diff --git a/binary/proto/scan_result.proto b/binary/proto/scan_result.proto
index 672d34b84..e3de75126 100644
--- a/binary/proto/scan_result.proto
+++ b/binary/proto/scan_result.proto
@@ -698,6 +698,7 @@ message SecretData {
 OnePasswordRecoveryCode onepassword_recovery_code = 41;
 OnePasswordConnectToken onepassword_connect_token = 42;
 Pgpass pgpass = 43;
+ NpmJSAccessToken npmjs_access_token = 44;
 }
 message GCPSAK {
@@ -805,6 +806,10 @@ message SecretData {
 string key = 1;
 }
+ message NpmJSAccessToken {
+ string Token = 1;
+ }
+
 message GithubAppRefreshToken {
 string token = 1;
 }
diff --git a/binary/proto/scan_result_go_proto/scan_result.pb.go b/binary/proto/scan_result_go_proto/scan_result.pb.go
index 2d0a1e042..0804a30f7 100644
--- a/binary/proto/scan_result_go_proto/scan_result.pb.go
+++ b/binary/proto/scan_result_go_proto/scan_result.pb.go
@@ -15,8 +15,8 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: -// protoc-gen-go v1.36.8 -// protoc v3.21.1 +// protoc-gen-go v1.36.7 +// protoc v3.21.12 // source: proto/scan_result.proto package scan_result_go_proto @@ -5176,6 +5176,7 @@ type SecretData struct { // *SecretData_OnepasswordRecoveryCode // *SecretData_OnepasswordConnectToken // *SecretData_Pgpass_ + // *SecretData_NpmjsAccessToken Secret isSecretData_Secret `protobuf_oneof:"secret"` unknownFields protoimpl.UnknownFields sizeCache protoimpl.SizeCache @@ -5596,6 +5597,15 @@ func (x *SecretData) GetPgpass() *SecretData_Pgpass { return nil } +func (x *SecretData) GetNpmjsAccessToken() *SecretData_NpmJSAccessToken { + if x != nil { + if x, ok := x.Secret.(*SecretData_NpmjsAccessToken); ok { + return x.NpmjsAccessToken + } + } + return nil +} + type isSecretData_Secret interface { isSecretData_Secret() }
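Review bot: The field in the new `NpmJSAccessToken` message (second hunk of scan_result.proto) is declared as `string Token = 1;`, while the sibling messages visible in the same hunk use lower-case names (`string key = 1;`, `string token = 1;`). The capital carries through to the serialized surface: the regenerated struct tag reads `json:"Token,omitempty"`, so JSON and text-format consumers of scan results would see `Token` for this one secret type only. Renaming a field after release breaks those consumers, so I would change it now to `string token = 1;` and regenerate. Separately, the regenerated header moves protoc-gen-go from v1.36.8 to v1.36.7, which suggests the file was built with a different toolchain than the previous run; regenerating with the repository's pinned versions would keep the generated output reproducible.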
@@ -5768,6 +5778,10 @@ type SecretData_Pgpass_ struct { Pgpass *SecretData_Pgpass `protobuf:"bytes,43,opt,name=pgpass,proto3,oneof"` } +type SecretData_NpmjsAccessToken struct { + NpmjsAccessToken *SecretData_NpmJSAccessToken `protobuf:"bytes,44,opt,name=npmjs_access_token,json=npmjsAccessToken,proto3,oneof"` +} + func (*SecretData_Gcpsak) isSecretData_Secret() {} func (*SecretData_AnthropicWorkspaceApiKey) isSecretData_Secret() {} @@ -5852,6 +5866,8 @@ func (*SecretData_OnepasswordConnectToken) isSecretData_Secret() {} func (*SecretData_Pgpass_) isSecretData_Secret() {} +func (*SecretData_NpmjsAccessToken) isSecretData_Secret() {} + type SecretStatus struct { state protoimpl.MessageState `protogen:"open.v1"` Status SecretStatus_SecretStatusEnum `protobuf:"varint,1,opt,name=status,proto3,enum=scalibr.SecretStatus_SecretStatusEnum" json:"status,omitempty"` 
@@ -7563,6 +7579,50 @@ func (x *SecretData_DigitalOceanAPIToken) GetKey() string { return "" } +type SecretData_NpmJSAccessToken struct { + state protoimpl.MessageState `protogen:"open.v1"` + Token string `protobuf:"bytes,1,opt,name=Token,proto3" json:"Token,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *SecretData_NpmJSAccessToken) Reset() { + *x = SecretData_NpmJSAccessToken{} + mi := &file_proto_scan_result_proto_msgTypes[88] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *SecretData_NpmJSAccessToken) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*SecretData_NpmJSAccessToken) ProtoMessage() {} + +func (x *SecretData_NpmJSAccessToken) ProtoReflect() protoreflect.Message { + mi := &file_proto_scan_result_proto_msgTypes[88] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use SecretData_NpmJSAccessToken.ProtoReflect.Descriptor instead. +func (*SecretData_NpmJSAccessToken) Descriptor() ([]byte, []int) { + return file_proto_scan_result_proto_rawDescGZIP(), []int{55, 20} +} + +func (x *SecretData_NpmJSAccessToken) GetToken() string { + if x != nil { + return x.Token + } + return "" +} + type SecretData_GithubAppRefreshToken struct { state protoimpl.MessageState `protogen:"open.v1"` Token string `protobuf:"bytes,1,opt,name=token,proto3" json:"token,omitempty"` @@ -7572,7 +7632,7 @@ type SecretData_GithubAppRefreshToken struct { func (x *SecretData_GithubAppRefreshToken) Reset() { *x = SecretData_GithubAppRefreshToken{} - mi := &file_proto_scan_result_proto_msgTypes[88] + mi := &file_proto_scan_result_proto_msgTypes[89] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } 
@@ -7584,7 +7644,7 @@ func (x *SecretData_GithubAppRefreshToken) String() string { func (*SecretData_GithubAppRefreshToken) ProtoMessage() {} func (x *SecretData_GithubAppRefreshToken) ProtoReflect() protoreflect.Message { - mi := &file_proto_scan_result_proto_msgTypes[88] + mi := &file_proto_scan_result_proto_msgTypes[89] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -7597,7 +7657,7 @@ func (x *SecretData_GithubAppRefreshToken) ProtoReflect() protoreflect.Message { // Deprecated: Use SecretData_GithubAppRefreshToken.ProtoReflect.Descriptor instead. func (*SecretData_GithubAppRefreshToken) Descriptor() ([]byte, []int) { - return file_proto_scan_result_proto_rawDescGZIP(), []int{55, 20} + return file_proto_scan_result_proto_rawDescGZIP(), []int{55, 21} } func (x *SecretData_GithubAppRefreshToken) GetToken() string { @@ -7616,7 +7676,7 @@ type SecretData_GithubAppServerToServerToken struct { func (x *SecretData_GithubAppServerToServerToken) Reset() { *x = SecretData_GithubAppServerToServerToken{} - mi := &file_proto_scan_result_proto_msgTypes[89] + mi := &file_proto_scan_result_proto_msgTypes[90] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -7628,7 +7688,7 @@ func (x *SecretData_GithubAppServerToServerToken) String() string { func (*SecretData_GithubAppServerToServerToken) ProtoMessage() {} func (x *SecretData_GithubAppServerToServerToken) ProtoReflect() protoreflect.Message { - mi := &file_proto_scan_result_proto_msgTypes[89] + mi := &file_proto_scan_result_proto_msgTypes[90] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { 
@@ -7641,7 +7701,7 @@ func (x *SecretData_GithubAppServerToServerToken) ProtoReflect() protoreflect.Me // Deprecated: Use SecretData_GithubAppServerToServerToken.ProtoReflect.Descriptor instead. func (*SecretData_GithubAppServerToServerToken) Descriptor() ([]byte, []int) { - return file_proto_scan_result_proto_rawDescGZIP(), []int{55, 21} + return file_proto_scan_result_proto_rawDescGZIP(), []int{55, 22} } func (x *SecretData_GithubAppServerToServerToken) GetToken() string { @@ -7660,7 +7720,7 @@ type SecretData_GithubClassicPersonalAccessToken struct { func (x *SecretData_GithubClassicPersonalAccessToken) Reset() { *x = SecretData_GithubClassicPersonalAccessToken{} - mi := &file_proto_scan_result_proto_msgTypes[90] + mi := &file_proto_scan_result_proto_msgTypes[91] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -7672,7 +7732,7 @@ func (x *SecretData_GithubClassicPersonalAccessToken) String() string { func (*SecretData_GithubClassicPersonalAccessToken) ProtoMessage() {} func (x *SecretData_GithubClassicPersonalAccessToken) ProtoReflect() protoreflect.Message { - mi := &file_proto_scan_result_proto_msgTypes[90] + mi := &file_proto_scan_result_proto_msgTypes[91] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -7685,7 +7745,7 @@ func (x *SecretData_GithubClassicPersonalAccessToken) ProtoReflect() protoreflec // Deprecated: Use SecretData_GithubClassicPersonalAccessToken.ProtoReflect.Descriptor instead. func (*SecretData_GithubClassicPersonalAccessToken) Descriptor() ([]byte, []int) { - return file_proto_scan_result_proto_rawDescGZIP(), []int{55, 22} + return file_proto_scan_result_proto_rawDescGZIP(), []int{55, 23} } func (x *SecretData_GithubClassicPersonalAccessToken) GetToken() string { 
@@ -7704,7 +7764,7 @@ type SecretData_GithubFineGrainedPersonalAccessToken struct { func (x *SecretData_GithubFineGrainedPersonalAccessToken) Reset() { *x = SecretData_GithubFineGrainedPersonalAccessToken{} - mi := &file_proto_scan_result_proto_msgTypes[91] + mi := &file_proto_scan_result_proto_msgTypes[92] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -7716,7 +7776,7 @@ func (x *SecretData_GithubFineGrainedPersonalAccessToken) String() string { func (*SecretData_GithubFineGrainedPersonalAccessToken) ProtoMessage() {} func (x *SecretData_GithubFineGrainedPersonalAccessToken) ProtoReflect() protoreflect.Message { - mi := &file_proto_scan_result_proto_msgTypes[91] + mi := &file_proto_scan_result_proto_msgTypes[92] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -7729,7 +7789,7 @@ func (x *SecretData_GithubFineGrainedPersonalAccessToken) ProtoReflect() protore // Deprecated: Use SecretData_GithubFineGrainedPersonalAccessToken.ProtoReflect.Descriptor instead. func (*SecretData_GithubFineGrainedPersonalAccessToken) Descriptor() ([]byte, []int) { - return file_proto_scan_result_proto_rawDescGZIP(), []int{55, 23} + return file_proto_scan_result_proto_rawDescGZIP(), []int{55, 24} } func (x *SecretData_GithubFineGrainedPersonalAccessToken) GetToken() string { @@ -7748,7 +7808,7 @@ type SecretData_GithubOAuthToken struct { func (x *SecretData_GithubOAuthToken) Reset() { *x = SecretData_GithubOAuthToken{} - mi := &file_proto_scan_result_proto_msgTypes[92] + mi := &file_proto_scan_result_proto_msgTypes[93] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } 
@@ -7760,7 +7820,7 @@ func (x *SecretData_GithubOAuthToken) String() string { func (*SecretData_GithubOAuthToken) ProtoMessage() {} func (x *SecretData_GithubOAuthToken) ProtoReflect() protoreflect.Message { - mi := &file_proto_scan_result_proto_msgTypes[92] + mi := &file_proto_scan_result_proto_msgTypes[93] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -7773,7 +7833,7 @@ func (x *SecretData_GithubOAuthToken) ProtoReflect() protoreflect.Message { // Deprecated: Use SecretData_GithubOAuthToken.ProtoReflect.Descriptor instead. func (*SecretData_GithubOAuthToken) Descriptor() ([]byte, []int) { - return file_proto_scan_result_proto_rawDescGZIP(), []int{55, 24} + return file_proto_scan_result_proto_rawDescGZIP(), []int{55, 25} } func (x *SecretData_GithubOAuthToken) GetToken() string { @@ -7792,7 +7852,7 @@ type SecretData_GithubAppUserToServerToken struct { func (x *SecretData_GithubAppUserToServerToken) Reset() { *x = SecretData_GithubAppUserToServerToken{} - mi := &file_proto_scan_result_proto_msgTypes[93] + mi := &file_proto_scan_result_proto_msgTypes[94] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -7804,7 +7864,7 @@ func (x *SecretData_GithubAppUserToServerToken) String() string { func (*SecretData_GithubAppUserToServerToken) ProtoMessage() {} func (x *SecretData_GithubAppUserToServerToken) ProtoReflect() protoreflect.Message { - mi := &file_proto_scan_result_proto_msgTypes[93] + mi := &file_proto_scan_result_proto_msgTypes[94] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { 
@@ -7817,7 +7877,7 @@ func (x *SecretData_GithubAppUserToServerToken) ProtoReflect() protoreflect.Mess // Deprecated: Use SecretData_GithubAppUserToServerToken.ProtoReflect.Descriptor instead. func (*SecretData_GithubAppUserToServerToken) Descriptor() ([]byte, []int) { - return file_proto_scan_result_proto_rawDescGZIP(), []int{55, 25} + return file_proto_scan_result_proto_rawDescGZIP(), []int{55, 26} } func (x *SecretData_GithubAppUserToServerToken) GetToken() string { @@ -7836,7 +7896,7 @@ type SecretData_TinkKeyset struct { func (x *SecretData_TinkKeyset) Reset() { *x = SecretData_TinkKeyset{} - mi := &file_proto_scan_result_proto_msgTypes[94] + mi := &file_proto_scan_result_proto_msgTypes[95] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -7848,7 +7908,7 @@ func (x *SecretData_TinkKeyset) String() string { func (*SecretData_TinkKeyset) ProtoMessage() {} func (x *SecretData_TinkKeyset) ProtoReflect() protoreflect.Message { - mi := &file_proto_scan_result_proto_msgTypes[94] + mi := &file_proto_scan_result_proto_msgTypes[95] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -7861,7 +7921,7 @@ func (x *SecretData_TinkKeyset) ProtoReflect() protoreflect.Message { // Deprecated: Use SecretData_TinkKeyset.ProtoReflect.Descriptor instead. func (*SecretData_TinkKeyset) Descriptor() ([]byte, []int) { - return file_proto_scan_result_proto_rawDescGZIP(), []int{55, 26} + return file_proto_scan_result_proto_rawDescGZIP(), []int{55, 27} } func (x *SecretData_TinkKeyset) GetContent() string { @@ -7880,7 +7940,7 @@ type SecretData_HashiCorpVaultToken struct { func (x *SecretData_HashiCorpVaultToken) Reset() { *x = SecretData_HashiCorpVaultToken{} - mi := &file_proto_scan_result_proto_msgTypes[95] + mi := &file_proto_scan_result_proto_msgTypes[96] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } 
@@ -7892,7 +7952,7 @@ func (x *SecretData_HashiCorpVaultToken) String() string { func (*SecretData_HashiCorpVaultToken) ProtoMessage() {} func (x *SecretData_HashiCorpVaultToken) ProtoReflect() protoreflect.Message { - mi := &file_proto_scan_result_proto_msgTypes[95] + mi := &file_proto_scan_result_proto_msgTypes[96] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -7905,7 +7965,7 @@ func (x *SecretData_HashiCorpVaultToken) ProtoReflect() protoreflect.Message { // Deprecated: Use SecretData_HashiCorpVaultToken.ProtoReflect.Descriptor instead. func (*SecretData_HashiCorpVaultToken) Descriptor() ([]byte, []int) { - return file_proto_scan_result_proto_rawDescGZIP(), []int{55, 27} + return file_proto_scan_result_proto_rawDescGZIP(), []int{55, 28} } func (x *SecretData_HashiCorpVaultToken) GetToken() string { @@ -7926,7 +7986,7 @@ type SecretData_HashiCorpVaultAppRoleCredentials struct { func (x *SecretData_HashiCorpVaultAppRoleCredentials) Reset() { *x = SecretData_HashiCorpVaultAppRoleCredentials{} - mi := &file_proto_scan_result_proto_msgTypes[96] + mi := &file_proto_scan_result_proto_msgTypes[97] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -7938,7 +7998,7 @@ func (x *SecretData_HashiCorpVaultAppRoleCredentials) String() string { func (*SecretData_HashiCorpVaultAppRoleCredentials) ProtoMessage() {} func (x *SecretData_HashiCorpVaultAppRoleCredentials) ProtoReflect() protoreflect.Message { - mi := &file_proto_scan_result_proto_msgTypes[96] + mi := &file_proto_scan_result_proto_msgTypes[97] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { 
@@ -7951,7 +8011,7 @@ func (x *SecretData_HashiCorpVaultAppRoleCredentials) ProtoReflect() protoreflec // Deprecated: Use SecretData_HashiCorpVaultAppRoleCredentials.ProtoReflect.Descriptor instead. func (*SecretData_HashiCorpVaultAppRoleCredentials) Descriptor() ([]byte, []int) { - return file_proto_scan_result_proto_rawDescGZIP(), []int{55, 28} + return file_proto_scan_result_proto_rawDescGZIP(), []int{55, 29} } func (x *SecretData_HashiCorpVaultAppRoleCredentials) GetRoleId() string { @@ -7984,7 +8044,7 @@ type SecretData_GCPAPIKey struct { func (x *SecretData_GCPAPIKey) Reset() { *x = SecretData_GCPAPIKey{} - mi := &file_proto_scan_result_proto_msgTypes[97] + mi := &file_proto_scan_result_proto_msgTypes[98] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -7996,7 +8056,7 @@ func (x *SecretData_GCPAPIKey) String() string { func (*SecretData_GCPAPIKey) ProtoMessage() {} func (x *SecretData_GCPAPIKey) ProtoReflect() protoreflect.Message { - mi := &file_proto_scan_result_proto_msgTypes[97] + mi := &file_proto_scan_result_proto_msgTypes[98] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -8009,7 +8069,7 @@ func (x *SecretData_GCPAPIKey) ProtoReflect() protoreflect.Message { // Deprecated: Use SecretData_GCPAPIKey.ProtoReflect.Descriptor instead. func (*SecretData_GCPAPIKey) Descriptor() ([]byte, []int) { - return file_proto_scan_result_proto_rawDescGZIP(), []int{55, 29} + return file_proto_scan_result_proto_rawDescGZIP(), []int{55, 30} } func (x *SecretData_GCPAPIKey) GetKey() string { @@ -8030,7 +8090,7 @@ type SecretData_HuggingfaceAPIKey struct { func (x *SecretData_HuggingfaceAPIKey) Reset() { *x = SecretData_HuggingfaceAPIKey{} - mi := &file_proto_scan_result_proto_msgTypes[98] + mi := &file_proto_scan_result_proto_msgTypes[99] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } 
@@ -8042,7 +8102,7 @@ func (x *SecretData_HuggingfaceAPIKey) String() string { func (*SecretData_HuggingfaceAPIKey) ProtoMessage() {} func (x *SecretData_HuggingfaceAPIKey) ProtoReflect() protoreflect.Message { - mi := &file_proto_scan_result_proto_msgTypes[98] + mi := &file_proto_scan_result_proto_msgTypes[99] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -8055,7 +8115,7 @@ func (x *SecretData_HuggingfaceAPIKey) ProtoReflect() protoreflect.Message { // Deprecated: Use SecretData_HuggingfaceAPIKey.ProtoReflect.Descriptor instead. func (*SecretData_HuggingfaceAPIKey) Descriptor() ([]byte, []int) { - return file_proto_scan_result_proto_rawDescGZIP(), []int{55, 30} + return file_proto_scan_result_proto_rawDescGZIP(), []int{55, 31} } func (x *SecretData_HuggingfaceAPIKey) GetKey() string { @@ -8089,7 +8149,7 @@ type SecretData_HashiCorpCloudPlatformCredentials struct { func (x *SecretData_HashiCorpCloudPlatformCredentials) Reset() { *x = SecretData_HashiCorpCloudPlatformCredentials{} - mi := &file_proto_scan_result_proto_msgTypes[99] + mi := &file_proto_scan_result_proto_msgTypes[100] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -8101,7 +8161,7 @@ func (x *SecretData_HashiCorpCloudPlatformCredentials) String() string { func (*SecretData_HashiCorpCloudPlatformCredentials) ProtoMessage() {} func (x *SecretData_HashiCorpCloudPlatformCredentials) ProtoReflect() protoreflect.Message { - mi := &file_proto_scan_result_proto_msgTypes[99] + mi := &file_proto_scan_result_proto_msgTypes[100] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { 
@@ -8114,7 +8174,7 @@ func (x *SecretData_HashiCorpCloudPlatformCredentials) ProtoReflect() protorefle // Deprecated: Use SecretData_HashiCorpCloudPlatformCredentials.ProtoReflect.Descriptor instead. func (*SecretData_HashiCorpCloudPlatformCredentials) Descriptor() ([]byte, []int) { - return file_proto_scan_result_proto_rawDescGZIP(), []int{55, 31} + return file_proto_scan_result_proto_rawDescGZIP(), []int{55, 32} } func (x *SecretData_HashiCorpCloudPlatformCredentials) GetClientId() string { @@ -8149,7 +8209,7 @@ type SecretData_HashiCorpCloudPlatformToken struct { func (x *SecretData_HashiCorpCloudPlatformToken) Reset() { *x = SecretData_HashiCorpCloudPlatformToken{} - mi := &file_proto_scan_result_proto_msgTypes[100] + mi := &file_proto_scan_result_proto_msgTypes[101] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -8161,7 +8221,7 @@ func (x *SecretData_HashiCorpCloudPlatformToken) String() string { func (*SecretData_HashiCorpCloudPlatformToken) ProtoMessage() {} func (x *SecretData_HashiCorpCloudPlatformToken) ProtoReflect() protoreflect.Message { - mi := &file_proto_scan_result_proto_msgTypes[100] + mi := &file_proto_scan_result_proto_msgTypes[101] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -8174,7 +8234,7 @@ func (x *SecretData_HashiCorpCloudPlatformToken) ProtoReflect() protoreflect.Mes // Deprecated: Use SecretData_HashiCorpCloudPlatformToken.ProtoReflect.Descriptor instead. func (*SecretData_HashiCorpCloudPlatformToken) Descriptor() ([]byte, []int) { - return file_proto_scan_result_proto_rawDescGZIP(), []int{55, 32} + return file_proto_scan_result_proto_rawDescGZIP(), []int{55, 33} } func (x *SecretData_HashiCorpCloudPlatformToken) GetToken() string { 
@@ -8249,7 +8309,7 @@ type SecretData_StripeSecretKey struct { func (x *SecretData_StripeSecretKey) Reset() { *x = SecretData_StripeSecretKey{} - mi := &file_proto_scan_result_proto_msgTypes[101] + mi := &file_proto_scan_result_proto_msgTypes[102] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -8261,7 +8321,7 @@ func (x *SecretData_StripeSecretKey) String() string { func (*SecretData_StripeSecretKey) ProtoMessage() {} func (x *SecretData_StripeSecretKey) ProtoReflect() protoreflect.Message { - mi := &file_proto_scan_result_proto_msgTypes[101] + mi := &file_proto_scan_result_proto_msgTypes[102] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -8274,7 +8334,7 @@ func (x *SecretData_StripeSecretKey) ProtoReflect() protoreflect.Message { // Deprecated: Use SecretData_StripeSecretKey.ProtoReflect.Descriptor instead. func (*SecretData_StripeSecretKey) Descriptor() ([]byte, []int) { - return file_proto_scan_result_proto_rawDescGZIP(), []int{55, 33} + return file_proto_scan_result_proto_rawDescGZIP(), []int{55, 34} } func (x *SecretData_StripeSecretKey) GetKey() string { @@ -8293,7 +8353,7 @@ type SecretData_StripeRestrictedKey struct { func (x *SecretData_StripeRestrictedKey) Reset() { *x = SecretData_StripeRestrictedKey{} - mi := &file_proto_scan_result_proto_msgTypes[102] + mi := &file_proto_scan_result_proto_msgTypes[103] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -8305,7 +8365,7 @@ func (x *SecretData_StripeRestrictedKey) String() string { func (*SecretData_StripeRestrictedKey) ProtoMessage() {} func (x *SecretData_StripeRestrictedKey) ProtoReflect() protoreflect.Message { - mi := &file_proto_scan_result_proto_msgTypes[102] + mi := &file_proto_scan_result_proto_msgTypes[103] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { 
@@ -8318,7 +8378,7 @@ func (x *SecretData_StripeRestrictedKey) ProtoReflect() protoreflect.Message { // Deprecated: Use SecretData_StripeRestrictedKey.ProtoReflect.Descriptor instead. func (*SecretData_StripeRestrictedKey) Descriptor() ([]byte, []int) { - return file_proto_scan_result_proto_rawDescGZIP(), []int{55, 34} + return file_proto_scan_result_proto_rawDescGZIP(), []int{55, 35} } func (x *SecretData_StripeRestrictedKey) GetKey() string { @@ -8337,7 +8397,7 @@ type SecretData_StripeWebhookSecret struct { func (x *SecretData_StripeWebhookSecret) Reset() { *x = SecretData_StripeWebhookSecret{} - mi := &file_proto_scan_result_proto_msgTypes[103] + mi := &file_proto_scan_result_proto_msgTypes[104] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -8349,7 +8409,7 @@ func (x *SecretData_StripeWebhookSecret) String() string { func (*SecretData_StripeWebhookSecret) ProtoMessage() {} func (x *SecretData_StripeWebhookSecret) ProtoReflect() protoreflect.Message { - mi := &file_proto_scan_result_proto_msgTypes[103] + mi := &file_proto_scan_result_proto_msgTypes[104] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -8362,7 +8422,7 @@ func (x *SecretData_StripeWebhookSecret) ProtoReflect() protoreflect.Message { // Deprecated: Use SecretData_StripeWebhookSecret.ProtoReflect.Descriptor instead. func (*SecretData_StripeWebhookSecret) Descriptor() ([]byte, []int) { - return file_proto_scan_result_proto_rawDescGZIP(), []int{55, 35} + return file_proto_scan_result_proto_rawDescGZIP(), []int{55, 36} } func (x *SecretData_StripeWebhookSecret) GetKey() string { 
@@ -8386,7 +8446,7 @@ type SecretData_GCPOAuth2ClientCredentials struct { func (x *SecretData_GCPOAuth2ClientCredentials) Reset() { *x = SecretData_GCPOAuth2ClientCredentials{} - mi := &file_proto_scan_result_proto_msgTypes[104] + mi := &file_proto_scan_result_proto_msgTypes[105] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -8398,7 +8458,7 @@ func (x *SecretData_GCPOAuth2ClientCredentials) String() string { func (*SecretData_GCPOAuth2ClientCredentials) ProtoMessage() {} func (x *SecretData_GCPOAuth2ClientCredentials) ProtoReflect() protoreflect.Message { - mi := &file_proto_scan_result_proto_msgTypes[104] + mi := &file_proto_scan_result_proto_msgTypes[105] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -8411,7 +8471,7 @@ func (x *SecretData_GCPOAuth2ClientCredentials) ProtoReflect() protoreflect.Mess // Deprecated: Use SecretData_GCPOAuth2ClientCredentials.ProtoReflect.Descriptor instead. func (*SecretData_GCPOAuth2ClientCredentials) Descriptor() ([]byte, []int) { - return file_proto_scan_result_proto_rawDescGZIP(), []int{55, 36} + return file_proto_scan_result_proto_rawDescGZIP(), []int{55, 37} } func (x *SecretData_GCPOAuth2ClientCredentials) GetId() string { @@ -8439,7 +8499,7 @@ type SecretData_GCPOAuth2AccessToken struct { func (x *SecretData_GCPOAuth2AccessToken) Reset() { *x = SecretData_GCPOAuth2AccessToken{} - mi := &file_proto_scan_result_proto_msgTypes[105] + mi := &file_proto_scan_result_proto_msgTypes[106] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } 
@@ -8451,7 +8511,7 @@ func (x *SecretData_GCPOAuth2AccessToken) String() string { func (*SecretData_GCPOAuth2AccessToken) ProtoMessage() {} func (x *SecretData_GCPOAuth2AccessToken) ProtoReflect() protoreflect.Message { - mi := &file_proto_scan_result_proto_msgTypes[105] + mi := &file_proto_scan_result_proto_msgTypes[106] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -8464,7 +8524,7 @@ func (x *SecretData_GCPOAuth2AccessToken) ProtoReflect() protoreflect.Message { // Deprecated: Use SecretData_GCPOAuth2AccessToken.ProtoReflect.Descriptor instead. func (*SecretData_GCPOAuth2AccessToken) Descriptor() ([]byte, []int) { - return file_proto_scan_result_proto_rawDescGZIP(), []int{55, 37} + return file_proto_scan_result_proto_rawDescGZIP(), []int{55, 38} } func (x *SecretData_GCPOAuth2AccessToken) GetToken() string { @@ -8498,7 +8558,7 @@ type SecretData_OnePasswordConnectToken struct { func (x *SecretData_OnePasswordConnectToken) Reset() { *x = SecretData_OnePasswordConnectToken{} - mi := &file_proto_scan_result_proto_msgTypes[106] + mi := &file_proto_scan_result_proto_msgTypes[107] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -8510,7 +8570,7 @@ func (x *SecretData_OnePasswordConnectToken) String() string { func (*SecretData_OnePasswordConnectToken) ProtoMessage() {} func (x *SecretData_OnePasswordConnectToken) ProtoReflect() protoreflect.Message { - mi := &file_proto_scan_result_proto_msgTypes[106] + mi := &file_proto_scan_result_proto_msgTypes[107] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { 
@@ -8523,7 +8583,7 @@ func (x *SecretData_OnePasswordConnectToken) ProtoReflect() protoreflect.Message // Deprecated: Use SecretData_OnePasswordConnectToken.ProtoReflect.Descriptor instead. func (*SecretData_OnePasswordConnectToken) Descriptor() ([]byte, []int) { - return file_proto_scan_result_proto_rawDescGZIP(), []int{55, 38} + return file_proto_scan_result_proto_rawDescGZIP(), []int{55, 39} } func (x *SecretData_OnePasswordConnectToken) GetDeviceUuid() string { @@ -8591,7 +8651,7 @@ type SecretData_OnePasswordSecretKey struct { func (x *SecretData_OnePasswordSecretKey) Reset() { *x = SecretData_OnePasswordSecretKey{} - mi := &file_proto_scan_result_proto_msgTypes[107] + mi := &file_proto_scan_result_proto_msgTypes[108] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -8603,7 +8663,7 @@ func (x *SecretData_OnePasswordSecretKey) String() string { func (*SecretData_OnePasswordSecretKey) ProtoMessage() {} func (x *SecretData_OnePasswordSecretKey) ProtoReflect() protoreflect.Message { - mi := &file_proto_scan_result_proto_msgTypes[107] + mi := &file_proto_scan_result_proto_msgTypes[108] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -8616,7 +8676,7 @@ func (x *SecretData_OnePasswordSecretKey) ProtoReflect() protoreflect.Message { // Deprecated: Use SecretData_OnePasswordSecretKey.ProtoReflect.Descriptor instead. func (*SecretData_OnePasswordSecretKey) Descriptor() ([]byte, []int) { - return file_proto_scan_result_proto_rawDescGZIP(), []int{55, 39} + return file_proto_scan_result_proto_rawDescGZIP(), []int{55, 40} } func (x *SecretData_OnePasswordSecretKey) GetKey() string { 
@@ -8635,7 +8695,7 @@ type SecretData_OnePasswordServiceToken struct { func (x *SecretData_OnePasswordServiceToken) Reset() { *x = SecretData_OnePasswordServiceToken{} - mi := &file_proto_scan_result_proto_msgTypes[108] + mi := &file_proto_scan_result_proto_msgTypes[109] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -8647,7 +8707,7 @@ func (x *SecretData_OnePasswordServiceToken) String() string { func (*SecretData_OnePasswordServiceToken) ProtoMessage() {} func (x *SecretData_OnePasswordServiceToken) ProtoReflect() protoreflect.Message { - mi := &file_proto_scan_result_proto_msgTypes[108] + mi := &file_proto_scan_result_proto_msgTypes[109] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -8660,7 +8720,7 @@ func (x *SecretData_OnePasswordServiceToken) ProtoReflect() protoreflect.Message // Deprecated: Use SecretData_OnePasswordServiceToken.ProtoReflect.Descriptor instead. func (*SecretData_OnePasswordServiceToken) Descriptor() ([]byte, []int) { - return file_proto_scan_result_proto_rawDescGZIP(), []int{55, 40} + return file_proto_scan_result_proto_rawDescGZIP(), []int{55, 41} } func (x *SecretData_OnePasswordServiceToken) GetKey() string { @@ -8679,7 +8739,7 @@ type SecretData_OnePasswordRecoveryCode struct { func (x *SecretData_OnePasswordRecoveryCode) Reset() { *x = SecretData_OnePasswordRecoveryCode{} - mi := &file_proto_scan_result_proto_msgTypes[109] + mi := &file_proto_scan_result_proto_msgTypes[110] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } 
@@ -8691,7 +8751,7 @@ func (x *SecretData_OnePasswordRecoveryCode) String() string { func (*SecretData_OnePasswordRecoveryCode) ProtoMessage() {} func (x *SecretData_OnePasswordRecoveryCode) ProtoReflect() protoreflect.Message { - mi := &file_proto_scan_result_proto_msgTypes[109] + mi := &file_proto_scan_result_proto_msgTypes[110] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -8704,7 +8764,7 @@ func (x *SecretData_OnePasswordRecoveryCode) ProtoReflect() protoreflect.Message // Deprecated: Use SecretData_OnePasswordRecoveryCode.ProtoReflect.Descriptor instead. func (*SecretData_OnePasswordRecoveryCode) Descriptor() ([]byte, []int) { - return file_proto_scan_result_proto_rawDescGZIP(), []int{55, 41} + return file_proto_scan_result_proto_rawDescGZIP(), []int{55, 42} } func (x *SecretData_OnePasswordRecoveryCode) GetKey() string { @@ -9131,7 +9191,7 @@ const file_proto_scan_result_proto_rawDesc = "" + "\x06Secret\x12+\n" + "\x06secret\x18\x01 \x01(\v2\x13.scalibr.SecretDataR\x06secret\x12-\n" + "\x06status\x18\x02 \x01(\v2\x15.scalibr.SecretStatusR\x06status\x12/\n" + - "\tlocations\x18\x03 \x03(\v2\x11.scalibr.LocationR\tlocations\"\xb78\n" + + "\tlocations\x18\x03 \x03(\v2\x11.scalibr.LocationR\tlocations\"\xb79\n" + "\n" + "SecretData\x124\n" + "\x06gcpsak\x18\x01 \x01(\v2\x1a.scalibr.SecretData.GCPSAKH\x00R\x06gcpsak\x12m\n" + 
@@ -9183,7 +9243,8 @@ const file_proto_scan_result_proto_rawDesc = "" + "\x19onepassword_service_token\x18( \x01(\v2+.scalibr.SecretData.OnePasswordServiceTokenH\x00R\x17onepasswordServiceToken\x12i\n" + "\x19onepassword_recovery_code\x18) \x01(\v2+.scalibr.SecretData.OnePasswordRecoveryCodeH\x00R\x17onepasswordRecoveryCode\x12i\n" + "\x19onepassword_connect_token\x18* \x01(\v2+.scalibr.SecretData.OnePasswordConnectTokenH\x00R\x17onepasswordConnectToken\x124\n" + - "\x06pgpass\x18+ \x01(\v2\x1a.scalibr.SecretData.PgpassH\x00R\x06pgpass\x1a\xb0\x03\n" + + "\x06pgpass\x18+ \x01(\v2\x1a.scalibr.SecretData.PgpassH\x00R\x06pgpass\x12T\n" + + "\x12npmjs_access_token\x18, \x01(\v2$.scalibr.SecretData.NpmJSAccessTokenH\x00R\x10npmjsAccessToken\x1a\xb0\x03\n" + "\x06GCPSAK\x12$\n" + "\x0eprivate_key_id\x18\x01 \x01(\tR\fprivateKeyId\x12!\n" + "\fclient_email\x18\x02 \x01(\tR\vclientEmail\x12\x1c\n" + @@ -9244,7 +9305,9 @@ const file_proto_scan_result_proto_rawDesc = "" + "\x1cPostmanCollectionAccessToken\x12\x10\n" + "\x03key\x18\x01 \x01(\tR\x03key\x1a(\n" + "\x14DigitalOceanAPIToken\x12\x10\n" + - "\x03key\x18\x01 \x01(\tR\x03key\x1a-\n" + + "\x03key\x18\x01 \x01(\tR\x03key\x1a(\n" + + "\x10NpmJSAccessToken\x12\x14\n" + + "\x05Token\x18\x01 \x01(\tR\x05Token\x1a-\n" + "\x15GithubAppRefreshToken\x12\x14\n" + "\x05token\x18\x01 \x01(\tR\x05token\x1a4\n" + "\x1cGithubAppServerToServerToken\x12\x14\n" + @@ -9396,7 +9459,7 @@ func file_proto_scan_result_proto_rawDescGZIP() []byte { } var file_proto_scan_result_proto_enumTypes = make([]protoimpl.EnumInfo, 5) -var file_proto_scan_result_proto_msgTypes = make([]protoimpl.MessageInfo, 111) +var file_proto_scan_result_proto_msgTypes = make([]protoimpl.MessageInfo, 112) var file_proto_scan_result_proto_goTypes = []any{ (VexJustification)(0), // 0: scalibr.VexJustification (SeverityEnum)(0), // 1: scalibr.SeverityEnum 
@@ -9491,34 +9554,35 @@ var file_proto_scan_result_proto_goTypes = []any{ (*SecretData_PostmanAPIKey)(nil), // 90: scalibr.SecretData.PostmanAPIKey (*SecretData_PostmanCollectionAccessToken)(nil), // 91: scalibr.SecretData.PostmanCollectionAccessToken (*SecretData_DigitalOceanAPIToken)(nil), // 92: scalibr.SecretData.DigitalOceanAPIToken - (*SecretData_GithubAppRefreshToken)(nil), // 93: scalibr.SecretData.GithubAppRefreshToken - (*SecretData_GithubAppServerToServerToken)(nil), // 94: scalibr.SecretData.GithubAppServerToServerToken - (*SecretData_GithubClassicPersonalAccessToken)(nil), // 95: scalibr.SecretData.GithubClassicPersonalAccessToken - (*SecretData_GithubFineGrainedPersonalAccessToken)(nil), // 96: scalibr.SecretData.GithubFineGrainedPersonalAccessToken - (*SecretData_GithubOAuthToken)(nil), // 97: scalibr.SecretData.GithubOAuthToken - (*SecretData_GithubAppUserToServerToken)(nil), // 98: scalibr.SecretData.GithubAppUserToServerToken - (*SecretData_TinkKeyset)(nil), // 99: scalibr.SecretData.TinkKeyset - (*SecretData_HashiCorpVaultToken)(nil), // 100: scalibr.SecretData.HashiCorpVaultToken - (*SecretData_HashiCorpVaultAppRoleCredentials)(nil), // 101: scalibr.SecretData.HashiCorpVaultAppRoleCredentials - (*SecretData_GCPAPIKey)(nil), // 102: scalibr.SecretData.GCPAPIKey - (*SecretData_HuggingfaceAPIKey)(nil), // 103: scalibr.SecretData.HuggingfaceAPIKey - (*SecretData_HashiCorpCloudPlatformCredentials)(nil), // 104: scalibr.SecretData.HashiCorpCloudPlatformCredentials - (*SecretData_HashiCorpCloudPlatformToken)(nil), // 105: scalibr.SecretData.HashiCorpCloudPlatformToken - (*SecretData_StripeSecretKey)(nil), // 106: scalibr.SecretData.StripeSecretKey - (*SecretData_StripeRestrictedKey)(nil), // 107: scalibr.SecretData.StripeRestrictedKey - (*SecretData_StripeWebhookSecret)(nil), // 108: scalibr.SecretData.StripeWebhookSecret - (*SecretData_GCPOAuth2ClientCredentials)(nil), // 109: scalibr.SecretData.GCPOAuth2ClientCredentials - 
(*SecretData_GCPOAuth2AccessToken)(nil), // 110: scalibr.SecretData.GCPOAuth2AccessToken - (*SecretData_OnePasswordConnectToken)(nil), // 111: scalibr.SecretData.OnePasswordConnectToken - (*SecretData_OnePasswordSecretKey)(nil), // 112: scalibr.SecretData.OnePasswordSecretKey - (*SecretData_OnePasswordServiceToken)(nil), // 113: scalibr.SecretData.OnePasswordServiceToken - (*SecretData_OnePasswordRecoveryCode)(nil), // 114: scalibr.SecretData.OnePasswordRecoveryCode - nil, // 115: scalibr.ContainerImageMetadata.OsInfoEntry - (*timestamppb.Timestamp)(nil), // 116: google.protobuf.Timestamp + (*SecretData_NpmJSAccessToken)(nil), // 93: scalibr.SecretData.NpmJSAccessToken + (*SecretData_GithubAppRefreshToken)(nil), // 94: scalibr.SecretData.GithubAppRefreshToken + (*SecretData_GithubAppServerToServerToken)(nil), // 95: scalibr.SecretData.GithubAppServerToServerToken + (*SecretData_GithubClassicPersonalAccessToken)(nil), // 96: scalibr.SecretData.GithubClassicPersonalAccessToken + (*SecretData_GithubFineGrainedPersonalAccessToken)(nil), // 97: scalibr.SecretData.GithubFineGrainedPersonalAccessToken + (*SecretData_GithubOAuthToken)(nil), // 98: scalibr.SecretData.GithubOAuthToken + (*SecretData_GithubAppUserToServerToken)(nil), // 99: scalibr.SecretData.GithubAppUserToServerToken + (*SecretData_TinkKeyset)(nil), // 100: scalibr.SecretData.TinkKeyset + (*SecretData_HashiCorpVaultToken)(nil), // 101: scalibr.SecretData.HashiCorpVaultToken + (*SecretData_HashiCorpVaultAppRoleCredentials)(nil), // 102: scalibr.SecretData.HashiCorpVaultAppRoleCredentials + (*SecretData_GCPAPIKey)(nil), // 103: scalibr.SecretData.GCPAPIKey + (*SecretData_HuggingfaceAPIKey)(nil), // 104: scalibr.SecretData.HuggingfaceAPIKey + (*SecretData_HashiCorpCloudPlatformCredentials)(nil), // 105: scalibr.SecretData.HashiCorpCloudPlatformCredentials + (*SecretData_HashiCorpCloudPlatformToken)(nil), // 106: scalibr.SecretData.HashiCorpCloudPlatformToken + (*SecretData_StripeSecretKey)(nil), // 107: 
scalibr.SecretData.StripeSecretKey + (*SecretData_StripeRestrictedKey)(nil), // 108: scalibr.SecretData.StripeRestrictedKey + (*SecretData_StripeWebhookSecret)(nil), // 109: scalibr.SecretData.StripeWebhookSecret + (*SecretData_GCPOAuth2ClientCredentials)(nil), // 110: scalibr.SecretData.GCPOAuth2ClientCredentials + (*SecretData_GCPOAuth2AccessToken)(nil), // 111: scalibr.SecretData.GCPOAuth2AccessToken + (*SecretData_OnePasswordConnectToken)(nil), // 112: scalibr.SecretData.OnePasswordConnectToken + (*SecretData_OnePasswordSecretKey)(nil), // 113: scalibr.SecretData.OnePasswordSecretKey + (*SecretData_OnePasswordServiceToken)(nil), // 114: scalibr.SecretData.OnePasswordServiceToken + (*SecretData_OnePasswordRecoveryCode)(nil), // 115: scalibr.SecretData.OnePasswordRecoveryCode + nil, // 116: scalibr.ContainerImageMetadata.OsInfoEntry + (*timestamppb.Timestamp)(nil), // 117: google.protobuf.Timestamp } var file_proto_scan_result_proto_depIdxs = []int32{ - 116, // 0: scalibr.ScanResult.start_time:type_name -> google.protobuf.Timestamp - 116, // 1: scalibr.ScanResult.end_time:type_name -> google.protobuf.Timestamp + 117, // 0: scalibr.ScanResult.start_time:type_name -> google.protobuf.Timestamp + 117, // 1: scalibr.ScanResult.end_time:type_name -> google.protobuf.Timestamp 7, // 2: scalibr.ScanResult.status:type_name -> scalibr.ScanStatus 8, // 3: scalibr.ScanResult.plugin_status:type_name -> scalibr.PluginStatus 9, // 4: scalibr.ScanResult.inventories_deprecated:type_name -> scalibr.Package 
@@ -9583,8 +9647,8 @@ var file_proto_scan_result_proto_depIdxs = []int32{ 15, // 63: scalibr.SPDXPackageMetadata.purl:type_name -> scalibr.Purl 15, // 64: scalibr.CDXPackageMetadata.purl:type_name -> scalibr.Purl 72, // 65: scalibr.PodmanMetadata.exposed_ports:type_name -> scalibr.PodmanMetadata.ExposedPortsEntry - 116, // 66: scalibr.PodmanMetadata.started_time:type_name -> google.protobuf.Timestamp - 116, // 67: scalibr.PodmanMetadata.finished_time:type_name -> google.protobuf.Timestamp + 117, // 66: scalibr.PodmanMetadata.started_time:type_name -> google.protobuf.Timestamp + 117, // 67: scalibr.PodmanMetadata.finished_time:type_name -> google.protobuf.Timestamp 57, // 68: scalibr.DockerContainersMetadata.ports:type_name -> scalibr.DockerPort 60, // 69: scalibr.Secret.secret:type_name -> scalibr.SecretData 61, // 70: scalibr.Secret.status:type_name -> scalibr.SecretStatus 
@@ -9603,51 +9667,52 @@ var file_proto_scan_result_proto_depIdxs = []int32{ 91, // 83: scalibr.SecretData.postman_collection_access_token:type_name -> scalibr.SecretData.PostmanCollectionAccessToken 81, // 84: scalibr.SecretData.azure_access_token:type_name -> scalibr.SecretData.AzureAccessToken 83, // 85: scalibr.SecretData.azure_identity_token:type_name -> scalibr.SecretData.AzureIdentityToken - 99, // 86: scalibr.SecretData.tink_keyset:type_name -> scalibr.SecretData.TinkKeyset + 100, // 86: scalibr.SecretData.tink_keyset:type_name -> scalibr.SecretData.TinkKeyset 86, // 87: scalibr.SecretData.gitlab_pat:type_name -> scalibr.SecretData.GitlabPat - 100, // 88: scalibr.SecretData.hashicorp_vault_token:type_name -> scalibr.SecretData.HashiCorpVaultToken - 101, // 89: scalibr.SecretData.hashicorp_vault_app_role_credentials:type_name -> scalibr.SecretData.HashiCorpVaultAppRoleCredentials - 102, // 90: scalibr.SecretData.gcp_api_key:type_name -> scalibr.SecretData.GCPAPIKey - 103, // 91: scalibr.SecretData.hugginface:type_name -> scalibr.SecretData.HuggingfaceAPIKey - 93, // 92: scalibr.SecretData.github_app_refresh_token:type_name -> scalibr.SecretData.GithubAppRefreshToken - 106, // 93: scalibr.SecretData.stripe_secret_key:type_name -> scalibr.SecretData.StripeSecretKey - 107, // 94: scalibr.SecretData.stripe_restricted_key:type_name -> scalibr.SecretData.StripeRestrictedKey - 108, // 95: scalibr.SecretData.stripe_webhook_secret:type_name -> scalibr.SecretData.StripeWebhookSecret - 109, // 96: scalibr.SecretData.gcp_oauth2_client_credentials:type_name -> scalibr.SecretData.GCPOAuth2ClientCredentials - 110, // 97: scalibr.SecretData.gcp_oauth2_access_token:type_name -> scalibr.SecretData.GCPOAuth2AccessToken - 94, // 98: scalibr.SecretData.github_app_server_to_server_token:type_name -> scalibr.SecretData.GithubAppServerToServerToken - 95, // 99: scalibr.SecretData.github_classic_personal_access_token:type_name -> scalibr.SecretData.GithubClassicPersonalAccessToken - 
96, // 100: scalibr.SecretData.github_fine_grained_personal_access_token:type_name -> scalibr.SecretData.GithubFineGrainedPersonalAccessToken - 98, // 101: scalibr.SecretData.github_app_user_to_server_token:type_name -> scalibr.SecretData.GithubAppUserToServerToken - 97, // 102: scalibr.SecretData.github_oauth_token:type_name -> scalibr.SecretData.GithubOAuthToken + 101, // 88: scalibr.SecretData.hashicorp_vault_token:type_name -> scalibr.SecretData.HashiCorpVaultToken + 102, // 89: scalibr.SecretData.hashicorp_vault_app_role_credentials:type_name -> scalibr.SecretData.HashiCorpVaultAppRoleCredentials + 103, // 90: scalibr.SecretData.gcp_api_key:type_name -> scalibr.SecretData.GCPAPIKey + 104, // 91: scalibr.SecretData.hugginface:type_name -> scalibr.SecretData.HuggingfaceAPIKey + 94, // 92: scalibr.SecretData.github_app_refresh_token:type_name -> scalibr.SecretData.GithubAppRefreshToken + 107, // 93: scalibr.SecretData.stripe_secret_key:type_name -> scalibr.SecretData.StripeSecretKey + 108, // 94: scalibr.SecretData.stripe_restricted_key:type_name -> scalibr.SecretData.StripeRestrictedKey + 109, // 95: scalibr.SecretData.stripe_webhook_secret:type_name -> scalibr.SecretData.StripeWebhookSecret + 110, // 96: scalibr.SecretData.gcp_oauth2_client_credentials:type_name -> scalibr.SecretData.GCPOAuth2ClientCredentials + 111, // 97: scalibr.SecretData.gcp_oauth2_access_token:type_name -> scalibr.SecretData.GCPOAuth2AccessToken + 95, // 98: scalibr.SecretData.github_app_server_to_server_token:type_name -> scalibr.SecretData.GithubAppServerToServerToken + 96, // 99: scalibr.SecretData.github_classic_personal_access_token:type_name -> scalibr.SecretData.GithubClassicPersonalAccessToken + 97, // 100: scalibr.SecretData.github_fine_grained_personal_access_token:type_name -> scalibr.SecretData.GithubFineGrainedPersonalAccessToken + 99, // 101: scalibr.SecretData.github_app_user_to_server_token:type_name -> scalibr.SecretData.GithubAppUserToServerToken + 98, // 102: 
scalibr.SecretData.github_oauth_token:type_name -> scalibr.SecretData.GithubOAuthToken 89, // 103: scalibr.SecretData.slack_app_config_refresh_token:type_name -> scalibr.SecretData.SlackAppConfigRefreshToken 87, // 104: scalibr.SecretData.slack_app_level_token:type_name -> scalibr.SecretData.SlackAppLevelToken 88, // 105: scalibr.SecretData.slack_app_config_access_token:type_name -> scalibr.SecretData.SlackAppConfigAccessToken 79, // 106: scalibr.SecretData.azure_storage_account_access_key:type_name -> scalibr.SecretData.AzureStorageAccountAccessKey - 104, // 107: scalibr.SecretData.hashicorp_cloud_platform_credentials:type_name -> scalibr.SecretData.HashiCorpCloudPlatformCredentials - 105, // 108: scalibr.SecretData.hashicorp_cloud_platform_token:type_name -> scalibr.SecretData.HashiCorpCloudPlatformToken - 112, // 109: scalibr.SecretData.onepassword_secret_key:type_name -> scalibr.SecretData.OnePasswordSecretKey - 113, // 110: scalibr.SecretData.onepassword_service_token:type_name -> scalibr.SecretData.OnePasswordServiceToken - 114, // 111: scalibr.SecretData.onepassword_recovery_code:type_name -> scalibr.SecretData.OnePasswordRecoveryCode - 111, // 112: scalibr.SecretData.onepassword_connect_token:type_name -> scalibr.SecretData.OnePasswordConnectToken + 105, // 107: scalibr.SecretData.hashicorp_cloud_platform_credentials:type_name -> scalibr.SecretData.HashiCorpCloudPlatformCredentials + 106, // 108: scalibr.SecretData.hashicorp_cloud_platform_token:type_name -> scalibr.SecretData.HashiCorpCloudPlatformToken + 113, // 109: scalibr.SecretData.onepassword_secret_key:type_name -> scalibr.SecretData.OnePasswordSecretKey + 114, // 110: scalibr.SecretData.onepassword_service_token:type_name -> scalibr.SecretData.OnePasswordServiceToken + 115, // 111: scalibr.SecretData.onepassword_recovery_code:type_name -> scalibr.SecretData.OnePasswordRecoveryCode + 112, // 112: scalibr.SecretData.onepassword_connect_token:type_name -> scalibr.SecretData.OnePasswordConnectToken 82, 
// 113: scalibr.SecretData.pgpass:type_name -> scalibr.SecretData.Pgpass - 4, // 114: scalibr.SecretStatus.status:type_name -> scalibr.SecretStatus.SecretStatusEnum - 116, // 115: scalibr.SecretStatus.last_updated:type_name -> google.protobuf.Timestamp - 63, // 116: scalibr.Location.filepath:type_name -> scalibr.Filepath - 64, // 117: scalibr.Location.filepath_with_layer_details:type_name -> scalibr.FilepathWithLayerDetails - 65, // 118: scalibr.Location.environment_variable:type_name -> scalibr.EnvironmentVariable - 66, // 119: scalibr.Location.container_command:type_name -> scalibr.ContainerCommand - 11, // 120: scalibr.FilepathWithLayerDetails.layer_details:type_name -> scalibr.LayerDetails - 70, // 121: scalibr.ContainerImageMetadata.layer_metadata:type_name -> scalibr.LayerMetadata - 68, // 122: scalibr.ContainerImageMetadata.base_image_chains:type_name -> scalibr.BaseImageChain - 115, // 123: scalibr.ContainerImageMetadata.os_info:type_name -> scalibr.ContainerImageMetadata.OsInfoEntry - 69, // 124: scalibr.BaseImageChain.base_images:type_name -> scalibr.BaseImageDetails - 52, // 125: scalibr.PodmanMetadata.ExposedPortsEntry.value:type_name -> scalibr.Protocol - 126, // [126:126] is the sub-list for method output_type - 126, // [126:126] is the sub-list for method input_type - 126, // [126:126] is the sub-list for extension type_name - 126, // [126:126] is the sub-list for extension extendee - 0, // [0:126] is the sub-list for field type_name + 93, // 114: scalibr.SecretData.npmjs_access_token:type_name -> scalibr.SecretData.NpmJSAccessToken + 4, // 115: scalibr.SecretStatus.status:type_name -> scalibr.SecretStatus.SecretStatusEnum + 117, // 116: scalibr.SecretStatus.last_updated:type_name -> google.protobuf.Timestamp + 63, // 117: scalibr.Location.filepath:type_name -> scalibr.Filepath + 64, // 118: scalibr.Location.filepath_with_layer_details:type_name -> scalibr.FilepathWithLayerDetails + 65, // 119: scalibr.Location.environment_variable:type_name -> 
scalibr.EnvironmentVariable + 66, // 120: scalibr.Location.container_command:type_name -> scalibr.ContainerCommand + 11, // 121: scalibr.FilepathWithLayerDetails.layer_details:type_name -> scalibr.LayerDetails + 70, // 122: scalibr.ContainerImageMetadata.layer_metadata:type_name -> scalibr.LayerMetadata + 68, // 123: scalibr.ContainerImageMetadata.base_image_chains:type_name -> scalibr.BaseImageChain + 116, // 124: scalibr.ContainerImageMetadata.os_info:type_name -> scalibr.ContainerImageMetadata.OsInfoEntry + 69, // 125: scalibr.BaseImageChain.base_images:type_name -> scalibr.BaseImageDetails + 52, // 126: scalibr.PodmanMetadata.ExposedPortsEntry.value:type_name -> scalibr.Protocol + 127, // [127:127] is the sub-list for method output_type + 127, // [127:127] is the sub-list for method input_type + 127, // [127:127] is the sub-list for extension type_name + 127, // [127:127] is the sub-list for extension extendee + 0, // [0:127] is the sub-list for field type_name } func init() { file_proto_scan_result_proto_init() } @@ -9740,6 +9805,7 @@ func file_proto_scan_result_proto_init() { (*SecretData_OnepasswordRecoveryCode)(nil), (*SecretData_OnepasswordConnectToken)(nil), (*SecretData_Pgpass_)(nil), + (*SecretData_NpmjsAccessToken)(nil), } file_proto_scan_result_proto_msgTypes[57].OneofWrappers = []any{ (*Location_Filepath)(nil), @@ -9753,7 +9819,7 @@ func file_proto_scan_result_proto_init() { GoPackagePath: reflect.TypeOf(x{}).PkgPath(), RawDescriptor: unsafe.Slice(unsafe.StringData(file_proto_scan_result_proto_rawDesc), len(file_proto_scan_result_proto_rawDesc)), NumEnums: 5, - NumMessages: 111, + NumMessages: 112, NumExtensions: 0, NumServices: 0, }, diff --git a/binary/proto/secret.go b/binary/proto/secret.go index 241f39a24..416196f01 100644 --- a/binary/proto/secret.go +++ b/binary/proto/secret.go 
@@ -39,6 +39,7 @@ import ( veleshashicorpvault "github.com/google/osv-scalibr/veles/secrets/hashicorpvault" veleshashicorpcloudplatform "github.com/google/osv-scalibr/veles/secrets/hcp" "github.com/google/osv-scalibr/veles/secrets/huggingfaceapikey" + "github.com/google/osv-scalibr/veles/secrets/npmjsaccesstoken" velesonepasswordkeys "github.com/google/osv-scalibr/veles/secrets/onepasswordkeys" velesopenai "github.com/google/osv-scalibr/veles/secrets/openai" velesperplexity "github.com/google/osv-scalibr/veles/secrets/perplexityapikey" @@ -115,6 +116,8 @@ func velesSecretToProto(s veles.Secret) (*spb.SecretData, error) { return dockerHubPATToProto(t), nil case velesdigitalocean.DigitaloceanAPIToken: return digitaloceanAPIKeyToProto(t), nil + case npmjsaccesstoken.NpmJSAccessToken: + return npmJSAccessTokenToProto(t), nil case velesslacktoken.SlackAppConfigAccessToken: return slackAppConfigAccessTokenToProto(t), nil case velesslacktoken.SlackAppConfigRefreshToken: @@ -217,6 +220,16 @@ func digitaloceanAPIKeyToProto(s velesdigitalocean.DigitaloceanAPIToken) *spb.Se } } +func npmJSAccessTokenToProto(s npmjsaccesstoken.NpmJSAccessToken) *spb.SecretData { + return &spb.SecretData{ + Secret: &spb.SecretData_NpmjsAccessToken{ + NpmjsAccessToken: &spb.SecretData_NpmJSAccessToken{ + Token: s.Token, + }, + }, + } +} + func slackAppLevelTokenToProto(s velesslacktoken.SlackAppLevelToken) *spb.SecretData { return &spb.SecretData{ Secret: &spb.SecretData_SlackAppLevelToken_{ 
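Review bot: `Token: s.Token` in npmJSAccessTokenToProto fills a message whose only field is declared with a capitalised name; the descriptor in scan_result.pb.go carries `\x05Token ... R\x05Token`, while sibling messages such as GithubAppRefreshToken use lower-case `token`. The generated Go accessor is `GetToken()` either way, but the JSON and text-format key becomes `Token`, which is inconsistent with the other secret messages and awkward to change once results are serialised. Declaring the field as `string token = 1;` in scan_result.proto and regenerating would leave this converter and npmJSAccessTokenToStruct unchanged.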
@@ -717,6 +730,8 @@ func velesSecretToStruct(s *spb.SecretData) (veles.Secret, error) { return gitlabPATToStruct(s.GetGitlabPat()), nil case *spb.SecretData_Digitalocean: return digitalOceanAPITokenToStruct(s.GetDigitalocean()), nil + case *spb.SecretData_NpmjsAccessToken: + return npmJSAccessTokenToStruct(s.GetNpmjsAccessToken()), nil case *spb.SecretData_SlackAppConfigRefreshToken_: return slackAppConfigRefreshTokenToStruct(s.GetSlackAppConfigRefreshToken()), nil case *spb.SecretData_SlackAppConfigAccessToken_: @@ -834,6 +849,12 @@ func digitalOceanAPITokenToStruct(kPB *spb.SecretData_DigitalOceanAPIToken) vele } } +func npmJSAccessTokenToStruct(kPB *spb.SecretData_NpmJSAccessToken) npmjsaccesstoken.NpmJSAccessToken { + return npmjsaccesstoken.NpmJSAccessToken{ + Token: kPB.GetToken(), + } +} + func slackAppLevelTokenToStruct(kPB *spb.SecretData_SlackAppLevelToken) velesslacktoken.SlackAppLevelToken { return velesslacktoken.SlackAppLevelToken{ Token: kPB.GetToken(), diff --git a/docs/supported_inventory_types.md b/docs/supported_inventory_types.md index c45e5645a..58c9121ed 100644 --- a/docs/supported_inventory_types.md +++ b/docs/supported_inventory_types.md @@ -109,8 +109,8 @@ See the docs on [how to add a new Extractor](/docs/new_extractor.md). ### Secrets -| Type | Extractor Plugin | -|-----------------------------------|--------------------------------------| +| Type | Extractor Plugin | +|---------------------------------------------|--------------------------------------| | Anthropic API key | `secrets/anthropicapikey` | | Azure Token | `secrets/azuretoken` | | DigitalOcean API key | `secrets/digitaloceanapikey` | 
@@ -131,6 +131,7 @@ See the docs on [how to add a new Extractor](/docs/new_extractor.md). | 1Password Secret Key | `secrets/onepasswordsecretkey` | | 1Password Service Token | `secrets/onepasswordservicetoken` | | 1Password Recovery Code | `secrets/onepasswordrecoverycode` | +| npmjs Registry Access Tokens | `secrets/npmjsaccesstoken` | | OpenAI API key | `secrets/openai` | | Perplexity API key | `secrets/perplexityapikey` | | Postgres pgpass file | `secrets/pgpass` | diff --git a/enricher/enricherlist/list.go b/enricher/enricherlist/list.go index 0223006af..a7a54b50a 100644 --- a/enricher/enricherlist/list.go +++ b/enricher/enricherlist/list.go @@ -42,6 +42,7 @@ import ( "github.com/google/osv-scalibr/veles/secrets/hashicorpvault" "github.com/google/osv-scalibr/veles/secrets/hcp" "github.com/google/osv-scalibr/veles/secrets/huggingfaceapikey" + "github.com/google/osv-scalibr/veles/secrets/npmjsaccesstoken" "github.com/google/osv-scalibr/veles/secrets/openai" "github.com/google/osv-scalibr/veles/secrets/perplexityapikey" "github.com/google/osv-scalibr/veles/secrets/postmanapikey" @@ -83,6 +84,7 @@ var ( fromVeles(anthropicapikey.NewWorkspaceValidator(), "secrets/anthropicapikeyworkspacevalidate", 0), fromVeles(anthropicapikey.NewModelValidator(), "secrets/anthropicapikeymodelvalidate", 0), fromVeles(digitaloceanapikey.NewValidator(), "secrets/digitaloceanapikeyvalidate", 0), + fromVeles(npmjsaccesstoken.NewValidator(), "secrets/npmjsaccesstoken", 0), fromVeles(slacktoken.NewAppLevelTokenValidator(), "secrets/slackappleveltokenvalidate", 0), fromVeles(slacktoken.NewAppConfigRefreshTokenValidator(), "secrets/slackconfigrefreshtokenvalidate", 0), fromVeles(slacktoken.NewAppConfigAccessTokenValidator(), "secrets/slackconfigaccesstokenvalidate", 0), diff --git a/extractor/filesystem/list/list.go b/extractor/filesystem/list/list.go index 5387de5ef..74345fdee 100644 --- a/extractor/filesystem/list/list.go +++ b/extractor/filesystem/list/list.go 
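Review bot: The validator added to enricher/enricherlist/list.go is registered as `"secrets/npmjsaccesstoken"`, the same name the detector receives in extractor/filesystem/list/list.go, whereas every neighbouring validator carries a `validate` suffix (`secrets/digitaloceanapikeyvalidate`, `secrets/slackappleveltokenvalidate`). The validator sends each detected token to the npm registry, so operators presumably need to enable or disable it independently of detection; if plugins are selected or reported by name, a shared name blurs that distinction. I would register it as `fromVeles(npmjsaccesstoken.NewValidator(), "secrets/npmjsaccesstokenvalidate", 0),`.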
@@ -110,6 +110,7 @@ import ( "github.com/google/osv-scalibr/veles/secrets/hashicorpvault" "github.com/google/osv-scalibr/veles/secrets/hcp" "github.com/google/osv-scalibr/veles/secrets/huggingfaceapikey" + "github.com/google/osv-scalibr/veles/secrets/npmjsaccesstoken" "github.com/google/osv-scalibr/veles/secrets/onepasswordkeys" "github.com/google/osv-scalibr/veles/secrets/openai" "github.com/google/osv-scalibr/veles/secrets/perplexityapikey" @@ -274,6 +275,7 @@ var ( {azuretoken.NewDetector(), "secrets/azuretoken", 0}, {azurestorageaccountaccesskey.NewDetector(), "secrets/azurestorageaccountaccesskey", 0}, {digitaloceanapikey.NewDetector(), "secrets/digitaloceanapikey", 0}, + {npmjsaccesstoken.NewDetector(), "secrets/npmjsaccesstoken", 0}, {slacktoken.NewAppConfigAccessTokenDetector(), "secrets/slackappconfigaccesstoken", 0}, {slacktoken.NewAppConfigRefreshTokenDetector(), "secrets/slackappconfigrefreshtoken", 0}, {slacktoken.NewAppLevelTokenDetector(), "secrets/slackappleveltoken", 0}, diff --git a/veles/secrets/npmjsaccesstoken/detector.go b/veles/secrets/npmjsaccesstoken/detector.go new file mode 100644 index 000000000..2dbc77125 --- /dev/null +++ b/veles/secrets/npmjsaccesstoken/detector.go 
@@ -0,0 +1,44 @@
+// Copyright 2025 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package npmjsaccesstoken contains a Veles Secret type and a Detector for
+// npm.js Access Tokens (prefix `npm_`).
+package npmjsaccesstoken
+
+import (
+ "regexp"
+
+ "github.com/google/osv-scalibr/veles"
+ "github.com/google/osv-scalibr/veles/secrets/common/simpletoken"
+)
+
+// maxTokenLength is the maximum size of an npm.js access token.
+const maxTokenLength = 40
+
+// tokenRe is a regular expression that matches an npm.js access token.
+// npm.js access tokens have the form: `npm_` followed by 36
+// alphanumeric characters.
+var tokenRe = regexp.MustCompile(`npm_[a-zA-Z0-9]{36}`)
+
+// NewDetector returns a new simpletoken.Detector that matches
+// npm.js access tokens.
+func NewDetector() veles.Detector {
+ return simpletoken.Detector{
+ MaxLen: maxTokenLength,
+ Re: tokenRe,
+ FromMatch: func(b []byte) (veles.Secret, bool) {
+ return NpmJSAccessToken{Token: string(b)}, true
+ },
+ }
+}
diff --git a/veles/secrets/npmjsaccesstoken/detector_test.go b/veles/secrets/npmjsaccesstoken/detector_test.go
new file mode 100644
index 000000000..b0bc7b35f
--- /dev/null
+++ b/veles/secrets/npmjsaccesstoken/detector_test.go
@@ -0,0 +1,142 @@ +// Copyright 2025 Google LLC +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package npmjsaccesstoken_test + +import ( + "fmt" + "strings" + "testing" + + "github.com/google/go-cmp/cmp" + "github.com/google/go-cmp/cmp/cmpopts" + "github.com/google/osv-scalibr/veles" + "github.com/google/osv-scalibr/veles/secrets/npmjsaccesstoken" +) + +const testKey = `npm_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8` + +// TestDetector_truePositives tests for cases where we know the Detector +// will find a npm.js access token/s. 
+func TestDetector_truePositives(t *testing.T) { + engine, err := veles.NewDetectionEngine([]veles.Detector{npmjsaccesstoken.NewDetector()}) + if err != nil { + t.Fatal(err) + } + cases := []struct { + name string + input string + want []veles.Secret + }{{ + name: "simple matching string", + input: testKey, + want: []veles.Secret{ + npmjsaccesstoken.NpmJSAccessToken{Token: testKey}, + }, + }, { + name: "match at end of string", + input: `NPM_TOKEN=` + testKey, + want: []veles.Secret{ + npmjsaccesstoken.NpmJSAccessToken{Token: testKey}, + }, + }, { + name: "match in middle of string", + input: `NPM_TOKEN="` + testKey + `"`, + want: []veles.Secret{ + npmjsaccesstoken.NpmJSAccessToken{Token: testKey}, + }, + }, { + name: "multiple matches", + input: testKey + testKey + testKey, + want: []veles.Secret{ + npmjsaccesstoken.NpmJSAccessToken{Token: testKey}, + npmjsaccesstoken.NpmJSAccessToken{Token: testKey}, + npmjsaccesstoken.NpmJSAccessToken{Token: testKey}, + }, + }, { + name: "multiple distinct matches", + input: testKey + "\n" + testKey[:len(testKey)-1] + "a", + want: []veles.Secret{ + npmjsaccesstoken.NpmJSAccessToken{Token: testKey}, + npmjsaccesstoken.NpmJSAccessToken{Token: testKey[:len(testKey)-1] + "a"}, + }, + }, { + name: "larger input containing key", + input: fmt.Sprintf(` +:test_npm_token: npm-test +:NPM_TOKEN: %s + `, testKey), + want: []veles.Secret{ + npmjsaccesstoken.NpmJSAccessToken{Token: testKey}, + }, + }, { + name: "potential match longer than max key length", + input: testKey + `extra`, + want: []veles.Secret{ + npmjsaccesstoken.NpmJSAccessToken{Token: testKey}, + }, + }} + for _, tc := range cases { + t.Run(tc.name, func(t *testing.T) { + got, err := engine.Detect(t.Context(), strings.NewReader(tc.input)) + if err != nil { + t.Errorf("Detect() error: %v, want nil", err) + } + fmt.Printf("got = %+v\n", got) + if diff := cmp.Diff(tc.want, got, cmpopts.EquateEmpty()); diff != "" { + t.Errorf("Detect() diff (-want +got):\n%s", diff) + } + }) + } +} 
+ +// TestDetector_trueNegatives tests for cases where we know the Detector +// will not find an npm.js access token. +func TestDetector_trueNegatives(t *testing.T) { + engine, err := veles.NewDetectionEngine([]veles.Detector{npmjsaccesstoken.NewDetector()}) + if err != nil { + t.Fatal(err) + } + cases := []struct { + name string + input string + want []veles.Secret + }{{ + name: "empty input", + input: "", + }, { + name: "short key should not match", + input: testKey[:len(testKey)-1], + }, { + name: "invalid character in key should not match", + input: `npm_!@#$%^&*()_+{}[]|:;<>?,./~` + `123456`, + }, { + name: "incorrect prefix should not match", + input: `npp_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6`, + }, { + name: "prefix missing should not match", + input: `a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8`, + }} + for _, tc := range cases { + t.Run(tc.name, func(t *testing.T) { + got, err := engine.Detect(t.Context(), strings.NewReader(tc.input)) + if err != nil { + t.Errorf("Detect() error: %v, want nil", err) + } + if diff := cmp.Diff(tc.want, got, cmpopts.EquateEmpty()); diff != "" { + t.Errorf("Detect() diff (-want +got):\n%s", diff) + } + }) + } +} diff --git a/veles/secrets/npmjsaccesstoken/npmjsaccesstoken.go b/veles/secrets/npmjsaccesstoken/npmjsaccesstoken.go new file mode 100644 index 000000000..18d19f3aa --- /dev/null +++ b/veles/secrets/npmjsaccesstoken/npmjsaccesstoken.go 
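Review bot: `fmt.Printf("got = %+v\n", got)` in TestDetector_truePositives looks like leftover debugging and prints every detected secret to stdout on each run; I would delete it or switch to `t.Logf`. In TestDetector_trueNegatives the "incorrect prefix should not match" input `npp_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6` has only 32 characters after the prefix, so it would be rejected on length alone and does not isolate the prefix check. Using `"npp_" + testKey[4:]` keeps the length at 40 and makes the prefix the only difference.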
@@ -0,0 +1,22 @@
+// Copyright 2025 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package npmjsaccesstoken
+
+// NpmJSAccessToken is a Veles Secret that holds relevant information for a
+// DigitalOcean API key (prefix `dop_v1_`).
+// DigitaloceanAPIToken represents an API key used to authenticate requests
+type NpmJSAccessToken struct {
+ Token string
+}
diff --git a/veles/secrets/npmjsaccesstoken/validator.go b/veles/secrets/npmjsaccesstoken/validator.go
new file mode 100644
index 000000000..f0c889090
--- /dev/null
+++ b/veles/secrets/npmjsaccesstoken/validator.go
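Review bot: The doc comment on NpmJSAccessToken in npmjsaccesstoken.go was carried over from the DigitalOcean secret: it describes a "DigitalOcean API key" with prefix dop_v1_ and its third line documents `DigitaloceanAPIToken`, a type that does not exist in this package. Anyone triaging a finding from the godoc would be pointed at the wrong provider. I would replace the three lines with `// NpmJSAccessToken is a Veles Secret that holds an npm.js access token (prefix npm_).` and add a short `#`-free field comment such as `// Token is the raw token value as found in the scanned input.` above `Token string`.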
@@ -0,0 +1,85 @@
+// Copyright 2025 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package npmjsaccesstoken
+
+import (
+ "context"
+ "fmt"
+ "io"
+ "net/http"
+
+ "github.com/google/osv-scalibr/veles"
+)
+
+// Validator validates npm.js access tokens via the npm registry API endpoint.
+type Validator struct {
+ httpC *http.Client
+}
+
+// ValidatorOption configures a Validator when creating it via NewValidator.
+type ValidatorOption func(*Validator)
+
+// WithClient configures the http.Client that the Validator uses.
+//
+// By default, it uses http.DefaultClient.
+func WithClient(c *http.Client) ValidatorOption {
+ return func(v *Validator) {
+ v.httpC = c
+ }
+}
+
+// NewValidator creates a new Validator with the given ValidatorOptions.
+func NewValidator(opts ...ValidatorOption) *Validator {
+ v := &Validator{
+ httpC: http.DefaultClient,
+ }
+ for _, opt := range opts {
+ opt(v)
+ }
+ return v
+}
+
+// Validate checks whether the given NpmJSAccessToken is valid.
+//
+// It performs a GET request to the npm registry whoami endpoint
+// using the access token in the Authorization header. If the request returns
+// HTTP 200, the token is considered valid.
+// If 401 Unauthorized, the token is invalid. Other errors return ValidationFailed.
+func (v *Validator) Validate(ctx context.Context, key NpmJSAccessToken) (veles.ValidationStatus, error) {
+ req, err := http.NewRequestWithContext(ctx, http.MethodGet,
+ "https://registry.npmjs.org/-/whoami", nil)
+ if err != nil {
+ return veles.ValidationFailed, fmt.Errorf("unable to create HTTP request: %w", err)
+ }
+ req.Header.Set("Authorization", "Bearer "+key.Token)
+
+ res, err := v.httpC.Do(req)
+ if err != nil {
+ return veles.ValidationFailed, fmt.Errorf("HTTP GET failed: %w", err)
+ }
+ defer res.Body.Close()
+ _, err = io.ReadAll(res.Body)
+ if err != nil {
+ return veles.ValidationFailed, fmt.Errorf("failed to read response body: %w", err)
+ }
+ switch res.StatusCode {
+ case http.StatusOK:
+ return veles.ValidationValid, nil
+ case http.StatusUnauthorized:
+ return veles.ValidationInvalid, nil
+ default:
+ return veles.ValidationFailed, nil
+ }
+}
diff --git a/veles/secrets/npmjsaccesstoken/validator_test.go b/veles/secrets/npmjsaccesstoken/validator_test.go
new file mode 100644
index 000000000..35166b516
--- /dev/null
+++ b/veles/secrets/npmjsaccesstoken/validator_test.go
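Review bot: In `Validate`, `io.ReadAll(res.Body)` buffers a response of any size only to discard it, and because it runs before the `switch`, a failed body read turns an already-known 200 or 401 into `ValidationFailed`. Only the status code is used, so the read can be dropped or replaced with a bounded drain such as `_, _ = io.Copy(io.Discard, io.LimitReader(res.Body, 64<<10))` after `defer res.Body.Close()`. Separately, `NewValidator` defaults to `http.DefaultClient`, which has no timeout, so a call is bounded only by whatever deadline the caller put on `ctx`. A dedicated client with a `Timeout` would be a safer default for code that presents a discovered credential to an external registry.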
@@ -0,0 +1,228 @@
+// Copyright 2025 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package npmjsaccesstoken_test
+
+import (
+ "context"
+ "net/http"
+ "net/http/httptest"
+ "net/url"
+ "strings"
+ "testing"
+
+ "github.com/google/osv-scalibr/veles"
+ "github.com/google/osv-scalibr/veles/secrets/npmjsaccesstoken"
+)
+
+const validatorTestKey = "npm_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8"
+
+// mockTransport redirects requests to the test server
+type mockTransport struct {
+ testServer *httptest.Server
+}
+
+func (m *mockTransport) RoundTrip(req *http.Request) (*http.Response, error) {
+ // Replace the original URL with our test server URL
+ if req.URL.Host == "registry.npmjs.org" {
+ testURL, _ := url.Parse(m.testServer.URL)
+ req.URL.Scheme = testURL.Scheme
+ req.URL.Host = testURL.Host
+ }
+ return http.DefaultTransport.RoundTrip(req)
+}
+
+// mockNpmRegistryServer creates a mock npm registry API server for testing
+func mockNpmRegistryServer(t *testing.T, expectedKey string, serverResponseCode int) *httptest.Server {
+ t.Helper()
+
+ return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ // Check if it's a GET request to the expected endpoint
+ if r.Method != http.MethodGet || r.URL.Path != "/-/whoami" {
+ t.Errorf("unexpected request: %s %s, expected: GET /-/whoami", r.Method, r.URL.Path)
+ http.Error(w, "not found", http.StatusNotFound)
+ return
+ }
+
+ // Check Authorization header
+ authHeader := r.Header.Get("Authorization")
+ if !strings.Contains(authHeader, expectedKey) {
+ w.Header().Set("Content-Type", "application/json")
+ w.WriteHeader(http.StatusUnauthorized)
+ return
+ }
+
+ // Set response
+ w.Header().Set("Content-Type", "application/json")
+ w.WriteHeader(serverResponseCode)
+ }))
+}
+
+func TestValidator(t *testing.T) {
+ cases := []struct {
+ name string
+ key string
+ serverExpectedKey string
+ serverResponseCode int
+ want veles.ValidationStatus
+ expectError bool
+ }{
+ {
+ name: "valid_key",
+ key: validatorTestKey,
+ serverExpectedKey: validatorTestKey,
+ serverResponseCode: http.StatusOK,
+ want: veles.ValidationValid,
+ },
+ {
+ name: "invalid_key_unauthorized",
+ key: "random_string",
+ serverExpectedKey: validatorTestKey,
+ serverResponseCode: http.StatusUnauthorized,
+ want: veles.ValidationInvalid,
+ },
+ {
+ name: "server_error",
+ serverResponseCode: http.StatusInternalServerError,
+ want: veles.ValidationFailed,
+ },
+ {
+ name: "bad_gateway",
+ serverResponseCode: http.StatusBadGateway,
+ want: veles.ValidationFailed,
+ },
+ }
+
+ for _, tc := range cases {
+ t.Run(tc.name, func(t *testing.T) {
+ // Create a mock server
+ server := mockNpmRegistryServer(t, tc.serverExpectedKey, tc.serverResponseCode)
+ defer server.Close()
+
+ // Create a client with custom transport
+ client := &http.Client{
+ Transport: &mockTransport{testServer: server},
+ }
+
+ // Create a validator with a mock client
+ validator := npmjsaccesstoken.NewValidator(
+ npmjsaccesstoken.WithClient(client),
+ )
+
+ // Create a test key
+ key := npmjsaccesstoken.NpmJSAccessToken{Token: tc.key}
+
+ // Test validation
+ got, err := validator.Validate(t.Context(), key)
+
+ // Check error expectation
+ if tc.expectError {
+ if err == nil {
+ t.Errorf("Validate() expected error, got nil")
+ }
+ } else {
+ if err != nil {
+ t.Errorf("Validate() unexpected error: %v", err)
+ }
+ }
+
+ // Check validation status
+ if got != tc.want {
+ t.Errorf("Validate() = %v, want %v", got, tc.want)
+ }
+ })
+ }
+}
+
+func TestValidator_ContextCancellation(t *testing.T) {
+ // Create a server that delays response
+ server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ w.WriteHeader(http.StatusOK)
+ }))
+ defer server.Close()
+
+ // Create a client with custom transport
+ client := &http.Client{
+ Transport: &mockTransport{testServer: server},
+ }
+
+ validator := npmjsaccesstoken.NewValidator(
+ npmjsaccesstoken.WithClient(client),
+ )
+
+ key := npmjsaccesstoken.NpmJSAccessToken{Token: validatorTestKey}
+
+ // Create a cancelled context
+ ctx, cancel := context.WithCancel(t.Context())
+ cancel()
+
+ // Test validation with cancelled context
+ got, err := validator.Validate(ctx, key)
+
+ if err == nil {
+ t.Errorf("Validate() expected error due to context cancellation, got nil")
+ }
+ if got != veles.ValidationFailed {
+ t.Errorf("Validate() = %v, want %v", got, veles.ValidationFailed)
+ }
+}
+
+func TestValidator_InvalidRequest(t *testing.T) {
+ // Create a mock server that returns 401 Unauthorized
+ server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ w.WriteHeader(http.StatusUnauthorized)
+ }))
+ defer server.Close()
+
+ // Create a client with custom transport
+ client := &http.Client{
+ Transport: &mockTransport{testServer: server},
+ }
+
+ validator := npmjsaccesstoken.NewValidator(
+ npmjsaccesstoken.WithClient(client),
+ )
+
+ testCases := []struct {
+ name string
+ key string
+ expected veles.ValidationStatus
+ }{
+ {
+ name: "empty_key",
+ key: "",
+ expected: veles.ValidationInvalid,
+ },
+ {
+ name: "invalid_key_format",
+ key: "invalid-key-format",
+ expected: veles.ValidationInvalid,
+ },
+ }
+
+ for _, tc := range testCases {
+ t.Run(tc.name, func(t *testing.T) {
+ key := npmjsaccesstoken.NpmJSAccessToken{Token: tc.key}
+
+ got, err := validator.Validate(t.Context(), key)
+
+ if err != nil {
+ t.Errorf("Validate() unexpected error for %s: %v", tc.name, err)
+ }
+ if got != tc.expected {
+ t.Errorf("Validate() = %v, want %v for %s", got, tc.expected, tc.name)
+ }
+ })
+ }
+}
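Review bot: `mockNpmRegistryServer` accepts a request whenever `strings.Contains(authHeader, expectedKey)` holds, which is true for any header that merely includes the key and for every header when `expectedKey` is empty (the `server_error` and `bad_gateway` cases), so a change to the scheme the validator sends would go unnoticed. Comparing the whole value, `if authHeader != "Bearer "+expectedKey {`, pins the exact header; the two cases without an expected key would then need `key` and `serverExpectedKey` set to reach their status code. Also, `mockTransport.RoundTrip` forwards any host other than `registry.npmjs.org` to `http.DefaultTransport`, so if the validator's URL ever changes the test would send its request to the real network. Returning an error for an unexpected host keeps the test hermetic. The `expectError` field is never set to true in the table and could be removed.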