horusecCliFilesOrPathsToIgnore not matching properly
brunobehnken opened this issue · comments
What happened:
I'm running Horusec using the command
docker run --rm -v "/var/run/docker.sock:/var/run/docker.sock" -v "/home/myuser/repos/my_python_project:/src/horusec" --network host horuszup/horusec-cli:latest horusec start -p /src/horusec -P /home/myuser/repos/my_python_project -s INFO,LOW --enable-owasp-dependency-check --enable-git-history --enable-commit-author --config-file-path '/src/horusec/horusec-config.json' -o sonarqube -O /src/horusec/sonar-out.json
My horusec-config.json has the following content:
{
"horusecCliFilesOrPathsToIgnore": [
"tests/**"
]
}
My sonar-out.json comes with this content:
{
"issues": [
{
"type": "VULNERABILITY",
"ruleId": "HorusecEngine",
"engineId": "horusec",
"severity": "BLOCKER",
"effortMinutes": 0,
"primaryLocation": {
"message": "(1/1) * Possible vulnerability detected: Password found in a hardcoded URL\nA password was found in a hardcoded URL, this can lead to not only the leak of this password but also a failure point to some more sophisticated CSRF and SSRF attacks. Check CWE-352 (https://cwe.mitre.org/data/definitions/352.html) and CWE-918 (https://cwe.mitre.org/data/definitions/918.html) for more details.",
"filePath": "tests/unit/infrastructure/mysql/test_mysql.py",
"textRange": {
"startLine": 72,
"startColumn": 27
}
}
},
{
"type": "VULNERABILITY",
"ruleId": "GitLeaks",
"engineId": "horusec",
"severity": "BLOCKER",
"effortMinutes": 0,
"primaryLocation": {
"message": "(1/1) * Possible vulnerability detected: Hardcoded Credential",
"filePath": "tests/infrastructure/mysql/test_mysql.py",
"textRange": {
"startLine": 72,
"startColumn": 29
}
}
}
]
}
What you expected to happen:
The sonar-out.json report should come empty, since both vulnerabilities are in files whose paths match the expression passed in the horusecCliFilesOrPathsToIgnore variable in horusec-config.json file.
How to reproduce it (as minimally and precisely as possible):
Create a file that has a vulnerability and place it in a directory. Add to the horusec-config.json file the variable horusecCliFilesOrPathsToIgnore, and add to this variable an expression that has a directory that is one of the parents of the directory that contains the file you created, followed by the wildcard /**, so the expression matches the file you created. Run horusec using a command that is equivalent to the one I mentioned in the "What happened" section. The output recorded in sonar-format should contain the vulnerability that was supposed to be ignored.
Anything else we need to know?:
-
The second vulnerability ("ruleId": "GitLeaks") is present only in Git history, because the file has been moved to another path (the one of the first vulnerability).
-
If I change
tests/**to**/tests/**, Horusec runs normally and the first vulnerability ("ruleId": "HorusecEngine") does not appear in the sonar report, but the second one still does. As far as I can tell,**/tests/**is not a valid expression.
Environment:
- Horusec version (use
horusec version):
Version: v2.8.0
Git commit: df32c1c
Built: Wed Jun 08 13:57:08 2022
Distribution: normal
- Operating System:
docker run horuszup/horusec-cli:latest cat /etc/os-release provides the following output:
NAME="Alpine Linux"
ID=alpine
VERSION_ID=3.15.0
PRETTY_NAME="Alpine Linux v3.15"
HOME_URL="https://alpinelinux.org/"
BUG_REPORT_URL="https://bugs.alpinelinux.org/"
I'm running Docker over (lsb_release -a output):
Distributor ID: Ubuntu
Description: Ubuntu 20.04.5 LTS
Release: 20.04
Codename: focal
- Network plugin / Tool and version (if this is a network-related / tool bug):
- Others: