PRP Veles for MongoDB Connection URL #1810

Open
VickyTheViking wants to merge 3 commits into google:main from VickyTheViking:mongodb-conn-url-veles
@VickyTheViking
Contributor

@alessandro-Doyensec
Collaborator

alessandro-Doyensec commented Mar 11, 2026

Hi @VickyTheViking

Thanks for the contribution, the PR looks good overall.

I just have a doubt: Would it make sense to incorporate this into urlcreds.NewDetector instead? Since that detector already identifies URLs with embedded credentials, it should presumably catch connection strings (for MongoDB and potentially other databases) as well.

In that case only the validation part should be added to the following function:

func (v *Validator) Validate(ctx context.Context, secret Credentials) (veles.ValidationStatus, error) {

cc @erikvarga for any additional context on this approach.


Note: I'm not opposed to keeping this as a separate detector, just wanted to point out that urlcreds.NewDetector exists.

@alessandro-Doyensec alessandro-Doyensec self-requested a review March 11, 2026 15:39
@erikvarga
Collaborator

Adding to Alessandro's comment, the main concern is that enabling both detectors (mongodburl and urlcreds) would find duplicate results. What I'd suggest is that we rewrite the FromMatch part of the urlcreds detector so that it returns a MongoDBConnectionURL secret struct instead of a generic urlcreds.Credentials if the scheme matches mongodb connection strings. Then we can remove the mongodb-specific detector but will still be able to use the validator to check mongodb URLs.
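
The scheme-based dispatch suggested above, as an added example (not code from this PR or from the project): a single URL-credential matcher returns a MongoDB-specific secret for mongodb:// and mongodb+srv:// URLs and a generic one otherwise, so each URL is reported once. The type names mirror those in the thread, but their fields, the regex, fromMatch, detect and the sample input are assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Hypothetical stand-ins for the two secret types named in the thread.
type Credentials struct{ FullURL string }
type MongoDBConnectionURL struct{ URL string }

// Simplified, constructed pattern: scheme://user:password@rest
var urlWithCreds = regexp.MustCompile(`[a-zA-Z][a-zA-Z0-9+.-]*://[^\s:/@]+:[^\s/@]+@[^\s"']+`)

// fromMatch picks the secret type from the scheme. The scheme is cut out by
// hand instead of via net/url, because MongoDB URLs may list several
// comma-separated hosts, which a generic URL parser can reject.
func fromMatch(raw string) any {
	scheme, _, _ := strings.Cut(raw, "://")
	switch strings.ToLower(scheme) {
	case "mongodb", "mongodb+srv":
		return MongoDBConnectionURL{URL: raw}
	default:
		return Credentials{FullURL: raw}
	}
}

// detect emits exactly one secret per matched URL, so a MongoDB URL is never
// reported twice (once generic, once MongoDB-specific).
func detect(data string) []any {
	var out []any
	for _, m := range urlWithCreds.FindAllString(data, -1) {
		out = append(out, fromMatch(m))
	}
	return out
}

// Constructed sample input; hosts and credentials are made up.
const sample = `db=mongodb://app:s3cr3t@db1.example.test:27017,db2.example.test/admin
srv=mongodb+srv://app:s3cr3t@cluster.example.test/app
ftp=ftp://bob:hunter2@files.example.test/pub
plain=https://example.test/no-creds`

func main() {
	for _, s := range detect(sample) {
		fmt.Printf("%T %v\n", s, s)
	}
}
```

A validator can then type-switch on the returned secret and run the MongoDB check only for MongoDBConnectionURL values.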

@alessandro-Doyensec
Collaborator

Hi @VickyTheViking

Thanks for the changes. Could you please also create a PR to https://github.com/google/security-testbeds containing a simple README on how to set up mongo and how to launch scalibr against it?

Use google/security-testbeds#194 as a reference.
