Add new rule for Kubernetes Bootstrap Token

[sinkozs]

No description provided.

[bradlarsen]

Thanks for the submission @sinkozs!

This submission looks good, but I think the rule can be made more precise. I ran a scan with this rule enabled over 1.8TB of input files, and nearly all the matches are false positives.

The rule as written, adapted from the regex in the Kubernetes docs on the token format:

    (?x)
    \b
    ([a-z0-9]{6}\.[a-z0-9]{16})
    \b

Note, the actual code that generates bootstrap tokens does indeed appear to use the full [a-z0-9] range.

Some kinds of false positives

Strings from executable files:

\x00\x01\x03runtime.gcbits.0x00000000000000\x00\x05\x03

Strings from source code:

project.dependencies.add("api", "com.github.quickpermissions:quickpermissions-annotations:0.3.1")

Domain names:

<a href="https://iphone.giveawayoftheday.com/">iPhone</a>

Variable assignments:

Analytics.tracking.browse.producthierarchy['sc'] = {"id":"SC5884","value":"Bags & Briefcases"};

Improving precision

This rule as written lacks a distinctive prefix or suffix to match on, and so matches many unrelated things. Modifying the rule to require some leading context should do the trick. I re-tested with this version on the 1.8TB inputs, got almost no false positives:

    (?x)
    (?: token | Token | TOKEN | bootstrap | BOOTSTRAP)
    .{0,8}
    \b
    ([a-z0-9]{6}\.[a-z0-9]{16})
    \b

[bradlarsen]

I revised the rule to improve precision. Thank you for the contribution!

[bradlarsen]

I also added 1 additional new rule for cases like in the documentation where the token ID and secret get split across 2 adjacent YAML fields.