trufflesecurity / trufflehog

Find and verify secrets
https://trufflesecurity.com
GNU Affero General Public License v3.0
14.5k stars 1.58k forks

"syntax error" while processing a file #2877

Open rohitn opened 1 month ago

rohitn commented 1 month ago

TruffleHog Version

trufflehog --version
trufflehog 3.76.3

Trace Output

Invocation

trufflehog git --no-update --no-verification --trace -j file:///data/REDACTED > ~/trufflehog.json 2> ~/log.txt

From log.txt

2024-05-23T02:09:30Z error trufflehog error processing AR files {"source_manager_worker_id": "awK83", "unit": "/data/REDACTED", "unit_kind": "dir", "commit": "1f3cb90", "path": "REDACTED/FpwLib.lib", "timeout": 30, "error": "error reading AR payload: strconv.Atoi: parsing \"\": invalid syntax"}

Expected Behavior

No errors

Actual Behavior

"invalid syntax" error

Steps to Reproduce

It is a private repository so I cannot provide steps to reproduce

Environment

rgmz commented 1 month ago

Source:

  1. https://github.com/paultag/go-debian/blob/246d63d4a8289011dff5db890058a7d9403f785a/deb/ar.go#L107
  2. https://github.com/paultag/go-debian/blob/246d63d4a8289011dff5db890058a7d9403f785a/deb/ar.go#L153
  3. https://github.com/paultag/go-debian/blob/246d63d4a8289011dff5db890058a7d9403f785a/deb/ar.go#L89
  4. https://github.com/trufflesecurity/trufflehog/blob/1441289d410e0918eddd9f749bdcd37cd14be944/pkg/handlers/ar.go#L74-L80

rgmz commented 1 month ago

I opened a pull request for this in the upstream library: https://github.com/paultag/go-debian/pull/130.

rgmz commented 1 month ago

I opened a pull request for this in the upstream library: paultag/go-debian#130.

@ahrav Is there an optimal field order for string, *int64? https://github.com/paultag/go-debian/blob/0efa67c1a811c738589ad900ef2ff8c6a4fed9c8/deb/ar.go#L131-L134

ahrav commented 1 month ago

> I opened a pull request for this in the upstream library: paultag/go-debian#130.
>
> @ahrav Is there an optimal field order for string, *int64? https://github.com/paultag/go-debian/blob/0efa67c1a811c738589ad900ef2ff8c6a4fed9c8/deb/ar.go#L131-L134

Either order should have the same effect. Personally, I prefer the string first in this case (how you have it), but both should work fine.

Thanks for tracking this down. 🙇

ahrav commented 1 month ago

This reminds me, there was also an issue with the rpmutils package causing an IOOR panic. I temporarily band-aided with a recover, but I should submit a proper fix upstream. 😅

rgmz commented 3 weeks ago

No movement on the PR yet. It may end up being necessary to fork it to avoid this common and annoying error.
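
The failure in the trace above, as an added Go example that is not code from TruffleHog, go-debian or the upstream pull request: a strict integer parse fails on a blank ar header field, while this parser maps blank optional fields to nil and still rejects a missing size. Assumptions: the thread does not say which field was empty in FpwLib.lib, so the sample header (blank uid and gid) is constructed, and `arHeader`, `optInt` and `parseARHeader` are hypothetical names.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// arHeader is one 60-byte ar member header; numeric fields are nil when blank on disk.
type arHeader struct {
	Name                        string
	MTime, UID, GID, Mode, Size *int64
}

// optInt parses a space-padded numeric field; a blank field yields nil, not an error.
func optInt(field []byte, base int) (*int64, error) {
	if s := strings.TrimSpace(string(field)); s != "" {
		v, err := strconv.ParseInt(s, base, 64)
		return &v, err
	}
	return nil, nil
}

// parseARHeader decodes name(16) mtime(12) uid(6) gid(6) mode(8, octal) size(10) magic(2).
func parseARHeader(b []byte) (*arHeader, error) {
	if len(b) != 60 || string(b[58:]) != "`\n" {
		return nil, fmt.Errorf("ar: bad header length or magic")
	}
	h := &arHeader{Name: strings.TrimSpace(string(b[:16]))}
	type field struct{ dst **int64; lo, hi, base int }
	for _, f := range []field{{&h.MTime, 16, 28, 10}, {&h.UID, 28, 34, 10}, {&h.GID, 34, 40, 10}, {&h.Mode, 40, 48, 8}, {&h.Size, 48, 58, 10}} {
		v, err := optInt(b[f.lo:f.hi], f.base)
		if err != nil {
			return nil, fmt.Errorf("ar: header bytes %d-%d: %w", f.lo, f.hi, err)
		}
		*f.dst = v
	}
	if h.Size == nil || *h.Size < 0 { // size is mandatory: it locates the next member
		return nil, fmt.Errorf("ar: missing or negative size field %q", b[48:58])
	}
	return h, nil
}

// sample is a constructed header (not taken from the report) with blank uid and gid fields.
var sample = []byte(fmt.Sprintf("%-16s%-12s%-6s%-6s%-8s%-10s`\n", "example.obj/", "1716430170", "", "", "100666", "1234"))

func main() {
	h, err := parseARHeader(sample)
	fmt.Println(h.Name, h.UID == nil, *h.Size, err)
}
```

Keeping the size field mandatory matters for a scanner: without it the reader cannot find the next member, so a blank size should stop processing of that archive rather than be treated as zero.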