Tartufo does not put exclusions in report file when using --output-format report when repo is not the present working directory #416

@mlamarca-godaddy

Description

🐛 Bug Report

If I run tartufo to scan a directory from one level above my repo, it reads the tartufo.toml file to apply exclusions, but doesn't include any exclusions in the report file.

To Reproduce

This command:

tartufo --output-format report -v scan-local-repo ${GITHUBREPO}

Creates this output:

Tartufo Scan Results (Time: 2022-12-19T14:51:38.266660)
All clear. No secrets detected.

Configuration:
  version:             3.3.1
  entropy:             Enabled
    sensitivity: 75
  regex:               Enabled

Excluded paths:

Excluded signatures:

Excluded entropy patterns:

In this case, ${GITHUBREPO} is set to "puppet".
The local directory structure is set up as follows:

Directory tartufo is being run from:

/mnt/c/Users/mlamarca/Documents/GitHub

Directory repo is located in:

/mnt/c/Users/mlamarca/Documents/GitHub/puppet

Expected Behavior

If I run tartufo from within the repo directory, I get the expected output:

tartufo --output-format report -v scan-local-repo .

Tartufo Scan Results (Time: 2022-12-19T15:04:55.437726)
All clear. No secrets detected.

Configuration:
  version:             3.3.1
  entropy:             Enabled
    sensitivity: 75
  regex:               Enabled

Excluded paths:
  tartufo\.toml: Tartufo config file
  modules/port_template/templates/port_template\.erb: Port templates IDs
  modules/salt/files/master_sign\.pub: Public key needed on all salt minions.
  modules/rbenv/checksums\.json: Non-secret checksum file
  modules/rbenv/plugins/ruby-build/share/ruby-build: Directory containing ruby-build install data for many different versions. Hashes in this directory are not secret.
  modules/rbenv/plugins/ruby-build/\.travis\.yml: Publicly available AWS access credentials used for downloading rbenv install data
  modules/rbenv/plugins/ruby-build/test/cache\.bats: Non-secret shasum contained in file
  modules/rbenv/plugins/ruby-build/test/checksum\.bats: Non-secret shasum contained in file
  modules/rbenv/plugins/ruby-build/test/mirror\.bats: Non-secret checksum contained in file
  modules/stdlib/CONTRIBUTING\.md: Contains non-secret text blob with high entropy
  modules/stdlib/README\.md: File contains non-secret strings with high entropy like example IPv6 and example base64 strings
  modules/stdlib/readmes/README_ja_JP\.md: File contains non-secret strings with high entropy like example IPv6 and example base64 strings
  modules/stdlib/Rakefile: File contains non-secret strings with high entropy like ref value
  modules/stdlib/checksums\.json: File contains many non-secret checksum strings
  modules/rbenv/tests/patches/1\.9\.2-p180_centos\.patch: File contains non-secret high entropy strings in patch notes
  modules/stdlib/Gemfile: File contains non-secret ref values with high entropy
  modules/stdlib/lib/puppet/functions/is_absolute_path\.rb: File contains non-secret commit hashes with high entropy
  modules/stdlib/lib/puppet/functions/is_array\.rb: File contains non-secret commit hashes with high entropy
  modules/stdlib/lib/puppet/functions/is_bool\.rb: File contains non-secret commit hashes with high entropy
  modules/stdlib/lib/puppet/functions/is_float\.rb: File contains non-secret commit hashes with high entropy
  modules/stdlib/lib/puppet/functions/is_ip_address\.rb: File contains non-secret commit hashes with high entropy
  modules/stdlib/lib/puppet/functions/is_ipv4_address\.rb: File contains non-secret commit hashes with high entropy
  modules/stdlib/lib/puppet/functions/is_ipv6_address\.rb: File contains non-secret commit hashes with high entropy
  modules/stdlib/lib/puppet/functions/is_numeric\.rb: File contains non-secret commit hashes with high entropy
  modules/stdlib/lib/puppet/functions/is_string\.rb: File contains non-secret commit hashes with high entropy
  modules/stdlib/lib/puppet/functions/validate_absolute_path\.rb: File contains non-secret commit hashes with high entropy
  modules/stdlib/lib/puppet/functions/validate_bool\.rb: File contains non-secret commit hashes with high entropy
  modules/stdlib/lib/puppet/functions/validate_hash\.rb: File contains non-secret commit hashes with high entropy
  modules/stdlib/lib/puppet/functions/validate_integer\.rb: File contains non-secret commit hashes with high entropy
  modules/stdlib/lib/puppet/functions/validate_ip_address\.rb: File contains non-secret commit hashes with high entropy
  modules/stdlib/lib/puppet/functions/validate_ipv4_address\.rb: File contains non-secret commit hashes with high entropy
  modules/stdlib/lib/puppet/functions/validate_ipv6_address\.rb: File contains non-secret commit hashes with high entropy
  modules/stdlib/lib/puppet/functions/validate_legacy\.rb: File contains non-secret commit hashes with high entropy
  modules/stdlib/lib/puppet/functions/validate_numeric\.rb: File contains non-secret commit hashes with high entropy
  modules/stdlib/lib/puppet/functions/validate_re\.rb: File contains non-secret commit hashes with high entropy
  modules/stdlib/lib/puppet/functions/validate_slength\.rb: File contains non-secret commit hashes with high entropy
  modules/stdlib/lib/puppet/functions/validate_string\.rb: File contains non-secret commit hashes with high entropy
  modules/stdlib/lib/puppet/parser/functions/loadjson\.rb: File flagged for username:[email protected] which is only an example and not used
  modules/stdlib/lib/puppet/parser/functions/loadyaml\.rb: File flagged for username:[email protected] which is only an example and not used
  modules/stdlib/spec/functions/base64_spec\.rb: File contains a very long string that will cause the base64 encoder to produce output with multiple lines
  modules/stdlib/spec/functions/str2saltedsha512_spec\.rb: File contains non-secret strings with high entropy
  modules/stdlib/spec/functions/validate_x509_rsa_key_pair_spec\.rb: File contains ky pair used for testing formatting only
  modules/stdlib/lib/puppet/functions/validate_array\.rb: File contains non-secret commit hashes with high entropy
  modules/stdlib/spec/type_aliases/compat__ipv6_spec\.rb: File contains non-secret commit strings with high entropy

Excluded signatures:
  47e1139b56a470f3d3c3bc58a0ace84a6c793ac7937e47e66fba661d19103d04: Jenkinsfile - Non Secret Path - /var/lib/jenkins/rpmbuild/RPMS/x86_64/ManagedPuppet-
  cf3173a40f51179864e4baf562eefd0d48847646843bb7c272381a1e00df8696: make_rpm.sh - Non Secret Path - +SOURCES_DIR=rpmbuild/sources
  4a4ce4aaa5745d3aae6fa54661dd7ea10f36cc4494e52d199de0a4dadc7a574d: authorized_keys file - Non Secret Path - modules/jenkins_build_server/files/authorized_keys
  14898e62435823e24dae6e1db4fc747601e43d686651fd166f0a903a47def09f: Redis configuration file - Non Secret Path - modules/redis/files/redis.conf
  cfc1c6b5a6e44dc9f2c27de161a6d6be94cf40170767c210cabd823971a0259f: Non Secret filename in commit history - a/modules/yum_repos/files/NODESOURCE-GPG-SIGNING-KEY-EL
  806a28ca8730b26765eefa8de68740c91439651e22d4fb2be375c5baf77ad62e: Non Secret filename in commit history - b/modules/yum_repos/files/NODESOURCE-GPG-SIGNING-KEY-EL
  3301c28d87e2ac8f77c9576371084a707f24caf81ab8f9a00e2094f75052946d: File containing non secret checksum - modules/rbenv/plugins/ruby-build/test/fixtures/definitions/with-checksum
  06e9024730cfb752d9dda39b5de38450713529f1fb45dfa3e418420ef19f6d1d: File containing non secret checksum - modules/rbenv/plugins/ruby-build/test/fixtures/definitions/with-md5-checksum
  2b0c0d9a2b826b72c72c89e3286eca957b2c63df7aeabeb9df360f3532ed18f1: File contains non-secret random character list - modules/stdlib/lib/puppet/functions/seeded_rand_string.rb
  ba100b9c9245e1b4dc8af84ab39200b55bd5b57d34417b4e8eac907560d96464: File contains non-secret password hash function which is publicly available for this 3rd party module - modules/stdlib/spec/acceptance/pw_hash_spec.rb
  647c04497e1e567ebfa7ec5a6c1e671cea5d73abb4f4f8943eaed3dc2e4c9858: File contains non-secret string with a through z - modules/stdlib/spec/acceptance/sort_spec.rb
  2557ebddbfa69681233e58b53a2c9e740ef2291fb53386c113924525b032f6b9: File contains non-secret string with user1:[email protected] that is just an example and not used - modules/stdlib/spec/functions/loadjson_spec.rb
  a07fd8e58c0600cd54d171ba5877ea4ecc6dcac19a85913008865ea0ab2eecd9: File contains non-secret string with user1:[email protected] that is just an example and not used - modules/stdlib/spec/functions/loadyaml_spec.rb
  94a35dd1cfd02748960dbb34051f13450fd5b34b64544040d19a5da4df9abe95: Non-secret password salt. Part of 3rd party module available in a public repo - modules/stdlib/spec/functions/pw_hash_spec.rb
  1ffbb463e4ecfa848908b96ea77538e0051b350cf09ea7db09ea708f355d44ec: Contains 12345678901234567890 as part of an example ipv6 address - modules/stdlib/spec/functions/validate_ipv6_address_spec.rb

Excluded entropy patterns:

In this case, tartufo is being run from within the directory the repo is located in:

/mnt/c/Users/mlamarca/Documents/GitHub/puppet

Code Example

Repo "puppet" used in this bug report

Command that works properly:

tartufo --output-format report -v scan-local-repo .

Command that omits exclusions from the report:

tartufo --output-format report -v scan-local-repo ${GITHUBREPO}

Where ${GITHUBREPO} is not the present working directory.

Environment

Running in WSL

Environment details:

$ cat /etc/os-release
NAME="Ubuntu"
VERSION="20.04.5 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.5 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal

This is the contents of the tartufo.toml file in the "puppet" repo used in this bug report:


[tool.tartufo]
repo-path = "."
json = false
regex = true
entropy = true
exclude-path-patterns = [
 {path-pattern = 'tartufo\.toml', reason = 'Tartufo config file'},
 {path-pattern = 'modules/port_template/templates/port_template\.erb', reason = 'Port templates IDs'},
 {path-pattern = 'modules/salt/files/master_sign\.pub', reason = 'Public key needed on all salt minions.'},
 {path-pattern = 'modules/rbenv/checksums\.json', reason = 'Non-secret checksum file'},
 {path-pattern = 'modules/rbenv/plugins/ruby-build/share/ruby-build', reason = 'Directory containing ruby-build install data for many different versions. Hashes in this directory are not secret.'},
 {path-pattern = 'modules/rbenv/plugins/ruby-build/\.travis\.yml', reason = 'Publicly available AWS access credentials used for downloading rbenv install data'},
 {path-pattern = 'modules/rbenv/plugins/ruby-build/test/cache\.bats', reason = 'Non-secret shasum contained in file'},
 {path-pattern = 'modules/rbenv/plugins/ruby-build/test/checksum\.bats', reason = 'Non-secret shasum contained in file'},
 {path-pattern = 'modules/rbenv/plugins/ruby-build/test/mirror\.bats', reason = 'Non-secret checksum contained in file'},
 {path-pattern = 'modules/stdlib/CONTRIBUTING\.md', reason = 'Contains non-secret text blob with high entropy'},
 {path-pattern = 'modules/stdlib/README\.md', reason = 'File contains non-secret strings with high entropy like example IPv6 and example base64 strings'},
 {path-pattern = 'modules/stdlib/readmes/README_ja_JP\.md', reason = 'File contains non-secret strings with high entropy like example IPv6 and example base64 strings'},
 {path-pattern = 'modules/stdlib/Rakefile', reason = 'File contains non-secret strings with high entropy like ref value'},
 {path-pattern = 'modules/stdlib/checksums\.json', reason = 'File contains many non-secret checksum strings'},
 {path-pattern = 'modules/rbenv/tests/patches/1\.9\.2-p180_centos\.patch', reason = 'File contains non-secret high entropy strings in patch notes'},
 {path-pattern = 'modules/stdlib/Gemfile', reason = 'File contains non-secret ref values with high entropy'},
 {path-pattern = 'modules/stdlib/lib/puppet/functions/is_absolute_path\.rb', reason = 'File contains non-secret commit hashes with high entropy'},
 {path-pattern = 'modules/stdlib/lib/puppet/functions/is_array\.rb', reason = 'File contains non-secret commit hashes with high entropy'},
 {path-pattern = 'modules/stdlib/lib/puppet/functions/is_bool\.rb', reason = 'File contains non-secret commit hashes with high entropy'},
 {path-pattern = 'modules/stdlib/lib/puppet/functions/is_float\.rb', reason = 'File contains non-secret commit hashes with high entropy'},
 {path-pattern = 'modules/stdlib/lib/puppet/functions/is_ip_address\.rb', reason = 'File contains non-secret commit hashes with high entropy'},
 {path-pattern = 'modules/stdlib/lib/puppet/functions/is_ipv4_address\.rb', reason = 'File contains non-secret commit hashes with high entropy'},
 {path-pattern = 'modules/stdlib/lib/puppet/functions/is_ipv6_address\.rb', reason = 'File contains non-secret commit hashes with high entropy'},
 {path-pattern = 'modules/stdlib/lib/puppet/functions/is_numeric\.rb', reason = 'File contains non-secret commit hashes with high entropy'},
 {path-pattern = 'modules/stdlib/lib/puppet/functions/is_string\.rb', reason = 'File contains non-secret commit hashes with high entropy'},
 {path-pattern = 'modules/stdlib/lib/puppet/functions/validate_absolute_path\.rb', reason = 'File contains non-secret commit hashes with high entropy'},
 {path-pattern = 'modules/stdlib/lib/puppet/functions/validate_bool\.rb', reason = 'File contains non-secret commit hashes with high entropy'},
 {path-pattern = 'modules/stdlib/lib/puppet/functions/validate_hash\.rb', reason = 'File contains non-secret commit hashes with high entropy'},
 {path-pattern = 'modules/stdlib/lib/puppet/functions/validate_integer\.rb', reason = 'File contains non-secret commit hashes with high entropy'},
 {path-pattern = 'modules/stdlib/lib/puppet/functions/validate_ip_address\.rb', reason = 'File contains non-secret commit hashes with high entropy'},
 {path-pattern = 'modules/stdlib/lib/puppet/functions/validate_ipv4_address\.rb', reason = 'File contains non-secret commit hashes with high entropy'},
 {path-pattern = 'modules/stdlib/lib/puppet/functions/validate_ipv6_address\.rb', reason = 'File contains non-secret commit hashes with high entropy'},
 {path-pattern = 'modules/stdlib/lib/puppet/functions/validate_legacy\.rb', reason = 'File contains non-secret commit hashes with high entropy'},
 {path-pattern = 'modules/stdlib/lib/puppet/functions/validate_numeric\.rb', reason = 'File contains non-secret commit hashes with high entropy'},
 {path-pattern = 'modules/stdlib/lib/puppet/functions/validate_re\.rb', reason = 'File contains non-secret commit hashes with high entropy'},
 {path-pattern = 'modules/stdlib/lib/puppet/functions/validate_slength\.rb', reason = 'File contains non-secret commit hashes with high entropy'},
 {path-pattern = 'modules/stdlib/lib/puppet/functions/validate_string\.rb', reason = 'File contains non-secret commit hashes with high entropy'},
 {path-pattern = 'modules/stdlib/lib/puppet/parser/functions/loadjson\.rb', reason = 'File flagged for username:[email protected] which is only an example and not used'},
 {path-pattern = 'modules/stdlib/lib/puppet/parser/functions/loadyaml\.rb', reason = 'File flagged for username:[email protected] which is only an example and not used'},
 {path-pattern = 'modules/stdlib/spec/functions/base64_spec\.rb', reason = 'File contains a very long string that will cause the base64 encoder to produce output with multiple lines'},
 {path-pattern = 'modules/stdlib/spec/functions/str2saltedsha512_spec\.rb', reason = 'File contains non-secret strings with high entropy'},
 {path-pattern = 'modules/stdlib/spec/functions/validate_x509_rsa_key_pair_spec\.rb', reason = 'File contains ky pair used for testing formatting only'},
 {path-pattern = 'modules/stdlib/lib/puppet/functions/validate_array\.rb', reason = 'File contains non-secret commit hashes with high entropy'},
 {path-pattern = 'modules/stdlib/spec/type_aliases/compat__ipv6_spec\.rb', reason = 'File contains non-secret commit strings with high entropy'},
]

exclude-signatures = [
    {signature = "47e1139b56a470f3d3c3bc58a0ace84a6c793ac7937e47e66fba661d19103d04", reason = 'Jenkinsfile - Non Secret Path - /var/lib/jenkins/rpmbuild/RPMS/x86_64/ManagedPuppet-'},
    {signature = "cf3173a40f51179864e4baf562eefd0d48847646843bb7c272381a1e00df8696", reason = 'make_rpm.sh - Non Secret Path - +SOURCES_DIR=rpmbuild/sources'},
    {signature = "4a4ce4aaa5745d3aae6fa54661dd7ea10f36cc4494e52d199de0a4dadc7a574d", reason = 'authorized_keys file - Non Secret Path - modules/jenkins_build_server/files/authorized_keys'},
    {signature = "14898e62435823e24dae6e1db4fc747601e43d686651fd166f0a903a47def09f", reason = 'Redis configuration file - Non Secret Path - modules/redis/files/redis.conf'},
    {signature = "cfc1c6b5a6e44dc9f2c27de161a6d6be94cf40170767c210cabd823971a0259f", reason = 'Non Secret filename in commit history - a/modules/yum_repos/files/NODESOURCE-GPG-SIGNING-KEY-EL'},
    {signature = "806a28ca8730b26765eefa8de68740c91439651e22d4fb2be375c5baf77ad62e", reason = 'Non Secret filename in commit history - b/modules/yum_repos/files/NODESOURCE-GPG-SIGNING-KEY-EL'},
    {signature = "3301c28d87e2ac8f77c9576371084a707f24caf81ab8f9a00e2094f75052946d", reason = 'File containing non secret checksum - modules/rbenv/plugins/ruby-build/test/fixtures/definitions/with-checksum'},
    {signature = "06e9024730cfb752d9dda39b5de38450713529f1fb45dfa3e418420ef19f6d1d", reason = 'File containing non secret checksum - modules/rbenv/plugins/ruby-build/test/fixtures/definitions/with-md5-checksum'},
    {signature = "2b0c0d9a2b826b72c72c89e3286eca957b2c63df7aeabeb9df360f3532ed18f1", reason = 'File contains non-secret random character list - modules/stdlib/lib/puppet/functions/seeded_rand_string.rb'},
    {signature = "ba100b9c9245e1b4dc8af84ab39200b55bd5b57d34417b4e8eac907560d96464", reason = 'File contains non-secret password hash function which is publicly available for this 3rd party module - modules/stdlib/spec/acceptance/pw_hash_spec.rb'},
    {signature = "647c04497e1e567ebfa7ec5a6c1e671cea5d73abb4f4f8943eaed3dc2e4c9858", reason = 'File contains non-secret string with a through z - modules/stdlib/spec/acceptance/sort_spec.rb'},
    {signature = "2557ebddbfa69681233e58b53a2c9e740ef2291fb53386c113924525b032f6b9", reason = 'File contains non-secret string with user1:[email protected] that is just an example and not used - modules/stdlib/spec/functions/loadjson_spec.rb'},
    {signature = "a07fd8e58c0600cd54d171ba5877ea4ecc6dcac19a85913008865ea0ab2eecd9", reason = 'File contains non-secret string with user1:[email protected] that is just an example and not used - modules/stdlib/spec/functions/loadyaml_spec.rb'},
    {signature = "94a35dd1cfd02748960dbb34051f13450fd5b34b64544040d19a5da4df9abe95", reason = 'Non-secret password salt. Part of 3rd party module available in a public repo - modules/stdlib/spec/functions/pw_hash_spec.rb'},
    {signature = "1ffbb463e4ecfa848908b96ea77538e0051b350cf09ea7db09ea708f355d44ec", reason = 'Contains 12345678901234567890 as part of an example ipv6 address - modules/stdlib/spec/functions/validate_ipv6_address_spec.rb'},
]
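As an added check that is not part of this issue or of the tartufo project: the Python script below compares the exclusions declared in a tartufo.toml with the "Excluded paths:" and "Excluded signatures:" sections of a `--output-format report` run, so a CI job can fail loudly when the report omits exclusions the way the second command above does. The config and the two reports embedded in it are constructed samples, trimmed from the ones in this issue; the report layout is assumed to be the one shown above (section header, then indented `<pattern-or-signature>: <reason>` lines), and `tomllib` (Python 3.11+) or the `tomli` backport is assumed to be importable.

```python
"""Cross-check a tartufo text report against the tartufo.toml it should reflect.
Added example, not tartufo's own code; assumes the report layout shown in the issue."""
import re
import sys

try:
    import tomllib  # Python 3.11+
except ModuleNotFoundError:  # assumption: the tomli backport is installed on older Pythons
    import tomli as tomllib

# Constructed sample config, trimmed from the tartufo.toml in this issue.
SAMPLE_TOML = r"""
[tool.tartufo]
exclude-path-patterns = [
 {path-pattern = 'tartufo\.toml', reason = 'Tartufo config file'},
 {path-pattern = 'modules/rbenv/checksums\.json', reason = 'Non-secret checksum file'},
]
exclude-signatures = [
    {signature = "47e1139b56a470f3d3c3bc58a0ace84a6c793ac7937e47e66fba661d19103d04", reason = 'Jenkinsfile - Non Secret Path'},
]
"""

# Constructed report in the shape produced when the scan runs from inside the repo.
REPORT_WITH_EXCLUSIONS = r"""Tartufo Scan Results (Time: 2022-12-19T15:04:55.437726)
All clear. No secrets detected.

Configuration:
  version:             3.3.1

Excluded paths:
  tartufo\.toml: Tartufo config file
  modules/rbenv/checksums\.json: Non-secret checksum file

Excluded signatures:
  47e1139b56a470f3d3c3bc58a0ace84a6c793ac7937e47e66fba661d19103d04: Jenkinsfile - Non Secret Path

Excluded entropy patterns:
"""

# Constructed report in the shape produced when the repo is not the working directory.
REPORT_WITHOUT_EXCLUSIONS = r"""Tartufo Scan Results (Time: 2022-12-19T14:51:38.266660)
All clear. No secrets detected.

Configuration:
  version:             3.3.1

Excluded paths:

Excluded signatures:

Excluded entropy patterns:
"""

SECTION_RE = re.compile(r"^Excluded (paths|signatures):$")


def config_exclusions(toml_text):
    """Exclusions declared under [tool.tartufo], keyed by report section name."""
    cfg = tomllib.loads(toml_text)["tool"]["tartufo"]
    return {
        "paths": {e["path-pattern"] for e in cfg.get("exclude-path-patterns", [])},
        "signatures": {e["signature"] for e in cfg.get("exclude-signatures", [])},
    }


def report_exclusions(report_text):
    """Patterns/signatures actually listed in the report's 'Excluded ...' sections."""
    found = {"paths": set(), "signatures": set()}
    current = None
    for line in report_text.splitlines():
        if not line.strip():
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            continue
        if not line.startswith(" "):
            current = None  # any other top-level line (e.g. "Configuration:") ends the section
            continue
        if current is not None:
            found[current].add(line.strip().split(":", 1)[0])  # key before the ": <reason>"
    return found


def missing_from_report(config, report):
    """Per section, the configured exclusions the report failed to list."""
    return {section: sorted(expected - report[section]) for section, expected in config.items()}


def report_matches_config(toml_text, report_text):
    """(True, gaps) when every configured exclusion appears in the report, else (False, gaps)."""
    gaps = missing_from_report(config_exclusions(toml_text), report_exclusions(report_text))
    return all(not v for v in gaps.values()), gaps


if __name__ == "__main__":
    if len(sys.argv) == 3:  # python check_report.py tartufo.toml report.txt
        with open(sys.argv[1]) as cfg_file, open(sys.argv[2]) as rep_file:
            ok, gaps = report_matches_config(cfg_file.read(), rep_file.read())
    else:  # no arguments: run against the constructed samples
        ok, gaps = report_matches_config(SAMPLE_TOML, REPORT_WITHOUT_EXCLUSIONS)
    for section, items in gaps.items():
        for item in items:
            print(f"missing from report ({section}): {item}")
    sys.exit(0 if ok else 1)
```

Run it as `python check_report.py tartufo.toml report.txt` after the scan; a non-zero exit means the report does not account for every configured exclusion. Note the limit of what this proves: as the issue states, the exclusions are still read and applied when scanning from a parent directory, so a gap here does not by itself mean secrets were scanned that should have been skipped. What it does mean is that the report can no longer serve as a record of what was excluded, which is the property an audit trail needs.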
