
horusecCliFilesOrPathsToIgnore apparently being ignored in vscode extension and CI #1157

Open
lays147 opened this issue Aug 16, 2023 · 1 comment


lays147 commented Aug 16, 2023

What happened: I have configured the horusecCliFilesOrPathsToIgnore option to ignore some folders and files.

How to reproduce it (as minimally and precisely as possible):
NodeJS project with a package-lock.json with pgpass installed.

Horusec-config:

{
  "horusecCliCertInsecureSkipVerify": false,
  "horusecCliFilesOrPathsToIgnore": [
    "*tmp*",
    "**/.vscode/**",
    "docker-compose.yml",
    ".env.sample",
    "package-lock.json",
    "**/.dist/**",
    "**/.coverage/**",
    "**/.coverage-e2e/**"
  ],
  "horusecCliReturnErrorIfFoundVulnerability": false,
  "horusecCliRiskAcceptHashes": null,
  "horusecCliSeveritiesToIgnore": [
    "INFO"
  ],
  "horusecCliShowVulnerabilitiesTypes": [
    "Vulnerability"
  ],
  "horusecCliTimeoutInSecondsAnalysis": 600,
  "horusecCliTimeoutInSecondsRequest": 300,
  "horusecCliFalsePositiveHashes": [
  ]
}

Expected result: package-lock.json is ignored on the scan

Actual result: package-lock.json is scanned by horusec

Column: 11
SecurityTool: HorusecEngine
Confidence: MEDIUM
File: /runner/_work/FeeRavManagerAPI/FeeRavManagerAPI/package-lock.json
Code: "pgpass": "1.x"
RuleID: HS-LEAKS-26
Type: Vulnerability
ReferenceHash: dce09eb1eb793933fbfe57a3088b23d04e9a760c5d8fbddf6f1e9a95e222f71e
Details: (1/1) * Possible vulnerability detected: Hard-coded password
The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. For more information checkout the CWE-798 (https://cwe.mitre.org/data/definitions/798.html) advisory.

Also using the VsCode addon with the above horusec-config, folders like dist are still being scanned.

Anything else we need to know?:

Environment:

  • Horusec version (use horusec version):
    In the CI I use the config from the docs: curl -fsSL https://raw.githubusercontent.com/ZupIT/horusec/main/deployments/scripts/install.sh
  • Operating System: In the CI Ubuntu, my machine: Arch Linux
  • Others: VsCode: v2.2.8
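As an added example (not part of this issue or of Horusec's own code), a small Python check that applies the ignore list from the config above to the file path Horusec reported. It assumes doublestar-style glob semantics, where only `**` crosses directory separators; whether Horusec matches the same way is an assumption here, not something this page confirms. Under those semantics a bare `package-lock.json` only matches a root-relative path, while `**/package-lock.json` also matches the absolute path from the CI log.

```python
import json
import re

# Constructed copy of the relevant part of the horusec-config from this issue.
HORUSEC_CONFIG = json.loads("""
{
  "horusecCliFilesOrPathsToIgnore": [
    "*tmp*", "**/.vscode/**", "docker-compose.yml", ".env.sample",
    "package-lock.json", "**/.dist/**", "**/.coverage/**", "**/.coverage-e2e/**"
  ]
}
""")

# Path exactly as reported in the scan output above.
REPORTED_PATH = "/runner/_work/FeeRavManagerAPI/FeeRavManagerAPI/package-lock.json"


def glob_to_regex(pattern: str) -> re.Pattern:
    """Translate a glob into an anchored regex.
    ASSUMPTION: doublestar-style semantics ('**' spans directories, '*' and '?'
    stop at '/'); Horusec's real matcher may differ."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            out.append("(?:.*/)?")  # zero or more leading directories
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")        # anything, including separators
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def matching_patterns(path: str, patterns) -> list:
    """Return every ignore pattern that matches the given path."""
    return [p for p in patterns if glob_to_regex(p).match(path)]


def ignored(path: str, patterns) -> bool:
    """True if at least one ignore pattern matches the path."""
    return bool(matching_patterns(path, patterns))
```

Running `ignored(REPORTED_PATH, HORUSEC_CONFIG["horusecCliFilesOrPathsToIgnore"])` returns False under these semantics, which is one possible explanation for the file still being scanned if the CLI matches against the absolute path.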
@injcristianrojas

Same thing here with horusecCliJsonOutputFilepath. It's being completely ignored by the plugin-launched docker process.

Environment:

  • Horusec version: v2.8.0 (RPM version)
  • OS: Fedora 38 64-bit
  • VSCODE version: 1.82.3
  • Docker version: 24.0.6
