mirror of
https://github.com/lunchcat/sif.git
synced 2026-07-03 19:34:53 -07:00
8c8f8afba3
modules/recon/maven-settings-exposure.yaml flags an exposed settings.xml through the settings or servers structure paired with a password element, so a mirror-only config is not reported, then extracts the server username. modules/recon/gradle-properties-exposure.yaml flags an exposed gradle.properties through a password, secret or token property with a value on the same line, skipping comments and empty assignments, then extracts the property name. modules/recon/nuget-config-exposure.yaml flags an exposed nuget.config through a packageSourceCredentials section paired with a cleartext password key, so a plain package source list or an appsettings password is not reported, then extracts the feed username. internal/modules/buildtool_credential_exposure_test.go drives the three modules end to end through ExecuteHTTPModule and asserts the leak alongside the near misses a strict review wants pinned: a mirror-only settings, a non-credential properties file, a commented password, an empty value, a plain source list, an appsettings password, an HTML tutorial for each file, a plain 200 and a 404. verify: go test ./internal/modules, each matcher and extractor proven to bite (break -> red, restore -> green).
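The three matcher-plus-extractor rules the commit describes, written out as an added Go example (this is not sif's code and not its YAML modules; it is a stand-alone reimplementation of the logic the commit message states). Each check parses the file body, flags it only on the credential-bearing structure named above, and extracts the username or property name rather than the secret value. The sample bodies, host names, usernames and values are constructed for this example; the near misses follow the ones the commit's test pins (a mirror-only settings.xml, a commented password, an empty value, a plain package source list, an appsettings-style password, an HTML tutorial mentioning the files).

```go
package main

import (
	"encoding/xml"
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample bodies (hypothetical; not captured from any real host).
const (
	MavenLeak        = `<settings><servers><server><id>corp</id><username>ci-bot</username><password>hunter2</password></server></servers></settings>`
	MavenMirrorOnly  = `<settings><mirrors><mirror><id>m</id><url>https://mirror.example/repo</url><mirrorOf>*</mirrorOf></mirror></mirrors></settings>`
	GradleLeak       = "org.gradle.jvmargs=-Xmx2g\n# signing.password=commented-out\nempty.token=\nnexusPassword=s3cret\n"
	GradleNearMiss   = "org.gradle.parallel=true\n# nexusPassword=old\napi.token=\n"
	NugetLeak        = `<configuration><packageSources><add key="feed" value="https://feed.example/index.json"/></packageSources><packageSourceCredentials><feed><add key="Username" value="svc-nuget"/><add key="ClearTextPassword" value="p@ss"/></feed></packageSourceCredentials></configuration>`
	NugetAppSettings = `<configuration><packageSources><add key="feed" value="https://feed.example/index.json"/></packageSources><config><add key="password" value="not-a-feed-credential"/></config></configuration>`
	HTMLTutorial     = `<html><body><p>Put nexusPassword=yourpass in gradle.properties and a &lt;password&gt; in settings.xml</p></body></html>`
)

// CheckMavenSettings flags a settings.xml only when a <server> carries a <password>
// (a mirror-only file has no servers) and returns the usernames of those servers.
func CheckMavenSettings(body string) (bool, []string) {
	var s struct {
		Servers []struct {
			Username string `xml:"username"`
			Password string `xml:"password"`
		} `xml:"servers>server"`
	}
	if xml.Unmarshal([]byte(body), &s) != nil {
		return false, nil // not XML at all: an HTML tutorial or an error page
	}
	var users []string
	for _, srv := range s.Servers {
		if strings.TrimSpace(srv.Password) != "" {
			users = append(users, srv.Username)
		}
	}
	return len(users) > 0, users
}

// propKey accepts only a bare property name, so prose or HTML around an '=' never matches.
var propKey, secretKey = regexp.MustCompile(`^[A-Za-z_][\w.\-]*$`), regexp.MustCompile(`(?i)password|secret|token`)

// CheckGradleProperties flags key=value (or key:value) lines whose key names a password,
// secret or token and whose value sits on the same line; comments and empty values are skipped.
func CheckGradleProperties(body string) (bool, []string) {
	var names []string
	for _, raw := range strings.Split(body, "\n") {
		line := strings.TrimSpace(raw)
		sep := strings.IndexAny(line, "=:")
		if line == "" || line[0] == '#' || line[0] == '!' || sep < 0 {
			continue
		}
		key, val := strings.TrimSpace(line[:sep]), strings.TrimSpace(line[sep+1:])
		if val != "" && propKey.MatchString(key) && secretKey.MatchString(key) {
			names = append(names, key) // extract the property name, never the value
		}
	}
	return len(names) > 0, names
}

// CheckNuGetConfig flags a nuget.config only when a feed under <packageSourceCredentials>
// carries a non-empty ClearTextPassword; a plain source list or a <config> password is ignored.
func CheckNuGetConfig(body string) (bool, []string) {
	var c struct {
		Creds struct {
			Feeds []struct { // one child element per feed, named after the source
				Adds []struct {
					Key   string `xml:"key,attr"`
					Value string `xml:"value,attr"`
				} `xml:"add"`
			} `xml:",any"`
		} `xml:"packageSourceCredentials"`
	}
	if xml.Unmarshal([]byte(body), &c) != nil {
		return false, nil
	}
	var users []string
	for _, feed := range c.Creds.Feeds {
		user, leaked := "", false
		for _, a := range feed.Adds {
			if strings.EqualFold(a.Key, "Username") {
				user = a.Value
			}
			leaked = leaked || (strings.EqualFold(a.Key, "ClearTextPassword") && a.Value != "")
		}
		if leaked {
			users = append(users, user)
		}
	}
	return len(users) > 0, users
}

func main() {
	for _, c := range []struct{ label string; fn func(string) (bool, []string); body string }{
		{"maven leak", CheckMavenSettings, MavenLeak}, {"maven mirror-only", CheckMavenSettings, MavenMirrorOnly},
		{"gradle leak", CheckGradleProperties, GradleLeak}, {"gradle near-miss", CheckGradleProperties, GradleNearMiss},
		{"nuget leak", CheckNuGetConfig, NugetLeak}, {"nuget appsettings", CheckNuGetConfig, NugetAppSettings},
		{"html tutorial", CheckGradleProperties, HTMLTutorial},
	} {
		hit, ex := c.fn(c.body)
		fmt.Printf("%-18s flagged=%-5v extracted=%v\n", c.label, hit, ex)
	}
}
```

`go run` prints one line per constructed sample: the three leaks are flagged with their username or property name, and the near misses stay silent. The same three functions can be pointed at a checked-out repository or a web root before deployment to confirm that these files are never published with credentials in them; extracting only the username or key name keeps the secret out of scanner output and logs.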