
fix(postgres): honor ignore tags for default port URLs#4968

Open
Dawn-Fighter wants to merge 3 commits into
trufflesecurity:mainfrom
Dawn-Fighter:fix/postgres-ignore-default-port

Conversation

@Dawn-Fighter

@Dawn-Fighter Dawn-Fighter commented May 15, 2026

Summary

  • Preserve the original Postgres URI match as the primary secret so line-offset and ignore-tag handling use the source text.
  • Add regression coverage for trufflehog:ignore on Postgres URLs that omit the explicit port and are normalized to :5432.

Tests

  • go test ./pkg/detectors/postgres ./pkg/engine
  • make test-community
  • make lint
  • go run ./hack/checksecretparts -fail ./pkg/detectors
  • make man && git diff --exit-code docs/man/trufflehog.1

Addresses #4962.


Note

Medium Risk
Changes how the Postgres detector populates the result’s primary secret value so engine ignore-tag/line-offset matching uses the exact source text; this could affect matching behavior for Postgres URI findings but is narrowly scoped and covered by new tests.

Overview
Fixes Postgres URI findings where trufflehog:ignore could fail when the detector normalizes URLs by adding the default :5432 port.

The Postgres detector now preserves the original matched URI as Result’s primary secret value (while keeping Raw/RawV2 normalized), and URI parsing returns both the extracted params and the raw URI. Adds regression tests in postgres_test.go and engine_test.go to ensure ignore tags work for port-omitted Postgres URLs.

Reviewed by Cursor Bugbot for commit 40fcaa5. Bugbot is set up for automated code reviews on this repo.

@Dawn-Fighter Dawn-Fighter requested a review from a team May 15, 2026 17:07
@Dawn-Fighter Dawn-Fighter requested review from a team as code owners May 15, 2026 17:07
@CLAassistant

CLAassistant commented May 15, 2026

CLA assistant check
All committers have signed the CLA.

@gugacyber

Fix is correct and well-scoped. The root cause is clear: findUriMatches was normalizing the URI (adding :5432) before returning it, so the raw text used for ignore-tag line matching no longer corresponded to what was in the source file.
The uriMatch struct is the right abstraction — keeps params and rawURI together without leaking the raw string into unrelated code paths.
One minor observation: SetPrimarySecretValue(candidateURI.rawURI) sets the primary secret to the raw URI, but Raw and RawV2 are still set to the normalized raw value a few lines above. For ignore-tag matching this is fine since SetPrimarySecretValue is what drives line offset lookup, but worth confirming that having Raw != primary secret value doesn't break any downstream consumers that assume they're the same.
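The root cause described above, as an added illustration that is not code from the trufflehog project: a constructed config line holds a port-less Postgres URI with an ignore tag, the detector's normalization appends `:5432`, and a simplified stand-in for the engine's line-offset lookup (hypothetical `lineOf`/`isIgnored`, not the engine's real functions) only finds the tag when it searches for the original source text.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Constructed source snippet: the URI omits the port and carries an ignore tag.
const sampleSource = "config:\n  dsn: postgres://app:s3cret@db.internal/prod # trufflehog:ignore\n"

// normalizeURI adds the default Postgres port when the source omits it,
// mirroring the normalization the detector applies to Raw/RawV2.
func normalizeURI(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	if u.Port() == "" {
		u.Host = u.Hostname() + ":5432"
	}
	return u.String(), nil
}

// lineOf returns the 0-based line containing needle, or -1 if absent.
// Hypothetical stand-in for the engine's line-offset lookup.
func lineOf(source, needle string) int {
	for i, line := range strings.Split(source, "\n") {
		if strings.Contains(line, needle) {
			return i
		}
	}
	return -1
}

// isIgnored reports whether the line the secret sits on carries the ignore tag.
// The normalized form never appears in the source, so the lookup fails for it.
func isIgnored(source, needle string) bool {
	i := lineOf(source, needle)
	if i < 0 {
		return false
	}
	return strings.Contains(strings.Split(source, "\n")[i], "trufflehog:ignore")
}

func main() {
	raw := "postgres://app:s3cret@db.internal/prod"
	norm, _ := normalizeURI(raw)
	fmt.Println(norm, isIgnored(sampleSource, norm), isIgnored(sampleSource, raw))
}
```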

@Dawn-Fighter
Author

Thank you for the review, will do and commit again.

@Dawn-Fighter
Author

I have committed again with your comment in mind. Please review and respond @gugacyber

@gugacyber

The new TestPostgres_RawVsPrimarySecret test addresses exactly the concern I raised — it explicitly asserts that Raw/RawV2 hold the normalized form while GetPrimarySecretValue() returns the original source text, and the comment in the code explains the design decision clearly.
The approach is correct and well-documented. LGTM. Congrats on the fix!

@Dawn-Fighter
Author

Thank you.
