fix(secret): Alibaba AccessKey ID (aquasecurity#3083)

BenjaminHerbert · Oct 27, 2022 · 9e649b8 · 9e649b8
1 parent af89249
commit 9e649b8
Show file tree

Hide file tree

Showing 3 changed files with 49 additions and 6 deletions.
diff --git a/pkg/fanal/secret/builtin-rules.go b/pkg/fanal/secret/builtin-rules.go
@@ -270,12 +270,13 @@ var builtinRules = []Rule{
 		Keywords: []string{"p8e-"},
 	},
 	{
-		ID:       "alibaba-access-key-id",
-		Category: CategoryAlibaba,
-		Title:    "Alibaba AccessKey ID",
-		Severity: "HIGH",
-		Regex:    MustCompile(`(LTAI)(?i)[a-z0-9]{20}`),
-		Keywords: []string{"LTAI"},
+		ID:              "alibaba-access-key-id",
+		Category:        CategoryAlibaba,
+		Title:           "Alibaba AccessKey ID",
+		Severity:        "HIGH",
+		Regex:           MustCompile(`([^0-9a-z]|^)(?P<secret>(LTAI)(?i)[a-z0-9]{20})([^0-9a-z]|$)`),
+		SecretGroupName: "secret",
+		Keywords:        []string{"LTAI"},
 	},
 	{
 		ID:              "alibaba-secret-key",

diff --git a/pkg/fanal/secret/scanner_test.go b/pkg/fanal/secret/scanner_test.go
@@ -494,6 +494,37 @@ func TestSecretScanner(t *testing.T) {
 			},
 		},
 	}
+	wantFindingAlibabaAccessKeyId := types.SecretFinding{
+		RuleID:    "alibaba-access-key-id",
+		Category:  secret.CategoryAlibaba,
+		Title:     "Alibaba AccessKey ID",
+		Severity:  "HIGH",
+		StartLine: 2,
+		EndLine:   2,
+		Match:     "key = ************************,",
+		Code: types.Code{
+			Lines: []types.Line{
+				{
+					Number:      1,
+					Content:     "key : LTAI1234567890ABCDEFG123asd",
+					Highlighted: "key : LTAI1234567890ABCDEFG123asd",
+				},
+				{
+					Number:      2,
+					Content:     "key = ************************,",
+					Highlighted: "key = ************************,",
+					IsCause:     true,
+					FirstCause:  true,
+					LastCause:   true,
+				},
+				{
+					Number:      3,
+					Content:     "asdLTAI1234567890ABCDEFG123",
+					Highlighted: "asdLTAI1234567890ABCDEFG123",
+				},
+			},
+		},
+	}
 
 	tests := []struct {
 		name          string
@@ -527,6 +558,14 @@ func TestSecretScanner(t *testing.T) {
 				Findings: []types.SecretFinding{wantFindingAsymmetricPrivateKey},
 			},
 		},
+		{
+			name:          "find Alibaba AccessKey ID txt",
+			inputFilePath: "testdata/alibaba-access-key-id.txt",
+			want: types.Secret{
+				FilePath: "testdata/alibaba-access-key-id.txt",
+				Findings: []types.SecretFinding{wantFindingAlibabaAccessKeyId},
+			},
+		},
 		{
 			name:          "find Asymmetric Private Key secrets json",
 			inputFilePath: "testdata/asymmetric-private-secret.json",

diff --git a/pkg/fanal/secret/testdata/alibaba-access-key-id.txt b/pkg/fanal/secret/testdata/alibaba-access-key-id.txt
@@ -0,0 +1,3 @@
+key : LTAI1234567890ABCDEFG123asd
+key = LTAI1234567890ABCDEFG123,
+asdLTAI1234567890ABCDEFG123