newrelic / rusty-hog

A suite of secret scanners built in Rust for performance. Based on TruffleHog (https://github.com/dxa4481/truffleHog) which is written in Python.
Apache License 2.0

Choctaw Hog v1.0.9 binary working, v1.0.10 not working #38

Closed h888t closed 2 years ago

h888t commented 3 years ago

Description

Choctaw Hog completes successfully when using pre-built v1.0.9 binary, but returns a list of empty issues when utilising the pre-built 1.0.10 binary.

Steps to Reproduce

v1.0.9

$ ./choctaw_hog https://github.com/newrelic/rusty-hog  --httpsuser "" --httpspass "" --help
choctaw_hog 1.0.9

...........

$ ./choctaw_hog https://github.com/newrelic/rusty-hog  --httpsuser "" --httpspass "" --prettyprint
[
  {
    "commit": "v1.0.10\n",
    "commitHash": "04bd867ad782daa532e28bcfe45f18a66b9aa90a",
    "date": "2021-04-23 18:10:31",
    "diff": "  \"PGP private key block\": \"-----BEGIN PGP PRIVATE KEY BLOCK-----\",\n",
    "stringsFound": [
      "-----BEGIN PGP PRIVATE KEY BLOCK-----"
    ],

...........

v1.0.10

$ unzip rustyhogs-darwin-choctaw_hog-1.0.10.zip
Archive:  rustyhogs-darwin-choctaw_hog-1.0.10.zip
  inflating: darwin_releases/choctaw_hog
$ cd darwin_releases/
$ ./choctaw_hog https://github.com/newrelic/rusty-hog  --httpsuser "" --httpspass "" --prettyprint
[]

Expected Behaviour

Pre-built v1.0.10 also returns results

Your Environment

macOS Big Sur (20.6.0 Darwin Kernel Version 20.6.0: Wed Jun 23 00:26:31 PDT 2021; root:xnu-7195.141.2~5/RELEASE_X86_64 x86_64), but replicated with the Docker image as well.

cutler-scott-newrelic commented 3 years ago

Interesting. I'll check this out tomorrow as I'm on vacation today. Thanks for the report.

Scott


h888t commented 3 years ago

Of course, take your time - I do not know Rust, otherwise I'd take a stab at figuring out the issue myself. Thanks for the great tool, and enjoy your holiday!

wetfeet2000 commented 3 years ago

I was able to track this down to a change in behavior in the git2 Rust library. Specifically, when force_binary is set to true, the diff no longer returns the binary difference between files but just a message that there is a difference (sigh). I'll keep working on this to make sure that both text and binary diffs work. But in the meantime I will revoke the 1.10 release because it is definitely broken.

cutler-scott-newrelic commented 3 years ago

Update: The latest commit to master should fix the issues, so if you really need you can build it yourself. I'll work on building a public release tomorrow.

cutler-scott-newrelic commented 2 years ago

@h888t do you want to test the new release on your machine to double check we're good? https://github.com/newrelic/rusty-hog/releases/tag/v1.0.11

h888t commented 2 years ago

I can confirm v1.0.11 is working for me! Many thanks for your help.

$ unzip rustyhogs-darwin-choctaw_hog-1.0.11.zip
Archive:  rustyhogs-darwin-choctaw_hog-1.0.11.zip
  inflating: darwin_releases/choctaw_hog
$ cd darwin_releases/
$ ./choctaw_hog https://github.com/newrelic/rusty-hog  --httpsuser "" --httpspass "" --prettyprint
[
  {
    "commit": "fixed #16 refactored scan_dir and wrote test\n\nversion increment and changelog update\n\nstarting to implement white
.....