From b5e7147417f8ad9dfe3ec69d961293cecbc9a72d Mon Sep 17 00:00:00 2001 From: za Date: Mon, 22 Jan 2024 10:00:57 +0700 Subject: [PATCH 1/5] issue 1193: update trufflehog command on the challenge 1 hint doc because with previous command it's not showing the result. Trufflehog needs to scan the filesystem and use generic detector from the example. Note: it's suggested to use the latest Trufflehog version. When this commit was made, the latest version is: 3.63.10 --- src/main/resources/explanations/challenge1_hint.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/resources/explanations/challenge1_hint.adoc b/src/main/resources/explanations/challenge1_hint.adoc index facd18ac5..b8b6e2c9e 100644 --- a/src/main/resources/explanations/challenge1_hint.adoc +++ b/src/main/resources/explanations/challenge1_hint.adoc @@ -21,4 +21,4 @@ You can solve this challenge by the following steps: 4. You can scan the repository with https://github.com/trufflesecurity/trufflehog[*Trufflehog*]. - Clone the repo with `git clone https://github.com/OWASP/wrongsecrets`. - Follow the instructions https://github.com/trufflesecurity/trufflehog[here] to install Trufflehog. -- Scan the files using `trufflehog . | grep password` and the password will be in the output. +- Scan the files using `trufflehog filesystem --config=$TRUFFLEHOG_DIR/examples/generic.yml . | grep password` and the password will be in the output. From 1863366b49f4cd37d6b2faabef16ed06331094d2 Mon Sep 17 00:00:00 2001 From: za Date: Mon, 22 Jan 2024 10:35:26 +0700 Subject: [PATCH 2/5] Issue 1193: it seems there's no simple command to scan for generic pattern we need to download the generic detector provided by trufflehog https://github.com/trufflesecurity/trufflehog/tree/4afc224c635d10e732119f715f93788af1502ce4/examples#generic-detector --- src/main/resources/explanations/challenge1_hint.adoc | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
diff --git a/src/main/resources/explanations/challenge1_hint.adoc b/src/main/resources/explanations/challenge1_hint.adoc index b8b6e2c9e..cbedf3a5a 100644 --- a/src/main/resources/explanations/challenge1_hint.adoc +++ b/src/main/resources/explanations/challenge1_hint.adoc @@ -21,4 +21,6 @@ You can solve this challenge by the following steps: 4. You can scan the repository with https://github.com/trufflesecurity/trufflehog[*Trufflehog*]. - Clone the repo with `git clone https://github.com/OWASP/wrongsecrets`. - Follow the instructions https://github.com/trufflesecurity/trufflehog[here] to install Trufflehog. -- Scan the files using `trufflehog filesystem --config=$TRUFFLEHOG_DIR/examples/generic.yml . | grep password` and the password will be in the output. +- How to download trufflehog https://github.com/trufflesecurity/trufflehog/blob/4afc224c635d10e732119f715f93788af1502ce4/examples/README.md[generic detector] file +- Download trufflehog generic detector `wget https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/examples/generic.yml`. +- Scan the files using `trufflehog filesystem --config=$PWD/generic.yml . | grep password` and the password will be in the output. From 3760a17beaa6772d37cff5393288311b741cc5e7 Mon Sep 17 00:00:00 2001 From: za Date: Tue, 23 Jan 2024 09:43:27 +0700 Subject: [PATCH 3/5] Update src/main/resources/explanations/challenge1_hint.adoc as suggested by commjoen Co-authored-by: Jeroen Willemsen --- src/main/resources/explanations/challenge1_hint.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/resources/explanations/challenge1_hint.adoc b/src/main/resources/explanations/challenge1_hint.adoc index cbedf3a5a..a6ff0228b 100644 --- a/src/main/resources/explanations/challenge1_hint.adoc +++ b/src/main/resources/explanations/challenge1_hint.adoc 
@@ -21,6 +21,6 @@ You can solve this challenge by the following steps: 4. You can scan the repository with https://github.com/trufflesecurity/trufflehog[*Trufflehog*]. - Clone the repo with `git clone https://github.com/OWASP/wrongsecrets`. - Follow the instructions https://github.com/trufflesecurity/trufflehog[here] to install Trufflehog. -- How to download trufflehog https://github.com/trufflesecurity/trufflehog/blob/4afc224c635d10e732119f715f93788af1502ce4/examples/README.md[generic detector] file +- Follow these instructions to download the https://github.com/trufflesecurity/trufflehog/blob/4afc224c635d10e732119f715f93788af1502ce4/examples/README.md[generic detector] file - Download trufflehog generic detector `wget https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/examples/generic.yml`. - Scan the files using `trufflehog filesystem --config=$PWD/generic.yml . | grep password` and the password will be in the output. From e7b058dcf3ca90aa78c062cf6b2e5a856154d889 Mon Sep 17 00:00:00 2001 From: za Date: Tue, 23 Jan 2024 09:44:41 +0700 Subject: [PATCH 4/5] Update src/main/resources/explanations/challenge1_hint.adoc Added trufflehog version 2 which can be installed using pip. Note: trufflehog version 2 was released > 5 years ago and no longer maintaned. Co-authored-by: Jeroen Willemsen --- src/main/resources/explanations/challenge1_hint.adoc | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/main/resources/explanations/challenge1_hint.adoc b/src/main/resources/explanations/challenge1_hint.adoc index a6ff0228b..c8e15203e 100644 --- a/src/main/resources/explanations/challenge1_hint.adoc +++ b/src/main/resources/explanations/challenge1_hint.adoc 
@@ -24,3 +24,7 @@ You can solve this challenge by the following steps: - Follow these instructions to download the https://github.com/trufflesecurity/trufflehog/blob/4afc224c635d10e732119f715f93788af1502ce4/examples/README.md[generic detector] file - Download trufflehog generic detector `wget https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/examples/generic.yml`. - Scan the files using `trufflehog filesystem --config=$PWD/generic.yml . | grep password` and the password will be in the output. + +5. Alternativel you can use the older Trufflehog 2: +- Have python and pip3 installed, and run `pip3 install trufflehog` to install Trufflehog 2. +- Scan the files using `trufflehog . | grep password` and the password will be in the output. From 69f12163b63f5151b9c679f0fc8e19798a85b235 Mon Sep 17 00:00:00 2001 From: za Date: Tue, 23 Jan 2024 09:49:11 +0700 Subject: [PATCH 5/5] Fix typo and adding note on trufflehog version 2 So the reader aware of the trufflehog version 2 situation. --- src/main/resources/explanations/challenge1_hint.adoc | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/main/resources/explanations/challenge1_hint.adoc b/src/main/resources/explanations/challenge1_hint.adoc index c8e15203e..bc1b53415 100644 --- a/src/main/resources/explanations/challenge1_hint.adoc +++ b/src/main/resources/explanations/challenge1_hint.adoc 
@@ -25,6 +25,7 @@ You can solve this challenge by the following steps: - Download trufflehog generic detector `wget https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/examples/generic.yml`. - Scan the files using `trufflehog filesystem --config=$PWD/generic.yml . | grep password` and the password will be in the output. -5. Alternativel you can use the older Trufflehog 2: +5. Alternative, you can use the older Trufflehog 2: - Have python and pip3 installed, and run `pip3 install trufflehog` to install Trufflehog 2. - Scan the files using `trufflehog . | grep password` and the password will be in the output. +- Please note that Trufflehog 2 was released [> 5 years ago](https://github.com/trufflesecurity/trufflehog/tags?after=v3.0.0) and no longer [maintained](https://github.com/trufflesecurity/trufflehog/issues/2328).
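Review bot: in PATCH 1/5 the added hint line `trufflehog filesystem --config=$TRUFFLEHOG_DIR/examples/generic.yml . | grep password` relies on a `$TRUFFLEHOG_DIR` variable that the hint never defines, and a reader who installed Trufflehog from a release binary (per the install link in the preceding bullet) has no `examples/` directory at all, so the command fails with a missing config file. The commit message also states that the command needs a current release ("the latest version is: 3.63.10"), but that requirement does not appear in the hint text; state the minimum version in the bullet rather than only in the commit message. Both points are largely resolved by the wget approach in PATCH 2/5, so consider squashing 1/5 into 2/5 so the intermediate, non-working command never lands in history.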
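Review bot: in PATCH 2/5 the download bullet fetches `https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/examples/generic.yml` from `main`, while the README link in the bullet above it is pinned to commit `4afc224c635d10e732119f715f93788af1502ce4`; pin the raw URL to the same commit so the hint keeps working if `generic.yml` moves or its example keywords change, and so the two bullets refer to the same file. The step order is also incomplete: the steps go "Clone the repo", then `wget` into the current directory, then scan `.`, with no `cd wrongsecrets` in between, so a reader following them literally scans the directory they cloned into rather than the repository; add the `cd` step, and note that scanning `.` will also pick up the downloaded `generic.yml` itself. Finally, the new line `- How to download trufflehog ... [generic detector] file` is not a sentence (fixed later in 3/5); better to get the wording right in the commit that introduces it.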
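Review bot: in PATCH 3/5 the reworded bullet `- Follow these instructions to download the ...[generic detector] file` now duplicates the bullet directly below it, which already gives the exact `wget` command, so the reader is told to download the same file twice; merge the two into one bullet that links the README for background and gives the `wget` as the action. Style point: this line is the only bullet in the block without a trailing period.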
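Review bot: in PATCH 4/5 the new step 5 tells the reader to `pip3 install trufflehog` without any caveat, even though the commit message itself says Trufflehog 2 "was released > 5 years ago and no longer maintaned" (sic); that caveat belongs in the hint text, not only in the commit message, since the hint is what challenge players read (PATCH 5/5 adds it, so squashing 4/5 and 5/5 would keep the history consistent). The new heading `5. Alternativel you can use the older Trufflehog 2:` has a typo, and the unversioned pip install will pull whatever the package index serves; since the project is unmaintained, the hint should at least say which major version the `trufflehog . | grep password` command applies to, so a reader who ends up with a v3 binary on their PATH does not mix the two syntaxes.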
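Review bot: in PATCH 5/5 the note `- Please note that Trufflehog 2 was released [> 5 years ago](https://github.com/trufflesecurity/trufflehog/tags?after=v3.0.0) and no longer [maintained](...)` uses Markdown link syntax in an `.adoc` file, while every other link in this block uses the AsciiDoc form `url[text]` (for example `https://github.com/trufflesecurity/trufflehog[here]`); as written the brackets and parentheses will be rendered literally instead of as links. Rewrite it as `https://github.com/trufflesecurity/trufflehog/tags?after=v3.0.0[more than 5 years ago]` and `https://github.com/trufflesecurity/trufflehog/issues/2328[no longer maintained]`. The "typo fix" on the heading also does not land: `5. Alternative, you can use the older Trufflehog 2:` is still ungrammatical and should read `5. Alternatively, you can use the older Trufflehog 2:`.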