commit gitleaks for openSUSE:Factory

3 Jun 2024

Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package gitleaks for openSUSE:Factory checked in at 2024-06-03 17:42:43
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/gitleaks (Old)
 and      /work/SRC/openSUSE:Factory/.gitleaks.new.24587 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "gitleaks"

Mon Jun  3 17:42:43 2024 rev:4 rq:1178068 version:8.18.3

Changes:
--------

--- /work/SRC/openSUSE:Factory/gitleaks/gitleaks.changes	2024-05-06 17:56:09.317427129 +0200
+++ /work/SRC/openSUSE:Factory/.gitleaks.new.24587/gitleaks.changes	2024-06-03 17:42:51.913711428 +0200
@@ -1,0 +2,19 @@
+Sat Jun 01 15:28:13 UTC 2024 - opensuse_buildservice@ojkastl.de
+
+- Update to version 8.18.3:
+  * extend FB access token discovery (#1407)
+  * tests: scalingo validation consistent test (#1359)
+  * add real (test) standard and restricted keys (#1375)
+  * Add Cloudflare API and Origin CA keys (#1374)
+  * Update "contributing guidelines" link (#1390)
+  * add update token from square (#1370)
+  * feat: facebook secret, access token, and page access token
+    rules (#1372)
+  * update mailchimp with new tokens (#1376)
+  * Append ordered rules when extending (#1304)
+  * fix: age rule id with dashes (#1349)
+  * patching golang.org/x/text for CVE-2021-38561 and
+    CVE-2022-32149 (#1342)
+  * Use latest base images. (#1334)
+
+-------------------------------------------------------------------
@@ -5 +24,2 @@
-  * Remove IAM identifiers for non-credential resources in the aws-access-token rule
+  * Remove IAM identifiers for non-credential resources in the
+    aws-access-token rule
@@ -7 +27,2 @@
-  * --max-target-megabytes flag now supported for --no-git flag as well
+  * --max-target-megabytes flag now supported for --no-git flag as
+    well
@@ -13,2 +34,4 @@
-  * chore(config): refactor to go generate; simplify configRules init
-  * pretty apparent 'protect' and 'detect' should be merged into one command
+  * chore(config): refactor to go generate; simplify configRules
+    init
+  * pretty apparent 'protect' and 'detect' should be merged into
+    one command

Old:
----
  gitleaks-8.18.2.tar.gz

New:
----
  gitleaks-8.18.3.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ gitleaks.spec ++++++
--- /var/tmp/diff_new_pack.fZB3aH/_old	2024-06-03 17:42:53.105755359 +0200
+++ /var/tmp/diff_new_pack.fZB3aH/_new	2024-06-03 17:42:53.109755506 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package gitleaks
 #
-# Copyright (c) 2023 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
 # Copyright (c) 2024 Andreas Stieger <Andreas.Stieger@gmx.de>
 #
 # All modifications and additions to the file contributed by third parties
@@ -20,7 +20,7 @@
 %define __arch_install_post export NO_BRP_STRIP_DEBUG=true
 
 Name:           gitleaks
-Version:        8.18.2
+Version:        8.18.3
 Release:        0
 Summary:        Protect and discover secrets using Gitleaks
 License:        MIT

++++++ _service ++++++
--- /var/tmp/diff_new_pack.fZB3aH/_old	2024-06-03 17:42:53.157757275 +0200
+++ /var/tmp/diff_new_pack.fZB3aH/_new	2024-06-03 17:42:53.161757423 +0200
@@ -3,7 +3,7 @@
     <param name="url">https://github.com/zricethezav/gitleaks</param>
     <param name="scm">git</param>
     <param name="exclude">.git</param>
-    <param name="revision">v8.18.2</param>
+    <param name="revision">v8.18.3</param>
     <param name="versionformat">@PARENT_TAG@</param>
     <param name="changesgenerate">enable</param>
     <param name="versionrewrite-pattern">v(.*)</param>

++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.fZB3aH/_old	2024-06-03 17:42:53.185758307 +0200
+++ /var/tmp/diff_new_pack.fZB3aH/_new	2024-06-03 17:42:53.189758455 +0200
@@ -1,6 +1,6 @@
 <servicedata>
 <service name="tar_scm">
                 <param name="url">https://github.com/zricethezav/gitleaks</param>
-              <param name="changesrevision">ac4b5146b0f112df989b4374abb2b12799e37cba</param></service></servicedata>
+              <param name="changesrevision">39947b0b0d3f1829438000819c1ba9dbeb023a89</param></service></servicedata>
 (No newline at EOF)
 

++++++ gitleaks-8.18.2.tar.gz -> gitleaks-8.18.3.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gitleaks-8.18.2/Dockerfile new/gitleaks-8.18.3/Dockerfile
--- old/gitleaks-8.18.2/Dockerfile	2024-02-01 15:23:13.000000000 +0100
+++ new/gitleaks-8.18.3/Dockerfile	2024-05-31 22:51:43.000000000 +0200
@@ -1,10 +1,10 @@
-FROM golang:1.19 AS build
+FROM golang:1.21 AS build
 WORKDIR /go/src/github.com/zricethezav/gitleaks
 COPY . .
 RUN VERSION=$(git describe --tags --abbrev=0) && \
 CGO_ENABLED=0 go build -o bin/gitleaks -ldflags "-X="github.com/zricethezav/gitleaks/v8/cmd.Version=${VERSION}
 
-FROM alpine:3.16
+FROM alpine:3.19
 RUN apk add --no-cache bash git openssh-client
 COPY --from=build /go/src/github.com/zricethezav/gitleaks/bin/* /usr/bin/
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gitleaks-8.18.2/README.md new/gitleaks-8.18.3/README.md
--- old/gitleaks-8.18.2/README.md	2024-02-01 15:23:13.000000000 +0100
+++ new/gitleaks-8.18.3/README.md	2024-05-31 22:51:43.000000000 +0200
@@ -382,7 +382,7 @@
 ]
 ```
 
-Refer to the default [gitleaks config](https://github.com/zricethezav/gitleaks/blob/master/config/gitleaks.toml) for examples or follow the [contributing guidelines](https://github.com/zricethezav/gitleaks/blob/master/README.md) if you would like to contribute to the default configuration. Additionally, you can check out [this gitleaks blog post](https://blog.gitleaks.io/stop-leaking-secrets-configuration-2-3-aeed293b1fbf) which covers advanced configuration setups.
+Refer to the default [gitleaks config](https://github.com/zricethezav/gitleaks/blob/master/config/gitleaks.toml) for examples or follow the [contributing guidelines](https://github.com/gitleaks/gitleaks/blob/master/CONTRIBUTING.md) if you would like to contribute to the default configuration. Additionally, you can check out [this gitleaks blog post](https://blog.gitleaks.io/stop-leaking-secrets-configuration-2-3-aeed293b1fbf) which covers advanced configuration setups.
 
 ### Additional Configuration
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gitleaks-8.18.2/cmd/generate/config/main.go new/gitleaks-8.18.3/cmd/generate/config/main.go
--- old/gitleaks-8.18.2/cmd/generate/config/main.go	2024-02-01 15:23:13.000000000 +0100
+++ new/gitleaks-8.18.3/cmd/generate/config/main.go	2024-05-31 22:51:43.000000000 +0200
@@ -45,6 +45,9 @@
 		rules.CodecovAccessToken(),
 		rules.CoinbaseAccessToken(),
 		rules.Clojars(),
+		rules.CloudflareAPIKey(),
+		rules.CloudflareGlobalAPIKey(),
+		rules.CloudflareOriginCAKey(),
 		rules.ConfluentAccessToken(),
 		rules.ConfluentSecretKey(),
 		rules.Contentful(),
@@ -67,7 +70,9 @@
 		rules.EasyPost(),
 		rules.EasyPostTestAPI(),
 		rules.EtsyAccessToken(),
-		rules.Facebook(),
+		rules.FacebookSecret(),
+		rules.FacebookAccessToken(),
+		rules.FacebookPageAccessToken(),
 		rules.FastlyAPIToken(),
 		rules.FinicityClientSecret(),
 		rules.FinicityAPIToken(),
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gitleaks-8.18.2/cmd/generate/config/rules/age.go new/gitleaks-8.18.3/cmd/generate/config/rules/age.go
--- old/gitleaks-8.18.2/cmd/generate/config/rules/age.go	2024-02-01 15:23:13.000000000 +0100
+++ new/gitleaks-8.18.3/cmd/generate/config/rules/age.go	2024-05-31 22:51:43.000000000 +0200
@@ -10,7 +10,7 @@
 	// define rule
 	r := config.Rule{
 		Description: "Discovered a potential Age encryption tool secret key, risking data decryption and unauthorized access to sensitive information.",
-		RuleID:      "age secret key",
+		RuleID:      "age-secret-key",
 		Regex:       regexp.MustCompile(`AGE-SECRET-KEY-1[QPZRY9X8GF2TVDW0S3JN54KHCE6MUA7L]{58}`),
 		Keywords:    []string{"AGE-SECRET-KEY-1"},
 	}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gitleaks-8.18.2/cmd/generate/config/rules/cloudflare.go new/gitleaks-8.18.3/cmd/generate/config/rules/cloudflare.go
--- old/gitleaks-8.18.2/cmd/generate/config/rules/cloudflare.go	1970-01-01 01:00:00.000000000 +0100
+++ new/gitleaks-8.18.3/cmd/generate/config/rules/cloudflare.go	2024-05-31 22:51:43.000000000 +0200
@@ -0,0 +1,76 @@
+package rules
+
+import (
+	"github.com/zricethezav/gitleaks/v8/config"
+)
+
+var global_keys = []string{
+	`cloudflare_global_api_key = "d3d1443e0adc9c24564c6c5676d679d47e2ca"`, // gitleaks:allow
+	`CLOUDFLARE_GLOBAL_API_KEY: 674538c7ecac77d064958a04a83d9e9db068c`,    // gitleaks:allow
+	`cloudflare: "0574b9f43978174cc2cb9a1068681225433c4"`,                 // gitleaks:allow
+}
+
+var api_keys = []string{
+	`cloudflare_api_key = "Bu0rrK-lerk6y0Suqo1qSqlDDajOk61wZchCkje4"`, // gitleaks:allow
+	`CLOUDFLARE_API_KEY: 5oK0U90ME14yU6CVxV90crvfqVlNH2wRKBwcLWDc`,    // gitleaks:allow
+	`cloudflare: "oj9Yoyq0zmOyWmPPob1aoY5YSNNuJ0fbZSOURBlX"`,          // gitleaks:allow
+}
+
+var origin_ca_keys = []string{
+	`CLOUDFLARE_ORIGIN_CA: v1.0-aaa334dc886f30631ba0a610-0d98ef66290d7e50aac7c27b5986c99e6f3f1084c881d8ac0eae5de1d1aa0644076ff57022069b3237d19afe60ad045f207ef2b16387ee37b749441b2ae2e9ebe5b4606e846475d4a5`,
+	`CLOUDFLARE_ORIGIN_CA: v1.0-15d20c7fccb4234ac5cdd756-d5c2630d1b606535cf9320ae7456b090e0896cec64169a92fae4e931ab0f72f111b2e4ffed5b2bb40f6fba6b2214df23b188a23693d59ce3fb0d28f7e89a2206d98271b002dac695ed`,
+}
+
+var identifiers = []string{"cloudflare"}
+
+func CloudflareGlobalAPIKey() *config.Rule {
+	// define rule
+	r := config.Rule{
+		Description: "Detected a Cloudflare Global API Key, potentially compromising cloud application deployments and operational security.",
+		RuleID:      "cloudflare-global-api-key",
+		Regex:       generateSemiGenericRegex(identifiers, hex("37"), true),
+
+		Keywords: identifiers,
+	}
+
+	// validate
+	tps := global_keys
+	fps := append(api_keys, origin_ca_keys...)
+
+	return validate(r, tps, fps)
+}
+
+func CloudflareAPIKey() *config.Rule {
+	// define rule
+	r := config.Rule{
+		Description: "Detected a Cloudflare API Key, potentially compromising cloud application deployments and operational security.",
+		RuleID:      "cloudflare-api-key",
+		Regex:       generateSemiGenericRegex(identifiers, alphaNumericExtendedShort("40"), true),
+
+		Keywords: identifiers,
+	}
+
+	// validate
+	tps := api_keys
+	fps := append(global_keys, origin_ca_keys...)
+
+	return validate(r, tps, fps)
+}
+
+func CloudflareOriginCAKey() *config.Rule {
+	ca_identifiers := append(identifiers, "v1.0-")
+	// define rule
+	r := config.Rule{
+		Description: "Detected a Cloudflare Origin CA Key, potentially compromising cloud application deployments and operational security.",
+		RuleID:      "cloudflare-origin-ca-key",
+		Regex:       generateUniqueTokenRegex(`v1\.0-`+hex("24")+"-"+hex("146"), false),
+
+		Keywords: ca_identifiers,
+	}
+
+	// validate
+	tps := origin_ca_keys
+	fps := append(global_keys, api_keys...)
+
+	return validate(r, tps, fps)
+}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gitleaks-8.18.2/cmd/generate/config/rules/facebook.go new/gitleaks-8.18.3/cmd/generate/config/rules/facebook.go
--- old/gitleaks-8.18.2/cmd/generate/config/rules/facebook.go	2024-02-01 15:23:13.000000000 +0100
+++ new/gitleaks-8.18.3/cmd/generate/config/rules/facebook.go	2024-05-31 22:51:43.000000000 +0200
@@ -5,11 +5,13 @@
 	"github.com/zricethezav/gitleaks/v8/config"
 )
 
-func Facebook() *config.Rule {
+// This rule includes both App Secret and Client Access Token
+// https://developers.facebook.com/docs/facebook-login/guides/access-tokens/
+func FacebookSecret() *config.Rule {
 	// define rule
 	r := config.Rule{
-		Description: "Discovered a Facebook Access Token, posing a risk of unauthorized access to Facebook accounts and personal data exposure.",
-		RuleID:      "facebook",
+		Description: "Discovered a Facebook Application secret, posing a risk of unauthorized access to Facebook accounts and personal data exposure.",
+		RuleID:      "facebook-secret",
 		Regex:       generateSemiGenericRegex([]string{"facebook"}, hex("32"), true),
 
 		Keywords: []string{"facebook"},
@@ -18,6 +20,46 @@
 	// validate
 	tps := []string{
 		generateSampleSecret("facebook", secrets.NewSecret(hex("32"))),
+		`facebook_app_secret = "6dca6432e45d933e13650d1882bd5e69"`,       // gitleaks:allow
+		`facebook_client_access_token: 26f5fd13099f2c1331aafb86f6489692`, // gitleaks:allow
+	}
+	return validate(r, tps, nil)
+}
+
+// https://developers.facebook.com/docs/facebook-login/guides/access-tokens/#ap...
+func FacebookAccessToken() *config.Rule {
+	// define rule
+	r := config.Rule{
+		Description: "Discovered a Facebook Access Token, posing a risk of unauthorized access to Facebook accounts and personal data exposure.",
+		RuleID:      "facebook-access-token",
+		Regex:       generateUniqueTokenRegex(`\d{15,16}(\||%)[0-9a-z\-_]{27,40}`, true),
+	}
+
+	// validate
+	tps := []string{
+		`{"access_token":"911602140448729|AY-lRJZq9BoDLobvAiP25L7RcMg","token_type":"bearer"}`, // gitleaks:allow
+		`1308742762612587|rhoK1cbv0DOU_RTX_87O4MkX7AI`,                                         // gitleaks:allow
+		`1477036645700765|wRPf2v3mt2JfMqCLK8n7oltrEmc`,                                         // gitleaks:allow
+	}
+	return validate(r, tps, nil)
+}
+
+// https://developers.facebook.com/docs/facebook-login/guides/access-tokens/#pa...
+func FacebookPageAccessToken() *config.Rule {
+	// define rule
+	r := config.Rule{
+		Description: "Discovered a Facebook Page Access Token, posing a risk of unauthorized access to Facebook accounts and personal data exposure.",
+		RuleID:      "facebook-page-access-token",
+		Regex:       generateUniqueTokenRegex("EAA[MC]"+alphaNumeric("20,"), true),
+		Keywords:    []string{"EAAM", "EAAC"},
+	}
+
+	// validate
+	tps := []string{
+		`EAAM9GOnCB9kBO2frzOAWGN2zMnZClQshlWydZCrBNdodesbwimx1mfVJgqZBP5RSpMfUzWhtjTTXHG5I1UlvlwRZCgjm3ZBVGeTYiqAAoxyED6HaUdhpGVNoPUwAuAWWFsi9OvyYBQt22DGLqMIgD7VktuCTTZCWKasz81Q822FPhMTB9VFFyClNzQ0NLZClt9zxpsMMrUZCo1VU1rL3CKavir5QTfBjfCEzHNlWAUDUV2YZD`, // gitleaks:allow
+		`EAAM9GOnCB9kBO2zXpAtRBmCrsPPjdA3KeBl4tqsEpcYd09cpjm9MZCBIklZBjIQBKGIJgFwm8IE17G5pipsfRBRBEHMWxvJsL7iHLUouiprxKRQfAagw8BEEDucceqxTiDhVW2IZAQNNbf0d1JhcapAGntx5S1Csm4j0GgZB3DuUfI2HJ9aViTtdfH2vjBy0wtpXm2iamevohGfoF4NgyRHusDLjqy91uYMkfrkc`,          // gitleaks:allow
+		`- name: FACEBOOK_TOKEN
+		value: "EAACEdEose0cBA1bad3afsf2aew"`, // gitleaks:allow
 	}
 	return validate(r, tps, nil)
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gitleaks-8.18.2/cmd/generate/config/rules/heroku.go new/gitleaks-8.18.3/cmd/generate/config/rules/heroku.go
--- old/gitleaks-8.18.2/cmd/generate/config/rules/heroku.go	2024-02-01 15:23:13.000000000 +0100
+++ new/gitleaks-8.18.3/cmd/generate/config/rules/heroku.go	2024-05-31 22:51:43.000000000 +0200
@@ -17,6 +17,7 @@
 	// validate
 	tps := []string{
 		`const HEROKU_KEY = "12345678-ABCD-ABCD-ABCD-1234567890AB"`, // gitleaks:allow
+		`heroku_api_key = "832d2129-a846-4e27-99f4-7004b6ad53ef"`,   // gitleaks:allow
 	}
 	return validate(r, tps, nil)
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gitleaks-8.18.2/cmd/generate/config/rules/mailchimp.go new/gitleaks-8.18.3/cmd/generate/config/rules/mailchimp.go
--- old/gitleaks-8.18.2/cmd/generate/config/rules/mailchimp.go	2024-02-01 15:23:13.000000000 +0100
+++ new/gitleaks-8.18.3/cmd/generate/config/rules/mailchimp.go	2024-05-31 22:51:43.000000000 +0200
@@ -10,7 +10,7 @@
 	r := config.Rule{
 		RuleID:      "mailchimp-api-key",
 		Description: "Identified a Mailchimp API key, potentially compromising email marketing campaigns and subscriber data.",
-		Regex:       generateSemiGenericRegex([]string{"mailchimp"}, `[a-f0-9]{32}-us20`, true),
+		Regex:       generateSemiGenericRegex([]string{"MailchimpSDK.initialize", "mailchimp"}, hex("32")+`-us\d\d`, true),
 
 		Keywords: []string{
 			"mailchimp",
@@ -20,6 +20,12 @@
 	// validate
 	tps := []string{
 		generateSampleSecret("mailchimp", secrets.NewSecret(hex("32"))+"-us20"),
+		`mailchimp_api_key: cefa780880ba5f5696192a34f6292c35-us18`, // gitleaks:allow
+		`MAILCHIMPE_KEY = "b5b9f8e50c640da28993e8b6a48e3e53-us18"`, // gitleaks:allow
 	}
-	return validate(r, tps, nil)
+	fps := []string{
+		// False Negative
+		`MailchimpSDK.initialize(token: 3012a5754bbd716926f99c028f7ea428-us18)`, // gitleaks:allow
+	}
+	return validate(r, tps, fps)
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gitleaks-8.18.2/cmd/generate/config/rules/scalingo.go new/gitleaks-8.18.3/cmd/generate/config/rules/scalingo.go
--- old/gitleaks-8.18.2/cmd/generate/config/rules/scalingo.go	2024-02-01 15:23:13.000000000 +0100
+++ new/gitleaks-8.18.3/cmd/generate/config/rules/scalingo.go	2024-05-31 22:51:43.000000000 +0200
@@ -1,8 +1,6 @@
 package rules
 
 import (
-	"regexp"
-
 	"github.com/zricethezav/gitleaks/v8/cmd/generate/secrets"
 	"github.com/zricethezav/gitleaks/v8/config"
 )
@@ -12,13 +10,14 @@
 	r := config.Rule{
 		Description: "Found a Scalingo API token, posing a risk to cloud platform services and application deployment security.",
 		RuleID:      "scalingo-api-token",
-		Regex:       regexp.MustCompile(`\btk-us-[a-zA-Z0-9-_]{48}\b`),
+		Regex:       generateUniqueTokenRegex(`tk-us-[a-zA-Z0-9-_]{48}`, false),
 		Keywords:    []string{"tk-us-"},
 	}
 
 	// validate
 	tps := []string{
 		generateSampleSecret("scalingo", "tk-us-"+secrets.NewSecret(alphaNumericExtendedShort("48"))),
+		`scalingo_api_token = "tk-us-loys7ib9yrxcys_ta2sq85mjar6lgcsspkd9x61s7h5epf_-"`, // gitleaks:allow
 	}
 	return validate(r, tps, nil)
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gitleaks-8.18.2/cmd/generate/config/rules/square.go new/gitleaks-8.18.3/cmd/generate/config/rules/square.go
--- old/gitleaks-8.18.2/cmd/generate/config/rules/square.go	2024-02-01 15:23:13.000000000 +0100
+++ new/gitleaks-8.18.3/cmd/generate/config/rules/square.go	2024-05-31 22:51:43.000000000 +0200
@@ -10,13 +10,15 @@
 	r := config.Rule{
 		RuleID:      "square-access-token",
 		Description: "Detected a Square Access Token, risking unauthorized payment processing and financial transaction exposure.",
-		Regex:       generateUniqueTokenRegex(`sq0atp-[0-9A-Za-z\-_]{22}`, true),
-		Keywords:    []string{"sq0atp-"},
+		Regex:       generateUniqueTokenRegex(`(EAAA|sq0atp-)[0-9A-Za-z\-_]{22,60}`, true),
+		Keywords:    []string{"sq0atp-", "EAAA"},
 	}
 
 	// validate
 	tps := []string{
 		generateSampleSecret("square", secrets.NewSecret(`sq0atp-[0-9A-Za-z\-_]{22}`)),
+		"ARG token=sq0atp-812erere3wewew45678901",                                    // gitleaks:allow
+		"ARG token=EAAAlsBxkkVgvmr7FasTFbM6VUGZ31EJ4jZKTJZySgElBDJ_wyafHuBFquFexY7E", // gitleaks:allow",
 	}
 	return validate(r, tps, nil)
 }
@@ -33,6 +35,7 @@
 	// validate
 	tps := []string{
 		generateSampleSecret("square", secrets.NewSecret(`sq0csp-[0-9A-Za-z\\-_]{43}`)),
+		`value: "sq0csp-0p9h7g6f4s3s3s3-4a3ardgwa6ADRDJDDKUFYDYDYDY"`, // gitleaks:allow
 	}
 	return validate(r, tps, nil)
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gitleaks-8.18.2/cmd/generate/config/rules/stripe.go new/gitleaks-8.18.3/cmd/generate/config/rules/stripe.go
--- old/gitleaks-8.18.2/cmd/generate/config/rules/stripe.go	2024-02-01 15:23:13.000000000 +0100
+++ new/gitleaks-8.18.3/cmd/generate/config/rules/stripe.go	2024-05-31 22:51:43.000000000 +0200
@@ -10,15 +10,23 @@
 	r := config.Rule{
 		Description: "Found a Stripe Access Token, posing a risk to payment processing services and sensitive financial data.",
 		RuleID:      "stripe-access-token",
-		Regex:       generateUniqueTokenRegex(`(sk)_(test|live)_[0-9a-z]{10,32}`, true),
+		Regex:       generateUniqueTokenRegex(`(sk|rk)_(test|live|prod)_[0-9a-z]{10,99}`, true),
 		Keywords: []string{
 			"sk_test",
 			"sk_live",
+			"sk_prod",
+			"rk_test",
+			"rk_live",
+			"rk_prod",
 		},
 	}
 
 	// validate
-	tps := []string{"stripeToken := \"sk_test_" + secrets.NewSecret(alphaNumeric("30")) + "\""}
+	tps := []string{
+		"stripeToken := \"sk_test_" + secrets.NewSecret(alphaNumeric("30")) + "\"",
+		"sk_test_51OuEMLAlTWGaDypq4P5cuDHbuKeG4tAGPYHJpEXQ7zE8mKK3jkhTFPvCxnSSK5zB5EQZrJsYdsatNmAHGgb0vSKD00GTMSWRHs", // gitleaks:allow
+		"rk_prod_51OuEMLAlTWGaDypquDn9aZigaJOsa9NR1w1BxZXs9JlYsVVkv5XDu6aLmAxwt5Tgun5WcSwQMKzQyqV16c9iD4sx00BRijuoon", // gitleaks:allow
+	}
 	fps := []string{"nonMatchingToken := \"task_test_" + secrets.NewSecret(alphaNumeric("30")) + "\""}
 	return validate(r, tps, fps)
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gitleaks-8.18.2/config/allowlist.go new/gitleaks-8.18.3/config/allowlist.go
--- old/gitleaks-8.18.2/config/allowlist.go	2024-02-01 15:23:13.000000000 +0100
+++ new/gitleaks-8.18.3/config/allowlist.go	2024-05-31 22:51:43.000000000 +0200
@@ -14,7 +14,13 @@
 	// Regexes is slice of content regular expressions that are allowed to be ignored.
 	Regexes []*regexp.Regexp
 
-	// RegexTarget
+	// Can be `match` or `line`.
+	//
+	// If `match` the _Regexes_ will be tested against the match of the _Rule.Regex_.
+	//
+	// If `line` the _Regexes_ will be tested against the entire line.
+	//
+	// If RegexTarget is empty, it will be tested against the found secret.
 	RegexTarget string
 
 	// Paths is a slice of path regular expressions that are allowed to be ignored.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gitleaks-8.18.2/config/config.go new/gitleaks-8.18.3/config/config.go
--- old/gitleaks-8.18.2/config/config.go	2024-02-01 15:23:13.000000000 +0100
+++ new/gitleaks-8.18.3/config/config.go	2024-05-31 22:51:43.000000000 +0200
@@ -4,6 +4,7 @@
 	_ "embed"
 	"fmt"
 	"regexp"
+	"sort"
 	"strings"
 
 	"github.com/rs/zerolog/log"
@@ -62,7 +63,7 @@
 	Keywords    []string
 
 	// used to keep sarif results consistent
-	orderedRules []string
+	OrderedRules []string
 }
 
 // Extend is a struct that allows users to define how they want their
@@ -158,7 +159,7 @@
 			StopWords:   vc.Allowlist.StopWords,
 		},
 		Keywords:     keywords,
-		orderedRules: orderedRules,
+		OrderedRules: orderedRules,
 	}
 
 	if maxExtendDepth != extendDepth {
@@ -177,9 +178,9 @@
 	return c, nil
 }
 
-func (c *Config) OrderedRules() []Rule {
+func (c *Config) GetOrderedRules() []Rule {
 	var orderedRules []Rule
-	for _, id := range c.orderedRules {
+	for _, id := range c.OrderedRules {
 		if _, ok := c.Rules[id]; ok {
 			orderedRules = append(orderedRules, c.Rules[id])
 		}
@@ -240,6 +241,7 @@
 			log.Trace().Msgf("adding %s to base config", ruleID)
 			c.Rules[ruleID] = rule
 			c.Keywords = append(c.Keywords, rule.Keywords...)
+			c.OrderedRules = append(c.OrderedRules, ruleID)
 		}
 	}
 
@@ -250,4 +252,7 @@
 		extensionConfig.Allowlist.Paths...)
 	c.Allowlist.Regexes = append(c.Allowlist.Regexes,
 		extensionConfig.Allowlist.Regexes...)
+
+	// sort to keep extended rules in order
+	sort.Strings(c.OrderedRules)
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gitleaks-8.18.2/config/gitleaks.toml new/gitleaks-8.18.3/config/gitleaks.toml
--- old/gitleaks-8.18.2/config/gitleaks.toml	2024-02-01 15:23:13.000000000 +0100
+++ new/gitleaks-8.18.3/config/gitleaks.toml	2024-05-31 22:51:43.000000000 +0200
@@ -50,7 +50,7 @@
 ]
 
 [[rules]]
-id = "age secret key"
+id = "age-secret-key"
 description = "Discovered a potential Age encryption tool secret key, risking data decryption and unauthorized access to sensitive information."
 regex = '''AGE-SECRET-KEY-1[QPZRY9X8GF2TVDW0S3JN54KHCE6MUA7L]{58}'''
 keywords = [
@@ -178,6 +178,30 @@
 ]
 
 [[rules]]
+id = "cloudflare-api-key"
+description = "Detected a Cloudflare API Key, potentially compromising cloud application deployments and operational security."
+regex = '''(?i)(?:cloudflare)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9_-]{40})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+keywords = [
+    "cloudflare",
+]
+
+[[rules]]
+id = "cloudflare-global-api-key"
+description = "Detected a Cloudflare Global API Key, potentially compromising cloud application deployments and operational security."
+regex = '''(?i)(?:cloudflare)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-f0-9]{37})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+keywords = [
+    "cloudflare",
+]
+
+[[rules]]
+id = "cloudflare-origin-ca-key"
+description = "Detected a Cloudflare Origin CA Key, potentially compromising cloud application deployments and operational security."
+regex = '''\b(v1\.0-[a-f0-9]{24}-[a-f0-9]{146})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+keywords = [
+    "cloudflare","v1.0-",
+]
+
+[[rules]]
 id = "codecov-access-token"
 description = "Found a pattern resembling a Codecov Access Token, posing a risk of unauthorized access to code coverage reports and sensitive data."
 regex = '''(?i)(?:codecov)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
@@ -370,8 +394,21 @@
 ]
 
 [[rules]]
-id = "facebook"
+id = "facebook-access-token"
 description = "Discovered a Facebook Access Token, posing a risk of unauthorized access to Facebook accounts and personal data exposure."
+regex = '''(?i)\b(\d{15,16}(\||%)[0-9a-z\-_]{27,40})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+
+[[rules]]
+id = "facebook-page-access-token"
+description = "Discovered a Facebook Page Access Token, posing a risk of unauthorized access to Facebook accounts and personal data exposure."
+regex = '''(?i)\b(EAA[MC][a-z0-9]{20,})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+keywords = [
+    "eaam","eaac",
+]
+
+[[rules]]
+id = "facebook-secret"
+description = "Discovered a Facebook Application secret, posing a risk of unauthorized access to Facebook accounts and personal data exposure."
 regex = '''(?i)(?:facebook)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-f0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
 keywords = [
     "facebook",
@@ -2237,7 +2274,7 @@
 [[rules]]
 id = "mailchimp-api-key"
 description = "Identified a Mailchimp API key, potentially compromising email marketing campaigns and subscriber data."
-regex = '''(?i)(?:mailchimp)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-f0-9]{32}-us20)(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:MailchimpSDK.initialize|mailchimp)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-f0-9]{32}-us\d\d)(?:['|\"|\n|\r|\s|\x60|;]|$)'''
 keywords = [
     "mailchimp",
 ]
@@ -2487,7 +2524,7 @@
 [[rules]]
 id = "scalingo-api-token"
 description = "Found a Scalingo API token, posing a risk to cloud platform services and application deployment security."
-regex = '''\btk-us-[a-zA-Z0-9-_]{48}\b'''
+regex = '''\b(tk-us-[a-zA-Z0-9-_]{48})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
 keywords = [
     "tk-us-",
 ]
@@ -2672,9 +2709,9 @@
 [[rules]]
 id = "square-access-token"
 description = "Detected a Square Access Token, risking unauthorized payment processing and financial transaction exposure."
-regex = '''(?i)\b(sq0atp-[0-9A-Za-z\-_]{22})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)\b((EAAA|sq0atp-)[0-9A-Za-z\-_]{22,60})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
 keywords = [
-    "sq0atp-",
+    "sq0atp-","eaaa",
 ]
 
 [[rules]]
@@ -2688,9 +2725,9 @@
 [[rules]]
 id = "stripe-access-token"
 description = "Found a Stripe Access Token, posing a risk to payment processing services and sensitive financial data."
-regex = '''(?i)\b((sk)_(test|live)_[0-9a-z]{10,32})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)\b((sk|rk)_(test|live|prod)_[0-9a-z]{10,99})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
 keywords = [
-    "sk_test","sk_live",
+    "sk_test","sk_live","sk_prod","rk_test","rk_live","rk_prod",
 ]
 
 [[rules]]
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gitleaks-8.18.2/go.mod new/gitleaks-8.18.3/go.mod
--- old/gitleaks-8.18.2/go.mod	2024-02-01 15:23:13.000000000 +0100
+++ new/gitleaks-8.18.3/go.mod	2024-05-31 22:51:43.000000000 +0200
@@ -41,7 +41,7 @@
 	github.com/subosito/gotenv v1.2.0 // indirect
 	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c // indirect
 	golang.org/x/sys v0.6.0 // indirect
-	golang.org/x/text v0.3.6 // indirect
+	golang.org/x/text v0.3.8 // indirect
 	gopkg.in/ini.v1 v1.62.0 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gitleaks-8.18.2/go.sum new/gitleaks-8.18.3/go.sum
--- old/gitleaks-8.18.2/go.sum	2024-02-01 15:23:13.000000000 +0100
+++ new/gitleaks-8.18.3/go.sum	2024-05-31 22:51:43.000000000 +0200
@@ -448,8 +448,9 @@
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.6 h1:aRYxNxv6iGQlyVaZmk6ZgYEDa+Jg18DxebPSrd6bg1M=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.8 h1:nAL+RVCQ9uMn3vJZbV+MRnydTJFPf8qqY42YiA6MrqY=
+golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gitleaks-8.18.2/report/sarif.go new/gitleaks-8.18.3/report/sarif.go
--- old/gitleaks-8.18.2/report/sarif.go	2024-02-01 15:23:13.000000000 +0100
+++ new/gitleaks-8.18.3/report/sarif.go	2024-05-31 22:51:43.000000000 +0200
@@ -55,7 +55,7 @@
 func getRules(cfg config.Config) []Rules {
 	// TODO	for _, rule := range cfg.Rules {
 	var rules []Rules
-	for _, rule := range cfg.OrderedRules() {
+	for _, rule := range cfg.GetOrderedRules() {
 		shortDescription := ShortDescription{
 			Text: rule.Description,
 		}

++++++ vendor.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vendor/golang.org/x/text/AUTHORS new/vendor/golang.org/x/text/AUTHORS
--- old/vendor/golang.org/x/text/AUTHORS	2024-05-05 17:19:32.000000000 +0200
+++ new/vendor/golang.org/x/text/AUTHORS	1970-01-01 01:00:00.000000000 +0100
@@ -1,3 +0,0 @@
-# This source code refers to The Go Authors for copyright purposes.
-# The master list of authors is in the main Go distribution,
-# visible at http://tip.golang.org/AUTHORS.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vendor/golang.org/x/text/CONTRIBUTORS new/vendor/golang.org/x/text/CONTRIBUTORS
--- old/vendor/golang.org/x/text/CONTRIBUTORS	2024-05-05 17:19:32.000000000 +0200
+++ new/vendor/golang.org/x/text/CONTRIBUTORS	1970-01-01 01:00:00.000000000 +0100
@@ -1,3 +0,0 @@
-# This source code was written by the Go contributors.
-# The master list of contributors is in the main Go distribution,
-# visible at http://tip.golang.org/CONTRIBUTORS.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vendor/golang.org/x/text/unicode/norm/forminfo.go new/vendor/golang.org/x/text/unicode/norm/forminfo.go
--- old/vendor/golang.org/x/text/unicode/norm/forminfo.go	2024-05-05 17:19:32.000000000 +0200
+++ new/vendor/golang.org/x/text/unicode/norm/forminfo.go	2024-06-01 17:28:17.000000000 +0200
@@ -110,10 +110,11 @@
 }
 
 // We pack quick check data in 4 bits:
-//   5:    Combines forward  (0 == false, 1 == true)
-//   4..3: NFC_QC Yes(00), No (10), or Maybe (11)
-//   2:    NFD_QC Yes (0) or No (1). No also means there is a decomposition.
-//   1..0: Number of trailing non-starters.
+//
+//	5:    Combines forward  (0 == false, 1 == true)
+//	4..3: NFC_QC Yes(00), No (10), or Maybe (11)
+//	2:    NFD_QC Yes (0) or No (1). No also means there is a decomposition.
+//	1..0: Number of trailing non-starters.
 //
 // When all 4 bits are zero, the character is inert, meaning it is never
 // influenced by normalization.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vendor/golang.org/x/text/unicode/norm/normalize.go new/vendor/golang.org/x/text/unicode/norm/normalize.go
--- old/vendor/golang.org/x/text/unicode/norm/normalize.go	2024-05-05 17:19:32.000000000 +0200
+++ new/vendor/golang.org/x/text/unicode/norm/normalize.go	2024-06-01 17:28:17.000000000 +0200
@@ -18,16 +18,17 @@
 // A Form denotes a canonical representation of Unicode code points.
 // The Unicode-defined normalization and equivalence forms are:
 //
-//   NFC   Unicode Normalization Form C
-//   NFD   Unicode Normalization Form D
-//   NFKC  Unicode Normalization Form KC
-//   NFKD  Unicode Normalization Form KD
+//	NFC   Unicode Normalization Form C
+//	NFD   Unicode Normalization Form D
+//	NFKC  Unicode Normalization Form KC
+//	NFKD  Unicode Normalization Form KD
 //
 // For a Form f, this documentation uses the notation f(x) to mean
 // the bytes or string x converted to the given form.
 // A position n in x is called a boundary if conversion to the form can
 // proceed independently on both sides:
-//   f(x) == append(f(x[0:n]), f(x[n:])...)
+//
+//	f(x) == append(f(x[0:n]), f(x[n:])...)
 //
 // References: https://unicode.org/reports/tr15/ and
 // https://unicode.org/notes/tn5/.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vendor/golang.org/x/text/unicode/norm/tables13.0.0.go new/vendor/golang.org/x/text/unicode/norm/tables13.0.0.go
--- old/vendor/golang.org/x/text/unicode/norm/tables13.0.0.go	2024-05-05 17:19:32.000000000 +0200
+++ new/vendor/golang.org/x/text/unicode/norm/tables13.0.0.go	2024-06-01 17:28:17.000000000 +0200
@@ -7315,7 +7315,7 @@
 	"\x00V\x03\x03\x00\x00\x1e|" + // 0x00560303: 0x00001E7C
 	"\x00v\x03\x03\x00\x00\x1e}" + // 0x00760303: 0x00001E7D
 	"\x00V\x03#\x00\x00\x1e~" + // 0x00560323: 0x00001E7E
-	"\x00v\x03#\x00\x00\x1e\u007f" + // 0x00760323: 0x00001E7F
+	"\x00v\x03#\x00\x00\x1e\x7f" + // 0x00760323: 0x00001E7F
 	"\x00W\x03\x00\x00\x00\x1e\x80" + // 0x00570300: 0x00001E80
 	"\x00w\x03\x00\x00\x00\x1e\x81" + // 0x00770300: 0x00001E81
 	"\x00W\x03\x01\x00\x00\x1e\x82" + // 0x00570301: 0x00001E82
@@ -7342,7 +7342,7 @@
 	"\x00t\x03\b\x00\x00\x1e\x97" + // 0x00740308: 0x00001E97
 	"\x00w\x03\n\x00\x00\x1e\x98" + // 0x0077030A: 0x00001E98
 	"\x00y\x03\n\x00\x00\x1e\x99" + // 0x0079030A: 0x00001E99
-	"\x01\u007f\x03\a\x00\x00\x1e\x9b" + // 0x017F0307: 0x00001E9B
+	"\x01\x7f\x03\a\x00\x00\x1e\x9b" + // 0x017F0307: 0x00001E9B
 	"\x00A\x03#\x00\x00\x1e\xa0" + // 0x00410323: 0x00001EA0
 	"\x00a\x03#\x00\x00\x1e\xa1" + // 0x00610323: 0x00001EA1
 	"\x00A\x03\t\x00\x00\x1e\xa2" + // 0x00410309: 0x00001EA2
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vendor/modules.txt new/vendor/modules.txt
--- old/vendor/modules.txt	2024-05-05 17:19:32.000000000 +0200
+++ new/vendor/modules.txt	2024-06-01 17:28:17.000000000 +0200
@@ -116,8 +116,8 @@
 golang.org/x/sys/internal/unsafeheader
 golang.org/x/sys/unix
 golang.org/x/sys/windows
-# golang.org/x/text v0.3.6
-## explicit; go 1.11
+# golang.org/x/text v0.3.8
+## explicit; go 1.17
 golang.org/x/text/transform
 golang.org/x/text/unicode/norm
 # gopkg.in/ini.v1 v1.62.0

    

commit gitleaks for openSUSE:Factory

Source-Sync