diff --git a/credsweeper/common/constants.py b/credsweeper/common/constants.py index 1ab14714f..b837e7381 100644 --- a/credsweeper/common/constants.py +++ b/credsweeper/common/constants.py @@ -140,3 +140,7 @@ class DiffRowType(Enum): # default value for config and ValuePemPatternCheck DEFAULT_PEM_PATTERN_LEN = 5 + +# PEM x509 patterns +PEM_BEGIN_PATTERN = "-----BEGIN" +PEM_END_PATTERN = "-----END" diff --git a/credsweeper/rules/config.yaml b/credsweeper/rules/config.yaml index 32d6ec45e..3240bee13 100644 --- a/credsweeper/rules/config.yaml +++ b/credsweeper/rules/config.yaml @@ -270,14 +270,14 @@ - src - doc -- name: PEM Certificate +- name: PEM Private Key severity: high type: pem_key values: - - (?P-----BEGIN\s(?!ENCRYPTED|EC).*PRIVATE) + - (?P-----BEGIN\s(?!ENCRYPTED|EC)[^-]*PRIVATE[^-]*KEY[^-]*-----) filter_type: - LineSpecificKeyCheck - min_line_len: 20 + min_line_len: 27 usage_list: - src - doc diff --git a/credsweeper/scanner/scanner.py b/credsweeper/scanner/scanner.py index 530d8e169..2ee107d73 100644 --- a/credsweeper/scanner/scanner.py +++ b/credsweeper/scanner/scanner.py @@ -4,7 +4,7 @@ from credsweeper.app import APP_PATH from credsweeper.common.constants import RuleType, MIN_VARIABLE_LENGTH, MIN_SEPARATOR_LENGTH, MIN_VALUE_LENGTH, \ - MAX_LINE_LENGTH, Separator + MAX_LINE_LENGTH, Separator, PEM_BEGIN_PATTERN from credsweeper.config import Config from credsweeper.credentials import Candidate from credsweeper.file_handler.analysis_target import AnalysisTarget 
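Review bot: The comment `# PEM x509 patterns` above the two new constants mislabels them: `-----BEGIN` and `-----END` are the generic PEM encapsulation-boundary prefixes from RFC 7468, used for private keys, certificates and anything else PEM-armored, and the only consumer this diff adds is the private-key pre-filter in scanner.py. I would replace it with `# PEM encapsulation boundary prefixes (RFC 7468): "-----BEGIN <label>-----" / "-----END <label>-----"`. `PEM_END_PATTERN` is not referenced anywhere in this diff; if it is reserved for a follow-up change, a short comment saying so would stop a linter or the next reviewer from treating it as dead code.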
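Review bot: The negative lookahead `(?!ENCRYPTED|EC)` kept in the new `PEM Private Key` regex still skips `-----BEGIN EC PRIVATE KEY-----`, so an unencrypted SEC1 EC private key committed in plaintext is not reported by this rule even though it is exactly as sensitive as an RSA or PKCS#8 key; unless another rule in config.yaml (not visible here) covers that header, this is a detection gap. The `EC` alternative is also unanchored, so any label beginning with those two letters is excluded, not just `EC PRIVATE KEY`. If the intent is only to skip password-protected PKCS#8 keys, replacing the lookahead with `(?!ENCRYPTED\s)` does that; if EC keys are intentionally routed to a different rule, a YAML comment naming it would document the choice. `min_line_len: 27` is the length of `-----BEGIN PRIVATE KEY-----`, the shortest header the regex can now match, and a comment stating that would keep the two values from drifting apart.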
@@ -102,7 +102,7 @@ def _select_and_group_targets(self, targets: List[AnalysisTarget]) -> Tuple[Targ if target_line_trimmed_len >= self.min_pattern_len: pattern_targets.append((target, target_line_trimmed_lower, target_line_trimmed_len)) # Check if have "BEGIN" substring. Cannot otherwise ba matched as a PEM key - if target_line_trimmed_len >= self.min_pem_key_len and "BEGIN" in target_line_trimmed: + if target_line_trimmed_len >= self.min_pem_key_len and PEM_BEGIN_PATTERN in target_line_trimmed: pem_targets.append((target, target_line_trimmed_lower, target_line_trimmed_len)) return keyword_targets, pattern_targets, pem_targets diff --git a/tests/data/depth_3.json b/tests/data/depth_3.json index a789f837d..878e9c89c 100644 --- a/tests/data/depth_3.json +++ b/tests/data/depth_3.json @@ -1479,7 +1479,7 @@ "api_validation": "NOT_AVAILABLE", "ml_validation": "NOT_AVAILABLE", "ml_probability": null, - "rule": "PEM Certificate", + "rule": "PEM Private Key", "severity": "high", "line_data_list": [ { @@ -1487,7 +1487,7 @@ "line_num": 1, "path": "tests/samples/pem_key", "info": "tests/samples/pem_key|RAW", - "value": "-----BEGIN RSA PRIVATE", + "value": "-----BEGIN RSA PRIVATE KEY-----", "variable": null, "entropy_validation": false } @@ -1497,7 +1497,7 @@ "api_validation": "NOT_AVAILABLE", "ml_validation": "NOT_AVAILABLE", "ml_probability": null, - "rule": "PEM Certificate", + "rule": "PEM Private Key", "severity": "high", "line_data_list": [ { @@ -1505,7 +1505,7 @@ "line_num": 1, "path": "tests/samples/pem_key.apk", "info": "tests/samples/pem_key.apk|ZIP|3.zip|ZIP|2.zip|ZIP|2|RAW", - "value": "-----BEGIN RSA PRIVATE", + "value": "-----BEGIN RSA PRIVATE KEY-----", "variable": null, "entropy_validation": false } @@ -1515,7 +1515,7 @@ "api_validation": "NOT_AVAILABLE", "ml_validation": "NOT_AVAILABLE", "ml_probability": null, - "rule": "PEM Certificate", + "rule": "PEM Private Key", "severity": "high", "line_data_list": [ { 
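Review bot: The context comment directly above the changed condition, `# Check if have "BEGIN" substring. Cannot otherwise ba matched as a PEM key`, is now stale: the gate tests for `PEM_BEGIN_PATTERN` (`-----BEGIN`), not the bare word, and the comment also carries a typo. I would rewrite it as `# Pre-filter for pem_key rules: their regex starts with "-----BEGIN", so a line without that prefix cannot match`. Because this substring test is the only thing that lets a line reach the PEM rule at all, it has to stay in lock-step with the regex in config.yaml, and the comment is the right place to point out that coupling. `_select_and_group_targets` begins before this hunk, so the definitions of `target_line_trimmed` and `self.min_pem_key_len` are outside the view.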
@@ -1523,7 +1523,7 @@ "line_num": 1, "path": "tests/samples/pem_key.apk", "info": "tests/samples/pem_key.apk|ZIP|cred/pem_key.zip|ZIP|key.pem|RAW", - "value": "-----BEGIN RSA PRIVATE", + "value": "-----BEGIN RSA PRIVATE KEY-----", "variable": null, "entropy_validation": false } @@ -1551,7 +1551,7 @@ "api_validation": "NOT_AVAILABLE", "ml_validation": "NOT_AVAILABLE", "ml_probability": null, - "rule": "PEM Certificate", + "rule": "PEM Private Key", "severity": "high", "line_data_list": [ { @@ -1559,7 +1559,7 @@ "line_num": 1, "path": "tests/samples/pem_key.bz2", "info": "tests/samples/pem_key.bz2|BZIP2|tests/samples/pem_key|RAW", - "value": "-----BEGIN RSA PRIVATE", + "value": "-----BEGIN RSA PRIVATE KEY-----", "variable": null, "entropy_validation": false } @@ -1569,7 +1569,7 @@ "api_validation": "NOT_AVAILABLE", "ml_validation": "NOT_AVAILABLE", "ml_probability": null, - "rule": "PEM Certificate", + "rule": "PEM Private Key", "severity": "high", "line_data_list": [ { @@ -1577,7 +1577,7 @@ "line_num": 1, "path": "tests/samples/pem_key.gz", "info": "tests/samples/pem_key.gz|GZIP|tests/samples/pem_key|RAW", - "value": "-----BEGIN RSA PRIVATE", + "value": "-----BEGIN RSA PRIVATE KEY-----", "variable": null, "entropy_validation": false } @@ -1587,7 +1587,7 @@ "api_validation": "NOT_AVAILABLE", "ml_validation": "NOT_AVAILABLE", "ml_probability": null, - "rule": "PEM Certificate", + "rule": "PEM Private Key", "severity": "high", "line_data_list": [ { @@ -1595,7 +1595,7 @@ "line_num": 1, "path": "tests/samples/pem_key.zip", "info": "tests/samples/pem_key.zip|ZIP|pem_key|RAW", - "value": "-----BEGIN RSA PRIVATE", + "value": "-----BEGIN RSA PRIVATE KEY-----", "variable": null, "entropy_validation": false } diff --git a/tests/data/doc.json b/tests/data/doc.json index 1e9b845bc..2955330b2 100644 --- a/tests/data/doc.json +++ b/tests/data/doc.json 
@@ -993,7 +993,7 @@ "api_validation": "NOT_AVAILABLE", "ml_validation": "NOT_AVAILABLE", "ml_probability": null, - "rule": "PEM Certificate", + "rule": "PEM Private Key", "severity": "high", "line_data_list": [ { @@ -1001,7 +1001,7 @@ "line_num": 1, "path": "tests/samples/pem_key", "info": "tests/samples/pem_key|RAW", - "value": "-----BEGIN RSA PRIVATE", + "value": "-----BEGIN RSA PRIVATE KEY-----", "variable": null, "entropy_validation": false } diff --git a/tests/data/ml_threshold_0.json b/tests/data/ml_threshold_0.json index dba919876..20438b6ed 100644 --- a/tests/data/ml_threshold_0.json +++ b/tests/data/ml_threshold_0.json @@ -1389,7 +1389,7 @@ "api_validation": "NOT_AVAILABLE", "ml_validation": "NOT_AVAILABLE", "ml_probability": null, - "rule": "PEM Certificate", + "rule": "PEM Private Key", "severity": "high", "line_data_list": [ { @@ -1397,7 +1397,7 @@ "line_num": 1, "path": "tests/samples/pem_key", "info": "", - "value": "-----BEGIN RSA PRIVATE", + "value": "-----BEGIN RSA PRIVATE KEY-----", "variable": null, "entropy_validation": false } diff --git a/tests/data/output.json b/tests/data/output.json index b5ca16c3f..56a7c6825 100644 --- a/tests/data/output.json +++ b/tests/data/output.json @@ -1317,7 +1317,7 @@ "api_validation": "NOT_AVAILABLE", "ml_validation": "NOT_AVAILABLE", "ml_probability": null, - "rule": "PEM Certificate", + "rule": "PEM Private Key", "severity": "high", "line_data_list": [ { @@ -1325,7 +1325,7 @@ "line_num": 1, "path": "tests/samples/pem_key", "info": "", - "value": "-----BEGIN RSA PRIVATE", + "value": "-----BEGIN RSA PRIVATE KEY-----", "variable": null, "entropy_validation": false } diff --git a/tests/rules/test_pem_key.py b/tests/rules/test_pem_key.py index 27144e0f0..c382c4082 100644 --- a/tests/rules/test_pem_key.py +++ b/tests/rules/test_pem_key.py @@ -65,7 +65,7 @@ def lines(self, request) -> List[str]: @pytest.fixture def rule_name(self) -> str: - return "PEM Certificate" + return "PEM Private Key" class TestEmptyPemKey: 
@@ -85,7 +85,7 @@ def lines(self, request) -> List[str]: @pytest.fixture def rule_name(self) -> str: - return "PEM Certificate" + return "PEM Private Key" def test_scan_no_division_by_zero_exception_n(self, file_path: pytest.fixture, lines: pytest.fixture, scanner: pytest.fixture) -> None: diff --git a/tests/test_main.py b/tests/test_main.py index 5dd7f32a1..cc1c12c48 100644 --- a/tests/test_main.py +++ b/tests/test_main.py @@ -556,8 +556,8 @@ def test_yaml_p(self) -> None: cred_sweeper.run(content_provider=content_provider) found_credentials = cred_sweeper.credential_manager.get_credentials() self.assertEqual(2, len(found_credentials)) - self.assertSetEqual({"Secret", "PEM Certificate"}, set(i.rule_name for i in found_credentials)) - self.assertSetEqual({"we5345d0f3da48544z1t1e275y05i161x995q485\n", "-----BEGIN RSA PRIVATE"}, + self.assertSetEqual({"Secret", "PEM Private Key"}, set(i.rule_name for i in found_credentials)) + self.assertSetEqual({"we5345d0f3da48544z1t1e275y05i161x995q485\n", "-----BEGIN RSA PRIVATE KEY-----"}, set(i.line_data_list[0].value for i in found_credentials)) # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #