pkg/analyzer/analyzers/client.go

@@ -114,7 +114,7 @@ type AnalyzerRoundTripper struct {
 
 func (r AnalyzerRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
 	resp, err := r.parent.RoundTrip(req)
-	if err != nil || methodIsSafe(req.Method) {
+	if err != nil || IsMethodSafe(req.Method) {
 		return resp, err
 	}
 	// Check that unsafe methods did NOT return a valid status code.
@@ -126,7 +126,7 @@ func (r AnalyzerRoundTripper) RoundTrip(req *http.Request) (*http.Response, erro
 
 // methodIsSafe is a helper method to check whether the HTTP method is safe according to MDN Web Docs.
 // https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods#safe_idempotent_and_cacheable_request_methods
-func methodIsSafe(method string) bool {
+func IsMethodSafe(method string) bool {
 	switch strings.ToUpper(method) {
 	case http.MethodGet, http.MethodHead, http.MethodOptions, http.MethodTrace:
 		return true

pkg/analyzer/analyzers/huggingface/scopes.go

@@ -48,7 +48,7 @@ var user_scopes = map[string]map[string]string{
 		"user.billing.read": "Read access to user's billing usage",
 	},
 	"Collections": {
-		"collection.read":  "Read access to all ollections under user's namespace",
+		"collection.read":  "Read access to all collections under user's namespace",
 		"collection.write": "Write access to all collections under user's namespace",
 	},
 	"Discussions & Posts": {

pkg/analyzer/analyzers/opsgenie/opsgenie.go

@@ -132,7 +132,16 @@ func (h *HttpStatusTest) RunTest(cfg *config.Config, headers map[string]string)
 	}
 
 	// Create new HTTP request
-	client := analyzers.NewAnalyzeClientUnrestricted(cfg)
+	var client *http.Client
+
+	// Non-safe Opsgenie APIs are asynchronous and always return 202 if credential has the permission.
+	// For Safe API Methods, use the restricted client
+	if analyzers.IsMethodSafe(h.Method) {
+		client = analyzers.NewAnalyzeClient(cfg)
+	} else {
+		client = analyzers.NewAnalyzeClientUnrestricted(cfg)
+	}
+
 	req, err := http.NewRequest(h.Method, h.Endpoint, data)
 	if err != nil {
 		return false, err

pkg/custom_detectors/custom_detectors.go

@@ -129,7 +129,11 @@ func (c *CustomRegexWebhook) createResults(ctx context.Context, match map[string
 	var raw string
 	for _, values := range match {
 		// values[0] contains the entire regex match.
-		raw += values[0]
+		secret := values[0]
+		if len(values) > 1 {
+			secret = values[1]
+		}
+		raw += secret
 	}
 	result := detectors.Result{
 		DetectorType: detectorspb.DetectorType_CustomRegex,

pkg/custom_detectors/custom_detectors_test.go

@@ -199,13 +199,13 @@ func TestDetector(t *testing.T) {
 		// "password" is normally flagged as a false positive, but CustomRegex
 		// should allow the user to decide and report it as a result.
 		Keywords: []string{"password"},
-		Regex:    map[string]string{"regex": "password=.*"},
+		Regex:    map[string]string{"regex": "password=\"(.*)\""},
 	})
 	assert.NoError(t, err)
 	results, err := detector.FromData(context.Background(), false, []byte(`password="123456"`))
 	assert.NoError(t, err)
 	assert.Equal(t, 1, len(results))
-	assert.Equal(t, results[0].Raw, []byte(`password="123456"`))
+	assert.Equal(t, results[0].Raw, []byte(`123456`))
 }
 
 func BenchmarkProductIndices(b *testing.B) {

pkg/sources/jenkins/jenkins.go

@@ -123,7 +123,7 @@ func (s *Source) Init(aCtx context.Context, name string, jobId sources.JobID, so
 	case *sourcespb.Jenkins_Unauthenticated:
 		unparsedURL = conn.Endpoint
 	default:
-		return errors.Errorf("Invalid configuration given for source. Name: %s, Type: %s", name, s.Type())
+		return errors.Errorf("unknown or unspecified authentication method provided for Jenkins source %q (unauthenticated scans must be explicitly configured)", name)
 	}
 
 	s.url, err = url.Parse(unparsedURL)