fix: add special characters support for generic credential rule

.2ms.yml

@@ -1383,3 +1383,9 @@ ignore-result:
 - fcaf9a97bbcf85b33f88738b1e817e098e9c37e1 # unit test from e2e_test.go
 - fe08c7c6c7f8bb715022aa4cd16ae1c69906ebba # test data from expectedReportWithValidation.json
 - 5858849b35c4d0c6061a61c28c39e28b98844333 # unit test from rule_test.go
+- 93a8246bc5d82a9d47d8b683b4343b51dc3bb918 # unit test from generic_credential_test.go
+- ce952993fb8d6762a1feb0a1860dd806e0a36d40 # unit test from generic_credential_test.go
+- 0ee50cf76ca12b4b03bfb8f233527d846965ae8a # unit test from generic_credential_test.go (remove later)
+- 1ab798f14ecce9ea8a9229803c33f06e0093306a # unit test from generic_credential_test.go (remove later)
+- 4154ccf54f5d43a54103495dcf0e228353dc02f4 # unit test from generic_credential_test.go (remove later)
+- 783d3aa8f0e14f6d1527879bbcb3ae6195134b33 # unit test from generic_credential_test.go (remove later)

engine/rules/ruledefine/generic_credential.go

@@ -16,7 +16,7 @@ var genericCredentialRegex = generateSemiGenericRegexIncludingXml([]string{
 	"passw(?:or)?d",
 	"secret",
 	"token",
-}, `[\w.=-]{10,150}|[a-z0-9][a-z0-9+/]{11,}={0,3}`, true).String()
+}, `[\w.=\-~?!:@]{10,150}|[a-z0-9][a-z0-9+/]{11,}={0,3}`, true).String()
 
 func GenericCredential() *Rule {
 	return &Rule{
@@ -42,7 +42,7 @@ func GenericCredential() *Rule {
 				// NOTE: this is a goofy hack to get around the fact there golang's regex engine does not support positive lookaheads.
 				// Ideally we would want to ensure the secret contains both numbers and alphabetical characters, not just alphabetical characters.
 				Regexes: []string{
-					regexp.MustCompile(`^[a-zA-Z_.-]+$`).String(),
+					regexp.MustCompile(`^[a-zA-Z_.-]+:?$`).String(),
 				},
 			},
 			{
@@ -60,7 +60,7 @@ func GenericCredential() *Rule {
 						`|rapid|capital` + // common words containing "api"
 						`|[a-z0-9-]*?api[a-z0-9-]*?:jar:` + // Maven META-INF dependencies that contain "api" in the name.
 						// Auth
-						`|author` +
+						`|\bauthor\b` +
 						`|X-MS-Exchange-Organization-Auth` + // email header
 						`|Authentication-Results` + // email header
 						// Credentials
@@ -94,6 +94,10 @@ func GenericCredential() *Rule {
 						// Empty variables capturing the next line (e.g., .env files)
 						`|(?-i:(?:[A-Z_]+=\n[A-Z_]+=|[a-z_]+=\n[a-z_]+=)(?:\n|\z))` +
 						`|(?-i:(?:[A-Z.]+=\n[A-Z.]+=|[a-z.]+=\n[a-z.]+=)(?:\n|\z))` +
+						// Code constant references (e.g. AnnotationWithConstants::INTEGER).
+						`|(?-i:\w+::[A-Z][A-Z0-9_]*)` +
+						// Any secret in valid date/datetime format (e.g. ISO 8601: 2018-04-22T10:28:49.876Z) — not a credential
+						`|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2})?` +
 						`)`).String(),
 				},
 				StopWords: append(DefaultStopWords,

engine/rules/ruledefine/generic_credential_test.go

@@ -85,6 +85,8 @@ func TestGenericCredential(t *testing.T) {
 				" utils.GetEnvOrDefault(\"api_token\", \"dafa7817-e246-48f3-91a7-e87653d587b8\")",
 				// xml cases
 				"<key>API_KEY</key>\n<string>AIzaSyATDL7Wz3Ze6BU31Yv3fVVth30Skyib29g</string>",
+				"Authorization.ClientSecret: e55wsdasfsgs-sdsdas_2sdasjVM~ggadASaADASsad",
+				"Authorization.ClientSecret: e55wsdasfsgs-sds::das_2sdasjVM~ggad?ASaAD!ASs@ad",
 			},
 			falsePositives: []string{
 				"issuerKeyHash=npmXsmT2_C1iJZ-SD7RuL8exZ=6ucd",
@@ -96,6 +98,13 @@ func TestGenericCredential(t *testing.T) {
 				"<key>GOOGLE_APP_ID</key>\n<string>1:407966239993:ios:0d7534f14f8cfe19</string>",
 				"\"a_b_key\": \"x-someval-127.0.0.1\",",
 				"KeyVaultSecretsUser: '62168719-64c5-453d-b4ef-b51d8b1ad44d'",
+				"maxAPIResponseBytes: tc.maxAPIBytes , maxTotalScanBytes:   tc.maxTotalBytes,",
+				"SOME_KEY = AnnotationWithConstants::INTEGER",
+				"SOME_KEY = AnnotationWithConstants::TANTO_FAZ",
+				"AuthnInstant=2018-04-22T10:28:49.876Z",
+				"AuthnInstant=2018-04-22T10:28:49Z",
+				"AuthnInstant=2018-04-22T10:28:49+00:00",
+				"PasswordStorage::SECTION_DELIMITER",
 			},
 		},
 	}