
jdbc url with just host and port triggers false alert #3856

Open
david-gang opened this issue Jan 28, 2025 · 1 comment

david-gang commented Jan 28, 2025

Please review the Community Note before submitting

TruffleHog Version

3.88.2

Trace Output

https://gist.github.com/david-gang/370f0b4ec43afe9a2bcd835c635a01fb

Expected Behavior

This is part of a local docker compose environment:

  flyway:
    image: flyway/flyway:10
    depends_on:
      - postgres
    command: migrate
    volumes:
      - ./flyway/sql:/flyway/sql
      - ./flyway/conf:/flyway/conf
    environment:
      FLYWAY_URL: jdbc:postgresql://postgres:5432/mydb
      FLYWAY_USER: postgres
      FLYWAY_PASSWORD: password
      FLYWAY_SCHEMAS: public
      FLYWAY_LOCATIONS: filesystem:/flyway/sql

Trufflehog shouldn't issue an error, as I did not add a username or password in the URL here.

Actual Behavior

trufflehog fails with the output:

Found unverified result 🐷🔑❓
Verification issue: dial tcp: lookup postgres: no such host
dial tcp: lookup postgres: no such host
Detector Type: JDBC
Decoder Type: PLAIN
Raw result: jdbc:postgresql://postgres:5432/mydb
File: backend/docker-compose.yaml
Line: 25

I also don't understand why it does not alarm on FLYWAY_USER and FLYWAY_PASSWORD.

Steps to Reproduce

Take the snippet above and save it into a file.
Run trufflehog.

Environment

  • OS: [e.g. iOS]
  • Version [e.g. 22]

Additional Context

I know I can either exclude the detector or the file, but this is not a nice solution.

References

  • #0000
@david-gang david-gang added the bug label Jan 28, 2025
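To make the distinction the report is asking for concrete, here is an added example (not TruffleHog's own detector code) that classifies URL-style JDBC connection strings by whether they actually embed credentials, either in the userinfo part or in driver query parameters; the parameter list and the helper name are assumptions for this illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Query parameters that carry credentials for common URL-style drivers
// (PostgreSQL and MySQL accept user/password). Assumed list for this example.
var credentialParams = []string{"user", "password", "username"}

// jdbcCredentials reports whether a jdbc:<subprotocol>://... string carries
// credentials and where they were found. A bare host:port/database form like
// the one in the issue returns false.
func jdbcCredentials(raw string) (bool, string, error) {
	const prefix = "jdbc:"
	if !strings.HasPrefix(strings.ToLower(raw), prefix) {
		return false, "", fmt.Errorf("not a jdbc url: %q", raw)
	}
	// After dropping "jdbc:", postgresql/mysql connection strings parse as
	// ordinary URLs (not true for every driver, e.g. ";"-separated forms).
	u, err := url.Parse(raw[len(prefix):])
	if err != nil {
		return false, "", err
	}
	if u.User != nil {
		if _, hasPw := u.User.Password(); hasPw {
			return true, "userinfo with password", nil
		}
		if u.User.Username() != "" {
			return true, "userinfo with username only", nil
		}
	}
	q := u.Query()
	for _, k := range credentialParams {
		if q.Get(k) != "" {
			return true, "query parameter " + k, nil
		}
	}
	return false, "", nil
}

func main() {
	// Constructed samples; the first is the value from the issue.
	for _, s := range []string{
		"jdbc:postgresql://postgres:5432/mydb",
		"jdbc:postgresql://app:s3cret@postgres:5432/mydb",
		"jdbc:mysql://db:3306/shop?user=app&password=s3cret",
	} {
		found, where, err := jdbcCredentials(s)
		fmt.Printf("%-52s credentials=%v %s %v\n", s, found, where, err)
	}
}
```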

david-gang commented Jan 28, 2025

Additionally, even if I add

--results=verified,unknown

I am still getting the unverified result. I don't understand why.

After going through the code I understand that if we have an unverified result with a verification error it is called unknown. The wording

Found unverified result 🐷🔑❓

is confusing. Maybe this can be changed.
