False vulnerabilities being reported by v2.17.0

[revanth844]

Summary

Latest release is reporting Severity-HIGH false-positives.

Steps to reproduce the behavior

package main

func main() {
        usersPerAccountLimit := "users_per_account_limit"
        _ = usersPerAccountLimit
}

gosec version

v2.17.0

Go version (output of 'go version')

go1.19.9

Operating system / Environment

linux/amd64

Expected behavior

gosec scan to pass

Actual behavior

G101 (CWE-798): Potential hardcoded credentials (Confidence: LOW, Severity: HIGH)

[dnwe]

Seemingly due to matching group 8 in the value pattern in #971 capturing any 24 char string (^(.*[:;,](\\s)*)?[0-9a-zA-Z-_]{24}$) and then the isHighEntropyString check truncating to 14 chars so then groups_per_acc is checked for entropy and considered high enough to warrant flagging. This seems likely to flag a lot of values

[puneet-traceable]

This is flagging any constant with a string value of length 24 characters.

[adamdecaf]

We're seeing a lot of false positives in the past few days.

Error: pkg/test/fuzzer.go:590:4: G101: Potential hardcoded credentials (gosec)
			moovPspID := "F02D534B55518A81C2148F0F65039A68E50A6BA2C9F84FE432ED3A1636A2CF72"
			^
Error: pkg/verification/service_rate_limiter_test.go:61:2: G101: Potential hardcoded credentials (gosec)
	fingerprint := "9fb23dd12fbb7b892bd15cb9a20e48223c96f20e13239d08e820ae97b8425a05"

txnID = "3637cfcc1eec55a50f78a7c435914583ccbc75a21dec9a0e94dfa077647146d7" 

[vitaly-eureka-security]

Seems that patternValue introduced in #971 catches any alphanumeric string of length 24.

[sxd]

I can confirm this bug, the new version it's catching a lot of false positive with variable names that aren't credentials

[ccojocar]

@morgenm Please could you have a look at this? It seems to be introduced by #971.

I think that we should restrict the regexp to match only a subset of well known secrets and API keys such as AWS, Azure, GitHub token etc. instead of matching any set of alphanumerical charters with high entropy.

Maybe incorporating some patterns for this database would be an interesting approach https://github.com/mazen160/secrets-patterns-db. These patterns looks like a good start:

• https://github.com/mazen160/secrets-patterns-db/blob/master/datasets/high-confidence.yml