diff --git a/README.md b/README.md index 8bb4d5c..fee313e 100644 --- a/README.md +++ b/README.md @@ -137,7 +137,7 @@ jobs: aws-region: us-east-1 - name: Upload SBOM - uses: ClickHouse/ClickBom@v1.0.5 + uses: ClickHouse/ClickBom@v1.0.6 with: github-token: ${{ secrets.GITHUB_TOKEN }} aws-access-key-id: ${{ steps.aws-creds.outputs.aws-access-key-id }} @@ -180,7 +180,7 @@ jobs: aws-region: us-east-1 - name: Upload SBOM - uses: ClickHouse/ClickBom@v1.0.5 + uses: ClickHouse/ClickBom@v1.0.6 with: github-token: ${{ secrets.GITHUB_TOKEN }} aws-access-key-id: ${{ steps.aws-creds.outputs.aws-access-key-id }} @@ -234,7 +234,7 @@ jobs: aws-region: us-east-1 - name: Upload SBOM - uses: ClickHouse/ClickBom@v1.0.5 + uses: ClickHouse/ClickBom@v1.0.6 with: github-token: ${{ steps.generate-token.outputs.token }} aws-access-key-id: ${{ steps.aws-creds.outputs.aws-access-key-id }} @@ -299,7 +299,7 @@ jobs: aws-region: us-east-1 - name: Upload SBOM - uses: ClickHouse/ClickBom@v1.0.5 + uses: ClickHouse/ClickBom@v1.0.6 with: github-token: ${{ steps.generate-token.outputs.token }} aws-access-key-id: ${{ steps.aws-creds.outputs.aws-access-key-id }} @@ -363,7 +363,7 @@ jobs: aws-region: us-east-1 - name: Upload SBOM - uses: ClickHouse/ClickBom@v1.0.5 + uses: ClickHouse/ClickBom@v1.0.6 with: github-token: ${{ steps.generate-token.outputs.token }} aws-access-key-id: ${{ steps.aws-creds.outputs.aws-access-key-id }} @@ -405,7 +405,7 @@ jobs: aws-region: us-east-1 - name: Upload SBOM - uses: ClickHouse/ClickBom@v1.0.5 + uses: ClickHouse/ClickBom@v1.0.6 with: github-token: ${{ steps.generate-token.outputs.token }} aws-access-key-id: ${{ steps.aws-creds.outputs.aws-access-key-id }} @@ -459,7 +459,7 @@ jobs: aws-region: us-east-1 - name: Merge Production SBOMs Only - uses: ClickHouse/ClickBom@v1.0.5 + uses: ClickHouse/ClickBom@v1.0.6 with: github-token: ${{ steps.generate-token.outputs.token }} aws-access-key-id: ${{ steps.aws-creds.outputs.aws-access-key-id }} 
@@ -514,7 +514,7 @@ jobs: aws-region: us-east-1 - name: Upload SBOM from Mend - uses: ClickHouse/ClickBom@v1.0.5 + uses: ClickHouse/ClickBom@v1.0.6 with: aws-access-key-id: ${{ steps.aws-creds.outputs.aws-access-key-id }} aws-secret-access-key: ${{ steps.aws-creds.outputs.aws-secret-access-key }} @@ -565,7 +565,7 @@ jobs: aws-region: us-east-1 - name: Upload SBOM from Wiz - uses: ClickHouse/ClickBom@v1.0.5 + uses: ClickHouse/ClickBom@v1.0.6 with: aws-access-key-id: ${{ steps.aws-creds.outputs.aws-access-key-id }} aws-secret-access-key: ${{ steps.aws-creds.outputs.aws-secret-access-key }} diff --git a/lib/sanitize.sh b/lib/sanitize.sh index f367216..8a43ca6 100644 --- a/lib/sanitize.sh +++ b/lib/sanitize.sh @@ -176,6 +176,38 @@ sanitize_database_name() { echo "$sanitized" } +# Sanitize comma-separated patterns (for include/exclude) +sanitize_patterns() { + local patterns="$1" + + if [[ -z "$patterns" ]]; then + echo "" + return + fi + + # Split by comma and sanitize each pattern + local sanitized_patterns=() + IFS=',' read -ra pattern_array <<< "$patterns" + + for pattern in "${pattern_array[@]}"; do + # Trim whitespace + pattern=$(echo "$pattern" | xargs) + + # Remove dangerous characters but keep wildcards + local sanitized_pattern + sanitized_pattern=$(echo "$pattern" | sed 's/[^a-zA-Z0-9.*_-]//g') + + if [[ -n "$sanitized_pattern" ]]; then + sanitized_patterns+=("$sanitized_pattern") + fi + done + + # Join back with commas + local result + result=$(IFS=','; echo "${sanitized_patterns[*]}") + echo "$result" +} + # Main sanitization function - sanitizes all environment variables sanitize_inputs() { log_debug "Sanitizing input parameters..." 
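Review bot: `pattern=$(echo "$pattern" | xargs)` is not a plain whitespace trim: xargs re-parses its input, so a pattern containing a quote or a backslash makes it exit with "unterminated quote" and that pattern is silently dropped, and bash's `echo` treats a value such as `-n` or `-e` as an option rather than text. Trimming with parameter expansion and applying the character filter with `${pattern//[^a-zA-Z0-9.*_-]/}` keeps the loop in pure bash, with no subshell or external tool between the raw input and the filter; the final `echo "$result"` has the same `-n`/`-e` problem and is better written `printf '%s\n' "$result"`. The filter also removes `/` and `?`, so a path pattern such as `dir/*.json` is rewritten to `dir.json` rather than rejected, which deserves a comment stating that this is intended, because the resulting include/exclude filter no longer matches what the caller asked for.
```shell
  for pattern in "${pattern_array[@]}"; do
    # Trim leading/trailing whitespace with parameter expansion; xargs would
    # re-parse quotes and backslashes in the pattern and can fail outright.
    pattern="${pattern#"${pattern%%[![:space:]]*}"}"
    pattern="${pattern%"${pattern##*[![:space:]]}"}"

    # Remove dangerous characters but keep wildcards (same class as before)
    local sanitized_pattern="${pattern//[^a-zA-Z0-9.*_-]/}"

    if [[ -n "$sanitized_pattern" ]]; then
      sanitized_patterns+=("$sanitized_pattern")
    fi
  done
  # … unchanged: join back with commas …
  printf '%s\n' "$result"
```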
@@ -347,15 +379,15 @@ sanitize_inputs() { # log_debug "Validated MERGE: $MERGE" # fi - # if [[ -n "${INCLUDE:-}" ]]; then - # INCLUDE=$(sanitize_patterns "$INCLUDE") - # log_debug "Sanitized INCLUDE: $INCLUDE" - # fi + if [[ -n "${INCLUDE:-}" ]]; then + INCLUDE=$(sanitize_patterns "$INCLUDE") + log_debug "Sanitized INCLUDE: $INCLUDE" + fi - # if [[ -n "${EXCLUDE:-}" ]]; then - # EXCLUDE=$(sanitize_patterns "$EXCLUDE") - # log_debug "Sanitized EXCLUDE: $EXCLUDE" - # fi + if [[ -n "${EXCLUDE:-}" ]]; then + EXCLUDE=$(sanitize_patterns "$EXCLUDE") + log_debug "Sanitized EXCLUDE: $EXCLUDE" + fi # Sanitize tokens (GitHub token, etc.) - just remove dangerous characters if [[ -n "${GITHUB_TOKEN:-}" ]]; then diff --git a/license-mappings.json b/license-mappings.json index 3d1b54f..a51efe4 100644 --- a/license-mappings.json +++ b/license-mappings.json 
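Review bot: `log_debug "Sanitized INCLUDE: $INCLUDE"` shows only the value after sanitize_patterns has rewritten it, so a filter that was silently altered (a dropped `/`, `?` or quote) is invisible unless debug logging is on, and the job then includes or excludes different files than the caller configured. Keeping the original in a local before the call, `local original_include="$INCLUDE"`, and logging both values at a non-debug level when `[[ "$INCLUDE" != "$original_include" ]]` makes the mutation visible in the normal run log; the EXCLUDE block below it has the same gap. sanitize_inputs starts and ends outside the hunk.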
@@ -166,6 +166,26 @@
 "github.com/aws/smithy-go": "Apache-2.0",
 "github.com/aymanbagabas/go-osc52/v2": "MIT",
 "github.com/aymerick/douceur": "MIT",
+ "github.com/Azure/azure-amqp-common-go/v3": "MIT",
+ "github.com/Azure/azure-pipeline-go": "MIT",
+ "github.com/Azure/azure-sdk-for-go-extensions": "MIT",
+ "github.com/Azure/azure-sdk-for-go/sdk/azcore": "MIT",
+ "github.com/Azure/azure-sdk-for-go/sdk/azidentity": "MIT",
+ "github.com/Azure/azure-sdk-for-go/sdk/containers/azcontainerregistry": "MIT",
+ "github.com/Azure/azure-sdk-for-go/sdk/internal": "MIT",
+ "github.com/Azure/azure-sdk-for-go/sdk/messaging/azservicebus": "MIT",
+ "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v3": "MIT",
+ "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/containerservice/armcontainerservice/v4": "MIT",
+ "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/containerservice/armcontainerservice/v6": "MIT",
+ "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi": "MIT",
+ "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v5": "MIT",
+ "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resourcegraph/armresourcegraph": "MIT",
+ "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources": "MIT",
+ "github.com/Azure/azure-sdk-for-go/sdk/storage/azblob": "MIT",
+ "github.com/Azure/azure-storage-blob-go": "MIT",
+ "github.com/Azure/go-amqp": "MIT",
+ "github.com/Azure/go-ansiterm": "MIT",
+ "github.com/AzureAD/microsoft-authentication-library-for-go": "MIT",
 "github.com/bahlo/generic-list-go": "BSD-3-Clause",
 "github.com/baidubce/bce-sdk-go": "Apache-2.0",
 "github.com/bboreham/go-loser": "Apache-2.0",
@@ -184,40 +204,67 @@
 "github.com/briandowns/spinner": "Apache-2.0",
 "github.com/bufbuild/protocompile": "Apache-2.0",
 "github.com/buger/jsonparser": "MIT",
+ "github.com/BurntSushi/toml": "MIT",
 "github.com/butuzov/ireturn": "MIT",
 "github.com/butuzov/mirror": "MIT",
 "github.com/bytedance/sonic": "Apache-2.0",
 "github.com/bytedance/sonic/loader": "Apache-2.0",
- "github.com/Azure/azure-amqp-common-go/v3": "MIT",
- "github.com/Azure/azure-pipeline-go": "MIT",
- "github.com/Azure/azure-sdk-for-go-extensions": "MIT",
- "github.com/Azure/azure-sdk-for-go/sdk/azcore": "MIT",
- "github.com/Azure/azure-sdk-for-go/sdk/azidentity": "MIT",
- "github.com/Azure/azure-sdk-for-go/sdk/containers/azcontainerregistry": "MIT",
- "github.com/Azure/azure-sdk-for-go/sdk/internal": "MIT",
- "github.com/Azure/azure-sdk-for-go/sdk/messaging/azservicebus": "MIT",
- "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v3": "MIT",
- "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/containerservice/armcontainerservice/v4": "MIT",
- "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/containerservice/armcontainerservice/v6": "MIT",
- "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi": "MIT",
- "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v5": "MIT",
- "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resourcegraph/armresourcegraph": "MIT",
- "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources": "MIT",
- "github.com/Azure/azure-sdk-for-go/sdk/storage/azblob": "MIT",
- "github.com/Azure/azure-storage-blob-go": "MIT",
- "github.com/Azure/go-amqp": "MIT",
- "github.com/Azure/go-ansiterm": "MIT",
- "github.com/AzureAD/microsoft-authentication-library-for-go": "MIT",
- "github.com/BurntSushi/toml": "MIT",
+ "github.com/c-bata/go-prompt": "MIT",
+ "github.com/cactus/go-statsd-client/statsd": "MIT",
+ "github.com/cactus/go-statsd-client/v5": "MIT",
+ "github.com/casbin/casbin/v2": "Apache-2.0",
+ "github.com/casbin/govaluate": "MIT",
+ "github.com/catenacyber/perfsprint": "MIT",
+ "github.com/ccojocar/zxcvbn-go": "MIT",
 "github.com/cenkalti/backoff/v4": "MIT",
+ "github.com/cenkalti/backoff/v5": "MIT",
+ "github.com/census-instrumentation/opencensus-proto": "Apache-2.0",
+ "github.com/cert-manager/cert-manager": "Apache-2.0",
+ "github.com/cespare/xxhash/v2": "MIT",
+ "github.com/chai2010/gettext-go": "BSD-3-Clause",
+ "github.com/charithe/durationcheck": "Apache-2.0",
+ "github.com/charmbracelet/bubbles": "MIT",
+ "github.com/charmbracelet/bubbletea": "MIT",
+ "github.com/charmbracelet/colorprofile": "MIT",
+ "github.com/charmbracelet/glamour": "MIT",
+ "github.com/charmbracelet/lipgloss": "MIT",
+ "github.com/charmbracelet/x/ansi": "MIT",
+ "github.com/charmbracelet/x/cellbuff": "MIT",
+ "github.com/charmbracelet/x/exp/slice": "MIT",
+ "github.com/charmbracelet/x/term": "MIT",
+ "github.com/chavacava/garif": "MIT",
+ "github.com/chzyer/readline": "MIT",
+ "github.com/cihub/seelog": "BSD-3-Clause",
+ "github.com/cilium/cilium": "Apache-2.0",
+ "github.com/cilium/ebpf": "MIT",
+ "github.com/cilium/hive": "Apache-2.0",
+ "github.com/cilium/proxy": "Apache-2.0",
+ "github.com/ckaznocha/intrange": "MIT",
+ "github.com/clbanning/mxj": "BSD-3-Clause",
 "github.com/ClickHouse/ch-go": "Apache-2.0",
 "github.com/ClickHouse/clickhouse-go/v2": "Apache-2.0",
+ "github.com/cloudflare/circl": "BSD-3-Clause",
+ "github.com/cloudprober/cloudprober": "Apache-2.0",
+ "github.com/cloudwego/base64x": "Apache-2.0",
+ "github.com/cloudwego/iasm": "Apache-2.0",
+ "github.com/cncf/xds/go": "Apache-2.0",
+ "github.com/coder/quartz": "CC0-1.0",
+ "github.com/coder/websocket": "ISC",
+ "github.com/containerd/console": "Apache-2.0",
+ "github.com/containerd/containerd": "Apache-2.0",
 "github.com/containerd/errdefs": "Apache-2.0",
 "github.com/containerd/errdefs/pkg": "Apache-2.0",
 "github.com/containerd/log": "Apache-2.0",
 "github.com/containerd/platforms": "Apache-2.0",
+ "github.com/containerd/stargz-snapshotter/estargz": "Apache-2.0",
+ "github.com/coreos/go-oidc/v3": "Apache-2.0",
+ "github.com/coreos/go-systemd/v22": "Apache-2.0",
 "github.com/cpuguy83/dockercfg": "MIT",
+ "github.com/cpuguy83/go-md2man/v2": "MIT",
 "github.com/Crocmagnon/fatcontext": "MIT",
+ "github.com/curioswitch/go-reassign": "MIT",
+ "github.com/cyphar/filepath-securejoin": "BSD-3-Clause",
+ "github.com/daixiang0/gci": "BSD-3-Clause",
 "github.com/DATA-DOG/go-sqlmock": "BSD-3-Clause",
 "github.com/DataDog/appsec-internal-go": "Apache-2.0",
 "github.com/DataDog/datadog-agent/pkg/obfuscate": "Apache-2.0",
@@ -237,11 +284,24 @@
 "github.com/DataDog/sketches-go": "Apache-2.0",
 "github.com/DataDog/zstd": "BSD-3-Clause",
 "github.com/davecgh/go-spew": "ISC",
+ "github.com/deckarep/golang-set/v2": "MIT",
+ "github.com/decred/dcrd/dcrec/secp256k1/v4": "ISC",
+ "github.com/denis-tingaikin/go-header": "GPL-3.0",
+ "github.com/denisenkom/go-mssqldb": "BSD-3-Clause",
+ "github.com/dennwc/varint": "MIT",
+ "github.com/dgryski/go-farm": "MIT",
+ "github.com/dgryski/go-rendezvous": "MIT",
 "github.com/distribution/reference": "Apache-2.0",
 "github.com/Djarvur/go-err113": "MIT",
+ "github.com/dlclark/regexp2": "MIT",
+ "github.com/docker/cli": "MIT",
+ "github.com/docker/distribution": "Apache-2.0",
 "github.com/docker/docker": "Apache-2.0",
+ "github.com/docker/docker-credential-helpers": "MIT",
 "github.com/docker/go-connections": "Apache-2.0",
+ "github.com/docker/go-metrics": "Apache-2.0",
 "github.com/docker/go-units": "Apache-2.0",
+ "github.com/dustin/go-humanize": "MIT",
 "github.com/ebitengine/purego": "Apache-2.0",
 "github.com/felixge/httpsnoop": "MIT",
 "github.com/GaijinEntertainment/go-exhaustruct/v3": "MIT",
diff --git a/test/simple.bats b/test/simple.bats
index 36cc886..bfff8fd 100644
--- a/test/simple.bats
+++ b/test/simple.bats
@@ -707,3 +707,52 @@ EOF
 [ "$status" -eq 0 ]
 [[ "$output" == "testdatabase" ]]
 }
+
+# Test 79: sanitize_patterns accepts valid patterns
+@test "sanitize_patterns accepts valid patterns" {
+ run sanitize_patterns "*.json,test*.txt,file.log"
+ [ "$status" -eq 0 ]
+ [[ "$output" == "*.json,test*.txt,file.log" ]]
+}
+
+# Test 80: sanitize_patterns trims whitespace
+@test "sanitize_patterns trims whitespace" {
+ run sanitize_patterns " *.json , test*.txt , file.log "
+ [ "$status" -eq 0 ]
+ [[ "$output" == "*.json,test*.txt,file.log" ]]
+}
+
+# Test 81: sanitize_patterns removes dangerous characters
+@test "sanitize_patterns removes dangerous characters" {
+ run sanitize_patterns "*.json,test\$bad.txt"
+ [ "$status" -eq 0 ]
+ [[ "$output" == "*.json,testbad.txt" ]]
+}
+
+# Test 82: sanitize_patterns preserves valid wildcards
+@test "sanitize_patterns preserves wildcards" {
+ run sanitize_patterns "*-prod.json,production-*.json"
+ [ "$status" -eq 0 ]
+ [[ "$output" == "*-prod.json,production-*.json" ]]
+}
+
+# Test 83: sanitize_patterns handles empty input
+@test "sanitize_patterns handles empty input" {
+ run sanitize_patterns ""
+ [ "$status" -eq 0 ]
+ [[ "$output" == "" ]]
+}
+
+# Test 84: sanitize_patterns removes empty patterns
+@test "sanitize_patterns removes empty patterns" {
+ run sanitize_patterns "*.json,,test*.txt"
+ [ "$status" -eq 0 ]
+ [[ "$output" == "*.json,test*.txt" ]]
+}
+
+# Test 85: sanitize_patterns handles single pattern
+@test "sanitize_patterns handles single pattern" {
+ run sanitize_patterns "*.json"
+ [ "$status" -eq 0 ]
+ [[ "$output" == "*.json" ]]
+}
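Review bot: The new cases never feed sanitize_patterns an input that exercises the sanitizer's weak spots: a pattern containing a quote or backslash (which the `echo | xargs` trim in lib/sanitize.sh hands to xargs for re-parsing), a path separator or `?` wildcard (`dir/*.json` currently comes back as `dir.json`), or a value such as `-n` that bash's `echo` swallows. One test per case pinning the intended output, e.g. `run sanitize_patterns "dir/*.json"` followed by an assertion on whatever the contract is meant to be, would document that contract and catch a regression if the trim or the character filter is changed. Test 81 covers only `$`, so its "removes dangerous characters" name promises more than it checks.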