feat: add Black Duck API token detector#5063
Open
New1Direction wants to merge 1 commit into
Cursor Bugbot has reviewed your changes and found 2 potential issues.
Reviewed by Cursor Bugbot for commit 0ab5e6f.
Black Duck API tokens are base64 of "uuid:uuid". The detector decodes the candidate and only keeps it when it's a uuid pair, then verifies against the self-hosted server's /api/tokens/authenticate endpoint. Closes trufflesecurity#3012
0ab5e6f to 21c659f
Author
Thanks for the review — both findings were valid and are fixed in 21c659f:

Adds a detector for Black Duck API tokens (the SCA tool). Closes #3012.
Black Duck tokens are base64 of uuid:uuid (100 chars ending in ==). Matching just the base64 shape is noisy, so the detector decodes the candidate and only keeps it when it's a colon-separated pair of UUIDs.
Black Duck is self-hosted, so verifying needs the server URL. I grab it from the surrounding context and POST to {server}/api/tokens/authenticate with Authorization: token <token>. 200 = valid, 401/403 = invalid, anything else is left indeterminate.
Tests:
go test -tags=detectors ./pkg/detectors/blackduck/
A couple of notes:
Note: Medium Risk
Verification performs outbound HTTP to user-supplied Black Duck hosts with discovered tokens; behavior follows existing self-hosted detector patterns, but live verification was not validated against a real server.
Overview
Adds a Black Duck secret scanner that finds base64 API tokens (decoded as uuid:uuid) near blackduck/black_duck keywords, pairs them with a co-located server URL, and registers DetectorType_BlackDuck (1053) in the default engine list.
Detection filters out raw base64 noise by requiring a valid UUID pair after decode. Findings are only emitted when a server URL is present in the same chunk (same pattern as Portainer token), with optional verification via POST {url}/api/tokens/authenticate and Authorization: token <token> (200 = verified, 401/403 = unverified).
Includes unit tests for token+URL matching, invalid token shape, token-only (no result), and BLACK_DUCK_* env-style prefixes.
Reviewed by Cursor Bugbot for commit 21c659f.