From cc75be309b953da97fd3e29fd5dc874aff94e3a7 Mon Sep 17 00:00:00 2001
From: Mick Grove
Date: Wed, 25 Jun 2025 14:22:37 -0700
Subject: [PATCH] Added rules for line
---
 data/rules/jenkins.yml | 24 +++++++++++++++++++
 data/rules/jira.yml | 54 ++++++++++++++++++++++++++++++++++++++++++
 data/rules/line.yml | 36 ++++++++++++++++++++++++++++
 3 files changed, 114 insertions(+)
 create mode 100644 data/rules/jenkins.yml
 create mode 100644 data/rules/jira.yml
 create mode 100644 data/rules/line.yml
diff --git a/data/rules/jenkins.yml b/data/rules/jenkins.yml
new file mode 100644
index 0000000..f8fbb77
--- /dev/null
+++ b/data/rules/jenkins.yml
@@ -0,0 +1,24 @@
+rules:
+ - name: Jenkins Token or Crumb
+ id: kingfisher.jenkins.1
+ pattern: '(?i)jenkins.{0,10}(?:crumb)?.{0,10}\b([0-9a-f]{32,36})\b'
+ categories: [api, fuzzy, secret]
+ min_entropy: 3.3
+ confidence: medium
+ examples:
+ - |
+ jenkins_user = 'root'
+ # jenkins_passwd = '116365fd86d63bf507aba962606a5c8956' Pre token
+ jenkins_passwd = '11811f784531053132519844d047186074' # Dev Token
+ jenkins_url = 'http://10.1.188.121'
+ - |
+ export JENKINS_USER=justin-admin-edit-view
+ export JENKINS_TOKEN=11f4274ec59be12eace9a08b08ee13d54b
+ export JENKINS=jenkins-cicd.apps.sno.openshiftlabs.net
+ - |
+ sh "curl -X POST 'http://jenkins.lsfusion.luxsoft.by/job/${Paths.updateParentVersionsJob}/build' --user ${USERPASS} -H 'Jenkins-Crumb:440561953171ba44ace9740562d172bb'"
+ negative_examples:
+ - '1. ~~Does not play well with [Build Token Root Plugin](https://wiki.jenkins-ci.org/display/JENKINS/Build+Token+Root+Plugin) URL formats.~~ (added with [this commit](https://github.com/morficus/Parameterized-Remote-Trigger-Plugin/commit/f687dbe75d1c4f39f7e14b68220890384d7c5674) )'
+ references:
+ - https://www.jenkins.io/blog/2018/07/02/new-api-token-system/
+ - https://www.jenkins.io/doc/book/security/csrf-protection/
\ No newline at end of file
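Review bot: In the `pattern` of kingfisher.jenkins.1 the `(?:crumb)?` group is optional, so the expression reduces to `jenkins`, up to 20 arbitrary characters, then any 32–36 hex digits. An MD5 checksum printed next to a Jenkins artifact name would be reported as a token, and this rule has no `validation` block to filter such hits. Requiring a credential keyword keeps all three examples matching, e.g. `pattern: '(?i)jenkins.{0,10}(?:token|crumb|passw(?:or)?d).{0,10}\b([0-9a-f]{32,36})\b'`, and an MD5-style line would be a useful addition to `negative_examples`. The example tokens and hostnames look as if they were copied from real repositories; if so, constructed values would be safer to ship in the rule file.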
diff --git a/data/rules/jira.yml b/data/rules/jira.yml
new file mode 100644
index 0000000..e106e77
--- /dev/null
+++ b/data/rules/jira.yml
@@ -0,0 +1,54 @@
+rules:
+ - name: Jira Domain
+ id: kingfisher.jira.1
+ pattern: |
+ (?x)
+ (?i)
+ (
+ [a-z][a-z0-9-]{5,24}\.atlassian\.net
+ )
+ \b
+ min_entropy: 3.5
+ visible: false
+ confidence: medium
+ examples:
+ - example-jira.atlassian.net
+ - jira.sprintUri= https://leakyday.atlassian.net/rest
+
+ - name: Jira Token
+ id: kingfisher.jira.2
+ pattern: |
+ (?x)
+ (?i)
+ \b
+ jira
+ (?:.|[\n\r]){0,8}?
+ (?:SECRET|PRIVATE|ACCESS|KEY|PASSWORD|TOKEN)
+ (?:.|[\n\r]){0,16}?
+ \b
+ (
+ [a-z0-9-]{24}
+ )
+ \b
+ min_entropy: 3.3
+ confidence: medium
+ examples:
+ - 'Here is my Jira token: VDOheDe1sSCeGkuTARhkFDE2'
+ - public static final String JIRA_PASSWORD = "VDOheDe1sSCeGkuTARhkFDE2";
+ validation:
+ type: Http
+ content:
+ request:
+ headers:
+ Accept: application/json
+ Authorization: Basic {{ TOKEN }}
+ method: GET
+ response_matcher:
+ - report_response: true
+ - status:
+ - 200
+ type: StatusMatch
+ url: https://{{ DOMAIN }}/rest/api/3/dashboard
+ depends_on_rule:
+ - rule_id: kingfisher.jira.1
+ variable: DOMAIN
\ No newline at end of file
diff --git a/data/rules/line.yml b/data/rules/line.yml
new file mode 100644
index 0000000..3dd453a
--- /dev/null
+++ b/data/rules/line.yml
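Review bot: The `validation` request for kingfisher.jira.2 in data/rules/jira.yml sends `Authorization: Basic {{ TOKEN }}` with the bare captured string, whereas HTTP Basic expects base64 of `user:password` and a Jira Cloud API token is used as the password alongside the account e-mail. As written the check would presumably never receive a 200, so live tokens would be reported as inactive. The rule likely needs a second dependent capture for the e-mail and an encoded `email:token` value in the header, using whatever encoding helper the template engine provides. Separately, kingfisher.jira.1 only matches site names of 6–25 characters, so a token found next to a shorter `*.atlassian.net` name gets no DOMAIN and no validation.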
@@ -0,0 +1,36 @@
+rules:
+ - name: Line Messaging API Token
+ id: kingfisher.line.1
+ pattern: |
+ (?x)
+ (?i)
+ \b
+ line
+ (?:.|[\n\r]){0,32}?
+ (?:SECRET|PRIVATE|ACCESS|KEY|TOKEN)
+ (?:.|[\n\r]){0,32}?
+ \b
+ (
+ (?:[0-9A-Za-z+/]{57}){3}=?
+ )
+ min_entropy: 3.5
+ confidence: medium
+ examples:
+ - line_access_token = 13IRTqF+j0TfDtuJoIWKRBPhpDnqYUaaSlOilnoy0urLE+kbf5hN4HUf5pSPw20ruyO0BFFF1IDjnBojctp5emFw0hZ51WxB8c75qo48upJInfmqDQ1xrFd4yFKBwx4yRBHYXmI/FyrtcWKd0FBoBAdB04t81/1O/w1cDnyilFU=
+ - linemsg_token:"13IRTqF+j0TfDtuJoIWKRBPhpDnqYUaaSlOilnoy0urLE+kbf5hN4HUf5pSPw20ruyO0BFFF1IDjnBojctp5emFw0hZ51WxB8c75qo48upJInfmqDQ1xrFd4yFKBwx4yRBHYXmI/FyrtcWKd0FBoBAdB04t81/1O/w1cDnyilFU="
+ references:
+ - https://developers.line.biz/en/reference/messaging-api/#get-consumption
+ validation:
+ type: Http
+ content:
+ request:
+ headers:
+ Authorization: 'Bearer {{ TOKEN }}'
+ Content-Type: application/json
+ method: GET
+ response_matcher:
+ - report_response: true
+ - status:
+ - 200
+ type: StatusMatch
+ url: https://api.line.me/v2/bot/message/quota/consumption
\ No newline at end of file
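Review bot: The capture group in kingfisher.line.1 has no terminator, so `(?:[0-9A-Za-z+/]{57}){3}=?` matches the first 171 characters of any longer base64 run. With a keyword as common as `line` and a 32-character gap that spans newlines, unrelated blobs will match and be sent to api.line.me as a bearer token during validation. Following the group with `(?:[^0-9A-Za-z+/=]|$)` would reject longer runs, and a `negative_examples` entry holding a longer base64 string would pin that behaviour. The `\b` directly before the group also appears to drop tokens whose first character is `+` or `/` when the preceding character is a quote or `=`.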