from os import remove
from subprocess import run # nosec B404
from finding import Finding
from json import loads
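def truffle_hog(path: str, repo, branch, extra_context, conf):
    """Scan the git history of a local checkout with trufflehog.

    Args:
        path: Filesystem path of the repository to scan; turned into a
            ``file://`` URL (backslashes normalised so Windows paths work).
        repo: Passed through unchanged to ``Finding.fromTrufflehog``.
        branch: Branch name handed to trufflehog as ``--branch=<branch>``.
        extra_context: Passed through unchanged to ``Finding.fromTrufflehog``.
        conf: Accepted so every scanner shares one signature; not read here.

    Returns:
        One ``Finding`` per JSON line trufflehog wrote to stdout, or an
        empty list when trufflehog exits 0.

    Raises:
        FileNotFoundError: if the ``trufflehog`` binary is not on PATH.
        json.JSONDecodeError: if a non-blank stdout line is not valid JSON.
    """
    target = "file://" + path.replace("\\", "/")
    # Every value is its own argv entry and no shell is involved, so
    # ``path``/``branch`` cannot break out of the command line; the branch
    # still reaches trufflehog's option parser as one "--branch=<name>" token.
    cmd = [
        "trufflehog",
        "--no-update",
        "--json",
        "git",
        target,
        "--fail",
        f"--branch={branch}",
    ]
    output = run(  # nosec B603 git branch has limited char set
        cmd, capture_output=True
    )
    # With --fail a clean scan exits 0; a non-zero status means "look at stdout".
    if output.returncode == 0:
        return []
    # NOTE(review): a non-zero exit caused by a tool error (unreadable path,
    # git failure) also lands here and, with nothing on stdout, is reported as
    # "no findings". Inspect output.stderr if that distinction matters.
    findings = []
    # splitlines() drops a trailing "\r" that split("\n") would keep on CRLF
    # output, and strip() keeps whitespace-only lines away from the JSON parser.
    for line in output.stdout.decode("utf-8").splitlines():
        if not line.strip():
            continue
        findings.append(Finding.fromTrufflehog(loads(line), repo, extra_context))
    return findings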
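def gitleaks(path, repo, branch, extra_context, conf):
    """Scan a local checkout with gitleaks and collect its findings.

    gitleaks writes its JSON report to ``<path>.out``; the report is read
    back, parsed, and removed again on every exit path.

    Args:
        path: Filesystem path of the repository to scan (``-s``).
        repo: Passed through unchanged to ``Finding.fromGitLeak``.
        branch: Value handed to gitleaks as ``--log-opts=<branch>``, i.e.
            forwarded to ``git log``. Presumably already validated as a ref
            name by the caller (the nosec comment relies on git's branch-name
            rules) — TODO confirm.
        extra_context: Passed through unchanged to ``Finding.fromGitLeak``.
        conf: Configuration mapping. An optional
            ``conf["gitleaks"]["config_file_path"]`` is passed as ``--config``;
            a missing ``"gitleaks"`` section is tolerated.

    Returns:
        A list of ``Finding`` objects when gitleaks exits 1 and the report
        could be read and parsed; an empty list otherwise.

    Raises:
        FileNotFoundError: if the ``gitleaks`` binary is not on PATH.
        json.JSONDecodeError: if the report file is not valid JSON.
    """
    report_path = f"{path}.out"
    cmd = [
        "gitleaks",
        "detect",
        "-s",
        path,
        "-r",
        report_path,
        f"--log-opts={branch}",
    ]
    # .get() tolerates a conf without a "gitleaks" section instead of KeyError.
    gitleaks_conf = conf.get("gitleaks", {})
    if "config_file_path" in gitleaks_conf:
        cmd.append(f"--config={gitleaks_conf['config_file_path']}")
    result = run(  # nosec B603 git branch has limited char set
        cmd, capture_output=True
    )
    try:
        # gitleaks signals "leaks present" with exit status 1; any other
        # status yields no findings.
        # NOTE(review): a tool error (non-0/non-1 status) is therefore
        # indistinguishable from a clean scan here; result.stderr has the reason.
        if result.returncode != 1:
            return []
        try:
            # The report is JSON written by gitleaks; read it as UTF-8 rather
            # than the locale encoding.
            with open(report_path, "r", encoding="utf-8") as report_file:
                raw_report = report_file.read()
        except OSError:
            # Best effort, as before: an unreadable/missing report means no
            # findings. Narrowed from a bare except so KeyboardInterrupt and
            # programming errors are no longer swallowed.
            return []
        return [
            Finding.fromGitLeak(finding_dict, repo, extra_context)
            for finding_dict in loads(raw_report)
        ]
    finally:
        # Always delete the report, including on parse errors: it can quote
        # the matched secrets and would otherwise stay on disk next to the
        # checkout.
        try:
            remove(report_path)
        except FileNotFoundError:
            # Expected sometimes: gitleaks does not always write a report.
            pass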