STRLCPY/syft

fix: update config struct to not decode password/key (#1538)

* fix: update config struct to not decode password/key
* test: update tests to confirm no secrets in output

Signed-off-by: Christopher Phillips <[email protected]>
---------

Signed-off-by: Christopher Phillips <[email protected]>

Christopher Angelo Phillips committed with GitHub 1 year ago

9995950c

1 parent b6a496f1

Revision indexing in progress... (symbol navigation in revisions will be accurate after indexed)

Total 2 files Show one by one

■ ■ ■ ■ ■ ■

internal/config/attest.go

		skipped 2 lines
3	3		import "github.com/spf13/viper"
4	4
5	5		type attest struct {
6		-	Key string `yaml:"key" json:"key" mapstructure:"key"`
7		-	Password string `yaml:"password" json:"password" mapstructure:"password"`
	6	+	// IMPORTANT: do not show the attestation key/password in any YAML/JSON output (sensitive information)
	7	+	Key string `yaml:"-" json:"-" mapstructure:"key"`
	8	+	Password string `yaml:"-" json:"-" mapstructure:"password"`
8	9		}
9	10
10	11		func (cfg attest) loadDefaultValues(v *viper.Viper) {
		skipped 4 lines

■ ■ ■ ■ ■ ■

test/cli/packages_cmd_test.go

		skipped 228 lines
229	229		assertSuccessfulReturnCode,
230	230		},
231	231		},
	232	+	{
	233	+	name: "password and key not in config output",
	234	+	args: []string{"packages", "-vvv", "-o", "json", coverageImage},
	235	+	env: map[string]string{
	236	+	"SYFT_ATTEST_PASSWORD": "secret_password",
	237	+	"SYFT_ATTEST_KEY": "secret_key_path",
	238	+	},
	239	+	assertions: []traitAssertion{
	240	+	assertNotInOutput("secret_password"),
	241	+	assertNotInOutput("secret_key_path"),
	242	+	assertPackageCount(34),
	243	+	assertSuccessfulReturnCode,
	244	+	},
	245	+	},
232	246		}
233	247
234	248		for _, test := range tests {
		skipped 100 lines