
fix(baseline): work with --redact (#1741)

Richard Gomez 10 mesi fa
parent
commit
b6cc71aa3a
3 ha cambiato i file con 119 aggiunte e 29 eliminazioni
  1. 12 14
      detect/baseline.go
  2. 106 14
      detect/baseline_test.go
  3. 1 1
      detect/detect.go

+ 12 - 14
detect/baseline.go

@@ -9,27 +9,25 @@ import (
 	"github.com/zricethezav/gitleaks/v8/report"
 )
 
-func IsNew(finding report.Finding, baseline []report.Finding) bool {
+func IsNew(finding report.Finding, redact uint, baseline []report.Finding) bool {
 	// Explicitly testing each property as it gives significantly better performance in comparison to cmp.Equal(). Drawback is that
 	// the code requires maintenance if/when the Finding struct changes
 	for _, b := range baseline {
-
-		if finding.Author == b.Author &&
-			finding.Commit == b.Commit &&
-			finding.Date == b.Date &&
+		if finding.RuleID == b.RuleID &&
 			finding.Description == b.Description &&
-			finding.Email == b.Email &&
-			finding.EndColumn == b.EndColumn &&
+			finding.StartLine == b.StartLine &&
 			finding.EndLine == b.EndLine &&
-			finding.Entropy == b.Entropy &&
+			finding.StartColumn == b.StartColumn &&
+			finding.EndColumn == b.EndColumn &&
+			(redact > 0 || (finding.Match == b.Match && finding.Secret == b.Secret)) &&
 			finding.File == b.File &&
-			// Omit checking finding.Fingerprint - if the format of the fingerprint changes, the users will see unexpected behaviour
-			finding.Match == b.Match &&
+			finding.Commit == b.Commit &&
+			finding.Author == b.Author &&
+			finding.Email == b.Email &&
+			finding.Date == b.Date &&
 			finding.Message == b.Message &&
-			finding.RuleID == b.RuleID &&
-			finding.Secret == b.Secret &&
-			finding.StartColumn == b.StartColumn &&
-			finding.StartLine == b.StartLine {
+			// Omit checking finding.Fingerprint - if the format of the fingerprint changes, the users will see unexpected behaviour
+			finding.Entropy == b.Entropy {
 			return false
 		}
 	}
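Review bot: The `redact > 0` guard on the Match/Secret comparison only covers a redacted current scan checked against an unredacted baseline; the reverse direction — a baseline file that was itself written by a run using --redact, then a scan without it — still compares the finding's real Match/Secret against the baseline's placeholder (the test fixtures in baseline_test.go use the literal "REDACTED"), so presumably every baselined finding resurfaces as new. The function has no doc comment stating this contract; I'd add `// IsNew reports whether finding is absent from baseline. When redact > 0, Match and Secret are not compared because the finding's copies are redacted; a baseline that was itself written with --redact is not recognised.` Note too that once Match/Secret are skipped, the position fields plus Entropy are the only content discriminators left, so with redaction on a rotated secret at the same file/line/column whose Shannon entropy happens to coincide would be silently suppressed — rare, but worth a sentence in the same comment. IsNew's closing `return true` lies outside this hunk.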

+ 106 - 14
detect/baseline_test.go

@@ -11,59 +11,150 @@ import (
 )
 
 func TestIsNew(t *testing.T) {
-	tests := []struct {
+	t.Parallel()
+	tests := map[string]struct {
 		findings report.Finding
+		redact   uint
 		baseline []report.Finding
 		expect   bool
 	}{
-		{
+		// new
+		"new - commit doesn't match baseline": {
 			findings: report.Finding{
-				Author: "a",
 				Commit: "0000",
+				Author: "a",
 			},
 			baseline: []report.Finding{
 				{
+					Commit: "0002",
 					Author: "a",
-					Commit: "0000",
 				},
 			},
-			expect: false,
+			expect: true,
 		},
-		{
+		"new - redacted, different baseline": {
 			findings: report.Finding{
-				Author: "a",
-				Commit: "0000",
+				RuleID:      "private-key",
+				Description: "Identified a Private Key, which may compromise cryptographic security and sensitive data encryption.",
+				StartLine:   1,
+				EndLine:     15,
+				StartColumn: 1,
+				EndColumn:   30,
+				Match:       "REDACTED",
+				Secret:      "REDACTED",
+				File:        "key.txt",
+				Commit:      "6d3ba1f7653822c0f8ac9a9af56daaa2cd8bbcad",
+				Entropy:     5.9834013,
+				Author:      "James Bond",
+				Email:       "jbond@gov.co.uk",
+				Date:        "2025-03-02T15:10:40Z",
+				Message:     "init",
+				Fingerprint: "6d3ba1f7653822c0f8ac9a9af56daaa2cd8bbcad:key.txt:private-key:1",
 			},
 			baseline: []report.Finding{
 				{
-					Author: "a",
-					Commit: "0002",
+					RuleID:      "private-key",
+					Description: "Identified a Private Key, which may compromise cryptographic security and sensitive data encryption.",
+					StartLine:   1,
+					EndLine:     15,
+					StartColumn: 1,
+					EndColumn:   30,
+					Match:       "-----BEGIN RSA PRIVATE KEY-----\nMIICWgIBAAKBgFIckgeuo80H6skLd1FKYfJC75/tnmtDWO4Rf2AFqrYZdu71VKGR\noGfEVl7AmvxTd9u6tnPtWjAeu9k2VMQcOtXEwgU0A6H09EBcS1EVN/I8pcNw1qjO\nkJ7ZA8AhZk/OpVAK7665CEny7ISRNZnx1nPaHjlb8lebPzlWOvxX9wjbAgMBAAEC\ngYBN6wqv+4s4juC/cwAAxeL4L4iQbL497yS+lSAYEIiUUMnJrEhpIXXjwi5rr73i\n35oHisCEdaF1tFRxpNr/VgKFsM1KqQUZvCVRE9Rokfe23QkQDvcxh9CI/Ah9Eofp\nx/m5DjSsRKrbIpOOAC3J3B/s02HRmxy8tRYnQVqWXzAH8QJBAJdBgXi62KI1eytU\n7l3Q8ymkS1OHzSOGBEYPpZZQ7WRpZlv/06cKfJBT/dGgA4z9i9ySs8cWUoh+FGYX\nlkDB4c0CQQCK+TwfAFvrkSWorZ9Gjb6y2LZQPUufTzJNhzhK5XObCDbwyMXEM/Vs\newiyUFljlI/A9PjcrmkgrDLUMD4+og1HAkAs2t01W1uhBvEm0YH6yltCDxnThKM+\nFKEx0bQOVqN/so4LXFt83uw/tNjBkI1dA1e1qr+rm6AQICuWdwo03ApFAkBktes4\nuCTk2GHHFFM5aN0KdHviOBlGULkub9B+jjsx3UkbQxP2dITlYV/TAOFWhcGLXru+\nCPKMR93p4TAqaXtfAkA+ZZDb0mA9rtaetJlSoo6XgwI/+kqltADch9dcyqYBHwjr\nAEkzUKvmCxNAK4GEPA79FZFp30kDx+buysyeX9qY\n-----END RSA PRIVATE KEY-----",
+					Secret:      "-----BEGIN RSA PRIVATE KEY-----\nMIICWgIBAAKBgFIckgeuo80H6skLd1FKYfJC75/tnmtDWO4Rf2AFqrYZdu71VKGR\noGfEVl7AmvxTd9u6tnPtWjAeu9k2VMQcOtXEwgU0A6H09EBcS1EVN/I8pcNw1qjO\nkJ7ZA8AhZk/OpVAK7665CEny7ISRNZnx1nPaHjlb8lebPzlWOvxX9wjbAgMBAAEC\ngYBN6wqv+4s4juC/cwAAxeL4L4iQbL497yS+lSAYEIiUUMnJrEhpIXXjwi5rr73i\n35oHisCEdaF1tFRxpNr/VgKFsM1KqQUZvCVRE9Rokfe23QkQDvcxh9CI/Ah9Eofp\nx/m5DjSsRKrbIpOOAC3J3B/s02HRmxy8tRYnQVqWXzAH8QJBAJdBgXi62KI1eytU\n7l3Q8ymkS1OHzSOGBEYPpZZQ7WRpZlv/06cKfJBT/dGgA4z9i9ySs8cWUoh+FGYX\nlkDB4c0CQQCK+TwfAFvrkSWorZ9Gjb6y2LZQPUufTzJNhzhK5XObCDbwyMXEM/Vs\newiyUFljlI/A9PjcrmkgrDLUMD4+og1HAkAs2t01W1uhBvEm0YH6yltCDxnThKM+\nFKEx0bQOVqN/so4LXFt83uw/tNjBkI1dA1e1qr+rm6AQICuWdwo03ApFAkBktes4\nuCTk2GHHFFM5aN0KdHviOBlGULkub9B+jjsx3UkbQxP2dITlYV/TAOFWhcGLXru+\nCPKMR93p4TAqaXtfAkA+ZZDb0mA9rtaetJlSoo6XgwI/+kqltADch9dcyqYBHwjr\nAEkzUKvmCxNAK4GEPA79FZFp30kDx+buysyeX9qY\n-----END RSA PRIVATE KEY-----",
+					File:        "key.txt",
+					Commit:      "e55e00ca1690a6b5b612d28b3d9ada3fd1775ac4",
+					Entropy:     5.9834013,
+					Author:      "James Bond",
+					Email:       "jbond@gov.co.uk",
+					Date:        "2025-02-02T17:45:30Z",
+					Message:     "init",
+					Fingerprint: "e55e00ca1690a6b5b612d28b3d9ada3fd1775ac4:key.txt:private-key:1",
 				},
 			},
 			expect: true,
 		},
-		{
+
+		// not new
+		"not new - commit+author matches": {
 			findings: report.Finding{
+				Commit: "0000",
 				Author: "a",
+			},
+			baseline: []report.Finding{
+				{
+					Commit: "0000",
+					Author: "a",
+				},
+			},
+			expect: false,
+		},
+		"not new - commit+author matches, tags ignored": {
+			findings: report.Finding{
 				Commit: "0000",
+				Author: "a",
 				Tags:   []string{"a", "b"},
 			},
 			baseline: []report.Finding{
 				{
-					Author: "a",
 					Commit: "0000",
+					Author: "a",
 					Tags:   []string{"a", "c"},
 				},
 			},
 			expect: false, // Updated tags doesn't make it a new finding
 		},
+		"not new - redacted, everything else matches": {
+			findings: report.Finding{
+				RuleID:      "private-key",
+				Description: "Identified a Private Key, which may compromise cryptographic security and sensitive data encryption.",
+				StartLine:   1,
+				EndLine:     15,
+				StartColumn: 1,
+				EndColumn:   30,
+				Match:       "REDACTED",
+				Secret:      "REDACTED",
+				File:        "key.txt",
+				Commit:      "e55e00ca1690a6b5b612d28b3d9ada3fd1775ac4",
+				Entropy:     5.9834013,
+				Author:      "James Bond",
+				Email:       "jbond@gov.co.uk",
+				Date:        "2025-02-02T17:45:30Z",
+				Message:     "init",
+				Fingerprint: "e55e00ca1690a6b5b612d28b3d9ada3fd1775ac4:key.txt:private-key:1",
+			},
+			redact: 100,
+			baseline: []report.Finding{
+				{
+					RuleID:      "private-key",
+					Description: "Identified a Private Key, which may compromise cryptographic security and sensitive data encryption.",
+					StartLine:   1,
+					EndLine:     15,
+					StartColumn: 1,
+					EndColumn:   30,
+					Match:       "-----BEGIN RSA PRIVATE KEY-----\nMIICWgIBAAKBgFIckgeuo80H6skLd1FKYfJC75/tnmtDWO4Rf2AFqrYZdu71VKGR\noGfEVl7AmvxTd9u6tnPtWjAeu9k2VMQcOtXEwgU0A6H09EBcS1EVN/I8pcNw1qjO\nkJ7ZA8AhZk/OpVAK7665CEny7ISRNZnx1nPaHjlb8lebPzlWOvxX9wjbAgMBAAEC\ngYBN6wqv+4s4juC/cwAAxeL4L4iQbL497yS+lSAYEIiUUMnJrEhpIXXjwi5rr73i\n35oHisCEdaF1tFRxpNr/VgKFsM1KqQUZvCVRE9Rokfe23QkQDvcxh9CI/Ah9Eofp\nx/m5DjSsRKrbIpOOAC3J3B/s02HRmxy8tRYnQVqWXzAH8QJBAJdBgXi62KI1eytU\n7l3Q8ymkS1OHzSOGBEYPpZZQ7WRpZlv/06cKfJBT/dGgA4z9i9ySs8cWUoh+FGYX\nlkDB4c0CQQCK+TwfAFvrkSWorZ9Gjb6y2LZQPUufTzJNhzhK5XObCDbwyMXEM/Vs\newiyUFljlI/A9PjcrmkgrDLUMD4+og1HAkAs2t01W1uhBvEm0YH6yltCDxnThKM+\nFKEx0bQOVqN/so4LXFt83uw/tNjBkI1dA1e1qr+rm6AQICuWdwo03ApFAkBktes4\nuCTk2GHHFFM5aN0KdHviOBlGULkub9B+jjsx3UkbQxP2dITlYV/TAOFWhcGLXru+\nCPKMR93p4TAqaXtfAkA+ZZDb0mA9rtaetJlSoo6XgwI/+kqltADch9dcyqYBHwjr\nAEkzUKvmCxNAK4GEPA79FZFp30kDx+buysyeX9qY\n-----END RSA PRIVATE KEY-----",
+					Secret:      "-----BEGIN RSA PRIVATE KEY-----\nMIICWgIBAAKBgFIckgeuo80H6skLd1FKYfJC75/tnmtDWO4Rf2AFqrYZdu71VKGR\noGfEVl7AmvxTd9u6tnPtWjAeu9k2VMQcOtXEwgU0A6H09EBcS1EVN/I8pcNw1qjO\nkJ7ZA8AhZk/OpVAK7665CEny7ISRNZnx1nPaHjlb8lebPzlWOvxX9wjbAgMBAAEC\ngYBN6wqv+4s4juC/cwAAxeL4L4iQbL497yS+lSAYEIiUUMnJrEhpIXXjwi5rr73i\n35oHisCEdaF1tFRxpNr/VgKFsM1KqQUZvCVRE9Rokfe23QkQDvcxh9CI/Ah9Eofp\nx/m5DjSsRKrbIpOOAC3J3B/s02HRmxy8tRYnQVqWXzAH8QJBAJdBgXi62KI1eytU\n7l3Q8ymkS1OHzSOGBEYPpZZQ7WRpZlv/06cKfJBT/dGgA4z9i9ySs8cWUoh+FGYX\nlkDB4c0CQQCK+TwfAFvrkSWorZ9Gjb6y2LZQPUufTzJNhzhK5XObCDbwyMXEM/Vs\newiyUFljlI/A9PjcrmkgrDLUMD4+og1HAkAs2t01W1uhBvEm0YH6yltCDxnThKM+\nFKEx0bQOVqN/so4LXFt83uw/tNjBkI1dA1e1qr+rm6AQICuWdwo03ApFAkBktes4\nuCTk2GHHFFM5aN0KdHviOBlGULkub9B+jjsx3UkbQxP2dITlYV/TAOFWhcGLXru+\nCPKMR93p4TAqaXtfAkA+ZZDb0mA9rtaetJlSoo6XgwI/+kqltADch9dcyqYBHwjr\nAEkzUKvmCxNAK4GEPA79FZFp30kDx+buysyeX9qY\n-----END RSA PRIVATE KEY-----",
+					File:        "key.txt",
+					Commit:      "e55e00ca1690a6b5b612d28b3d9ada3fd1775ac4",
+					Entropy:     5.9834013,
+					Author:      "James Bond",
+					Email:       "jbond@gov.co.uk",
+					Date:        "2025-02-02T17:45:30Z",
+					Message:     "init",
+					Fingerprint: "e55e00ca1690a6b5b612d28b3d9ada3fd1775ac4:key.txt:private-key:1",
+				},
+			},
+			expect: false,
+		},
 	}
-	for _, test := range tests {
-		assert.Equal(t, test.expect, IsNew(test.findings, test.baseline))
+	for name, test := range tests {
+		t.Run(name, func(t *testing.T) {
+			assert.Equal(t, test.expect, IsNew(test.findings, test.redact, test.baseline))
+		})
 	}
 }
 
 func TestFileLoadBaseline(t *testing.T) {
+	t.Parallel()
 	tests := []struct {
 		Filename      string
 		ExpectedError error
@@ -89,6 +180,7 @@ func TestFileLoadBaseline(t *testing.T) {
 }
 
 func TestIgnoreIssuesInBaseline(t *testing.T) {
+	t.Parallel()
 	tests := []struct {
 		findings    []report.Finding
 		baseline    []report.Finding
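Review bot: The case named "new - redacted, different baseline" never sets `redact`, so it runs the unredacted path and passes on the Commit/Date mismatch alone; it does not exercise the new `redact > 0` branch, and no case pins that Match/Secret are still compared when redact is 0 — drop the Match/Secret comparison from IsNew entirely and this table still passes. I'd add `redact: 100,` to that case and a further case such as "new - unredacted, secret differs", whose finding and baseline agree on every field except Match/Secret with redact left at 0, expecting true. That is the regression guard that matters for a secrets scanner: the baseline must not suppress a different secret at the same location when the values are available for comparison.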

+ 1 - 1
detect/detect.go

@@ -603,7 +603,7 @@ func (d *Detector) AddFinding(finding report.Finding) {
 		}
 	}
 
-	if d.baseline != nil && !IsNew(finding, d.baseline) {
+	if d.baseline != nil && !IsNew(finding, d.Redact, d.baseline) {
 		logger.Debug().
 			Str("fingerprint", finding.Fingerprint).
 			Msgf("skipping finding: baseline")