feat: update global & generic allowlist (#1618)

Author: rgmz

cmd/generate/config/base/config.go

@@ -82,7 +82,7 @@ func CreateGlobalConfig() config.Config {
 				regexp.MustCompile(`(^|/)npm-shrinkwrap\.json$`),
 				regexp.MustCompile(`(^|/)bower_components/.*?$`),
 				// TODO: Add more common static assets, such as swagger-ui.
-				regexp.MustCompile(`(^|/)(angular|jquery(-?ui)?|plotly|swagger-?ui)[a-zA-Z0-9.-]+(\.min)?\.js(\.map)?$`),
+				regexp.MustCompile(`(^|/)(angular|jquery(-?ui)?|plotly|swagger-?ui)[a-zA-Z0-9.-]*(\.min)?\.js(\.map)?$`),
 
 				// ----------- Python files -----------
 				// Dependencies and lock files.

cmd/generate/config/base/config_test.go

@@ -98,6 +98,7 @@ func TestConfigAllowlistPaths(t *testing.T) {
 				`swagger/swaggerui/swagger-ui-bundle.js.map`,
 				`swagger/swaggerui/swagger-ui-es-bundle.js.map`,
 				`src/main/static/swagger-ui.min.js`,
+				`swagger/swaggerui/swagger-ui.js`,
 			},
 		},
 		"python": {

cmd/generate/config/rules/generic.go

@@ -59,7 +59,7 @@ func GenericCredential() *config.Rule {
 						`|(credentials?[_.-]?id|withCredentials)` + // Jenkins plugins
 						// Key
 						`|(bucket|foreign|hot|natural|primary|schema|sequence)[_.-]?key` +
-						`|key[_.-]?(alias|board|code|ring|stone|storetype|word|up|down|left|right)` +
+						`|key[_.-]?(alias|board|code|ring|selector|size|stone|storetype|word|up|down|left|right)` +
 						`|key(store|tab)[_.-]?(file|path)` +
 						`|issuerkeyhash` + // part of ssl cert
 						`|(?-i:[DdMm]onkey|[DM]ONKEY)|keying` + // common words containing "key"
@@ -162,6 +162,8 @@ func GenericCredential() *config.Rule {
 		`sequenceKey = "18"`,
 		`app.keystore.file=env/cert.p12`,
 		`-DKEYTAB_FILE=/tmp/app.keytab`,
+		`	doc.Security.KeySize = PdfEncryptionKeySize.Key128Bit;`,
+		`o.keySelector=n,o.haKey=!1,`,
 		// TODO: Requires line-level allowlists.
 		//`<add key="SchemaTable" value="G:\SchemaTable.xml" />`,
 		//	`secret:

config/gitleaks.toml

@@ -550,7 +550,7 @@ keywords = [
 [rules.allowlist]
 regexTarget = "match"
 regexes = [
-    '''(?i)(accessor|access[_.-]?id|api[_.-]?(version|id)|rapid|capital|[a-z0-9-]*?api[a-z0-9-]*?:jar:|author|X-MS-Exchange-Organization-Auth|Authentication-Results|(credentials?[_.-]?id|withCredentials)|(bucket|foreign|hot|natural|primary|schema|sequence)[_.-]?key|key[_.-]?(alias|board|code|ring|stone|storetype|word|up|down|left|right)|key(store|tab)[_.-]?(file|path)|issuerkeyhash|(?-i:[DdMm]onkey|[DM]ONKEY)|keying|(secret)[_.-]?name|UserSecretsId|(api|credentials|token)[_.-]?(endpoint|ur[il])|public[_.-]?(key|token)|(key|token)[_.-]?file)''',
+    '''(?i)(accessor|access[_.-]?id|api[_.-]?(version|id)|rapid|capital|[a-z0-9-]*?api[a-z0-9-]*?:jar:|author|X-MS-Exchange-Organization-Auth|Authentication-Results|(credentials?[_.-]?id|withCredentials)|(bucket|foreign|hot|natural|primary|schema|sequence)[_.-]?key|key[_.-]?(alias|board|code|ring|selector|size|stone|storetype|word|up|down|left|right)|key(store|tab)[_.-]?(file|path)|issuerkeyhash|(?-i:[DdMm]onkey|[DM]ONKEY)|keying|(secret)[_.-]?name|UserSecretsId|(api|credentials|token)[_.-]?(endpoint|ur[il])|public[_.-]?(key|token)|(key|token)[_.-]?file)''',
 ]
 stopwords = [
     "000000",