Skip to content

Fix wrong line number in private key detector (#4485) #4486

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 5 commits into from
Oct 14, 2025
Merged

Fix wrong line number in private key detector (#4485) #4486

merged 5 commits into from
Oct 14, 2025

Conversation

@kmgv
Copy link
Contributor

@kmgv kmgv commented Oct 4, 2025
edited
Loading

Description:

Private key detector findings report wrong line number when private key literal doesn't end with new line character.

After private is matched using regexp is goes through Normalize function and normalized result is used in result.Raw and then used in engine.FragmentLineOffset which looks for line of code.

Normalization step is crucial as ssh.ParseRawPrivateKey is quite strict about format of accepted key and this step can sieve false posivites as it can verify it private key is legit or just matches permisive regexp.

Normalize always adds newline char at end of string (as needed for validation) but such string, with new line at the end is then used for looking for LOC. If source chunk didn't have new line char right after private key engine will report default LOC.

This fix changes Result.Raw for private key detector to use raw match from regexp and not normalized string. This way engine can calculate correct LOC for such finding.

Related issue #4485

Checklist:

  • Tests passing (make test-community)?
  • Lint passing (make lint this requires golangci-lint)? - it doesn't even pass for main branch locally

@kmgv
Fix wrong line number in private key detector (trufflesecurity#4485)
95d1c2e 
Private key detector findings report wrong line number when private key
literal doesn't end with new line character.

After private is matched using regexp is goes through Normalize
function and normalized result is used in result.Raw and then used in
engine.FragmentLineOffset which looks for line of code.

Normalization step is crucial as ssh.ParseRawPrivateKey is quite strict
about format of accepted key and this step can sieve false posivites as
it can verify it private key is legit or just matches permisive regexp.

Normalize always adds newline char at end of string (as needed for
validation) but such string, with new line at the end is then used for
looking for LOC. If source chunk didn't have new line char right after
private key engine will report default LOC.

This fix changes Result.Raw for private key detector to use raw match
from regexp and not normalized string. This way engine can calculate
correct LOC for such finding.
@kmgv kmgv requested a review from a team as a code owner October 4, 2025 17:55
kashifkhan0771
kashifkhan0771 requested changes Oct 8, 2025
View reviewed changes
pkg/detectors/privatekey/privatekey.go Outdated
s1 := detectors.Result{
DetectorType: detectorspb.DetectorType_PrivateKey,
Raw: []byte(token),
Raw: []byte(match),
Copy link
Contributor

@kashifkhan0771 kashifkhan0771 Oct 8, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We don't recommend updating the Raw field value, as it's used as an identifier and changing it can interfere with existing findings. Your solution is correct, but instead, you can use:

s1.SetPrimarySecretValue(match)

This will instruct the engine to use match to determine the line number.

Copy link
Contributor Author

@kmgv kmgv Oct 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

updated as requested

kashifkhan0771 and others added 3 commits October 8, 2025 17:48
@kashifkhan0771
Merge branch 'main' into bugfix/private-key-loc
559bf82
@shahzadhaider1
Merge branch 'main' into bugfix/private-key-loc
7f9bd2a
@kmgv
Fix wrong line number in private key detector - use primary primarySe…
1bcea39 
…cret (trufflesecurity#4485)

Revert previous changes that changed result.Raw in primary key detector
as it  can interfere with existing finding. Use SetPrimarySecretValue(match)
instead
@kmgv kmgv requested a review from kashifkhan0771 October 11, 2025 08:30
@kashifkhan0771
Copy link
Contributor

kashifkhan0771 commented Oct 13, 2025

@trufflesecurity/backend This PR involves a detector change, so I’m not sure why the backend team is the owner. Could someone from the Backend team please review and merge it?

@shahzadhaider1
Copy link
Contributor

shahzadhaider1 commented Oct 13, 2025

@trufflesecurity/backend This PR involves a detector change, so I’m not sure why the backend team is the owner. Could someone from the Backend team please review and merge it?

@trufflesecurity/backend owns critical detectors

rosecodym
rosecodym approved these changes Oct 14, 2025
View reviewed changes
Copy link
Contributor

@rosecodym rosecodym left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for this! I'm mostly deferring to @kashifkhan0771 :)

@rosecodym rosecodym merged commit 1ef44e7 into trufflesecurity:main Oct 14, 2025
13 checks passed
@shahzadhaider1 shahzadhaider1 mentioned this pull request Oct 15, 2025
Closed
@BrewTestBot BrewTestBot mentioned this pull request Oct 15, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rosecodym rosecodym rosecodym approved these changes

@kashifkhan0771 kashifkhan0771 kashifkhan0771 approved these changes

@shahzadhaider1 shahzadhaider1 shahzadhaider1 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@kmgv @kashifkhan0771 @shahzadhaider1 @rosecodym