
Ignore all commits when `.gitleaksignore` fingerprint lacks SHA (#1156)

* fix: .gitleaksignore without sha in fingerprint

* chore: add prior commit to .gitleaksignore
Richard Gomez 2 лет назад
Родитель
Сommit
91ff8f9b70
24 измененных файлов с 148 добавлено и 11 удалено
  1. 6 1
      .gitleaksignore
  2. 15 6
      detect/detect.go
  3. 40 1
      detect/detect_test.go
  4. 1 0
      testdata/repos/nogit/.gitleaksignore
  5. 24 0
      testdata/repos/nogit/api.go
  6. 2 0
      testdata/repos/small/.gitleaksignore
  7. 24 0
      testdata/repos/small/api/ignoreCommit.go
  8. 24 0
      testdata/repos/small/api/ignoreGlobal.go
  9. 1 1
      testdata/repos/small/dotGit/COMMIT_EDITMSG
  10. 1 1
      testdata/repos/small/dotGit/ORIG_HEAD
  11. BIN
      testdata/repos/small/dotGit/index
  12. 4 0
      testdata/repos/small/dotGit/logs/HEAD
  13. 4 0
      testdata/repos/small/dotGit/logs/refs/heads/main
  14. BIN
      testdata/repos/small/dotGit/objects/32/bfaec6697c1a693f71b183d3389ad2547bbb3c
  15. BIN
      testdata/repos/small/dotGit/objects/4f/77f1b3cc39d4b17e4cf4ba0a38f5daed9875b4
  16. BIN
      testdata/repos/small/dotGit/objects/53/cd7a3c6eb4937f413e3c25e4a9f39289afa69e
  17. BIN
      testdata/repos/small/dotGit/objects/8d/c20a62e189d3446cfb6ec328dbd379d64feb20
  18. BIN
      testdata/repos/small/dotGit/objects/98/1ab8417104c91bb9a4657f5d436c760c0aff50
  19. BIN
      testdata/repos/small/dotGit/objects/ac/bef43fdb053ec01e8e16697536d47853460cbc
  20. 1 0
      testdata/repos/small/dotGit/objects/ca/da78a9bf157ec05573f19e682d211f811c2e2d
  21. BIN
      testdata/repos/small/dotGit/objects/da/eb160a13200a3422e73296a6892784a113e0d6
  22. BIN
      testdata/repos/small/dotGit/objects/df/7eaa59fc89b3e7258167605db2e582f1a78e6f
  23. BIN
      testdata/repos/small/dotGit/objects/fa/468655086f149d41a8e7db14ed054bebec7687
  24. 1 1
      testdata/repos/small/dotGit/refs/heads/main

+ 6 - 1
.gitleaksignore

@@ -716,6 +716,9 @@ testdata/expected/git/small-branch-foo.txt:aws-access-token:15
 testdata/expected/git/small.txt:aws-access-token:15
 testdata/expected/git/small.txt:aws-access-token:44
 testdata/repos/nogit/main.go:aws-access-token:20
+testdata/repos/nogit/api.go:aws-access-token:20
+testdata/repos/small/api/ignoreCommit.go:aws-access-token:20
+testdata/repos/small/api/ignoreGlobal.go:aws-access-token:20
 3df8c3deb7bc1e34210bdbce114f1c6165bc6ac8:detect/detect_test.go:aws-access-token:513
 3df8c3deb7bc1e34210bdbce114f1c6165bc6ac8:detect/detect_test.go:aws-access-token:492
 3df8c3deb7bc1e34210bdbce114f1c6165bc6ac8:detect/detect_test.go:aws-access-token:414
@@ -756,5 +759,7 @@ acce01f2338434a78f6a4a06a097b0fd23280484:README.md:aws-access-token:220
 9701bf1724d822c0d5bbb7627535dd639a37bf56:detect/detect_test.go:aws-access-token:507
 9701bf1724d822c0d5bbb7627535dd639a37bf56:testdata/repos/staged/api/api.go:aws-access-token:6
 9701bf1724d822c0d5bbb7627535dd639a37bf56:testdata/repos/staged/api/api.go:aws-access-token:7
-
+adf617b3b4628e1160fa3d135b4c3dfd45c05e15:testdata/repos/nogit/api.go:aws-access-token:20
+adf617b3b4628e1160fa3d135b4c3dfd45c05e15:testdata/repos/small/api/ignoreGlobal.go:aws-access-token:20
+adf617b3b4628e1160fa3d135b4c3dfd45c05e15:testdata/repos/small/api/ignoreCommit.go:aws-access-token:20
 

+ 15 - 6
detect/detect.go

@@ -147,7 +147,7 @@ func NewDetectorDefaultConfig() (*Detector, error) {
 }
 
 func (d *Detector) AddGitleaksIgnore(gitleaksIgnorePath string) error {
-	log.Debug().Msg("found .gitleaksignore file")
+	log.Debug().Msgf("found .gitleaksignore file: %s", gitleaksIgnorePath)
 	file, err := os.Open(gitleaksIgnorePath)
 
 	if err != nil {
@@ -598,16 +598,25 @@ func (d *Detector) Detect(fragment Fragment) []report.Finding {
 
 // addFinding synchronously adds a finding to the findings slice
 func (d *Detector) addFinding(finding report.Finding) {
-	if finding.Commit == "" {
-		finding.Fingerprint = fmt.Sprintf("%s:%s:%d", finding.File, finding.RuleID, finding.StartLine)
-	} else {
+	globalFingerprint := fmt.Sprintf("%s:%s:%d", finding.File, finding.RuleID, finding.StartLine)
+	if finding.Commit != "" {
 		finding.Fingerprint = fmt.Sprintf("%s:%s:%s:%d", finding.Commit, finding.File, finding.RuleID, finding.StartLine)
+	} else {
+		finding.Fingerprint = globalFingerprint
 	}
+
 	// check if we should ignore this finding
-	if _, ok := d.gitleaksIgnore[finding.Fingerprint]; ok {
-		log.Debug().Msgf("ignoring finding with Fingerprint %s",
+	if _, ok := d.gitleaksIgnore[globalFingerprint]; ok {
+		log.Debug().Msgf("ignoring finding with global Fingerprint %s",
 			finding.Fingerprint)
 		return
+	} else if finding.Commit != "" {
+		// Awkward nested if because I'm not sure how to chain these two conditions.
+		if _, ok := d.gitleaksIgnore[finding.Fingerprint]; ok {
+			log.Debug().Msgf("ignoring finding with Fingerprint %s",
+				finding.Fingerprint)
+			return
+		}
 	}
 
 	if d.baseline != nil && !IsNew(finding, d.baseline) {
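Review bot: The first ignore branch logs "ignoring finding with global Fingerprint %s" but formats `finding.Fingerprint`, which for a git finding is the commit-scoped value, so the debug line misreports which `.gitleaksignore` entry suppressed the finding; it should print `globalFingerprint`. The `else if` after a `return` and the nested `if` the comment calls awkward can be flattened into two sequential guards, since when `finding.Commit` is empty the two fingerprints are identical and the second lookup is a harmless repeat. It is also worth a comment that a SHA-less entry now matches the file/rule/line in every commit, because that is the behavioural change this commit introduces and the map lookups alone do not make it obvious. addFinding continues past the end of the hunk.
```go
	// Check if we should ignore this finding. A SHA-less (global) entry in
	// .gitleaksignore matches the file/rule/line in every commit; a
	// SHA-prefixed entry matches only that commit. When finding.Commit is
	// empty both keys are identical and the second lookup is a no-op repeat.
	if _, ok := d.gitleaksIgnore[globalFingerprint]; ok {
		log.Debug().Msgf("ignoring finding with global Fingerprint %s", globalFingerprint)
		return
	}
	if _, ok := d.gitleaksIgnore[finding.Fingerprint]; ok {
		log.Debug().Msgf("ignoring finding with Fingerprint %s", finding.Fingerprint)
		return
	}
	// … unchanged: baseline check and append …
```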

+ 40 - 1
detect/detect_test.go

@@ -6,6 +6,7 @@ import (
 	"path/filepath"
 	"testing"
 
+	"github.com/rs/zerolog/log"
 	"github.com/spf13/viper"
 	"github.com/stretchr/testify/assert"
 
@@ -474,6 +475,22 @@ func TestFromGit(t *testing.T) {
 			t.Error(err)
 		}
 		detector := NewDetector(cfg)
+
+		var ignorePath string
+		info, err := os.Stat(tt.source)
+		if err != nil {
+			log.Fatal().Err(err).Msg("could not call AddGitleaksIgnore")
+		}
+
+		if info.IsDir() {
+			ignorePath = filepath.Join(tt.source, ".gitleaksignore")
+		} else {
+			ignorePath = filepath.Join(filepath.Dir(tt.source), ".gitleaksignore")
+		}
+		if err = detector.AddGitleaksIgnore(ignorePath); err != nil {
+			log.Fatal().Err(err).Msg("could not call AddGitleaksIgnore")
+		}
+
 		findings, err := detector.DetectGit(tt.source, tt.logOpts, DetectType)
 		if err != nil {
 			t.Error(err)
@@ -554,7 +571,9 @@ func TestFromGitStaged(t *testing.T) {
 			t.Error(err)
 		}
 		detector := NewDetector(cfg)
-		detector.AddGitleaksIgnore(filepath.Join(tt.source, ".gitleaksignore"))
+		if err = detector.AddGitleaksIgnore(filepath.Join(tt.source, ".gitleaksignore")); err != nil {
+			log.Fatal().Err(err).Msg("could not call AddGitleaksIgnore")
+		}
 		findings, err := detector.DetectGit(tt.source, tt.logOpts, ProtectStagedType)
 		if err != nil {
 			t.Error(err)
@@ -617,6 +636,11 @@ func TestFromFiles(t *testing.T) {
 				},
 			},
 		},
+		{
+			source:           filepath.Join(repoBasePath, "nogit", "api.go"),
+			cfgName:          "simple",
+			expectedFindings: []report.Finding{},
+		},
 	}
 
 	for _, tt := range tests {
@@ -635,6 +659,21 @@ func TestFromFiles(t *testing.T) {
 		}
 		cfg, _ := vc.Translate()
 		detector := NewDetector(cfg)
+
+		var ignorePath string
+		info, err := os.Stat(tt.source)
+		if err != nil {
+			log.Fatal().Err(err).Msg("could not call AddGitleaksIgnore")
+		}
+
+		if info.IsDir() {
+			ignorePath = filepath.Join(tt.source, ".gitleaksignore")
+		} else {
+			ignorePath = filepath.Join(filepath.Dir(tt.source), ".gitleaksignore")
+		}
+		if err = detector.AddGitleaksIgnore(ignorePath); err != nil {
+			log.Fatal().Err(err).Msg("could not call AddGitleaksIgnore")
+		}
 		detector.FollowSymlinks = true
 		findings, err := detector.DetectFiles(tt.source)
 		if err != nil {
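Review bot: The new setup in TestFromGit and TestFromFiles (and the changed call in TestFromGitStaged) aborts the whole test binary with zerolog's `log.Fatal()`, which exits the process and loses the per-test report; inside a test this should be `t.Fatalf`. The failure of `os.Stat(tt.source)` is also reported as "could not call AddGitleaksIgnore", which names the wrong call. The stat-then-join block is duplicated verbatim in both tests, so a small helper removes both copies along with the new `github.com/rs/zerolog/log` import; since AddGitleaksIgnore returns the os.Open error, every test source must now have a `.gitleaksignore` beside it or the case fails instead of running without one — presumably intended, but worth stating on the helper. The enclosing test functions start and end outside the hunks.
```go
// addTestIgnore loads the .gitleaksignore located in source (a directory) or
// beside it (a file). Every test source is expected to ship one; a missing
// file fails the test rather than silently scanning without ignores.
func addTestIgnore(t *testing.T, d *Detector, source string) {
	t.Helper()
	info, err := os.Stat(source)
	if err != nil {
		t.Fatalf("stat %s: %v", source, err)
	}
	dir := source
	if !info.IsDir() {
		dir = filepath.Dir(source)
	}
	if err := d.AddGitleaksIgnore(filepath.Join(dir, ".gitleaksignore")); err != nil {
		t.Fatalf("AddGitleaksIgnore: %v", err)
	}
}

// … in TestFromGit / TestFromFiles, replacing the duplicated block …
		detector := NewDetector(cfg)
		addTestIgnore(t, detector, tt.source)
```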

+ 1 - 0
testdata/repos/nogit/.gitleaksignore

@@ -0,0 +1 @@
+../testdata/repos/nogit/api.go:aws-access-key:20
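Review bot: The path in this entry, `../testdata/repos/nogit/api.go`, is relative to the working directory of the `detect` test package rather than to the ignore file's own location, so it only matches when the finding's File field carries exactly that string. That appears to hold for the new DetectFiles case built from `filepath.Join(repoBasePath, "nogit", "api.go")`, assuming repoBasePath resolves to `../testdata/repos`, but scanning the same directory from anywhere else would yield a different File path and the entry would silently not match. A short comment in detect_test.go next to that test case, explaining that the fixture's ignore path is tied to the test cwd, would save the next maintainer from chasing an unexpected finding.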

+ 24 - 0
testdata/repos/nogit/api.go

@@ -0,0 +1,24 @@
+package main
+
+import "fmt"
+
+func main() {
+
+	var a = "initial"
+	fmt.Println(a)
+
+	var b, c int = 1, 2
+	fmt.Println(b, c)
+
+	var d = true
+	fmt.Println(d)
+
+	var e int
+	fmt.Println(e)
+
+	// opps I added a secret at line 20
+	awsToken := "AKIALALEMEL33243OLIA"
+
+	f := "apple"
+	fmt.Println(f)
+}

+ 2 - 0
testdata/repos/small/.gitleaksignore

@@ -0,0 +1,2 @@
+api/ignoreGlobal.go:aws-access-key:20
+53cd7a3c6eb4937f413e3c25e4a9f39289afa69e:api/ignoreCommit.go:aws-access-key:20

+ 24 - 0
testdata/repos/small/api/ignoreCommit.go

@@ -0,0 +1,24 @@
+package main
+
+import "fmt"
+
+func main() {
+
+	var a = "initial"
+	fmt.Println(a)
+
+	var b, c int = 1, 2
+	fmt.Println(b, c)
+
+	var d = true
+	fmt.Println(d)
+
+	var e int
+	fmt.Println(e)
+
+	// opps I added a secret at line 20
+	awsToken := "AKIALALEMEL33243OLIA"
+
+	f := "apple"
+	fmt.Println(f)
+}

+ 24 - 0
testdata/repos/small/api/ignoreGlobal.go

@@ -0,0 +1,24 @@
+package main
+
+import "fmt"
+
+func main() {
+
+	var a = "initial"
+	fmt.Println(a)
+
+	var b, c int = 1, 2
+	fmt.Println(b, c)
+
+	var d = true
+	fmt.Println(d)
+
+	var e int
+	fmt.Println(e)
+
+	// opps I added a secret at line 20
+	awsToken := "AKIALALEMEL33243OLIA"
+
+	f := "apple"
+	fmt.Println(f)
+}

+ 1 - 1
testdata/repos/small/dotGit/COMMIT_EDITMSG

@@ -1 +1 @@
-removing secret from foo package
+add .gitleaksignore test files

+ 1 - 1
testdata/repos/small/dotGit/ORIG_HEAD

@@ -1 +1 @@
-1b6da43b82b22e4eaa10bcf8ee591e91abbfc587
+cada78a9bf157ec05573f19e682d211f811c2e2d

BIN
testdata/repos/small/dotGit/index


+ 4 - 0
testdata/repos/small/dotGit/logs/HEAD

@@ -11,3 +11,7 @@ a122b33c6bad3ee54724f52f2caad385ab1982ab 1b6da43b82b22e4eaa10bcf8ee591e91abbfc58
 f1b58b97808f8e744f6a23c693859df5b5968901 2e1db472eeba53f06c4026ae4566ea022e36598e Zach Rice <zricer@protonmail.com> 1635897009 -0500	checkout: moving from foo to main
 2e1db472eeba53f06c4026ae4566ea022e36598e f1b58b97808f8e744f6a23c693859df5b5968901 Zach Rice <zricer@protonmail.com> 1635897062 -0500	checkout: moving from main to foo
 f1b58b97808f8e744f6a23c693859df5b5968901 2e1db472eeba53f06c4026ae4566ea022e36598e Zach Rice <zricer@protonmail.com> 1635897508 -0500	checkout: moving from foo to main
+2e1db472eeba53f06c4026ae4566ea022e36598e 4f77f1b3cc39d4b17e4cf4ba0a38f5daed9875b4 Richard Gomez <rmgomez368@gmail.com> 1681920523 -0400	commit: add .gitleaksignore test
+4f77f1b3cc39d4b17e4cf4ba0a38f5daed9875b4 cada78a9bf157ec05573f19e682d211f811c2e2d Richard Gomez <rmgomez368@gmail.com> 1681920658 -0400	commit (amend): add .gitleaksignore test
+cada78a9bf157ec05573f19e682d211f811c2e2d 2e1db472eeba53f06c4026ae4566ea022e36598e Richard Gomez <rmgomez368@gmail.com> 1681920730 -0400	reset: moving to HEAD~
+2e1db472eeba53f06c4026ae4566ea022e36598e 53cd7a3c6eb4937f413e3c25e4a9f39289afa69e Richard Gomez <rmgomez368@gmail.com> 1681920759 -0400	commit: add .gitleaksignore test files

+ 4 - 0
testdata/repos/small/dotGit/logs/refs/heads/main

@@ -1,2 +1,6 @@
 0000000000000000000000000000000000000000 1b6da43b82b22e4eaa10bcf8ee591e91abbfc587 Zach Rice <zricer@protonmail.com> 1635896329 -0500	clone: from github.com:gitleaks/test.git
 1b6da43b82b22e4eaa10bcf8ee591e91abbfc587 2e1db472eeba53f06c4026ae4566ea022e36598e Zach Rice <zricer@protonmail.com> 1635896648 -0500	pull origin main: Fast-forward
+2e1db472eeba53f06c4026ae4566ea022e36598e 4f77f1b3cc39d4b17e4cf4ba0a38f5daed9875b4 Richard Gomez <rmgomez368@gmail.com> 1681920523 -0400	commit: add .gitleaksignore test
+4f77f1b3cc39d4b17e4cf4ba0a38f5daed9875b4 cada78a9bf157ec05573f19e682d211f811c2e2d Richard Gomez <rmgomez368@gmail.com> 1681920658 -0400	commit (amend): add .gitleaksignore test
+cada78a9bf157ec05573f19e682d211f811c2e2d 2e1db472eeba53f06c4026ae4566ea022e36598e Richard Gomez <rmgomez368@gmail.com> 1681920730 -0400	reset: moving to HEAD~
+2e1db472eeba53f06c4026ae4566ea022e36598e 53cd7a3c6eb4937f413e3c25e4a9f39289afa69e Richard Gomez <rmgomez368@gmail.com> 1681920759 -0400	commit: add .gitleaksignore test files

BIN
testdata/repos/small/dotGit/objects/32/bfaec6697c1a693f71b183d3389ad2547bbb3c


BIN
testdata/repos/small/dotGit/objects/4f/77f1b3cc39d4b17e4cf4ba0a38f5daed9875b4


BIN
testdata/repos/small/dotGit/objects/53/cd7a3c6eb4937f413e3c25e4a9f39289afa69e


BIN
testdata/repos/small/dotGit/objects/8d/c20a62e189d3446cfb6ec328dbd379d64feb20


BIN
testdata/repos/small/dotGit/objects/98/1ab8417104c91bb9a4657f5d436c760c0aff50


BIN
testdata/repos/small/dotGit/objects/ac/bef43fdb053ec01e8e16697536d47853460cbc


+ 1 - 0
testdata/repos/small/dotGit/objects/ca/da78a9bf157ec05573f19e682d211f811c2e2d

@@ -0,0 +1 @@
+x•ÎAjÃ0…á®uй@Ãh$�e!»ì{ƒ±5±E-+(ʦ§¯½@v�>xs-%w >zS…$:YF±ŽÅy"�,G¢k�bbó�¦ûզɤ:IpwäÙ#±¨Ì*xpÇaŒjäÕ×Úà+Ï«´·Zôέ,Ãq¼.Eòvšk¹€åhGÂ@>Ñ#š£/»¾ç9Äo$%8-¹o*ßϼìµ)t}vó¸ÁLë

BIN
testdata/repos/small/dotGit/objects/da/eb160a13200a3422e73296a6892784a113e0d6


BIN
testdata/repos/small/dotGit/objects/df/7eaa59fc89b3e7258167605db2e582f1a78e6f


BIN
testdata/repos/small/dotGit/objects/fa/468655086f149d41a8e7db14ed054bebec7687


+ 1 - 1
testdata/repos/small/dotGit/refs/heads/main

@@ -1 +1 @@
-2e1db472eeba53f06c4026ae4566ea022e36598e
+53cd7a3c6eb4937f413e3c25e4a9f39289afa69e