add snowflake detector #1653

Merged
merged 20 commits into from
Aug 24, 2023

@zubairk14 zubairk14 commented Aug 22, 2023

Resolves #1607

Description:

Explain the purpose of the PR.

  • Detect Snowflake secrets (compound URI of account, username, password)
  • Enrich Secret Result with account and databases that the secret has access to.

Checklist:

  • Tests passing (make test-community)?
  • Lint passing (make lint this requires golangci-lint)?

@zubairk14 zubairk14 requested a review from a team as a code owner August 22, 2023 21:13
@zubairk14 zubairk14 marked this pull request as draft August 22, 2023 21:14
@zubairk14 zubairk14 marked this pull request as ready for review August 22, 2023 22:51
@rosecodym rosecodym left a comment

in addition to my in-line comment, an indeterminate failure test would be nice if it's feasible

databases = append(databases, name)
}
s1.ExtraData["databases"] = strings.Join(databases, ", ")
s1.Verified = true
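
Review bot: Joining the names with ", " on the s1.ExtraData["databases"] line produces a single string in which a database name that itself contains ", " cannot be told apart from two names. If consumers are expected to split this value back into a list, consider an unambiguous encoding (for example a JSON array string) or document that the field is for display only.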
Collaborator

The presence of a verification error (which is possible above) signals that the detector wasn't able to determine whether the candidate credentials are valid. That's not really consistent with setting Verified to true (which means that we know that the credentials are valid) - the framework assumes that you won't combine those two things, so you shouldn't. I'm not sure what the best solution here is - maybe putting those error messages somewhere else in the Result payload?

(I know that making this fourth "verification state" mathematically possible but forbidding its use is kind of weird, but it's the price we pay for being able to migrate detectors gradually.)

Contributor Author

ahh - good point
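
The three usable verification states from the review thread above, with a database-listing failure kept as extra data instead of a verification error. This is an added example, not code from the PR or the project; `Result`, `State`, `Verify` and `errRejected` are hypothetical stand-ins, and the login and listing outcomes are passed in as constructed inputs.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Result is a hypothetical stand-in for a detector result, not the project's type.
type Result struct {
	Verified        bool
	VerificationErr error             // set only when validity could not be determined
	ExtraData       map[string]string // enrichment and non-fatal diagnostics
}

var errRejected = errors.New("authentication rejected") // constructed sentinel

// State names the three usable states and flags the forbidden fourth.
func State(r Result) string {
	switch {
	case r.Verified && r.VerificationErr != nil:
		return "invalid-combination"
	case r.Verified:
		return "verified"
	case r.VerificationErr != nil:
		return "indeterminate"
	}
	return "unverified"
}

// Verify maps a login outcome plus a database-listing outcome onto a Result.
func Verify(loginErr error, databases []string, listErr error) Result {
	r := Result{ExtraData: map[string]string{}}
	switch {
	case errors.Is(loginErr, errRejected): // definitive "no": unverified, no error
	case loginErr != nil: // network failure etc.: validity unknown
		r.VerificationErr = loginErr
	case listErr != nil: // login worked, enrichment failed: keep it as data
		r.Verified = true
		r.ExtraData["databases_error"] = listErr.Error()
	default:
		r.Verified = true
		r.ExtraData["databases"] = strings.Join(databases, ", ")
	}
	return r
}

func main() {
	fmt.Println(State(Verify(nil, nil, errors.New("query timed out"))))
}
```

The indeterminate case is the one an "indeterminate failure test" would exercise: a non-rejection login error must leave `Verified` false and the error set.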

@rosecodym rosecodym dismissed their stale review August 24, 2023 17:28

concerns addressed

@zubairk14 zubairk14 merged commit 5196463 into main Aug 24, 2023
9 checks passed
@zubairk14 zubairk14 deleted the snowflake branch August 24, 2023 17:29
Successfully merging this pull request may close these issues.

Request for Snowflake detector