Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package gitleaks for openSUSE:Factory checked in at 2024-06-03 17:42:43
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/gitleaks (Old)
and /work/SRC/openSUSE:Factory/.gitleaks.new.24587 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "gitleaks"
Mon Jun 3 17:42:43 2024 rev:4 rq:1178068 version:8.18.3
Changes:
--------
--- /work/SRC/openSUSE:Factory/gitleaks/gitleaks.changes 2024-05-06 17:56:09.317427129 +0200
+++ /work/SRC/openSUSE:Factory/.gitleaks.new.24587/gitleaks.changes 2024-06-03 17:42:51.913711428 +0200
@@ -1,0 +2,19 @@
+Sat Jun 01 15:28:13 UTC 2024 - opensuse_buildservice@ojkastl.de
+
+- Update to version 8.18.3:
+ * extend FB access token discovery (#1407)
+ * tests: scalingo validation consistent test (#1359)
+ * add real (test) standard and restricted keys (#1375)
+ * Add Cloudflare API and Origin CA keys (#1374)
+ * Update "contributing guidelines" link (#1390)
+ * add update token from square (#1370)
+ * feat: facebook secret, access token, and page access token
+ rules (#1372)
+ * update mailchimp with new tokens (#1376)
+ * Append ordered rules when extending (#1304)
+ * fix: age rule id with dashes (#1349)
+ * patching golang.org/x/text for CVE-2021-38561 and
+ CVE-2022-32149 (#1342)
+ * Use latest base images. (#1334)
+
+-------------------------------------------------------------------
@@ -5 +24,2 @@
- * Remove IAM identifiers for non-credential resources in the aws-access-token rule
+ * Remove IAM identifiers for non-credential resources in the
+ aws-access-token rule
@@ -7 +27,2 @@
- * --max-target-megabytes flag now supported for --no-git flag as well
+ * --max-target-megabytes flag now supported for --no-git flag as
+ well
@@ -13,2 +34,4 @@
- * chore(config): refactor to go generate; simplify configRules init
- * pretty apparent 'protect' and 'detect' should be merged into one command
+ * chore(config): refactor to go generate; simplify configRules
+ init
+ * pretty apparent 'protect' and 'detect' should be merged into
+ one command
Old:
----
gitleaks-8.18.2.tar.gz
New:
----
gitleaks-8.18.3.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ gitleaks.spec ++++++
--- /var/tmp/diff_new_pack.fZB3aH/_old 2024-06-03 17:42:53.105755359 +0200
+++ /var/tmp/diff_new_pack.fZB3aH/_new 2024-06-03 17:42:53.109755506 +0200
@@ -1,7 +1,7 @@
#
# spec file for package gitleaks
#
-# Copyright (c) 2023 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
# Copyright (c) 2024 Andreas Stieger
#
# All modifications and additions to the file contributed by third parties
@@ -20,7 +20,7 @@
%define __arch_install_post export NO_BRP_STRIP_DEBUG=true
Name: gitleaks
-Version: 8.18.2
+Version: 8.18.3
Release: 0
Summary: Protect and discover secrets using Gitleaks
License: MIT
++++++ _service ++++++
--- /var/tmp/diff_new_pack.fZB3aH/_old 2024-06-03 17:42:53.157757275 +0200
+++ /var/tmp/diff_new_pack.fZB3aH/_new 2024-06-03 17:42:53.161757423 +0200
@@ -3,7 +3,7 @@
<param name="url">https://github.com/zricethezav/gitleaks</param>
<param name="scm">git</param>
<param name="exclude">.git</param>
- <param name="revision">v8.18.2</param>
+ <param name="revision">v8.18.3</param>
<param name="versionformat">@PARENT_TAG@</param>
<param name="changesgenerate">enable</param>
<param name="versionrewrite-pattern">v(.*)</param>
++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.fZB3aH/_old 2024-06-03 17:42:53.185758307 +0200
+++ /var/tmp/diff_new_pack.fZB3aH/_new 2024-06-03 17:42:53.189758455 +0200
@@ -1,6 +1,6 @@
<servicedata>
<service name="tar_scm">
<param name="url">https://github.com/zricethezav/gitleaks</param>
- <param name="changesrevision">ac4b5146b0f112df989b4374abb2b12799e37cba</param></service></servicedata>
+ <param name="changesrevision">39947b0b0d3f1829438000819c1ba9dbeb023a89</param></service></servicedata>
(No newline at EOF)
++++++ gitleaks-8.18.2.tar.gz -> gitleaks-8.18.3.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gitleaks-8.18.2/Dockerfile new/gitleaks-8.18.3/Dockerfile
--- old/gitleaks-8.18.2/Dockerfile 2024-02-01 15:23:13.000000000 +0100
+++ new/gitleaks-8.18.3/Dockerfile 2024-05-31 22:51:43.000000000 +0200
@@ -1,10 +1,10 @@
-FROM golang:1.19 AS build
+FROM golang:1.21 AS build
WORKDIR /go/src/github.com/zricethezav/gitleaks
COPY . .
RUN VERSION=$(git describe --tags --abbrev=0) && \
CGO_ENABLED=0 go build -o bin/gitleaks -ldflags "-X="github.com/zricethezav/gitleaks/v8/cmd.Version=${VERSION}
-FROM alpine:3.16
+FROM alpine:3.19
RUN apk add --no-cache bash git openssh-client
COPY --from=build /go/src/github.com/zricethezav/gitleaks/bin/* /usr/bin/
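Review bot: `FROM golang:1.21 AS build` and `FROM alpine:3.19` pin mutable tags only; for a tool that CI pipelines run to find leaked credentials, pinning each base image by digest (`golang:1.21@sha256:<digest>`, placeholder) would make the published image reproducible and immune to a tag being repointed. Unchanged context in this hunk, but worth a pass while the file is open: `-ldflags "-X="github.com/zricethezav/gitleaks/v8/cmd.Version=${VERSION}` closes the double quotes right after `-X=` and relies on shell word concatenation; `-ldflags "-X github.com/zricethezav/gitleaks/v8/cmd.Version=${VERSION}"` says the same thing without the trick.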
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gitleaks-8.18.2/README.md new/gitleaks-8.18.3/README.md
--- old/gitleaks-8.18.2/README.md 2024-02-01 15:23:13.000000000 +0100
+++ new/gitleaks-8.18.3/README.md 2024-05-31 22:51:43.000000000 +0200
@@ -382,7 +382,7 @@
]
```
-Refer to the default [gitleaks config](https://github.com/zricethezav/gitleaks/blob/master/config/gitleaks.toml) for examples or follow the [contributing guidelines](https://github.com/zricethezav/gitleaks/blob/master/README.md) if you would like to contribute to the default configuration. Additionally, you can check out [this gitleaks blog post](https://blog.gitleaks.io/stop-leaking-secrets-configuration-2-3-aeed293b1fbf) which covers advanced configuration setups.
+Refer to the default [gitleaks config](https://github.com/zricethezav/gitleaks/blob/master/config/gitleaks.toml) for examples or follow the [contributing guidelines](https://github.com/gitleaks/gitleaks/blob/master/CONTRIBUTING.md) if you would like to contribute to the default configuration. Additionally, you can check out [this gitleaks blog post](https://blog.gitleaks.io/stop-leaking-secrets-configuration-2-3-aeed293b1fbf) which covers advanced configuration setups.
### Additional Configuration
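Review bot: the `contributing guidelines` link now points at the `gitleaks/gitleaks` organisation while the `gitleaks config` link on the same line still points at `zricethezav/gitleaks`; if the repository has moved, both links (and the `_service` URL in this package) should follow, otherwise readers are left guessing which location is canonical.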
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gitleaks-8.18.2/cmd/generate/config/main.go new/gitleaks-8.18.3/cmd/generate/config/main.go
--- old/gitleaks-8.18.2/cmd/generate/config/main.go 2024-02-01 15:23:13.000000000 +0100
+++ new/gitleaks-8.18.3/cmd/generate/config/main.go 2024-05-31 22:51:43.000000000 +0200
@@ -45,6 +45,9 @@
rules.CodecovAccessToken(),
rules.CoinbaseAccessToken(),
rules.Clojars(),
+ rules.CloudflareAPIKey(),
+ rules.CloudflareGlobalAPIKey(),
+ rules.CloudflareOriginCAKey(),
rules.ConfluentAccessToken(),
rules.ConfluentSecretKey(),
rules.Contentful(),
@@ -67,7 +70,9 @@
rules.EasyPost(),
rules.EasyPostTestAPI(),
rules.EtsyAccessToken(),
- rules.Facebook(),
+ rules.FacebookSecret(),
+ rules.FacebookAccessToken(),
+ rules.FacebookPageAccessToken(),
rules.FastlyAPIToken(),
rules.FinicityClientSecret(),
rules.FinicityAPIToken(),
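Review bot: replacing `rules.Facebook()` with three rules also retires the rule ID `facebook` (the `RuleID` change is in the `facebook.go` hunk below); any user config that extends the default and references that ID in an allowlist, or any stored fingerprint that embeds it, silently stops applying after the upgrade. The changelog entry `feat: facebook secret, access token, and page access token rules (#1372)` should flag the ID change as breaking and name the three replacement IDs.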
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gitleaks-8.18.2/cmd/generate/config/rules/age.go new/gitleaks-8.18.3/cmd/generate/config/rules/age.go
--- old/gitleaks-8.18.2/cmd/generate/config/rules/age.go 2024-02-01 15:23:13.000000000 +0100
+++ new/gitleaks-8.18.3/cmd/generate/config/rules/age.go 2024-05-31 22:51:43.000000000 +0200
@@ -10,7 +10,7 @@
// define rule
r := config.Rule{
Description: "Discovered a potential Age encryption tool secret key, risking data decryption and unauthorized access to sensitive information.",
- RuleID: "age secret key",
+ RuleID: "age-secret-key",
Regex: regexp.MustCompile(`AGE-SECRET-KEY-1[QPZRY9X8GF2TVDW0S3JN54KHCE6MUA7L]{58}`),
Keywords: []string{"AGE-SECRET-KEY-1"},
}
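Review bot: `RuleID: "age secret key"` to `"age-secret-key"` is a user-visible identifier change: fingerprints and allowlist entries keyed on the old ID stop matching once this version is installed. The changelog line `fix: age rule id with dashes (#1349)` reads as cosmetic; it should state the old and new IDs so users know to update their ignore files.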
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gitleaks-8.18.2/cmd/generate/config/rules/cloudflare.go new/gitleaks-8.18.3/cmd/generate/config/rules/cloudflare.go
--- old/gitleaks-8.18.2/cmd/generate/config/rules/cloudflare.go 1970-01-01 01:00:00.000000000 +0100
+++ new/gitleaks-8.18.3/cmd/generate/config/rules/cloudflare.go 2024-05-31 22:51:43.000000000 +0200
@@ -0,0 +1,76 @@
+package rules
+
+import (
+ "github.com/zricethezav/gitleaks/v8/config"
+)
+
+var global_keys = []string{
+ `cloudflare_global_api_key = "d3d1443e0adc9c24564c6c5676d679d47e2ca"`, // gitleaks:allow
+ `CLOUDFLARE_GLOBAL_API_KEY: 674538c7ecac77d064958a04a83d9e9db068c`, // gitleaks:allow
+ `cloudflare: "0574b9f43978174cc2cb9a1068681225433c4"`, // gitleaks:allow
+}
+
+var api_keys = []string{
+ `cloudflare_api_key = "Bu0rrK-lerk6y0Suqo1qSqlDDajOk61wZchCkje4"`, // gitleaks:allow
+ `CLOUDFLARE_API_KEY: 5oK0U90ME14yU6CVxV90crvfqVlNH2wRKBwcLWDc`, // gitleaks:allow
+ `cloudflare: "oj9Yoyq0zmOyWmPPob1aoY5YSNNuJ0fbZSOURBlX"`, // gitleaks:allow
+}
+
+var origin_ca_keys = []string{
+ `CLOUDFLARE_ORIGIN_CA: v1.0-aaa334dc886f30631ba0a610-0d98ef66290d7e50aac7c27b5986c99e6f3f1084c881d8ac0eae5de1d1aa0644076ff57022069b3237d19afe60ad045f207ef2b16387ee37b749441b2ae2e9ebe5b4606e846475d4a5`,
+ `CLOUDFLARE_ORIGIN_CA: v1.0-15d20c7fccb4234ac5cdd756-d5c2630d1b606535cf9320ae7456b090e0896cec64169a92fae4e931ab0f72f111b2e4ffed5b2bb40f6fba6b2214df23b188a23693d59ce3fb0d28f7e89a2206d98271b002dac695ed`,
+}
+
+var identifiers = []string{"cloudflare"}
+
+func CloudflareGlobalAPIKey() *config.Rule {
+ // define rule
+ r := config.Rule{
+ Description: "Detected a Cloudflare Global API Key, potentially compromising cloud application deployments and operational security.",
+ RuleID: "cloudflare-global-api-key",
+ Regex: generateSemiGenericRegex(identifiers, hex("37"), true),
+
+ Keywords: identifiers,
+ }
+
+ // validate
+ tps := global_keys
+ fps := append(api_keys, origin_ca_keys...)
+
+ return validate(r, tps, fps)
+}
+
+func CloudflareAPIKey() *config.Rule {
+ // define rule
+ r := config.Rule{
+ Description: "Detected a Cloudflare API Key, potentially compromising cloud application deployments and operational security.",
+ RuleID: "cloudflare-api-key",
+ Regex: generateSemiGenericRegex(identifiers, alphaNumericExtendedShort("40"), true),
+
+ Keywords: identifiers,
+ }
+
+ // validate
+ tps := api_keys
+ fps := append(global_keys, origin_ca_keys...)
+
+ return validate(r, tps, fps)
+}
+
+func CloudflareOriginCAKey() *config.Rule {
+ ca_identifiers := append(identifiers, "v1.0-")
+ // define rule
+ r := config.Rule{
+ Description: "Detected a Cloudflare Origin CA Key, potentially compromising cloud application deployments and operational security.",
+ RuleID: "cloudflare-origin-ca-key",
+ Regex: generateUniqueTokenRegex(`v1\.0-`+hex("24")+"-"+hex("146"), false),
+
+ Keywords: ca_identifiers,
+ }
+
+ // validate
+ tps := origin_ca_keys
+ fps := append(global_keys, api_keys...)
+
+ return validate(r, tps, fps)
+}
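Review bot: the two fixtures in `origin_ca_keys` lack the `// gitleaks:allow` marker that every other fixture in this file carries, so the project's own scan of its source will report them; add the marker for consistency. Two style points: `global_keys`, `api_keys`, `origin_ca_keys` and `identifiers` are package-level `snake_case` names in a package shared by every rule file, and a name as generic as `identifiers` invites a collision with another rule; prefix them (`cloudflareIdentifiers`) or scope them inside the functions. `ca_identifiers := append(identifiers, "v1.0-")` only avoids mutating the shared slice because the literal has no spare capacity; `append([]string{"v1.0-"}, identifiers...)` makes that independence explicit rather than incidental.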
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gitleaks-8.18.2/cmd/generate/config/rules/facebook.go new/gitleaks-8.18.3/cmd/generate/config/rules/facebook.go
--- old/gitleaks-8.18.2/cmd/generate/config/rules/facebook.go 2024-02-01 15:23:13.000000000 +0100
+++ new/gitleaks-8.18.3/cmd/generate/config/rules/facebook.go 2024-05-31 22:51:43.000000000 +0200
@@ -5,11 +5,13 @@
"github.com/zricethezav/gitleaks/v8/config"
)
-func Facebook() *config.Rule {
+// This rule includes both App Secret and Client Access Token
+// https://developers.facebook.com/docs/facebook-login/guides/access-tokens/
+func FacebookSecret() *config.Rule {
// define rule
r := config.Rule{
- Description: "Discovered a Facebook Access Token, posing a risk of unauthorized access to Facebook accounts and personal data exposure.",
- RuleID: "facebook",
+ Description: "Discovered a Facebook Application secret, posing a risk of unauthorized access to Facebook accounts and personal data exposure.",
+ RuleID: "facebook-secret",
Regex: generateSemiGenericRegex([]string{"facebook"}, hex("32"), true),
Keywords: []string{"facebook"},
@@ -18,6 +20,46 @@
// validate
tps := []string{
generateSampleSecret("facebook", secrets.NewSecret(hex("32"))),
+ `facebook_app_secret = "6dca6432e45d933e13650d1882bd5e69"`, // gitleaks:allow
+ `facebook_client_access_token: 26f5fd13099f2c1331aafb86f6489692`, // gitleaks:allow
+ }
+ return validate(r, tps, nil)
+}
+
+// https://developers.facebook.com/docs/facebook-login/guides/access-tokens/#ap...
+func FacebookAccessToken() *config.Rule {
+ // define rule
+ r := config.Rule{
+ Description: "Discovered a Facebook Access Token, posing a risk of unauthorized access to Facebook accounts and personal data exposure.",
+ RuleID: "facebook-access-token",
+ Regex: generateUniqueTokenRegex(`\d{15,16}(\||%)[0-9a-z\-_]{27,40}`, true),
+ }
+
+ // validate
+ tps := []string{
+ `{"access_token":"911602140448729|AY-lRJZq9BoDLobvAiP25L7RcMg","token_type":"bearer"}`, // gitleaks:allow
+ `1308742762612587|rhoK1cbv0DOU_RTX_87O4MkX7AI`, // gitleaks:allow
+ `1477036645700765|wRPf2v3mt2JfMqCLK8n7oltrEmc`, // gitleaks:allow
+ }
+ return validate(r, tps, nil)
+}
+
+// https://developers.facebook.com/docs/facebook-login/guides/access-tokens/#pa...
+func FacebookPageAccessToken() *config.Rule {
+ // define rule
+ r := config.Rule{
+ Description: "Discovered a Facebook Page Access Token, posing a risk of unauthorized access to Facebook accounts and personal data exposure.",
+ RuleID: "facebook-page-access-token",
+ Regex: generateUniqueTokenRegex("EAA[MC]"+alphaNumeric("20,"), true),
+ Keywords: []string{"EAAM", "EAAC"},
+ }
+
+ // validate
+ tps := []string{
+ `EAAM9GOnCB9kBO2frzOAWGN2zMnZClQshlWydZCrBNdodesbwimx1mfVJgqZBP5RSpMfUzWhtjTTXHG5I1UlvlwRZCgjm3ZBVGeTYiqAAoxyED6HaUdhpGVNoPUwAuAWWFsi9OvyYBQt22DGLqMIgD7VktuCTTZCWKasz81Q822FPhMTB9VFFyClNzQ0NLZClt9zxpsMMrUZCo1VU1rL3CKavir5QTfBjfCEzHNlWAUDUV2YZD`, // gitleaks:allow
+ `EAAM9GOnCB9kBO2zXpAtRBmCrsPPjdA3KeBl4tqsEpcYd09cpjm9MZCBIklZBjIQBKGIJgFwm8IE17G5pipsfRBRBEHMWxvJsL7iHLUouiprxKRQfAagw8BEEDucceqxTiDhVW2IZAQNNbf0d1JhcapAGntx5S1Csm4j0GgZB3DuUfI2HJ9aViTtdfH2vjBy0wtpXm2iamevohGfoF4NgyRHusDLjqy91uYMkfrkc`, // gitleaks:allow
+ `- name: FACEBOOK_TOKEN
+ value: "EAACEdEose0cBA1bad3afsf2aew"`, // gitleaks:allow
}
return validate(r, tps, nil)
}
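Review bot: `FacebookAccessToken` defines no `Keywords`, unlike the other two rules in this hunk, so the generated `facebook-access-token` rule cannot be pre-filtered and its regex runs against every fragment scanned; if no stable literal exists because the token starts with a numeric app ID, record that in a comment so the cost is a documented decision rather than an omission. In the pattern `\d{15,16}(\||%)[0-9a-z\-_]{27,40}`, if `%` is meant to cover the URL-encoded separator `%7C`, spell it out as `(\||%7C)`; as written the `7C` is consumed by the token class and counted toward its 27 to 40 length.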
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gitleaks-8.18.2/cmd/generate/config/rules/heroku.go new/gitleaks-8.18.3/cmd/generate/config/rules/heroku.go
--- old/gitleaks-8.18.2/cmd/generate/config/rules/heroku.go 2024-02-01 15:23:13.000000000 +0100
+++ new/gitleaks-8.18.3/cmd/generate/config/rules/heroku.go 2024-05-31 22:51:43.000000000 +0200
@@ -17,6 +17,7 @@
// validate
tps := []string{
`const HEROKU_KEY = "12345678-ABCD-ABCD-ABCD-1234567890AB"`, // gitleaks:allow
+ `heroku_api_key = "832d2129-a846-4e27-99f4-7004b6ad53ef"`, // gitleaks:allow
}
return validate(r, tps, nil)
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gitleaks-8.18.2/cmd/generate/config/rules/mailchimp.go new/gitleaks-8.18.3/cmd/generate/config/rules/mailchimp.go
--- old/gitleaks-8.18.2/cmd/generate/config/rules/mailchimp.go 2024-02-01 15:23:13.000000000 +0100
+++ new/gitleaks-8.18.3/cmd/generate/config/rules/mailchimp.go 2024-05-31 22:51:43.000000000 +0200
@@ -10,7 +10,7 @@
r := config.Rule{
RuleID: "mailchimp-api-key",
Description: "Identified a Mailchimp API key, potentially compromising email marketing campaigns and subscriber data.",
- Regex: generateSemiGenericRegex([]string{"mailchimp"}, `[a-f0-9]{32}-us20`, true),
+ Regex: generateSemiGenericRegex([]string{"MailchimpSDK.initialize", "mailchimp"}, hex("32")+`-us\d\d`, true),
Keywords: []string{
"mailchimp",
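Review bot: `hex("32")+`-us\d\d`` requires exactly two digits after `us`, so keys for single-digit data centres (`-us1` through `-us9`) are not matched; `-us\d{1,2}` covers both. The former `-us20` literal was narrower still, so this is an improvement, but the generated pattern in the `gitleaks.toml` hunk further down inherits the same gap.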
@@ -20,6 +20,12 @@
// validate
tps := []string{
generateSampleSecret("mailchimp", secrets.NewSecret(hex("32"))+"-us20"),
+ `mailchimp_api_key: cefa780880ba5f5696192a34f6292c35-us18`, // gitleaks:allow
+ `MAILCHIMPE_KEY = "b5b9f8e50c640da28993e8b6a48e3e53-us18"`, // gitleaks:allow
}
- return validate(r, tps, nil)
+ fps := []string{
+ // False Negative
+ `MailchimpSDK.initialize(token: 3012a5754bbd716926f99c028f7ea428-us18)`, // gitleaks:allow
+ }
+ return validate(r, tps, fps)
}
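Review bot: the `fps` entry commented `// False Negative` inverts the test's intent: `MailchimpSDK.initialize(token: ...)` is exactly the form the new `MailchimpSDK.initialize` identifier was added to catch, yet the test now asserts that it does not match. It cannot match because the `(` after `initialize` is not in the `[0-9a-z\-_\t .]{0,20}` filler class of the generated regex (visible in the `gitleaks.toml` hunk), so the added identifier is dead weight. Either adjust the pattern so the sample moves to `tps`, or drop the identifier and keep the comment explaining why the form is out of scope.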
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gitleaks-8.18.2/cmd/generate/config/rules/scalingo.go new/gitleaks-8.18.3/cmd/generate/config/rules/scalingo.go
--- old/gitleaks-8.18.2/cmd/generate/config/rules/scalingo.go 2024-02-01 15:23:13.000000000 +0100
+++ new/gitleaks-8.18.3/cmd/generate/config/rules/scalingo.go 2024-05-31 22:51:43.000000000 +0200
@@ -1,8 +1,6 @@
package rules
import (
- "regexp"
-
"github.com/zricethezav/gitleaks/v8/cmd/generate/secrets"
"github.com/zricethezav/gitleaks/v8/config"
)
@@ -12,13 +10,14 @@
r := config.Rule{
Description: "Found a Scalingo API token, posing a risk to cloud platform services and application deployment security.",
RuleID: "scalingo-api-token",
- Regex: regexp.MustCompile(`\btk-us-[a-zA-Z0-9-_]{48}\b`),
+ Regex: generateUniqueTokenRegex(`tk-us-[a-zA-Z0-9-_]{48}`, false),
Keywords: []string{"tk-us-"},
}
// validate
tps := []string{
generateSampleSecret("scalingo", "tk-us-"+secrets.NewSecret(alphaNumericExtendedShort("48"))),
+ `scalingo_api_token = "tk-us-loys7ib9yrxcys_ta2sq85mjar6lgcsspkd9x61s7h5epf_-"`, // gitleaks:allow
}
return validate(r, tps, nil)
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gitleaks-8.18.2/cmd/generate/config/rules/square.go new/gitleaks-8.18.3/cmd/generate/config/rules/square.go
--- old/gitleaks-8.18.2/cmd/generate/config/rules/square.go 2024-02-01 15:23:13.000000000 +0100
+++ new/gitleaks-8.18.3/cmd/generate/config/rules/square.go 2024-05-31 22:51:43.000000000 +0200
@@ -10,13 +10,15 @@
r := config.Rule{
RuleID: "square-access-token",
Description: "Detected a Square Access Token, risking unauthorized payment processing and financial transaction exposure.",
- Regex: generateUniqueTokenRegex(`sq0atp-[0-9A-Za-z\-_]{22}`, true),
- Keywords: []string{"sq0atp-"},
+ Regex: generateUniqueTokenRegex(`(EAAA|sq0atp-)[0-9A-Za-z\-_]{22,60}`, true),
+ Keywords: []string{"sq0atp-", "EAAA"},
}
// validate
tps := []string{
generateSampleSecret("square", secrets.NewSecret(`sq0atp-[0-9A-Za-z\-_]{22}`)),
+ "ARG token=sq0atp-812erere3wewew45678901", // gitleaks:allow
+ "ARG token=EAAAlsBxkkVgvmr7FasTFbM6VUGZ31EJ4jZKTJZySgElBDJ_wyafHuBFquFexY7E", // gitleaks:allow",
}
return validate(r, tps, nil)
}
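Review bot: on the `EAAA...` fixture line the comment ends in a stray `",` (`// gitleaks:allow",`); harmless inside a comment but clearly a paste error, and it makes the line look unterminated at a glance. On the pattern itself: `(EAAA|sq0atp-)[0-9A-Za-z\-_]{22,60}` compiled case-insensitively (the `true` argument, visible as `(?i)` in the toml hunk) means any base64 or URL-safe blob containing `eaaa` in any case followed by 22 or more token characters now matches; if the Square prefix is fixed-case, a case-sensitive match for the `EAAA` alternative would cut that false-positive surface considerably.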
@@ -33,6 +35,7 @@
// validate
tps := []string{
generateSampleSecret("square", secrets.NewSecret(`sq0csp-[0-9A-Za-z\\-_]{43}`)),
+ `value: "sq0csp-0p9h7g6f4s3s3s3-4a3ardgwa6ADRDJDDKUFYDYDYDY"`, // gitleaks:allow
}
return validate(r, tps, nil)
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gitleaks-8.18.2/cmd/generate/config/rules/stripe.go new/gitleaks-8.18.3/cmd/generate/config/rules/stripe.go
--- old/gitleaks-8.18.2/cmd/generate/config/rules/stripe.go 2024-02-01 15:23:13.000000000 +0100
+++ new/gitleaks-8.18.3/cmd/generate/config/rules/stripe.go 2024-05-31 22:51:43.000000000 +0200
@@ -10,15 +10,23 @@
r := config.Rule{
Description: "Found a Stripe Access Token, posing a risk to payment processing services and sensitive financial data.",
RuleID: "stripe-access-token",
- Regex: generateUniqueTokenRegex(`(sk)_(test|live)_[0-9a-z]{10,32}`, true),
+ Regex: generateUniqueTokenRegex(`(sk|rk)_(test|live|prod)_[0-9a-z]{10,99}`, true),
Keywords: []string{
"sk_test",
"sk_live",
+ "sk_prod",
+ "rk_test",
+ "rk_live",
+ "rk_prod",
},
}
// validate
- tps := []string{"stripeToken := \"sk_test_" + secrets.NewSecret(alphaNumeric("30")) + "\""}
+ tps := []string{
+ "stripeToken := \"sk_test_" + secrets.NewSecret(alphaNumeric("30")) + "\"",
+ "sk_test_51OuEMLAlTWGaDypq4P5cuDHbuKeG4tAGPYHJpEXQ7zE8mKK3jkhTFPvCxnSSK5zB5EQZrJsYdsatNmAHGgb0vSKD00GTMSWRHs", // gitleaks:allow
+ "rk_prod_51OuEMLAlTWGaDypquDn9aZigaJOsa9NR1w1BxZXs9JlYsVVkv5XDu6aLmAxwt5Tgun5WcSwQMKzQyqV16c9iD4sx00BRijuoon", // gitleaks:allow
+ }
fps := []string{"nonMatchingToken := \"task_test_" + secrets.NewSecret(alphaNumeric("30")) + "\""}
return validate(r, tps, fps)
}
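Review bot: the `fps` list still holds only the `task_test_` negative; with the prefix group widened to `(sk|rk)` and the length to `{10,99}`, a `pk_test_`-style publishable-key negative would document that publishable keys stay excluded and guard the `\b` boundary against future widening. The two long literals added to `tps` are marked `// gitleaks:allow`, which is right; a one-line comment stating they are synthetic or revoked would save the next reader from having to check.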
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gitleaks-8.18.2/config/allowlist.go new/gitleaks-8.18.3/config/allowlist.go
--- old/gitleaks-8.18.2/config/allowlist.go 2024-02-01 15:23:13.000000000 +0100
+++ new/gitleaks-8.18.3/config/allowlist.go 2024-05-31 22:51:43.000000000 +0200
@@ -14,7 +14,13 @@
// Regexes is slice of content regular expressions that are allowed to be ignored.
Regexes []*regexp.Regexp
- // RegexTarget
+ // Can be `match` or `line`.
+ //
+ // If `match` the _Regexes_ will be tested against the match of the _Rule.Regex_.
+ //
+ // If `line` the _Regexes_ will be tested against the entire line.
+ //
+ // If RegexTarget is empty, it will be tested against the found secret.
RegexTarget string
// Paths is a slice of path regular expressions that are allowed to be ignored.
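Review bot: documentation nit on the new `RegexTarget` comment: the difference between `match` (tested against the match of `Rule.Regex`) and the empty default (tested against the found secret) is the subtle part, since the secret is the capture group of that match rather than the whole match; one clause saying so would prevent users from choosing `match` when they mean the default.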
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gitleaks-8.18.2/config/config.go new/gitleaks-8.18.3/config/config.go
--- old/gitleaks-8.18.2/config/config.go 2024-02-01 15:23:13.000000000 +0100
+++ new/gitleaks-8.18.3/config/config.go 2024-05-31 22:51:43.000000000 +0200
@@ -4,6 +4,7 @@
_ "embed"
"fmt"
"regexp"
+ "sort"
"strings"
"github.com/rs/zerolog/log"
@@ -62,7 +63,7 @@
Keywords []string
// used to keep sarif results consistent
- orderedRules []string
+ OrderedRules []string
}
// Extend is a struct that allows users to define how they want their
@@ -158,7 +159,7 @@
StopWords: vc.Allowlist.StopWords,
},
Keywords: keywords,
- orderedRules: orderedRules,
+ OrderedRules: orderedRules,
}
if maxExtendDepth != extendDepth {
@@ -177,9 +178,9 @@
return c, nil
}
-func (c *Config) OrderedRules() []Rule {
+func (c *Config) GetOrderedRules() []Rule {
var orderedRules []Rule
- for _, id := range c.orderedRules {
+ for _, id := range c.OrderedRules {
if _, ok := c.Rules[id]; ok {
orderedRules = append(orderedRules, c.Rules[id])
}
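Review bot: renaming the method `OrderedRules()` to `GetOrderedRules()` and exporting the field as `OrderedRules` is an API change for anyone importing `config` as a library; the rename is forced because a struct field and a method cannot share a name, but it belongs in the changelog (the `Append ordered rules when extending (#1304)` entry does not mention it). The in-tree caller in `report/sarif.go` is updated in this patch.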
@@ -240,6 +241,7 @@
log.Trace().Msgf("adding %s to base config", ruleID)
c.Rules[ruleID] = rule
c.Keywords = append(c.Keywords, rule.Keywords...)
+ c.OrderedRules = append(c.OrderedRules, ruleID)
}
}
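Review bot: `c.OrderedRules = append(c.OrderedRules, ruleID)` appends unconditionally while `c.Rules[ruleID] = rule` overwrites; if this branch can be reached for a rule ID already present in the base config, the ID appears twice in `OrderedRules` and `GetOrderedRules()` emits the rule twice into the SARIF report. A membership check before the append, or deduplication after the sort in the next hunk, closes that.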
@@ -250,4 +252,7 @@
extensionConfig.Allowlist.Paths...)
c.Allowlist.Regexes = append(c.Allowlist.Regexes,
extensionConfig.Allowlist.Regexes...)
+
+ // sort to keep extended rules in order
+ sort.Strings(c.OrderedRules)
}
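Review bot: `sort.Strings(c.OrderedRules)` makes the order deterministic but lexical, not the definition order that the field's comment (`used to keep sarif results consistent`) suggests; either update the comment to say the order is alphabetical or keep insertion order and sort only the IDs appended from the extension. `sort.Strings` also leaves duplicates in place, so any duplicate appended in the previous hunk survives here.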
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gitleaks-8.18.2/config/gitleaks.toml new/gitleaks-8.18.3/config/gitleaks.toml
--- old/gitleaks-8.18.2/config/gitleaks.toml 2024-02-01 15:23:13.000000000 +0100
+++ new/gitleaks-8.18.3/config/gitleaks.toml 2024-05-31 22:51:43.000000000 +0200
@@ -50,7 +50,7 @@
]
[[rules]]
-id = "age secret key"
+id = "age-secret-key"
description = "Discovered a potential Age encryption tool secret key, risking data decryption and unauthorized access to sensitive information."
regex = '''AGE-SECRET-KEY-1[QPZRY9X8GF2TVDW0S3JN54KHCE6MUA7L]{58}'''
keywords = [
@@ -178,6 +178,30 @@
]
[[rules]]
+id = "cloudflare-api-key"
+description = "Detected a Cloudflare API Key, potentially compromising cloud application deployments and operational security."
+regex = '''(?i)(?:cloudflare)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9_-]{40})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+keywords = [
+ "cloudflare",
+]
+
+[[rules]]
+id = "cloudflare-global-api-key"
+description = "Detected a Cloudflare Global API Key, potentially compromising cloud application deployments and operational security."
+regex = '''(?i)(?:cloudflare)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-f0-9]{37})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+keywords = [
+ "cloudflare",
+]
+
+[[rules]]
+id = "cloudflare-origin-ca-key"
+description = "Detected a Cloudflare Origin CA Key, potentially compromising cloud application deployments and operational security."
+regex = '''\b(v1\.0-[a-f0-9]{24}-[a-f0-9]{146})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+keywords = [
+ "cloudflare","v1.0-",
+]
+
+[[rules]]
id = "codecov-access-token"
description = "Found a pattern resembling a Codecov Access Token, posing a risk of unauthorized access to code coverage reports and sensitive data."
regex = '''(?i)(?:codecov)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
@@ -370,8 +394,21 @@
]
[[rules]]
-id = "facebook"
+id = "facebook-access-token"
description = "Discovered a Facebook Access Token, posing a risk of unauthorized access to Facebook accounts and personal data exposure."
+regex = '''(?i)\b(\d{15,16}(\||%)[0-9a-z\-_]{27,40})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+
+[[rules]]
+id = "facebook-page-access-token"
+description = "Discovered a Facebook Page Access Token, posing a risk of unauthorized access to Facebook accounts and personal data exposure."
+regex = '''(?i)\b(EAA[MC][a-z0-9]{20,})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+keywords = [
+ "eaam","eaac",
+]
+
+[[rules]]
+id = "facebook-secret"
+description = "Discovered a Facebook Application secret, posing a risk of unauthorized access to Facebook accounts and personal data exposure."
regex = '''(?i)(?:facebook)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-f0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
keywords = [
"facebook",
@@ -2237,7 +2274,7 @@
[[rules]]
id = "mailchimp-api-key"
description = "Identified a Mailchimp API key, potentially compromising email marketing campaigns and subscriber data."
-regex = '''(?i)(?:mailchimp)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-f0-9]{32}-us20)(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)(?:MailchimpSDK.initialize|mailchimp)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-f0-9]{32}-us\d\d)(?:['|\"|\n|\r|\s|\x60|;]|$)'''
keywords = [
"mailchimp",
]
@@ -2487,7 +2524,7 @@
[[rules]]
id = "scalingo-api-token"
description = "Found a Scalingo API token, posing a risk to cloud platform services and application deployment security."
-regex = '''\btk-us-[a-zA-Z0-9-_]{48}\b'''
+regex = '''\b(tk-us-[a-zA-Z0-9-_]{48})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
keywords = [
"tk-us-",
]
@@ -2672,9 +2709,9 @@
[[rules]]
id = "square-access-token"
description = "Detected a Square Access Token, risking unauthorized payment processing and financial transaction exposure."
-regex = '''(?i)\b(sq0atp-[0-9A-Za-z\-_]{22})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)\b((EAAA|sq0atp-)[0-9A-Za-z\-_]{22,60})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
keywords = [
- "sq0atp-",
+ "sq0atp-","eaaa",
]
[[rules]]
@@ -2688,9 +2725,9 @@
[[rules]]
id = "stripe-access-token"
description = "Found a Stripe Access Token, posing a risk to payment processing services and sensitive financial data."
-regex = '''(?i)\b((sk)_(test|live)_[0-9a-z]{10,32})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+regex = '''(?i)\b((sk|rk)_(test|live|prod)_[0-9a-z]{10,99})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
keywords = [
- "sk_test","sk_live",
+ "sk_test","sk_live","sk_prod","rk_test","rk_live","rk_prod",
]
[[rules]]
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gitleaks-8.18.2/go.mod new/gitleaks-8.18.3/go.mod
--- old/gitleaks-8.18.2/go.mod 2024-02-01 15:23:13.000000000 +0100
+++ new/gitleaks-8.18.3/go.mod 2024-05-31 22:51:43.000000000 +0200
@@ -41,7 +41,7 @@
github.com/subosito/gotenv v1.2.0 // indirect
golang.org/x/sync v0.0.0-20210220032951-036812b2e83c // indirect
golang.org/x/sys v0.6.0 // indirect
- golang.org/x/text v0.3.6 // indirect
+ golang.org/x/text v0.3.8 // indirect
gopkg.in/ini.v1 v1.62.0 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect
gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect
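Review bot: the bump of `golang.org/x/text` from v0.3.6 to v0.3.8 matches the changelog entry `patching golang.org/x/text for CVE-2021-38561 and CVE-2022-32149 (#1342)`: v0.3.7 fixed the first and v0.3.8 the second, so v0.3.8 is the minimum that covers both. The dependency is `// indirect`, and the vendored package list in `vendor/modules.txt` further down contains only `transform` and `unicode/norm`, not the `language` package where both CVEs live, so the binary was most likely never exposed; the upgrade is still the right hygiene move, and saying so in the changelog would keep the entry from overstating the risk.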
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gitleaks-8.18.2/go.sum new/gitleaks-8.18.3/go.sum
--- old/gitleaks-8.18.2/go.sum 2024-02-01 15:23:13.000000000 +0100
+++ new/gitleaks-8.18.3/go.sum 2024-05-31 22:51:43.000000000 +0200
@@ -448,8 +448,9 @@
golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.6 h1:aRYxNxv6iGQlyVaZmk6ZgYEDa+Jg18DxebPSrd6bg1M=
golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.8 h1:nAL+RVCQ9uMn3vJZbV+MRnydTJFPf8qqY42YiA6MrqY=
+golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ=
golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gitleaks-8.18.2/report/sarif.go new/gitleaks-8.18.3/report/sarif.go
--- old/gitleaks-8.18.2/report/sarif.go 2024-02-01 15:23:13.000000000 +0100
+++ new/gitleaks-8.18.3/report/sarif.go 2024-05-31 22:51:43.000000000 +0200
@@ -55,7 +55,7 @@
func getRules(cfg config.Config) []Rules {
// TODO for _, rule := range cfg.Rules {
var rules []Rules
- for _, rule := range cfg.OrderedRules() {
+ for _, rule := range cfg.GetOrderedRules() {
shortDescription := ShortDescription{
Text: rule.Description,
}
++++++ vendor.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vendor/golang.org/x/text/AUTHORS new/vendor/golang.org/x/text/AUTHORS
--- old/vendor/golang.org/x/text/AUTHORS 2024-05-05 17:19:32.000000000 +0200
+++ new/vendor/golang.org/x/text/AUTHORS 1970-01-01 01:00:00.000000000 +0100
@@ -1,3 +0,0 @@
-# This source code refers to The Go Authors for copyright purposes.
-# The master list of authors is in the main Go distribution,
-# visible at http://tip.golang.org/AUTHORS.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vendor/golang.org/x/text/CONTRIBUTORS new/vendor/golang.org/x/text/CONTRIBUTORS
--- old/vendor/golang.org/x/text/CONTRIBUTORS 2024-05-05 17:19:32.000000000 +0200
+++ new/vendor/golang.org/x/text/CONTRIBUTORS 1970-01-01 01:00:00.000000000 +0100
@@ -1,3 +0,0 @@
-# This source code was written by the Go contributors.
-# The master list of contributors is in the main Go distribution,
-# visible at http://tip.golang.org/CONTRIBUTORS.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vendor/golang.org/x/text/unicode/norm/forminfo.go new/vendor/golang.org/x/text/unicode/norm/forminfo.go
--- old/vendor/golang.org/x/text/unicode/norm/forminfo.go 2024-05-05 17:19:32.000000000 +0200
+++ new/vendor/golang.org/x/text/unicode/norm/forminfo.go 2024-06-01 17:28:17.000000000 +0200
@@ -110,10 +110,11 @@
}
// We pack quick check data in 4 bits:
-// 5: Combines forward (0 == false, 1 == true)
-// 4..3: NFC_QC Yes(00), No (10), or Maybe (11)
-// 2: NFD_QC Yes (0) or No (1). No also means there is a decomposition.
-// 1..0: Number of trailing non-starters.
+//
+// 5: Combines forward (0 == false, 1 == true)
+// 4..3: NFC_QC Yes(00), No (10), or Maybe (11)
+// 2: NFD_QC Yes (0) or No (1). No also means there is a decomposition.
+// 1..0: Number of trailing non-starters.
//
// When all 4 bits are zero, the character is inert, meaning it is never
// influenced by normalization.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vendor/golang.org/x/text/unicode/norm/normalize.go new/vendor/golang.org/x/text/unicode/norm/normalize.go
--- old/vendor/golang.org/x/text/unicode/norm/normalize.go 2024-05-05 17:19:32.000000000 +0200
+++ new/vendor/golang.org/x/text/unicode/norm/normalize.go 2024-06-01 17:28:17.000000000 +0200
@@ -18,16 +18,17 @@
// A Form denotes a canonical representation of Unicode code points.
// The Unicode-defined normalization and equivalence forms are:
//
-// NFC Unicode Normalization Form C
-// NFD Unicode Normalization Form D
-// NFKC Unicode Normalization Form KC
-// NFKD Unicode Normalization Form KD
+// NFC Unicode Normalization Form C
+// NFD Unicode Normalization Form D
+// NFKC Unicode Normalization Form KC
+// NFKD Unicode Normalization Form KD
//
// For a Form f, this documentation uses the notation f(x) to mean
// the bytes or string x converted to the given form.
// A position n in x is called a boundary if conversion to the form can
// proceed independently on both sides:
-// f(x) == append(f(x[0:n]), f(x[n:])...)
+//
+// f(x) == append(f(x[0:n]), f(x[n:])...)
//
// References: https://unicode.org/reports/tr15/ and
// https://unicode.org/notes/tn5/.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vendor/golang.org/x/text/unicode/norm/tables13.0.0.go new/vendor/golang.org/x/text/unicode/norm/tables13.0.0.go
--- old/vendor/golang.org/x/text/unicode/norm/tables13.0.0.go 2024-05-05 17:19:32.000000000 +0200
+++ new/vendor/golang.org/x/text/unicode/norm/tables13.0.0.go 2024-06-01 17:28:17.000000000 +0200
@@ -7315,7 +7315,7 @@
"\x00V\x03\x03\x00\x00\x1e|" + // 0x00560303: 0x00001E7C
"\x00v\x03\x03\x00\x00\x1e}" + // 0x00760303: 0x00001E7D
"\x00V\x03#\x00\x00\x1e~" + // 0x00560323: 0x00001E7E
- "\x00v\x03#\x00\x00\x1e\u007f" + // 0x00760323: 0x00001E7F
+ "\x00v\x03#\x00\x00\x1e\x7f" + // 0x00760323: 0x00001E7F
"\x00W\x03\x00\x00\x00\x1e\x80" + // 0x00570300: 0x00001E80
"\x00w\x03\x00\x00\x00\x1e\x81" + // 0x00770300: 0x00001E81
"\x00W\x03\x01\x00\x00\x1e\x82" + // 0x00570301: 0x00001E82
@@ -7342,7 +7342,7 @@
"\x00t\x03\b\x00\x00\x1e\x97" + // 0x00740308: 0x00001E97
"\x00w\x03\n\x00\x00\x1e\x98" + // 0x0077030A: 0x00001E98
"\x00y\x03\n\x00\x00\x1e\x99" + // 0x0079030A: 0x00001E99
- "\x01\u007f\x03\a\x00\x00\x1e\x9b" + // 0x017F0307: 0x00001E9B
+ "\x01\x7f\x03\a\x00\x00\x1e\x9b" + // 0x017F0307: 0x00001E9B
"\x00A\x03#\x00\x00\x1e\xa0" + // 0x00410323: 0x00001EA0
"\x00a\x03#\x00\x00\x1e\xa1" + // 0x00610323: 0x00001EA1
"\x00A\x03\t\x00\x00\x1e\xa2" + // 0x00410309: 0x00001EA2
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vendor/modules.txt new/vendor/modules.txt
--- old/vendor/modules.txt 2024-05-05 17:19:32.000000000 +0200
+++ new/vendor/modules.txt 2024-06-01 17:28:17.000000000 +0200
@@ -116,8 +116,8 @@
golang.org/x/sys/internal/unsafeheader
golang.org/x/sys/unix
golang.org/x/sys/windows
-# golang.org/x/text v0.3.6
-## explicit; go 1.11
+# golang.org/x/text v0.3.8
+## explicit; go 1.17
golang.org/x/text/transform
golang.org/x/text/unicode/norm
# gopkg.in/ini.v1 v1.62.0