model

package
v0.0.0-...-1e00a76 Latest Latest
Published: Oct 5, 2020 License: Apache-2.0 Imports: 25 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type CtxParserRule

// CtxParserRule pairs the YAML definition of a context-aware parser with
// the parser instance built from that definition.
type CtxParserRule struct {
	// Parser is the instantiated parser. It is tagged yaml:"-", so it is
	// neither read from nor written to the configuration file.
	Parser contextParser `yaml:"-"`
	// Type is the name of the parser type (YAML key "type").
	Type string `yaml:"type"`
	// Extensions lists the file extensions the parser takes into consideration.
	Extensions []string `yaml:"extensions"`
	// KeyBag is the bag of words used mainly to identify keys/values
	// that are potential leaks (YAML key "keys").
	KeyBag []string `yaml:"keys"`
	// Confidence of the assessment
	// - "High" : for context based parsers
	// - "Low" : for regexp/context insensitive parsers
	// NOTE(review): this is a free-form string; nothing in this declaration
	// restricts it to those two values - confirm where it is validated.
	Confidence string `yaml:"confidence"`
}

CtxParserRule is a union of a parser's definition and its instantiation.

func (*CtxParserRule) Init

func (c *CtxParserRule) Init()

Init creates a Parser if the .Type is defined

type FileLeak

// FileLeak describes a potential leak found in a file on the filesystem.
//
// Snippet includes the offending line itself (Affected indexes it), so a
// serialised FileLeak carries the suspected secret in clear text; treat
// scan reports as sensitive output.
type FileLeak struct {
	// File (path to the file from the root of the execution)
	File string `yaml:"file"`
	Line int    `yaml:"line"` // line of the finding within File

	// Contains a couple of lines before and after the offending line.
	// This allows for displaying the context of the discovery
	// without having to store / display the whole file
	Snippet []string `yaml:"snippet"`
	// Affected is the index of the offending line in the snippet slice
	Affected int `yaml:"affected"`
	// Start index of the offending snippet within the affected line
	// NOTE(review): StartIdx and EndIdx carry no yaml tag, unlike the
	// neighbouring fields, so the YAML library's default key naming
	// applies - confirm this is intended.
	StartIdx int
	// End index of the offending snippet within the affected line
	// (whether the bound is inclusive is not stated here - confirm).
	EndIdx     int
	Confidence string `yaml:"confidence"` // confidence label of the rule that matched

	// Pointers to the rule that produced the finding; both are excluded
	// from YAML. Presumably only one is set, as documented on GitLeak.
	IndepParserRule *IndepParserRule `yaml:"-"`
	CtxParserRule   *CtxParserRule   `yaml:"-"`
}

FileLeak is a potential leak detected in the filesystem

type GitLeak

// GitLeak describes a potential leak associated with a git commit.
//
// Snippet includes the offending line itself (Affected indexes it), so a
// serialised GitLeak carries the suspected secret in clear text alongside
// the commit author; treat scan reports as sensitive output.
type GitLeak struct {
	// Hash of the commit (SHA-1)
	Commit string `yaml:"commit"`
	// File (path to the file from the root of the git repo)
	File string `yaml:"file"`
	// Line number within the affected file
	Line int `yaml:"line"`

	// Contains a couple of lines before and after the offending line.
	// This allows for displaying the context of the discovery
	// without having to store / display the whole file
	Snippet []string `yaml:"snippet"`
	// Affected is the index of the offending line in the snippet slice
	Affected int `yaml:"affected"`
	// Start index of the offending snippet within the affected line
	// NOTE(review): StartIdx and EndIdx carry no yaml tag, unlike the
	// neighbouring fields, so the YAML library's default key naming
	// applies - confirm this is intended.
	StartIdx int
	// End index of the offending snippet within the affected line
	// (whether the bound is inclusive is not stated here - confirm).
	EndIdx     int
	Confidence string `yaml:"confidence"` // confidence label of the rule that matched

	// Stores the name of the author of the commit
	// This could be replaced with the email for better formatting
	Author string `yaml:"author,omitempty"`
	// Time of the commit (YAML key "commit_date")
	When time.Time `yaml:"commit_date"`

	// Pointer to the offending rule
	IndepParserRule *IndepParserRule `yaml:"-"`
	// Pointer to the offending parser rule
	// The Rule and ParserRule attributes are exclusive
	CtxParserRule *CtxParserRule `yaml:"-"`
	Repo          *Repo          `yaml:"-"` // repository the commit belongs to; excluded from YAML
}

GitLeak is a potential leak detected associated with a commit

type IndepParserRule

// IndepParserRule represents a context-independent parser rule.
type IndepParserRule struct {
	// Definition, Description, Category and Weight are read from the YAML
	// keys of the same (lower-case) name; Description and Category are
	// omitted from output when empty.
	// Definition is presumably the regexp source that Compiled is built
	// from - confirm in ParseConfig. Go's regexp package matches in time
	// linear in the input, so a user-supplied pattern cannot trigger
	// catastrophic backtracking.
	// NOTE(review): Compiled has no yaml tag, whereas
	// RuleSet.BlackListCompiled is tagged yaml:"-"; confirm the compiled
	// regexp is not meant to be excluded from (un)marshalling as well.
	Definition  string  `yaml:"definition"`
	Description string  `yaml:"description,omitempty"`
	Category    string  `yaml:"category,omitempty"`
	Weight      float32 `yaml:"weight"`
	Compiled    *regexp.Regexp
}

IndepParserRule represents a context-independent parser

type Leak

// Leak represents a possible credential leak discovered during the scan
// phase. The interface declares no methods, so every type satisfies it;
// consumers have to type-switch to recover the concrete leak type.
type Leak interface {
}

Leak is an interface that represents a possible credential leak discovered during the scan phase

type Repo

// Repo holds both the go-git handle of a repository and its location on
// the local filesystem.
type Repo struct {
	// Source is read from the YAML key "source"; presumably the clone URL
	// or origin of the repository - confirm against Init.
	// Path is presumably the local checkout location and Since a lower
	// bound on commit dates - TODO confirm; neither meaning is shown here.
	// Storer is the go-git repository handle.
	// NOTE(review): Path, Since and Storer carry no yaml tag, so the YAML
	// library's default handling applies to them - confirm intended.
	Source string `yaml:"source"`
	Path   string
	Since  time.Time
	Storer *git.Repository
}

Repo represents the internal git representation as well as the local one (in the filesystem)

func (*Repo) FetchCommits

func (r *Repo) FetchCommits() []*object.Commit

FetchCommits stores all commits in a slice

This allows for concurrent r/w of the commit slice without having to go through go-git's commit iterator object. (Comes at a certain cost to memory but the commit object itself seems to be very light)

func (*Repo) Init

func (r *Repo) Init(source, cache string)

Init creates a repository struct

func (*Repo) PlainOpen

func (r *Repo) PlainOpen(repoPath string) *git.Repository

PlainOpen attempts to use go-git to open a cloned repository

type RuleSet

// RuleSet groups the rules and parsers read from the user-defined
// configuration file.
type RuleSet struct {
	// Version of the configuration file
	// Not used currently but for future proofing
	APIVersion string `yaml:"apiVersion"`

	// Checksum is the FNV hash of the configuration file, useful for
	// determining whether the definition file has changed (for future
	// uses). FNV is a non-cryptographic hash: it detects accidental
	// change, not deliberate tampering with the rule file.
	//
	// The rest of this group:
	//   - ReadAt: presumably the time the file was read - confirm in ParseConfig.
	//   - IndepParsers: context-independent rules (YAML key "rules").
	//   - CtxParsers: context-aware parsers (YAML key "parsers").
	//   - BlackList: patterns from YAML key "black_list"; presumably the
	//     sources of BlackListCompiled. What they are matched against is
	//     not shown here.
	//   - BlackListCompiled: compiled regexps, excluded from YAML.
	// NOTE(review): Checksum and ReadAt carry no yaml tag, so the YAML
	// library's default key naming applies to them - confirm intended.
	Checksum          string
	ReadAt            time.Time
	IndepParsers      []IndepParserRule `yaml:"rules"`
	CtxParsers        []CtxParserRule   `yaml:"parsers"`
	BlackList         []string          `yaml:"black_list"`
	BlackListCompiled []*regexp.Regexp  `yaml:"-"`

	// Sets whether or not to examine compressed files
	Compressed bool `yaml:"compressed"`
}

RuleSet groups all Rules and Parsers interpreted from the user defined file

  • Rules represent parsers that are context independent: they can parse a file line by line to precisely find the leak
  • Parsers are parsers that need the entire file as context to analyse for leaks correctly (TODO: rename)

func (*RuleSet) Parse

func (r *RuleSet) Parse(file string, leakChan chan Leak)

Parse reads a given file and applies all rules given

func (*RuleSet) ParseConfig

func (r *RuleSet) ParseConfig(file string)

ParseConfig reads the user defined configuration file

func (*RuleSet) ParsePatch

func (r *RuleSet) ParsePatch(patch *object.Patch, commit *object.Commit, repo *Repo, leakChan chan Leak)

ParsePatch iterates over each chunk of the patch object and applies all context-independent rules. TODO: allow context-dependent rules.
