Skip to content

feat(rule): maven proxy#306

Open
hugo-syn wants to merge 4 commits into
praetorian-inc:mainfrom
hugo-syn:maven
Open

feat(rule): maven proxy#306
hugo-syn wants to merge 4 commits into
praetorian-inc:mainfrom
hugo-syn:maven

Conversation

@hugo-syn

@hugo-syn hugo-syn commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

cf: #283

@coderabbitai

coderabbitai Bot commented Jul 6, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 38180c22-b2af-4041-b48f-f81852cb1306

📥 Commits

Reviewing files that changed from the base of the PR and between 42f71e6 and d99f0f5.

📒 Files selected for processing (1)
  • pkg/rule/rules/maven.yml
🚧 Files skipped from review as they are similar to previous changes (1)
  • pkg/rule/rules/maven.yml

Walkthrough

Adds np.maven.1 for Maven settings XML credentials in pkg/rule/rules/maven.yml and includes it in the default ruleset. The rule matches <server> or <proxy> XML blocks with <username> followed by <password>, captures the password as token, sets base_score: 50, requires min_entropy: 3, and suppresses common placeholder or masked values.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (1)
pkg/rule/rules/maven.yml (1)

6-9: 🎯 Functional Correctness | 🔵 Trivial | 💤 Low value

Rule assumes strict username-before-password ordering with limited separator length.

The pattern requires <username> immediately followed by <password> within \s{1,200} whitespace. Real settings.xml files with comments, blank lines, or reversed element order (password before username) between the two tags won't match, producing false negatives.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/rule/rules/maven.yml` around lines 6 - 9, The Maven rules pattern is too
strict because it only matches <username> immediately before <password> with a
short whitespace-only gap, so valid settings.xml variants with comments, blank
lines, or reversed order are missed. Update the regex in the maven rule to allow
either tag order and to tolerate broader separators between credentials, while
keeping the same token capture behavior in the rule pattern.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/rule/rules/maven.yml`:
- Around line 5-9: Remove the unsupported negative lookahead from the Maven rule
pattern in maven.yml so ValidateRule can compile it with Go regexp. Keep the
password capture in the pattern and, if you still need to exclude placeholder
values, move that logic to pattern_requirements.ignore_if_contains. Use the
existing pattern block as the target and ensure the rule still loads
successfully.

---

Nitpick comments:
In `@pkg/rule/rules/maven.yml`:
- Around line 6-9: The Maven rules pattern is too strict because it only matches
<username> immediately before <password> with a short whitespace-only gap, so
valid settings.xml variants with comments, blank lines, or reversed order are
missed. Update the regex in the maven rule to allow either tag order and to
tolerate broader separators between credentials, while keeping the same token
capture behavior in the rule pattern.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: e56bfceb-060e-4ae3-b354-9e0cd43fb009

📥 Commits

Reviewing files that changed from the base of the PR and between dce431e and b9d9ce9.

📒 Files selected for processing (1)
  • pkg/rule/rules/maven.yml

Comment thread pkg/rule/rules/maven.yml Outdated

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: b9d9ce92f0

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

Comment thread pkg/rule/rules/maven.yml
@@ -0,0 +1,31 @@
rules:
- name: Maven Settings XML Credentials
id: np.maven.1

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Add the Maven rule to the default ruleset

As added, np.maven.1 is loaded as a builtin rule but is not referenced by any builtin ruleset. Normal titus scan runs default to --ruleset default (cmd/titus/scan.go) and loadRules applies ApplyRuleset, so this detector is filtered out unless the user explicitly chooses --ruleset all or custom rules; the Maven proxy passwords this change targets will still be missed in the default scan workflow.

Useful? React with 👍 / 👎.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
pkg/rule/rules/maven.yml (1)

11-15: 🎯 Functional Correctness | 🔵 Trivial | ⚡ Quick win

Consider broadening placeholder list.

Only three masking patterns are excluded. Common placeholders like CHANGEME, REDACTED, PLACEHOLDER, INSERT_PASSWORD_HERE would reduce false positives from templated/example settings.xml files.

♻️ Suggested additions
     pattern_requirements:
       ignore_if_contains:
         - "****"
         - "xxxx"
         - "YOUR_PASSWORD"
+        - "CHANGEME"
+        - "REDACTED"
+        - "PLACEHOLDER"
+        - "INSERT_PASSWORD_HERE"
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/rule/rules/maven.yml` around lines 11 - 15, The masking exclusions in the
Maven rule are too narrow, so templated example values still trigger false
positives. Update the pattern_requirements.ignore_if_contains list in the maven
rule to include additional common placeholders such as CHANGEME, REDACTED,
PLACEHOLDER, and INSERT_PASSWORD_HERE, alongside the existing entries, so the
rule better recognizes example settings content.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@pkg/rule/rules/maven.yml`:
- Around line 11-15: The masking exclusions in the Maven rule are too narrow, so
templated example values still trigger false positives. Update the
pattern_requirements.ignore_if_contains list in the maven rule to include
additional common placeholders such as CHANGEME, REDACTED, PLACEHOLDER, and
INSERT_PASSWORD_HERE, alongside the existing entries, so the rule better
recognizes example settings content.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 21125b28-77c3-4063-8d8e-65f1539dd6da

📥 Commits

Reviewing files that changed from the base of the PR and between b9d9ce9 and 681d725.

📒 Files selected for processing (2)
  • pkg/rule/rules/maven.yml
  • pkg/rule/rulesets/default.yml

@michaelweber

Copy link
Copy Markdown
Collaborator

Thanks for this — proxy/server credential leakage in Maven configs is a real and useful thing to catch. Before we merge, though, we'd like to find a way to make this more targeted / less generalized, because as written it's likely to be a high false-positive source.

The pattern matches a bare <username>…</username> immediately followed by <password>…</password> anywhere in any file. That's generic XML basic-auth, not Maven-specific — it'll fire on Tomcat/Jetty/Spring/JBoss/Jenkins configs, test fixtures, and even prose/docs, none of which are Maven settings.xml.

I built the rule and ran it against a few realistic, non-secret fixtures. It produced 4 false positives out of 5 matches (80%):

Captured password Source Why it's a FP
Kx9$mQ2vLp7wZ!aR settings.xml <server> ✅ real secret (true positive)
password Spring datasource XML ❌ the literal word
${env.REPO_PASSWORD} settings.xml ❌ env-var reference, not a secret
changeit tomcat-users.xml ❌ universal Java default
example_password a Markdown doc ❌ documentation — not even XML

Contributing factors:

  1. No Maven anchor. Nothing ties the match to Maven (<server> / <proxy> wrapper, a sibling <id>, or settings.xml context). Both <server> and <proxy> entries in settings.xml always carry an <id>, so anchoring on that (or on the enclosing element) would scope this to Maven dramatically.
  2. Very permissive value class. [^<]{3,100} accepts template vars (${…}, {{…}}), defaults, and literal words like password.
  3. Thin negative filter. ignore_if_contains: ["****","xxxx","YOUR_PASSWORD"] caught none of the above. Consider adding a min_entropy floor and expanding the ignore list (e.g. ${, {{, changeit, changeme, password, example, test, admin, secret), and ideally ignoring anything containing ${/{{ (property/env refs).
  4. base_score: 75 is on the high side for a credential that can't be API-validated (it'll be reported unvalidated), which amplifies the noise.

Suggested direction: anchor to the Maven structure (require the <server>/<proxy> context or a nearby <id>…</id>), tighten the value class + add entropy, and expand the placeholder filter. Happy to help iterate on a revised pattern and re-run it against the FP fixtures to confirm the noise drops out.

Performance-wise there's no concern — bounded quantifiers, no catastrophic-backtracking risk, and the <username> literal makes it a cheap Hyperscan prefilter. The blocker is purely the false-positive surface.

@hugo-syn

hugo-syn commented Jul 7, 2026

Copy link
Copy Markdown
Contributor Author

Hello @michaelweber I've made some changes let me know if it's better.

Also I took example with #282 but I don't see it in the ruleset default.yml is it normal ?

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (2)
pkg/rule/rules/maven.yml (2)

15-25: 🎯 Functional Correctness | 🔵 Trivial | ⚡ Quick win

Ignore list still missing some placeholder terms called out for this rule.

PR objectives asked to exclude password, admin, and secret as generic/default words, but they're absent here.

♻️ Proposed addition
         - "changeit"
         - "changeme"
+        - "password"
+        - "admin"
+        - "secret"
         - "example"
         - "test"
         - "dummy"
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/rule/rules/maven.yml` around lines 15 - 25, The ignore list for the Maven
rule is still missing the generic placeholder terms requested by the review.
Update the ignore_if_contains entries in the maven rule configuration to include
password, admin, and secret alongside the existing defaults, keeping the change
in the same rule definition so the matcher in this config skips those common
placeholder values.

29-35: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

No negative_examples for known false-positive fixtures.

PR objectives cite specific FP cases (Spring datasource XML, settings.xml ${env.REPO_PASSWORD} placeholder, tomcat-users.xml changeit, Markdown docs). Adding negative_examples covering these would lock in regression protection now that ignore filters/entropy are being tightened.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/rule/rules/maven.yml` around lines 29 - 35, Add negative_examples for the
known false-positive fixture cases referenced in the review, since the current
examples section only shows a positive secret and does not protect against
regressions. Update the rule definition around the examples block to include
negative_examples entries for the Spring datasource XML, settings.xml with
${env.REPO_PASSWORD}, tomcat-users.xml using changeit, and Markdown docs so the
tightened ignore/entropy logic is validated against these fixtures.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/rule/rules/maven.yml`:
- Around line 13-14: The min_entropy setting is currently nested under
pattern_requirements in the Maven rule, but yamlPatternRequirements does not
parse it, so it never reaches Rule.MinEntropy. Move min_entropy to the top level
of the yamlRule mapping so pkg/rule/yaml.go can populate MinEntropy, and keep
pattern_requirements limited to the supported nested fields used by
passesEntropyCheck.

---

Nitpick comments:
In `@pkg/rule/rules/maven.yml`:
- Around line 15-25: The ignore list for the Maven rule is still missing the
generic placeholder terms requested by the review. Update the ignore_if_contains
entries in the maven rule configuration to include password, admin, and secret
alongside the existing defaults, keeping the change in the same rule definition
so the matcher in this config skips those common placeholder values.
- Around line 29-35: Add negative_examples for the known false-positive fixture
cases referenced in the review, since the current examples section only shows a
positive secret and does not protect against regressions. Update the rule
definition around the examples block to include negative_examples entries for
the Spring datasource XML, settings.xml with ${env.REPO_PASSWORD},
tomcat-users.xml using changeit, and Markdown docs so the tightened
ignore/entropy logic is validated against these fixtures.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 68179025-5a80-468f-bfe5-c47f1dbd26b4

📥 Commits

Reviewing files that changed from the base of the PR and between 681d725 and 42f71e6.

📒 Files selected for processing (1)
  • pkg/rule/rules/maven.yml

Comment thread pkg/rule/rules/maven.yml Outdated
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants