Box Detector: Extract Subject ID for Analyzer Integration

[shahzadhaider1]

Problem

The Box analyzer requires three credentials to run: client_id, client_secret, and subject_id (a numeric Box enterprise or user ID). The detector was only verifying client_id + client_secret and not populating AnalysisInfo at all, meaning the analyzer would always fail immediately with subject_id not found, making the detector:analyzer pipeline non-functional.

Changes

boxoauth.go

• Added subjectIdPat regex to extract numeric Box enterprise/user IDs from surrounding context near relevant keywords (enterprise, enterprise_id, user_id, subject, box_subject)
• After a credential pair is verified, one detectors.Result is emitted per found subject ID, each carrying the verified client_id, client_secret, and its respective subject_id in AnalysisInfo
• If no subject IDs are found in context, a single result is emitted with just client_id and client_secret
• verifyMatch is completely unchanged; the existing 400/unauthorized_client verification trick is preserved as-is

boxoauth_test.go

• Added pattern tests covering: single subject ID, multiple subject IDs (one result per ID), and no subject ID

Behavior Summary

Scenario	Results emitted
Valid pair, 1 subject ID found	1 result with client_id + client_secret + subject_id
Valid pair, N subject IDs found	N results, one per subject ID
Valid pair, no subject ID found	1 result with client_id + client_secret only
Invalid pair	unchanged, no results

Checklist:

• Tests passing (make test-community)?
• Lint passing (make lint this requires golangci-lint)?

---

Note

Medium Risk
Changes detection output cardinality and enriches verified results with analyzer-facing metadata, which could affect downstream processing and result volumes.

Overview
Extends the Box OAuth detector to also extract numeric subject_id values (enterprise/user IDs) and, when a credential pair verifies, populate Result.AnalysisInfo with client_id, client_secret, and subject_id for analyzer consumption.

FromData now emits one result per discovered subject ID (or a single result when none are present) while keeping the existing client_id/client_secret verification behavior; tests were updated to cover 0/1/multiple subject-ID cases and modernized to testify assertions.

^{Written by Cursor Bugbot for commit 399a358. This will update automatically on new commits. Configure here.}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.}

[cursor]

subject_id may attach to wrong credentials

Medium Severity

uniqueSubjectIdMatches is collected once for the entire input and then reused for every client_id/client_secret combination, so any subject_id found anywhere in the chunk can be emitted alongside unrelated credential pairs. This can mis-populate AnalysisInfo and produce incorrect detector→analyzer inputs when multiple Box-related values appear in the same chunk.

 

[mustansir14]

A suggestion:

Instead of having an if else flow based on subject IDs found and duplicating results creation logic for both the flows, you can do something similar to how organization IDs are passed to AnalysisInfo in the atlassian detector

The idea is basically to add a dummy (empty) entry for the subject ID to the uniqueMatch map if there are no subject IDs found, and treat it normally as any other credential part by looping over that. This will simplify the detector logic a lot IMO.