False positive, and problems with ignoring
Closed this issue · 3 comments
Got a false positive on https://ola.hallengren.com/scripts/MaintenanceSolution.sql
./MaintenanceSolution.sql:84:)WITH (PAD_INDEX = OFF, STATISTICS_NORECOMPUTE = OFF, IGNORE_DUP_KEY = OFF, ALLOW_ROW_LOCKS = ON, ALLOW_PAGE_LOCKS = ON)
I went to ignore just this "secret" in the .secretsignore file like this:
[secrets]
)WITH (PAD_INDEX = OFF, STATISTICS_NORECOMPUTE = OFF, IGNORE_DUP_KEY = OFF, ALLOW_ROW_LOCKS = ON, ALLOW_PAGE_LOCKS = ON)
But I couldn't get it to ignore... I had to add the whole file to .secretsignore:
MaintenanceSolution.sql
[secrets]
)WITH (PAD_INDEX = OFF, STATISTICS_NORECOMPUTE = OFF, IGNORE_DUP_KEY = OFF, ALLOW_ROW_LOCKS = ON, ALLOW_PAGE_LOCKS = ON)
This file's like 9100 lines long, so not ideal 😄
This is using secrets 0.1.2.
Thanks for reporting! I'll investigate and fix soon!
I just pushed a fix that will go out in 0.1.3 (e3f7bf0). The reason ignoring didn't work is because the key it detected was "ALLOW_ROW_LOCKS", so you would have had to add that to the secrets ignore. I think if the tool highlighted the subset of the row that was detected as the secret it would have been more obvious. The other issue is that ALLOW_ROW_LOCKS shouldn't have been detected as a non-random string in the first place, which I suspect was flagged because my common bigram dataset doesn't have enough capital letter bigrams.
Sounds good... a highlight would be nice, but since you've already got the line number in the output, just outputting the secret would probably be sufficient too, maybe in single quotes or with some other delimiter; that might be more tool-friendly than highlighting.
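The two behaviours discussed in this thread, an all-caps identifier scoring as "random" because the common-bigram table only knows lowercase bigrams, and an ignore entry silently not matching because the tool compared it against the detected key rather than the whole line, can be reproduced with a toy scanner. The code below is an added example, not the secrets tool's own code and not written by anyone in this thread. It assumes a .secretsignore format with file names at top level and keys under a `[secrets]` section (inferred from the issue text), uses a constructed twelve-word corpus in place of the real bigram dataset, and picks an arbitrary 0.5 score threshold and 8-character minimum key length; all of those are assumptions.

```python
import re

# Constructed mini-corpus standing in for the tool's common-bigram dataset.
# Assumption: like the real dataset, it was built from lowercase text only.
COMMON_WORDS = ["allow", "row", "locks", "index", "statistics", "ignore",
                "page", "on", "off", "the", "and", "with"]

# The SQL line from the issue (path prefix removed) and a constructed random-looking line.
SQL_LINE = (")WITH (PAD_INDEX = OFF, STATISTICS_NORECOMPUTE = OFF, IGNORE_DUP_KEY = OFF, "
            "ALLOW_ROW_LOCKS = ON, ALLOW_PAGE_LOCKS = ON)")
RANDOM_LINE = 'key = "k8Zq2Xv9Tp4"'   # constructed sample, not a real credential

# Three constructed .secretsignore variants mirroring the thread.
IGNORE_FULL_LINE = "[secrets]\n" + SQL_LINE + "\n"      # what the reporter tried first
IGNORE_KEY = "[secrets]\nALLOW_ROW_LOCKS\n"               # what the maintainer says was needed
IGNORE_FILE = "MaintenanceSolution.sql\n[secrets]\n" + SQL_LINE + "\n"   # the workaround


def build_bigram_table(words):
    """Set of every two-letter sequence that occurs in the corpus words."""
    return {w[i:i + 2] for w in words for i in range(len(w) - 1)}


COMMON_BIGRAMS = build_bigram_table(COMMON_WORDS)


def bigram_score(token, table, case_fold):
    """Fraction of the token's letter bigrams that appear in the common-bigram table.

    1.0 reads like natural language, 0.0 like random noise. Digits and underscores
    are skipped, so only the alphabetic segments contribute. With case_fold=False
    an all-caps token can never match a lowercase-only table.
    """
    bigrams = []
    for seg in re.findall(r"[A-Za-z]+", token):
        if case_fold:
            seg = seg.lower()
        bigrams.extend(seg[i:i + 2] for i in range(len(seg) - 1))
    if not bigrams:
        return 0.0
    return sum(b in table for b in bigrams) / len(bigrams)


TOKEN_RE = re.compile(r"[A-Za-z0-9_]{8,}")   # candidate keys: 8+ word characters (assumed)


def find_secrets(line, table, case_fold, threshold=0.5):
    """Return the substrings of `line` that score as random enough to report."""
    return [t for t in TOKEN_RE.findall(line)
            if bigram_score(t, table, case_fold) < threshold]


def parse_secretsignore(text):
    """Minimal parser (assumed format): bare lines before any section are file names,
    lines under [secrets] are exact detected keys to suppress."""
    ignore = {"files": set(), "secrets": set()}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        ignore["secrets" if section == "secrets" else "files"].add(line)
    return ignore


def scan_file(path, lines, ignore_text, table, case_fold):
    """Return (path, lineno, key) tuples for every finding not suppressed by the ignore file."""
    ignore = parse_secretsignore(ignore_text)
    if path in ignore["files"]:
        return []
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for key in find_secrets(line, table, case_fold):
            # Matching is against the detected key, not the whole source line,
            # which is why a full-line ignore entry never suppresses anything.
            if key not in ignore["secrets"]:
                findings.append((path, lineno, key))
    return findings


if __name__ == "__main__":
    path = "MaintenanceSolution.sql"
    for label, text in (("full-line entry", IGNORE_FULL_LINE), ("key entry", IGNORE_KEY),
                        ("file entry", IGNORE_FILE)):
        for p, n, key in scan_file(path, [SQL_LINE], text, COMMON_BIGRAMS, case_fold=False):
            # Delimited key in the output, as suggested in the thread.
            print(f"[{label}] {p}:{n}: '{key}'")
    print("case-folded scan of the SQL line:",
          find_secrets(SQL_LINE, COMMON_BIGRAMS, case_fold=True))
    print("case-folded scan of the random line:",
          find_secrets(RANDOM_LINE, COMMON_BIGRAMS, case_fold=True))
```

Running it with `case_fold=False` reports every long identifier on the SQL line (the toy corpus is far smaller than the real one, so it over-flags more than the tool did), and the full-line ignore entry changes nothing, while the `ALLOW_ROW_LOCKS` entry and the file entry do. Folding case before the lookup makes the SQL line score as ordinary English while the constructed `k8Zq2Xv9Tp4` value is still reported, which is the fix direction the maintainer describes.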