SARIF output shows incorrect rule properties
nierz opened this issue
Describe the bug
GitLeaks pre v8.18.2 used to show the rule IDs in the SARIF output in the following way:
"rules": [
  {
    "id": "adafruit-api-key",
    "name": "Adafruit API Key",
    "shortDescription": {
      "text": "(?i)(?:adafruit)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|\u003e|:{1,3}=|\\|\\|:|\u003c=|=\u003e|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}([a-z0-9_-]{32})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
    }
  },
  {
    "id": "adobe-client-id",
    "name": "Adobe Client ID (OAuth Web)",
    "shortDescription": {
      "text": "(?i)(?:adobe)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|\u003e|:{1,3}=|\\|\\|:|\u003c=|=\u003e|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}([a-f0-9]{32})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
    }
  },
  ...more rules
]
However, in GitLeaks v8.18.2 this was changed to:
"rules": [
  {
    "id": "adafruit-api-key",
    "name": "Identified a potential Adafruit API Key, which could lead to unauthorized access to Adafruit services and sensitive data exposure.",
    "shortDescription": {
      "text": "(?i)(?:adafruit)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|\u003e|:{1,3}=|\\|\\|:|\u003c=|=\u003e|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}([a-z0-9_-]{32})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
    }
  },
  {
    "id": "adobe-client-id",
    "name": "Detected a pattern that resembles an Adobe OAuth Web Client ID, posing a risk of compromised Adobe integrations and data breaches.",
    "shortDescription": {
      "text": "(?i)(?:adobe)(?:[0-9a-z\\-_\\t .]{0,20})(?:[\\s|']|[\\s|\"]){0,3}(?:=|\u003e|:{1,3}=|\\|\\|:|\u003c=|=\u003e|:|\\?=)(?:'|\\\"|\\s|=|\\x60){0,5}([a-f0-9]{32})(?:['|\\\"|\\n|\\r|\\s|\\x60|;]|$)"
    }
  },
  ...more rules
]
As you can see, the properties are wrong. The name actually changed to be a description.
To Reproduce
Steps to reproduce the behavior:
Simply run gitleaks with SARIF report format on any directory. For instance:
gitleaks detect . --report-format sarif --report-path result.json
Expected behavior
The name property should have the actual name (like it used to do), and the new name that looks like a description should go into a different SARIF property; fullDescription is a good one. Here's an example from KICS's SARIF output:
"rules": [
  {
    "id": "fd54f200-402c-4333-a5a4-36ef6709af2f",
    "name": "Missing User Instruction",
    "shortDescription": {
      "text": "Missing User Instruction"
    },
    "fullDescription": {
      "text": "A user should be specified in the dockerfile, otherwise the image will run as root"
    },
    ...
  }
Basic Info:
- OS: Mac OS
- Gitleaks Version: 8.18.2
cc @zricethezav
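A small lint for the problem described in this issue, added here as an example and not part of gitleaks or KICS: it walks the `rules` array of a SARIF report, flags rules whose `name` reads like a sentence, whose `shortDescription` holds a regex, or which lack `fullDescription`, and rewrites one rule into the layout the report asks for. The embedded SARIF fragment is constructed from the snippets above (regexes abbreviated), and rebuilding the short name from the rule id is an assumption, since the original name is not recoverable from the v8.18.2 output.

```python
import json
import re

# Constructed SARIF fragment modelled on the quoted v8.18.2 output plus the KICS rule.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{"tool": {"driver": {"name": "gitleaks", "rules": [
        {"id": "adafruit-api-key",
         "name": "Identified a potential Adafruit API Key, which could lead to "
                 "unauthorized access to Adafruit services and sensitive data exposure.",
         "shortDescription": {"text": "(?i)(?:adafruit)...([a-z0-9_-]{32})"}},
        {"id": "missing-user-instruction",
         "name": "Missing User Instruction",
         "shortDescription": {"text": "Missing User Instruction"},
         "fullDescription": {"text": "A user should be specified in the dockerfile"}},
    ]}}}]})

def looks_like_description(text: str) -> bool:
    """Heuristic: a rule name should be a short label, not a full sentence."""
    return len(text) > 60 or text.rstrip().endswith(".")

def looks_like_regex(text: str) -> bool:
    """Heuristic: regex metacharacters have no place in a human-readable summary."""
    return text.startswith("(?i)") or bool(re.search(r"[\\(){}\[\]]", text))

def lint_rules(sarif_json: str) -> dict:
    """Return {rule_id: [problems]} for rules whose descriptor fields are misused."""
    problems = {}
    for run in json.loads(sarif_json).get("runs", []):
        for rule in run["tool"]["driver"].get("rules", []):
            issues = []
            if looks_like_description(rule.get("name", "")):
                issues.append("name reads as a description; belongs in fullDescription")
            if looks_like_regex(rule.get("shortDescription", {}).get("text", "")):
                issues.append("shortDescription holds a regex, not a summary")
            if "fullDescription" not in rule:
                issues.append("fullDescription missing")
            if issues:
                problems[rule["id"]] = issues
    return problems

def restore_layout(rule: dict) -> dict:
    """Move a sentence-style name into fullDescription and rebuild a short name
    from the rule id (assumption: the original label is not in the report)."""
    fixed = dict(rule)
    if looks_like_description(rule.get("name", "")):
        fixed["fullDescription"] = {"text": rule["name"]}
        fixed["name"] = rule["id"].replace("-", " ").title()
        fixed["shortDescription"] = {"text": fixed["name"]}
    return fixed
```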