cred-alert's People

Contributors

achasveachas, ajackson, andrewedstrom, anoop2811, aramprice, cbguder, clementkng, danjahner, dpb587-pivotal, jfmyers9, madamkiwi, manifaust, paulreiber, pgoodwin, ram-pivot, robdimsdale, weymanf, xoebus, xtreme-jesse-malone

cred-alert's Issues

java class false positive

     public EmailPreferenceModel(boolean isPreferred, String emailPreferenceTitleTranslationKey, String emailPreferenceDescriptionTranslationKey) {
         this.isPreferred = isPreferred;
         this.emailPreferenceTitleTranslationKey = emailPreferenceTitleTranslationKey;
-        this.emailPreferenceDescriptionTranslationKey = emailPreferenceDescriptionTranslationKey;
     }

     public boolean isPreferred() {
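
Review bot: in the constructor, `emailPreferenceDescriptionTranslationKey` is still a parameter but the removed line was its only use, so the argument is now silently dropped and the getter shown in the next hunk returns an unassigned field. If the assignment is being removed only to quiet the scanner, keep it and deal with the finding on the scanner side; if the field really is going away, drop the parameter and the getter as well.
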
@@ -45,10 +44,6 @@ public class EmailPreferenceModel {
         return emailPreferenceDescriptionTranslationKey;
     }

-    public void setEmailPreferenceDescriptionTranslationKey(String emailPreferenceDescriptionTranslationKey) {
-        this.emailPreferenceDescriptionTranslationKey = emailPreferenceDescriptionTranslationKey;
-    }
-
     public EmailPreference getEmailPreference() {
         return emailPreference;
     }
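
Review bot: deleting the `setEmailPreferenceDescriptionTranslationKey` setter leaves the getter at the top of this hunk (`return emailPreferenceDescriptionTranslationKey;`) reading a field that nothing in the visible lines assigns any more, since the constructor assignment is removed too. Either keep one write path or remove the getter along with it, and check for callers of the setter before merging.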

Sample of false positive detected.

  • 1 - there's no credentials anywhere
  • 2 - commented code .. but nothing changes .. (what might be ok in case that there's credentials there .. but.. there's none)
  • 3 - remove code .. fixes it.. but.. is wrong

Supporting passwords

I noticed that on a recent leak, a couple of fields would not have been caught by cred-alert. At the time, we were not using cred-alert. We are now, and it would be nice to catch these situations.

ivyrepo_passwd: "snipped"
docker_password: snipped
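
One way a key-name rule could cover both field shapes in this report, as an added example that is not cred-alert's own code. The pattern, the `Finding` type, the function name and the sample lines are assumptions made for illustration; template references such as `((var))` are skipped because they carry no secret themselves.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// passwordKey matches "key: value" or "key = value" lines whose key ends in
// "password", "passwd" or "pwd" (case-insensitive). Hypothetical pattern,
// not one of cred-alert's rules.
var passwordKey = regexp.MustCompile(`(?i)^\s*([\w.-]*(?:password|passwd|pwd))\s*[:=]\s*(.+?)\s*$`)

// Finding records where a password-like assignment was seen.
type Finding struct {
	Line int
	Key  string
}

// ScanPasswordKeys returns one Finding per line that assigns a non-empty,
// non-templated value to a password-like key.
func ScanPasswordKeys(text string) []Finding {
	var out []Finding
	for i, line := range strings.Split(text, "\n") {
		m := passwordKey.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		val := strings.Trim(m[2], `"'`)
		// Skip empty values and variable references such as ((var)),
		// {{ var }} or ${VAR}: the secret lives elsewhere.
		if val == "" || strings.HasPrefix(val, "((") || strings.HasPrefix(val, "{{") || strings.HasPrefix(val, "${") {
			continue
		}
		out = append(out, Finding{Line: i + 1, Key: m[1]})
	}
	return out
}

// Constructed sample: the two field shapes from the report, then two lines
// that must not be flagged (a template reference and a key that only starts with "password").
const sample = `ivyrepo_passwd: "snipped"
docker_password: snipped
db_password: ((db-password))
password_policy_url: https://example.invalid/policy
`

func main() { fmt.Println(ScanPasswordKeys(sample)) }
```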

CLI help text

It would be nice if the help text mentioned the -f flag for scanning archives.

credscanignore

Is it possible to pass credential scan ignore files as argument?
example : cred-alert-cli scan -f . --exclude-file .credscanignore

Support or Instructions for Windows

Many developers in our organization are on Windows, and already have go installed.

  1. Is there a way to use this on Windows?
  2. If not, could that be fixed?
  3. If so, can that be added to the README?

git-crypt support

I use git-crypt to encrypt some files within a git repo. Cred-alert seems to pick those credentials and force me to git commit with -n to override. Would be great if cred-alert would skip files that are encrypted by git-crypt.

Improve readme

I'd love to be able to help solve some of the open issues, but the Readme does not contain enough information for me to know how to build the code and run the tests. I tried, but some steps were missing.

Supporting brew

We just pulled in git-hooks-core into Pivotal's workstation-setup. @larham suggested this change:

"I wish there was a brew install cred-alert so that there wouldn't be a download from an s3 bucket"

Segfault on Apple Silicon

Hi there - I'm getting a segfault on Apple Silicon with the latest release of cred-alert-cli. I get it regardless of whether I run the command bare or by explicitly setting the architecture using arch --x86_64 cred-alert-cli.

Not sure what other information to provide, so here's the output of uname -v

Darwin Kernel Version 20.1.0: Sat Oct 31 00:07:10 PDT 2020; root:xnu-7195.50.7~2/RELEASE_ARM64_T8101

cred-alert-cli scan --diff doesn't notice RSA private key

I'm trying out cred-alert-cli in preparation for using the git hooks in https://github.com/pivotal-cf/git-hooks-core, and I'm seeing some false negatives that seem to be due to behavior of --diff

Platform and Versions

  • Mac OS 10.11.6 (El Capitan)
  • cred-alert-cli version db35f3e
  • git --version 2.14.1

What I tried:

cd myrepo
cp ~/.ssh/id_rsa .
git add id_rsa
git diff --cached | cred-alert-cli scan --diff
echo $?

What I expected:

  • A warning about the id_rsa file printed to the terminal
  • echo $? should output nonzero

What I observed

  • Nothing printed by cred-alert-cli
  • echo $? outputs 0.

Bizarrely, cred-alert-cli does output the expected warning if I don't use the --diff flag.

It works as expected on a different Mac with OS 10.12.6 Sierra and git 2.13.0.

I am not sure if this is user error (should I not use --diff?) or if it points to a bug in cred-alert-cli.

The cf git hooks use --diff for checking git diffs, so if that's not correct, I'll open an issue there.

Thanks for any guidance you can provide :)
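
A scanner fed `git diff --cached` sees every new line behind a `+` marker, so rules have to be applied to the content after that marker while the hunk headers supply the file and line. The following is an added example of that diff-mode scan, not cred-alert's code and not a diagnosis of this report; the function name, the PEM pattern and the sample diff are assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

var (
	hunkHeader = regexp.MustCompile(`^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@`)
	pemPrivate = regexp.MustCompile(`-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----`)
)

// ScanDiff returns "path:line" for every added line of a unified diff that
// carries a PEM private-key header; removed and context lines are not reported.
func ScanDiff(diff string) []string {
	var hits []string
	path, line, inHunk := "", 0, false
	sc := bufio.NewScanner(strings.NewReader(diff))
	for sc.Scan() {
		l := sc.Text()
		switch {
		case strings.HasPrefix(l, "diff --git "):
			inHunk = false // file headers follow; "+++ " is a header again
		case !inHunk && strings.HasPrefix(l, "+++ "):
			path = strings.TrimPrefix(l[4:], "b/")
		case hunkHeader.MatchString(l):
			line, _ = strconv.Atoi(hunkHeader.FindStringSubmatch(l)[1])
			inHunk = true
		case inHunk && strings.HasPrefix(l, "+"):
			if pemPrivate.MatchString(l[1:]) { // match content after the marker
				hits = append(hits, fmt.Sprintf("%s:%d", path, line))
			}
			line++
		case inHunk && strings.HasPrefix(l, " "):
			line++ // context lines only advance the new-file line counter
		}
	}
	return hits
}

// Constructed diff: a key file is added; in a second file a key header is removed.
const sampleDiff = "diff --git a/id_rsa b/id_rsa\n--- /dev/null\n+++ b/id_rsa\n" +
	"@@ -0,0 +1,2 @@\n+-----BEGIN RSA PRIVATE KEY-----\n+constructed-placeholder\n" +
	"diff --git a/old.pem b/old.pem\n--- a/old.pem\n+++ b/old.pem\n" +
	"@@ -1,2 +1,1 @@\n------BEGIN PRIVATE KEY-----\n keep\n"

func main() { fmt.Println(ScanDiff(sampleDiff)) }
```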

cred-alert-cli update command broke git

I was trying to commit some code. cred-alert hook told me the version I have is old and I should run some update command.

I ran the command, then it turns out the command failed because it doesn't have write permission to folders where it is installed.

So I run it with 'sudo' instead. This seemed to work and downloaded and installed something.

Next I try to git commit the stuff I had started to commit before. This did not work, I didn't get any error messages, but it seems like git commit just silently exits without doing anything.

I assumed the problem must be cred-alert git hooks are broken.

So... I disable the githook by running these commands:

cd ~/git/pivotal-cf
mv git-hooks-core/ git-hooks-core-DISABLED

Next time I try 'git commit' everything works fine. So my conclusion is that indeed running cred-alert-cli update broke my git setup.

Errors with initial build

I'm following the build instructions per the README.md but getting errors.

levanter:cred-alert sean$ go build cmd/cred-alert-cli
can't load package: package cmd/cred-alert-cli: cannot find package "." in:
	/usr/local/Cellar/go/1.9.3/libexec/src/cmd/cred-alert-cli
levanter:cred-alert sean$

Any thoughts?

inconsistent binary name

There are inconsistencies in the install/deployment process for calling cred-alert. The README.md page of this wiki has someone move a binary named cred-alert-cli to /usr/local/bin/ but we downloaded cred-alert-cli_${OS_NAME}. Then we later call it from a local directory as cred-alert.

A consistent naming convention should be used throughout the documentation as the application is used in other repos/docs/guides (e.g. https://github.com/pivotal-cf/git-hooks-core).
