add exclude-regex-patterns

[jpaskhay]

This mimics the functionality of the exclude-entropy-patterns option, but for regex scans. It is heavily based off #192 and other subsequent work around that feature. This will help reduce false positives such as env variables for user info auth in URLs.

Note that the scope is forced to line and not configurable due to the way the regex scan is done compared to the entropy scan.

A few unrelated formatting changes were necessary for pre-commit linters to pass.

I ran into issues trying to get the development environment setup properly (mainly poetry version differences). The new tests that were added passed, but I was running into 2 unrelated test failures -- not sure if related to the dev setup issues.

To help us get this pull request reviewed and merged quickly, please be sure to include the following items:

• Tests (if applicable)
• Documentation (if applicable)
• Changelog entry
• A full explanation here in the PR description of the work done

PR Type

What kind of change does this PR introduce?

• Bugfix
• Feature
• Code style update (formatting, local variables)
• Refactoring (no functional changes, no api changes)
• Build related changes
• CI related changes
• Documentation content changes
• Tests
• Other

Backward Compatibility

Is this change backward compatible with the most recently released version? Does it introduce changes which might change the user experience in any way? Does it alter the API in any way?

• Yes (backward compatible)
• No (breaking changes)

Issue Linking

What's new?

• add exclude-regex-patterns option

[jpaskhay]

welp, guess that unit test failure wasn't related to my dev environment 😄 . will troubleshoot a bit more and hopefully have a fix soon

[rbailey-godaddy]

This generally looks pretty good - I have some nitpicking below and then there's the question of the failing CI tests, which we'll look at next...

[rbailey-godaddy]

You addressed this in the PR description, but it would be worth throwing in a line something like "The pattern is always tested against the entire line." (Or any other words that would explain why scope is a thing just above for entropy exclusions, but isn't here.)

[jpaskhay]

sure. will do

[rbailey-godaddy]

I haven't gotten to looking at the unit test failures yet, but I was surprised to see this return type change. What is the motivation for this? Isn't it still true that fail() never returns control to the caller?

[jpaskhay]

i was getting a mypy failure on the pre-commit hook with:

mypy.....................................................................Failed
- hook id: mypy
- exit code: 1
tartufo/util.py:261: error: Implicit return in function which does not return

i can try reverting this to see if it complains in CICD. this change as is has caused another side-effect linting issue, which i was surprised wasn't flagged locally in pre-commit

[rbailey-godaddy]

I think the mypy failure you're getting now is due to the return-value change:

tartufo/commands/update_signatures.py:273: error: Incompatible return value type (got "Optional[GitRepoScanner]", expected "GitRepoScanner")  [return-value]

It used to be that scanner was known not to be None by L273 because of the test at L250 combined with the knowledge that control would not return from the call to util.fail() on L252. Now mypy assumes control will return and that consequently scanner could still be None -- thus the error.

[jpaskhay]

yup, exactly. was just posting the previous mypy failure which led me to the NoReturn -> None change. wrapping up wordsmithing the documentation change and i'll push up a revert for this line along with it.

[jpaskhay]

i'm at a loss on the unit test failure. i did some troubleshooting locally, and the blake2s isn't getting mocked, so the real thing is getting called

the way it is getting patched seems proper (same w/ the various other patches in test_util.py). not seeing anything obvious that would've changed that in the change set 🤔 . even tried adding a importlib.reload(util)