ZupIT / horusec

Horusec is an open source tool that improves identification of vulnerabilities in your project with just one command.

Home Page: https://horusec.io/


HS-LEAKS: False positive in go.sum (linkedin...)

stefanb opened this issue · comments

When a Go program uses a module from LinkedIn (e.g. https://github.com/linkedin/goavro), the name will be mentioned in the go.sum file followed by a hash on the same line, e.g.:

```
github.com/linkedin/goavro v2.1.0+incompatible/go.mod h1:bBCwI2eGYpUI/4820s67MElg9tdeLbINjLjiM2xZFYM=
github.com/linkedin/goavro/v2 v2.10.0/go.mod h1:UgQUb2N/pmueQYH9bfqFioWxzYCZXSfF8Jw03O5sjqA=
github.com/linkedin/goavro/v2 v2.10.1/go.mod h1:UgQUb2N/pmueQYH9bfqFioWxzYCZXSfF8Jw03O5sjqA=
github.com/linkedin/goavro/v2 v2.11.1/go.mod h1:UgQUb2N/pmueQYH9bfqFioWxzYCZXSfF8Jw03O5sjqA=
```

...which triggers a false positive via regexp in:

```go
func NewLinkedInClientID() *text.Rule {
	return &text.Rule{
		Metadata: engine.Metadata{
			ID:          "HS-LEAKS-9",
			Name:        "LinkedIn Client ID",
			Description: "When use LinkedIn Client ID is recommended use vault or environment variable encrypted for the best security. For more information checkout the CWE-312 (https://cwe.mitre.org/data/definitions/312.html) advisory.",
			Severity:    severities.Critical.ToString(),
			Confidence:  confidence.Medium.ToString(),
			SafeExample:   SampleSafeHSLEAKS9,
			UnsafeExample: SampleVulnerableHSLEAKS9,
		},
		Type: text.Regular,
		Expressions: []*regexp.Regexp{
			regexp.MustCompile(`(?i)linkedin(.{0,20})?(?-i)[0-9a-z]{12}`),
		},
	}
}
```

This likely affects other LEAKS rules with loose regexps and companies publishing open-source libraries.
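To reproduce the false positive and see which of the quoted go.sum lines actually trigger the HS-LEAKS-9 expression, here is an added Go example (not Horusec's own code). The `goSumEntry` filter that marks hits on go.sum records as suppressible is an assumption made for this illustration, and the third sample line is a constructed placeholder, not a real credential.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one regexp hit: the line it came from and whether the
// hypothetical go.sum filter below would suppress it.
type Finding struct {
	Line       int
	Match      string
	Suppressed bool
}

// linkedInClientID is the expression quoted from HS-LEAKS-9 in the issue.
var linkedInClientID = regexp.MustCompile(`(?i)linkedin(.{0,20})?(?-i)[0-9a-z]{12}`)

// goSumEntry recognises a go.sum record: "<module> <version>[/go.mod] h1:<base64>".
// This filter is an assumption for this example, not part of Horusec.
var goSumEntry = regexp.MustCompile(`^\S+ v\S+ h1:[A-Za-z0-9+/]+=*$`)

// Scan runs the rule over each line and flags hits that sit on go.sum records.
func Scan(content string) []Finding {
	var out []Finding
	for i, line := range strings.Split(content, "\n") {
		m := linkedInClientID.FindString(line)
		if m == "" {
			continue
		}
		out = append(out, Finding{Line: i + 1, Match: m, Suppressed: goSumEntry.MatchString(line)})
	}
	return out
}

// sample is constructed for this example: two go.sum lines from the issue plus a
// fabricated line of the kind the rule is meant to catch (placeholder value).
const sample = `github.com/linkedin/goavro v2.1.0+incompatible/go.mod h1:bBCwI2eGYpUI/4820s67MElg9tdeLbINjLjiM2xZFYM=
github.com/linkedin/goavro/v2 v2.10.0/go.mod h1:UgQUb2N/pmueQYH9bfqFioWxzYCZXSfF8Jw03O5sjqA=
LINKEDIN_CLIENT_ID=abcdefghijkl`

func main() {
	// Only the first go.sum line matches: "incompatible" is exactly 12 lowercase
	// characters within 20 bytes of "linkedin", which is what the loose regexp keys on.
	for _, f := range Scan(sample) {
		fmt.Printf("line %d: %q suppressed=%v\n", f.Line, f.Match, f.Suppressed)
	}
}
```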