Fix broken & inaccurate detector unit tests · trufflesecurity/trufflehog#3817

(7 评论) (0 反应) (1 负责人)Go (26,285 star) (2,397 fork)batch import

bugcontributions welcomedgood first issuepkg/detectors

描述

The detector unit tests were created by "reverse engineering" the patterns, thus they do not provide any real value or confirm how accurate the detectors are.

Additionally, the structure of the tests are (in my opinion) not maintainable as they are difficult to understand and do not reflect any realistic scenarios.

https://github.com/trufflesecurity/trufflehog/blob/def734a783b2d4542f2b353d326130d618f3c421/pkg/detectors/netsuite/netsuite_test.go#L14-L44

Examples

There are dozens, if not hundreds, of problematic test files. These are illustrative.

BombBomb

The "valid" tests for BombBomb do not match the detector's pattern.

https://github.com/trufflesecurity/trufflehog/blob/def734a783b2d4542f2b353d326130d618f3c421/pkg/detectors/bombbomb/bombbomb.go#L24

https://github.com/trufflesecurity/trufflehog/blob/def734a783b2d4542f2b353d326130d618f3c421/pkg/detectors/bombbomb/bombbomb_test.go#L15

Kraken

The "valid" pattern is nonsensical and not correct base64 encoding. The detector should not match this, that is a defect.

https://github.com/trufflesecurity/trufflehog/blob/def734a783b2d4542f2b353d326130d618f3c421/pkg/detectors/kraken/kraken_test.go#L16

https://support.kraken.com/hc/en-us/articles/360000919966-How-to-create-an-API-key

viewneo

A few hundred detectors contain tests tightly coupled to the current implementation of PrefixRegex. Any changes to the prefix pattern will break the detector tests, which seems inadvisable.

https://github.com/trufflesecurity/trufflehog/blob/def734a783b2d4542f2b353d326130d618f3c421/pkg/detectors/viewneo/viewneo_test.go#L38-L42

贡献者指南

技术栈: go
领域: testing
议题类型: bug
难度: 4
预计时间: 3-5 days
活动状态: active
清晰度: mostly clear
前置要求: Go programmingunderstanding of detector patternstest writing in Go
新手友好度: 25
研究方向: The issue identifies that detector unit tests across many files (e.g., pkg/detectors/netsuite/netsuite test.go, bombbomb test.go, kraken test.go, viewneo test.go) are inaccurate and tightly coupled to implementation details. First, review the examples provided to understand the specific problems: invalid test data, incorrect base64 encoding, and reliance on PrefixRegex. Then, investigate a subset of detectors to define a standard for valid test patterns that match real world credentials. After establishing a pattern, refactor the tests to be accurate and maintainable, and consider how to decouple them from internal regex changes. Do not fix all tests at once; propose a plan for incremental improvements and get maintainer feedback.