added test files to detect-secrets and audited the secrets

Signed-off-by: Savvas Kyriacou <[email protected]>
galasa-dev · Jun 3, 2024 · d013c1a · d013c1a
1 parent 9b5ca23
commit d013c1a
Show file tree

Hide file tree

Showing 15 changed files with 167 additions and 46 deletions.
diff --git a/.secrets.baseline b/.secrets.baseline
@@ -0,0 +1,85 @@
+{
+  "exclude": {
+    "files": "^.secrets.baseline$",
+    "lines": null
+  },
+  "generated_at": "2024-06-03T14:55:28Z",
+  "plugins_used": [
+    {
+      "name": "AWSKeyDetector"
+    },
+    {
+      "name": "ArtifactoryDetector"
+    },
+    {
+      "name": "AzureStorageKeyDetector"
+    },
+    {
+      "base64_limit": 4.5,
+      "name": "Base64HighEntropyString"
+    },
+    {
+      "name": "BasicAuthDetector"
+    },
+    {
+      "name": "BoxDetector"
+    },
+    {
+      "name": "CloudantDetector"
+    },
+    {
+      "ghe_instance": "github.ibm.com",
+      "name": "GheDetector"
+    },
+    {
+      "name": "GitHubTokenDetector"
+    },
+    {
+      "hex_limit": 3,
+      "name": "HexHighEntropyString"
+    },
+    {
+      "name": "IbmCloudIamDetector"
+    },
+    {
+      "name": "IbmCosHmacDetector"
+    },
+    {
+      "name": "JwtTokenDetector"
+    },
+    {
+      "keyword_exclude": null,
+      "name": "KeywordDetector"
+    },
+    {
+      "name": "MailchimpDetector"
+    },
+    {
+      "name": "NpmDetector"
+    },
+    {
+      "name": "PrivateKeyDetector"
+    },
+    {
+      "name": "SlackDetector"
+    },
+    {
+      "name": "SoftlayerDetector"
+    },
+    {
+      "name": "SquareOAuthDetector"
+    },
+    {
+      "name": "StripeDetector"
+    },
+    {
+      "name": "TwilioKeyDetector"
+    }
+  ],
+  "results": {},
+  "version": "0.13.1+ibm.62.dss",
+  "word_list": {
+    "file": null,
+    "hash": null
+  }
+}
diff --git a/build-locally.sh b/build-locally.sh
@@ -78,6 +78,15 @@ Options are:
 EOF
 }
 
+function check_exit_code () {
+    # This function takes 3 parameters in the form:
+    # $1 an integer value of the returned exit code
+    # $2 an error message to display if $1 is not equal to 0
+    if [[ "$1" != "0" ]]; then 
+        error "$2" 
+        exit 1  
+    fi
+}
 #-----------------------------------------------------------------------------------------                   
 # Process parameters
 #-----------------------------------------------------------------------------------------                   
@@ -185,9 +194,36 @@ function build_code {
     info "Using command: ${cmd}"
     $cmd 2>&1 > ${log_file}
 
-    rc=$? ; if [[ "${rc}" != "0" ]]; then error "Failed to build ${project} see logs at ${log_file}" ; exit 1 ; fi
+    rc=$? 
+    check_exit_code $rc "Failed to build ${project} see logs at ${log_file}" 
     success "Project ${project} built - OK - log is at ${log_file}"
 
 }
 
-build_code
+function check_secrets {
+    h2 "updating secrets baseline"
+    cd ${BASEDIR}
+    detect-secrets scan --update .secrets.baseline
+    rc=$? 
+    check_exit_code $rc "Failed to run detect-secrets. Please check it is installed properly" 
+    success "updated secrets file"
+
+    h2 "running audit for secrets"
+    detect-secrets audit .secrets.baseline
+    rc=$? 
+    check_exit_code $rc "Failed to audit detect-secrets."
+
+    #Check all secrets have been audited
+    secrets=$(grep -c hashed_secret .secrets.baseline)
+    audits=$(grep -c is_secret .secrets.baseline)
+    if [[ "$secrets" != "$audits" ]]; then 
+        error "Not all secrets found have been audited"
+        exit 1  
+    fi
+    success "secrets audit complete"
+}
+
+
+build_code
+
+check_secrets
diff --git a/...t/dev.galasa.cicsts.manager/src/main/java/dev/galasa/cicsts/ICeciResponseOutputValue.java b/...t/dev.galasa.cicsts.manager/src/main/java/dev/galasa/cicsts/ICeciResponseOutputValue.java
@@ -1,8 +1,8 @@
-/*
- * Copyright contributors to the Galasa project
- *
- * SPDX-License-Identifier: EPL-2.0
- */
+/*
+ * Copyright contributors to the Galasa project
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ */
 
 package dev.galasa.cicsts;
 
@@ -14,7 +14,7 @@
  * show:<br>
  * <code>INTO('A.....')</code><br>
  * and in Hex:<br>
- * <code>INTO(X'C13456789ABC')</code><br>
+ * <code>INTO(X'C13456789ABC')</code><br> example hex in javadoc comment //pragma: allowlist secret
  * Both representations are available using the {@link #getTextValue()} and {@link #getHexValue()} methods respectively
  */
 public interface ICeciResponseOutputValue {

diff --git a/...alasa.docker.manager/src/test/java/dev/galasa/docker/internal/TestDockerRegistryImpl.java b/...alasa.docker.manager/src/test/java/dev/galasa/docker/internal/TestDockerRegistryImpl.java
@@ -115,7 +115,7 @@ public void retrieveBearerTokenUnauthorised() throws DockerManagerException, Mal
     	when(credentialsMock.getUsername()).thenReturn("testUsername");
     	when(credentialsMock.getPassword()).thenReturn("testPassword");
     	String user = "testUsername";
-    	String password = "testPassword";
+    	String password = "testPassword"; //unit test mock password //pragma: allowlist secret
     	when(clientMock.setAuthorisation(user, password)).thenReturn(clientMock);
     	when(clientMock.build()).thenReturn(clientMock);
     	// Base64 encoding credentials to replicate private encoding method (generateDockerRegistryAuthStructure)

diff --git a/...anagers-cloud-parent/dev.galasa.kubernetes.manager.ivt/src/main/resources/testSecret.yaml b/...anagers-cloud-parent/dev.galasa.kubernetes.manager.ivt/src/main/resources/testSecret.yaml
@@ -9,4 +9,4 @@ kind: Secret
 metadata:
   name: testsecret
 data:
-  test_password: dGVzdHBhc3N3b3Jk
+  test_password: dGVzdHBhc3N3b3Jk #This is used in in the IVT test only #pragma: allowlist secret
diff --git a/...ther-parent/dev.galasa.galasaecosystem.manager/src/main/resources/k8s/config-grafana.yaml b/...ther-parent/dev.galasa.galasaecosystem.manager/src/main/resources/k8s/config-grafana.yaml
@@ -90,7 +90,7 @@ data:
     ;password =
 
     # Use either URL or the previous fields to configure the database
-    # Example: mysql://user:secret@host:port/database
+    # Example: mysql://user:secret@host:port/database #pragma: allowlist secret
     ;url =
 
     # For "postgres" only, either "disable", "require" or "verify-full"
@@ -164,7 +164,7 @@ data:
     ;admin_user = admin
 
     # default admin password, can be changed before first start of grafana,  or in profile settings
-    ;admin_password = admin
+    ;admin_password = admin  #property is not used as it is commented out #pragma: allowlist secret
 
     # used for signing
     ;secret_key = SW2YcwTIb9zpOOhoPsMm
@@ -276,7 +276,7 @@ data:
     ;enabled = false
     ;allow_sign_up = true
     ;client_id = some_id
-    ;client_secret = some_secret
+    ;client_secret = some_secret #property is not used as it is commented out #pragma: allowlist secret
     ;scopes = user:email,read:org
     ;auth_url = https://github.com/login/oauth/authorize
     ;token_url = https://github.com/login/oauth/access_token
@@ -289,7 +289,7 @@ data:
     ;enabled = false
     ;allow_sign_up = true
     ;client_id = some_client_id
-    ;client_secret = some_client_secret
+    ;client_secret = some_client_secret #property is not used as it is commented out #pragma: allowlist secret
     ;scopes = https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email
     ;auth_url = https://accounts.google.com/o/oauth2/auth
     ;token_url = https://accounts.google.com/o/oauth2/token
@@ -302,7 +302,7 @@ data:
     ;name = OAuth
     ;allow_sign_up = true
     ;client_id = some_id
-    ;client_secret = some_secret
+    ;client_secret = some_secret #property is not used as it is commented out #pragma: allowlist secret
     ;scopes = user:email,read:org
     ;auth_url = https://foo.bar/login/oauth/authorize
     ;token_url = https://foo.bar/login/oauth/access_token
@@ -323,7 +323,7 @@ data:
     ;enabled = false
     ;allow_sign_up = true
     ;client_id = some_id
-    ;client_secret = some_secret
+    ;client_secret = some_secret #property is not used as it is commented out #pragma: allowlist secret
     ;scopes = user:email
     ;allowed_organizations =
 

diff --git a/...managers-testingtools-parent/dev.galasa.jmeter.manager.ivt/src/main/res/jmeter.properties b/...managers-testingtools-parent/dev.galasa.jmeter.manager.ivt/src/main/res/jmeter.properties
@@ -316,7 +316,7 @@ remote_hosts=127.0.0.1
 #server.rmi.ssl.keystore.file=rmi_keystore.jks
 #
 # Password of Keystore
-#server.rmi.ssl.keystore.password=changeit
+#server.rmi.ssl.keystore.password=changeit #property is not used as it is commented out #pragma: allowlist secret
 #
 # Key alias
 #server.rmi.ssl.keystore.alias=rmi
@@ -328,7 +328,7 @@ remote_hosts=127.0.0.1
 #server.rmi.ssl.truststore.file=rmi_keystore.jks
 #
 # Password of Trust store
-#server.rmi.ssl.truststore.password=changeit
+#server.rmi.ssl.truststore.password=changeit #property is not used as it is commented out #pragma: allowlist secret
 #
 # Set this if you don't want to use SSL for RMI
 #server.rmi.ssl.disable= false

diff --git a/...galasa.linux.manager/src/main/java/dev/galasa/linux/internal/shared/LinuxSharedImage.java b/...galasa.linux.manager/src/main/java/dev/galasa/linux/internal/shared/LinuxSharedImage.java
@@ -78,7 +78,7 @@ public LinuxSharedImage(LinuxManagerImpl manager, String tag, String hostid, Str
                 throw new LinuxManagerException("useradd of username " + this.username + " failed:-\n" + response);
             }
 
-            String tempPassword = "ThisIsTheFutureOfTesting";
+            String tempPassword = "ThisIsTheFutureOfTesting"; //Not a secret but this raises a vulnerability on server side runs. Issue has been raised to correct this //pragma: allowlist secret
             for(int i = 0; i < 4; i++) {
                 tempPassword = tempPassword + Integer.toString(this.random.nextInt(10));
             }

diff --git a/...ev.galasa.zos3270.manager/src/test/java/dev/galasa/zos3270/orders/GraphicsEscapeTest.java b/...ev.galasa.zos3270.manager/src/test/java/dev/galasa/zos3270/orders/GraphicsEscapeTest.java
@@ -90,7 +90,7 @@ public void testGeConvertToDatastream() throws Exception {
 
         System.out.println(hexDatastream);
 
-        assertThat(hexDatastream).as("Expected outbound datastream").isEqualTo("7D40401140C1F1F20850F3F4");
+        assertThat(hexDatastream).as("Expected outbound datastream").isEqualTo("7D40401140C1F1F20850F3F4"); // expected output as a hex code, not a secret //pragma: allowlist secret
 
     }
 

diff --git a/...ent/galasa-managers-zos-parent/dev.galasa.zos3270.manager/src/test/java/t/TestColour.java b/...ent/galasa-managers-zos-parent/dev.galasa.zos3270.manager/src/test/java/t/TestColour.java
@@ -22,7 +22,7 @@ public class TestColour extends Zos3270TestBase {
 
     public static void main(String[] args) throws DecoderException, Zos3270Exception {
 
-        String inbound = "f5c2115b611311c2601df8d59699948193408689859384a211c5401df0d596999481931df8c995a38595a28511c6501d40e385a2a340c99597a4a3404040401df011c8f0290341f442f7c0f8c889878893898788a3899587114b50290341f242f2c0f0d9858440d985a58599a285290341f242f2c0f0d98584408187818995114c6f290341f242f1c0f0c293a48540d985a58599a285290341f242f3c0f0d789959240d985a58599a285290341f242f4c0f0c79985859540d985a58599a285290341f242f5c0f0e3a49998a49689a28540d985a58599a285114df0290341f242f7c0f0e68889a38540d985a58599a28511505e290341f442f6c0f0e885939396a640e4958485999389958511d27a290341f142f6c0f0e885939396a640c29389959211d55c290242f6c0f0e885939396a640d6a4a393899585114c60290341f242f6c0f0e885939396a640d985a58599a285114040290242f7c0f0e385a2a340c5a7a3859584858440c481a381a2a39985819440d4819711d550290242f2c0f0d9858440d6a4a39389958511d940290242f2c0f0d98584290242f1c0f0c293a485290242f3c0f0d7899592290242f4c0f0c799858595290242f5c0f0e3a49998a49689a285290242f6c0f0e885939396a6290242f7c0f0e68889a3851df0c4858681a493a3115a50290242f2c0f8d98584290242f1c0f8c293a485290242f3c0f8d7899592290242f4c0f8c799858595290242f5c0f8e3a49998a49689a285290242f6c0f8e885939396a6290242f7c0f8e68889a3851df8c4858681a493a311d2f0290341f142f2c0f0d9858440c293899592115050290341f442f2c0f0d9858440e49584859993899585115b60290341f442f4c0c1115c6f1df0";      
+        String inbound = "f5c2115b611311c2601df8d59699948193408689859384a211c5401df0d596999481931df8c995a38595a28511c6501d40e385a2a340c99597a4a3404040401df011c8f0290341f442f7c0f8c889878893898788a3899587114b50290341f242f2c0f0d9858440d985a58599a285290341f242f2c0f0d98584408187818995114c6f290341f242f1c0f0c293a48540d985a58599a285290341f242f3c0f0d789959240d985a58599a285290341f242f4c0f0c79985859540d985a58599a285290341f242f5c0f0e3a49998a49689a28540d985a58599a285114df0290341f242f7c0f0e68889a38540d985a58599a28511505e290341f442f6c0f0e885939396a640e4958485999389958511d27a290341f142f6c0f0e885939396a640c29389959211d55c290242f6c0f0e885939396a640d6a4a393899585114c60290341f242f6c0f0e885939396a640d985a58599a285114040290242f7c0f0e385a2a340c5a7a3859584858440c481a381a2a39985819440d4819711d550290242f2c0f0d9858440d6a4a39389958511d940290242f2c0f0d98584290242f1c0f0c293a485290242f3c0f0d7899592290242f4c0f0c799858595290242f5c0f0e3a49998a49689a285290242f6c0f0e885939396a6290242f7c0f0e68889a3851df0c4858681a493a3115a50290242f2c0f8d98584290242f1c0f8c293a485290242f3c0f8d7899592290242f4c0f8c799858595290242f5c0f8e3a49998a49689a285290242f6c0f8e885939396a6290242f7c0f8e68889a3851df8c4858681a493a311d2f0290341f142f2c0f0d9858440c293899592115050290341f442f2c0f0d9858440e49584859993899585115b60290341f442f4c0c1115c6f1df0"; // expected input as a hex code, not a secret //pragma: allowlist secret
         byte[] inboundBytes = Hex.decodeHex(inbound);
 
         Network network = new Network("here", 1, "a");

diff --git a/...nt/galasa-managers-zos-parent/dev.galasa.zos3270.manager/src/test/java/t/TestInbound.java b/...nt/galasa-managers-zos-parent/dev.galasa.zos3270.manager/src/test/java/t/TestInbound.java
@@ -26,7 +26,7 @@ public static void main(String[] args) throws TerminalInterruptedException, Netw
 
 //        String inbound = "f5c01140c1131140401d004a54444a53303120776173207375636365737366756c2e204a534f4e20636f6e76657274656420746f20446174612e2020205472616e73666f726d20636f6d6d616e64207375636365737366756c2e1d00200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001d00200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001d00200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001d0020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000";
 
-        String inbound1 = "f5c311c5e41311405d290242f1c0f8c3e5c6d4e2f0f140e3c5e2e340d4c1d7e2c5e311c5d21d60c3e4e2e3d6d4c5d940d5e4d4c2c5d97a1dd1f1f1f1f1f1f11df011c7f6290242f1c060d7c1d9e340d5e4d4c2c5d97a1dd1f2f2f2f2f2f2f2f2f2f21df0114ad9290242f1c060d8e4c1d5e3c9e3e87a1dd1f3f3f3f340401df0115a50290242f2c061c3d6d5e3d9d6d340e3c5e2e34040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040";
+        String inbound1 = "f5c311c5e41311405d290242f1c0f8c3e5c6d4e2f0f140e3c5e2e340d4c1d7e2c5e311c5d21d60c3e4e2e3d6d4c5d940d5e4d4c2c5d97a1dd1f1f1f1f1f1f11df011c7f6290242f1c060d7c1d9e340d5e4d4c2c5d97a1dd1f2f2f2f2f2f2f2f2f2f21df0114ad9290242f1c060d8e4c1d5e3c9e3e87a1dd1f3f3f3f340401df0115a50290242f2c061c3d6d5e3d9d6d340e3c5e2e34040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040404040"; // expected input as a hex code, not a secret //pragma: allowlist secret
         String inbound2 = "f140114040124040";
         String inbound3 = "f1c611c26013";
         byte[] inbound1Bytes = Hex.decodeHex(inbound1);

diff --git a/...in/java/dev/galasa/zosfile/rseapi/manager/internal/RseapiZosDatasetAttributesListdsi.java b/...in/java/dev/galasa/zosfile/rseapi/manager/internal/RseapiZosDatasetAttributesListdsi.java
@@ -1,8 +1,8 @@
-/*
- * Copyright contributors to the Galasa project
- *
- * SPDX-License-Identifier: EPL-2.0
- */
+/*
+ * Copyright contributors to the Galasa project
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ */
 package dev.galasa.zosfile.rseapi.manager.internal;
 
 import java.io.BufferedReader;
@@ -58,7 +58,7 @@ public class RseapiZosDatasetAttributesListdsi {
     private static final String PROP_SYSCREATE    = "syscreate";    
     private static final String PROP_SYSREFDATE   = "sysrefdate";  
     private static final String PROP_SYSEXDATE    = "sysexdate";    
-    private static final String PROP_SYSPASSWORD  = "syspassword";
+    private static final String PROP_SYSPASSWORD  = "syspassword"; //Not a password but a pointer to a password //pragma: allowlist secret
     private static final String PROP_SYSRACFA     = "sysracfa";      
     private static final String PROP_SYSUPDATED   = "sysupdated";  
     private static final String PROP_SYSTRKSCYL   = "systrkscyl";  

diff --git a/...main/java/dev/galasa/zosfile/zosmf/manager/internal/ZosmfZosDatasetAttributesListdsi.java b/...main/java/dev/galasa/zosfile/zosmf/manager/internal/ZosmfZosDatasetAttributesListdsi.java
@@ -1,8 +1,8 @@
-/*
- * Copyright contributors to the Galasa project
- *
- * SPDX-License-Identifier: EPL-2.0
- */
+/*
+ * Copyright contributors to the Galasa project
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ */
 package dev.galasa.zosfile.zosmf.manager.internal;
 
 import java.io.BufferedReader;
@@ -61,7 +61,7 @@ public class ZosmfZosDatasetAttributesListdsi {
     private static final String PROP_SYSCREATE    = "syscreate";    
     private static final String PROP_SYSREFDATE   = "sysrefdate";  
     private static final String PROP_SYSEXDATE    = "sysexdate";    
-    private static final String PROP_SYSPASSWORD  = "syspassword";
+    private static final String PROP_SYSPASSWORD  = "syspassword"; //Not a password but a pointer to a password //pragma: allowlist secret
     private static final String PROP_SYSRACFA     = "sysracfa";      
     private static final String PROP_SYSUPDATED   = "sysupdated";  
     private static final String PROP_SYSTRKSCYL   = "systrkscyl";  

diff --git a/...asa.zosmf.manager/src/test/java/dev/galasa/zosmf/internal/properties/TestServerCreds.java b/...asa.zosmf.manager/src/test/java/dev/galasa/zosmf/internal/properties/TestServerCreds.java
@@ -1,8 +1,8 @@
-/*
- * Copyright contributors to the Galasa project
- *
- * SPDX-License-Identifier: EPL-2.0
- */
+/*
+ * Copyright contributors to the Galasa project
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ */
 package dev.galasa.zosmf.internal.properties;
 
 import org.junit.Assert;
@@ -28,7 +28,7 @@ public class TestServerCreds {
 //    
 //    private static final String SERVER_ID = "server";
 //    
-//    private static final String CREDS = "creds";
+//    private static final String CREDS = "creds"; commented out unit test //pragma: allowlist secret
 //    
 //    @Test
 //    public void testConstructor() {

diff --git a/...seapi.manager/src/test/java/dev/galasa/zosrseapi/internal/properties/TestServerCreds.java b/...seapi.manager/src/test/java/dev/galasa/zosrseapi/internal/properties/TestServerCreds.java
@@ -1,8 +1,8 @@
-/*
- * Copyright contributors to the Galasa project
- *
- * SPDX-License-Identifier: EPL-2.0
- */
+/*
+ * Copyright contributors to the Galasa project
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ */
 package dev.galasa.zosrseapi.internal.properties;
 
 import org.junit.Assert;
@@ -28,7 +28,7 @@ public class TestServerCreds {
 //    
 //    private static final String SERVER_ID = "server";
 //    
-//    private static final String CREDS = "creds";
+//    private static final String CREDS = "creds"; commented out unit test //pragma: allowlist secret
 //    
 //    @Test
 //    public void testConstructor() {