-
Notifications
You must be signed in to change notification settings - Fork 1.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base trufflehog hashes on file_path and payload #9899
Conversation
Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.
Note 🟢 Risk threshold not exceeded. Change Summary (click to expand)The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective. Summary: The code changes in this pull request focus on improving the integration between the DefectDojo application and the Trufflehog security scanner. The key changes include:
To address the security concerns introduced by the changes to the
By addressing these security considerations, the application security team can ensure that the changes to the DefectDojo application do not introduce additional security risks while still providing the benefits of improved integration with the Trufflehog security scanner. Files Changed:
Powered by DryRun Security |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's a great idea. Thanks for proposing that change!
@@ -193,7 +193,8 @@ def get_findings_v3(self, data, test): | |||
url="N/A", | |||
dynamic_finding=False, | |||
static_finding=True, | |||
nb_occurences=1 | |||
nb_occurences=1, | |||
payload=rawV2 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am not seeing rawV2
used in any of the unit test files. Is this a new field? Would there be any concern for folks using older versions of truffle hog without rawV2
in their scan reports? In those cases, the only field that would be used for deduplication would be the file path
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@Maffooch I had a further look on that, another way to do this would be using url
.
This field can be completed using Trufflehog v2 and Trufflehog v3.
Furthermore it's unique as it contains path
, commit_hash
and line_number
.
We can also add the component_name
to make sure we add no regression from before.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
With this update we make sure that any further change from Trufflehog or on the default description won't impact issue duplications
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As url
was left empty until now, projects might have issues when upgrading DefectDojo.
@Maffooch is there a migration mechanism so that I can write a script to fill url
field for existing findings?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've created a new PR here:
#10118
Closing since #10118 was opened |
This pull request has conflicts, please resolve those before we can evaluate the pull request. |
Hmm, must have gotten distracted. Closing for real this time. |
Description
Hashes based on description are not suitable on a long-term basis. Any change from Trufflehog or DefectDojo contributors to add/delete/modify fields in the description will lead to duplicates.
Currently, the best way to deduplicate findings is to consider
file_path
andpayload
fields.That ensures a new finding is created each time a secret is introduced in a file.
Checklist
This checklist is for your information.
dev
.dev
.Extra information
Please clear everything below when submitting your pull request, it's here purely for your information.
Moderators: Labels currently accepted for PRs:
Contributors: Git Tips
Rebase on dev branch
If the dev branch has changed since you started working on it, please rebase your work after the current dev.
On your working branch
mybranch
:In case of conflict:
When everything's fine on your local branch, force push to your
myOrigin
remote:To cancel everything:
Squashing commits
pick
byfixup
on the commits you want squashed outpick
byreword
on the first commit if you want to change the commit messageForce push to your
myOrigin
remote: