diff --git a/.2ms.yml b/.2ms.yml
index 8e10e02d..ab55d19d 100644
--- a/.2ms.yml
+++ b/.2ms.yml
@@ -1383,3 +1383,9 @@ ignore-result:
 - fcaf9a97bbcf85b33f88738b1e817e098e9c37e1 # unit test from e2e_test.go
 - fe08c7c6c7f8bb715022aa4cd16ae1c69906ebba # test data from expectedReportWithValidation.json
 - 5858849b35c4d0c6061a61c28c39e28b98844333 # unit test from rule_test.go
+- 93a8246bc5d82a9d47d8b683b4343b51dc3bb918 # unit test from generic_credential_test.go
+- ce952993fb8d6762a1feb0a1860dd806e0a36d40 # unit test from generic_credential_test.go
+- 0ee50cf76ca12b4b03bfb8f233527d846965ae8a # unit test from generic_credential_test.go (remove later)
+- 1ab798f14ecce9ea8a9229803c33f06e0093306a # unit test from generic_credential_test.go (remove later)
+- 4154ccf54f5d43a54103495dcf0e228353dc02f4 # unit test from generic_credential_test.go (remove later)
+- 783d3aa8f0e14f6d1527879bbcb3ae6195134b33 # unit test from generic_credential_test.go (remove later)
\ No newline at end of file
diff --git a/engine/rules/ruledefine/generic_credential.go b/engine/rules/ruledefine/generic_credential.go
index 27513163..d28dacc0 100644
--- a/engine/rules/ruledefine/generic_credential.go
+++ b/engine/rules/ruledefine/generic_credential.go
@@ -16,7 +16,7 @@ var genericCredentialRegex = generateSemiGenericRegexIncludingXml([]string{
 "passw(?:or)?d",
 "secret",
 "token",
-}, `[\w.=-]{10,150}|[a-z0-9][a-z0-9+/]{11,}={0,3}`, true).String()
+}, `[\w.=\-~?!:@]{10,150}|[a-z0-9][a-z0-9+/]{11,}={0,3}`, true).String()
 
 func GenericCredential() *Rule {
 return &Rule{
@@ -42,7 +42,7 @@ func GenericCredential() *Rule {
 // NOTE: this is a goofy hack to get around the fact there golang's regex engine does not support positive lookaheads.
 // Ideally we would want to ensure the secret contains both numbers and alphabetical characters, not just alphabetical characters.
 Regexes: []string{
- regexp.MustCompile(`^[a-zA-Z_.-]+$`).String(),
+ regexp.MustCompile(`^[a-zA-Z_.-]+:?$`).String(),
 },
 },
 {
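Review bot: Four of the new `ignore-result` entries carry only the annotation `(remove later)`, which gives the next maintainer neither the condition for removing them nor a pointer to the finding each hash suppresses, and every entry here permanently hides a scanner result. Spell out the trigger on each line, e.g. `# unit test from generic_credential_test.go — drop once <TODO: condition> (see <TODO: issue ref>)`, or track the four in one issue and cite it. The two entries without the annotation presumably correspond to the new truePositives strings in generic_credential_test.go; naming the fixture each hash covers would make the list auditable without recomputing hashes.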
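Review bot: The widened secret character class `[\w.=\-~?!:@]{10,150}` is not explained anywhere in the hunk, and `:` and `@` are significant additions: they can let a match run across key/value separators and through `user:secret@host`-style fragments, which is presumably why the allow-list in the `@@ -42` hunk now tolerates a trailing colon (`^[a-zA-Z_.-]+:?$`) and the test file gains the `maxAPIResponseBytes: … maxTotalScanBytes:` false positive. A comment on the regex line would keep that coupling visible, e.g. `// secret charset deliberately admits ':' '@' '~' '?' '!' (ClientSecret-style values); the allow-list below tolerates the trailing ':' this lets through`. The `:?` relaxation covers only a trailing colon, so an identifier-like token ending in one of the other new characters (`~`, `?`, `!`, `@`) is not covered by that allow-list entry; worth confirming that is intended. The `GenericCredential` body continues outside the `@@ -42` hunk.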
@@ -60,7 +60,7 @@ func GenericCredential() *Rule {
 `|rapid|capital` + // common words containing "api"
 `|[a-z0-9-]*?api[a-z0-9-]*?:jar:` + // Maven META-INF dependencies that contain "api" in the name.
 // Auth
- `|author` +
+ `|\bauthor\b` +
 `|X-MS-Exchange-Organization-Auth` + // email header
 `|Authentication-Results` + // email header
 // Credentials
@@ -94,6 +94,10 @@ func GenericCredential() *Rule {
 // Empty variables capturing the next line (e.g., .env files)
 `|(?-i:(?:[A-Z_]+=\n[A-Z_]+=|[a-z_]+=\n[a-z_]+=)(?:\n|\z))` +
 `|(?-i:(?:[A-Z.]+=\n[A-Z.]+=|[a-z.]+=\n[a-z.]+=)(?:\n|\z))` +
+ // Code constant references (e.g. AnnotationWithConstants::INTEGER).
+ `|(?-i:\w+::[A-Z][A-Z0-9_]*)` +
+ // Any secret in valid date/datetime format (e.g. ISO 8601: 2018-04-22T10:28:49.876Z) — not a credential
+ `|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2})?` +
 `)`).String(),
 },
 StopWords: append(DefaultStopWords,
diff --git a/engine/rules/ruledefine/generic_credential_test.go b/engine/rules/ruledefine/generic_credential_test.go
index 4449663e..eb0462bf 100644
--- a/engine/rules/ruledefine/generic_credential_test.go
+++ b/engine/rules/ruledefine/generic_credential_test.go
@@ -85,6 +85,8 @@ func TestGenericCredential(t *testing.T) {
 " utils.GetEnvOrDefault(\"api_token\", \"dafa7817-e246-48f3-91a7-e87653d587b8\")",
 // xml cases
 "API_KEY\nAIzaSyATDL7Wz3Ze6BU31Yv3fVVth30Skyib29g",
+ "Authorization.ClientSecret: e55wsdasfsgs-sdsdas_2sdasjVM~ggadASaADASsad",
+ "Authorization.ClientSecret: e55wsdasfsgs-sds::das_2sdasjVM~ggad?ASaAD!ASs@ad",
 },
 falsePositives: []string{
 "issuerKeyHash=npmXsmT2_C1iJZ-SD7RuL8exZ=6ucd",
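Review bot: Narrowing `|author` to `|\bauthor\b` stops the allow-list from swallowing `Authorization`/`authorized` (which the new `Authorization.ClientSecret` true positives rely on), but nothing in the test hunk pins that a whole-word `author` is still suppressed, so the alternative could be dropped entirely without a test failing. One falsePositives entry that places whole-word `author` next to a rule keyword would cover the word-bounded form. Note that RE2's `\b` is an ASCII word boundary and `_` is a word character, so inputs such as `author_key` that the old substring form suppressed are no longer allow-listed; if that is intended, say so on the new line, e.g. `// whole word only: "authorization"/"authorized" must stay visible`. The allow-list regex and `GenericCredential` start before and continue after the hunk.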
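Review bot: The new constant-reference alternative `(?-i:\w+::[A-Z][A-Z0-9_]*)` is unanchored on the right, so a single uppercase letter after `::` is enough to suppress a finding: the second new true positive (`…-sds::das_…`) is kept only because the `d` is lowercase, and `…-sds::Das_…` would be allow-listed. If the intent is SCREAMING_CASE constants as the comment says, ending the class at a word boundary, `` `|(?-i:\w+::[A-Z][A-Z0-9_]*\b)` + ``, keeps `AnnotationWithConstants::INTEGER` and `PasswordStorage::SECTION_DELIMITER` allow-listed while rejecting mixed-case continuations. The ISO-8601 alternative on the following line is likewise unanchored, so any captured value that merely contains a timestamp would presumably be dropped; whether that is acceptable depends on whether these regexes run against the secret group or the whole match, which is not visible here. The enclosing allow-list struct and `GenericCredential` start before and continue after the hunk.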
@@ -96,6 +98,13 @@ func TestGenericCredential(t *testing.T) {
 "GOOGLE_APP_ID\n1:407966239993:ios:0d7534f14f8cfe19",
 "\"a_b_key\": \"x-someval-127.0.0.1\",",
 "KeyVaultSecretsUser: '62168719-64c5-453d-b4ef-b51d8b1ad44d'",
+ "maxAPIResponseBytes: tc.maxAPIBytes , maxTotalScanBytes: tc.maxTotalBytes,",
+ "SOME_KEY = AnnotationWithConstants::INTEGER",
+ "SOME_KEY = AnnotationWithConstants::TANTO_FAZ",
+ "AuthnInstant=2018-04-22T10:28:49.876Z",
+ "AuthnInstant=2018-04-22T10:28:49Z",
+ "AuthnInstant=2018-04-22T10:28:49+00:00",
+ "PasswordStorage::SECTION_DELIMITER",
 },
 },
 }
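Review bot: The new falsePositives cover only standalone timestamps and SCREAMING_CASE `::` constants, so nothing pins the other side of the two new allow-list alternatives: there is no truePositives entry in which a credential merely contains an ISO-8601 timestamp, or a `::` followed by an uppercase letter, inside a longer value (a `ClientSecret:` value with a `::K…` segment, constructed, would do). Because both alternatives are unanchored, such a case would presumably be suppressed today; adding it, or a comment on the date entries stating that this suppression is accepted, would make the trade-off explicit. `TestGenericCredential` and its test table start before the hunk.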