Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package gitleaks for openSUSE:Factory checked in at 2024-06-17 19:28:20 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/gitleaks (Old) and /work/SRC/openSUSE:Factory/.gitleaks.new.19518 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "gitleaks" Mon Jun 17 19:28:20 2024 rev:5 rq:1180962 version:8.18.4 Changes: -------- --- /work/SRC/openSUSE:Factory/gitleaks/gitleaks.changes 2024-06-03 17:42:51.913711428 +0200 +++ /work/SRC/openSUSE:Factory/.gitleaks.new.19518/gitleaks.changes 2024-06-17 19:28:56.993057325 +0200 @@ -1,0 +2,13 @@ +Fri Jun 14 18:14:02 UTC 2024 - opensuse_buildserv...@ojkastl.de + +- Update to version 8.18.4: + * Limit hashicorp-tf-password to .tf/.hcl files (#1420) + * rm print + * reduce telegram... todo url and xml for later + * coderabbit.ai <3 + * Add NewRelic insert key detection (#1417) + * Improved Telegram bot token rule regex and added more test + cases (#1404) + * Add intra42 client secret (#1408) + +------------------------------------------------------------------- Old: ---- gitleaks-8.18.3.tar.gz New: ---- gitleaks-8.18.4.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ gitleaks.spec ++++++ --- /var/tmp/diff_new_pack.c0Z4Gx/_old 2024-06-17 19:28:57.777086018 +0200 +++ /var/tmp/diff_new_pack.c0Z4Gx/_new 2024-06-17 19:28:57.777086018 +0200 @@ -20,7 +20,7 @@ %define __arch_install_post export NO_BRP_STRIP_DEBUG=true Name: gitleaks -Version: 8.18.3 +Version: 8.18.4 Release: 0 Summary: Protect and discover secrets using Gitleaks License: MIT ++++++ _service ++++++ --- /var/tmp/diff_new_pack.c0Z4Gx/_old 2024-06-17 19:28:57.817087482 +0200 +++ /var/tmp/diff_new_pack.c0Z4Gx/_new 2024-06-17 19:28:57.821087629 +0200 
@@ -3,7 +3,7 @@ <param name="url">https://github.com/zricethezav/gitleaks</param> <param name="scm">git</param> <param name="exclude">.git</param> - <param name="revision">v8.18.3</param> + <param name="revision">v8.18.4</param> <param name="versionformat">@PARENT_TAG@</param> <param name="changesgenerate">enable</param> <param name="versionrewrite-pattern">v(.*)</param> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.c0Z4Gx/_old 2024-06-17 19:28:57.837088214 +0200 +++ /var/tmp/diff_new_pack.c0Z4Gx/_new 2024-06-17 19:28:57.841088360 +0200 @@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/zricethezav/gitleaks</param> - <param name="changesrevision">39947b0b0d3f1829438000819c1ba9dbeb023a89</param></service></servicedata> + <param name="changesrevision">02808f45d038526bfcceebcbf6421c1047997ff9</param></service></servicedata> (No newline at EOF) ++++++ gitleaks-8.18.3.tar.gz -> gitleaks-8.18.4.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gitleaks-8.18.3/README.md new/gitleaks-8.18.4/README.md --- old/gitleaks-8.18.3/README.md 2024-05-31 22:51:43.000000000 +0200 +++ new/gitleaks-8.18.4/README.md 2024-06-13 17:23:26.000000000 +0200 
@@ -402,13 +402,19 @@ You can ignore specific findings by creating a `.gitleaksignore` file at the root of your repo. In release v8.10.0 Gitleaks added a `Fingerprint` value to the Gitleaks report. Each leak, or finding, has a Fingerprint that uniquely identifies a secret. Add this fingerprint to the `.gitleaksignore` file to ignore that specific secret. See Gitleaks' [.gitleaksignore](https://github.com/zricethezav/gitleaks/blob/master/.gitleaksignore) for an example. Note: this feature is experimental and is subject to change in the future. ## Sponsorships - +<p align="left"> + <h3><a href="https://coderabbit.ai/?utm_source=oss&utm_medium=sponsorship&utm_campaign=gitleaks">coderabbit.ai</h3> + <a href="https://coderabbit.ai/?utm_source=oss&utm_medium=sponsorship&utm_campaign=gitleaks"> + <img alt="CodeRabbit.ai Sponsorship" src="https://github.com/gitleaks/gitleaks/assets/15034943/76c30a85-887b-47ca-9956-17a8e55c6c41" width=200> + </a> +</p> <p align="left"> <a href="https://www.tines.com/?utm_source=oss&utm_medium=sponsorship&utm_campaign=gitleaks"> <img alt="Tines Sponsorship" src="https://user-images.githubusercontent.com/15034943/146411864-4878f936-b4f7-49a0-b625-f9f40c704bfa.png" width=200> </a> </p> + ## Exit Codes You can always set the exit code when leaks are encountered with the --exit-code flag. Default exit codes below: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gitleaks-8.18.3/cmd/generate/config/main.go new/gitleaks-8.18.4/cmd/generate/config/main.go --- old/gitleaks-8.18.3/cmd/generate/config/main.go 2024-05-31 22:51:43.000000000 +0200 +++ new/gitleaks-8.18.4/cmd/generate/config/main.go 2024-06-13 17:23:26.000000000 +0200 @@ -106,6 +106,7 @@ rules.HuggingFaceAccessToken(), rules.HuggingFaceOrganizationApiToken(), rules.Intercom(), + rules.Intra42ClientSecret(), rules.JFrogAPIKey(), rules.JFrogIdentityToken(), rules.JWT(), 
@@ -132,6 +133,7 @@ rules.NewRelicUserID(), rules.NewRelicUserKey(), rules.NewRelicBrowserAPIKey(), + rules.NewRelicInsertKey(), rules.NPM(), rules.NytimesAccessToken(), rules.OktaAccessToken(), diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gitleaks-8.18.3/cmd/generate/config/rules/hashicorp.go new/gitleaks-8.18.4/cmd/generate/config/rules/hashicorp.go --- old/gitleaks-8.18.3/cmd/generate/config/rules/hashicorp.go 2024-05-31 22:51:43.000000000 +0200 +++ new/gitleaks-8.18.4/cmd/generate/config/rules/hashicorp.go 2024-06-13 17:23:26.000000000 +0200 
@@ -32,17 +32,20 @@
 RuleID: "hashicorp-tf-password",
 Regex: generateSemiGenericRegex(keywords, fmt.Sprintf(`"%s"`, alphaNumericExtended("8,20")), true),
 Keywords: keywords,
+ Path: regexp.MustCompile(`\.(tf|hcl)$`),
 }
- tps := []string{
+ tps := map[string]string{
 // Example from: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/sql_server.html
- "administrator_login_password = " + `"thisIsDog11"`,
+ "file.tf": "administrator_login_password = " + `"thisIsDog11"`,
 // https://registry.terraform.io/providers/petoju/mysql/latest/docs
- "password = " + `"rootpasswd"`,
+ "file.hcl": "password = " + `"rootpasswd"`,
 }
- fps := []string{
- "administrator_login_password = var.db_password",
- `password = "${aws_db_instance.default.password}"`,
+ fps := map[string]string{
+ "file.tf": "administrator_login_password = var.db_password",
+ "file.hcl": `password = "${aws_db_instance.default.password}"`,
+ "unrelated.js": "password = " + `"rootpasswd"`,
 }
- return validate(r, tps, fps)
+
+ return validateWithPaths(r, tps, fps)
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gitleaks-8.18.3/cmd/generate/config/rules/intra42.go new/gitleaks-8.18.4/cmd/generate/config/rules/intra42.go
--- old/gitleaks-8.18.3/cmd/generate/config/rules/intra42.go 1970-01-01 01:00:00.000000000 +0100
+++ new/gitleaks-8.18.4/cmd/generate/config/rules/intra42.go 2024-06-13 17:23:26.000000000 +0200
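Review bot: The new `Path: regexp.MustCompile(`\.(tf|hcl)$`)` restriction also drops `.tfvars` files, which is where Terraform variable values (including passwords) are conventionally assigned, so a literal `password = "..."` in `terraform.tfvars` will no longer be reported; `.tf.json` is excluded the same way. Consider `Path: regexp.MustCompile(`\.(tf|tfvars|hcl)$`),` and add a matching sample such as `"vars.tfvars": "password = " + `"rootpasswd"`,` to `tps` so the path filter is exercised for that extension. The hunk introduces `regexp` into this file without showing its import block; if hashicorp.go did not already import it, the file will not compile. The enclosing function starts outside the hunk.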
@@ -0,0 +1,29 @@
+package rules
+
+import (
+ "github.com/zricethezav/gitleaks/v8/cmd/generate/secrets"
+ "github.com/zricethezav/gitleaks/v8/config"
+)
+
+func Intra42ClientSecret() *config.Rule {
+ // define rule
+ r := config.Rule{
+ Description: "Found a Intra42 client secret, which could lead to unauthorized access to the 42School API and sensitive data.",
+ RuleID: "intra42-client-secret",
+ Regex: generateUniqueTokenRegex(`s-s4t2(?:ud|af)-[abcdef0123456789]{64}`, true),
+ Keywords: []string{
+ "intra",
+ "s-s4t2ud-",
+ "s-s4t2af-",
+ },
+ }
+
+ // validate
+ tps := []string{
+ "clientSecret := \"s-s4t2ud-" + secrets.NewSecret(hex("64")) + "\"",
+ "clientSecret := \"s-s4t2af-" + secrets.NewSecret(hex("64")) + "\"",
+ "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", // gitleaks:allow
+ "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", // gitleaks:allow
+ }
+ return validate(r, tps, nil)
+}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gitleaks-8.18.3/cmd/generate/config/rules/newrelic.go new/gitleaks-8.18.4/cmd/generate/config/rules/newrelic.go
--- old/gitleaks-8.18.3/cmd/generate/config/rules/newrelic.go 2024-05-31 22:51:43.000000000 +0200
+++ new/gitleaks-8.18.4/cmd/generate/config/rules/newrelic.go 2024-06-13 17:23:26.000000000 +0200
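Review bot: The hand-written class `[abcdef0123456789]{64}` in the `Regex:` line is the same thing the true positives already spell as `hex("64")`; writing `Regex: generateUniqueTokenRegex(`s-s4t2(?:ud|af)-`+hex("64"), true),` keeps the pattern and its samples from drifting apart. `validate(r, tps, nil)` passes no false positives, so the 64-character boundary is unchecked; a sample with 63 hex characters and one with a non-hex character in the body would pin it. The `"intra"` keyword is much broader than the two prefixes and will pull every fragment mentioning "intra" through the regex; that is only a performance cost here, but the rule would work with the two `s-s4t2..-` keywords alone. The description should read `"Found an Intra42 client secret, ..."`.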
@@ -75,3 +75,26 @@
 }
 return validate(r, tps, nil)
 }
+
+func NewRelicInsertKey() *config.Rule {
+ // define rule
+ r := config.Rule{
+ RuleID: "new-relic-insert-key",
+ Description: "Discovered a New Relic insight insert key, compromising data injection into the platform.",
+ Regex: generateSemiGenericRegex([]string{
+ "new-relic",
+ "newrelic",
+ "new_relic",
+ }, `NRII-[a-z0-9-]{32}`, true),
+
+ Keywords: []string{
+ "NRII-",
+ },
+ }
+
+ // validate
+ tps := []string{
+ generateSampleSecret("new-relic", "NRII-"+secrets.NewSecret(hex("32"))),
+ }
+ return validate(r, tps, nil)
+}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gitleaks-8.18.3/cmd/generate/config/rules/rule.go new/gitleaks-8.18.4/cmd/generate/config/rules/rule.go
--- old/gitleaks-8.18.3/cmd/generate/config/rules/rule.go 2024-05-31 22:51:43.000000000 +0200
+++ new/gitleaks-8.18.4/cmd/generate/config/rules/rule.go 2024-06-13 17:23:26.000000000 +0200
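Review bot: The description `"Discovered a New Relic insight insert key, compromising data injection into the platform."` does not state the actual risk; an insert key lets its holder write arbitrary event and metric data into the account, so `"Discovered a New Relic Insights insert key, which allows arbitrary event and metric data to be written into the account."` describes it accurately. The only true positive is built from `hex("32")`, which exercises a subset of the `[a-z0-9-]{32}` body and never the length boundary; adding a 31-character sample to a false-positive list instead of passing `nil` would pin that. The blank line between the `Regex:` and `Keywords:` fields inside the struct literal is unlike the other rule in this commit (intra42.go) and looks unintentional.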
@@ -97,6 +97,34 @@ return &r } +func validateWithPaths(r config.Rule, truePositives map[string]string, falsePositives map[string]string) *config.Rule { + var keywords []string + for _, k := range r.Keywords { + keywords = append(keywords, strings.ToLower(k)) + } + r.Keywords = keywords + + rules := make(map[string]config.Rule) + rules[r.RuleID] = r + d := detect.NewDetector(config.Config{ + Rules: rules, + Keywords: keywords, + }) + for path, tp := range truePositives { + f := detect.Fragment{Raw: tp, FilePath: path} + if len(d.Detect(f)) != 1 { + log.Fatal().Msgf("Failed to validate. For rule ID [%s], true positive [%s] in %s was not detected by regexp [%s] path [%s]", r.RuleID, tp, path, r.Regex, r.Path) + } + } + for path, fp := range falsePositives { + f := detect.Fragment{Raw: fp, FilePath: path} + if len(d.Detect(f)) != 0 { + log.Fatal().Msgf("Failed to validate. For rule ID [%s], false positive [%s] in %s was detected by regexp [%s] path [%s]", r.RuleID, fp, path, r.Regex, r.Path) + } + } + return &r +} + func numeric(size string) string { return fmt.Sprintf(`[0-9]{%s}`, size) } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gitleaks-8.18.3/cmd/generate/config/rules/telegram.go new/gitleaks-8.18.4/cmd/generate/config/rules/telegram.go --- old/gitleaks-8.18.3/cmd/generate/config/rules/telegram.go 2024-05-31 22:51:43.000000000 +0200 +++ new/gitleaks-8.18.4/cmd/generate/config/rules/telegram.go 2024-06-13 17:23:26.000000000 +0200 
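Review bot: `validateWithPaths` repeats the keyword-lowercasing and `detect.NewDetector` setup that `validate` (presumably just above this hunk, not visible here) already performs, so the two will drift the next time one is touched; having `validate` delegate to this function with an empty path, or extracting the detector construction into a shared helper, keeps one copy. The `map[string]string` parameters also admit only one sample per file name, so a rule cannot be validated with two true positives for the same extension without inventing distinct names; `map[string][]string` would remove that limit. Because map iteration order is random, when several samples fail the one reported by `log.Fatal()` varies between runs, which is worth knowing when reading CI output. The hunk relies on `strings` and `log` being imported in rule.go; the import block is outside the hunk.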
@@ -13,44 +13,67 @@ Description: "Detected a Telegram Bot API Token, risking unauthorized bot operations and message interception on Telegram.", RuleID: "telegram-bot-api-token", - Regex: regexp.MustCompile(`(?i)(?:^|[^0-9])([0-9]{5,16}:A[a-zA-Z0-9_\-]{34})(?:$|[^a-zA-Z0-9_\-])`), + Regex: regexp.MustCompile(`(?i:(?:telegr)(?:[0-9a-z\(-_\t .\\]{0,40})(?:[\s|']|[\s|"]){0,3})(?:=|\|\|:|<=|=>|:|\?=|\()(?:'|\"|\s|=|\x60){0,5}([0-9]{5,16}:A[a-z0-9_\-]{34})(?:['|\"|\n|\r|\s|\x60|;|\\]|$)`), Keywords: []string{ - "telegram", - "api", - "bot", - "token", - "url", + "telegr", }, } // validate - validToken := secrets.NewSecret(numeric("8") + ":A" + alphaNumericExtendedShort("34")) - minToken := secrets.NewSecret(numeric("5") + ":A" + alphaNumericExtendedShort("34")) - maxToken := secrets.NewSecret(numeric("16") + ":A" + alphaNumericExtendedShort("34")) + var ( + validToken = secrets.NewSecret(numeric("8") + ":A" + alphaNumericExtendedShort("34")) + minToken = secrets.NewSecret(numeric("5") + ":A" + alphaNumericExtendedShort("34")) + maxToken = secrets.NewSecret(numeric("16") + ":A" + alphaNumericExtendedShort("34")) + // xsdWithToken = secrets.NewSecret(`<xsd:element name="AgencyIdentificationCode" type="` + numeric("5") + `:A` + alphaNumericExtendedShort("34") + `"/>`) + ) tps := []string{ // variable assignment generateSampleSecret("telegram", validToken), - // URL containing token - generateSampleSecret("url", "https://api.telegram.org/bot"+validToken+"/sendMessage"), + // URL containing token TODO add another url based rule + // generateSampleSecret("url", "https://api.telegram.org/bot"+validToken+"/sendMessage"), // object constructor `const bot = new Telegraf("` + validToken + `")`, // .env - `API_TOKEN = ` + validToken, + `TELEGRAM_API_TOKEN = ` + validToken, // YAML - `bot: ` + validToken, + `telegram bot: ` + validToken, // Token with min bot_id generateSampleSecret("telegram", minToken), // Token with max bot_id generateSampleSecret("telegram", maxToken), + // 
Valid token in XSD document TODO separate rule for this + // generateSampleSecret("telegram", xsdWithToken), } - tooSmallToken := secrets.NewSecret(numeric("4") + ":A" + alphaNumericExtendedShort("34")) - tooBigToken := secrets.NewSecret(numeric("17") + ":A" + alphaNumericExtendedShort("34")) + var ( + tooSmallToken = secrets.NewSecret(numeric("4") + ":A" + alphaNumericExtendedShort("34")) + tooBigToken = secrets.NewSecret(numeric("17") + ":A" + alphaNumericExtendedShort("34")) + xsdAgencyIdentificationCode1 = secrets.NewSecret(`<xsd:element name="AgencyIdentificationCode" type="clm`+numeric("5")+":AgencyIdentificationCodeContentType") + `"/>` + xsdAgencyIdentificationCode2 = secrets.NewSecret(`token:"clm` + numeric("5") + `:AgencyIdentificationCodeContentType"`) + xsdAgencyIdentificationCode3 = secrets.NewSecret(`<xsd:element name="AgencyIdentificationCode" type="clm` + numeric("8") + `:AgencyIdentificationCodeContentType"/>`) + prefixedToken1 = secrets.NewSecret(`telegram_api_token = \"` + numeric("8") + `:Ahello` + alphaNumericExtendedShort("34") + `\"`) + prefixedToken2 = secrets.NewSecret(`telegram_api_token = \"` + numeric("8") + `:A-some-other-thing-` + alphaNumericExtendedShort("34") + `\"`) + prefixedToken3 = secrets.NewSecret(`telegram_api_token = \"` + numeric("8") + `:A_` + alphaNumericExtendedShort("34") + `\"`) + suffixedToken1 = secrets.NewSecret(`telegram_api_token = \"` + numeric("8") + `:A` + alphaNumericExtendedShort("34") + `hello\"`) + suffixedToken2 = secrets.NewSecret(`telegram_api_token = \"` + numeric("8") + `:A` + alphaNumericExtendedShort("34") + `-some-other-thing\"`) + suffixedToken3 = secrets.NewSecret(`telegram_api_token = \"` + numeric("8") + `:A_` + alphaNumericExtendedShort("34") + `_\"`) + ) fps := []string{ // Token with too small bot_id generateSampleSecret("telegram", tooSmallToken), // Token with too big bot_id generateSampleSecret("telegram", tooBigToken), + // XSD file containing the string 
AgencyIdentificationCodeContentType + generateSampleSecret("telegram", xsdAgencyIdentificationCode1), + generateSampleSecret("telegram", xsdAgencyIdentificationCode2), + generateSampleSecret("telegram", xsdAgencyIdentificationCode3), + // Prefix and suffix variations that shouldn't match + generateSampleSecret("telegram", prefixedToken1), + generateSampleSecret("telegram", prefixedToken2), + generateSampleSecret("telegram", prefixedToken3), + generateSampleSecret("telegram", suffixedToken1), + generateSampleSecret("telegram", suffixedToken2), + generateSampleSecret("telegram", suffixedToken3), } return validate(r, tps, fps) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gitleaks-8.18.3/config/gitleaks.toml new/gitleaks-8.18.4/config/gitleaks.toml --- old/gitleaks-8.18.3/config/gitleaks.toml 2024-05-31 22:51:43.000000000 +0200 +++ new/gitleaks-8.18.4/config/gitleaks.toml 2024-06-13 17:23:26.000000000 +0200 @@ -2105,6 +2105,7 @@ id = "hashicorp-tf-password" description = "Identified a HashiCorp Terraform password field, risking unauthorized infrastructure configuration and security breaches." regex = '''(?i)(?:administrator_login_password|password)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}("[a-z0-9=_\-]{8,20}")(?:['|\"|\n|\r|\s|\x60|;]|$)''' +path = '''\.(tf|hcl)$''' keywords = [ "administrator_login_password","password", ] 
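Review bot: In the new `Regex:` the case-insensitive flag is scoped as `(?i:...)` around the keyword prefix only, so the captured token body `[a-z0-9_\-]{34}` is now case-sensitive and a token with upper-case letters after `:A` is no longer reported, whereas the old pattern used a global `(?i)` with `[a-zA-Z0-9_\-]`. The validation samples come from `alphaNumericExtendedShort("34")`, which is defined outside this hunk; if that helper emits only lower-case letters, the true positives cannot catch this regression. Suggest `([0-9]{5,16}:A(?i:[a-z0-9_\-]{34}))` for the capture group (keeping the literal `A` case-sensitive as before) plus a mixed-case true positive such as `generateSampleSecret("telegram", "12345678:AAbCdEfGhIjKlMnOpQrStUvWxYz01234567")` (constructed value). The enclosing function starts outside the hunk.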
@@ -2160,6 +2161,14 @@ ] [[rules]] +id = "intra42-client-secret" +description = "Found a Intra42 client secret, which could lead to unauthorized access to the 42School API and sensitive data." +regex = '''(?i)\b(s-s4t2(?:ud|af)-[abcdef0123456789]{64})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +keywords = [ + "intra","s-s4t2ud-","s-s4t2af-", +] + +[[rules]] id = "jfrog-api-key" description = "Found a JFrog API Key, posing a risk of unauthorized access to software artifact repositories and build pipelines." regex = '''(?i)(?:jfrog|artifactory|bintray|xray)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{73})(?:['|\"|\n|\r|\s|\x60|;]|$)''' @@ -2360,6 +2369,14 @@ ] [[rules]] +id = "new-relic-insert-key" +description = "Discovered a New Relic insight insert key, compromising data injection into the platform." +regex = '''(?i)(?:new-relic|newrelic|new_relic)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}(NRII-[a-z0-9-]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +keywords = [ + "nrii-", +] + +[[rules]] id = "new-relic-user-api-id" description = "Found a New Relic user API ID, posing a risk to application monitoring services and data integrity." regex = '''(?i)(?:new-relic|newrelic|new_relic)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{64})(?:['|\"|\n|\r|\s|\x60|;]|$)''' 
@@ -2758,9 +2775,9 @@ [[rules]] id = "telegram-bot-api-token" description = "Detected a Telegram Bot API Token, risking unauthorized bot operations and message interception on Telegram." -regex = '''(?i)(?:^|[^0-9])([0-9]{5,16}:A[a-zA-Z0-9_\-]{34})(?:$|[^a-zA-Z0-9_\-])''' +regex = '''(?i:(?:telegr)(?:[0-9a-z\(-_\t .\\]{0,40})(?:[\s|']|[\s|"]){0,3})(?:=|\|\|:|<=|=>|:|\?=|\()(?:'|\"|\s|=|\x60){0,5}([0-9]{5,16}:A[a-z0-9_\-]{34})(?:['|\"|\n|\r|\s|\x60|;|\\]|$)''' keywords = [ - "telegram","api","bot","token","url", + "telegr", ] [[rules]] ++++++ vendor.tar.gz ++++++