-
Notifications
You must be signed in to change notification settings - Fork 1.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add explicit warning when an overlap is detected #2929
base: main
Are you sure you want to change the base?
Conversation
f334a37
to
503266e
Compare
@@ -752,7 +779,20 @@ func (e *Engine) verificationOverlapWorker(ctx context.Context) { | |||
continue | |||
} | |||
|
|||
if likelyDuplicate(ctx, key, chunkSecrets) { | |||
if ok, t := likelyDuplicate(ctx, key, chunkSecrets); ok { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Personally, I don't understand the threat model for this feature. It silently skips verification if a result matches more than one detector, which happens frequently during normal operation and can result in valid secrets being skipped.
The notion of a "malicious" detector is confusing — is Truffle adding malicious detectors to TruffleHog? Either this check needs a whitelist of common overlaps (e.g., Azure-related, URL and FTP), or it should only trigger between built-in and custom detectors (IMO).
@@ -633,7 +633,7 @@ func TestLikelyDuplicate(t *testing.T) { | |||
name: "empty strings", | |||
val: chunkSecretKey{"", detectorA.Key}, | |||
dupes: map[chunkSecretKey]struct{}{{"", detectorB.Key}: {}}, | |||
expected: true, | |||
expected: false, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should empty strings be considered duplicates? I guess it makes sense, but I'd initially tweaked the logic for likelyDuplicate
to ignore anything smaller than 3 characters.
adb2b14
to
e9988fa
Compare
ae3db9c
to
582444e
Compare
582444e
to
c3e49e8
Compare
c3e49e8
to
7021992
Compare
5ca7755
to
9dd4a83
Compare
9dd4a83
to
1841161
Compare
099544a
to
030ca35
Compare
030ca35
to
6946367
Compare
6946367
to
a43588c
Compare
a43588c
to
6fca032
Compare
Description:
Similar to #2922, the goal of this change is to provide clear and actionable information if a detection is impacted.
The problem is currently that "verification overlap" doesn't provide useful feedback. Even if you use
--results=unknown
to see the error, it doesn't tell you which detectors overlapped.Checklist:
make test-community
)?make lint
this requires golangci-lint)?