fix JDBC detector regex truncating trailing non-alphanumeric password characters (#4755)

Author: amanfcp

pkg/detectors/jdbc/jdbc.go

@@ -50,8 +50,10 @@ var _ detectors.Detector = (*Scanner)(nil)
 var _ detectors.CustomFalsePositiveChecker = (*Scanner)(nil)
 
 var (
-	// Matches typical JDBC connection strings amd ingores any special character at the end
-	keyPat = regexp.MustCompile(`(?i)jdbc:[\w]{3,10}:[^\s"'<>,{}[\]]{10,511}[A-Za-z0-9]`)
+	// Matches typical JDBC connection strings.
+	// The terminal character class additionally excludes () and & to avoid
+	// capturing surrounding delimiters (e.g. "(jdbc:…)" or "…&user=x&").
+	keyPat = regexp.MustCompile(`(?i)jdbc:[\w]{3,10}:[^\s"'<>,{}[\]]{10,511}[^\s"'<>,{}[\]()&]`)
 )
 
 // Keywords are used for efficiently pre-filtering chunks.

pkg/detectors/jdbc/jdbc_test.go

@@ -83,6 +83,13 @@ func TestJdbc_Pattern(t *testing.T) {
 				"jdbc:mysql://testuser:testpassword@tcp(localhost:1521)/testdb",
 			},
 		},
+		{
+			name: "trailing non-alphanumeric characters in password",
+			input: `jdbc:hive9://foo.example.com:10191/default;user=MyRoleUser;password=MyPa$$w0rd...`,
+			want: []string{
+				"jdbc:hive9://foo.example.com:10191/default;user=MyRoleUser;password=MyPa$$w0rd...",
+			},
+		},
 		{
 			name: "invalid pattern - false positives",
 			input: `