
Noseyparker version 16 and 22 support for git history and without git history scans #11615

Closed
wants to merge 3 commits into from

@Himan10 Himan10 commented Jan 22, 2025

ISSUE: #11535

@manuel-sommer has also pushed some changes to a different PR regarding the support for version 22. I've added a comment in this PR as well with regard to the issues I've encountered with his code. The reason for creating a new PR for this is that I was not able to push changes to manuel's PR, so I've attached his PR as well in case anyone wants to check out the previous changes.

Manuel's PR: #11565

Reason:

I've identified some issues with the changes you've pushed to this PR. In Noseyparker, we have a flag to scan repositories without including their Git history (the flag --git-history=none is used for this). The structure of the reports generated by Noseyparker with --git-history=none is different from those generated without this flag. When running a normal scan with Noseyparker (which includes the Git history), the scan generally includes commit metadata. However, this commit metadata is not present in scans where --git-history=none is used.

Previously, we were unable to import Noseyparker scans where the Git history of the repository was excluded into DefectDojo. I've made some changes to your PR to support importing both versions of the Noseyparker report, one with Git history and one without. I've tested this code locally with the latest version of DefectDojo and v2.33.0 (release mode).

dependabot bot and others added 3 commits January 21, 2025 15:28
Bumps [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) from 6.0.7 to 6.0.9.
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v6.0.9/packages/vite)

---
updated-dependencies:
- dependency-name: vite
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* update changelog 2.42.2

* add additional 2.42.1 features

---------

Co-authored-by: Paul Osinski <[email protected]>
@Himan10 Himan10 changed the title Noseyparker version 16 and 22 support for git history and without git scans Noseyparker version 16 and 22 support for git history and without git history scans Jan 22, 2025

dryrunsecurity bot commented Jan 22, 2025

DryRun Security Summary

The code changes update the NoseyParkerParser class to support Nosey Parker v0.22.0, improve secret detection handling, display full secret values, and implement deduplication logic for more accurate and actionable secret findings in Git repositories.

Summary:

The code changes in this pull request update the NoseyParkerParser class, which is responsible for parsing and processing the output of the Nosey Parker tool, a secret detection tool for Git repositories. The key changes include:

  1. Support for Nosey Parker v0.22.0: The code now supports the JSON Lines format output of Nosey Parker version 0.22.0, in addition to the previously supported version 0.16.0.
  2. Improved handling of commit history: The code now handles the differences in the JSON Lines output when the Nosey Parker scan is performed with or without the --git-history option, providing more context and details about the detected secrets.
  3. Consistent secret display: The code now displays the full secret value in the finding's description, instead of just the first 3 characters as it did previously for the v0.16.0 output.
  4. Deduplication logic: The code uses a hash-based deduplication mechanism to ensure that duplicate findings are not created for the same secret, file path, and line number combination.

From an application security perspective, these changes are positive, as they improve the handling and reporting of secrets detected in Git repositories, providing more accurate and actionable information to the users of the tool.

Files Changed:

  • dojo/tools/noseyparker/parser.py: This file contains the NoseyParkerParser class, which has been updated to support the latest version of Nosey Parker (v0.22.0), improve the handling of commit history, display the full secret value consistently, and implement a deduplication mechanism to avoid creating duplicate findings.

Code Analysis

We ran 9 analyzers against 1 file and 0 analyzers had findings. 9 analyzers had no findings.

View PR in the DryRun Dashboard.
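
The handling discussed above, as an added example that is not code from this PR or from DefectDojo: accept records with and without commit metadata, and deduplicate on secret, file path and line number. The record field names and sample values are constructed assumptions for illustration, not Nosey Parker's schema.

```python
import hashlib
import json

# Constructed JSON Lines sample. Field names are assumptions for illustration,
# not Nosey Parker's documented schema.
SAMPLE_JSONL = "\n".join(json.dumps(r) for r in [
    # Scan with Git history: provenance carries commit metadata.
    {"rule_name": "Generic API Key", "match_content": "EXAMPLE-KEY-0001",
     "matches": [{"location": {"line": 12}, "provenance": [
         {"kind": "git_repo", "blob_path": "app/settings.py",
          "commit_metadata": {"commit_id": "c0ffee00", "committer_name": "Example Dev"}}]}]},
    # Scan with --git-history=none: plain file provenance, no commit metadata.
    {"rule_name": "Generic API Key", "match_content": "EXAMPLE-KEY-0001",
     "matches": [{"location": {"line": 12}, "provenance": [
         {"kind": "file", "path": "app/settings.py"}]}]},
    {"rule_name": "Generic Password", "match_content": "EXAMPLE-PASS-0002",
     "matches": [{"location": {"line": 3}, "provenance": [
         {"kind": "file", "path": "deploy/env.sh"}]}]},
])


def parse_findings(jsonl_text):
    """Return deduplicated findings from both report shapes."""
    findings = {}
    for raw in jsonl_text.splitlines():
        if not raw.strip():
            continue
        record = json.loads(raw)
        secret = record["match_content"]
        for match in record.get("matches", []):
            line = match.get("location", {}).get("line")
            for prov in match.get("provenance", []):
                path = prov.get("blob_path") or prov.get("path", "")
                commit = prov.get("commit_metadata")  # None when history was skipped
                # Dedup key: secret, file path and line number, hashed so the
                # raw secret is not used as a dictionary key.
                key = hashlib.sha256(f"{secret}|{path}|{line}".encode()).hexdigest()
                entry = findings.setdefault(key, {
                    "rule": record["rule_name"], "file_path": path,
                    "line": line, "commit_id": None})
                if commit and not entry["commit_id"]:
                    entry["commit_id"] = commit.get("commit_id")
    return list(findings.values())


if __name__ == "__main__":
    for finding in parse_findings(SAMPLE_JSONL):
        print(finding)
```

The same secret at the same path and line yields one finding whether or not the record carried commit metadata, and the commit id is filled in when any of the duplicate records provides it.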

@@ -17,85 +17,158 @@ def get_label_for_scan_types(self, scan_type):

def get_description_for_scan_types(self, scan_type):
return "Nosey Parker report file can be imported in JSON Lines format (option --jsonl). " \
"Supports v0.16.0 of https://github.com/praetorian-inc/noseyparker"
"Supports v0.16.0 and v0.22.0 of https://github.com/praetorian-inc/noseyparker"
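
Review bot: the replacement description line ("Supports v0.16.0 and v0.22.0 of …") names the two supported versions but says nothing about reports from scans run with --git-history=none, which the PR description gives as the reason for this change. Consider stating in the description that both report shapes, with and without Git history, are accepted, so users know such files can be imported.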

Contributor

@manuel-sommer manuel-sommer Jan 22, 2025

Hi @Himan10,
I suggest closing this PR and you just review mine. Reviews are welcome and I will add your suggestions. This PR also targets branch master, which is not the right target.

Author

Okay, but could you give me permissions to push changes to your PR? It looks like I don't have permissions. I reviewed your changes though, but it was failing with scans where --git-history was set to none.

Contributor

Just add a comment in the code inside the PR and submit the review. (Do a code review.)

Contributor

@manuel-sommer 👍 on keeping the original #11565 open and closing this one

@Himan10 Himan10 changed the base branch from master to bugfix January 22, 2025 12:13
@manuel-sommer
Contributor

This can be closed, @mtesauro. The functionality is covered in my PR.

@mtesauro
Contributor

Closing - work will happen in #11565

@mtesauro mtesauro closed this Jan 23, 2025