Tartufo does not put exclusions in report file when using --output-format report when repo is not the present working directory #416

Open
mlamarca-godaddy opened this issue Dec 20, 2022 · 0 comments
Labels
bug Something isn't working

Comments


mlamarca-godaddy commented Dec 20, 2022

🐛 Bug Report

If I run tartufo to scan a directory from one level above my repo, it reads the tartufo.toml file to apply exclusions, but doesn't include any exclusions in the report file.

To Reproduce

This command:

tartufo --output-format report -v scan-local-repo ${GITHUBREPO}

Creates this output:

Tartufo Scan Results (Time: 2022-12-19T14:51:38.266660)
All clear. No secrets detected.

Configuration:
  version:             3.3.1
  entropy:             Enabled
    sensitivity: 75
  regex:               Enabled

Excluded paths:

Excluded signatures:

Excluded entropy patterns:

In this case, ${GITHUBREPO} is set to "puppet"
The local directory structure is set up as follows:

Directory tartufo is being run from:

/mnt/c/Users/mlamarca/Documents/GitHub

Directory repo is located in:

/mnt/c/Users/mlamarca/Documents/GitHub/puppet

Expected Behavior

If I run tartufo from within the repo directory, I get the expected output:

tartufo --output-format report -v scan-local-repo .

Tartufo Scan Results (Time: 2022-12-19T15:04:55.437726)
All clear. No secrets detected.

Configuration:
  version:             3.3.1
  entropy:             Enabled
    sensitivity: 75
  regex:               Enabled

Excluded paths:
  tartufo\.toml: Tartufo config file
  modules/port_template/templates/port_template\.erb: Port templates IDs
  modules/salt/files/master_sign\.pub: Public key needed on all salt minions.
  modules/rbenv/checksums\.json: Non-secret checksum file
  modules/rbenv/plugins/ruby-build/share/ruby-build: Directory containing ruby-build install data for many different versions. Hashes in this directory are not secret.
  modules/rbenv/plugins/ruby-build/\.travis\.yml: Publicly available AWS access credentials used for downloading rbenv install data
  modules/rbenv/plugins/ruby-build/test/cache\.bats: Non-secret shasum contained in file
  modules/rbenv/plugins/ruby-build/test/checksum\.bats: Non-secret shasum contained in file
  modules/rbenv/plugins/ruby-build/test/mirror\.bats: Non-secret checksum contained in file
  modules/stdlib/CONTRIBUTING\.md: Contains non-secret text blob with high entropy
  modules/stdlib/README\.md: File contains non-secret strings with high entropy like example IPv6 and example base64 strings
  modules/stdlib/readmes/README_ja_JP\.md: File contains non-secret strings with high entropy like example IPv6 and example base64 strings
  modules/stdlib/Rakefile: File contains non-secret strings with high entropy like ref value
  modules/stdlib/checksums\.json: File contains many non-secret checksum strings
  modules/rbenv/tests/patches/1\.9\.2-p180_centos\.patch: File contains non-secret high entropy strings in patch notes
  modules/stdlib/Gemfile: File contains non-secret ref values with high entropy
  modules/stdlib/lib/puppet/functions/is_absolute_path\.rb: File contains non-secret commit hashes with high entropy
  modules/stdlib/lib/puppet/functions/is_array\.rb: File contains non-secret commit hashes with high entropy
  modules/stdlib/lib/puppet/functions/is_bool\.rb: File contains non-secret commit hashes with high entropy
  modules/stdlib/lib/puppet/functions/is_float\.rb: File contains non-secret commit hashes with high entropy
  modules/stdlib/lib/puppet/functions/is_ip_address\.rb: File contains non-secret commit hashes with high entropy
  modules/stdlib/lib/puppet/functions/is_ipv4_address\.rb: File contains non-secret commit hashes with high entropy
  modules/stdlib/lib/puppet/functions/is_ipv6_address\.rb: File contains non-secret commit hashes with high entropy
  modules/stdlib/lib/puppet/functions/is_numeric\.rb: File contains non-secret commit hashes with high entropy
  modules/stdlib/lib/puppet/functions/is_string\.rb: File contains non-secret commit hashes with high entropy
  modules/stdlib/lib/puppet/functions/validate_absolute_path\.rb: File contains non-secret commit hashes with high entropy
  modules/stdlib/lib/puppet/functions/validate_bool\.rb: File contains non-secret commit hashes with high entropy
  modules/stdlib/lib/puppet/functions/validate_hash\.rb: File contains non-secret commit hashes with high entropy
  modules/stdlib/lib/puppet/functions/validate_integer\.rb: File contains non-secret commit hashes with high entropy
  modules/stdlib/lib/puppet/functions/validate_ip_address\.rb: File contains non-secret commit hashes with high entropy
  modules/stdlib/lib/puppet/functions/validate_ipv4_address\.rb: File contains non-secret commit hashes with high entropy
  modules/stdlib/lib/puppet/functions/validate_ipv6_address\.rb: File contains non-secret commit hashes with high entropy
  modules/stdlib/lib/puppet/functions/validate_legacy\.rb: File contains non-secret commit hashes with high entropy
  modules/stdlib/lib/puppet/functions/validate_numeric\.rb: File contains non-secret commit hashes with high entropy
  modules/stdlib/lib/puppet/functions/validate_re\.rb: File contains non-secret commit hashes with high entropy
  modules/stdlib/lib/puppet/functions/validate_slength\.rb: File contains non-secret commit hashes with high entropy
  modules/stdlib/lib/puppet/functions/validate_string\.rb: File contains non-secret commit hashes with high entropy
  modules/stdlib/lib/puppet/parser/functions/loadjson\.rb: File flagged for username:[email protected] which is only an example and not used
  modules/stdlib/lib/puppet/parser/functions/loadyaml\.rb: File flagged for username:[email protected] which is only an example and not used
  modules/stdlib/spec/functions/base64_spec\.rb: File contains a very long string that will cause the base64 encoder to produce output with multiple lines
  modules/stdlib/spec/functions/str2saltedsha512_spec\.rb: File contains non-secret strings with high entropy
  modules/stdlib/spec/functions/validate_x509_rsa_key_pair_spec\.rb: File contains key pair used for testing formatting only
  modules/stdlib/lib/puppet/functions/validate_array\.rb: File contains non-secret commit hashes with high entropy
  modules/stdlib/spec/type_aliases/compat__ipv6_spec\.rb: File contains non-secret commit strings with high entropy

Excluded signatures:
  47e1139b56a470f3d3c3bc58a0ace84a6c793ac7937e47e66fba661d19103d04: Jenkinsfile - Non Secret Path - /var/lib/jenkins/rpmbuild/RPMS/x86_64/ManagedPuppet-
  cf3173a40f51179864e4baf562eefd0d48847646843bb7c272381a1e00df8696: make_rpm.sh - Non Secret Path - +SOURCES_DIR=rpmbuild/sources
  4a4ce4aaa5745d3aae6fa54661dd7ea10f36cc4494e52d199de0a4dadc7a574d: authorized_keys file - Non Secret Path - modules/jenkins_build_server/files/authorized_keys
  14898e62435823e24dae6e1db4fc747601e43d686651fd166f0a903a47def09f: Redis configuration file - Non Secret Path - modules/redis/files/redis.conf
  cfc1c6b5a6e44dc9f2c27de161a6d6be94cf40170767c210cabd823971a0259f: Non Secret filename in commit history - a/modules/yum_repos/files/NODESOURCE-GPG-SIGNING-KEY-EL
  806a28ca8730b26765eefa8de68740c91439651e22d4fb2be375c5baf77ad62e: Non Secret filename in commit history - b/modules/yum_repos/files/NODESOURCE-GPG-SIGNING-KEY-EL
  3301c28d87e2ac8f77c9576371084a707f24caf81ab8f9a00e2094f75052946d: File containing non secret checksum - modules/rbenv/plugins/ruby-build/test/fixtures/definitions/with-checksum
  06e9024730cfb752d9dda39b5de38450713529f1fb45dfa3e418420ef19f6d1d: File containing non secret checksum - modules/rbenv/plugins/ruby-build/test/fixtures/definitions/with-md5-checksum
  2b0c0d9a2b826b72c72c89e3286eca957b2c63df7aeabeb9df360f3532ed18f1: File contains non-secret random character list - modules/stdlib/lib/puppet/functions/seeded_rand_string.rb
  ba100b9c9245e1b4dc8af84ab39200b55bd5b57d34417b4e8eac907560d96464: File contains non-secret password hash function which is publicly available for this 3rd party module - modules/stdlib/spec/acceptance/pw_hash_spec.rb
  647c04497e1e567ebfa7ec5a6c1e671cea5d73abb4f4f8943eaed3dc2e4c9858: File contains non-secret string with a through z - modules/stdlib/spec/acceptance/sort_spec.rb
  2557ebddbfa69681233e58b53a2c9e740ef2291fb53386c113924525b032f6b9: File contains non-secret string with user1:[email protected] that is just an example and not used - modules/stdlib/spec/functions/loadjson_spec.rb
  a07fd8e58c0600cd54d171ba5877ea4ecc6dcac19a85913008865ea0ab2eecd9: File contains non-secret string with user1:[email protected] that is just an example and not used - modules/stdlib/spec/functions/loadyaml_spec.rb
  94a35dd1cfd02748960dbb34051f13450fd5b34b64544040d19a5da4df9abe95: Non-secret password salt. Part of 3rd party module available in a public repo - modules/stdlib/spec/functions/pw_hash_spec.rb
  1ffbb463e4ecfa848908b96ea77538e0051b350cf09ea7db09ea708f355d44ec: Contains 12345678901234567890 as part of an example ipv6 address - modules/stdlib/spec/functions/validate_ipv6_address_spec.rb

Excluded entropy patterns:

In this case, tartufo is being run from within the directory the repo is located in:

/mnt/c/Users/mlamarca/Documents/GitHub/puppet

Code Example

Repo "puppet" used in this bug report

Command that works properly:

tartufo --output-format report -v scan-local-repo .

Command that omits exclusions from the report:

tartufo --output-format report -v scan-local-repo ${GITHUBREPO}

Where ${GITHUBREPO} is not the present working directory

Environment

Running in WSL

Environment details:

$ cat /etc/os-release
NAME="Ubuntu"
VERSION="20.04.5 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.5 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal

This is the contents of the tartufo.toml file in the "puppet" repo used in this bug report:


[tool.tartufo]
repo-path = "."
json = false
regex = true
entropy = true
exclude-path-patterns = [
 {path-pattern = 'tartufo\.toml', reason = 'Tartufo config file'},
 {path-pattern = 'modules/port_template/templates/port_template\.erb', reason = 'Port templates IDs'},
 {path-pattern = 'modules/salt/files/master_sign\.pub', reason = 'Public key needed on all salt minions.'},
 {path-pattern = 'modules/rbenv/checksums\.json', reason = 'Non-secret checksum file'},
 {path-pattern = 'modules/rbenv/plugins/ruby-build/share/ruby-build', reason = 'Directory containing ruby-build install data for many different versions. Hashes in this directory are not secret.'},
 {path-pattern = 'modules/rbenv/plugins/ruby-build/\.travis\.yml', reason = 'Publicly available AWS access credentials used for downloading rbenv install data'},
 {path-pattern = 'modules/rbenv/plugins/ruby-build/test/cache\.bats', reason = 'Non-secret shasum contained in file'},
 {path-pattern = 'modules/rbenv/plugins/ruby-build/test/checksum\.bats', reason = 'Non-secret shasum contained in file'},
 {path-pattern = 'modules/rbenv/plugins/ruby-build/test/mirror\.bats', reason = 'Non-secret checksum contained in file'},
 {path-pattern = 'modules/stdlib/CONTRIBUTING\.md', reason = 'Contains non-secret text blob with high entropy'},
 {path-pattern = 'modules/stdlib/README\.md', reason = 'File contains non-secret strings with high entropy like example IPv6 and example base64 strings'},
 {path-pattern = 'modules/stdlib/readmes/README_ja_JP\.md', reason = 'File contains non-secret strings with high entropy like example IPv6 and example base64 strings'},
 {path-pattern = 'modules/stdlib/Rakefile', reason = 'File contains non-secret strings with high entropy like ref value'},
 {path-pattern = 'modules/stdlib/checksums\.json', reason = 'File contains many non-secret checksum strings'},
 {path-pattern = 'modules/rbenv/tests/patches/1\.9\.2-p180_centos\.patch', reason = 'File contains non-secret high entropy strings in patch notes'},
 {path-pattern = 'modules/stdlib/Gemfile', reason = 'File contains non-secret ref values with high entropy'},
 {path-pattern = 'modules/stdlib/lib/puppet/functions/is_absolute_path\.rb', reason = 'File contains non-secret commit hashes with high entropy'},
 {path-pattern = 'modules/stdlib/lib/puppet/functions/is_array\.rb', reason = 'File contains non-secret commit hashes with high entropy'},
 {path-pattern = 'modules/stdlib/lib/puppet/functions/is_bool\.rb', reason = 'File contains non-secret commit hashes with high entropy'},
 {path-pattern = 'modules/stdlib/lib/puppet/functions/is_float\.rb', reason = 'File contains non-secret commit hashes with high entropy'},
 {path-pattern = 'modules/stdlib/lib/puppet/functions/is_ip_address\.rb', reason = 'File contains non-secret commit hashes with high entropy'},
 {path-pattern = 'modules/stdlib/lib/puppet/functions/is_ipv4_address\.rb', reason = 'File contains non-secret commit hashes with high entropy'},
 {path-pattern = 'modules/stdlib/lib/puppet/functions/is_ipv6_address\.rb', reason = 'File contains non-secret commit hashes with high entropy'},
 {path-pattern = 'modules/stdlib/lib/puppet/functions/is_numeric\.rb', reason = 'File contains non-secret commit hashes with high entropy'},
 {path-pattern = 'modules/stdlib/lib/puppet/functions/is_string\.rb', reason = 'File contains non-secret commit hashes with high entropy'},
 {path-pattern = 'modules/stdlib/lib/puppet/functions/validate_absolute_path\.rb', reason = 'File contains non-secret commit hashes with high entropy'},
 {path-pattern = 'modules/stdlib/lib/puppet/functions/validate_bool\.rb', reason = 'File contains non-secret commit hashes with high entropy'},
 {path-pattern = 'modules/stdlib/lib/puppet/functions/validate_hash\.rb', reason = 'File contains non-secret commit hashes with high entropy'},
 {path-pattern = 'modules/stdlib/lib/puppet/functions/validate_integer\.rb', reason = 'File contains non-secret commit hashes with high entropy'},
 {path-pattern = 'modules/stdlib/lib/puppet/functions/validate_ip_address\.rb', reason = 'File contains non-secret commit hashes with high entropy'},
 {path-pattern = 'modules/stdlib/lib/puppet/functions/validate_ipv4_address\.rb', reason = 'File contains non-secret commit hashes with high entropy'},
 {path-pattern = 'modules/stdlib/lib/puppet/functions/validate_ipv6_address\.rb', reason = 'File contains non-secret commit hashes with high entropy'},
 {path-pattern = 'modules/stdlib/lib/puppet/functions/validate_legacy\.rb', reason = 'File contains non-secret commit hashes with high entropy'},
 {path-pattern = 'modules/stdlib/lib/puppet/functions/validate_numeric\.rb', reason = 'File contains non-secret commit hashes with high entropy'},
 {path-pattern = 'modules/stdlib/lib/puppet/functions/validate_re\.rb', reason = 'File contains non-secret commit hashes with high entropy'},
 {path-pattern = 'modules/stdlib/lib/puppet/functions/validate_slength\.rb', reason = 'File contains non-secret commit hashes with high entropy'},
 {path-pattern = 'modules/stdlib/lib/puppet/functions/validate_string\.rb', reason = 'File contains non-secret commit hashes with high entropy'},
 {path-pattern = 'modules/stdlib/lib/puppet/parser/functions/loadjson\.rb', reason = 'File flagged for username:[email protected] which is only an example and not used'},
 {path-pattern = 'modules/stdlib/lib/puppet/parser/functions/loadyaml\.rb', reason = 'File flagged for username:[email protected] which is only an example and not used'},
 {path-pattern = 'modules/stdlib/spec/functions/base64_spec\.rb', reason = 'File contains a very long string that will cause the base64 encoder to produce output with multiple lines'},
 {path-pattern = 'modules/stdlib/spec/functions/str2saltedsha512_spec\.rb', reason = 'File contains non-secret strings with high entropy'},
 {path-pattern = 'modules/stdlib/spec/functions/validate_x509_rsa_key_pair_spec\.rb', reason = 'File contains key pair used for testing formatting only'},
 {path-pattern = 'modules/stdlib/lib/puppet/functions/validate_array\.rb', reason = 'File contains non-secret commit hashes with high entropy'},
 {path-pattern = 'modules/stdlib/spec/type_aliases/compat__ipv6_spec\.rb', reason = 'File contains non-secret commit strings with high entropy'},
]

exclude-signatures = [
    {signature = "47e1139b56a470f3d3c3bc58a0ace84a6c793ac7937e47e66fba661d19103d04", reason = 'Jenkinsfile - Non Secret Path - /var/lib/jenkins/rpmbuild/RPMS/x86_64/ManagedPuppet-'},
    {signature = "cf3173a40f51179864e4baf562eefd0d48847646843bb7c272381a1e00df8696", reason = 'make_rpm.sh - Non Secret Path - +SOURCES_DIR=rpmbuild/sources'},
    {signature = "4a4ce4aaa5745d3aae6fa54661dd7ea10f36cc4494e52d199de0a4dadc7a574d", reason = 'authorized_keys file - Non Secret Path - modules/jenkins_build_server/files/authorized_keys'},
    {signature = "14898e62435823e24dae6e1db4fc747601e43d686651fd166f0a903a47def09f", reason = 'Redis configuration file - Non Secret Path - modules/redis/files/redis.conf'},
    {signature = "cfc1c6b5a6e44dc9f2c27de161a6d6be94cf40170767c210cabd823971a0259f", reason = 'Non Secret filename in commit history - a/modules/yum_repos/files/NODESOURCE-GPG-SIGNING-KEY-EL'},
    {signature = "806a28ca8730b26765eefa8de68740c91439651e22d4fb2be375c5baf77ad62e", reason = 'Non Secret filename in commit history - b/modules/yum_repos/files/NODESOURCE-GPG-SIGNING-KEY-EL'},
    {signature = "3301c28d87e2ac8f77c9576371084a707f24caf81ab8f9a00e2094f75052946d", reason = 'File containing non secret checksum - modules/rbenv/plugins/ruby-build/test/fixtures/definitions/with-checksum'},
    {signature = "06e9024730cfb752d9dda39b5de38450713529f1fb45dfa3e418420ef19f6d1d", reason = 'File containing non secret checksum - modules/rbenv/plugins/ruby-build/test/fixtures/definitions/with-md5-checksum'},
    {signature = "2b0c0d9a2b826b72c72c89e3286eca957b2c63df7aeabeb9df360f3532ed18f1", reason = 'File contains non-secret random character list - modules/stdlib/lib/puppet/functions/seeded_rand_string.rb'},
    {signature = "ba100b9c9245e1b4dc8af84ab39200b55bd5b57d34417b4e8eac907560d96464", reason = 'File contains non-secret password hash function which is publicly available for this 3rd party module - modules/stdlib/spec/acceptance/pw_hash_spec.rb'},
    {signature = "647c04497e1e567ebfa7ec5a6c1e671cea5d73abb4f4f8943eaed3dc2e4c9858", reason = 'File contains non-secret string with a through z - modules/stdlib/spec/acceptance/sort_spec.rb'},
    {signature = "2557ebddbfa69681233e58b53a2c9e740ef2291fb53386c113924525b032f6b9", reason = 'File contains non-secret string with user1:[email protected] that is just an example and not used - modules/stdlib/spec/functions/loadjson_spec.rb'},
    {signature = "a07fd8e58c0600cd54d171ba5877ea4ecc6dcac19a85913008865ea0ab2eecd9", reason = 'File contains non-secret string with user1:[email protected] that is just an example and not used - modules/stdlib/spec/functions/loadyaml_spec.rb'},
    {signature = "94a35dd1cfd02748960dbb34051f13450fd5b34b64544040d19a5da4df9abe95", reason = 'Non-secret password salt. Part of 3rd party module available in a public repo - modules/stdlib/spec/functions/pw_hash_spec.rb'},
    {signature = "1ffbb463e4ecfa848908b96ea77538e0051b350cf09ea7db09ea708f355d44ec", reason = 'Contains 12345678901234567890 as part of an example ipv6 address - modules/stdlib/spec/functions/validate_ipv6_address_spec.rb'},
]
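A check for the discrepancy described in this issue, written as an added example for this page and not part of tartufo or of the reporter's repo. It parses the `Excluded paths:`, `Excluded signatures:` and `Excluded entropy patterns:` sections of two `--output-format report` outputs, one produced from inside the repo and one from the parent directory, and lists the exclusions the second run dropped. The two reports embedded below are constructed, shortened versions of the ones shown above; the function and constant names are this example's own. The practical point: a report that says "All clear" while listing no exclusions should not be accepted at face value by a CI job, because the list is the only record in the report of which suppressions were actually applied.

```python
"""Compare the exclusion sections of two tartufo '--output-format report' runs.

Assumes the report layout shown in the issue: a 'Configuration:' block followed
by 'Excluded paths:', 'Excluded signatures:' and 'Excluded entropy patterns:'
sections, each listing one '<key>: <reason>' entry per line, indented two spaces.
"""
import re

SECTION_RE = re.compile(r"^Excluded (paths|signatures|entropy patterns):\s*$")

# Constructed, abbreviated version of the report produced from inside the repo.
REPORT_INSIDE_REPO = """\
Tartufo Scan Results (Time: 2022-12-19T15:04:55.437726)
All clear. No secrets detected.

Configuration:
  version:             3.3.1
  entropy:             Enabled
    sensitivity: 75
  regex:               Enabled

Excluded paths:
  tartufo\\.toml: Tartufo config file
  modules/rbenv/checksums\\.json: Non-secret checksum file

Excluded signatures:
  47e1139b56a470f3d3c3bc58a0ace84a6c793ac7937e47e66fba661d19103d04: Jenkinsfile - Non Secret Path - /var/lib/jenkins/rpmbuild/RPMS/x86_64/ManagedPuppet-

Excluded entropy patterns:
"""

# Constructed, abbreviated version of the report produced from the parent directory.
REPORT_FROM_PARENT_DIR = """\
Tartufo Scan Results (Time: 2022-12-19T14:51:38.266660)
All clear. No secrets detected.

Configuration:
  version:             3.3.1
  entropy:             Enabled
    sensitivity: 75
  regex:               Enabled

Excluded paths:

Excluded signatures:

Excluded entropy patterns:
"""


def parse_exclusions(report: str) -> dict:
    """Map each exclusion section name to {key: reason} for the entries it lists."""
    sections = {"paths": {}, "signatures": {}, "entropy patterns": {}}
    current = None
    for line in report.splitlines():
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            continue
        if current is None:
            continue  # still in the scan summary or Configuration block
        if not line.startswith("  "):
            if line.strip():
                current = None  # a non-indented, non-blank line ends the block
            continue
        key, sep, reason = line.strip().partition(": ")
        sections[current][key] = reason if sep else ""
    return sections


def missing_exclusions(expected_report: str, actual_report: str) -> dict:
    """Exclusion keys listed in expected_report but absent from actual_report, per section."""
    expected = parse_exclusions(expected_report)
    actual = parse_exclusions(actual_report)
    return {name: sorted(set(expected[name]) - set(actual[name])) for name in expected}


def exclusions_match(expected_report: str, actual_report: str) -> bool:
    """True when actual_report lists every exclusion that expected_report lists."""
    return not any(missing_exclusions(expected_report, actual_report).values())


if __name__ == "__main__":
    dropped = missing_exclusions(REPORT_INSIDE_REPO, REPORT_FROM_PARENT_DIR)
    for section, keys in dropped.items():
        print(f"Excluded {section} missing from parent-directory run: {len(keys)}")
        for key in keys:
            print(f"  {key}")
    raise SystemExit(0 if exclusions_match(REPORT_INSIDE_REPO, REPORT_FROM_PARENT_DIR) else 1)
```

To use it against real runs, capture `tartufo --output-format report -v scan-local-repo .` from inside the repo and the `${GITHUBREPO}` form from the parent directory into two files, and pass their contents to `missing_exclusions`; a non-empty result for any section reproduces what this issue reports.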
