[Docs] Hint on challenge-1 needs an update (trufflehog) #1193

Closed
za opened this issue Jan 19, 2024 · 10 comments · Fixed by #1195

za commented Jan 19, 2024

Hi there,

I think the hint on challenge-1 needs an update:

Scan the files using trufflehog . | grep password and the password will be in the output.

➜  wrongsecrets git:(master) trufflehog --version
trufflehog 3.59.0
➜  wrongsecrets git:(master) trufflehog .
trufflehog: error: expected command but got ".", try --help

za added the bug label (Something isn't working) on Jan 19, 2024

za commented Jan 19, 2024

It seems trufflehog needs to scan it using the generic detector https://github.com/trufflesecurity/trufflehog/blob/main/examples/generic.yml#L15

commjoen commented

It seems to be version-dependent indeed:

  • version 2: it is trufflehog .
  • version 3: it seems to work with trufflehog filesystem . only this seems to be much slower.

Would you like to file a PR to show how both can be used properly?


za commented Jan 20, 2024

Sure @commjoen I'll prepare a PR.


za commented Jan 22, 2024

Hi @commjoen, this command does not seem to be working

➜  wrongsecrets git:(master) trufflehog filesystem . | grep password
🐷🔑🐷  TruffleHog. Unearth your secrets. 🐷🔑🐷

2024-01-22T09:57:25+07:00       info-0  trufflehog      finished scanning       {"chunks": 16579, "bytes": 206885751, "verified_secrets": 0, "unverified_secrets": 45, "scan_duration": "11.028594104s"}

I have prepared the PR and it's working with the generic detector https://github.com/OWASP/wrongsecrets/pull/1195/files#diff-7cb51d7f736e82d7762d13369216848fc6eeae335a63aab3867542659f6eb825R24

I am wondering, is there a simpler way in trufflehog to scan by default using the generic detector?


za commented Jan 22, 2024

> It seems to be version-dependent indeed:
>
>   • version 2: it is trufflehog .
>
> Would you like to file a PR to show how both can be used properly?

Hi @commjoen, I am not recommending the use of trufflehog version 2.x, as it was released > 5 years ago https://github.com/trufflesecurity/trufflehog/tags?after=v3.0.0

What do you think?

commjoen commented

Some installment paths only give version 2 ;-). So I am fine with showing both.


za commented Jan 22, 2024

Haha... ok, because I was wondering how to install version 2.

In that case, I'll just write as it is for version 2 and update the PR.

commjoen commented

pip3 install trufflehog
Collecting trufflehog
  Downloading truffleHog-2.2.1-py2.py3-none-any.whl (13 kB)
Collecting GitPython==3.0.6 (from trufflehog)
  Downloading GitPython-3.0.6-py3-none-any.whl (451 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 451.8/451.8 kB 8.8 MB/s eta 0:00:00
Collecting truffleHogRegexes==0.0.7 (from trufflehog)
  Downloading truffleHogRegexes-0.0.7-py2.py3-none-any.whl (2.5 kB)
Collecting gitdb2>=2.0.0 (from GitPython==3.0.6->trufflehog)
  Downloading gitdb2-4.0.2-py3-none-any.whl (1.1 kB)
Collecting gitdb>=4.0.1 (from gitdb2>=2.0.0->GitPython==3.0.6->trufflehog)
  Downloading gitdb-4.0.11-py3-none-any.whl.metadata (1.2 kB)
Collecting smmap<6,>=3.0.1 (from gitdb>=4.0.1->gitdb2>=2.0.0->GitPython==3.0.6->trufflehog)
  Downloading smmap-5.0.1-py3-none-any.whl.metadata (4.3 kB)
Downloading gitdb-4.0.11-py3-none-any.whl (62 kB)
   ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 62.7/62.7 kB 2.2 MB/s eta 0:00:00
Downloading smmap-5.0.1-py3-none-any.whl (24 kB)
Installing collected packages: truffleHogRegexes, smmap, gitdb, gitdb2, GitPython, trufflehog
Successfully installed GitPython-3.0.6 gitdb-4.0.11 gitdb2-4.0.2 smmap-5.0.1 truffleHogRegexes-0.0.7 trufflehog-2.2.1

[notice] A new release of pip is available: 23.3.1 -> 23.3.2
[notice] To update, run: python3.11 -m pip install --upgrade pip
[22/01 9:31:55] ➜  wrongsecrets git:(only-publish-non-fork) 

so pip3 results in trufflehog 2 :(


commjoen commented Jan 22, 2024

If we can have both that would be awesome!
Added a suggestion to your PR.

@za
Copy link
Contributor Author

za commented Jan 23, 2024

Hi @commjoen thanks for the suggestion. PR ready for review now. I have updated the doc.
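
The version split discussed in this thread, as an added shell example that is not part of the original comments or of the wrongsecrets project: it runs `trufflehog <dir>` for version 2 and `trufflehog filesystem <dir>` for version 3. Assumptions: `--config` is trufflehog 3's option for loading a detector file, the config path is a hypothetical local copy of the linked generic.yml, and a binary that reports no parsable version is treated as 2.x.

```shell
#!/bin/sh
# Added example (not from the thread): run the trufflehog scan form that
# matches the installed major version.

# Print the major version found in `trufflehog --version` output,
# e.g. "trufflehog 3.59.0" -> 3; print nothing if the text has no version.
trufflehog_major() {
    printf '%s\n' "$1" |
        sed -n 's/^trufflehog[[:space:]]\{1,\}v\{0,1\}\([0-9]\{1,\}\)\..*/\1/p' |
        head -n 1
}

# run_scan DIR [CONFIG]
# CONFIG is a hypothetical local copy of the generic detector file linked in
# the thread (examples/generic.yml); only the version-3 form uses it.
run_scan() {
    dir=${1:-.}
    config=${2:-}
    command -v trufflehog >/dev/null 2>&1 || { echo "trufflehog not found" >&2; return 127; }

    # Capture stderr as well, and tolerate a non-zero exit status.
    version_text=$(trufflehog --version 2>&1) || true
    major=$(trufflehog_major "$version_text")

    # Assumption: a build that reports no parsable version is the 2.x
    # package that pip3 installs in the thread.
    case "${major:-2}" in
        2)
            trufflehog "$dir"
            ;;
        3)
            if [ -n "$config" ]; then
                trufflehog filesystem "$dir" --config "$config"
            else
                trufflehog filesystem "$dir"
            fi
            ;;
        *)
            echo "unsupported trufflehog major version: $major" >&2
            return 1
            ;;
    esac
}
```

Call it as `run_scan . generic.yml` from the repository root; on version 2 the second argument is ignored.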
