + input: ` + [DEBUG] Using token: aBcDeFgHOjAxOjAwMDAwMDAwMDA6awJQVlZkdEVyWXJ2cVNSemAABVQ1bwaBSWtE + [INFO] URL: trufflehog.jfrog.io + `, + useCloudEndpoint: false, + useFoundEndpoint: true, + want: nil, + }, + } + + for _, test := range tests { + t.Run(test.name, func(t *testing.T) { + // Configure endpoint customizer based on test case + d.UseFoundEndpoints(test.useFoundEndpoint) + d.UseCloudEndpoint(test.useCloudEndpoint) + if test.useCloudEndpoint && test.cloudEndpoint != "" { + d.SetCloudEndpoint(test.cloudEndpoint) + } + + matchedDetectors := ahoCorasickCore.FindDetectorMatches([]byte(test.input)) + if len(matchedDetectors) == 0 && len(test.want) > 0 { + t.Errorf("keywords were not matched: %v", d.Keywords()) + return + } + + results, err := d.FromData(context.Background(), false, []byte(test.input)) + require.NoError(t, err) + + if len(results) != len(test.want) { + t.Errorf("expected %d results, got %d", len(test.want), len(results)) + for _, r := range results { + t.Logf("got: %s", string(r.RawV2)) + } + return + } + + actual := make(map[string]struct{}, len(results)) + for _, r := range results { + if len(r.RawV2) > 0 { + actual[string(r.RawV2)] = struct{}{} + } else { + actual[string(r.Raw)] = struct{}{} + } + } + + expected := make(map[string]struct{}, len(test.want)) + for _, v := range test.want { + expected[v] = struct{}{} + } + + if diff := cmp.Diff(expected, actual); diff != "" { + t.Errorf("%s diff: (-want +got)\n%s", test.name, diff) + } + }) + } +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/trufflehog-3.93.6/pkg/detectors/copy_metadata_test.go new/trufflehog-3.93.7/pkg/detectors/copy_metadata_test.go --- old/trufflehog-3.93.6/pkg/detectors/copy_metadata_test.go 1970-01-01 01:00:00.000000000 +0100 +++ new/trufflehog-3.93.7/pkg/detectors/copy_metadata_test.go 2026-03-04 16:56:42.000000000 +0100 @@ -0,0 +1,40 @@ +package detectors + +import ( + "testing" + + "github.com/stretchr/testify/assert" + + "github.com/trufflesecurity/trufflehog/v3/pkg/sources" +) + +func TestCopyMetadata_ChunkDataFromOriginalData(t *testing.T) { + chunk := &sources.Chunk{ + Data: []byte("decoded-data"), + OriginalData: []byte("original-source-data"), + SourceName: "test-source", + } + result := Result{ + DetectorType: 1, + Raw: []byte("secret"), + } + + rwm := CopyMetadata(chunk, result) + + assert.Equal(t, "original-source-data", string(rwm.ChunkData)) +} + +func TestCopyMetadata_ChunkDataFallsBackToData(t *testing.T) { + chunk := &sources.Chunk{ + Data: []byte("only-data"), + SourceName: "test-source", + } + result := Result{ + DetectorType: 1, + Raw: []byte("secret"), + } + + rwm := CopyMetadata(chunk, result) + + assert.Equal(t, "only-data", string(rwm.ChunkData)) +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/trufflehog-3.93.6/pkg/detectors/detectors.go new/trufflehog-3.93.7/pkg/detectors/detectors.go --- old/trufflehog-3.93.6/pkg/detectors/detectors.go 2026-02-27 16:05:52.000000000 +0100 +++ new/trufflehog-3.93.7/pkg/detectors/detectors.go 2026-03-04 16:56:42.000000000 +0100 @@ -217,10 +217,19 @@ DetectorDescription string // DecoderType is the type of decoder that was used to generate this result's data. DecoderType detectorspb.DecoderType + // ChunkData holds the original pre-decode source chunk data, preserved + // for secret storage encryption in the dispatcher. + ChunkData []byte } // CopyMetadata returns a detector result with included metadata from the source chunk. func CopyMetadata(chunk *sources.Chunk, result Result) ResultWithMetadata { + // OriginalData may be nil when CopyMetadata is called outside the engine + // pipeline (e.g., in tests or external consumers that construct chunks directly). + chunkData := chunk.OriginalData + if chunkData == nil { + chunkData = chunk.Data + } return ResultWithMetadata{ SourceMetadata: chunk.SourceMetadata, SourceID: chunk.SourceID, @@ -229,6 +238,7 @@ SourceType: chunk.SourceType, SourceName: chunk.SourceName, Result: result, + ChunkData: chunkData, } } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/trufflehog-3.93.6/pkg/detectors/jdbc/jdbc.go new/trufflehog-3.93.7/pkg/detectors/jdbc/jdbc.go --- old/trufflehog-3.93.6/pkg/detectors/jdbc/jdbc.go 2026-02-27 16:05:52.000000000 +0100 +++ new/trufflehog-3.93.7/pkg/detectors/jdbc/jdbc.go 2026-03-04 16:56:42.000000000 +0100 @@ -50,8 +50,10 @@ var _ detectors.CustomFalsePositiveChecker = (*Scanner)(nil) var ( - // Matches typical JDBC connection strings amd ingores any special character at the end - keyPat = regexp.MustCompile(`(?i)jdbc:[\w]{3,10}:[^\s"'<>,{}[\]]{10,511}[A-Za-z0-9]`) + // Matches typical JDBC connection strings. + // The terminal character class additionally excludes () and & to avoid + // capturing surrounding delimiters (e.g. "(jdbc:…)" or "…&user=x&"). + keyPat = regexp.MustCompile(`(?i)jdbc:[\w]{3,10}:[^\s"'<>,{}[\]]{10,511}[^\s"'<>,{}[\]()&]`) ) // Keywords are used for efficiently pre-filtering chunks. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/trufflehog-3.93.6/pkg/detectors/jdbc/jdbc_test.go new/trufflehog-3.93.7/pkg/detectors/jdbc/jdbc_test.go --- old/trufflehog-3.93.6/pkg/detectors/jdbc/jdbc_test.go 2026-02-27 16:05:52.000000000 +0100 +++ new/trufflehog-3.93.7/pkg/detectors/jdbc/jdbc_test.go 2026-03-04 16:56:42.000000000 +0100 @@ -84,6 +84,13 @@ }, }, { + name: "trailing non-alphanumeric characters in password", + input: `jdbc:hive9://foo.example.com:10191/default;user=MyRoleUser;password=MyPa$$w0rd...`, + want: []string{ + "jdbc:hive9://foo.example.com:10191/default;user=MyRoleUser;password=MyPa$$w0rd...", + }, + }, + { name: "invalid pattern - false positives", input: ` { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/trufflehog-3.93.6/pkg/engine/defaults/defaults.go new/trufflehog-3.93.7/pkg/engine/defaults/defaults.go --- old/trufflehog-3.93.6/pkg/engine/defaults/defaults.go 2026-02-27 16:05:52.000000000 +0100 +++ new/trufflehog-3.93.7/pkg/engine/defaults/defaults.go 2026-03-04 16:56:42.000000000 +0100 @@ -47,6 +47,7 @@ "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/appsynergy" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/apptivo" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/artifactory" + "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/artifactoryreferencetoken" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/artsy" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/asanaoauth" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/asanapersonalaccesstoken" @@ -911,6 +912,7 @@ &appsynergy.Scanner{}, &apptivo.Scanner{}, &artifactory.Scanner{}, + &artifactoryreferencetoken.Scanner{}, &artsy.Scanner{}, &asanaoauth.Scanner{}, &asanapersonalaccesstoken.Scanner{}, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/trufflehog-3.93.6/pkg/engine/engine.go new/trufflehog-3.93.7/pkg/engine/engine.go --- old/trufflehog-3.93.6/pkg/engine/engine.go 2026-02-27 16:05:52.000000000 +0100 +++ new/trufflehog-3.93.7/pkg/engine/engine.go 2026-03-04 16:56:42.000000000 +0100 @@ -854,6 +854,7 @@ startTime := time.Now() sourceVerify := chunk.SourceVerify + chunk.OriginalData = chunk.Data decoded := iterativeDecode(chunk, e.decoders, e.maxDecodeDepth) for _, d := range decoded { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/trufflehog-3.93.6/pkg/engine/engine_test.go new/trufflehog-3.93.7/pkg/engine/engine_test.go --- old/trufflehog-3.93.6/pkg/engine/engine_test.go 2026-02-27 16:05:52.000000000 +0100 +++ new/trufflehog-3.93.7/pkg/engine/engine_test.go 2026-03-04 16:56:42.000000000 +0100 @@ -1373,12 +1373,22 @@ assert.NoError(t, err) var count int + noCloudEndpointDetectors := map[detectorspb.DetectorType]struct{}{ + detectorspb.DetectorType_ArtifactoryAccessToken: {}, + detectorspb.DetectorType_ArtifactoryReferenceToken: {}, + detectorspb.DetectorType_TableauPersonalAccessToken: {}, + // these do not have any cloud endpoint + } + for _, det := range e.detectors { if endpoints, ok := det.(interface{ Endpoints(...string) []string }); ok { id := config.GetDetectorID(det) - if len(endpoints.Endpoints()) == 0 && det.Type() != detectorspb.DetectorType_ArtifactoryAccessToken && det.Type() != detectorspb.DetectorType_TableauPersonalAccessToken { // artifactory and tableau does not have any cloud endpoint - t.Fatalf("detector %q Endpoints() is empty", id.String()) + if len(endpoints.Endpoints()) == 0 { + if _, ok := noCloudEndpointDetectors[det.Type()]; !ok { + t.Fatalf("detector %q Endpoints() is empty", id.String()) + } } + count++ } } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/trufflehog-3.93.6/pkg/pb/detectorspb/detectors.pb.go new/trufflehog-3.93.7/pkg/pb/detectorspb/detectors.pb.go --- old/trufflehog-3.93.6/pkg/pb/detectorspb/detectors.pb.go 2026-02-27 16:05:52.000000000 +0100 +++ new/trufflehog-3.93.7/pkg/pb/detectorspb/detectors.pb.go 2026-03-04 16:56:42.000000000 +0100 @@ -1148,6 +1148,7 @@ DetectorType_JWT DetectorType = 1039 DetectorType_OpenAIAdmin DetectorType = 1040 DetectorType_GoogleGeminiAPIKey DetectorType = 1041 + DetectorType_ArtifactoryReferenceToken DetectorType = 1042 ) // Enum value maps for DetectorType. @@ -2191,6 +2192,7 @@ 1039: "JWT", 1040: "OpenAIAdmin", 1041: "GoogleGeminiAPIKey", + 1042: "ArtifactoryReferenceToken", } DetectorType_value = map[string]int32{ "Alibaba": 0, @@ -3231,6 +3233,7 @@ "JWT": 1039, "OpenAIAdmin": 1040, "GoogleGeminiAPIKey": 1041, + "ArtifactoryReferenceToken": 1042, } ) @@ -3684,7 +3687,7 @@ 0x4c, 0x41, 0x49, 0x4e, 0x10, 0x01, 0x12, 0x0a, 0x0a, 0x06, 0x42, 0x41, 0x53, 0x45, 0x36, 0x34, 0x10, 0x02, 0x12, 0x09, 0x0a, 0x05, 0x55, 0x54, 0x46, 0x31, 0x36, 0x10, 0x03, 0x12, 0x13, 0x0a, 0x0f, 0x45, 0x53, 0x43, 0x41, 0x50, 0x45, 0x44, 0x5f, 0x55, 0x4e, 0x49, 0x43, 0x4f, 0x44, 0x45, - 0x10, 0x04, 0x2a, 0xf0, 0x86, 0x01, 0x0a, 0x0c, 0x44, 0x65, 0x74, 0x65, 0x63, 0x74, 0x6f, 0x72, + 0x10, 0x04, 0x2a, 0x90, 0x87, 0x01, 0x0a, 0x0c, 0x44, 0x65, 0x74, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x54, 0x79, 0x70, 0x65, 0x12, 0x0b, 0x0a, 0x07, 0x41, 0x6c, 0x69, 0x62, 0x61, 0x62, 0x61, 0x10, 0x00, 0x12, 0x08, 0x0a, 0x04, 0x41, 0x4d, 0x51, 0x50, 0x10, 0x01, 0x12, 0x07, 0x0a, 0x03, 0x41, 0x57, 0x53, 0x10, 0x02, 0x12, 0x09, 0x0a, 0x05, 0x41, 0x7a, 0x75, 0x72, 0x65, 0x10, 0x03, 0x12, @@ -4763,7 +4766,9 @@ 0x08, 0x12, 0x08, 0x0a, 0x03, 0x4a, 0x57, 0x54, 0x10, 0x8f, 0x08, 0x12, 0x10, 0x0a, 0x0b, 0x4f, 0x70, 0x65, 0x6e, 0x41, 0x49, 0x41, 0x64, 0x6d, 0x69, 0x6e, 0x10, 0x90, 0x08, 0x12, 0x17, 0x0a, 0x12, 0x47, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x47, 0x65, 0x6d, 0x69, 0x6e, 0x69, 0x41, 0x50, 0x49, - 0x4b, 0x65, 0x79, 0x10, 0x91, 0x08, 0x42, 0x3d, 0x5a, 0x3b, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, + 0x4b, 0x65, 0x79, 0x10, 0x91, 0x08, 0x12, 0x1e, 0x0a, 0x19, 0x41, 0x72, 0x74, 0x69, 0x66, 0x61, + 0x63, 0x74, 0x6f, 0x72, 0x79, 0x52, 0x65, 0x66, 0x65, 0x72, 0x65, 0x6e, 0x63, 0x65, 0x54, 0x6f, + 0x6b, 0x65, 0x6e, 0x10, 0x92, 0x08, 0x42, 0x3d, 0x5a, 0x3b, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x74, 0x72, 0x75, 0x66, 0x66, 0x6c, 0x65, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2f, 0x74, 0x72, 0x75, 0x66, 0x66, 0x6c, 0x65, 0x68, 0x6f, 0x67, 0x2f, 0x76, 0x33, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x70, 0x62, 0x2f, 0x64, 0x65, 0x74, 0x65, 0x63, 0x74, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/trufflehog-3.93.6/pkg/sources/filesystem/filesystem_test.go new/trufflehog-3.93.7/pkg/sources/filesystem/filesystem_test.go --- old/trufflehog-3.93.6/pkg/sources/filesystem/filesystem_test.go 2026-02-27 16:05:52.000000000 +0100 +++ new/trufflehog-3.93.7/pkg/sources/filesystem/filesystem_test.go 2026-03-04 16:56:42.000000000 +0100 @@ -347,7 +347,8 @@ defer cleanupDir() // create an ExcludePathsFile that contains the ignoreDir path - excludeFile, cleanupFile, err := createTempFile("", ignoreDir+"\n") + // In windows path contains \ so we escape it by replacing it with \\ in ignoreDir + excludeFile, cleanupFile, err := createTempFile("", strings.ReplaceAll(ignoreDir, `\`, `\\`)+"\n") require.NoError(t, err) defer cleanupFile() @@ -392,8 +393,8 @@ // Create an IncludePathsFile with the absolute path of the file includeFilePath := filepath.Join(testDir, "include.txt") - err = os.WriteFile(includeFilePath, []byte(filePath+"\n"), 0644) - require.NoError(t, err) + err = os.WriteFile(includeFilePath, []byte(strings.ReplaceAll(filePath, `\`, `\\`)+"\n"), 0644) + require.NoError(t, err) conn, err := anypb.New(&sourcespb.Filesystem{ IncludePathsFile: includeFilePath, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/trufflehog-3.93.6/pkg/sources/sources.go new/trufflehog-3.93.7/pkg/sources/sources.go --- old/trufflehog-3.93.6/pkg/sources/sources.go 2026-02-27 16:05:52.000000000 +0100 +++ new/trufflehog-3.93.7/pkg/sources/sources.go 2026-03-04 16:56:42.000000000 +0100 @@ -21,14 +21,13 @@ ) // Chunk contains data to be decoded and scanned along with context on where it came from. -// -// **Important:** The order of the fields in this struct is specifically designed to optimize -// struct alignment and minimize memory usage. Do not change the field order without carefully considering -// the potential impact on memory consumption. -// Ex: https://go.dev/play/p/Azf4a7O-DhC type Chunk struct { // Data is the data to decode and scan. Data []byte + // OriginalData holds the pre-decode source data, preserved for secret + // storage. Set before iterative decoding so it retains the original + // content even after Data is replaced with decoded forms. + OriginalData []byte // SourceName is the name of the Source that produced the chunk. SourceName string diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/trufflehog-3.93.6/pkg/sources/sources_test.go new/trufflehog-3.93.7/pkg/sources/sources_test.go --- old/trufflehog-3.93.6/pkg/sources/sources_test.go 2026-02-27 16:05:52.000000000 +0100 +++ new/trufflehog-3.93.7/pkg/sources/sources_test.go 2026-03-04 16:56:42.000000000 +0100 @@ -7,8 +7,10 @@ "github.com/stretchr/testify/assert" ) -// TestChunkSize ensures that the Chunk struct does not exceed 80 bytes. +// TestChunkSize ensures that the Chunk struct does not exceed 104 bytes. +// Size increased from 80 to 104 with the addition of OriginalData []byte +// (24-byte slice header) for secret storage chunk threading. func TestChunkSize(t *testing.T) { t.Parallel() - assert.Equal(t, unsafe.Sizeof(Chunk{}), uintptr(80), "Chunk struct size exceeds 80 bytes") + assert.Equal(t, unsafe.Sizeof(Chunk{}), uintptr(104), "Chunk struct size exceeds 104 bytes") } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/trufflehog-3.93.6/proto/detectors.proto new/trufflehog-3.93.7/proto/detectors.proto --- old/trufflehog-3.93.6/proto/detectors.proto 2026-02-27 16:05:52.000000000 +0100 +++ new/trufflehog-3.93.7/proto/detectors.proto 2026-03-04 16:56:42.000000000 +0100 @@ -1051,6 +1051,7 @@ JWT = 1039; OpenAIAdmin = 1040; GoogleGeminiAPIKey = 1041; + ArtifactoryReferenceToken = 1042; } message Result { ++++++ trufflehog.obsinfo ++++++ --- /var/tmp/diff_new_pack.R0cogS/_old 2026-03-05 18:20:55.714537168 +0100 +++ /var/tmp/diff_new_pack.R0cogS/_new 2026-03-05 18:20:55.718537333 +0100 @@ -1,5 +1,5 @@ name: trufflehog -version: 3.93.6 -mtime: 1772204752 -commit: 041f07e9df901a1038a528e5525b0226d04dd5ea +version: 3.93.7 +mtime: 1772639802 +commit: c3e599b7163e8198a55467f3133db0e7b2a492cb ++++++ vendor.tar.gz ++++++ /work/SRC/openSUSE:Factory/trufflehog/vendor.tar.gz /work/SRC/openSUSE:Factory/.trufflehog.new.561/vendor.tar.gz differ: char 13, line 1
