Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package gitleaks for openSUSE:Factory checked in at 2024-10-20 10:04:26 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/gitleaks (Old) and /work/SRC/openSUSE:Factory/.gitleaks.new.26871 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "gitleaks" Sun Oct 20 10:04:26 2024 rev:12 rq:1208892 version:8.21.1 Changes: -------- --- /work/SRC/openSUSE:Factory/gitleaks/gitleaks.changes 2024-10-16 23:46:34.928555384 +0200 +++ /work/SRC/openSUSE:Factory/.gitleaks.new.26871/gitleaks.changes 2024-10-20 10:04:30.480062568 +0200 @@ -1,0 +2,10 @@ +Fri Oct 18 12:19:05 UTC 2024 - opensuse_buildservice@ojkastl.de + +- Update to version 8.21.1: + * feat: add curl basic auth rule (#1575) + * Update spelling in README.md (#1574) + * refactor(allowlist): use iota for condition (#1569) + * refactor(config): temporarily switch to [rules.allowlist] + (#1573) + +------------------------------------------------------------------- Old: ---- gitleaks-8.21.0.obscpio New: ---- gitleaks-8.21.1.obscpio ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ gitleaks.spec ++++++ --- /var/tmp/diff_new_pack.PBF6TT/_old 2024-10-20 10:04:31.336098041 +0200 +++ /var/tmp/diff_new_pack.PBF6TT/_new 2024-10-20 10:04:31.340098206 +0200 @@ -20,7 +20,7 @@ %define __arch_install_post export NO_BRP_STRIP_DEBUG=true Name: gitleaks -Version: 8.21.0 +Version: 8.21.1 Release: 0 Summary: Protect and discover secrets using Gitleaks License: MIT ++++++ _service ++++++ --- /var/tmp/diff_new_pack.PBF6TT/_old 2024-10-20 10:04:31.380099865 +0200 +++ /var/tmp/diff_new_pack.PBF6TT/_new 2024-10-20 10:04:31.384100030 +0200 
@@ -3,7 +3,7 @@ <param name="url">https://github.com/zricethezav/gitleaks</param> <param name="scm">git</param> <param name="exclude">.git</param> - <param name="revision">v8.21.0</param> + <param name="revision">v8.21.1</param> <param name="versionformat">@PARENT_TAG@</param> <param name="versionrewrite-pattern">v(.*)</param> <param name="changesgenerate">enable</param> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.PBF6TT/_old 2024-10-20 10:04:31.408101024 +0200 +++ /var/tmp/diff_new_pack.PBF6TT/_new 2024-10-20 10:04:31.412101191 +0200 @@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/zricethezav/gitleaks</param> - <param name="changesrevision">aabe3815394d24d5b8198ba6068a99e0ba7601b1</param></service></servicedata> + <param name="changesrevision">cf5334fd61d16fb4af1362856ebfb98397c5d4b3</param></service></servicedata> (No newline at EOF) ++++++ gitleaks-8.21.0.obscpio -> gitleaks-8.21.1.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gitleaks-8.21.0/README.md new/gitleaks-8.21.1/README.md --- old/gitleaks-8.21.0/README.md 2024-10-15 02:17:37.000000000 +0200 +++ new/gitleaks-8.21.1/README.md 2024-10-18 02:15:30.000000000 +0200 @@ -266,7 +266,7 @@ # Keywords are used for pre-regex check filtering. Rules that contain # keywords will perform a quick string compare check to make sure the # keyword(s) are in the content being scanned. Ideally these values should -# either be part of the idenitifer or unique strings specific to the rule's regex +# either be part of the identiifer or unique strings specific to the rule's regex # (introduced in v8.6.0) keywords = [ "auth", 
@@ -301,7 +301,7 @@ [[rules.allowlists]] # The "AND" condition can be used to make sure all criteria match. - # e.g., this matches if |regexes| AND |paths| are satisified. + # e.g., this matches if |regexes| AND |paths| are satisfied. condition = "AND" # note: |regexes| defaults to check the _Secret_ in the finding. # Acceptable values for |regexTarget| are "secret" (default), "match", and "line". diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gitleaks-8.21.0/cmd/generate/config/main.go new/gitleaks-8.21.1/cmd/generate/config/main.go --- old/gitleaks-8.21.0/cmd/generate/config/main.go 2024-10-15 02:17:37.000000000 +0200 +++ new/gitleaks-8.21.1/cmd/generate/config/main.go 2024-10-18 02:15:30.000000000 +0200 @@ -54,6 +54,7 @@ rules.ConfluentAccessToken(), rules.ConfluentSecretKey(), rules.Contentful(), + rules.CurlBasicAuth(), rules.Databricks(), rules.DatadogtokenAccessToken(), rules.DefinedNetworkingAPIToken(), diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gitleaks-8.21.0/cmd/generate/config/rules/config.tmpl new/gitleaks-8.21.1/cmd/generate/config/rules/config.tmpl --- old/gitleaks-8.21.0/cmd/generate/config/rules/config.tmpl 2024-10-15 02:17:37.000000000 +0200 +++ new/gitleaks-8.21.1/cmd/generate/config/rules/config.tmpl 2024-10-18 02:15:30.000000000 +0200 
@@ -43,9 +43,35 @@ tags = [ {{ range $j, $tag := . }}"{{ $tag }}",{{ end }} ]{{ end }} + +{{- /* + * Use [rules.allowlist] for a while, allow people to catch up with the new syntax. + * TODO: Remove this a few major versions after 8.21.0 + * https://github.com/gitleaks/gitleaks/issues/1571 + */}} +{{- if eq (len $rule.Allowlists) 1 }}{{ with index $rule.Allowlists 0}}{{ if or .Regexes .Paths .Commits .StopWords }} +# NOTE: Gitleaks >= v8.21.0 should use [[rules.allowlists] instead. +[rules.allowlist] +{{ with .MatchCondition }}condition = "{{ . }}" +{{ end -}} +{{- with .Commits }}commits = [ + {{ range $j, $commit := . }}"{{ $commit }}",{{ end }} +]{{ end }} +{{- with .Paths }}paths = [ + {{ range $j, $path := . }}'''{{ $path }}''',{{ end }} +]{{ end }} +{{- with .RegexTarget }}regexTarget = "{{ . }}" +{{ end -}} +{{- with .Regexes }}regexes = [{{ range $i, $regex := . }} + '''{{ $regex }}''',{{ end }} +]{{ end }} +{{- with .StopWords }}stopwords = [{{ range $j, $stopword := . }} + "{{ $stopword }}",{{ end }} +]{{ end }}{{ end }}{{ end }} +{{ else }} {{ with $rule.Allowlists }}{{ range $i, $allowlist := . }}{{ if or $allowlist.Regexes $allowlist.Paths $allowlist.Commits $allowlist.StopWords }} [[rules.allowlists]] -{{ with $allowlist.MatchCondition }}condition = "{{ . }}" +{{ with $allowlist.MatchCondition }}condition = "{{ .String }}" {{ end -}} {{- with $allowlist.Commits }}commits = [ {{ range $j, $commit := . }}"{{ $commit }}",{{ end }} 
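Review bot: The emitted NOTE line has unbalanced brackets — `# NOTE: Gitleaks >= v8.21.0 should use [[rules.allowlists] instead.` should read `[[rules.allowlists]]`, since it names a TOML array-of-tables header, and the same text is rendered into every `[rules.allowlist]` block of config/gitleaks.toml in this commit (hunks @@ -252, @@ -480, @@ -2168, @@ -2354, @@ -2684, @@ -2777). In the new legacy branch `condition = "{{ . }}"` differs from the `condition = "{{ .String }}"` this hunk introduces in the `[[rules.allowlists]]` branch just below; text/template printing should pick up the Stringer either way, but writing `{{ .String }}` in both keeps the two branches identical and stops the output depending on that. Now that `AllowlistMatchOr` is the zero value of an int type, `{{ with .MatchCondition }}` is false for OR, so `condition = "OR"` is no longer emitted in either branch — harmless if OR is the default the loader applies, but worth confirming and recording in the template comment.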
@@ -61,5 +87,5 @@ {{- with $allowlist.StopWords }}stopwords = [{{ range $j, $stopword := . }} "{{ $stopword }}",{{ end }} ]{{ end }}{{ end }}{{ end }} -{{ end }} +{{ end }}{{ end }} {{ end -}} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gitleaks-8.21.0/cmd/generate/config/rules/curl.go new/gitleaks-8.21.1/cmd/generate/config/rules/curl.go --- old/gitleaks-8.21.0/cmd/generate/config/rules/curl.go 1970-01-01 01:00:00.000000000 +0100 +++ new/gitleaks-8.21.1/cmd/generate/config/rules/curl.go 2024-10-18 02:15:30.000000000 +0200 
@@ -0,0 +1,77 @@ +package rules + +import ( + "github.com/zricethezav/gitleaks/v8/cmd/generate/config/utils" + "regexp" + + "github.com/zricethezav/gitleaks/v8/config" +) + +// https://curl.se/docs/manpage.html#-u +func CurlBasicAuth() *config.Rule { + r := config.Rule{ + RuleID: "curl-auth-user", + // TODO: Description: "", + Regex: regexp.MustCompile(`\bcurl\b(?:.*|.*(?:[\r\n]{1,2}.*){1,5})[ \t\n\r](?:-u|--user)[ =](?:("[^:"]{3,}:[^"]{3,}")|('[^:']{3,}:[^']{3,}')|((?:"[^"]{3,}"|'[^']{3,}'|[\w$@.-]+):(?:"[^"]{3,}"|'[^']{3,}'|[\w$@.-]+))|)(?:\s|\z)`), + Keywords: []string{"curl"}, + Allowlists: []config.Allowlist{ + { + Regexes: []*regexp.Regexp{ + regexp.MustCompile(`[^:]+:(changeme|pass(word)?|pwd|\*+|x+)`), // common placeholder passwords + regexp.MustCompile(`<[^>]+>:<[^>]+>|<[^:]+:[^>]+>`), // <placeholder> + regexp.MustCompile(`[^:]+:\[[^]]+]`), // [placeholder] + regexp.MustCompile(`(?i)[^:]+:\$(\d|[a-z]\w+|(\{\d|[a-z]\w+}))`), // $1 or $VARIABLE + }, + }, + }, + } + + // validate + tps := []string{ + // short + `curl --cacert ca.crt -u elastic:P@ssw0rd$1 https://localhost:9200`, // same lines, no quotes + `sh-5.0$ curl -k -X POST https://infinispan:11222/rest/v2/caches/default/hello \ + -H 'Content-type: text/plain' \ + -d 'world' \ + -u developer:yqDVtkqPECriaLRi`, // different line + + // long + `curl --user roger23@gmail.com:pQ9wTxu4Fg https://www.dropbox.com/cli_link?host_id=abcdefg -v`, // same line, no quotes + `curl -s --user 'api:d2LkV78zLx!t' \ + https://api.mailgun.net/v2/sandbox91d3515882ecfaa1c65be642.mailgun.org/messages`, // same line, single quotes + `curl -s -v --user "j.smith:dB2yF6@qL9vZm1P#4J" "https://api.contoso.org/user/me"`, // same line, double quotes + `curl -X POST --user "{acd3c08b-74e8-4f44-a2d0-80694le24f46}":"{ZqL5kVrX1n8tA2}" --header "Accept: application/json" --data "{\"text\":\"Hello, world\",\"source\":\"en\",\"target\":\"es\"}" https://gateway.watsonplatform.net/language-translator/api`, + `curl --user 
kevin:'pRf7vG2h1L8nQkW9' -iX PATCH -H "Content-Type: application/json" -d`, // same line, mixed quoting + `$ curl https://api.dropbox.com/oauth2/token \ + --user c28wlsosanujy2z:qgsnai0xokrw4j1 --data grant_type=authorization_code`, // different line + + // TODO + //` curl -s --insecure --url "imaps://whatever.imap.server" --user\ + //"myuserid:mypassword" --request "STATUS INBOX (UNSEEN)"`, + } + fps := []string{ + // short + ` curl -sL --user "$1:$2" "$3" > "$4"`, // environment variable + `curl -u <user:password> https://test.com/endpoint`, // placeholder + `curl --user neo4j:[PASSWORD] http://[IP]:7474/db/data/`, // placeholder + `curl -u "myusername" http://localhost:15130/api/check_user/`, // no password + + // long + ` curl -sL --user "$GITHUB_USERNAME:$GITHUB_PASSWORD" "$GITHUB_URL" > "$TESTS_PATH"`, // environment variable + `curl http://127.0.0.1:5000/file --user user:pass --digest # digest auth`, // placeholder + ` curl -X GET --insecure --user "username:password" \`, // placeholder + `curl --silent --insecure --user ${f5user}:${f5pass} \`, // placeholder + `curl --insecure --ssl-reqd "smtps://smtp.gmail.com" --mail-from "src@gmail.com" --mail-rcpt "dst@gmail.com" --user "src@gmail.com" --upload-file out.txt`, // no password + + // different command + `#HTTP command line test +curl -X POST -H "Content-Type: application/json" -d '{"id":12345,"geo":{"latitude":28.50,"longitude":-81.14}}' http://<ip>:8080/serve + +#UDP command line test +echo -n '{"type":"serve","channel":"/","data":{"site_id":8,"post_id":12345,"geo":{"lat":28.50,"long":-81.14}}}' >/dev/udp/127.0.0.1/41234 + +#UDP Listener (for confirmation) +nc -u -l 41234`, + } + return utils.Validate(r, tps, fps) +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gitleaks-8.21.0/cmd/generate/config/rules/sumologic.go new/gitleaks-8.21.1/cmd/generate/config/rules/sumologic.go --- old/gitleaks-8.21.0/cmd/generate/config/rules/sumologic.go 2024-10-15 
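Review bot: The placeholder allowlist regexes are unanchored, so `[^:]+:(changeme|pass(word)?|pwd|\*+|x+)` also matches any real credential whose password merely begins with `pass`, `pwd`, `x` or `*` (a constructed example: `user:xylophone42`), and — if allowlist regexes are a partial match against the captured secret, as the README's "|regexes| defaults to check the _Secret_" note suggests — such a finding is silently suppressed; anchoring each pattern to the whole secret (allowing for the quoted forms the main regex captures) and adding a negative case of that shape to `fps` would close the gap. The `$VARIABLE` pattern's inner group `(\{\d|[a-z]\w+})` alternates `\{\d` with `[a-z]\w+}` and looks like it was meant to be `\{(\d|[a-z]\w+)}`; the `fps` cases pass only because the main regex's `[\w$@.-]+` class never admits `{`. `// TODO: Description: ""` ships into the generated config as `description = ""` (gitleaks.toml hunk @@ -252), so a one-line `Description: "Found a curl command with inline basic-auth credentials (-u/--user), which may expose a username and password in scripts or shell history."` is needed to match the other rules. The doc comment on `CurlBasicAuth` is a bare URL; a sentence such as `// CurlBasicAuth detects user:password credentials passed to curl via -u/--user, including across up to five continuation lines.` would state what the regex covers. The import block interleaves `regexp` with the project packages; gofmt-style grouping puts the standard library first.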
02:17:37.000000000 +0200 +++ new/gitleaks-8.21.1/cmd/generate/config/rules/sumologic.go 2024-10-18 02:15:30.000000000 +0200 @@ -26,9 +26,6 @@ RegexTarget: "line", Regexes: []*regexp.Regexp{regexp.MustCompile(`sumOf`)}, }, - { - Paths: []*regexp.Regexp{regexp.MustCompile(`tests/.+$`)}, - }, }, } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gitleaks-8.21.0/config/allowlist.go new/gitleaks-8.21.1/config/allowlist.go --- old/gitleaks-8.21.0/config/allowlist.go 2024-10-15 02:17:37.000000000 +0200 +++ new/gitleaks-8.21.1/config/allowlist.go 2024-10-18 02:15:30.000000000 +0200 @@ -6,13 +6,20 @@ "strings" ) -type AllowlistMatchCondition string +type AllowlistMatchCondition int const ( - AllowlistMatchOr AllowlistMatchCondition = "OR" - AllowlistMatchAnd = "AND" + AllowlistMatchOr AllowlistMatchCondition = iota + AllowlistMatchAnd ) +func (a AllowlistMatchCondition) String() string { + return [...]string{ + "OR", + "AND", + }[a] +} + // Allowlist allows a rule to be ignored for specific // regexes, paths, and/or commits type Allowlist struct { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gitleaks-8.21.0/config/config_test.go new/gitleaks-8.21.1/config/config_test.go --- old/gitleaks-8.21.0/config/config_test.go 2024-10-15 02:17:37.000000000 +0200 +++ new/gitleaks-8.21.1/config/config_test.go 2024-10-18 02:15:30.000000000 +0200 @@ -34,7 +34,7 @@ Keywords: []string{}, Allowlists: []Allowlist{ { - MatchCondition: "OR", + MatchCondition: AllowlistMatchOr, Regexes: []*regexp.Regexp{regexp.MustCompile("123")}, }, }, @@ -68,7 +68,7 @@ Tags: []string{"key", "AWS"}, Allowlists: []Allowlist{ { - MatchCondition: "OR", + MatchCondition: AllowlistMatchOr, Regexes: []*regexp.Regexp{regexp.MustCompile("AKIALALEMEL33243OLIA")}, }, }, 
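Review bot: `String()` indexes a two-element array with the receiver, so any `AllowlistMatchCondition` other than 0 or 1 (an uninitialised or mis-decoded value, should the TOML loader ever produce one) panics with an index-out-of-range inside the trace calls in detect.go rather than logging; a `switch` with a `default` case such as `default: return fmt.Sprintf("AllowlistMatchCondition(%d)", int(a))` (adding `fmt` to the imports) would make it total. How the TOML `condition = "AND"` string is decoded into the new int type is outside this hunk; if unknown strings fall through to the zero value, a typo like `condition = "ANY"` would silently become OR, the looser mode, which deserves a unit test. A comment on the `iota` block stating that the zero value is deliberately OR would also document why the config template can omit `condition` for that case.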
@@ -87,7 +87,7 @@ Tags: []string{"key", "AWS"}, Allowlists: []Allowlist{ { - MatchCondition: "OR", + MatchCondition: AllowlistMatchOr, Commits: []string{"allowthiscommit"}, }, }, @@ -106,7 +106,7 @@ Tags: []string{"key", "AWS"}, Allowlists: []Allowlist{ { - MatchCondition: "OR", + MatchCondition: AllowlistMatchOr, Paths: []*regexp.Regexp{regexp.MustCompile(".go")}, }, }, @@ -184,11 +184,11 @@ Tags: []string{"key", "AWS"}, Allowlists: []Allowlist{ { - MatchCondition: "OR", + MatchCondition: AllowlistMatchOr, StopWords: []string{"fake"}, }, { - MatchCondition: "OR", + MatchCondition: AllowlistMatchOr, Commits: []string{"abcdefg1"}, Paths: []*regexp.Regexp{regexp.MustCompile(`ignore\.xaml`)}, Regexes: []*regexp.Regexp{regexp.MustCompile(`foo.+bar`)}, @@ -212,11 +212,11 @@ Tags: []string{"key", "AWS"}, Allowlists: []Allowlist{ { - MatchCondition: "OR", + MatchCondition: AllowlistMatchOr, StopWords: []string{"fake"}, }, { - MatchCondition: "AND", + MatchCondition: AllowlistMatchAnd, Commits: []string{"abcdefg1"}, Paths: []*regexp.Regexp{regexp.MustCompile(`ignore\.xaml`)}, Regexes: []*regexp.Regexp{regexp.MustCompile(`foo.+bar`)}, @@ -240,7 +240,7 @@ Tags: []string{"key", "AWS"}, Allowlists: []Allowlist{ { - MatchCondition: "OR", + MatchCondition: AllowlistMatchOr, Paths: []*regexp.Regexp{regexp.MustCompile(`something.py`)}, }, }, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gitleaks-8.21.0/config/gitleaks.toml new/gitleaks-8.21.1/config/gitleaks.toml --- old/gitleaks-8.21.0/config/gitleaks.toml 2024-10-15 02:17:37.000000000 +0200 +++ new/gitleaks-8.21.1/config/gitleaks.toml 2024-10-18 02:15:30.000000000 +0200 
@@ -252,6 +252,20 @@ keywords = ["contentful"] [[rules]] +id = "curl-auth-user" +description = "" +regex = '''\bcurl\b(?:.*|.*(?:[\r\n]{1,2}.*){1,5})[ \t\n\r](?:-u|--user)[ =](?:("[^:"]{3,}:[^"]{3,}")|('[^:']{3,}:[^']{3,}')|((?:"[^"]{3,}"|'[^']{3,}'|[\w$@.-]+):(?:"[^"]{3,}"|'[^']{3,}'|[\w$@.-]+))|)(?:\s|\z)''' +keywords = ["curl"] +# NOTE: Gitleaks >= v8.21.0 should use [[rules.allowlists] instead. +[rules.allowlist] +regexes = [ + '''[^:]+:(changeme|pass(word)?|pwd|\*+|x+)''', + '''<[^>]+>:<[^>]+>|<[^:]+:[^>]+>''', + '''[^:]+:\[[^]]+]''', + '''(?i)[^:]+:\$(\d|[a-z]\w+|(\{\d|[a-z]\w+}))''', +] + +[[rules]] id = "databricks-api-token" description = "Uncovered a Databricks API token, which may compromise big data analytics platforms and sensitive data processing." regex = '''(?i)\b(dapi[a-h0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)''' @@ -480,8 +494,8 @@ "auth", "access", ] - -[[rules.allowlists]] +# NOTE: Gitleaks >= v8.21.0 should use [[rules.allowlists] instead. +[rules.allowlist] stopwords = [ "000000", "aaaaaa", @@ -2168,8 +2182,8 @@ regex = '''(?i)(?:\bkind:[ \t]*["']?secret["']?(?:.|\s){0,200}?\bdata:(?:.|\s){0,100}?\s+([\w.-]+:(?:[ \t]*(?:\||>[-+]?)\s+)?[ \t]*(?:["']?[a-z0-9]{10,}={0,3}["']?|\{\{[ \t\w"|$:=,.-]+}}|""|''))|\bdata:(?:.|\s){0,100}?\s+([\w.-]+:(?:[ \t]*(?:\||>[-+]?)\s+)?[ \t]*(?:["']?[a-z0-9]{10,}={0,3}["']?|\{\{[ \t\w"|$:=,.-]+}}|""|''))(?:.|\s){0,200}?\bkind:[ \t]*["']?secret["']?)''' path = '''(?i)\.ya?ml$''' keywords = ["secret"] - -[[rules.allowlists]] +# NOTE: Gitleaks >= v8.21.0 should use [[rules.allowlists] instead. +[rules.allowlist] regexes = [ '''[\w.-]+:(?:[ \t]*(?:\||>[-+]?)\s+)?[ \t]*(?:\{\{[ \t\w"|$:=,.-]+}}|""|'')''', ] @@ -2354,8 +2368,8 @@ path = '''(?i)nuget\.config$''' entropy = 1 keywords = ["<add key="] - -[[rules.allowlists]] +# NOTE: Gitleaks >= v8.21.0 should use [[rules.allowlists] instead. +[rules.allowlist] regexes = [ '''33f!!lloppa''', '''hal\+9ooo_da!sY''', 
@@ -2684,16 +2698,12 @@ regex = '''(?i:(?:sumo)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3})(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}(su[a-zA-Z0-9]{12})(?:['|\"|\n|\r|\s|\x60|;]|$)''' entropy = 3 keywords = ["sumo"] - -[[rules.allowlists]] +# NOTE: Gitleaks >= v8.21.0 should use [[rules.allowlists] instead. +[rules.allowlist] regexTarget = "line" regexes = [ '''sumOf''', ] -[[rules.allowlists]] -paths = [ - '''tests/.+$''', -] [[rules]] id = "sumologic-access-token" @@ -2777,8 +2787,8 @@ "hvs", "s.", ] - -[[rules.allowlists]] +# NOTE: Gitleaks >= v8.21.0 should use [[rules.allowlists] instead. +[rules.allowlist] regexes = [ '''s\.[A-Za-z]{24}''', ] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gitleaks-8.21.0/detect/detect.go new/gitleaks-8.21.1/detect/detect.go --- old/gitleaks-8.21.0/detect/detect.go 2024-10-15 02:17:37.000000000 +0200 +++ new/gitleaks-8.21.1/detect/detect.go 2024-10-18 02:15:30.000000000 +0200 @@ -282,7 +282,7 @@ } if isAllowed { logger.Trace(). - Str("condition", string(a.MatchCondition)). + Str("condition", a.MatchCondition.String()). Bool("commit-allowed", commitAllowed). Bool("path-allowed", commitAllowed). Msg("Skipping fragment due to rule allowlist") @@ -474,7 +474,7 @@ if isAllowed { logger.Trace(). Str("finding", finding.Secret). - Str("condition", string(a.MatchCondition)). + Str("condition", a.MatchCondition.String()). Bool("regex-allowed", regexAllowed). Bool("contains-stopword", containsStopword). Msg("Skipping finding due to rule allowlist") ++++++ gitleaks.obsinfo ++++++ --- /var/tmp/diff_new_pack.PBF6TT/_old 2024-10-20 10:04:31.684112462 +0200 +++ /var/tmp/diff_new_pack.PBF6TT/_new 2024-10-20 10:04:31.688112628 +0200 @@ -1,5 +1,5 @@ name: gitleaks -version: 8.21.0 -mtime: 1728951457 -commit: aabe3815394d24d5b8198ba6068a99e0ba7601b1 +version: 8.21.1 +mtime: 1729210530 +commit: cf5334fd61d16fb4af1362856ebfb98397c5d4b3 ++++++ vendor.tar.gz ++++++
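Review bot: The trace call at detect.go @@ -282 still logs `Bool("path-allowed", commitAllowed)` two lines below the changed one, so the path-allowed field always repeats the commit result and anyone debugging an allowlist decision from trace output reads a wrong value; it presumably should use the path-match variable computed above the hunk (`Bool("path-allowed", pathAllowed)`, or whatever the enclosing function names it — confirm). This is pre-existing rather than introduced here, but the commit already rewrites the adjacent `Str("condition", …)` line, so fixing it in the same change is cheap. The enclosing function begins and ends outside the hunk.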