ZupIT / horusec

Horusec is an open source tool that improves identification of vulnerabilities in your project with just one command.

Home Page: https://horusec.io/

horusecCliFilesOrPathsToIgnore apparently being ignored in vscode extension and CI

lays147 opened this issue · comments

What happened: I have configured the horusecCliFilesOrPathsToIgnore option to ignore some folders and files.

How to reproduce it (as minimally and precisely as possible):
Node.js project with a package-lock.json with pgpass installed.

Horusec-config:

{
  "horusecCliCertInsecureSkipVerify": false,
  "horusecCliFilesOrPathsToIgnore": [
    "*tmp*",
    "**/.vscode/**",
    "docker-compose.yml",
    ".env.sample",
    "package-lock.json",
    "**/.dist/**",
    "**/.coverage/**",
    "**/.coverage-e2e/**"
  ],
  "horusecCliReturnErrorIfFoundVulnerability": false,
  "horusecCliRiskAcceptHashes": null,
  "horusecCliSeveritiesToIgnore": [
    "INFO"
  ],
  "horusecCliShowVulnerabilitiesTypes": [
    "Vulnerability"
  ],
  "horusecCliTimeoutInSecondsAnalysis": 600,
  "horusecCliTimeoutInSecondsRequest": 300,
  "horusecCliFalsePositiveHashes": [
  ]
}

Expected result: package-lock.json is ignored on the scan

Actual result: package-lock.json is scanned by horusec

Column: 11
SecurityTool: HorusecEngine
Confidence: MEDIUM
File: /runner/_work/FeeRavManagerAPI/FeeRavManagerAPI/package-lock.json
Code: "pgpass": "1.x"
RuleID: HS-LEAKS-26
Type: Vulnerability
ReferenceHash: dce09eb1eb793933fbfe57a3088b23d04e9a760c5d8fbddf6f1e9a95e222f71e
Details: (1/1) * Possible vulnerability detected: Hard-coded password
The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. For more information checkout the CWE-798 (https://cwe.mitre.org/data/definitions/798.html) advisory.

Also, using the VS Code addon with the above horusec-config, folders like dist are still being scanned.

Anything else we need to know?:

Environment:

  • Horusec version (use horusec version):
    In the CI I use the config from the docs: curl -fsSL https://raw.githubusercontent.com/ZupIT/horusec/main/deployments/scripts/install.sh
  • Operating System: In the CI Ubuntu, my machine: Arch Linux
  • Others: VsCode: v2.2.8
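The report above shows horusec matching a bare pattern such as "package-lock.json" against the absolute path /runner/_work/FeeRavManagerAPI/FeeRavManagerAPI/package-lock.json. Whether such a pattern hits depends entirely on the glob semantics the matcher applies, and the two common ones disagree. The following Go program is an added example, not horusec's code and not a reproduction of its matcher: it parses the horusecCliFilesOrPathsToIgnore list from the config in this issue (copied inline as a constructed constant), then checks each pattern against a few constructed sample paths under plain Go filepath.Match semantics (where "*" and "**" never cross a "/") and under gitignore-style doublestar semantics (where a "**" segment spans any number of directories). The anywherePattern helper and the sample paths other than the reported one are assumptions for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path/filepath"
	"strings"
)

// Constructed copy of the ignore list from the horusec-config.json posted in this issue.
const horusecConfigJSON = `{
  "horusecCliFilesOrPathsToIgnore": [
    "*tmp*", "**/.vscode/**", "docker-compose.yml", ".env.sample",
    "package-lock.json", "**/.dist/**", "**/.coverage/**", "**/.coverage-e2e/**"
  ]
}`

// Constructed sample paths; the first is the absolute path horusec reported in the CI run,
// the others are assumed siblings used only to exercise the patterns.
var samplePaths = []string{
	"/runner/_work/FeeRavManagerAPI/FeeRavManagerAPI/package-lock.json",
	"/runner/_work/FeeRavManagerAPI/FeeRavManagerAPI/.dist/sub/bundle.js",
	"/runner/_work/FeeRavManagerAPI/FeeRavManagerAPI/tmp/cache.bin",
	"package-lock.json",
}

type horusecConfig struct {
	IgnorePatterns []string `json:"horusecCliFilesOrPathsToIgnore"`
}

// loadIgnorePatterns parses only the horusecCliFilesOrPathsToIgnore key.
func loadIgnorePatterns(raw string) ([]string, error) {
	var cfg horusecConfig
	if err := json.Unmarshal([]byte(raw), &cfg); err != nil {
		return nil, err
	}
	return cfg.IgnorePatterns, nil
}

// matchesPlainGlob uses Go's filepath.Match: '*' (and therefore '**') never crosses a
// path separator, and the pattern must cover the whole string.
func matchesPlainGlob(pattern, path string) bool {
	ok, err := filepath.Match(pattern, path)
	return err == nil && ok
}

// matchesDoubleStar treats a '**' segment as "zero or more directories" and matches
// every other segment with filepath.Match, i.e. gitignore-like globbing.
func matchesDoubleStar(pattern, path string) bool {
	patSegs := strings.Split(strings.Trim(filepath.ToSlash(pattern), "/"), "/")
	pathSegs := strings.Split(strings.Trim(filepath.ToSlash(path), "/"), "/")
	return matchSegments(patSegs, pathSegs)
}

func matchSegments(patSegs, pathSegs []string) bool {
	if len(patSegs) == 0 {
		return len(pathSegs) == 0
	}
	if patSegs[0] == "**" {
		for i := 0; i <= len(pathSegs); i++ { // '**' may consume 0..n segments
			if matchSegments(patSegs[1:], pathSegs[i:]) {
				return true
			}
		}
		return false
	}
	if len(pathSegs) == 0 {
		return false
	}
	if ok, err := filepath.Match(patSegs[0], pathSegs[0]); err != nil || !ok {
		return false
	}
	return matchSegments(patSegs[1:], pathSegs[1:])
}

// anywherePattern (assumed helper) rewrites a bare file-name pattern so that it matches at
// any depth under '**' semantics; patterns that already contain a separator are kept as-is.
func anywherePattern(pattern string) string {
	if strings.Contains(pattern, "/") {
		return pattern
	}
	return "**/" + pattern
}

func main() {
	patterns, err := loadIgnorePatterns(horusecConfigJSON)
	if err != nil {
		panic(err)
	}
	for _, p := range samplePaths {
		fmt.Println(p)
		for _, pat := range patterns {
			fmt.Printf("  %-22s plain=%-5v doublestar=%-5v anywhere(%s)=%v\n",
				pat, matchesPlainGlob(pat, p), matchesDoubleStar(pat, p),
				anywherePattern(pat), matchesDoubleStar(anywherePattern(pat), p))
		}
	}
}
```

Run it with `go run .` and compare the columns: a bare "package-lock.json" matches only when the scanner hands the matcher a relative path equal to the file name, and never matches the absolute CI path under either semantics, while "**/package-lock.json" matches the absolute path only under doublestar semantics. When a pattern should survive regardless of how a scanner resolves paths, write the "**/" form and check it with a tool like this before relying on it in CI.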

Same thing here with horusecCliJsonOutputFilepath. It's being completely ignored by the plugin-launched docker process.

Environment:

  • Horusec version: v2.8.0 (RPM version)
  • OS: Fedora 38 64-bit
  • VSCODE version: 1.82.3
  • Docker version: 24.0.6