newrelic · noahmmcgivern · Jan 23, 2024 · Dec 3, 2023 · Dec 3, 2023 · Dec 3, 2023
diff --git a/.github/workflows/testing.yml b/.github/workflows/testing.yml
@@ -56,6 +56,9 @@ jobs:
     steps:
       - name: Checkout sources
         uses: actions/checkout@v3
+        with:
+          #  git-scanning tests need entire git history to work
+          fetch-depth: 0
       - name: Install ${{ matrix.rust }}-${{ matrix.target }} toolchain
         uses: actions-rs/toolchain@v1
         with:

diff --git a/Cargo.toml b/Cargo.toml
@@ -7,7 +7,7 @@ members = [
 name = "rusty_hogs"
 version = "1.0.11"
 authors = ["Scott Cutler <scutler@newrelic.com>"]
-edition = "2018"
+edition = "2021"
 description = "This project provides a set of scanners that will use regular expressions to try and detect the presence of sensitive information such as API keys, passwords, and personal information. It includes a set of regular expressions by default, but will also accept a JSON object containing your custom regular expressions."
 homepage = "https://github.com/newrelic/rusty-hog"
 keywords = ["secret", "scanner", "regex", "rusty", "hog"]
@@ -18,38 +18,41 @@ license = "Apache-2.0"
 [dependencies]
 rusty_hog_scanner = { path = "crates/rusty-hog-scanner" }
 tokio = { version = "1", features = ["full"] }
-git2 = "0.13"
+git2 = "0.18"
 serde = "1.0"
 serde_json = "1.0"
 serde_derive = "^1"
-clap = "2"
+clap = "4"
 regex = "1"
 url = "2"
 tempdir = "0.3"
-base64 = "0.13"
+base64 = "0.21"
 log = "0.4"
-simple_logger = "1.11"
-simple-error = "0.2"
+simple_logger = "4.3"
+simple-error = "0.3"
 chrono = "0.4"
 encoding = "0.2"
 hex = "0.4"
-lambda_runtime = "0.3"
-rust-s3 = "0.26"
-google-drive3 = "2.0.4"
-hyper = "^0.14"
-hyper-rustls = "^0.22"
-yup-oauth2 = "^5.0"
+lambda_runtime = "0.8"
+rust-s3 = { version = "0.33", features = ["blocking"] }
+google-drive3 = "5.0"
+hyper = { version = "^0.14", features = ["client"] }
+hyper-rustls = "^0.24"
+yup-oauth2 = "^8.3"
 walkdir = "2"
-zip = "0.5"
+zip = "0.6"
 tar = "0.4"
 flate2 = "1.0"
 tempfile = "3.2"
-path-clean = "0.1.0"
+path-clean = "1.0"
 anyhow = "1.0"
 
 [dev-dependencies]
 escargot = "0.5.0"
 
 [profile.release]
 lto = true
-codegen-units = 1
+codegen-units = 1
+
+[package.metadata.cross.target.x86_64-unknown-linux-musl]
+dockerfile = "Dockerfile.lambda"
diff --git a/Dockerfile.lambda b/Dockerfile.lambda
@@ -0,0 +1,16 @@
+ARG CROSS_BASE_IMAGE
+FROM ${CROSS_BASE_IMAGE}
+# Note that we're assuming an Ubuntu-based image in all cases though
+
+ARG CFLAGS=""
+ARG LDFLAGS=""
+
+ARG OPENSSL_BUILD_VER=3.0.12
+RUN cd /usr/local/src/ && curl -sLO https://www.openssl.org/source/openssl-${OPENSSL_BUILD_VER}.tar.gz && \
+    tar xzvf openssl-${OPENSSL_BUILD_VER}.tar.gz && cd openssl-${OPENSSL_BUILD_VER} && \
+    CROSS_COMPILE="x86_64-linux-musl-" ./Configure --prefix=/usr/local/openssl-${OPENSSL_BUILD_VER} linux-x86_64 && make && make install
+
+ENV OPENSSL_DIR="/usr/local/openssl-${OPENSSL_BUILD_VER}"
+ENV OPENSSL_STATIC="/usr/local/openssl-${OPENSSL_BUILD_VER}/lib"
+ENV CFLAGS="${CFLAGS} -I/usr/local/openssl-${OPENSSL_BUILD_VER}/include"
+ENV LDFLAGS="${LDFLAGS} -L/usr/local/openssl-${OPENSSL_BUILD_VER}/lib64"
diff --git a/crates/rusty-hog-scanner/Cargo.toml b/crates/rusty-hog-scanner/Cargo.toml
@@ -7,11 +7,11 @@ edition = "2021"
 serde = "1.0"
 serde_json = "1.0"
 serde_derive = "^1"
-clap = "2"
-simple_logger = "1.11"
-simple-error = "0.2"
+clap = "4"
+simple_logger = "4.3"
+simple-error = "0.3"
 anyhow = "1.0"
 log = "0.4"
-base64 = "0.13"
+base64 = "0.21"
 regex = "1"
 hex = "0.4"
diff --git a/crates/rusty-hog-scanner/src/lib.rs b/crates/rusty-hog-scanner/src/lib.rs
@@ -65,10 +65,10 @@
 //! assert_eq!(secrets.pop().unwrap(), "Email address");
 //! ```
 
-#[macro_use]
 extern crate clap;
 
 use anyhow::Result;
+use base64::{engine::general_purpose as Base64Engine, Engine as _};
 use clap::ArgMatches;
 use log::{self, debug, error, info, LevelFilter};
 use regex::bytes::{Match, Matches, Regex, RegexBuilder};
@@ -372,26 +372,26 @@ impl SecretScannerBuilder {
     /// Configure multiple values using the clap library's `ArgMatches` object.
     /// This function looks for a "CASE" flag and "REGEX", "ALLOWLIST", "DEFAULT_ENTROPY_THRESHOLD" values.
     pub fn conf_argm(mut self, arg_matches: &ArgMatches) -> Self {
-        self.case_insensitive = arg_matches.is_present("CASE");
-        self.regex_json_path = match arg_matches.value_of("REGEX") {
+        self.case_insensitive = arg_matches.get_flag("CASE");
+        self.regex_json_path = match arg_matches.get_one::<String>("REGEX") {
             Some(s) => Some(String::from(s)),
             None => None,
         };
-        self.pretty_print = arg_matches.is_present("PRETTYPRINT");
-        self.output_path = match arg_matches.value_of("OUTPUT") {
+        self.pretty_print = arg_matches.get_flag("PRETTYPRINT");
+        self.output_path = match arg_matches.get_one::<String>("OUTPUT") {
             Some(s) => Some(String::from(s)),
             None => None,
         };
-        self.allowlist_json_path = match arg_matches.value_of("ALLOWLIST") {
+        self.allowlist_json_path = match arg_matches.get_one::<String>("ALLOWLIST") {
             Some(s) => Some(String::from(s)),
             None => None,
         };
         self.default_entropy_threshold =
-            match value_t!(arg_matches.value_of("DEFAULT_ENTROPY_THRESHOLD"), f32) {
-                Ok(t) => t,
-                Err(_) => DEFAULT_ENTROPY_THRESHOLD,
+            match arg_matches.get_one::<f32>("DEFAULT_ENTROPY_THRESHOLD") {
+                Some(t) => *t,
+                None => DEFAULT_ENTROPY_THRESHOLD,
             };
-        self.add_entropy_findings = arg_matches.is_present("ENTROPY");
+        self.add_entropy_findings = arg_matches.get_flag("ENTROPY");
         self
     }
 
@@ -838,11 +838,11 @@ impl SecretScanner {
         let b64_words: Vec<String> = words
             .iter()
             .filter(|word| word.len() >= 20 && Self::is_base64_string(word))
-            .filter_map(|x| base64::decode(x).ok())
+            .filter_map(|x| Base64Engine::STANDARD_NO_PAD.decode(x).ok())
             .filter(|word| {
                 Self::calc_normalized_entropy(word, Some(255), false) > entropy_threshold
             })
-            .map(|word| String::from(base64::encode(&word).as_str()))
+            .map(|word| String::from(Base64Engine::STANDARD_NO_PAD.encode(&word).as_str()))
             .collect();
         let hex_words: Vec<String> = words
             .iter() // there must be a better way
@@ -1048,12 +1048,12 @@ impl PartialEq for SecretScanner {
             && self.regex_map.keys().eq(other.regex_map.keys())
             && self.pretty_print == other.pretty_print
             && match self.output_path.as_ref() {
-            None => other.output_path.is_none(),
-            Some(s) => match other.output_path.as_ref() {
-                None => false,
-                Some(t) => *s == *t,
-            },
-        }
+                None => other.output_path.is_none(),
+                Some(s) => match other.output_path.as_ref() {
+                    None => false,
+                    Some(t) => *s == *t,
+                },
+            }
     }
 }
 
@@ -1109,7 +1109,7 @@ mod tests {
             not_so_secret_but_has_the_word_secret_and_is_long
         "#,
         )
-            .into_bytes();
+        .into_bytes();
         let output = SecretScanner::entropy_findings(test_string.as_slice(), 0.6);
         // println!("{:?}", output);
         assert_eq!(output.len(), 1);
@@ -1164,7 +1164,7 @@ mod tests {
             not_so_secret_but_has_the_word_secret_and_is_long
         "#,
         )
-            .into_bytes();
+        .into_bytes();
         let mut findings: Vec<(String, String)> = Vec::new();
         // Main loop - split the data based on newlines, then run get_matches() on each line,
         // then make a list of findings in output
@@ -1209,7 +1209,7 @@ mod tests {
             <text>@<text>
         "#,
         )
-            .into_bytes();
+        .into_bytes();
         let mut findings: Vec<(String, String)> = Vec::new();
         // Main loop - split the data based on newlines, then run get_matches() on each line,
         // then make a list of findings in output

diff --git a/src/aws_scanning.rs b/src/aws_scanning.rs
@@ -44,7 +44,7 @@
 //! let region: Region = Region::UsWest2;
 //! let bucket: Bucket = match Bucket::new(bucket_string, region, credentials) {
 //! Ok(r) => r,
-//! Err(e) => panic!(e)
+//! Err(e) => panic!("{}", e)
 //! };
 //! let results = s3s.scan_s3_file(bucket, "s3://testbucket1/727463.json").unwrap();
 //! assert_eq!(results.len(), 0);
@@ -53,11 +53,11 @@
 use encoding::all::ASCII;
 use encoding::{DecoderTrap, Encoding};
 use log::{self, error, trace};
+use rusty_hog_scanner::SecretScanner;
 use s3::bucket::Bucket;
 use serde_derive::{Deserialize, Serialize};
 use simple_error::SimpleError;
 use std::str;
-use rusty_hog_scanner::SecretScanner;
 
 #[derive(Serialize, Deserialize, Debug, PartialEq, Eq, Hash, Clone, Default)]
 /// `serde_json` object that represents a single found secret - finding
@@ -105,8 +105,8 @@ impl S3Scanner {
         let mut output: Vec<S3Finding> = Vec::new();
 
         // Get the actual data from S3
-        let (data, code) = match bucket.get_object_blocking(filepath) {
-            Ok(x) => (x.0, x.1),
+        let (code, data) = match bucket.get_object_blocking(filepath) {
+            Ok(x) => (x.status_code(), x.to_vec()),
             Err(e) => return Err(SimpleError::new(e.to_string())),
         };
         trace!("Code: {}\nData: {:?}", code, data);