
Commit fd8f2c7

Sanitize Patterns, Licenses 2025-07-29 (#22)
* Sanitize Patterns, Licenses 2025-07-29 Signed-off-by: Julio Jimenez <julio@clickhouse.com> * Sanitize Patterns, Licenses 2025-07-29 Signed-off-by: Julio Jimenez <julio@clickhouse.com> * Sanitize Patterns, Licenses 2025-07-29 Signed-off-by: Julio Jimenez <julio@clickhouse.com> * Sanitize Patterns, Licenses 2025-07-29 Signed-off-by: Julio Jimenez <julio@clickhouse.com> * Sanitize Patterns, Licenses 2025-07-29 Signed-off-by: Julio Jimenez <julio@clickhouse.com> * licenses Signed-off-by: Julio Jimenez <julio@clickhouse.com> * licenses Signed-off-by: Julio Jimenez <julio@clickhouse.com> --------- Signed-off-by: Julio Jimenez <julio@clickhouse.com>
1 parent cfcd863 commit fd8f2c7

4 files changed

Lines changed: 179 additions & 38 deletions


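--- a/README.md
+++ b/README.md
@@ -137,7 +137,7 @@ jobs:
 aws-region: us-east-1
 
 - name: Upload SBOM
-uses: ClickHouse/ClickBom@v1.0.5
+uses: ClickHouse/ClickBom@v1.0.6
 with:
 github-token: ${{ secrets.GITHUB_TOKEN }}
 aws-access-key-id: ${{ steps.aws-creds.outputs.aws-access-key-id }}
@@ -180,7 +180,7 @@ jobs:
 aws-region: us-east-1
 
 - name: Upload SBOM
-uses: ClickHouse/ClickBom@v1.0.5
+uses: ClickHouse/ClickBom@v1.0.6
 with:
 github-token: ${{ secrets.GITHUB_TOKEN }}
 aws-access-key-id: ${{ steps.aws-creds.outputs.aws-access-key-id }}
@@ -234,7 +234,7 @@ jobs:
 aws-region: us-east-1
 
 - name: Upload SBOM
-uses: ClickHouse/ClickBom@v1.0.5
+uses: ClickHouse/ClickBom@v1.0.6
 with:
 github-token: ${{ steps.generate-token.outputs.token }}
 aws-access-key-id: ${{ steps.aws-creds.outputs.aws-access-key-id }}
@@ -299,7 +299,7 @@ jobs:
 aws-region: us-east-1
 
 - name: Upload SBOM
-uses: ClickHouse/ClickBom@v1.0.5
+uses: ClickHouse/ClickBom@v1.0.6
 with:
 github-token: ${{ steps.generate-token.outputs.token }}
 aws-access-key-id: ${{ steps.aws-creds.outputs.aws-access-key-id }}
@@ -363,7 +363,7 @@ jobs:
 aws-region: us-east-1
 
 - name: Upload SBOM
-uses: ClickHouse/ClickBom@v1.0.5
+uses: ClickHouse/ClickBom@v1.0.6
 with:
 github-token: ${{ steps.generate-token.outputs.token }}
 aws-access-key-id: ${{ steps.aws-creds.outputs.aws-access-key-id }}
@@ -405,7 +405,7 @@ jobs:
 aws-region: us-east-1
 
 - name: Upload SBOM
-uses: ClickHouse/ClickBom@v1.0.5
+uses: ClickHouse/ClickBom@v1.0.6
 with:
 github-token: ${{ steps.generate-token.outputs.token }}
 aws-access-key-id: ${{ steps.aws-creds.outputs.aws-access-key-id }}
@@ -459,7 +459,7 @@ jobs:
 aws-region: us-east-1
 
 - name: Merge Production SBOMs Only
-uses: ClickHouse/ClickBom@v1.0.5
+uses: ClickHouse/ClickBom@v1.0.6
 with:
 github-token: ${{ steps.generate-token.outputs.token }}
 aws-access-key-id: ${{ steps.aws-creds.outputs.aws-access-key-id }}
@@ -514,7 +514,7 @@ jobs:
 aws-region: us-east-1
 
 - name: Upload SBOM from Mend
-uses: ClickHouse/ClickBom@v1.0.5
+uses: ClickHouse/ClickBom@v1.0.6
 with:
 aws-access-key-id: ${{ steps.aws-creds.outputs.aws-access-key-id }}
 aws-secret-access-key: ${{ steps.aws-creds.outputs.aws-secret-access-key }}
@@ -565,7 +565,7 @@ jobs:
 aws-region: us-east-1
 
 - name: Upload SBOM from Wiz
-uses: ClickHouse/ClickBom@v1.0.5
+uses: ClickHouse/ClickBom@v1.0.6
 with:
 aws-access-key-id: ${{ steps.aws-creds.outputs.aws-access-key-id }}
 aws-secret-access-key: ${{ steps.aws-creds.outputs.aws-secret-access-key }}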

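--- a/lib/sanitize.sh
+++ b/lib/sanitize.sh
@@ -176,6 +176,38 @@ sanitize_database_name() {
 echo "$sanitized"
 }
 
+# Sanitize comma-separated patterns (for include/exclude)
+sanitize_patterns() {
+local patterns="$1"
+
+if [[ -z "$patterns" ]]; then
+echo ""
+return
+fi
+
+# Split by comma and sanitize each pattern
+local sanitized_patterns=()
+IFS=',' read -ra pattern_array <<< "$patterns"
+
+for pattern in "${pattern_array[@]}"; do
+# Trim whitespace
+pattern=$(echo "$pattern" | xargs)
+
+# Remove dangerous characters but keep wildcards
+local sanitized_pattern
+sanitized_pattern=$(echo "$pattern" | sed 's/[^a-zA-Z0-9.*_-]//g')
+
+if [[ -n "$sanitized_pattern" ]]; then
+sanitized_patterns+=("$sanitized_pattern")
+fi
+done
+
+# Join back with commas
+local result
+result=$(IFS=','; echo "${sanitized_patterns[*]}")
+echo "$result"
+}
+
 # Main sanitization function - sanitizes all environment variables
 sanitize_inputs() {
 log_debug "Sanitizing input parameters..."
@@ -347,15 +379,15 @@ sanitize_inputs() {
 # log_debug "Validated MERGE: $MERGE"
 # fi
 
-# if [[ -n "${INCLUDE:-}" ]]; then
-# INCLUDE=$(sanitize_patterns "$INCLUDE")
-# log_debug "Sanitized INCLUDE: $INCLUDE"
-# fi
+if [[ -n "${INCLUDE:-}" ]]; then
+INCLUDE=$(sanitize_patterns "$INCLUDE")
+log_debug "Sanitized INCLUDE: $INCLUDE"
+fi
 
-# if [[ -n "${EXCLUDE:-}" ]]; then
-# EXCLUDE=$(sanitize_patterns "$EXCLUDE")
-# log_debug "Sanitized EXCLUDE: $EXCLUDE"
-# fi
+if [[ -n "${EXCLUDE:-}" ]]; then
+EXCLUDE=$(sanitize_patterns "$EXCLUDE")
+log_debug "Sanitized EXCLUDE: $EXCLUDE"
+fi
 
 # Sanitize tokens (GitHub token, etc.) - just remove dangerous characters
 if [[ -n "${GITHUB_TOKEN:-}" ]]; then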
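Review bot: The whitespace trim in sanitize_patterns, `pattern=$(echo "$pattern" | xargs)`, hands the untrusted value to xargs, which parses quotes and backslashes as syntax: an input such as `it's.json` makes xargs fail on the unmatched quote so the pattern is silently dropped (or the function aborts if the caller runs under `set -e -o pipefail`), and a value like `-n` is consumed by echo as an option rather than trimmed. Trimming with parameter expansion and feeding sed via `printf '%s'` avoids both, and pinning `LC_ALL=C` on the sed call keeps the `[^a-zA-Z0-9.*_-]` allow-list byte-based regardless of the runner's locale. `pattern_array` and `pattern` are not declared `local`, so they leak into the caller's scope. Since `?` and `[...]` are stripped and only `*` survives, the header comment should say `# Only '*' is kept as a wildcard; '?' and bracket expressions are removed` if that is intended. In the second hunk `INCLUDE=$(sanitize_patterns "$INCLUDE")` alters the value silently; logging when the sanitized value differs from the raw one would make stripped characters visible to the operator.
```shell
  # Split by comma and sanitize each pattern
  local pattern pattern_array sanitized_patterns=()
  IFS=',' read -ra pattern_array <<< "$patterns"

  for pattern in "${pattern_array[@]}"; do
    # Trim leading/trailing whitespace with parameter expansion; xargs would
    # interpret quotes/backslashes in the value and can drop the pattern entirely.
    pattern="${pattern#"${pattern%%[![:space:]]*}"}"
    pattern="${pattern%"${pattern##*[![:space:]]}"}"

    # printf instead of echo so a value such as "-n" is not taken as an option;
    # LC_ALL=C keeps the bracket expression byte-based in every locale.
    local sanitized_pattern
    sanitized_pattern=$(printf '%s' "$pattern" | LC_ALL=C sed 's/[^a-zA-Z0-9.*_-]//g')
    # … unchanged: append non-empty results to sanitized_patterns …
  done
  # … unchanged: join with commas and echo …
```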

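--- a/license-mappings.json
+++ b/license-mappings.json
@@ -166,6 +166,26 @@
 "github.com/aws/smithy-go": "Apache-2.0",
 "github.com/aymanbagabas/go-osc52/v2": "MIT",
 "github.com/aymerick/douceur": "MIT",
+"github.com/Azure/azure-amqp-common-go/v3": "MIT",
+"github.com/Azure/azure-pipeline-go": "MIT",
+"github.com/Azure/azure-sdk-for-go-extensions": "MIT",
+"github.com/Azure/azure-sdk-for-go/sdk/azcore": "MIT",
+"github.com/Azure/azure-sdk-for-go/sdk/azidentity": "MIT",
+"github.com/Azure/azure-sdk-for-go/sdk/containers/azcontainerregistry": "MIT",
+"github.com/Azure/azure-sdk-for-go/sdk/internal": "MIT",
+"github.com/Azure/azure-sdk-for-go/sdk/messaging/azservicebus": "MIT",
+"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v3": "MIT",
+"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/containerservice/armcontainerservice/v4": "MIT",
+"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/containerservice/armcontainerservice/v6": "MIT",
+"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi": "MIT",
+"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v5": "MIT",
+"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resourcegraph/armresourcegraph": "MIT",
+"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources": "MIT",
+"github.com/Azure/azure-sdk-for-go/sdk/storage/azblob": "MIT",
+"github.com/Azure/azure-storage-blob-go": "MIT",
+"github.com/Azure/go-amqp": "MIT",
+"github.com/Azure/go-ansiterm": "MIT",
+"github.com/AzureAD/microsoft-authentication-library-for-go": "MIT",
 "github.com/bahlo/generic-list-go": "BSD-3-Clause",
 "github.com/baidubce/bce-sdk-go": "Apache-2.0",
 "github.com/bboreham/go-loser": "Apache-2.0",
@@ -184,40 +204,67 @@
 "github.com/briandowns/spinner": "Apache-2.0",
 "github.com/bufbuild/protocompile": "Apache-2.0",
 "github.com/buger/jsonparser": "MIT",
+"github.com/BurntSushi/toml": "MIT",
 "github.com/butuzov/ireturn": "MIT",
 "github.com/butuzov/mirror": "MIT",
 "github.com/bytedance/sonic": "Apache-2.0",
 "github.com/bytedance/sonic/loader": "Apache-2.0",
-"github.com/Azure/azure-amqp-common-go/v3": "MIT",
-"github.com/Azure/azure-pipeline-go": "MIT",
-"github.com/Azure/azure-sdk-for-go-extensions": "MIT",
-"github.com/Azure/azure-sdk-for-go/sdk/azcore": "MIT",
-"github.com/Azure/azure-sdk-for-go/sdk/azidentity": "MIT",
-"github.com/Azure/azure-sdk-for-go/sdk/containers/azcontainerregistry": "MIT",
-"github.com/Azure/azure-sdk-for-go/sdk/internal": "MIT",
-"github.com/Azure/azure-sdk-for-go/sdk/messaging/azservicebus": "MIT",
-"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v3": "MIT",
-"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/containerservice/armcontainerservice/v4": "MIT",
-"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/containerservice/armcontainerservice/v6": "MIT",
-"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi": "MIT",
-"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v5": "MIT",
-"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resourcegraph/armresourcegraph": "MIT",
-"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources": "MIT",
-"github.com/Azure/azure-sdk-for-go/sdk/storage/azblob": "MIT",
-"github.com/Azure/azure-storage-blob-go": "MIT",
-"github.com/Azure/go-amqp": "MIT",
-"github.com/Azure/go-ansiterm": "MIT",
-"github.com/AzureAD/microsoft-authentication-library-for-go": "MIT",
-"github.com/BurntSushi/toml": "MIT",
+"github.com/c-bata/go-prompt": "MIT",
+"github.com/cactus/go-statsd-client/statsd": "MIT",
+"github.com/cactus/go-statsd-client/v5": "MIT",
+"github.com/casbin/casbin/v2": "Apache-2.0",
+"github.com/casbin/govaluate": "MIT",
+"github.com/catenacyber/perfsprint": "MIT",
+"github.com/ccojocar/zxcvbn-go": "MIT",
 "github.com/cenkalti/backoff/v4": "MIT",
+"github.com/cenkalti/backoff/v5": "MIT",
+"github.com/census-instrumentation/opencensus-proto": "Apache-2.0",
+"github.com/cert-manager/cert-manager": "Apache-2.0",
+"github.com/cespare/xxhash/v2": "MIT",
+"github.com/chai2010/gettext-go": "BSD-3-Clause",
+"github.com/charithe/durationcheck": "Apache-2.0",
+"github.com/charmbracelet/bubbles": "MIT",
+"github.com/charmbracelet/bubbletea": "MIT",
+"github.com/charmbracelet/colorprofile": "MIT",
+"github.com/charmbracelet/glamour": "MIT",
+"github.com/charmbracelet/lipgloss": "MIT",
+"github.com/charmbracelet/x/ansi": "MIT",
+"github.com/charmbracelet/x/cellbuff": "MIT",
+"github.com/charmbracelet/x/exp/slice": "MIT",
+"github.com/charmbracelet/x/term": "MIT",
+"github.com/chavacava/garif": "MIT",
+"github.com/chzyer/readline": "MIT",
+"github.com/cihub/seelog": "BSD-3-Clause",
+"github.com/cilium/cilium": "Apache-2.0",
+"github.com/cilium/ebpf": "MIT",
+"github.com/cilium/hive": "Apache-2.0",
+"github.com/cilium/proxy": "Apache-2.0",
+"github.com/ckaznocha/intrange": "MIT",
+"github.com/clbanning/mxj": "BSD-3-Clause",
 "github.com/ClickHouse/ch-go": "Apache-2.0",
 "github.com/ClickHouse/clickhouse-go/v2": "Apache-2.0",
+"github.com/cloudflare/circl": "BSD-3-Clause",
+"github.com/cloudprober/cloudprober": "Apache-2.0",
+"github.com/cloudwego/base64x": "Apache-2.0",
+"github.com/cloudwego/iasm": "Apache-2.0",
+"github.com/cncf/xds/go": "Apache-2.0",
+"github.com/coder/quartz": "CC0-1.0",
+"github.com/coder/websocket": "ISC",
+"github.com/containerd/console": "Apache-2.0",
+"github.com/containerd/containerd": "Apache-2.0",
 "github.com/containerd/errdefs": "Apache-2.0",
 "github.com/containerd/errdefs/pkg": "Apache-2.0",
 "github.com/containerd/log": "Apache-2.0",
 "github.com/containerd/platforms": "Apache-2.0",
+"github.com/containerd/stargz-snapshotter/estargz": "Apache-2.0",
+"github.com/coreos/go-oidc/v3": "Apache-2.0",
+"github.com/coreos/go-systemd/v22": "Apache-2.0",
 "github.com/cpuguy83/dockercfg": "MIT",
+"github.com/cpuguy83/go-md2man/v2": "MIT",
 "github.com/Crocmagnon/fatcontext": "MIT",
+"github.com/curioswitch/go-reassign": "MIT",
+"github.com/cyphar/filepath-securejoin": "BSD-3-Clause",
+"github.com/daixiang0/gci": "BSD-3-Clause",
 "github.com/DATA-DOG/go-sqlmock": "BSD-3-Clause",
 "github.com/DataDog/appsec-internal-go": "Apache-2.0",
 "github.com/DataDog/datadog-agent/pkg/obfuscate": "Apache-2.0",
@@ -237,11 +284,24 @@
 "github.com/DataDog/sketches-go": "Apache-2.0",
 "github.com/DataDog/zstd": "BSD-3-Clause",
 "github.com/davecgh/go-spew": "ISC",
+"github.com/deckarep/golang-set/v2": "MIT",
+"github.com/decred/dcrd/dcrec/secp256k1/v4": "ISC",
+"github.com/denis-tingaikin/go-header": "GPL-3.0",
+"github.com/denisenkom/go-mssqldb": "BSD-3-Clause",
+"github.com/dennwc/varint": "MIT",
+"github.com/dgryski/go-farm": "MIT",
+"github.com/dgryski/go-rendezvous": "MIT",
 "github.com/distribution/reference": "Apache-2.0",
 "github.com/Djarvur/go-err113": "MIT",
+"github.com/dlclark/regexp2": "MIT",
+"github.com/docker/cli": "MIT",
+"github.com/docker/distribution": "Apache-2.0",
 "github.com/docker/docker": "Apache-2.0",
+"github.com/docker/docker-credential-helpers": "MIT",
 "github.com/docker/go-connections": "Apache-2.0",
+"github.com/docker/go-metrics": "Apache-2.0",
 "github.com/docker/go-units": "Apache-2.0",
+"github.com/dustin/go-humanize": "MIT",
 "github.com/ebitengine/purego": "Apache-2.0",
 "github.com/felixge/httpsnoop": "MIT",
 "github.com/GaijinEntertainment/go-exhaustruct/v3": "MIT",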

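--- a/test/simple.bats
+++ b/test/simple.bats
@@ -707,3 +707,52 @@ EOF
 [ "$status" -eq 0 ]
 [[ "$output" == "testdatabase" ]]
 }
+
+# Test 79: sanitize_patterns accepts valid patterns
+@test "sanitize_patterns accepts valid patterns" {
+run sanitize_patterns "*.json,test*.txt,file.log"
+[ "$status" -eq 0 ]
+[[ "$output" == "*.json,test*.txt,file.log" ]]
+}
+
+# Test 80: sanitize_patterns trims whitespace
+@test "sanitize_patterns trims whitespace" {
+run sanitize_patterns " *.json , test*.txt , file.log "
+[ "$status" -eq 0 ]
+[[ "$output" == "*.json,test*.txt,file.log" ]]
+}
+
+# Test 81: sanitize_patterns removes dangerous characters
+@test "sanitize_patterns removes dangerous characters" {
+run sanitize_patterns "*.json,test\$bad.txt"
+[ "$status" -eq 0 ]
+[[ "$output" == "*.json,testbad.txt" ]]
+}
+
+# Test 82: sanitize_patterns preserves valid wildcards
+@test "sanitize_patterns preserves wildcards" {
+run sanitize_patterns "*-prod.json,production-*.json"
+[ "$status" -eq 0 ]
+[[ "$output" == "*-prod.json,production-*.json" ]]
+}
+
+# Test 83: sanitize_patterns handles empty input
+@test "sanitize_patterns handles empty input" {
+run sanitize_patterns ""
+[ "$status" -eq 0 ]
+[[ "$output" == "" ]]
+}
+
+# Test 84: sanitize_patterns removes empty patterns
+@test "sanitize_patterns removes empty patterns" {
+run sanitize_patterns "*.json,,test*.txt"
+[ "$status" -eq 0 ]
+[[ "$output" == "*.json,test*.txt" ]]
+}
+
+# Test 85: sanitize_patterns handles single pattern
+@test "sanitize_patterns handles single pattern" {
+run sanitize_patterns "*.json"
+[ "$status" -eq 0 ]
+[[ "$output" == "*.json" ]]
+}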
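Review bot: Test 81 covers `$` as the only dangerous character, but none of the new cases exercises the inputs the sanitizer's xargs-based trim handles worst — a quote or backslash in the value — nor the `?` glob, which the `[^a-zA-Z0-9.*_-]` class strips; a case such as `run sanitize_patterns "it's.json"` asserting `[[ "$output" == "its.json" ]]` would pin the intended result and, as far as I can tell from the implementation in lib/sanitize.sh, fails today because xargs rejects the unmatched quote and the pattern is dropped. A case for a value beginning with `-` (e.g. `-v.json`) would document that such patterns pass through unchanged and so must be placed after `--` by whatever consumes INCLUDE/EXCLUDE. Each test also only checks `$status -eq 0`; a case asserting that stderr stays empty would catch the xargs diagnostic that the current trim emits on malformed input.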
