
Merge pull request #941 from galasa-dev/issue-1884-detect-secrets
added test files to detect-secrets and audited the secrets
KirbyKatcher authored Jun 5, 2024
2 parents 9b5ca23 + 239a01b commit 4a45ef0
Showing 16 changed files with 173 additions and 46 deletions.
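--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,6 @@
+repos:
+- repo: https://github.com/ibm/detect-secrets
+rev: 0.13.1+ibm.62.dss
+hooks:
+- id: detect-secrets # pragma: whitelist secret
+args: [--baseline, .secrets.baseline, --use-all-plugins, --fail-on-unaudited]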
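Review bot: `rev: 0.13.1+ibm.62.dss` pins the hook to a git tag, and a tag can be moved or re-pushed upstream, so the hook code fetched at install time is not guaranteed to be the revision that was reviewed here. pre-commit accepts a full commit SHA in `rev`, which makes the fetched code immutable; `pre-commit autoupdate --freeze` rewrites the entry to `rev: <full commit sha>  # frozen: 0.13.1+ibm.62.dss` so the human-readable version is kept alongside. The `--fail-on-unaudited` argument only has teeth while `.secrets.baseline` is committed with every finding audited, which this commit does, so the build-script check that compares `hashed_secret` and `is_secret` counts is the right companion to keep.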
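--- a/.secrets.baseline
+++ b/.secrets.baseline
@@ -0,0 +1,84 @@
+{
+"exclude": {
+"files": "^.secrets.baseline$",
+"lines": null
+},
+"plugins_used": [
+{
+"name": "AWSKeyDetector"
+},
+{
+"name": "ArtifactoryDetector"
+},
+{
+"name": "AzureStorageKeyDetector"
+},
+{
+"base64_limit": 4.5,
+"name": "Base64HighEntropyString"
+},
+{
+"name": "BasicAuthDetector"
+},
+{
+"name": "BoxDetector"
+},
+{
+"name": "CloudantDetector"
+},
+{
+"ghe_instance": "github.ibm.com",
+"name": "GheDetector"
+},
+{
+"name": "GitHubTokenDetector"
+},
+{
+"hex_limit": 3,
+"name": "HexHighEntropyString"
+},
+{
+"name": "IbmCloudIamDetector"
+},
+{
+"name": "IbmCosHmacDetector"
+},
+{
+"name": "JwtTokenDetector"
+},
+{
+"keyword_exclude": null,
+"name": "KeywordDetector"
+},
+{
+"name": "MailchimpDetector"
+},
+{
+"name": "NpmDetector"
+},
+{
+"name": "PrivateKeyDetector"
+},
+{
+"name": "SlackDetector"
+},
+{
+"name": "SoftlayerDetector"
+},
+{
+"name": "SquareOAuthDetector"
+},
+{
+"name": "StripeDetector"
+},
+{
+"name": "TwilioKeyDetector"
+}
+],
+"results": {},
+"version": "0.13.1+ibm.62.dss",
+"word_list": {
+"file": null,
+"hash": null
+}
+}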
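--- a/build-locally.sh
+++ b/build-locally.sh
@@ -78,6 +78,15 @@ Options are:
 EOF
 }
 
+function check_exit_code () {
+# This function takes 3 parameters in the form:
+# $1 an integer value of the returned exit code
+# $2 an error message to display if $1 is not equal to 0
+if [[ "$1" != "0" ]]; then
+error "$2"
+exit 1
+fi
+}
 #-----------------------------------------------------------------------------------------
 # Process parameters
 #-----------------------------------------------------------------------------------------
@@ -185,9 +194,37 @@ function build_code
 info "Using command: ${cmd}"
 $cmd 2>&1 > ${log_file}
 
-rc=$? ; if [[ "${rc}" != "0" ]]; then error "Failed to build ${project} see logs at ${log_file}" ; exit 1 ; fi
+rc=$?
+check_exit_code $rc "Failed to build ${project} see logs at ${log_file}"
 success "Project ${project} built - OK - log is at ${log_file}"
 
 }
 
-build_code
+function check_secrets {
+h2 "updating secrets baseline"
+cd ${BASEDIR}
+detect-secrets scan --update .secrets.baseline
+rc=$?
+check_exit_code $rc "Failed to run detect-secrets. Please check it is installed properly"
+success "updated secrets file"
+
+h2 "running audit for secrets"
+detect-secrets audit .secrets.baseline
+rc=$?
+check_exit_code $rc "Failed to audit detect-secrets."
+
+#Check all secrets have been audited
+secrets=$(grep -c hashed_secret .secrets.baseline)
+audits=$(grep -c is_secret .secrets.baseline)
+if [[ "$secrets" != "$audits" ]]; then
+error "Not all secrets found have been audited"
+exit 1
+fi
+sed -i '' '/[ ]*"generated_at": ".*",/d' .secrets.baseline
+success "secrets audit complete"
+}
+
+
+build_code
+
+check_secrets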
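Review bot: `sed -i '' '/[ ]*"generated_at": ".*",/d' .secrets.baseline` in check_secrets uses the BSD/macOS form of in-place editing; GNU sed takes the empty string as the script and the delete pattern as a file name, so the step fails on Linux builds. A portable form writes through a temporary file: `sed '/[ ]*"generated_at": ".*",/d' .secrets.baseline > .secrets.baseline.tmp && mv .secrets.baseline.tmp .secrets.baseline`. In the first hunk the header comment of check_exit_code says it takes 3 parameters but documents and reads only `$1` and `$2`; change it to `# This function takes 2 parameters in the form:`. `cd ${BASEDIR}` is also unquoted and unchecked, so a failed cd lets the scan and baseline rewrite run in whatever directory the script was started from; `cd "${BASEDIR}" || exit 1` closes that.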
@@ -1,8 +1,8 @@
/*
* Copyright contributors to the Galasa project
*
* SPDX-License-Identifier: EPL-2.0
*/
/*
* Copyright contributors to the Galasa project
*
* SPDX-License-Identifier: EPL-2.0
*/

package dev.galasa.cicsts;

Expand All @@ -14,7 +14,7 @@
* show:<br>
* <code>INTO('A.....')</code><br>
* and in Hex:<br>
* <code>INTO(X'C13456789ABC')</code><br>
* <code>INTO(X'C13456789ABC')</code><br> example hex in javadoc comment //pragma: allowlist secret
* Both representations are available using the {@link #getTextValue()} and {@link #getHexValue()} methods respectively
*/
public interface ICeciResponseOutputValue {
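Review bot: The allowlist marker on `* <code>INTO(X'C13456789ABC')</code><br> example hex in javadoc comment //pragma: allowlist secret` sits inside the `/** … */` block, so the audit note and the pragma become part of the published Javadoc of ICeciResponseOutputValue. detect-secrets can instead record this hex sample as a false positive in `.secrets.baseline` through `detect-secrets audit` (the `is_secret` entries the build script already counts), which keeps the rendered documentation clean. If the inline form is kept, trimming it to `* <code>INTO(X'C13456789ABC')</code><br> <!-- pragma: allowlist secret -->` hides the marker from the generated HTML while leaving it on the flagged line. The interface declaration continues beyond the hunk.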
Expand Up @@ -115,7 +115,7 @@ public void retrieveBearerTokenUnauthorised() throws DockerManagerException, Mal
when(credentialsMock.getUsername()).thenReturn("testUsername");
when(credentialsMock.getPassword()).thenReturn("testPassword");
String user = "testUsername";
String password = "testPassword";
String password = "testPassword"; //unit test mock password //pragma: allowlist secret
when(clientMock.setAuthorisation(user, password)).thenReturn(clientMock);
when(clientMock.build()).thenReturn(clientMock);
// Base64 encoding credentials to replicate private encoding method (generateDockerRegistryAuthStructure)
Expand Up @@ -9,4 +9,4 @@ kind: Secret
metadata:
name: testsecret
data:
test_password: dGVzdHBhc3N3b3Jk
test_password: dGVzdHBhc3N3b3Jk #This is used in in the IVT test only #pragma: allowlist secret
Expand Up @@ -90,7 +90,7 @@ data:
;password =
# Use either URL or the previous fields to configure the database
# Example: mysql://user:secret@host:port/database
# Example: mysql://user:secret@host:port/database #pragma: allowlist secret
;url =
# For "postgres" only, either "disable", "require" or "verify-full"
Expand Down Expand Up @@ -164,7 +164,7 @@ data:
;admin_user = admin
# default admin password, can be changed before first start of grafana, or in profile settings
;admin_password = admin
;admin_password = admin #property is not used as it is commented out #pragma: allowlist secret
# used for signing
;secret_key = SW2YcwTIb9zpOOhoPsMm
Expand Down Expand Up @@ -276,7 +276,7 @@ data:
;enabled = false
;allow_sign_up = true
;client_id = some_id
;client_secret = some_secret
;client_secret = some_secret #property is not used as it is commented out #pragma: allowlist secret
;scopes = user:email,read:org
;auth_url = https://github.com/login/oauth/authorize
;token_url = https://github.com/login/oauth/access_token
Expand All @@ -289,7 +289,7 @@ data:
;enabled = false
;allow_sign_up = true
;client_id = some_client_id
;client_secret = some_client_secret
;client_secret = some_client_secret #property is not used as it is commented out #pragma: allowlist secret
;scopes = https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email
;auth_url = https://accounts.google.com/o/oauth2/auth
;token_url = https://accounts.google.com/o/oauth2/token
Expand All @@ -302,7 +302,7 @@ data:
;name = OAuth
;allow_sign_up = true
;client_id = some_id
;client_secret = some_secret
;client_secret = some_secret #property is not used as it is commented out #pragma: allowlist secret
;scopes = user:email,read:org
;auth_url = https://foo.bar/login/oauth/authorize
;token_url = https://foo.bar/login/oauth/access_token
Expand All @@ -323,7 +323,7 @@ data:
;enabled = false
;allow_sign_up = true
;client_id = some_id
;client_secret = some_secret
;client_secret = some_secret #property is not used as it is commented out #pragma: allowlist secret
;scopes = user:email
;allowed_organizations =
Expand Up @@ -316,7 +316,7 @@ remote_hosts=127.0.0.1
#server.rmi.ssl.keystore.file=rmi_keystore.jks
#
# Password of Keystore
#server.rmi.ssl.keystore.password=changeit
#server.rmi.ssl.keystore.password=changeit #property is not used as it is commented out #pragma: allowlist secret
#
# Key alias
#server.rmi.ssl.keystore.alias=rmi
Expand All @@ -328,7 +328,7 @@ remote_hosts=127.0.0.1
#server.rmi.ssl.truststore.file=rmi_keystore.jks
#
# Password of Trust store
#server.rmi.ssl.truststore.password=changeit
#server.rmi.ssl.truststore.password=changeit #property is not used as it is commented out #pragma: allowlist secret
#
# Set this if you don't want to use SSL for RMI
#server.rmi.ssl.disable= false
Expand Up @@ -78,7 +78,7 @@ public LinuxSharedImage(LinuxManagerImpl manager, String tag, String hostid, Str
throw new LinuxManagerException("useradd of username " + this.username + " failed:-\n" + response);
}

String tempPassword = "ThisIsTheFutureOfTesting";
String tempPassword = "ThisIsTheFutureOfTesting"; //Not a secret but this raises a vulnerability on server side runs. Issue has been raised to correct this //pragma: allowlist secret
for(int i = 0; i < 4; i++) {
tempPassword = tempPassword + Integer.toString(this.random.nextInt(10));
}
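Review bot: The comment added on `String tempPassword = "ThisIsTheFutureOfTesting";` admits the value is a weakness ("Issue has been raised to correct this") but records no tracking reference, so the allowlist pragma will silently outlive the fix; quote the issue in the comment, e.g. `// TODO(<issue id>): fixed prefix plus 4 random digits is a weak temporary password; generate it with SecureRandom //pragma: allowlist secret`. The loop below appends four digits from `this.random`, whose type is declared outside the hunk; if it is `java.util.Random` the suffix is not cryptographically random, so the follow-up fix should draw from `java.security.SecureRandom` and use a longer suffix. The enclosing constructor begins before the hunk.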
Expand Up @@ -90,7 +90,7 @@ public void testGeConvertToDatastream() throws Exception {

System.out.println(hexDatastream);

assertThat(hexDatastream).as("Expected outbound datastream").isEqualTo("7D40401140C1F1F20850F3F4");
assertThat(hexDatastream).as("Expected outbound datastream").isEqualTo("7D40401140C1F1F20850F3F4"); // expected output as a hex code, not a secret //pragma: allowlist secret

}

Expand Up @@ -22,7 +22,7 @@ public class TestColour extends Zos3270TestBase {

public static void main(String[] args) throws DecoderException, Zos3270Exception {

String inbound = "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";
String inbound = "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"; // expected input as a hex code, not a secret //pragma: allowlist secret
byte[] inboundBytes = Hex.decodeHex(inbound);

Network network = new Network("here", 1, "a");
Expand Up @@ -26,7 +26,7 @@ public static void main(String[] args) throws TerminalInterruptedException, Netw

// String inbound = "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";

String inbound1 = "f5c311c5e41311405d290242f1c0f8c3e5c6d4e2f0f140e3c5e2e340d4c1d7e2c5e311c5d21d60c3e4e2e3d6d4c5d940d5e4d4c2c5d97a1dd1f1f1f1f1f1f11df011c7f6290242f1c060d7c1d9e340d5e4d4c2c5d97a1dd1f2f2f2f2f2f2f2f2f2f21df0114ad9290242f1c060d8e4c1d5e3c9e3e87a1dd1f3f3f3f340401df0115a50290242f2c061c3d6d5e3d9d6d340e3c5e2e34040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040";
String inbound1 = "f5c311c5e41311405d290242f1c0f8c3e5c6d4e2f0f140e3c5e2e340d4c1d7e2c5e311c5d21d60c3e4e2e3d6d4c5d940d5e4d4c2c5d97a1dd1f1f1f1f1f1f11df011c7f6290242f1c060d7c1d9e340d5e4d4c2c5d97a1dd1f2f2f2f2f2f2f2f2f2f21df0114ad9290242f1c060d8e4c1d5e3c9e3e87a1dd1f3f3f3f340401df0115a50290242f2c061c3d6d5e3d9d6d340e3c5e2e34040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040"; // expected input as a hex code, not a secret //pragma: allowlist secret
String inbound2 = "f140114040124040";
String inbound3 = "f1c611c26013";
byte[] inbound1Bytes = Hex.decodeHex(inbound1);
@@ -1,8 +1,8 @@
/*
* Copyright contributors to the Galasa project
*
* SPDX-License-Identifier: EPL-2.0
*/
/*
* Copyright contributors to the Galasa project
*
* SPDX-License-Identifier: EPL-2.0
*/
package dev.galasa.zosfile.rseapi.manager.internal;

import java.io.BufferedReader;
Expand Down Expand Up @@ -58,7 +58,7 @@ public class RseapiZosDatasetAttributesListdsi {
private static final String PROP_SYSCREATE = "syscreate";
private static final String PROP_SYSREFDATE = "sysrefdate";
private static final String PROP_SYSEXDATE = "sysexdate";
private static final String PROP_SYSPASSWORD = "syspassword";
private static final String PROP_SYSPASSWORD = "syspassword"; //Not a password but a pointer to a password //pragma: allowlist secret
private static final String PROP_SYSRACFA = "sysracfa";
private static final String PROP_SYSUPDATED = "sysupdated";
private static final String PROP_SYSTRKSCYL = "systrkscyl";
@@ -1,8 +1,8 @@
/*
* Copyright contributors to the Galasa project
*
* SPDX-License-Identifier: EPL-2.0
*/
/*
* Copyright contributors to the Galasa project
*
* SPDX-License-Identifier: EPL-2.0
*/
package dev.galasa.zosfile.zosmf.manager.internal;

import java.io.BufferedReader;
Expand Down Expand Up @@ -61,7 +61,7 @@ public class ZosmfZosDatasetAttributesListdsi {
private static final String PROP_SYSCREATE = "syscreate";
private static final String PROP_SYSREFDATE = "sysrefdate";
private static final String PROP_SYSEXDATE = "sysexdate";
private static final String PROP_SYSPASSWORD = "syspassword";
private static final String PROP_SYSPASSWORD = "syspassword"; //Not a password but a pointer to a password //pragma: allowlist secret
private static final String PROP_SYSRACFA = "sysracfa";
private static final String PROP_SYSUPDATED = "sysupdated";
private static final String PROP_SYSTRKSCYL = "systrkscyl";
@@ -1,8 +1,8 @@
/*
* Copyright contributors to the Galasa project
*
* SPDX-License-Identifier: EPL-2.0
*/
/*
* Copyright contributors to the Galasa project
*
* SPDX-License-Identifier: EPL-2.0
*/
package dev.galasa.zosmf.internal.properties;

import org.junit.Assert;
Expand All @@ -28,7 +28,7 @@ public class TestServerCreds {
//
// private static final String SERVER_ID = "server";
//
// private static final String CREDS = "creds";
// private static final String CREDS = "creds"; commented out unit test //pragma: allowlist secret
//
// @Test
// public void testConstructor() {
@@ -1,8 +1,8 @@
/*
* Copyright contributors to the Galasa project
*
* SPDX-License-Identifier: EPL-2.0
*/
/*
* Copyright contributors to the Galasa project
*
* SPDX-License-Identifier: EPL-2.0
*/
package dev.galasa.zosrseapi.internal.properties;

import org.junit.Assert;
Expand All @@ -28,7 +28,7 @@ public class TestServerCreds {
//
// private static final String SERVER_ID = "server";
//
// private static final String CREDS = "creds";
// private static final String CREDS = "creds"; commented out unit test //pragma: allowlist secret
//
// @Test
// public void testConstructor() {
