Skip to content

PRP: JDBC secret veles and validator#1774

Open
grandsilva wants to merge 5 commits intogoogle:mainfrom
grandsilva:jdbc_secret_extractor
Open

PRP: JDBC secret veles and validator#1774
grandsilva wants to merge 5 commits intogoogle:mainfrom
grandsilva:jdbc_secret_extractor

Conversation

@grandsilva
Copy link
Copy Markdown
Contributor

@grandsilva grandsilva commented Feb 16, 2026
edited
Loading

#1008

I tried to add parsers for all examples of JDBC URLs I could find for MySQL, PostgreSQL, and MSSQL.
Currently, I parsed the JDBC URLS and only extracted hosts in the detector because we only need to determine if the hosts are local or not.
Inside the validate function, the database name and user/pass are extracted.

@grandsilva grandsilva changed the title Jdbc secret extractor Jdbc secret veles and validator Feb 16, 2026
@grandsilva grandsilva changed the title Jdbc secret veles and validator PRP: JDBC secret veles and validator Feb 16, 2026
@grandsilva grandsilva force-pushed the jdbc_secret_extractor branch from b499625 to 2217a7d Compare February 16, 2026 15:32
@grandsilva grandsilva force-pushed the jdbc_secret_extractor branch from 2217a7d to 2a80f50 Compare February 16, 2026 15:33
grandsilva
grandsilva commented Feb 16, 2026
View reviewed changes
Comment thread veles/secrets/jdbcurlcreds/testsForDeployment/main.go Outdated
alessandro-Doyensec
alessandro-Doyensec reviewed Feb 24, 2026
View reviewed changes
Comment thread veles/secrets/jdbcurlcreds/detector.go
alessandro-Doyensec
alessandro-Doyensec reviewed Feb 24, 2026
View reviewed changes
Comment thread veles/secrets/jdbcurlcreds/detector.go Outdated
alessandro-Doyensec
alessandro-Doyensec reviewed Feb 24, 2026
View reviewed changes
Comment thread veles/secrets/jdbcurlcreds/urlcreds.go
// Credentials contains an URL with credentials.
type Credentials struct {
FullURL string
IsLocalDB bool
Copy link
Copy Markdown
Collaborator

@alessandro-Doyensec alessandro-Doyensec Feb 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since we can validate only PublicDBs I would rename IsLocalDB to IsPublicDB (and modify the logic accordingly) or something similar.

Copy link
Copy Markdown
Collaborator

@alessandro-Doyensec alessandro-Doyensec Mar 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hello @grandsilva

Any update on this?

Copy link
Copy Markdown
Contributor Author

@grandsilva grandsilva Mar 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think I explained it here: #1774 (comment)
Local databases are still important, according to this @erikvarga's comment: #1008 (comment)

alessandro-Doyensec
alessandro-Doyensec suggested changes Feb 24, 2026
View reviewed changes
Copy link
Copy Markdown
Collaborator

@alessandro-Doyensec alessandro-Doyensec left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hello @grandsilva

Thanks for the contribution!

  1. Please checkout the comments I left for you to address

  2. Remember to add the plugin to the docs/supported_inventory_types.md file.

  3. Regarding:

    Currently, I parsed the JDBC URLS and only extracted hosts in the detector because we only need to determine if the hosts are local or not.

    I think it might also make sense to extract credentials in the detection step to be sure they're not empty. This may be redundant with the regex extraction though, so we can discuss it.

@grandsilva
Copy link
Copy Markdown
Contributor Author

grandsilva commented Feb 24, 2026

@alessandro-Doyensec Hi
I think the purpose of running scalibr is checking for local file systems, whether the extracted URLs are local or public, we should notify the users in both cases.

I think it might also make sense to extract credentials in the detection step to be sure they're not empty. This may be redundant with the regex extraction though, so we can discuss it.

Extracting secrets here means the URLs, not the credentials of the URLs.
Exposed JDBC URLs can be dangerous, since they can be used to quickly identify the IP and open ports on the system instead of scanning the whole ip ranges.
The reason that we are extracting the Host, port, and credentials is that we can connect to these JDBC URLs in the Validator; Otherwise, I wouldn't parse these kinds of URLs from the beginning.
JDBC URLs are different than ordinary HTTP URLs, so I think the URL itself can be a secret.

@grandsilva grandsilva mentioned this pull request Feb 24, 2026
Open
@alessandro-Doyensec
Copy link
Copy Markdown
Collaborator

alessandro-Doyensec commented Feb 25, 2026
edited
Loading

Hello @grandsilva

Looking at 285b9f9 I think some changes have not been included: for example I don't see the IsLocalHost function or the IsLocalDB field being renamed.

@alessandro-Doyensec
Copy link
Copy Markdown
Collaborator

alessandro-Doyensec commented Feb 25, 2026

Note: I suspect that the changes to the docs/supported_inventory_types.md file will cause a lot of merge conflicts, could you please modify only the relevant section?

@grandsilva grandsilva force-pushed the jdbc_secret_extractor branch from 285b9f9 to e279df4 Compare February 27, 2026 15:44
@grandsilva
IsLocalHost -> IsPrivateHost
0b8ff23 
add add the plugin to the docs/supported_inventory_types.md file
remove a temp test directory
@grandsilva grandsilva force-pushed the jdbc_secret_extractor branch from e279df4 to 0b8ff23 Compare February 27, 2026 15:49
alessandro-Doyensec
alessandro-Doyensec reviewed Mar 3, 2026
View reviewed changes
Comment thread veles/secrets/jdbcurlcreds/detector_test.go
alessandro-Doyensec
alessandro-Doyensec suggested changes Mar 3, 2026
View reviewed changes
Copy link
Copy Markdown
Collaborator

@alessandro-Doyensec alessandro-Doyensec left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hello @grandsilva

Thanks for the changes. I left a few comments for you to address.

alessandro-Doyensec
alessandro-Doyensec approved these changes Mar 5, 2026
View reviewed changes
Copy link
Copy Markdown
Collaborator

@alessandro-Doyensec alessandro-Doyensec left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hello @grandsilva

Thanks for the changes, the PR looks good to me

@alessandro-Doyensec alessandro-Doyensec added the lgtm The PR has been reviewed and approved ("Looks Good To Me") by vendors helping with code reviews. label Mar 5, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@alessandro-Doyensec alessandro-Doyensec alessandro-Doyensec approved these changes

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

lgtm The PR has been reviewed and approved ("Looks Good To Me") by vendors helping with code reviews.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@grandsilva @alessandro-Doyensec