ShiftLeftSecurity / sast-scan

Scan is a free & Open Source DevSecOps tool for performing static analysis based security testing of your applications and its dependencies. CI and Git friendly.
https://discord.gg/DCNxzaeUpd
Apache License 2.0
788 stars, 112 forks

Hardcoded credentials in associative array not detected #354

Open rubenandre opened 2 years ago

rubenandre commented 2 years ago

The credscan component does not detect hardcoded credentials in a PHP associative array (also, potentially, in a multidimensional associative array).

Example Code:

$user_info = [
    'user1' => [
        'name' => 'user1',
        'password' => 'bSqh7wmkp'
    ],
];

Command output

[image: screenshot of the command output]

scan-full-report.json output

{
  "tool": {
    "driver": {
      "name": "PHP Security Audit",
      "version": "1.0.0-scan",
      "fullName": "PHP Security Audit"
    }
  },
  "conversion": {
    "tool": {
      "driver": {
        "name": "@ShiftLeft/sast-scan"
      }
    },
    "invocation": {
      "arguments": [
        "psalm",
        "--report-show-info=false",
        "--show-snippet=true",
        "--find-dead-code=always",
        "--find-unused-code=always",
        "-m",
        "--no-progress",
        "--no-file-cache",
        "--no-suggestions",
        "--no-cache",
        "--root=/app",
        "--report=/app/reports/audit-php-report.json"
      ],
      "executionSuccessful": true,
      "commandLine": "psalm --report-show-info=false --show-snippet=true --find-dead-code=always --find-unused-code=always -m --no-progress --no-file-cache --no-suggestions --no-cache --root=/app --report=/app/reports/audit-php-report.json",
      "endTimeUtc": "2021-11-03T20:04:52Z",
      "workingDirectory": {
        "uri": "file:///Users/rubensilva/Documents/test"
      }
    }
  },
  "invocations": [
    {
      "executionSuccessful": true,
      "endTimeUtc": "2021-11-03T20:04:52Z",
      "workingDirectory": {
        "uri": "file:///Users/rubensilva/Documents/test"
      }
    }
  ],
  "properties": {
    "metrics": {
      "total": 0,
      "critical": 0,
      "high": 0,
      "medium": 0,
      "low": 0
    }
  },
  "results": [],
  "automationDetails": {
    "description": {
      "text": "Static Analysis Security Test results using @ShiftLeft/sast-scan"
    },
    "guid": "ea768dc9-e149-4363-8078-859d1b7b8acf"
  },
  "versionControlProvenance": [
    {
      "branch": "",
      "repositoryUri": "",
      "revisionId": ""
    }
  ]
}

{
  "tool": {
    "driver": {
      "name": "PHP Security Analysis",
      "version": "1.0.0-scan",
      "fullName": "PHP Security Analysis"
    }
  },
  "conversion": {
    "tool": {
      "driver": {
        "name": "@ShiftLeft/sast-scan"
      }
    },
    "invocation": {
      "arguments": [
        "/opt/phpsast/vendor/bin/psalm",
        "--report-show-info=false",
        "--show-snippet=true",
        "--taint-analysis",
        "-m",
        "--no-progress",
        "--no-file-cache",
        "--no-suggestions",
        "--no-cache",
        "--root=/app",
        "--report=/app/reports/taint-php-report.json"
      ],
      "executionSuccessful": true,
      "commandLine": "/opt/phpsast/vendor/bin/psalm --report-show-info=false --show-snippet=true --taint-analysis -m --no-progress --no-file-cache --no-suggestions --no-cache --root=/app --report=/app/reports/taint-php-report.json",
      "endTimeUtc": "2021-11-03T20:04:53Z",
      "workingDirectory": {
        "uri": "file:///Users/rubensilva/Documents/test"
      }
    }
  },
  "invocations": [
    {
      "executionSuccessful": true,
      "endTimeUtc": "2021-11-03T20:04:53Z",
      "workingDirectory": {
        "uri": "file:///Users/rubensilva/Documents/test"
      }
    }
  ],
  "properties": {
    "metrics": {
      "total": 0,
      "critical": 0,
      "high": 0,
      "medium": 0,
      "low": 0
    }
  },
  "results": [],
  "automationDetails": {
    "description": {
      "text": "Static Analysis Security Test results using @ShiftLeft/sast-scan"
    },
    "guid": "82b810db-1793-493a-9427-cb87e7a46be9"
  },
  "versionControlProvenance": [
    {
      "branch": "",
      "repositoryUri": "",
      "revisionId": ""
    }
  ]
}
prabhu commented 2 years ago

@rubenandre any idea what the 1 suppressed issue was? Could you investigate by running credscan directly?

rubenandre commented 2 years ago

I ran credscan directly (gitleaks) and the output does not show any issue.

[image: screenshot of the gitleaks output]

prabhu commented 2 years ago

@rubenandre this is going to require some testing. I think scan is looking for a minimum of 10 characters, whereas your password is only 9 characters.

https://github.com/ShiftLeftSecurity/sast-scan/blob/master/tools_config/credscan-config.toml#L177

Could you override the config and let me know how it looks? I'm happy to accept a PR.
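The minimum-length hypothesis above can be reproduced without the full scanner. The following is an added example, not code from sast-scan or from gitleaks: the `password_rule` regex and its `min_len` knob are an assumption modelled on a generic "password assignment" rule, and the real rule in credscan-config.toml is not reproduced here. It runs a line-based rule over the PHP snippet from the issue (constructed sample, with the inner array closed by `],` so it parses) and shows that a 10-character floor skips the 9-character value while an 8-character floor reports it, and that the same rule still fires on a longer value.

```python
import re
from typing import List, Tuple

# Constructed sample: the snippet from the issue, nested one level deep.
PHP_SAMPLE = """\
$user_info = [
    'user1' => [
        'name' => 'user1',
        'password' => 'bSqh7wmkp'
    ],
];
"""

# Constructed control sample: same shape, but a 12-character password.
PHP_SAMPLE_LONG = """\
$user_info = [
    'user1' => [
        'name' => 'user1',
        'password' => 'bSqh7wmkpXYZ'
    ],
];
"""


def password_rule(min_len: int) -> "re.Pattern[str]":
    """Hypothetical credential rule (assumption, not the credscan config).

    Matches a key named password/passwd/pwd, an assignment operator
    (=, :, or PHP's =>), then a quoted value of at least `min_len`
    characters. The `{min_len,}` quantifier is the knob the issue is about:
    the value must be at least that long or the rule never fires.
    """
    return re.compile(
        r"""(?i)['"]?(?:password|passwd|pwd)['"]?\s*(?:=>|=|:)\s*['"]([^'"]{%d,})['"]"""
        % min_len
    )


def scan(source: str, min_len: int) -> List[Tuple[int, str]]:
    """Return (line_number, secret) for every line the rule fires on.

    The rule is applied per line, so array nesting depth is irrelevant:
    a multidimensional array is missed or caught for the same reason
    a flat one is, namely the length floor.
    """
    rule = password_rule(min_len)
    findings: List[Tuple[int, str]] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = rule.search(line)
        if m:
            findings.append((lineno, m.group(1)))
    return findings


if __name__ == "__main__":
    for floor in (10, 8):
        print(f"min_len={floor}: 9-char sample -> {scan(PHP_SAMPLE, floor)}")
    print(f"min_len=10: 12-char sample -> {scan(PHP_SAMPLE_LONG, 10)}")
```

Lowering the floor is a trade-off: a shorter minimum catches weak, short passwords like the one in the issue but also raises false positives on placeholder values such as `'changeme'`, which is why a length floor exists in the first place. When overriding the config, it is worth re-running the scan on a repository with known non-secret short strings to see how much noise the new floor adds.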