Fix judbc detector detecting incomplete conn string and fixed invalid parsing of sql server string

MuneebUllahKhan222 · MuneebUllahKhan222 · commit 0007a1e0d0dd · 2026-01-01T14:05:23.000+05:00
diff --git a/pkg/detectors/jdbc/jdbc.go b/pkg/detectors/jdbc/jdbc.go
@@ -50,7 +50,8 @@ var _ detectors.Detector = (*Scanner)(nil)
 var _ detectors.CustomFalsePositiveChecker = (*Scanner)(nil)
 
 var (
-	keyPat = regexp.MustCompile(`(?i)jdbc:[\w]{3,10}:[^\s"'<>,(){}[\]&]{10,512}`)
+	// Matches typical JDBC connection strings amd ingores any special character at the end
+	keyPat = regexp.MustCompile(`(?i)jdbc:[\w]{3,10}:[^\s"'<>,{}[\]]{10,511}[A-Za-z0-9]`)
 )
 
 // Keywords are used for efficiently pre-filtering chunks.
diff --git a/pkg/detectors/jdbc/jdbc_test.go b/pkg/detectors/jdbc/jdbc_test.go
@@ -37,6 +37,8 @@ func TestJdbc_Pattern(t *testing.T) {
 							<jdbc-url>jdbc:mysql:localhost:3306/mydatabase</jdbc-url>
 							<jdbc-url>jdbc:sqlserver://x.x.x.x:1433;databaseName=MY-DB;user=MY-USER;password=MY-PASSWORD;encrypt=false</jdbc-url>
 							<jdbc-url>jdbc:sqlserver://localhost:1433;databaseName=AdventureWorks</jdbc-url>
+							<jdbc-url>(jdbc:mysql://testuser:testpassword@tcp(localhost:1521)/testdb)</jdbc-url>
+							<jdbc-url>jdbc:postgresql://localhost:1521/testdb?sslmode=disable&password=testpassword&user=testuser&</jdbc-url>
 							<working-dir>$ProjectFileDir$</working-dir>
 							</data-source>
 						</component>
@@ -47,6 +49,8 @@ func TestJdbc_Pattern(t *testing.T) {
 				"jdbc:mysql:localhost:3306/mydatabase",
 				"jdbc:sqlserver://x.x.x.x:1433;databaseName=MY-DB;user=MY-USER;password=MY-PASSWORD;encrypt=false",
 				"jdbc:sqlserver://localhost:1433;databaseName=AdventureWorks",
+				"jdbc:mysql://testuser:testpassword@tcp(localhost:1521)/testdb",
+				"jdbc:postgresql://localhost:1521/testdb?sslmode=disable&password=testpassword&user=testuser",
 			},
 		},
 		{
@@ -61,15 +65,19 @@ func TestJdbc_Pattern(t *testing.T) {
 						"jdbc:oracle:thin:@host:1521:db",
 						"jdbc:mysql://host:3306/db,other_param",
 						"jdbc:db2://host:50000/db?param=1"
-					]
-				}`,
+						"jdbc:postgresql://localhost:1521/testdb?sslmode=disable&password=testpassword&user=testuser"
+						"jdbc:mysql://testuser:testpassword@tcp(localhost:1521)/testdb"
+						]
+						}`,
 			want: []string{
 				"jdbc:postgresql://localhost:5432/mydb",
 				"jdbc:mysql://user:pass@host:3306/db?param=1",
 				"jdbc:sqlite:/data/test.db",
 				"jdbc:oracle:thin:@host:1521:db",
 				"jdbc:mysql://host:3306/db",
 				"jdbc:db2://host:50000/db?param=1",
+				"jdbc:postgresql://localhost:1521/testdb?sslmode=disable&password=testpassword&user=testuser",
+				"jdbc:mysql://testuser:testpassword@tcp(localhost:1521)/testdb",
 			},
 		},
 		{
diff --git a/pkg/detectors/jdbc/sqlserver.go b/pkg/detectors/jdbc/sqlserver.go
@@ -59,6 +59,11 @@ func ParseSqlServer(ctx logContext.Context, subname string) (jdbc, error) {
 			continue
 		}
 
+		// incase there is a bridge between jdbc and odbc, and conn string looks like this odbc:server
+		if split := strings.Split(key, ":"); len(split) > 1 {
+			key = split[1]
+		}
+
 		switch strings.ToLower(key) {
 		case "password", "spring.datasource.password", "pwd":
 			password = value
diff --git a/pkg/detectors/jdbc/sqlserver_integration_test.go b/pkg/detectors/jdbc/sqlserver_integration_test.go
@@ -12,6 +12,7 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/testcontainers/testcontainers-go"
 	"github.com/testcontainers/testcontainers-go/modules/mssql"
+	logContext "github.com/trufflesecurity/trufflehog/v3/pkg/context"
 )
 
 func TestSqlServer(t *testing.T) {
@@ -81,7 +82,8 @@ func TestSqlServer(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.input, func(t *testing.T) {
-			j, err := parseSqlServer(tt.input)
+			ctx := logContext.AddLogger(context.Background())
+			j, err := ParseSqlServer(ctx, tt.input)
 
 			if err != nil {
 				got := result{parseErr: true}
diff --git a/pkg/detectors/jdbc/sqlserver_test.go b/pkg/detectors/jdbc/sqlserver_test.go
@@ -115,3 +115,41 @@ func TestParseSqlServerUserIgnoredBug2(t *testing.T) {
 		})
 	}
 }
+
+func TestParseSqlServerWithJdbcAndOdbcBridgeString(t *testing.T) {
+	subname := "//odbc:server=localhost;port=1433;database=testdb;password=testpassword"
+
+	wantHost := "localhost"
+	wantPort := "1433"
+	wantPassword := "testpassword"
+	wantDatabase := "testdb"
+
+	ctx := logContext.AddLogger(context.Background())
+
+	j, err := ParseSqlServer(ctx, subname)
+	if err != nil {
+		t.Fatalf("parseSqlServer() error = %v", err)
+	}
+
+	if j == nil {
+		t.Fatalf("parseSqlServer() returned nil, expected valid connection.")
+	}
+
+	sqlServerConn, ok := j.(*SqlServerJDBC)
+	if !ok {
+		t.Fatalf("parseSqlServer() returned unexpected type %T, expected *SqlServerJDBC", j)
+	}
+
+	if sqlServerConn.Host != wantHost+":"+wantPort {
+		t.Errorf("Host mismatch. Got: %s, Want: %s", sqlServerConn.Host, wantHost+":"+wantPort)
+	}
+
+	if sqlServerConn.Password != wantPassword {
+		t.Errorf("Password mismatch. Got: %s, Want: %s", sqlServerConn.Password, wantPassword)
+	}
+
+	if sqlServerConn.Database != wantDatabase {
+		t.Errorf("Database mismatch. Got: %s, Want: %s", sqlServerConn.Database, wantDatabase)
+	}
+
+}

Original file line number	Diff line number	Diff line change
`@@ -50,7 +50,8 @@ var _ detectors.Detector = (*Scanner)(nil)`
`50`	`50`	`var _ detectors.CustomFalsePositiveChecker = (*Scanner)(nil)`
`51`	`51`
`52`	`52`	`var (`
`53`		- keyPat = regexp.MustCompile(`(?i)jdbc:[\w]{3,10}:[^\s"'<>,(){}[\]&]{10,512}`)
	`53`	`+ // Matches typical JDBC connection strings amd ingores any special character at the end`
	`54`	+ keyPat = regexp.MustCompile(`(?i)jdbc:[\w]{3,10}:[^\s"'<>,{}[\]]{10,511}[A-Za-z0-9]`)
`54`	`55`	`)`
`55`	`56`
`56`	`57`	`// Keywords are used for efficiently pre-filtering chunks.`