Hashicorp Vault Token (#625)

* hashicorp pattern

* sample update

* test fix

credsweeper/rules/config.yaml

@@ -1182,6 +1182,21 @@
     - code
     - doc
 
+- name: Grafana Service Account Token
+  severity: high
+  confidence: strong
+  type: pattern
+  values:
+    - (?<![0-9A-Za-z_-])(?P<value>glsa_[0-9A-Za-z_-]{32}_[0-9A-Fa-f]{8})(?![0-9A-Za-z_-])
+  min_line_len: 46
+  filter_type:
+    - ValueGrafanaServiceCheck
+  required_substrings:
+    - glsa_
+  target:
+    - code
+    - doc
+
 - name: Dropbox API secret (long term)
   severity: high
   confidence: weak
@@ -1235,6 +1250,24 @@
     - code
     - doc
 
+- name: Hashicorp Vault Token
+  severity: high
+  confidence: strong
+  type: pattern
+  values:
+    - (?<![.0-9A-Za-z_-])(?P<value>hv[brs]\.[0-9A-Za-z_-]{80,160})
+  filter_type:
+    - ValuePatternCheck
+    - ValueEntropyBase64Check
+  min_line_len: 90
+  required_substring:
+    - hvb.
+    - hvr.
+    - hvs.
+  target:
+    - code
+    - doc
+
 - name: Hashicorp Terraform Token
   severity: high
   confidence: strong
@@ -1243,6 +1276,7 @@
     - (?<![.0-9A-Za-z_-])(?P<value>[0-9A-Za-z_-]{14}\.atlasv1\.[0-9A-Za-z_-]{67})(?![0-9A-Za-z_-])
   filter_type:
     - ValuePatternCheck
+    - ValueEntropyBase64Check
   min_line_len: 90
   required_substring:
     - .atlasv1.
@@ -1351,21 +1385,6 @@
     - code
     - doc
 
-- name: Grafana Service Account Token
-  severity: high
-  confidence: strong
-  type: pattern
-  values:
-    - (?<![0-9A-Za-z_-])(?P<value>glsa_[0-9A-Za-z_-]{32}_[0-9A-Fa-f]{8})(?![0-9A-Za-z_-])
-  min_line_len: 46
-  filter_type:
-    - ValueGrafanaServiceCheck
-  required_substrings:
-    - glsa_
-  target:
-    - code
-    - doc
-
 - name: Tencent WeChat API App ID
   severity: medium
   confidence: weak

tests/__init__.py

@@ -7,14 +7,14 @@
 NEGLIGIBLE_ML_THRESHOLD = 0.0001
 
 # credentials count after scan
-SAMPLES_CRED_COUNT: int = 411
-SAMPLES_CRED_LINE_COUNT: int = 429
+SAMPLES_CRED_COUNT: int = 412
+SAMPLES_CRED_LINE_COUNT: int = 430
 
 # credentials count after post-processing
-SAMPLES_POST_CRED_COUNT: int = 368
+SAMPLES_POST_CRED_COUNT: int = 369
 
 # with option --doc
-SAMPLES_IN_DOC = 447
+SAMPLES_IN_DOC = 448
 
 # archived credentials that are not found without --depth
 SAMPLES_IN_DEEP_1 = SAMPLES_POST_CRED_COUNT + 29

tests/data/depth_3.json

@@ -7831,8 +7831,8 @@
             {
                 "line": "Z28P3STmkBQi1Y.atlasv1.YE7RBqu6VVyQIOq9a1eC3YFU5Elt7ToIr6OwzKAWlCTQ7N4gElXaWou6aPpOIwGCoc0",
                 "line_num": 1,
-                "path": "./tests/samples/hashicorp_terraform",
-                "info": "./tests/samples/hashicorp_terraform|RAW",
+                "path": "./tests/samples/hashicorp",
+                "info": "./tests/samples/hashicorp|RAW",
                 "value": "Z28P3STmkBQi1Y.atlasv1.YE7RBqu6VVyQIOq9a1eC3YFU5Elt7ToIr6OwzKAWlCTQ7N4gElXaWou6aPpOIwGCoc0",
                 "value_start": 0,
                 "value_end": 90,
@@ -7847,6 +7847,33 @@
             }
         ]
     },
+    {
+        "api_validation": "NOT_AVAILABLE",
+        "ml_validation": "NOT_AVAILABLE",
+        "ml_probability": null,
+        "rule": "Hashicorp Vault Token",
+        "severity": "high",
+        "confidence": "strong",
+        "line_data_list": [
+            {
+                "line": "hvs.atlasv1-Z28P3STmkBQi1Y-YE7RBqu6VVyQIOq9a1eC3YFU5Elt7ToIr6OwzKAWlCTQ7N4gElXaWou6aPpOIwGCoc0",
+                "line_num": 2,
+                "path": "./tests/samples/hashicorp",
+                "info": "./tests/samples/hashicorp|RAW",
+                "value": "hvs.atlasv1-Z28P3STmkBQi1Y-YE7RBqu6VVyQIOq9a1eC3YFU5Elt7ToIr6OwzKAWlCTQ7N4gElXaWou6aPpOIwGCoc0",
+                "value_start": 0,
+                "value_end": 94,
+                "variable": null,
+                "variable_start": -2,
+                "variable_end": -2,
+                "entropy_validation": {
+                    "iterator": "BASE64_CHARS",
+                    "entropy": 5.346321090472658,
+                    "valid": true
+                }
+            }
+        ]
+    },
     {
         "api_validation": "NOT_AVAILABLE",
         "ml_validation": "NOT_AVAILABLE",

tests/data/doc.json

@@ -11987,8 +11987,8 @@
             {
                 "line": "Z28P3STmkBQi1Y.atlasv1.YE7RBqu6VVyQIOq9a1eC3YFU5Elt7ToIr6OwzKAWlCTQ7N4gElXaWou6aPpOIwGCoc0",
                 "line_num": 1,
-                "path": "./tests/samples/hashicorp_terraform",
-                "info": "./tests/samples/hashicorp_terraform|RAW",
+                "path": "./tests/samples/hashicorp",
+                "info": "./tests/samples/hashicorp|RAW",
                 "value": "Z28P3STmkBQi1Y.atlasv1.YE7RBqu6VVyQIOq9a1eC3YFU5Elt7ToIr6OwzKAWlCTQ7N4gElXaWou6aPpOIwGCoc0",
                 "value_start": 0,
                 "value_end": 90,
@@ -12003,6 +12003,33 @@
             }
         ]
     },
+    {
+        "api_validation": "NOT_AVAILABLE",
+        "ml_validation": "NOT_AVAILABLE",
+        "ml_probability": null,
+        "rule": "Hashicorp Vault Token",
+        "severity": "high",
+        "confidence": "strong",
+        "line_data_list": [
+            {
+                "line": "hvs.atlasv1-Z28P3STmkBQi1Y-YE7RBqu6VVyQIOq9a1eC3YFU5Elt7ToIr6OwzKAWlCTQ7N4gElXaWou6aPpOIwGCoc0",
+                "line_num": 2,
+                "path": "./tests/samples/hashicorp",
+                "info": "./tests/samples/hashicorp|RAW",
+                "value": "hvs.atlasv1-Z28P3STmkBQi1Y-YE7RBqu6VVyQIOq9a1eC3YFU5Elt7ToIr6OwzKAWlCTQ7N4gElXaWou6aPpOIwGCoc0",
+                "value_start": 0,
+                "value_end": 94,
+                "variable": null,
+                "variable_start": -2,
+                "variable_end": -2,
+                "entropy_validation": {
+                    "iterator": "BASE64_CHARS",
+                    "entropy": 5.346321090472658,
+                    "valid": true
+                }
+            }
+        ]
+    },
     {
         "api_validation": "NOT_AVAILABLE",
         "ml_validation": "NOT_AVAILABLE",

tests/data/ml_threshold.json

@@ -8465,7 +8465,7 @@
             {
                 "line": "8d92cc575673b937117a0bc2d9933296bc82695b5edfce134b6f4742d26132c5",
                 "line_num": 1,
-                "path": "./tests/samples/hashicorp_terraform",
+                "path": "./tests/samples/hashicorp",
                 "info": "",
                 "value": "8d92cc575673b937117a0bc2d9933296bc82695b5edfce134b6f4742d26132c5",
                 "value_start": 0,
@@ -8481,6 +8481,33 @@
             }
         ]
     },
+    {
+        "api_validation": "NOT_AVAILABLE",
+        "ml_validation": "NOT_AVAILABLE",
+        "ml_probability": null,
+        "rule": "Hashicorp Vault Token",
+        "severity": "high",
+        "confidence": "strong",
+        "line_data_list": [
+            {
+                "line": "ab065aa9aa644f0c7b24030e33468fcacd6c7f20140af08249fb744b1bbb7ccc",
+                "line_num": 2,
+                "path": "./tests/samples/hashicorp",
+                "info": "",
+                "value": "ab065aa9aa644f0c7b24030e33468fcacd6c7f20140af08249fb744b1bbb7ccc",
+                "value_start": 0,
+                "value_end": 94,
+                "variable": null,
+                "variable_start": -2,
+                "variable_end": -2,
+                "entropy_validation": {
+                    "iterator": "BASE64_CHARS",
+                    "entropy": 5.346321090472658,
+                    "valid": true
+                }
+            }
+        ]
+    },
     {
         "api_validation": "NOT_AVAILABLE",
         "ml_validation": "NOT_AVAILABLE",

tests/data/output.json

@@ -7412,7 +7412,7 @@
             {
                 "line": "Z28P3STmkBQi1Y.atlasv1.YE7RBqu6VVyQIOq9a1eC3YFU5Elt7ToIr6OwzKAWlCTQ7N4gElXaWou6aPpOIwGCoc0",
                 "line_num": 1,
-                "path": "./tests/samples/hashicorp_terraform",
+                "path": "./tests/samples/hashicorp",
                 "info": "",
                 "value": "Z28P3STmkBQi1Y.atlasv1.YE7RBqu6VVyQIOq9a1eC3YFU5Elt7ToIr6OwzKAWlCTQ7N4gElXaWou6aPpOIwGCoc0",
                 "value_start": 0,
@@ -7428,6 +7428,33 @@
             }
         ]
     },
+    {
+        "api_validation": "NOT_AVAILABLE",
+        "ml_validation": "NOT_AVAILABLE",
+        "ml_probability": null,
+        "rule": "Hashicorp Vault Token",
+        "severity": "high",
+        "confidence": "strong",
+        "line_data_list": [
+            {
+                "line": "hvs.atlasv1-Z28P3STmkBQi1Y-YE7RBqu6VVyQIOq9a1eC3YFU5Elt7ToIr6OwzKAWlCTQ7N4gElXaWou6aPpOIwGCoc0",
+                "line_num": 2,
+                "path": "./tests/samples/hashicorp",
+                "info": "",
+                "value": "hvs.atlasv1-Z28P3STmkBQi1Y-YE7RBqu6VVyQIOq9a1eC3YFU5Elt7ToIr6OwzKAWlCTQ7N4gElXaWou6aPpOIwGCoc0",
+                "value_start": 0,
+                "value_end": 94,
+                "variable": null,
+                "variable_start": -2,
+                "variable_end": -2,
+                "entropy_validation": {
+                    "iterator": "BASE64_CHARS",
+                    "entropy": 5.346321090472658,
+                    "valid": true
+                }
+            }
+        ]
+    },
     {
         "api_validation": "NOT_AVAILABLE",
         "ml_validation": "NOT_AVAILABLE",

tests/samples/hashicorp

@@ -0,0 +1,4 @@
+Z28P3STmkBQi1Y.atlasv1.YE7RBqu6VVyQIOq9a1eC3YFU5Elt7ToIr6OwzKAWlCTQ7N4gElXaWou6aPpOIwGCoc0
+hvs.atlasv1-Z28P3STmkBQi1Y-YE7RBqu6VVyQIOq9a1eC3YFU5Elt7ToIr6OwzKAWlCTQ7N4gElXaWou6aPpOIwGCoc0
+
+FalseCase:iOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Imk2bEdrM0ZaenhSY1ViMkMzbkVu6VVyQIOq9a1eC3YFU5Elt7ToIr6OwzKAWlCTQ7N4gElXaWou6aPpOIwGCoc0RN3N5SEpsWSIsImtpZCI6Imk2bEdrM0ZaenhSY1ViMkMzbkVRN3N5SEpsWSJ9/hvs.u6VVyQIOq9a1eC3YFU5Elt7ToIr6OwzKAWlCTQ7N4gElXaWou6aPpOIwGCoc0/iOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Imk2bEdrM0ZaenhSY1ViMu6VVyQIOq9a1eC3YFU5Elt7ToIr6OwzKAWlCTQ7N4gElXaWou6aPpOIwGCoc0kMzbkVRN3N5SEpsWSIsImtpZCI6Imk2bEdrM0ZaenhSY1ViMkMzbkVRN3N5SEpsWSJ9