From de6c2a7a1086897a718f44eafc15905edebfb0a7 Mon Sep 17 00:00:00 2001
From: kashif khan
Date: Fri, 15 Nov 2024 11:21:26 +0500
Subject: [PATCH 1/3] updated buildkite detectors
---
 pkg/detectors/buildkite/{ => v1}/buildkite.go | 36 +++++++++++++------
 .../{ => v1}/buildkite_integration_test.go | 0
 .../buildkite/{ => v1}/buildkite_test.go | 0
 .../v2}/buildkite.go | 18 +++-------
 .../v2}/buildkite_test.go | 0
 .../v2}/buildkitev2_integration_test.go | 0
 pkg/engine/defaults/defaults.go | 8 ++---
 7 files changed, 34 insertions(+), 28 deletions(-)
 rename pkg/detectors/buildkite/{ => v1}/buildkite.go (72%)
 rename pkg/detectors/buildkite/{ => v1}/buildkite_integration_test.go (100%)
 rename pkg/detectors/buildkite/{ => v1}/buildkite_test.go (100%)
 rename pkg/detectors/{buildkitev2 => buildkite/v2}/buildkite.go (82%)
 rename pkg/detectors/{buildkitev2 => buildkite/v2}/buildkite_test.go (100%)
 rename pkg/detectors/{buildkitev2 => buildkite/v2}/buildkitev2_integration_test.go (100%)
diff --git a/pkg/detectors/buildkite/buildkite.go b/pkg/detectors/buildkite/v1/buildkite.go
similarity index 72%
rename from pkg/detectors/buildkite/buildkite.go
rename to pkg/detectors/buildkite/v1/buildkite.go
index e91d3550631f..db0efb4e30f8 100644
--- a/pkg/detectors/buildkite/buildkite.go
+++ b/pkg/detectors/buildkite/v1/buildkite.go
@@ -52,17 +52,10 @@ func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (result
 }
 if verify {
- req, err := http.NewRequestWithContext(ctx, "GET", "https://api.buildkite.com/v2/access-token", nil)
- if err != nil {
- continue
- }
- req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", resMatch))
- res, err := client.Do(req)
- if err == nil {
- defer res.Body.Close()
- if res.StatusCode >= 200 && res.StatusCode < 300 {
- s1.Verified = true
- }
+ isVerified, verificationErr := VerifyBuildKite(ctx, client, resMatch)
+ s1.Verified = isVerified
+ if verificationErr != nil {
+ s1.SetVerificationError(verificationErr, resMatch)
+ }
 }
 }
@@ -79,3 +72,24 @@ func (s Scanner) Type() detectorspb.DetectorType {
 func (s Scanner) Description() string {
 return "Buildkite is a platform for running fast, secure, and scalable continuous integration pipelines. Buildkite API tokens can be used to access and modify pipeline data and configurations."
 }
+
+func VerifyBuildKite(ctx context.Context, client *http.Client, secret string) (bool, error) {
+ // create a request
+ req, err := http.NewRequestWithContext(ctx, "GET", "https://api.buildkite.com/v2/access-token", nil)
+ if err != nil {
+ return false, err
+ }
+
+ // add authorization header
+ req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", secret))
+
+ res, err := client.Do(req)
+ if err == nil {
+ defer res.Body.Close()
+ if res.StatusCode >= 200 && res.StatusCode < 300 {
+ return true, nil
+ }
+ }
+
+ return false, nil
+}
diff --git a/pkg/detectors/buildkite/buildkite_integration_test.go b/pkg/detectors/buildkite/v1/buildkite_integration_test.go
similarity index 100%
rename from pkg/detectors/buildkite/buildkite_integration_test.go
rename to pkg/detectors/buildkite/v1/buildkite_integration_test.go
diff --git a/pkg/detectors/buildkite/buildkite_test.go b/pkg/detectors/buildkite/v1/buildkite_test.go
similarity index 100%
rename from pkg/detectors/buildkite/buildkite_test.go
rename to pkg/detectors/buildkite/v1/buildkite_test.go
diff --git a/pkg/detectors/buildkitev2/buildkite.go b/pkg/detectors/buildkite/v2/buildkite.go
similarity index 82%
rename from pkg/detectors/buildkitev2/buildkite.go
rename to pkg/detectors/buildkite/v2/buildkite.go
index f42663d0f4bf..2106803e951b 100644
--- a/pkg/detectors/buildkitev2/buildkite.go
+++ b/pkg/detectors/buildkite/v2/buildkite.go
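Review bot: `VerifyBuildKite` is exported without a doc comment, and its `(bool, error)` contract needs one because the body blurs it: the `if err == nil { … }` branch turns a failed `client.Do` (timeout, cancelled `ctx`, TLS failure) into `return false, nil`, which a caller cannot tell apart from a token the API rejected. A comment such as `// VerifyBuildKite sends secret as a bearer token to the Buildkite access-token endpoint and reports whether it was accepted; transport failures are returned as an error, not as a rejection.` states the intended contract, and `if err != nil { return false, err }` makes the code honour it (PATCH 2/3 of this series makes that change). The response body is closed but never drained, which keeps the transport from reusing the connection, and `"GET"` could be `http.MethodGet`.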
@@ -2,14 +2,13 @@ package buildkitev2
 import (
 "context"
- "fmt"
- "net/http"
 "strings"
 regexp "github.com/wasilibs/go-re2"
 "github.com/trufflesecurity/trufflehog/v3/pkg/common"
 "github.com/trufflesecurity/trufflehog/v3/pkg/detectors"
+ v1 "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/buildkite/v1"
 "github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb"
 )
@@ -52,17 +51,10 @@ func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (result
 }
 if verify {
- req, err := http.NewRequestWithContext(ctx, "GET", "https://api.buildkite.com/v2/access-token", nil)
- if err != nil {
- continue
- }
- req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", resMatch))
- res, err := client.Do(req)
- if err == nil {
- defer res.Body.Close()
- if res.StatusCode >= 200 && res.StatusCode < 300 {
- s1.Verified = true
- }
+ isVerified, verificationErr := v1.VerifyBuildKite(ctx, client, resMatch)
+ s1.Verified = isVerified
+ if verificationErr != nil {
+ s1.SetVerificationError(verificationErr, resMatch)
+ }
 }
 }
diff --git a/pkg/detectors/buildkitev2/buildkite_test.go b/pkg/detectors/buildkite/v2/buildkite_test.go
similarity index 100%
rename from pkg/detectors/buildkitev2/buildkite_test.go
rename to pkg/detectors/buildkite/v2/buildkite_test.go
diff --git a/pkg/detectors/buildkitev2/buildkitev2_integration_test.go b/pkg/detectors/buildkite/v2/buildkitev2_integration_test.go
similarity index 100%
rename from pkg/detectors/buildkitev2/buildkitev2_integration_test.go
rename to pkg/detectors/buildkite/v2/buildkitev2_integration_test.go
diff --git a/pkg/engine/defaults/defaults.go b/pkg/engine/defaults/defaults.go
index 1bc9266beb3a..d62fac18bf2c 100644
--- a/pkg/engine/defaults/defaults.go
+++ b/pkg/engine/defaults/defaults.go
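Review bot: the `package buildkitev2` clause is kept while the file moves to `pkg/detectors/buildkite/v2`, so the package name no longer matches the last element of its import path and every importer has to alias it (defaults.go uses `buildKitev2`). Either rename the package or add a short comment above the clause so the mismatch reads as deliberate, e.g. `// Package buildkitev2 keeps its pre-move name; import it with an explicit alias.` The second hunk also makes v2 verify through `v1.VerifyBuildKite`, so the two versions can no longer differ in endpoint or status handling without editing v1; a one-line comment at that call site saying the verification endpoint is shared would save the next reader from looking for a v2-specific one.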
@@ -106,8 +106,8 @@ import (
 "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/budibase"
 "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/bugherd"
 "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/bugsnag"
- "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/buildkite"
- "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/buildkitev2"
+ buildKitev1 "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/buildkite/v1"
+ buildKitev2 "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/buildkite/v2"
 "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/bulbul"
 "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/bulksms"
 "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/buttercms"
@@ -925,8 +925,8 @@ func buildDetectorList() []detectors.Detector {
 &budibase.Scanner{},
 &bugherd.Scanner{},
 &bugsnag.Scanner{},
- &buildkite.Scanner{},
- &buildkitev2.Scanner{},
+ &buildKitev1.Scanner{},
+ &buildKitev2.Scanner{},
 &bulbul.Scanner{},
 &bulksms.Scanner{},
 &buttercms.Scanner{},
From 3f3113b16a000e7c047e3df83040aac6c3b2df0c Mon Sep 17 00:00:00 2001
From: kashif khan
Date: Fri, 15 Nov 2024 19:40:15 +0500
Subject: [PATCH 2/3] resolved comments
---
 pkg/detectors/buildkite/v1/buildkite.go | 20 ++++++++++++--------
 pkg/detectors/buildkite/v2/buildkite.go | 4 +---
 2 files changed, 13 insertions(+), 11 deletions(-)
diff --git a/pkg/detectors/buildkite/v1/buildkite.go b/pkg/detectors/buildkite/v1/buildkite.go
index db0efb4e30f8..743c6f00de86 100644
--- a/pkg/detectors/buildkite/v1/buildkite.go
+++ b/pkg/detectors/buildkite/v1/buildkite.go
@@ -3,6 +3,7 @@ package buildkite
 import (
 "context"
 "fmt"
+ "io"
 "net/http"
 "strings"
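Review bot: the new aliases `buildKitev1` and `buildKitev2` put a capital letter in the middle of an identifier that is lowercase everywhere else in this import block and in the `@@ -925` list hunk (`budibase`, `bugsnag`, `bulbul`); `buildkitev1` and `buildkitev2` would keep the list consistent and remain greppable against the package name `buildkite`. Both hunks use the same two identifiers, so the rename touches exactly two import lines and two list entries.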
@@ -54,9 +55,7 @@ func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (result
 if verify {
 isVerified, verificationErr := VerifyBuildKite(ctx, client, resMatch)
 s1.Verified = isVerified
- if verificationErr != nil {
- s1.SetVerificationError(verificationErr, resMatch)
- }
+ s1.SetVerificationError(verificationErr, resMatch)
 }
 results = append(results, s1)
@@ -84,11 +83,16 @@ func VerifyBuildKite(ctx context.Context, client *http.Client, secret string) (b
 req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", secret))
 res, err := client.Do(req)
- if err == nil {
- defer res.Body.Close()
- if res.StatusCode >= 200 && res.StatusCode < 300 {
- return true, nil
- }
+ if err != nil {
+ return false, err
+ }
+ defer func() {
+ _, _ = io.Copy(io.Discard, res.Body)
+ _ = res.Body.Close()
+ }()
+
+ if res.StatusCode == http.StatusOK {
+ return true, nil
 }
 return false, nil
diff --git a/pkg/detectors/buildkite/v2/buildkite.go b/pkg/detectors/buildkite/v2/buildkite.go
index 2106803e951b..bd52ea44f6b0 100644
--- a/pkg/detectors/buildkite/v2/buildkite.go
+++ b/pkg/detectors/buildkite/v2/buildkite.go
@@ -53,9 +53,7 @@ func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (result
 if verify {
 isVerified, verificationErr := v1.VerifyBuildKite(ctx, client, resMatch)
 s1.Verified = isVerified
- if verificationErr != nil {
- s1.SetVerificationError(verificationErr, resMatch)
- }
+ s1.SetVerificationError(verificationErr, resMatch)
 }
 results = append(results, s1)
From 9d28f4ccbe7c5ca8844e0eb131b88ce09831607d Mon Sep 17 00:00:00 2001
From: kashif khan
Date: Mon, 18 Nov 2024 18:54:20 +0500
Subject: [PATCH 3/3] added scoped in extradata
---
 pkg/detectors/buildkite/v1/buildkite.go | 37 +++++++++++++++++++------
 pkg/detectors/buildkite/v2/buildkite.go | 3 +-
 2 files changed, 31 insertions(+), 9 deletions(-)
diff --git a/pkg/detectors/buildkite/v1/buildkite.go b/pkg/detectors/buildkite/v1/buildkite.go
index 743c6f00de86..1a4cca6b668a 100644
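Review bot: `if res.StatusCode == http.StatusOK` narrows the earlier `2xx` check to exactly 200 with no comment saying why, and every other status — 401, but equally 403, 429 and 5xx — falls through to `return false, nil`, so a rate-limited or failing API is reported as "token not verified" with no verification error attached, which is the outcome a secret scanner most needs to avoid. A comment such as `// only a 200 from the access-token endpoint proves the token is live; any other status is not a rejection on its own` plus an explicit distinction between a rejection and an unexpected status would make the result trustworthy (PATCH 3/3 of this series does this with a `switch`). The drain-and-close `defer` is the right fix for connection reuse. In the `@@ -54` hunk and the v2 `@@ -53` hunk `SetVerificationError` is now called with a nil error on every verified result — presumably a no-op for nil, but confirm against its definition.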
--- a/pkg/detectors/buildkite/v1/buildkite.go
+++ b/pkg/detectors/buildkite/v1/buildkite.go
@@ -2,6 +2,7 @@ package buildkite
 import (
 "context"
+ "encoding/json"
 "fmt"
 "io"
 "net/http"
@@ -16,6 +17,10 @@ import (
 type Scanner struct{}
+type APIResponse struct {
+ Scopes []string `json:"scopes"`
+}
+
 func (s Scanner) Version() int { return 1 }
 // Ensure the Scanner satisfies the interface at compile time.
@@ -50,12 +55,15 @@ func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (result
 s1 := detectors.Result{
 DetectorType: detectorspb.DetectorType_Buildkite,
 Raw: []byte(resMatch),
+ ExtraData: make(map[string]string),
 }
 if verify {
- isVerified, verificationErr := VerifyBuildKite(ctx, client, resMatch)
+ extraData, isVerified, verificationErr := VerifyBuildKite(ctx, client, resMatch)
 s1.Verified = isVerified
 s1.SetVerificationError(verificationErr, resMatch)
+
+ s1.ExtraData = extraData
 }
 results = append(results, s1)
@@ -72,11 +80,12 @@ func (s Scanner) Description() string {
 return "Buildkite is a platform for running fast, secure, and scalable continuous integration pipelines. Buildkite API tokens can be used to access and modify pipeline data and configurations."
 }
-func VerifyBuildKite(ctx context.Context, client *http.Client, secret string) (bool, error) {
+func VerifyBuildKite(ctx context.Context, client *http.Client, secret string) (map[string]string, bool, error) {
 // create a request
+ // api doc: https://buildkite.com/docs/apis/rest-api/access-token#get-the-current-token
 req, err := http.NewRequestWithContext(ctx, "GET", "https://api.buildkite.com/v2/access-token", nil)
 if err != nil {
- return false, err
+ return nil, false, err
 }
 // add authorization header
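Review bot: `APIResponse` in the `@@ -16` hunk is a new exported type with no doc comment and a name that does not say which response it models; it is only used inside `VerifyBuildKite` to decode the access-token reply. Making it unexported, `type accessTokenResponse struct`, keeps the package surface to `Scanner` and `VerifyBuildKite`, and a comment `// accessTokenResponse is the subset of the GET /v2/access-token body the detector reads.` documents it either way. If it stays exported it still needs a `// APIResponse ...` doc comment.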
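Review bot: `ExtraData: make(map[string]string)` in the `detectors.Result` literal of the `@@ -50` hunk is overwritten a few lines later by `s1.ExtraData = extraData`, and `VerifyBuildKite` returns a nil map on every path except a 200 (see the `@@ -84` hunk), so a result that failed verification ends with a nil `ExtraData` while a result produced with `verify` false keeps the empty map. Either drop the `make` or guard the assignment: `if extraData != nil { s1.ExtraData = extraData }`. The v2 `@@ -51` hunk assigns `extraData` the same way and would take the same guard.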
@@ -84,16 +93,28 @@ func VerifyBuildKite(ctx context.Context, client *http.Client, secret string) (b
 res, err := client.Do(req)
 if err != nil {
- return false, err
+ return nil, false, err
 }
 defer func() {
 _, _ = io.Copy(io.Discard, res.Body)
 _ = res.Body.Close()
 }()
- if res.StatusCode == http.StatusOK {
- return true, nil
- }
+ switch res.StatusCode {
+ case http.StatusOK:
+ var response APIResponse
- return false, nil
+ if err := json.NewDecoder(res.Body).Decode(&response); err != nil {
+ return nil, false, err
+ }
+
+ extraData := make(map[string]string)
+
+ extraData["scopes"] = strings.Join(response.Scopes, ", ")
+ return extraData, true, nil
+ case http.StatusUnauthorized:
+ return nil, false, nil
+ default:
+ return nil, false, fmt.Errorf("unexpected HTTP response status %d", res.StatusCode)
+ }
 }
diff --git a/pkg/detectors/buildkite/v2/buildkite.go b/pkg/detectors/buildkite/v2/buildkite.go
index bd52ea44f6b0..1f416bbc2211 100644
--- a/pkg/detectors/buildkite/v2/buildkite.go
+++ b/pkg/detectors/buildkite/v2/buildkite.go
@@ -51,9 +51,10 @@ func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (result
 }
 if verify {
- isVerified, verificationErr := v1.VerifyBuildKite(ctx, client, resMatch)
+ extraData, isVerified, verificationErr := v1.VerifyBuildKite(ctx, client, resMatch)
 s1.Verified = isVerified
 s1.SetVerificationError(verificationErr, resMatch)
+ s1.ExtraData = extraData
 }
 results = append(results, s1)
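Review bot: in the `http.StatusOK` case a `Decode` failure returns `nil, false, err`, which discards what the 200 already established: a live token is reported as unverified with a verification error only because the body was not the expected JSON (a schema change or an HTML 200 from an intermediary would trigger it). Since the status, not the scope list, is the verification signal, `return nil, true, err` keeps the finding while surfacing the decode problem — provided `detectors.Result` accepts Verified together with a verification error, which is not visible here; otherwise `return nil, true, nil` and leave scopes out. `json.NewDecoder(res.Body)` also reads an unbounded remote body; `json.NewDecoder(io.LimitReader(res.Body, 1<<20))` (limit illustrative) caps what a misbehaving endpoint can make the scanner buffer. `extraData := make(map[string]string)` followed by a single assignment reads more directly as the literal `map[string]string{"scopes": strings.Join(response.Scopes, ", ")}`.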