new plugin: npmjs registry secret detector \& validator

Author: secureness

binary/proto/scan_result.proto

@@ -698,6 +698,7 @@ message SecretData {
     OnePasswordRecoveryCode onepassword_recovery_code = 41;
     OnePasswordConnectToken onepassword_connect_token = 42;
     Pgpass pgpass = 43;
+    NpmJSAccessToken npmjs_access_token = 44;
   }
 
   message GCPSAK {
@@ -805,6 +806,10 @@ message SecretData {
     string key = 1;
   }
 
+  message NpmJSAccessToken {
+    string Token = 1;
+  }
+
   message GithubAppRefreshToken {
     string token = 1;
   }

binary/proto/scan_result_go_proto/scan_result.pb.go

@@ -39,6 +39,7 @@ import (
 	veleshashicorpvault "github.com/google/osv-scalibr/veles/secrets/hashicorpvault"
 	veleshashicorpcloudplatform "github.com/google/osv-scalibr/veles/secrets/hcp"
 	"github.com/google/osv-scalibr/veles/secrets/huggingfaceapikey"
+	"github.com/google/osv-scalibr/veles/secrets/npmjsaccesstoken"
 	velesonepasswordkeys "github.com/google/osv-scalibr/veles/secrets/onepasswordkeys"
 	velesopenai "github.com/google/osv-scalibr/veles/secrets/openai"
 	velesperplexity "github.com/google/osv-scalibr/veles/secrets/perplexityapikey"
@@ -115,6 +116,8 @@ func velesSecretToProto(s veles.Secret) (*spb.SecretData, error) {
 		return dockerHubPATToProto(t), nil
 	case velesdigitalocean.DigitaloceanAPIToken:
 		return digitaloceanAPIKeyToProto(t), nil
+	case npmjsaccesstoken.NpmJSAccessToken:
+		return npmJSAccessTokenToProto(t), nil
 	case velesslacktoken.SlackAppConfigAccessToken:
 		return slackAppConfigAccessTokenToProto(t), nil
 	case velesslacktoken.SlackAppConfigRefreshToken:
@@ -217,6 +220,16 @@ func digitaloceanAPIKeyToProto(s velesdigitalocean.DigitaloceanAPIToken) *spb.Se
 	}
 }
 
+func npmJSAccessTokenToProto(s npmjsaccesstoken.NpmJSAccessToken) *spb.SecretData {
+	return &spb.SecretData{
+		Secret: &spb.SecretData_NpmjsAccessToken{
+			NpmjsAccessToken: &spb.SecretData_NpmJSAccessToken{
+				Token: s.Token,
+			},
+		},
+	}
+}
+
 func slackAppLevelTokenToProto(s velesslacktoken.SlackAppLevelToken) *spb.SecretData {
 	return &spb.SecretData{
 		Secret: &spb.SecretData_SlackAppLevelToken_{
@@ -717,6 +730,8 @@ func velesSecretToStruct(s *spb.SecretData) (veles.Secret, error) {
 		return gitlabPATToStruct(s.GetGitlabPat()), nil
 	case *spb.SecretData_Digitalocean:
 		return digitalOceanAPITokenToStruct(s.GetDigitalocean()), nil
+	case *spb.SecretData_NpmjsAccessToken:
+		return npmJSAccessTokenToStruct(s.GetNpmjsAccessToken()), nil
 	case *spb.SecretData_SlackAppConfigRefreshToken_:
 		return slackAppConfigRefreshTokenToStruct(s.GetSlackAppConfigRefreshToken()), nil
 	case *spb.SecretData_SlackAppConfigAccessToken_:
@@ -834,6 +849,12 @@ func digitalOceanAPITokenToStruct(kPB *spb.SecretData_DigitalOceanAPIToken) vele
 	}
 }
 
+func npmJSAccessTokenToStruct(kPB *spb.SecretData_NpmJSAccessToken) npmjsaccesstoken.NpmJSAccessToken {
+	return npmjsaccesstoken.NpmJSAccessToken{
+		Token: kPB.GetToken(),
+	}
+}
+
 func slackAppLevelTokenToStruct(kPB *spb.SecretData_SlackAppLevelToken) velesslacktoken.SlackAppLevelToken {
 	return velesslacktoken.SlackAppLevelToken{
 		Token: kPB.GetToken(),

binary/proto/secret.go

@@ -72,7 +72,7 @@ func (o *LiveRegistry) Close() error {
 	return nil
 }
 
-// LiveKey wraps a winregistry.Key to provide an implementation of the registry.Key interface.
+// LiveKey wraps a winregistry.Token to provide an implementation of the registry.Key interface.
 type LiveKey struct {
 	key  *winregistry.Key
 	name string

common/windows/registry/live.go

@@ -295,7 +295,7 @@ func CheckForBashTask(ctx context.Context, airflowIP string, airflowServerPort i
 	}
 
 	if _, exists := data["env"]; !exists {
-		log.Infof("Key 'env' does not exist in the JSON data")
+		log.Infof("Token 'env' does not exist in the JSON data")
 		return false
 	}
 
@@ -369,14 +369,14 @@ func triggerAndWaitForDAG(ctx context.Context, airflowIP string, airflowServerPo
 
 	// Check for the existence of "message" and "execution_date"
 	if _, messagePresent := resBody["message"]; !messagePresent {
-		log.Errorf("Key 'message' not found in response body")
+		log.Errorf("Token 'message' not found in response body")
 		return false
 	}
 
 	log.Infof("\"%s\"\n", resBody["message"])
 
 	if _, execDatePresent := resBody["execution_date"]; !execDatePresent {
-		log.Errorf("Key 'execution_date' not found in response body")
+		log.Errorf("Token 'execution_date' not found in response body")
 		return false
 	}
 

detector/cve/untested/cve202011978/cve202011978.go

@@ -109,8 +109,8 @@ See the docs on [how to add a new Extractor](/docs/new_extractor.md).
 
 ### Secrets
 
-| Type                              | Extractor Plugin                     |
-|-----------------------------------|--------------------------------------|
+| Type                                        | Extractor Plugin                     |
+|---------------------------------------------|--------------------------------------|
 | Anthropic API key                           | `secrets/anthropicapikey`            |
 | Azure Token                                 | `secrets/azuretoken`                 |
 | DigitalOcean API key                        | `secrets/digitaloceanapikey`         |
@@ -131,6 +131,7 @@ See the docs on [how to add a new Extractor](/docs/new_extractor.md).
 | 1Password Secret Key                        | `secrets/onepasswordsecretkey`       |
 | 1Password Service Token                     | `secrets/onepasswordservicetoken`    |
 | 1Password Recovery Code                     | `secrets/onepasswordrecoverycode`    |
+| npmjs Registry Access Tokens                | `secrets/npmjsaccesstoken`           |
 | OpenAI API key                              | `secrets/openai`                     |
 | Perplexity API key                          | `secrets/perplexityapikey`           |
 | Postgres pgpass file                        | `secrets/pgpass`                     |

docs/supported_inventory_types.md

@@ -42,6 +42,7 @@ import (
 	"github.com/google/osv-scalibr/veles/secrets/hashicorpvault"
 	"github.com/google/osv-scalibr/veles/secrets/hcp"
 	"github.com/google/osv-scalibr/veles/secrets/huggingfaceapikey"
+	"github.com/google/osv-scalibr/veles/secrets/npmjsaccesstoken"
 	"github.com/google/osv-scalibr/veles/secrets/openai"
 	"github.com/google/osv-scalibr/veles/secrets/perplexityapikey"
 	"github.com/google/osv-scalibr/veles/secrets/postmanapikey"
@@ -83,6 +84,7 @@ var (
 		fromVeles(anthropicapikey.NewWorkspaceValidator(), "secrets/anthropicapikeyworkspacevalidate", 0),
 		fromVeles(anthropicapikey.NewModelValidator(), "secrets/anthropicapikeymodelvalidate", 0),
 		fromVeles(digitaloceanapikey.NewValidator(), "secrets/digitaloceanapikeyvalidate", 0),
+		fromVeles(npmjsaccesstoken.NewValidator(), "secrets/npmjsaccesstoken", 0),
 		fromVeles(slacktoken.NewAppLevelTokenValidator(), "secrets/slackappleveltokenvalidate", 0),
 		fromVeles(slacktoken.NewAppConfigRefreshTokenValidator(), "secrets/slackconfigrefreshtokenvalidate", 0),
 		fromVeles(slacktoken.NewAppConfigAccessTokenValidator(), "secrets/slackconfigaccesstokenvalidate", 0),

enricher/enricherlist/list.go

@@ -110,6 +110,7 @@ import (
 	"github.com/google/osv-scalibr/veles/secrets/hashicorpvault"
 	"github.com/google/osv-scalibr/veles/secrets/hcp"
 	"github.com/google/osv-scalibr/veles/secrets/huggingfaceapikey"
+	"github.com/google/osv-scalibr/veles/secrets/npmjsaccesstoken"
 	"github.com/google/osv-scalibr/veles/secrets/onepasswordkeys"
 	"github.com/google/osv-scalibr/veles/secrets/openai"
 	"github.com/google/osv-scalibr/veles/secrets/perplexityapikey"
@@ -274,6 +275,7 @@ var (
 		{azuretoken.NewDetector(), "secrets/azuretoken", 0},
 		{azurestorageaccountaccesskey.NewDetector(), "secrets/azurestorageaccountaccesskey", 0},
 		{digitaloceanapikey.NewDetector(), "secrets/digitaloceanapikey", 0},
+		{npmjsaccesstoken.NewDetector(), "secrets/npmjsaccesstoken", 0},
 		{slacktoken.NewAppConfigAccessTokenDetector(), "secrets/slackappconfigaccesstoken", 0},
 		{slacktoken.NewAppConfigRefreshTokenDetector(), "secrets/slackappconfigrefreshtoken", 0},
 		{slacktoken.NewAppLevelTokenDetector(), "secrets/slackappleveltoken", 0},

extractor/filesystem/list/list.go

@@ -88,10 +88,10 @@ func validateAPIKey(ctx context.Context, config *ValidationConfig, key string, e
 	// Check response status
 	switch res.StatusCode {
 	case http.StatusOK:
-		// Key is valid
+		// Token is valid
 		return veles.ValidationValid, nil
 	case http.StatusUnauthorized:
-		// Key is invalid
+		// Token is invalid
 		return veles.ValidationInvalid, nil
 	case http.StatusTooManyRequests:
 		// Rate limited - key is likely valid but we're being throttled.

veles/secrets/anthropicapikey/helpers.go

@@ -41,7 +41,7 @@ func mockAnthropicModelServer(t *testing.T, expectedKey string, statusCode int,
 
 		// Check headers
 		if r.Header.Get("X-Api-Key") != expectedKey {
-			t.Errorf("expected X-Api-Key: %s, got: %s", expectedKey, r.Header.Get("X-Api-Key"))
+			t.Errorf("expected X-Api-Token: %s, got: %s", expectedKey, r.Header.Get("X-Api-Key"))
 		}
 		if r.Header.Get("Anthropic-Version") != "2023-06-01" {
 			t.Errorf("expected Anthropic-Version: 2023-06-01, got: %s", r.Header.Get("Anthropic-Version"))