
High Entropy string matchers have false positives on uuids. #250

Closed
conartist6 opened this issue Oct 8, 2019 · 5 comments

Comments

@conartist6

It should be possible to identify random UUIDs which, though they are hex high entropy strings, are generally not secrets. The combination of length, string formatting, and the version bit should be sufficient to match UUIDs, and at least offer the user a configuration option to consider them false positives and quash reporting on them.

@KevinHock
Collaborator

We might be able to add this to #245, as it has recently come up for us as well.

On a private branch, I had added

```python
if len(result) == 36:
    UUID_RE = re.compile(
        r'^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89AB][0-9a-f]{3}-[0-9a-f]{12}$',
        re.IGNORECASE,
    )
    if UUID_RE.match(result):
        continue
```

in this area

```python
for result in self.secret_generator(string):
    if is_false_positive(result, self.automaton):
        continue
    secret = PotentialSecret(self.secret_type, filename, result, line_num)
    output[secret] = secret
```

recently, but I didn't fully flesh it out.

@KevinHock
Collaborator

KevinHock commented Oct 8, 2019

Could you give an example UUID for posterity @conartist6? I realized on my private branch I had `-` and other metacharacters in the entropy plugin I was running, and so it makes sense how my plugin caught them, but on master right now we don't have `-`s in our base64 high-entropy plugin, so I'm curious what part of the UUID we did trigger off of (on master).

@conartist6
Author

conartist6 commented Oct 8, 2019

5873b5ea-c5cb-40ed-b206-111bb37195f2

This is a v4 uuid.
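An added example, not detect-secrets' own code, that applies the UUID shape check discussed in this thread to the UUID above and shows why an entropy plugin flags it: the hex part scores well above the usual hex threshold of 3.0 bits per character. It generalizes the snippet above from v4 only to any RFC 4122 version nibble (1-5) with a valid variant nibble (8, 9, a, b); the helper names and the sample candidates are constructed for this example.

```python
import math
import re
from collections import Counter

# Hypothetical filter (not the project's code). Accepts any RFC 4122 UUID:
# version nibble 1-5, variant nibble 8/9/a/b. The snippet above matched v4 only.
UUID_RE = re.compile(
    r'^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$',
    re.IGNORECASE,
)


def shannon_entropy(data):
    """Shannon entropy in bits per character, the score a high-entropy plugin thresholds on."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((n / total) * math.log2(n / total) for n in Counter(data).values())


def is_uuid(candidate):
    """True when the candidate has the exact UUID shape: 36 chars, dashes, version, variant."""
    return len(candidate) == 36 and UUID_RE.match(candidate) is not None


def filter_uuids(candidates):
    """Drop UUID-shaped candidates; every other candidate is still reported."""
    return [c for c in candidates if not is_uuid(c)]


# Constructed sample candidates: the v4 UUID from the issue, the same value without
# dashes (not a UUID by shape), the same value with an invalid variant nibble ('7'),
# and an unrelated hex string.
SAMPLE = [
    '5873b5ea-c5cb-40ed-b206-111bb37195f2',
    '5873b5eac5cb40edb206111bb37195f2',
    '5873b5ea-c5cb-40ed-7206-111bb37195f2',
    'deadbeefcafef00d1234',
]

if __name__ == '__main__':
    for c in SAMPLE:
        # Entropy is scored on the hex characters alone, since the dashes carry no entropy.
        print(f'{c}: entropy={shannon_entropy(c.replace("-", "")):.2f} uuid={is_uuid(c)}')
    print('still reported:', filter_uuids(SAMPLE))
```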

@KevinHock
Collaborator

Thanks! :)

@domanchi
Contributor

This should have been closed a while ago. In v1, this is added as a filter as well.
