feat(detectors): add RSA SecurID software token detector #5106
momomuchu wants to merge 2 commits into
Force-push: 3c57a83 to db29e15
Cursor Bugbot has reviewed your changes and found 1 potential issue.
There are 2 total unresolved issues (including 1 from previous review).
Reviewed by Cursor Bugbot for commit db29e15.
| DetectorType_PgAnalyzeReadKey DetectorType = 1054 | ||
| DetectorType_RedHatPyxis DetectorType = 1055 | ||
| DetectorType_OctopusDeploy DetectorType = 1056 | ||
| DetectorType_RSASecurID DetectorType = 1058 |
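Review bot: the new constant is assigned 1058, which skips 1057 after `DetectorType_OctopusDeploy DetectorType = 1056` and does not agree with the first commit message (which says RSASecurID is 1057) or the later summary (1059). Pick one value, use it in proto/detector_type.proto, the generated constant and the name/value maps, and regenerate the descriptor so the enum number and its String() name stay consistent everywhere.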
Stale descriptor blob breaks String() for new enum
High Severity
The Go constant and DetectorType_name/DetectorType_value maps were manually updated for RSASecurID, but the file_detector_type_proto_rawDesc binary descriptor blob was not regenerated. The String() method uses protoimpl.X.EnumStringOf which resolves names from the descriptor, not the name map. As a result, DetectorType_RSASecurID.String() returns "1058" instead of "RSASecurID", affecting engine logging, JSON output, GitHub Actions output, and dedup hashing.
Additional Locations (2)
rajpratham1
left a comment
Good addition overall, but I think the Cursor finding is valid. contextPat recognizes both `<TKNBatch>` and `<TKNBasic>`, whereas Keywords() only returns "TKNBatch" and "sdtid". Since the Aho-Corasick prefilter gates execution of FromData, a valid token containing only `<TKNBasic>` may never be scanned. Could you add "TKNBasic" to Keywords() (or otherwise align the prefilter with contextPat) so all supported formats are reachable?
…fflesecurity#4395

Detects RSA SecurID software tokens distributed as .sdtid XML files. A token export contains a <SN> element (12-digit serial number) and a <Seed> element (the TOTP seed, either a 128-bit hex value or an AES-encrypted seed in base64). Possession of the seed lets an attacker generate valid one-time passcodes, so both parts are emitted as a multi-part credential (serial + seed).

False-positive defense: results are only emitted when an RSA SecurID structural marker (<TKNBatch>, <TKNBasic>, or the .sdtid extension) is present, so generic XML containing unrelated <SN>/<Seed> elements is not reported. The serial must be exactly 12 digits and the seed at least 16 characters.

No public endpoint can validate a software token, so results are unverified.

Registers the detector in pkg/engine/defaults and adds the RSASecurID (1057) enum to proto/detector_type.proto and the generated detector_typepb constants/maps.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
… tokens are scanned — review feedback trufflesecurity#5106

contextPat matches <TKNBatch, <TKNBasic and .sdtid, but Keywords() only advertised "TKNBatch" and "sdtid". The Aho-Corasick prefilter gates FromData on Keywords(), so a token whose only structural marker is <TKNBasic> (no TKNBatch/sdtid literal) was dropped before ever being scanned. Add "TKNBasic" so every literal in contextPat has a covering keyword.

Adds a BDD given/when/then test proving a <TKNBasic>-only token is now detected end-to-end through the real prefilter path, plus a structural test asserting every contextPat marker has a matching keyword. Existing negative controls unchanged.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Force-push: db29e15 to 73453d4
Description
Closes #4395.
Adds a detector for RSA SecurID software tokens distributed as `.sdtid` XML files. Each token export contains a `<SN>` serial (12 digits) and a `<Seed>` TOTP seed (128-bit hex, or an AES-encrypted seed in base64). The seed lets an attacker generate valid one-time passcodes and defeat the MFA factor, so both parts are reported as a multi-part credential (serial + seed).
Detection rationale
- `<SN>(\d{12})</SN>` and `<Seed>([A-Za-z0-9+/]{16,}={0,2})</Seed>` must both be present.
- A structural marker (`<TKNBatch>`, `<TKNBasic>`, or `.sdtid`) must be present before emitting, so generic XML with unrelated `<SN>`/`<Seed>` elements is not flagged. This is the primary false-positive defense.
- Results are reported as unverified.
Test coverage
8 pattern cases: 2 positive (hex seed, base64/encrypted seed) and 6 negative (SN only, Seed only, wrong element names, short seed, wrong-length serial, missing structural marker). All synthetic/fake values — no real token material.
Note on generated protobuf
`proto/detector_type.proto` is updated with the new `RSASecurID` enum, and the generated `detector_type.pb.go` carries the matching constant + name/value map entries so the package builds and the enum resolves. The embedded descriptor blob was not regenerated (the `make protos` toolchain runs in a pinned Docker image unavailable in my environment). Running `make protos` before merge will regenerate it cleanly from the updated proto source.
Checklist
- `go test ./pkg/detectors/rsasecurid/...` passing
- `go vet` / `gofmt` clean
- Registered in `pkg/engine/defaults`
Note
Low Risk
Additive secret scanner with tests and structural guards; no changes to auth or runtime behavior beyond new findings.
Overview
Adds a new RSA SecurID detector for `.sdtid` XML exports: it only fires when SecurID structure markers (`TKNBatch`, `TKNBasic`, or `.sdtid`) are present together with a 12-digit `<SN>` and a `<Seed>` (hex or base64). Findings are emitted as a multi-part credential (serial+seed) with no verification (no public validation API). `Keywords()` aligns with those structural markers so the Aho–Corasick prefilter does not skip `<TKNBasic>`-only blobs. Tests cover positive/negative patterns plus prefilter/keyword coverage.
The scanner is wired into default detectors and `DetectorType_RSASecurID` (1059) is added in `proto/detector_type.proto` and the generated Go maps (full `make protos` may still be needed for the embedded descriptor).
Reviewed by Cursor Bugbot for commit 73453d4.
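The detection rules from the description and the keyword/prefilter alignment raised in rajpratham1's review, put into runnable form as an added example. This is not trufflehog's code: the real detector interface, engine and Aho-Corasick prefilter are not used, and the function names, the `markers` list, the case-insensitive keyword gate and the two XML samples are hypothetical or constructed here. The block shows why a `<TKNBasic>`-only export was unreachable with the old keyword list, that the fixed list reaches it, and a structural check that every marker literal has a covering keyword.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// markers are the structural literals the PR's contextPat recognizes. contextPat is built
// from this list so the coverage check below cannot drift from the regex (hypothetical layout).
var markers = []string{"<TKNBatch", "<TKNBasic", ".sdtid"}

var (
	contextPat = regexp.MustCompile(quoteAlternatives(markers))
	snPat      = regexp.MustCompile(`<SN>(\d{12})</SN>`)
	seedPat    = regexp.MustCompile(`<Seed>([A-Za-z0-9+/]{16,}={0,2})</Seed>`)
)

// quoteAlternatives joins literals into an alternation, escaping the "." in ".sdtid".
func quoteAlternatives(lits []string) string {
	quoted := make([]string, len(lits))
	for i, l := range lits {
		quoted[i] = regexp.QuoteMeta(l)
	}
	return strings.Join(quoted, "|")
}

// Keywords mirrors the PR after review: every marker literal has a covering keyword.
func Keywords() []string { return []string{"TKNBatch", "TKNBasic", "sdtid"} }

// Finding pairs the serial (what an operator needs to revoke the token) with the seed
// (what an attacker needs to mint passcodes); both are reported, as in the PR.
type Finding struct{ Serial, Seed string }

// prefilterPasses models the engine's keyword gate: FromData only runs when at least one
// keyword occurs in the chunk (compared case-insensitively in this example).
func prefilterPasses(keywords []string, data string) bool {
	lower := strings.ToLower(data)
	for _, k := range keywords {
		if strings.Contains(lower, strings.ToLower(k)) {
			return true
		}
	}
	return false
}

// FromData applies the structural-marker gate, then pairs every serial with every seed.
func FromData(data string) []Finding {
	if !contextPat.MatchString(data) {
		return nil // generic XML with stray <SN>/<Seed> elements stops here
	}
	seen := map[Finding]bool{}
	var out []Finding
	for _, sn := range snPat.FindAllStringSubmatch(data, -1) {
		for _, seed := range seedPat.FindAllStringSubmatch(data, -1) {
			f := Finding{Serial: sn[1], Seed: seed[1]}
			if !seen[f] {
				seen[f] = true
				out = append(out, f)
			}
		}
	}
	return out
}

// ScanWith runs the prefilter with a given keyword list, then FromData: the end-to-end
// path that the review's BDD test exercises.
func ScanWith(keywords []string, data string) []Finding {
	if !prefilterPasses(keywords, data) {
		return nil
	}
	return FromData(data)
}

// UncoveredMarkers is the structural check from review: marker literals that no keyword
// would let through the prefilter. A non-empty result means valid tokens are unreachable.
func UncoveredMarkers(keywords []string) []string {
	var uncovered []string
	for _, m := range markers {
		if !prefilterPasses(keywords, m) {
			uncovered = append(uncovered, m)
		}
	}
	return uncovered
}

// Constructed sample: a <TKNBasic>-only export with a fake serial and a fake hex seed.
const sampleTKNBasicOnly = `<?xml version="1.0"?>
<TKNBasic>
  <SN>123456789012</SN>
  <Seed>0123456789abcdef0123456789abcdef</Seed>
</TKNBasic>`

// Constructed negative control: unrelated XML that happens to reuse the element names.
const sampleGenericXML = `<Device><SN>123456789012</SN><Seed>0123456789abcdef0123456789abcdef</Seed></Device>`

func main() {
	before := []string{"TKNBatch", "sdtid"} // keyword list before the review fix
	fmt.Println("uncovered markers before fix:", UncoveredMarkers(before))
	fmt.Println("findings before fix:", len(ScanWith(before, sampleTKNBasicOnly)))
	fmt.Println("findings after fix:", ScanWith(Keywords(), sampleTKNBasicOnly))
	fmt.Println("generic XML findings:", len(ScanWith(Keywords(), sampleGenericXML)))
}
```

Building `contextPat` from the same list that `UncoveredMarkers` iterates is the design choice worth keeping: the structural test then fails the moment someone adds a marker to the regex without a matching keyword, which is exactly the drift the review caught.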