ZupIT / horusec

Horusec is an open source tool that improves identification of vulnerabilities in your project with just one command.

Home Page:https://horusec.io/


horusecCliFilesOrPathsToIgnore not matching properly

brunobehnken opened this issue · comments

What happened:
I'm running Horusec using the command
docker run --rm -v "/var/run/docker.sock:/var/run/docker.sock" -v "/home/myuser/repos/my_python_project:/src/horusec" --network host horuszup/horusec-cli:latest horusec start -p /src/horusec -P /home/myuser/repos/my_python_project -s INFO,LOW --enable-owasp-dependency-check --enable-git-history --enable-commit-author --config-file-path '/src/horusec/horusec-config.json' -o sonarqube -O /src/horusec/sonar-out.json

My horusec-config.json has the following content:

{
  "horusecCliFilesOrPathsToIgnore": [
    "tests/**"
  ]
}

My sonar-out.json comes with this content:

{
  "issues": [
    {
      "type": "VULNERABILITY",
      "ruleId": "HorusecEngine",
      "engineId": "horusec",
      "severity": "BLOCKER",
      "effortMinutes": 0,
      "primaryLocation": {
        "message": "(1/1) * Possible vulnerability detected: Password found in a hardcoded URL\nA password was found in a hardcoded URL, this can lead to not only the leak of this password but also a failure point to some more sophisticated CSRF and SSRF attacks. Check CWE-352 (https://cwe.mitre.org/data/definitions/352.html) and CWE-918 (https://cwe.mitre.org/data/definitions/918.html) for more details.",
        "filePath": "tests/unit/infrastructure/mysql/test_mysql.py",
        "textRange": {
          "startLine": 72,
          "startColumn": 27
        }
      }
    },
    {
      "type": "VULNERABILITY",
      "ruleId": "GitLeaks",
      "engineId": "horusec",
      "severity": "BLOCKER",
      "effortMinutes": 0,
      "primaryLocation": {
        "message": "(1/1) * Possible vulnerability detected: Hardcoded Credential",
        "filePath": "tests/infrastructure/mysql/test_mysql.py",
        "textRange": {
          "startLine": 72,
          "startColumn": 29
        }
      }
    }
  ]
}

What you expected to happen:
The sonar-out.json report should come back empty, since both vulnerabilities are in files whose paths match the expression passed in the horusecCliFilesOrPathsToIgnore variable in the horusec-config.json file.

How to reproduce it (as minimally and precisely as possible):
Create a file that has a vulnerability and place it in a directory. Add to the horusec-config.json file the variable horusecCliFilesOrPathsToIgnore, and add to this variable an expression that has a directory that is one of the parents of the directory that contains the file you created, followed by the wildcard /**, so the expression matches the file you created. Run horusec using a command that is equivalent to the one I mentioned in the "What happened" section. The output recorded in sonar-format should contain the vulnerability that was supposed to be ignored.

Anything else we need to know?:

  • The second vulnerability ("ruleId": "GitLeaks") is present only in Git history, because the file has been moved to another path (that of the first vulnerability).

  • If I change tests/** to **/tests/**, Horusec runs normally and the first vulnerability ("ruleId": "HorusecEngine") does not appear in the sonar report, but the second one still does. As far as I can tell, **/tests/** is not a valid expression.

Environment:

  • Horusec version (use horusec version):

Version: v2.8.0
Git commit: df32c1c
Built: Wed Jun 08 13:57:08 2022
Distribution: normal

  • Operating System:

docker run horuszup/horusec-cli:latest cat /etc/os-release provides the following output:

NAME="Alpine Linux"
ID=alpine
VERSION_ID=3.15.0
PRETTY_NAME="Alpine Linux v3.15"
HOME_URL="https://alpinelinux.org/"
BUG_REPORT_URL="https://bugs.alpinelinux.org/"

I'm running Docker over (lsb_release -a output):
Distributor ID: Ubuntu
Description: Ubuntu 20.04.5 LTS
Release: 20.04
Codename: focal

  • Network plugin / Tool and version (if this is a network-related / tool bug):
  • Others:
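As an added example (not code from the issue author or from the Horusec project), the small matcher below lets you check, before running a scan, which of your ignore patterns match which reported paths. It implements the common doublestar/gitignore convention (`*` does not cross a `/`, `**` does, `**/` matches zero or more leading directories); whether Horusec's own matcher uses exactly these rules, and whether it compares patterns against project-relative paths or against the mounted absolute path (`/src/horusec/...` in the command above), is an assumption and is not stated in the issue. The two sample paths are the ones from the sonar-out.json report; the absolute variants are constructed by prepending the `-p` mount path from the docker command.

```python
import re

# Constructed sample: the two file paths reported in sonar-out.json above,
# plus the same paths as they would look with the container mount prefix prepended.
REPORTED_PATHS = [
    "tests/unit/infrastructure/mysql/test_mysql.py",  # HorusecEngine finding
    "tests/infrastructure/mysql/test_mysql.py",       # GitLeaks finding (old path, from git history)
]
MOUNT_PREFIX = "/src/horusec/"  # the -p path from the docker command in the issue (assumed comparison base)
ABSOLUTE_PATHS = [MOUNT_PREFIX + p for p in REPORTED_PATHS]

# Patterns discussed in the issue, plus one extra to show that '*' stops at '/'.
PATTERNS = ["tests/**", "**/tests/**", "tests/*.py"]


def glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a doublestar-style glob into an anchored regular expression.

    Semantics assumed here (gitignore/doublestar convention, not necessarily
    Horusec's own matcher):
      '**/'  zero or more directory components
      '**'   anything, including '/'
      '*'    anything except '/'
      '?'    one character that is not '/'
    """
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            parts.append("(?:.*/)?")
            i += 3
        elif pattern.startswith("**", i):
            parts.append(".*")
            i += 2
        elif pattern[i] == "*":
            parts.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            parts.append("[^/]")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


def matches(pattern: str, path: str) -> bool:
    """True if the whole path matches the glob pattern."""
    return glob_to_regex(pattern).match(path) is not None


def match_table(patterns, paths):
    """Return {pattern: {path: matched}} so a whole ignore list can be checked at once."""
    return {pat: {p: matches(pat, p) for p in paths} for pat in patterns}


if __name__ == "__main__":
    table = match_table(PATTERNS, REPORTED_PATHS + ABSOLUTE_PATHS)
    for pat, results in table.items():
        print(f"pattern {pat!r}:")
        for path, ok in results.items():
            print(f"  {'MATCH ' if ok else 'no    '} {path}")
```

Under these semantics `tests/**` matches both reported paths only when they are compared as project-relative paths; prepend the mount prefix and it matches neither, whereas `**/tests/**` matches all four. That is consistent with the observation in the issue that `**/tests/**` suppressed the HorusecEngine finding, and it is a useful first check when an ignore rule silently fails. It also shows that the old git-history path `tests/infrastructure/mysql/test_mysql.py` matches `**/tests/**` just as well, so the GitLeaks finding that still appears is not explained by pattern matching alone.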