
Detection sensitivity is very low when no indicators are present #314

Open
Gby56 opened this issue Aug 2, 2022 · 2 comments
Labels
status:confirmed This issue has been reviewed and confirmed type:bug Something isn't working

Comments

@Gby56

Gby56 commented Aug 2, 2022

GitGuardian Shield Version: 2.72.0

  • I can reproduce this bug in the latest version

Command executed
Simply add a txt file with a fake AWS key (found on Google) with

AKIAJIPU77TQL5LB6OIB
8Mw77pe6Ua9wr56f6lr069rDPTDWeUvV0q6ZS+6N

Then
ggshield scan -v --all-policies path lol.txt

This won't find anything...

Try the same, with a few pointers:

key=AKIAJIPU77TQL5LB6OIB
secret=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

And this will work.

Describe the bug

There really seems to be a problem in the sensitivity system, ggshield definitely isn't built with a "clues" system that adds weight depending on the findings it has.
An AWS key should always get caught no matter the prefix, especially if the pair key+secret is in the same file imo.

Expected behavior

ggshield should flag secrets without needing pointers for "password" or "key", especially for such common use cases like AWS keys.


@Gby56 Gby56 added type:bug Something isn't working status:new This issue needs to be reviewed labels Aug 2, 2022
@pierrelalanne
Collaborator

pierrelalanne commented Aug 2, 2022

Hi @Gby56,
We had a look at the example you submitted, thanks for opening this issue.

The engine does not raise an alert indeed. Yet, your explanation is not exactly right. The case you described happens because we apply a validation on the context of the secret to verify the secret is not made of some random text that happens to match the AWS key pattern. The content you sent very much looks like random text. If you were to include any characters, as long as it includes non-text characters, in the close context of the secret, then an alert would be raised. For instance:

a = b
AKIAJIPU77TQL5LB6OIB
8Mw77pe6Ua9wr56f6lr069rDPTDWeUvV0q6ZS+6N

We are looking into improving this. I'll keep you updated as soon as we have results on this topic.

@pierrelalanne pierrelalanne added status:confirmed This issue has been reviewed and confirmed and removed status:new This issue needs to be reviewed labels Aug 2, 2022
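To make the heuristic in the comment above concrete, here is an added illustration (not ggshield's code, and the regexes and the `pair_overrides_context` switch are hypothetical): candidate key material is matched by pattern, the candidates are masked out, and an alert is raised only if the remaining surrounding text contains non-text characters. The three snippets from this thread are embedded as constructed samples, and the optional switch models the reporter's suggestion that a key+secret pair should be flagged regardless of context.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed samples: the three snippets posted in this thread (the key is
# the throwaway example the reporter found via a public search).
BARE = "AKIAJIPU77TQL5LB6OIB\n8Mw77pe6Ua9wr56f6lr069rDPTDWeUvV0q6ZS+6N\n"
WITH_POINTERS = (
    "key=AKIAJIPU77TQL5LB6OIB\n"
    "secret=8Mw77pe6Ua9wr56f6lr069rDPTDWeUvV0q6ZS+6N\n"
)
WITH_CODE_CONTEXT = "a = b\n" + BARE

# Hypothetical patterns (not ggshield's own): an AWS access key ID is 20
# chars starting with "AKIA"; a secret key is 40 chars of base64-like text.
ACCESS_KEY_RE = re.compile(r"(?<![A-Za-z0-9])AKIA[0-9A-Z]{16}(?![A-Za-z0-9])")
SECRET_KEY_RE = re.compile(r"(?<![A-Za-z0-9/+])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])")

# "Non-text" characters: anything that is not a letter, digit or whitespace.
SYMBOL_RE = re.compile(r"[^A-Za-z0-9\s]")


@dataclass
class Finding:
    access_key: str
    secret_key: Optional[str]
    context_has_symbols: bool
    alert: bool


def scan(text: str, pair_overrides_context: bool = False) -> List[Finding]:
    """Return one Finding per access-key candidate found in `text`.

    `alert` is True when the surrounding context (with all candidates masked
    out) contains non-text characters, or, if `pair_overrides_context` is set,
    when a secret-key candidate accompanies the access key.
    """
    keys = list(ACCESS_KEY_RE.finditer(text))
    secrets = list(SECRET_KEY_RE.finditer(text))
    if not keys:
        return []

    # Blank out every candidate (same length, so offsets stay valid) so that a
    # '+' or '/' inside the secret itself does not count as context.
    masked = text
    for m in keys + secrets:
        masked = masked[: m.start()] + " " * (m.end() - m.start()) + masked[m.end():]
    context_has_symbols = SYMBOL_RE.search(masked) is not None

    findings = []
    for k in keys:
        secret = secrets[0].group(0) if secrets else None
        alert = context_has_symbols or (pair_overrides_context and secret is not None)
        findings.append(Finding(k.group(0), secret, context_has_symbols, alert))
    return findings


if __name__ == "__main__":
    for name, sample in (("bare", BARE), ("pointers", WITH_POINTERS),
                         ("code context", WITH_CODE_CONTEXT)):
        for f in scan(sample):
            print(f"{name:13s} context_has_symbols={f.context_has_symbols} alert={f.alert}")
    for f in scan(BARE, pair_overrides_context=True):
        print(f"bare (pair rule) alert={f.alert}")
```

Run as-is, the bare sample is suppressed (no context symbols), while `key=` and `a = b` both supply a `=` that turns the same candidate into an alert; enabling the pair rule flags the bare sample too, which is the trade-off the reporter asks about, since it also raises the false-positive rate on random 20/40-character strings.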
@Gby56
Author

Gby56 commented Aug 2, 2022

Got it! I understand, yes. We had a few people playing with it internally and were surprised to see it not triggered.
I would expect that a random string that fits exactly an AWS key, exact length, on a single line, would trigger an alert 🤔
Maybe the tool could flag things and suggest a way to ignore the finding in the CLI output, so even if it's a false positive it's not too noisy?
