From 3a10d70c8a29f9c34d4f403657d29821f40a92a6 Mon Sep 17 00:00:00 2001 From: Brad Larsen Date: Wed, 18 Oct 2023 10:38:31 -0400 Subject: [PATCH] Add additional rule examples; reformat one rule --- crates/noseyparker/data/default/rules/aws.yml | 15 +++++++++++++-- .../noseyparker/data/default/rules/facebook.yml | 4 ++++ crates/noseyparker/data/default/rules/twitter.yml | 8 ++++++++ 3 files changed, 25 insertions(+), 2 deletions(-) diff --git a/crates/noseyparker/data/default/rules/aws.yml b/crates/noseyparker/data/default/rules/aws.yml index 229fbce0d..ed9269ba1 100644 --- a/crates/noseyparker/data/default/rules/aws.yml +++ b/crates/noseyparker/data/default/rules/aws.yml @@ -26,7 +26,17 @@ rules: - name: AWS Secret Access Key id: np.aws.2 - pattern: '(?i)\baws_?(?:secret)?_?(?:access)?_?(?:key)?["'']?\s{0,30}(?::|=>|=)\s{0,30}["'']?([a-z0-9/+=]{40})\b' + pattern: | + (?x)(?i) + \b + aws_? (?:secret)? _? (?:access)? _? (?:key)? + ["'']? + \s{0,30} + (?::|=>|=) + \s{0,30} + ["'']? + ([a-z0-9/+=]{40}) + \b references: - https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html @@ -39,10 +49,11 @@ rules: - 'aws_secret_access_key => aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa' negative_examples: + - 'export AWS_SECRET_ACCESS_KEY=ded7db27a4558e2ea9bbf0bf36ae0e8521618f366c' - '"aws_secret_access_key" = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaend' - '"aws_secret_access_key" = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaendbbbbbbb' - '"aws_sEcReT_key" = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaend' - # FIXME: modify the pattern to detect cases like this + # FIXME: modify the pattern to detect cases like the following - 'aws_secret_key: OOzkR1+hF+1ABCsIFDJMEUtqmtnZ1234567890' - '======================' - '//////////////////////' diff --git a/crates/noseyparker/data/default/rules/facebook.yml b/crates/noseyparker/data/default/rules/facebook.yml index 30f9e86c6..e85405320 100644 --- a/crates/noseyparker/data/default/rules/facebook.yml 
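Review bot: In the reformatted `pattern: |` block for np.aws.2, both `["'']?` lines keep the doubled quote that was only an escape inside the old single-quoted YAML scalar. In a literal block scalar `''` is two literal quote characters, so the class now lists `'` twice. The match is unchanged, but `["']?` says what is meant. With `(?x)` now active, a comment above the key such as `# verbose mode: whitespace is ignored; escape any literal space or '#'` would stop a later edit from silently changing what the rule matches. Indentation is not visible in this collapsed view, so I have not checked the block's layout.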
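Review bot: The new first entry under `negative_examples` in the second aws.yml hunk, the `export AWS_SECRET_ACCESS_KEY=…` line, has no comment saying why it must not match, although later entries in the same list are marked as misses to fix. Its value is 42 characters long, so the `{40}` group followed by `\b` rejects it. A line above it such as `# 42 characters, longer than the 40 the rule accepts: must not match` would separate this intended negative from the FIXME cases. The reworded FIXME, `cases like the following`, also reads as covering every later entry, including `'======'` and `'//////'`; if only the next entry is meant, `like the next example` is clearer. The list continues past the end of the hunk.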
+++ b/crates/noseyparker/data/default/rules/facebook.yml @@ -21,6 +21,10 @@ rules: - " var fbApiKey = '0278fc1adf6dc1d82a156f306ce2c5cc';" - ' fbApiKey: "171e84fd57f430fc59afa8fad3dbda2a",' + negative_examples: + # XXX would be nice if the following matched + - '\"fbconnectkey\";s:32:\"8f52d1586bd18a18e152289b00ed7d29\";' + - name: Facebook Access Token id: np.facebook.2 diff --git a/crates/noseyparker/data/default/rules/twitter.yml b/crates/noseyparker/data/default/rules/twitter.yml index 643e4b28d..5e586f005 100644 --- a/crates/noseyparker/data/default/rules/twitter.yml +++ b/crates/noseyparker/data/default/rules/twitter.yml @@ -43,3 +43,11 @@ rules: - | # TWITTER_API_KEY = 'UZYoBAfBzNace3mBwPOGYw' # TWITTER_API_SECRET = 'ngHaeaRPKA5BDQNXace3LWA1PvTA1kBGDaAJmc517E' + + # XXX It would be nice if this actually matched + negative_examples: + - | + Twitter(auth=OAuth('MjuHWoGbzYmJv3ZuHaBvSENfyevu00NQuBc40VM', + 'anJLBCOALCXl7aXeybmNA5oae9E03Cm23cKNMLaScuXwk', + 'kl3E14NQx84qxO1dy247V0b2W', + '5VFVXVMq9bDJzFAKPfWOiYmJZin2F7YLhSfoyLBXf6Bc9ngX3g'))
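Review bot: The `negative_examples` entry added in the facebook.yml hunk is a known miss rather than a string the rule should reject, so any check that evaluates rule examples will now assert that this serialized `fbconnectkey` value goes undetected. The twitter.yml hunk does the same with a differently worded XXX comment placed above the key instead of inside the list, and aws.yml uses FIXME for the same purpose. One marker used everywhere, for example `# FIXME(false negative): should match; tracked in <issue-link>`, would let these detection gaps be found with a single search and tied to follow-up work. It would also help to state the suspected cause in the comment, presumably the backslash-escaped quotes and the `;s:32:` separator between name and value; the pattern itself is outside the hunk.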
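Review bot: The four values in the `Twitter(auth=OAuth(...))` example added in the twitter.yml hunk have the shape of a working token and secret set, and nothing in the hunk records whether they are synthetic or revoked. The same question applies to the 32-character `fbconnectkey` value added in facebook.yml and the `AWS_SECRET_ACCESS_KEY` value added in aws.yml. These files sit under `data/default/rules`, so they are presumably distributed with the tool. Samples taken from real findings should be confirmed dead or replaced with constructed values of the same length and alphabet. A comment on the entry such as `# sample credentials are synthetic or revoked` would make that explicit for the next reviewer.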