Merge pull request #76 from Skyscanner/release

Release

tests/unit/rules/test_rules.py

@@ -99,8 +99,7 @@ def test_check(ruleslist, expectation):
     rules = WhisperRules(ruleslist=ruleslist)
     result = 0
     for key, value, _ in Yml(rules).pairs(filepath):
-        if rules.check(key, value, filepath, []):
-            result += 1
+        result += len(list(rules.check(key, value, filepath, [])))
     assert result == expectation
 
 

tests/unit/test_cli.py

@@ -69,7 +69,9 @@ def test_cli_info():
 
 @pytest.mark.parametrize(("arg", "expected"), [("", 0), ("-e 123", 123)])
 def test_cli_exitcode(arg, expected):
-    proc = subprocess.Popen(shlex.split(f"whispers {arg} tests/fixtures/apikeys.yml"), stdout=subprocess.DEVNULL)
+    proc = subprocess.Popen(
+        shlex.split(f"whispers {arg} -r apikey tests/fixtures/apikeys.yml"), stdout=subprocess.DEVNULL
+    )
     proc.communicate()
     assert proc.returncode == expected
 
@@ -85,7 +87,10 @@ def test_cli_exitcode(arg, expected):
 def test_cli_severity(arg, expected):
     fd, tmp = mkstemp(suffix=".yml", text=True)
     proc = subprocess.Popen(
-        shlex.split(f"whispers -o {tmp} {arg} tests/fixtures/severity.yml"), stdout=subprocess.DEVNULL
+        shlex.split(
+            f"whispers -o {tmp} {arg} -r aws-id,privatekey,apikey,slack-webhook,base64 tests/fixtures/severity.yml"
+        ),
+        stdout=subprocess.DEVNULL,
     )
     proc.communicate()
     result = load_yaml_from_file(Path(tmp))

tests/unit/test_secrets.py

@@ -20,7 +20,7 @@ def test_exclude_by_keys_and_values(configfile, src):
 
 
 @pytest.mark.parametrize(
-    ("src", "keys"),
+    ("src", "expected"),
     [
         ("privatekeys.yml", ["access", "key", "rsa", "dsa", "ec", "openssh"]),
         ("privatekeys.json", ["access", "key", "rsa", "dsa", "ec", "openssh"]),
@@ -33,13 +33,11 @@ def test_exclude_by_keys_and_values(configfile, src):
         ("cloudformation.json", ["NoncompliantDBPassword"]),
     ],
 )
-def test_detection_by_key(src, keys):
+def test_detection_by_key(src, expected):
     args = parse_args([fixture_path(src)])
     secrets = core.run(args)
-    for key in keys:
-        assert next(secrets).key == key
-    with pytest.raises(StopIteration):
-        next(secrets)
+    result = list(map(lambda x: x.key, secrets))
+    assert set(result) == set(expected)
 
 
 @pytest.mark.parametrize(
@@ -100,14 +98,11 @@ def test_detection_by_value(src, count):
     args = parse_args([fixture_path(src)])
     args.config = core.load_config(CONFIG_PATH.joinpath("detection_by_value.yml"))
     secrets = core.run(args)
-    for _ in range(count):
-        value = next(secrets).value
+    result = list(map(lambda x: x.value, secrets))
+    for value in result:
         if value.isnumeric():
             continue
-        result = "hardcoded" in value.lower() or b"hardcoded" in b64decode(value)
-        assert result is True
-    with pytest.raises(StopIteration):
-        next(secrets)
+        assert "hardcoded" in value.lower() or b"hardcoded" in b64decode(value)
 
 
 def test_detection_by_filename():
@@ -145,13 +140,11 @@ def test_detection_by_rule(src, count, rule_id):
     args = parse_args(["-r", rule_id, fixture_path(src)])
     args.config = core.load_config(CONFIG_PATH.joinpath("detection_by_value.yml"))
     secrets = core.run(args)
-    for _ in range(count):
-        value = next(secrets).value.lower()
+    result = list(map(lambda x: x.value.lower(), secrets))
+    for value in result:
         if value.isnumeric():
             continue
         assert "hardcoded" in value
-    with pytest.raises(StopIteration):
-        next(secrets)
 
 
 @pytest.mark.parametrize(

whispers/__version__.py

@@ -1,3 +1,3 @@
-VERSION = (1, 5, 0)
+VERSION = (1, 5, 1)
 
 __version__ = ".".join(map(str, VERSION))

whispers/rules/__init__.py

@@ -112,7 +112,7 @@ def check(self, key: str, value: str, filepath: Path, foundlines: List[int]) ->
                         break
             if not rule_matched:
                 continue
-            return Secret(
+            yield Secret(
                 filepath.as_posix(),
                 find_line_number(filepath, key, value, foundlines),
                 key,

whispers/rules/aws.yml

@@ -23,7 +23,6 @@ aws-token:
   message: AWS Session Token
   severity: BLOCKER
   value:
-    regex: ^(?=.*[a-z])(?=.*[A-Z])[A-Za-z0-9\+\/]{270,450}$
+    regex: ^(?=.*[A-Z])(?=.*[a-z])(?=.*[0-9])[A-Za-z0-9\+\/]{270,450}$
     ignorecase: False
     isBase64: True  # base64-encoded
-    isAscii: False  # binary content

whispers/secrets.py

@@ -82,18 +82,18 @@ def detect_secrets(self, key: str, value: str, filepath: Path, breadcrumbs: list
             return None  # Not static
         if self.is_excluded(breadcrumbs):
             return None  # Excluded via config
-        return self.rules.check(key, value, filepath, self.foundlines[filepath.as_posix()])
+        yield from self.rules.check(key, value, filepath, self.foundlines[filepath.as_posix()])
 
     def scan(self, filename: str) -> Optional[Secret]:
         plugin = WhisperPlugins(filename, self.rules)
         if not plugin:
             return None
         self.foundlines[plugin.filepath.as_posix()] = []
-        yield self.detect_secrets("file", plugin.filepath.as_posix(), plugin.filepath)
+        yield from self.detect_secrets("file", plugin.filepath.as_posix(), plugin.filepath)
         for ret in plugin.pairs():
             if len(ret) == 2:
                 key, value = ret
-                yield self.detect_secrets(key, value, plugin.filepath)
+                yield from self.detect_secrets(key, value, plugin.filepath)
             elif len(ret) == 3:
                 key, value, breadcrumbs = ret
-                yield self.detect_secrets(key, value, plugin.filepath, breadcrumbs=breadcrumbs)
+                yield from self.detect_secrets(key, value, plugin.filepath, breadcrumbs=breadcrumbs)