
Prevent Yocto/BitBake false positives with generic-api-key rule (#1783)

* fix: make config template work when providing non-iota values for MatchCondition

https://pkg.go.dev/text/template#hdr-Actions

> {{with pipeline}} T1 {{end}}
>	If the value of the pipeline is empty, no output is generated;
>	otherwise, dot is set to the value of the pipeline and T1 is
>	executed.

Within the `with` block, dot is already bound to the `MatchCondition` value, so `.MatchCondition` must be omitted for the template to work. The bug was not triggered before because this is apparently the first allowlist that uses a non-default MatchCondition.

* feat: exclude false positive matches for Yocto/Bitbake from generic-api-key rule

Fixes #1775
Nikolas Grottendieck 1 год назад
Родитель
Сommit
991a940412
3 измененных файлов с 31 добавлено и 1 удалено
  1. 1 1
      cmd/generate/config/rules/config.tmpl
  2. 19 0
      cmd/generate/config/rules/generic.go
  3. 11 0
      config/gitleaks.toml

+ 1 - 1
cmd/generate/config/rules/config.tmpl

@@ -51,7 +51,7 @@ tags = [
     {{ range $j, $tag := . }}"{{ $tag }}",{{ end }}
 ]{{ end }}
 {{- with $rule.Allowlists }}{{ range $i, $allowlist := . }}{{ if or $allowlist.Regexes $allowlist.Paths $allowlist.Commits $allowlist.StopWords }}{{println}}[[rules.allowlists]]
-{{- with .MatchCondition }}{{println}}condition = "{{ .MatchCondition.String }}"{{ end }}
+{{- with .MatchCondition }}{{println}}condition = "{{ .String }}"{{ end }}
 {{- with .Commits -}}{{println}}commits = [
     {{ range $j, $commit := . }}"{{ $commit }}",{{ end }}
 ]{{ end }}

+ 19 - 0
cmd/generate/config/rules/generic.go

@@ -100,6 +100,21 @@ func GenericCredential() *config.Rule {
 					regexp.MustCompile(`--mount=type=secret,`),
 				},
 			},
+			{
+				MatchCondition: config.AllowlistMatchAnd,
+				RegexTarget:    "line",
+				Regexes: []*regexp.Regexp{
+					regexp.MustCompile(`LICENSE[^=]*=\s*"[^"]+`),
+					regexp.MustCompile(`LIC_FILES_CHKSUM[^=]*=\s*"[^"]+`),
+					regexp.MustCompile(`SRC[^=]*=\s*"[a-zA-Z0-9]+`),
+				},
+				Paths: []*regexp.Regexp{
+					regexp.MustCompile(`\.bb$`),
+					regexp.MustCompile(`\.bbappend$`),
+					regexp.MustCompile(`\.bbclass$`),
+					regexp.MustCompile(`\.inc$`),
+				},
+			},
 		},
 	}
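Review bot: The three regexes in the new allowlist are unanchored and use `[^=]*`, so with `RegexTarget: "line"` they match anywhere on the line — `SRC[^=]*=\s*"[a-zA-Z0-9]+` also covers assignments such as `MY_SRC_TOKEN = "..."`, and the `[^"]+` tail of the LICENSE patterns accepts any quoted value. The AND condition with the `.bb`/`.bbappend`/`.bbclass`/`.inc` path patterns bounds this to BitBake files, but a real credential assigned in such a recipe under a variable whose name contains `SRC` or `LICENSE` would be suppressed; anchoring to the start of the assignment, e.g. `^\s*SRC[^=]*=\s*"[a-zA-Z0-9]+` (and likewise for the two LICENSE patterns), keeps the match to BitBake-style variable assignments. The new allowlist entry also carries no explanation of what it is for; a comment above the literal such as `// Yocto/BitBake recipe metadata: LICENSE, LIC_FILES_CHKSUM and SRC* assignments are not secrets` would mirror the `// Yocto/BitBake` label used in the test cases later in this file. The enclosing GenericCredential function begins before this hunk.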
 
@@ -250,6 +265,10 @@ R5: Regulatory--21`,
 DYNATRACE_API_KEY=`,
 		`snowflake.password=
 jdbc.snowflake.url=`,
+
+		// Yocto/BitBake
+		`SRCREV_moby = "43fc912ef59a83054ea7f6706df4d53a7dea4d80"`,
+		`LIC_FILES_CHKSUM = "file://${WORKDIR}/license.html;md5=5c94767cedb5d6987c902ac850ded2c6"`,
 	}
 	return utils.Validate(r, tps, fps)
 }
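Review bot: The two new false-positive cases cover only `SRCREV` and `LIC_FILES_CHKSUM`; there is no `LICENSE = "..."` line for the first regex of the new allowlist, and no true-positive case showing that a generic-looking secret in a BitBake file is still reported, so a regression that over-widens the allowlist would pass unnoticed. Because the allowlist uses the AND condition with path patterns, it can only apply if the validation helper attaches a file path to the fragment — I cannot tell from here whether `utils.Validate` does, so please confirm, or use a path-aware validation helper if the package provides one. Adding `LICENSE = "MIT"` to the false positives and a BitBake-pathed true positive would pin the intended behaviour. The enclosing function and the tps/fps declarations start before this hunk.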

+ 11 - 0
config/gitleaks.toml

@@ -2077,6 +2077,17 @@ regexTarget = "line"
 regexes = [
     '''--mount=type=secret,''',
 ]
+[[rules.allowlists]]
+condition = "AND"
+paths = [
+    '''\.bb$''','''\.bbappend$''','''\.bbclass$''','''\.inc$''',
+]
+regexTarget = "line"
+regexes = [
+    '''LICENSE[^=]*=\s*"[^"]+''',
+    '''LIC_FILES_CHKSUM[^=]*=\s*"[^"]+''',
+    '''SRC[^=]*=\s*"[a-zA-Z0-9]+''',
+]
 
 [[rules]]
 id = "github-app-token"