Prevent print or logging in detectors (#2341)

* Prevent print or logging in detectors * mount repo * update job name
trufflesecurity · Jan 26, 2024 · 3a6cfd9 · 3a6cfd9
1 parent 41cfec4
commit 3a6cfd9
Show file tree

Hide file tree

Showing 6 changed files with 31 additions and 13 deletions.
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -11,13 +11,13 @@ permissions:
   pull-requests: read
 
 jobs:
-  golangci:
-    name: lint
+  golangci-lint:
+    name: golangci-lint
     runs-on: ubuntu-latest
     steps:
       - uses: actions/setup-go@v4
         with:
-          go-version: '1.21'
+          go-version: "1.21"
       - uses: actions/checkout@v4
       - name: golangci-lint
         uses: golangci/golangci-lint-action@v3
@@ -35,3 +35,12 @@ jobs:
 
           # Optional: if set to true then the action don't cache or restore ~/.cache/go-build.
           # skip-build-cache: true
+  semgrep:
+    name: semgrep
+    runs-on: ubuntu-latest
+    container:
+      image: returntocorp/semgrep
+    if: (github.actor != 'dependabot[bot]')
+    steps:
+      - uses: actions/checkout@v4
+      - run: semgrep --config=hack/semgrep-rules.yaml pkg/detectors/
diff --git a/hack/semgrep-rules.yaml b/hack/semgrep-rules.yaml
@@ -0,0 +1,10 @@
+rules:
+  - id: no-printing-in-detectors
+    patterns:
+      - pattern-either:
+          - pattern: fmt.Println(...)
+          - pattern: fmt.Printf(...)
+          - pattern: import("log")
+    message: "Do not print or log inside of detectors."
+    languages: [go]
+    severity: ERROR
diff --git a/pkg/detectors/column/column.go b/pkg/detectors/column/column.go
@@ -4,11 +4,11 @@ import (
 	"context"
 	"encoding/base64"
 	"fmt"
-	regexp "github.com/wasilibs/go-re2"
-	"log"
 	"net/http"
 	"strings"
 
+	regexp "github.com/wasilibs/go-re2"
+
 	"github.com/trufflesecurity/trufflehog/v3/pkg/common"
 	"github.com/trufflesecurity/trufflehog/v3/pkg/detectors"
 	"github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb"
@@ -43,7 +43,6 @@ func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (result
 			continue
 		}
 		resMatch := strings.TrimSpace(match[1])
-		log.Println("resmatch: " + resMatch)
 
 		s1 := detectors.Result{
 			DetectorType: detectorspb.DetectorType_Column,

diff --git a/pkg/detectors/couchbase/couchbase.go b/pkg/detectors/couchbase/couchbase.go
@@ -3,12 +3,12 @@ package couchbase
 import (
 	"context"
 	"fmt"
-	regexp "github.com/wasilibs/go-re2"
-	"log"
 	"strings"
 	"time"
 	"unicode"
 
+	regexp "github.com/wasilibs/go-re2"
+
 	"github.com/couchbase/gocb/v2"
 	"github.com/trufflesecurity/trufflehog/v3/pkg/common"
 	"github.com/trufflesecurity/trufflehog/v3/pkg/detectors"
@@ -107,7 +107,7 @@ func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (result
 					// when accessing Capella from a different Wide Area Network
 					// or Availability Zone (e.g. your laptop).
 					if err := options.ApplyProfile(gocb.ClusterConfigProfileWanDevelopment); err != nil {
-						log.Fatal("apply profile err", err)
+						continue
 					}
 
 					// Initialize the Connection

diff --git a/pkg/detectors/deno/denodeploy.go b/pkg/detectors/deno/denodeploy.go
@@ -4,10 +4,11 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
-	regexp "github.com/wasilibs/go-re2"
 	"io"
 	"net/http"
 
+	regexp "github.com/wasilibs/go-re2"
+
 	"github.com/trufflesecurity/trufflehog/v3/pkg/common"
 	"github.com/trufflesecurity/trufflehog/v3/pkg/detectors"
 	"github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb"
@@ -73,7 +74,6 @@ func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (result
 					} else {
 						var user userResponse
 						if err := json.Unmarshal(body, &user); err != nil {
-							fmt.Printf("Unmarshal error: %v\n", err)
 							s1.SetVerificationError(err, token)
 						} else {
 							s1.ExtraData = map[string]string{

diff --git a/pkg/detectors/ipinfo/ipinfo.go b/pkg/detectors/ipinfo/ipinfo.go
@@ -3,10 +3,11 @@ package ipinfo
 import (
 	"context"
 	"fmt"
-	regexp "github.com/wasilibs/go-re2"
 	"net/http"
 	"strings"
 
+	regexp "github.com/wasilibs/go-re2"
+
 	"github.com/trufflesecurity/trufflehog/v3/pkg/common"
 	"github.com/trufflesecurity/trufflehog/v3/pkg/detectors"
 	"github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb"
@@ -59,7 +60,6 @@ func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (result
 			}
 			res, err := client.Do(req)
 			if err == nil {
-				fmt.Println(res.Status, resMatch)
 				defer res.Body.Close()
 				if res.StatusCode >= 200 && res.StatusCode < 300 {
 					s1.Verified = true