eblume/kingfisher
1
0
Fork 0
forked from mirrors/kingfisher
Code Pull requests Activity Actions
kingfisher/tests/int_dedup.rs

245 lines
8.6 KiB
Rust
Raw Normal View History

preparing for v1.12
2025-06-24 17:17:16 -07:00
//! Proves that run_async_scan collapses identical findings when
//! ── no_dedup == false ──
//! while keeping them separate when no_dedup == true.
use std::{
fs,
sync::{Arc, Mutex},
};
use anyhow::Result;
use kingfisher::{
cli::{
commands::{
Added first-class Azure Repos support, including CLI commands, enumeration, and documentation updates
2025-10-04 23:12:28 -07:00
azure::AzureRepoType,
Added support for BitBucket
2025-09-22 18:21:03 -07:00
bitbucket::{BitbucketAuthArgs, BitbucketRepoType},
Added support for Gitea
2025-09-23 13:07:45 -07:00
gitea::GiteaRepoType,
preparing for v1.12
2025-06-24 17:17:16 -07:00
github::{GitCloneMode, GitHistoryMode, GitHubRepoType},
gitlab::GitLabRepoType,
inputs::{ContentFilteringArgs, InputSpecifierArgs},
output::{OutputArgs, ReportOutputFormat},
rules::RuleSpecifierArgs,
scan::{ConfidenceLevel, ScanArgs},
},
preparing for v1.78.0
2026-02-02 23:22:08 -08:00
global::{Mode, TlsMode},
preparing for v1.12
2025-06-24 17:17:16 -07:00
GlobalArgs,
},
findings_store::FindingsStore,
rule_loader::RuleLoader,
rules_database::RulesDatabase,
scanner::run_async_scan,
updated tests
2025-11-24 11:08:31 -08:00
update::UpdateStatus,
preparing for v1.12
2025-06-24 17:17:16 -07:00
};
use tempfile::TempDir;
use tokio::runtime::Runtime;
use url::Url;
/// Helper: run a scan with the supplied `no_dedup` flag and return how many
/// findings the `FindingsStore` ends up containing.
fn run_scan(count_rt: &Runtime, no_dedup: bool) -> Result<usize> {
// ── temp workspace ──────────────────────────────────────────────
let work = TempDir::new()?;
let rules_dir = work.path().join("rules");
fs::create_dir_all(&rules_dir)?;
let inputs_dir = work.path().join("in");
fs::create_dir_all(&inputs_dir)?;
// 1. Tiny custom rule that matches `secret_1234`
fs::write(
rules_dir.join("demo.yml"),
r#"
rules:
- id: demo.secret
name: Demo secret
pattern: "secret_[0-9]{4}"
confidence: low
"#,
)?;
// 2. Two different blobs that both contain the SAME secret
fs::write(inputs_dir.join("a.txt"), "secret_1234\n")?;
fs::write(inputs_dir.join("b.txt"), "secret_1234\n")?;
// ── build ScanArgs ──────────────────────────────────────────────
let scan_args = ScanArgs {
num_jobs: 2,
rules: RuleSpecifierArgs {
rules_path: vec![rules_dir.clone()],
rule: vec!["all".into()],
load_builtins: false,
},
input_specifier_args: InputSpecifierArgs {
path_inputs: vec![inputs_dir.join("a.txt"), inputs_dir.join("b.txt")],
git_url: Vec::new(),
v1.73.0
2026-01-01 22:24:57 -08:00
git_clone_dir: None,
keep_clones: false,
repo_clone_limit: None,
include_contributors: false,
preparing for v1.12
2025-06-24 17:17:16 -07:00
github_user: Vec::new(),
github_organization: Vec::new(),
Added --github-exclude and --gitlab-exclude options to skip specific repositories when scanning or listing GitHub and GitLab sources, including support for gitignore-style glob patterns
2025-09-15 21:26:51 -07:00
github_exclude: Vec::new(),
preparing for v1.12
2025-06-24 17:17:16 -07:00
all_github_organizations: false,
github_api_url: Url::parse("https://api.github.com/").unwrap(),
github_repo_type: GitHubRepoType::Source,
// new GitLab defaults
gitlab_user: Vec::new(),
gitlab_group: Vec::new(),
Added --github-exclude and --gitlab-exclude options to skip specific repositories when scanning or listing GitHub and GitLab sources, including support for gitignore-style glob patterns
2025-09-15 21:26:51 -07:00
gitlab_exclude: Vec::new(),
preparing for v1.12
2025-06-24 17:17:16 -07:00
all_gitlab_groups: false,
gitlab_api_url: Url::parse("https://gitlab.com/").unwrap(),
gitlab_repo_type: GitLabRepoType::Owner,
- Added support for scanning gitlab subgroups, with 'kingfisher scan --gitlab-group my-group --gitlab-include-subgroups'
2025-08-14 09:25:18 -07:00
gitlab_include_subgroups: false,
preparing for v1.12
2025-06-24 17:17:16 -07:00
- Added first-class Hugging Face scanning support, including CLI enumeration, token authentication, and integration with remote scans. - Condensed GitError formatting to report the exit status and the first informative lines from stdout/stderr, producing concise git clone failure logs. - Added support for scanning Google Cloud Storage buckets via --gcs-bucket, including optional prefixes and service-account authentication. - Added --skip-aws-account (now accepting comma-separated values) and --skip-aws-account-file to bypass live AWS validation for known canary/honey-token account IDs without triggering alerts. Kingfisher now ships with several canary AWS account IDs pre-seeded in the skip list and now reports matching findings as "Not Attempted" with the "Response" containing "(skip list entry)" so its clear that validation was intentionally skipped and why.
2025-10-15 22:47:40 -07:00
huggingface_user: Vec::new(),
huggingface_organization: Vec::new(),
huggingface_model: Vec::new(),
huggingface_dataset: Vec::new(),
huggingface_space: Vec::new(),
huggingface_exclude: Vec::new(),
Added support for Gitea
2025-09-23 13:07:45 -07:00
gitea_user: Vec::new(),
gitea_organization: Vec::new(),
gitea_exclude: Vec::new(),
all_gitea_organizations: false,
gitea_api_url: Url::parse("https://gitea.com/api/v1/").unwrap(),
gitea_repo_type: GiteaRepoType::Source,
Added support for BitBucket
2025-09-22 18:21:03 -07:00
bitbucket_user: Vec::new(),
bitbucket_workspace: Vec::new(),
bitbucket_project: Vec::new(),
bitbucket_exclude: Vec::new(),
all_bitbucket_workspaces: false,
bitbucket_api_url: Url::parse("https://api.bitbucket.org/2.0/").unwrap(),
bitbucket_repo_type: BitbucketRepoType::Source,
bitbucket_auth: BitbucketAuthArgs::default(),
Added first-class Azure Repos support, including CLI commands, enumeration, and documentation updates
2025-10-04 23:12:28 -07:00
azure_organization: Vec::new(),
azure_project: Vec::new(),
azure_exclude: Vec::new(),
all_azure_projects: false,
azure_base_url: Url::parse("https://dev.azure.com/").unwrap(),
azure_repo_type: AzureRepoType::Source,
Added support for scanning issues returned from a JQL search using --jira-url and --jql
2025-07-25 17:21:28 -07:00
jira_url: None,
jql: None,
Add Jira comment and changelog scanning
2026-02-28 11:13:00 -07:00
jira_include_comments: false,
jira_include_changelog: false,
Added support for scanning Confluence pages
2025-08-10 21:51:31 -07:00
confluence_url: None,
cql: None,
WIP: Adding support for scanning Docker images
2025-07-27 12:20:20 -07:00
max_results: 100,
Added support for Slack
2025-07-29 19:00:49 -07:00
slack_query: None,
slack_api_url: Url::parse("https://slack.com/api/").unwrap(),
-Added support for scanning AWS S3 buckets via --s3-bucket and optional --s3-prefix - Added --role-arn and --aws-local-profile flags for S3 authentication alongside KF_AWS_KEY/KF_AWS_SECRET
2025-08-02 20:40:16 -07:00
// s3
s3_bucket: None,
s3_prefix: None,
role_arn: None,
aws_local_profile: None,
- Added first-class Hugging Face scanning support, including CLI enumeration, token authentication, and integration with remote scans. - Condensed GitError formatting to report the exit status and the first informative lines from stdout/stderr, producing concise git clone failure logs. - Added support for scanning Google Cloud Storage buckets via --gcs-bucket, including optional prefixes and service-account authentication. - Added --skip-aws-account (now accepting comma-separated values) and --skip-aws-account-file to bypass live AWS validation for known canary/honey-token account IDs without triggering alerts. Kingfisher now ships with several canary AWS account IDs pre-seeded in the skip list and now reports matching findings as "Not Attempted" with the "Response" containing "(skip list entry)" so its clear that validation was intentionally skipped and why.
2025-10-15 22:47:40 -07:00
gcs_bucket: None,
gcs_prefix: None,
gcs_service_account: None,
WIP: Adding support for scanning Docker images
2025-07-27 12:20:20 -07:00
// Docker image scanning
docker_image: Vec::new(),
preparing for v1.12
2025-06-24 17:17:16 -07:00
// git clone / history options
git_clone: GitCloneMode::Bare,
git_history: GitHistoryMode::Full,
commit_metadata: true,
- Added '--repo-artifacts' flag to scan repository issues, gists/snippets, and wikis when cloning via '--git-url'
2025-08-20 20:41:11 -07:00
repo_artifacts: false,
scan_nested_repos: true,
Added diff-only Git scanning via --since-commit and --branch, including remote-aware ref resolution so CI jobs can pair --git-url clones with pull request branches
2025-09-16 14:20:43 -07:00
since_commit: None,
branch: None,
- Fixed local filesystem scans to keep open_path_as_is enabled when opening Git repositories and only disable it for diff-based scans. - Created Linux and Windows specific installer script - Updated diff-focused scanning so --branch-root-commit can be provided alongside --branch, letting you diff from a chosen commit while targeting a specific branch tip (still defaulting back to the --branch ref when the commit is omitted).
2025-10-25 17:12:51 -07:00
branch_root: false,
branch_root_commit: None,
Updated precommit behavior and docs
2025-12-09 12:56:55 -08:00
staged: false,
preparing for v1.12
2025-06-24 17:17:16 -07:00
},
content_filtering_args: ContentFilteringArgs {
max_file_size_mb: 5.0,
extraction_depth: 1,
no_binary: true,
no_extract_archives: false,
Added baseline feature with --baseline-file and --manage-baseline flags. Introduced --exclude option for skipping paths
2025-07-14 13:18:24 -07:00
exclude: Vec::new(), // Exclude patterns
preparing for v1.12
2025-06-24 17:17:16 -07:00
},
confidence: ConfidenceLevel::Low,
no_validate: true,
- Reduced per-match memory usage by compacting stored source locations and interning repeated capture names. - Stored optional validation response bodies as boxed strings to avoid allocating empty payloads and to streamline validator caches. - Parallelized git cloning based on the configured job count and begin scanning repositories as soon as each clone finishes to reduce end-to-end scan times. - Combined per-repository results into a single aggregate summary after scans complete. - Added initial access-map support and report viewer html file. Currently beta features.
2025-12-04 22:02:30 -08:00
access_map: false,
preparing for v1.12
2025-06-24 17:17:16 -07:00
rule_stats: false,
only_valid: false,
min_entropy: Some(0.0),
redact: false,
git_repo_timeout: 1800, // 30 minutes
output_args: OutputArgs { output: None, format: ReportOutputFormat::Pretty },
no_dedup,
v1.73.0
2026-01-01 22:24:57 -08:00
view_report: false,
Added baseline feature with --baseline-file and --manage-baseline flags. Introduced --exclude option for skipping paths
2025-07-14 13:18:24 -07:00
baseline_file: None,
manage_baseline: false,
Added '--skip-regex' and '--skip-word' flags to ignore secrets matching custom patterns or skipwords
2025-08-19 19:18:25 -07:00
skip_regex: Vec::new(),
skip_word: Vec::new(),
- Added first-class Hugging Face scanning support, including CLI enumeration, token authentication, and integration with remote scans. - Condensed GitError formatting to report the exit status and the first informative lines from stdout/stderr, producing concise git clone failure logs. - Added support for scanning Google Cloud Storage buckets via --gcs-bucket, including optional prefixes and service-account authentication. - Added --skip-aws-account (now accepting comma-separated values) and --skip-aws-account-file to bypass live AWS validation for known canary/honey-token account IDs without triggering alerts. Kingfisher now ships with several canary AWS account IDs pre-seeded in the skip list and now reports matching findings as "Not Attempted" with the "Response" containing "(skip list entry)" so its clear that validation was intentionally skipped and why.
2025-10-15 22:47:40 -07:00
skip_aws_account: Vec::new(),
skip_aws_account_file: None,
Decode Base64 blobs and scan their contents for secrets while skipping short strings for performance. This has a small performance impact and can be disabled with --no-base64
2025-08-30 19:40:11 -07:00
no_base64: false,
added --turbo mode
2026-02-24 12:25:12 -07:00
turbo: false,
- Added a --no-ignore CLI flag to disable inline directives when you need every potential secret reported - Added: repeatable --ignore-comment <TOKEN> flag to reuse inline directives from other scanners (for example NOSONAR, kics-scan ignore, gitleaks:allow, etc)
2025-10-10 16:23:41 -07:00
extra_ignore_comments: Vec::new(),
- Added kingfisher:ignore (or kingfisher:allow) to silence a finding inline within a file - Added: to reuse existing inline directives from other scanners, pass --compat-ignore-comments to also accept NOSONAR, kics-scan ignore, gitleaks:allow and trufflehog:ignore
2025-10-09 20:11:31 -07:00
no_inline_ignore: false,
Added an optional exclude_words list to PatternRequirements so matches containing case-insensitive placeholder words are filtered out, with accompanying tests to cover the new behavior.
2025-11-05 17:19:11 -08:00
no_ignore_if_contains: false,
Updated kingfisher scan to accept Git repository URLs as positional targets (for example kingfisher scan github.com/org/repo or kingfisher scan https://gitlab.com/group/project.git) without requiring --git-url.
2026-02-26 23:14:18 -07:00
view_report_port: 7890,
view_report_address: "127.0.0.1".to_string(),
v1.73.0
2026-01-01 22:24:57 -08:00
validation_retries: 1,
Added optional validation rate limiting via --validation-rps (global) and repeatable --validation-rps-rule <RULE_SELECTOR=RPS> (per-rule override) for both scan and validate. Throttling now applies across built-in validator types (HTTP/gRPC plus AWS, GCP, Coinbase, MongoDB, Postgres, MySQL, JDBC, JWT, and Azure Storage). Rule selectors support the short form (for example, github=2 matches kingfisher.github.*) with longest-prefix precedence when multiple selectors apply.
2026-02-12 12:33:59 -08:00
validation_rps: None,
validation_rps_rule: Vec::new(),
v1.73.0
2026-01-01 22:24:57 -08:00
validation_timeout: 10,
v1.80.0
2026-02-09 12:11:35 -08:00
full_validation_response: false,
preparing for v1.12
2025-06-24 17:17:16 -07:00
};
let global_args = GlobalArgs {
verbose: 0,
quiet: true,
color: Mode::Never,
progress: Mode::Never,
no_update_check: false,
self_update: false,
ignore_certs: false,
Removed the unused --rlimit-nofile flag
2025-09-18 17:02:56 -07:00
user_agent_suffix: None,
preparing for v1.78.0
2026-02-02 23:22:08 -08:00
tls_mode: TlsMode::Strict,
preparing for v1.12
2025-06-24 17:17:16 -07:00
};
// ── load rules once ─────────────────────────────────────────────
let loaded = RuleLoader::from_rule_specifiers(&scan_args.rules).load(&scan_args)?;
let resolved = loaded.resolve_enabled_rules()?;
let rules_db = Arc::new(RulesDatabase::from_rules(resolved.into_iter().cloned().collect())?);
updated tests
2025-11-24 11:08:31 -08:00
let update_status = UpdateStatus::default();
preparing for v1.12
2025-06-24 17:17:16 -07:00
// Fresh FindingsStore for this run
let store_path = work.path().join("store");
fs::create_dir_all(&store_path)?;
let datastore = Arc::new(Mutex::new(FindingsStore::new(store_path)));
// run_async_scan is async use the supplied Tokio runtime
count_rt.block_on(run_async_scan(
&global_args,
&scan_args,
Arc::clone(&datastore),
&rules_db,
updated tests
2025-11-24 11:08:31 -08:00
&update_status,
preparing for v1.12
2025-06-24 17:17:16 -07:00
))?;
let x = Ok(datastore.lock().unwrap().get_matches().len());
x
}
#[test]
fn test_dedup_branch() -> Result<()> {
Fix redis URI matching and sqlite row budget
2026-02-28 14:25:05 -08:00
// A *single* runtime reused for both scans keeps the test fast
preparing for v1.12
2025-06-24 17:17:16 -07:00
let rt = Runtime::new().unwrap();
let findings_with_dups = run_scan(&rt, true)?; // keep duplicates
let findings_deduped = run_scan(&rt, false)?; // collapse duplicates
assert!(
findings_with_dups > findings_deduped,
"expected deduplication to reduce finding count ({} -- {})",
findings_with_dups,
findings_deduped
);
assert_eq!(findings_deduped, 1, "exactly one unique finding should remain after dedup");
Ok(())
}
Copy permalink