Make detector Result.SecretParts initialization stricter #4948
mcastorina wants to merge 3 commits into main from
Conversation
This means all detectors.Result objects must be created with the SecretParts field set.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Reviewed by Cursor Bugbot for commit 3e6aaa4. Configure here.
| for username := range usernames { | ||
| s1.RawV2 = []byte(fmt.Sprintf("%s:%s", username, token)) | ||
| s1.SecretParts["username"] = username |
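Review bot: the write `s1.SecretParts["username"] = username` on the last line of this hunk mutates a map that is not allocated inside the loop, so every Result appended from `s1` after this point aliases the same map and ends up carrying whichever username was processed last. Allocate the map per iteration instead (build a fresh map literal that includes the username, together with any parts set before the loop, and assign it to `s1.SecretParts` before the append) so each appended Result owns its own parts.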
Shared map mutation corrupts previously appended results
Medium Severity
The SecretParts map is initialized once per token at line 70, then mutated inside the inner username loop at line 75 via s1.SecretParts["username"] = username. Because maps in Go are reference types, when s1 is appended to results at line 88, the copy shares the same underlying map. Subsequent iterations overwrite "username" for all previously appended results, causing them to all reflect the last username processed rather than their own.
This is an existing bug and out of scope for this PR. Follow-up work will address this.
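The aliasing described in the review above, shown as an added example that is not code from this PR or from trufflehog: a stand-in `Result` struct with a map-typed `SecretParts` field, the loop pattern that reuses one map across appends, and the per-iteration allocation that fixes it. The struct, the `buildShared`/`buildFresh` functions and the sample usernames are constructed for this illustration.

```go
package main

import "fmt"

// Result is a constructed stand-in for this example (not trufflehog's
// detectors.Result): a struct whose SecretParts field is a map.
type Result struct {
	RawV2       []byte
	SecretParts map[string]string
}

// buildShared reproduces the flagged pattern: the map is allocated once per
// token and then mutated inside the username loop, so every Result appended
// from s1 shares the same underlying map.
func buildShared(token string, usernames []string) []Result {
	var results []Result
	s1 := Result{SecretParts: map[string]string{"token": token}} // allocated once
	for _, username := range usernames {
		s1.RawV2 = []byte(fmt.Sprintf("%s:%s", username, token)) // fresh slice each pass
		s1.SecretParts["username"] = username                    // writes through the shared map
		results = append(results, s1)                            // struct copied, map still shared
	}
	return results
}

// buildFresh allocates a new map on every iteration, so each appended Result
// owns its parts and later iterations cannot overwrite earlier ones.
func buildFresh(token string, usernames []string) []Result {
	var results []Result
	for _, username := range usernames {
		s1 := Result{
			RawV2: []byte(fmt.Sprintf("%s:%s", username, token)),
			SecretParts: map[string]string{
				"token":    token,
				"username": username,
			},
		}
		results = append(results, s1)
	}
	return results
}

// usernamesOf collects the "username" part of each result, in order.
func usernamesOf(results []Result) []string {
	out := make([]string, 0, len(results))
	for _, r := range results {
		out = append(out, r.SecretParts["username"])
	}
	return out
}

func main() {
	users := []string{"alice", "bob", "carol"} // constructed sample input
	fmt.Println("shared map:", usernamesOf(buildShared("tok", users)))
	fmt.Println("fresh maps:", usernamesOf(buildFresh("tok", users)))
}
```

Only the map is shared: `RawV2` is rebuilt from a new slice on every pass, which is why the bug shows up in `SecretParts` but not in the raw secret, and why a test that only checks `RawV2` would miss it.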


Description:
Update the `hack/checksecretparts` tool to enforce initializing `Result` with a `SecretParts` field and clean up existing detectors to pass this lint check. The reason for this change is that all `Result` objects must have `SecretParts` set.

Checklist:
- Tests passed (`make test-community`)?
- Lint passed (`make lint`, this requires golangci-lint)?

Note
Medium Risk
Touches many detector implementations and changes the static check to fail any `detectors.Result{}` literal missing `SecretParts`, which could surface new CI failures or subtly change reported metadata. Core scanning/verification logic is largely unchanged, but the breadth of detector edits raises regression risk.

Overview
Updates `hack/checksecretparts` to be stricter: it now flags every `detectors.Result{}` / `&detectors.Result{}` composite literal that omits a `SecretParts` key, and no longer treats later `SecretParts` assignments or other package references as satisfying the rule; messaging/docs/tests were updated accordingly.

Migrates a broad set of detectors to comply by initializing `Result.SecretParts` at construction time (and in a few cases mutating the map later to add fields like endpoints/usernames), removing prior patterns that only set `SecretParts` after successful verification.
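The rule the overview describes, as an added example rather than the project's own `hack/checksecretparts` tool: a small `go/ast` pass that reports every `detectors.Result{...}` composite literal (the `&detectors.Result{...}` form wraps the same node) whose keys do not include `SecretParts`, and deliberately ignores a later `b.SecretParts = ...` assignment, matching the stricter behaviour. The `checkSource` function and the embedded `sample` source are constructed for this illustration; the package name `detectors` and field name `SecretParts` are taken from the page.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
)

// isDetectorsResult reports whether a composite literal's type expression is
// the selector detectors.Result.
func isDetectorsResult(expr ast.Expr) bool {
	sel, ok := expr.(*ast.SelectorExpr)
	if !ok {
		return false
	}
	pkg, ok := sel.X.(*ast.Ident)
	return ok && pkg.Name == "detectors" && sel.Sel.Name == "Result"
}

// hasKey reports whether a keyed struct literal sets the named field.
func hasKey(lit *ast.CompositeLit, name string) bool {
	for _, elt := range lit.Elts {
		kv, ok := elt.(*ast.KeyValueExpr)
		if !ok {
			continue
		}
		if id, ok := kv.Key.(*ast.Ident); ok && id.Name == name {
			return true
		}
	}
	return false
}

// checkSource parses Go source text and returns, in source order, the line of
// every detectors.Result literal that omits a SecretParts key. Assignments to
// the field after construction are intentionally not credited.
func checkSource(filename, src string) ([]int, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, filename, src, 0)
	if err != nil {
		return nil, err
	}
	var lines []int
	ast.Inspect(f, func(n ast.Node) bool {
		lit, ok := n.(*ast.CompositeLit)
		if !ok || !isDetectorsResult(lit.Type) {
			return true
		}
		if !hasKey(lit, "SecretParts") {
			lines = append(lines, fset.Position(lit.Lbrace).Line)
		}
		return true
	})
	return lines, nil
}

// sample is constructed input: literal a complies, b only assigns SecretParts
// afterwards (still flagged), and c is the &detectors.Result{} form (flagged).
const sample = `package example

import "example.com/detectors"

func build(token string) []detectors.Result {
	a := detectors.Result{SecretParts: map[string]string{"token": token}}
	b := detectors.Result{Raw: []byte(token)}
	b.SecretParts = map[string]string{"token": token}
	c := &detectors.Result{}
	return []detectors.Result{a, b, *c}
}
`

func main() {
	lines, err := checkSource("sample.go", sample)
	if err != nil {
		panic(err)
	}
	for _, l := range lines {
		fmt.Printf("sample.go:%d: detectors.Result literal missing SecretParts\n", l)
	}
}
```

Because the check runs on syntax only, it does not need to type-check the detector package, which is what makes it cheap enough to run as a lint step; the trade-off is that an alias such as `r := detectors.Result` followed by `r{}` would not be recognised by the selector match.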