aquasecurity / trivy

Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
https://aquasecurity.github.io/trivy
Apache License 2.0

HuggingFace token detector not working properly (wrong number of characters) #6823

Open DmitriyLewen opened 1 month ago

DmitriyLewen commented 1 month ago

Discussed in https://github.com/aquasecurity/trivy/discussions/6784

Originally posted by **asankov** May 27, 2024

### Description

I am playing around with the secret detector in https://github.com/aquasecurity/trivy/blob/main/pkg/fanal/secret/ and I notice that the detector is not able to detect Hugging Face tokens.

Looking at the [HF Regex](https://github.com/aquasecurity/trivy/blob/main/pkg/fanal/secret/builtin-rules.go#L168), it expects 39 symbols after `hf_`. However, my HF token has only 34 symbols.

Example HF token: `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` (already revoked)

### Desired Behavior

Detect a HF token.

### Actual Behavior

Not detecting a HF token.

### Reproduction Steps

```bash
1. Create a Hugging Face account at https://huggingface.co/
2. Generate an API token at https://huggingface.co/settings/tokens
3. Provide that token as input to the `secret.Scanner`
4. Assert that it returns no findings
```

### Target

Filesystem

### Scanner

Secret

### Output Format

None

### Mode

Standalone

### Debug Output

```bash
$ trivy fs hf --debug
2024-05-27T13:40:23+03:00 DEBUG Parsed severities severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-05-27T13:40:23+03:00 DEBUG Ignore statuses statuses=[]
2024-05-27T13:40:23+03:00 DEBUG Cache dir dir="/Users/asankov/Library/Caches/trivy"
2024-05-27T13:40:23+03:00 DEBUG DB update was skipped because the local DB is the latest
2024-05-27T13:40:23+03:00 DEBUG DB info schema=2 updated_at=2024-05-27T06:12:09.854561954Z next_update=2024-05-27T12:12:09.854561794Z downloaded_at=2024-05-27T10:39:59.156462Z
2024-05-27T13:40:23+03:00 INFO Vulnerability scanning is enabled
2024-05-27T13:40:23+03:00 DEBUG Vulnerability type type=[os library]
2024-05-27T13:40:23+03:00 INFO Secret scanning is enabled
2024-05-27T13:40:23+03:00 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-27T13:40:23+03:00 INFO Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-05-27T13:40:23+03:00 DEBUG Enabling misconfiguration scanners scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-05-27T13:40:23+03:00 DEBUG [secret] No secret config detected config_path="trivy-secret.yaml"
2024-05-27T13:40:23+03:00 DEBUG [nuget] The nuget packages directory couldn't be found. License search disabled
2024-05-27T13:40:23+03:00 DEBUG OS is not detected.
2024-05-27T13:40:23+03:00 DEBUG Detected OS: unknown
2024-05-27T13:40:23+03:00 INFO Number of language-specific files num=0
```

### Operating System

macOS

### Version

```bash
Version: 0.51.4
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-05-27 06:12:09.854561954 +0000 UTC
  NextUpdate: 2024-05-27 12:12:09.854561794 +0000 UTC
  DownloadedAt: 2024-05-27 10:39:59.156462 +0000 UTC
```

### Checklist

- [X] Run `trivy image --reset`
- [X] Read [the troubleshooting](https://aquasecurity.github.io/trivy/latest/docs/references/troubleshooting/)
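The length mismatch the report describes, shown as an added Go illustration that is not Trivy's own code: a rule that pins the token body to exactly 39 characters is run beside a relaxed rule over the revoked sample token quoted above. The regex bodies, the rule IDs and the 34-character lower bound are assumptions for this example, not Trivy's builtin-rules source.

```go
package main

import (
	"fmt"
	"regexp"
)

// rule mirrors the shape of a builtin secret rule: an ID plus a compiled regex.
// Both patterns below are hypothetical, written for this example only.
type rule struct {
	ID    string
	Regex *regexp.Regexp
}

// fixedLengthRule models the behaviour the issue reports: exactly 39
// alphanumeric characters must follow the "hf_" prefix, so shorter tokens miss.
var fixedLengthRule = rule{
	ID:    "hugging-face-access-token-fixed-39",
	Regex: regexp.MustCompile(`\bhf_[A-Za-z0-9]{39}\b`),
}

// rangeRule is a relaxed alternative: keep the prefix as the anchor, require a
// minimum body length (34 here, an assumption) and accept longer variants too.
var rangeRule = rule{
	ID:    "hugging-face-access-token-range",
	Regex: regexp.MustCompile(`\bhf_[A-Za-z0-9]{34,}\b`),
}

// Scan returns the IDs of every rule whose pattern matches somewhere in content,
// which is what a secret scanner would report as findings for that file.
func Scan(content string, rules []rule) []string {
	var hits []string
	for _, r := range rules {
		if r.Regex.MatchString(content) {
			hits = append(hits, r.ID)
		}
	}
	return hits
}

func main() {
	// Constructed file content carrying the revoked 34-character token from the issue.
	content := "HF_TOKEN=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\n"
	fmt.Println("fixed-length rule:", Scan(content, []rule{fixedLengthRule})) // []
	fmt.Println("range rule:       ", Scan(content, []rule{rangeRule}))       // [hugging-face-access-token-range]
}
```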
nikpivkin commented 1 month ago

Would it make sense to create a topic about token format on the forum? https://discuss.huggingface.co/