Mask api key in command logging (#1580)

* Mask api key in command logging

* Bump changelog

Author: james-fossa

Changelog.md

@@ -1,5 +1,9 @@
 # FOSSA CLI Changelog
 
+## 3.11.4
+
+- Stops logging a secret under `--x-snippet-scan`. ([#1579](https://github.com/fossas/fossa-cli/pull/1580))
+
 ## 3.11.3
 
 - Picks up the latest version of a dependency for `--x-snippet-scan`. ([#1579](https://github.com/fossas/fossa-cli/pull/1579))

src/App/Fossa/Ficus/Analyze.hs

@@ -151,7 +151,6 @@ runFicus ficusConfig = do
     logDebugWithTime "Ficus binary extracted, building command..."
     cmd <- ficusCommand ficusConfig bin
     logDebugWithTime "Executing ficus (streaming)"
-    logDebug $ "Ficus command: " <> pretty (renderCommand cmd)
     logDebug $ "Working directory: " <> pretty (toFilePath $ ficusConfigRootDir ficusConfig)
 
     logDebugWithTime "Creating process configuration..."
@@ -235,26 +234,41 @@ runFicus ficusConfig = do
 
 -- Run Ficus, passing config-based args as configuration.
 -- Caveat! This hard-codes some flags currently which may later need to be set on a strategy-by-strategy basis.
-ficusCommand :: Has Diagnostics sig m => FicusConfig -> BinaryPaths -> m Command
+ficusCommand :: (Has Diagnostics sig m, Has Logger sig m) => FicusConfig -> BinaryPaths -> m Command
 ficusCommand ficusConfig bin = do
   endpoint <- case ficusConfigEndpoint ficusConfig of
     Just baseUri -> do
       proxyUri <- setPath [PathComponent "api", PathComponent "proxy", PathComponent "analysis"] (TrailingSlash False) baseUri
       pure $ render proxyUri
     Nothing -> pure "https://app.fossa.com/api/proxy/analysis"
-  pure $
-    Command
-      { cmdName = toText $ toPath bin
-      , cmdArgs = configArgs endpoint
-      , cmdAllowErr = Never
-      }
+  let cmd =
+        Command
+          { cmdName = toText $ toPath bin
+          , cmdArgs = configArgs endpoint
+          , cmdAllowErr = Never
+          }
+  logDebug $ "Ficus command: " <> pretty (maskApiKeyInCommand $ renderCommand cmd)
+  pure cmd
   where
     configArgs endpoint = ["analyze", "--secret", secret, "--endpoint", endpoint, "--locator", locator, "--set", "all:skip-hidden-files", "--set", "all:gitignore", "--exclude", ".git", "--exclude", ".git/**"] ++ configExcludes ++ [targetDir]
     targetDir = toText $ toFilePath $ ficusConfigRootDir ficusConfig
     secret = maybe "" (toText . unApiKey) $ ficusConfigSecret ficusConfig
     locator = renderLocator $ Locator "custom" (projectName $ ficusConfigRevision ficusConfig) (Just $ projectRevision $ ficusConfigRevision ficusConfig)
     configExcludes = unGlobFilter <$> ficusConfigExclude ficusConfig
 
+    maskApiKeyInCommand :: Text -> Text
+    maskApiKeyInCommand cmdText =
+      case Text.splitOn " --secret " cmdText of
+        [before, after] ->
+          case Text.words after of
+            (_ : rest) ->
+              before
+                <> " --secret "
+                <> "******"
+                <> if null rest then "" else " " <> Text.unwords rest
+            [] -> cmdText
+        _ -> cmdText
+
 -- add a FicusMessage to the corresponding entry of an empty FicusMessages
 singletonFicusMessage :: FicusMessage -> FicusMessages
 singletonFicusMessage message = case message of