Sanitize Patterns, Licenses 2025-07-29

README.md

@@ -137,7 +137,7 @@ jobs:
           aws-region: us-east-1
 
       - name: Upload SBOM
-        uses: ClickHouse/ClickBom@v1.0.5
+        uses: ClickHouse/ClickBom@v1.0.6
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           aws-access-key-id: ${{ steps.aws-creds.outputs.aws-access-key-id }}
@@ -180,7 +180,7 @@ jobs:
           aws-region: us-east-1
 
       - name: Upload SBOM
-        uses: ClickHouse/ClickBom@v1.0.5
+        uses: ClickHouse/ClickBom@v1.0.6
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           aws-access-key-id: ${{ steps.aws-creds.outputs.aws-access-key-id }}
@@ -234,7 +234,7 @@ jobs:
           aws-region: us-east-1
 
       - name: Upload SBOM
-        uses: ClickHouse/ClickBom@v1.0.5
+        uses: ClickHouse/ClickBom@v1.0.6
         with:
           github-token: ${{ steps.generate-token.outputs.token }}
           aws-access-key-id: ${{ steps.aws-creds.outputs.aws-access-key-id }}
@@ -299,7 +299,7 @@ jobs:
           aws-region: us-east-1
 
       - name: Upload SBOM
-        uses: ClickHouse/ClickBom@v1.0.5
+        uses: ClickHouse/ClickBom@v1.0.6
         with:
           github-token: ${{ steps.generate-token.outputs.token }}
           aws-access-key-id: ${{ steps.aws-creds.outputs.aws-access-key-id }}
@@ -363,7 +363,7 @@ jobs:
           aws-region: us-east-1
 
       - name: Upload SBOM
-        uses: ClickHouse/ClickBom@v1.0.5
+        uses: ClickHouse/ClickBom@v1.0.6
         with:
           github-token: ${{ steps.generate-token.outputs.token }}
           aws-access-key-id: ${{ steps.aws-creds.outputs.aws-access-key-id }}
@@ -405,7 +405,7 @@ jobs:
           aws-region: us-east-1
 
       - name: Upload SBOM
-        uses: ClickHouse/ClickBom@v1.0.5
+        uses: ClickHouse/ClickBom@v1.0.6
         with:
           github-token: ${{ steps.generate-token.outputs.token }}
           aws-access-key-id: ${{ steps.aws-creds.outputs.aws-access-key-id }}
@@ -459,7 +459,7 @@ jobs:
           aws-region: us-east-1
 
       - name: Merge Production SBOMs Only
-        uses: ClickHouse/ClickBom@v1.0.5
+        uses: ClickHouse/ClickBom@v1.0.6
         with:
           github-token: ${{ steps.generate-token.outputs.token }}
           aws-access-key-id: ${{ steps.aws-creds.outputs.aws-access-key-id }}
@@ -514,7 +514,7 @@ jobs:
           aws-region: us-east-1
 
       - name: Upload SBOM from Mend
-        uses: ClickHouse/ClickBom@v1.0.5
+        uses: ClickHouse/ClickBom@v1.0.6
         with:
           aws-access-key-id: ${{ steps.aws-creds.outputs.aws-access-key-id }}
           aws-secret-access-key: ${{ steps.aws-creds.outputs.aws-secret-access-key }}
@@ -565,7 +565,7 @@ jobs:
           aws-region: us-east-1
 
       - name: Upload SBOM from Wiz
-        uses: ClickHouse/ClickBom@v1.0.5
+        uses: ClickHouse/ClickBom@v1.0.6
         with:
           aws-access-key-id: ${{ steps.aws-creds.outputs.aws-access-key-id }}
           aws-secret-access-key: ${{ steps.aws-creds.outputs.aws-secret-access-key }}

lib/sanitize.sh

@@ -176,6 +176,38 @@ sanitize_database_name() {
     echo "$sanitized"
 }
 
+# Sanitize comma-separated patterns (for include/exclude)
+sanitize_patterns() {
+    local patterns="$1"
+
+    if [[ -z "$patterns" ]]; then
+        echo ""
+        return
+    fi
+
+    # Split by comma and sanitize each pattern
+    local sanitized_patterns=()
+    IFS=',' read -ra pattern_array <<< "$patterns"
+
+    for pattern in "${pattern_array[@]}"; do
+        # Trim whitespace
+        pattern=$(echo "$pattern" | xargs)
+
+        # Remove dangerous characters but keep wildcards
+        local sanitized_pattern
+        sanitized_pattern=$(echo "$pattern" | sed 's/[^a-zA-Z0-9.*_-]//g')
+
+        if [[ -n "$sanitized_pattern" ]]; then
+            sanitized_patterns+=("$sanitized_pattern")
+        fi
+    done
+
+    # Join back with commas
+    local result
+    result=$(IFS=','; echo "${sanitized_patterns[*]}")
+    echo "$result"
+}
+
 # Main sanitization function - sanitizes all environment variables
 sanitize_inputs() {
     log_debug "Sanitizing input parameters..."
@@ -347,15 +379,15 @@ sanitize_inputs() {
     #     log_debug "Validated MERGE: $MERGE"
     # fi
 
-    # if [[ -n "${INCLUDE:-}" ]]; then
-    #     INCLUDE=$(sanitize_patterns "$INCLUDE")
-    #     log_debug "Sanitized INCLUDE: $INCLUDE"
-    # fi
+    if [[ -n "${INCLUDE:-}" ]]; then
+        INCLUDE=$(sanitize_patterns "$INCLUDE")
+        log_debug "Sanitized INCLUDE: $INCLUDE"
+    fi
 
-    # if [[ -n "${EXCLUDE:-}" ]]; then
-    #     EXCLUDE=$(sanitize_patterns "$EXCLUDE")
-    #     log_debug "Sanitized EXCLUDE: $EXCLUDE"
-    # fi
+    if [[ -n "${EXCLUDE:-}" ]]; then
+        EXCLUDE=$(sanitize_patterns "$EXCLUDE")
+        log_debug "Sanitized EXCLUDE: $EXCLUDE"
+    fi
 
     # Sanitize tokens (GitHub token, etc.) - just remove dangerous characters
     if [[ -n "${GITHUB_TOKEN:-}" ]]; then

license-mappings.json

@@ -166,6 +166,26 @@
   "github.com/aws/smithy-go": "Apache-2.0",
   "github.com/aymanbagabas/go-osc52/v2": "MIT",
   "github.com/aymerick/douceur": "MIT",
+  "github.com/Azure/azure-amqp-common-go/v3": "MIT",
+  "github.com/Azure/azure-pipeline-go": "MIT",
+  "github.com/Azure/azure-sdk-for-go-extensions": "MIT",
+  "github.com/Azure/azure-sdk-for-go/sdk/azcore": "MIT",
+  "github.com/Azure/azure-sdk-for-go/sdk/azidentity": "MIT",
+  "github.com/Azure/azure-sdk-for-go/sdk/containers/azcontainerregistry": "MIT",
+  "github.com/Azure/azure-sdk-for-go/sdk/internal": "MIT",
+  "github.com/Azure/azure-sdk-for-go/sdk/messaging/azservicebus": "MIT",
+  "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v3": "MIT",
+  "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/containerservice/armcontainerservice/v4": "MIT",
+  "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/containerservice/armcontainerservice/v6": "MIT",
+  "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi": "MIT",
+  "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v5": "MIT",
+  "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resourcegraph/armresourcegraph": "MIT",
+  "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources": "MIT",
+  "github.com/Azure/azure-sdk-for-go/sdk/storage/azblob": "MIT",
+  "github.com/Azure/azure-storage-blob-go": "MIT",
+  "github.com/Azure/go-amqp": "MIT",
+  "github.com/Azure/go-ansiterm": "MIT",
+  "github.com/AzureAD/microsoft-authentication-library-for-go": "MIT",
   "github.com/bahlo/generic-list-go": "BSD-3-Clause",
   "github.com/baidubce/bce-sdk-go": "Apache-2.0",
   "github.com/bboreham/go-loser": "Apache-2.0",
@@ -184,40 +204,67 @@
   "github.com/briandowns/spinner": "Apache-2.0",
   "github.com/bufbuild/protocompile": "Apache-2.0",
   "github.com/buger/jsonparser": "MIT",
+  "github.com/BurntSushi/toml": "MIT",
   "github.com/butuzov/ireturn": "MIT",
   "github.com/butuzov/mirror": "MIT",
   "github.com/bytedance/sonic": "Apache-2.0",
   "github.com/bytedance/sonic/loader": "Apache-2.0",
-  "github.com/Azure/azure-amqp-common-go/v3": "MIT",
-  "github.com/Azure/azure-pipeline-go": "MIT",
-  "github.com/Azure/azure-sdk-for-go-extensions": "MIT",
-  "github.com/Azure/azure-sdk-for-go/sdk/azcore": "MIT",
-  "github.com/Azure/azure-sdk-for-go/sdk/azidentity": "MIT",
-  "github.com/Azure/azure-sdk-for-go/sdk/containers/azcontainerregistry": "MIT",
-  "github.com/Azure/azure-sdk-for-go/sdk/internal": "MIT",
-  "github.com/Azure/azure-sdk-for-go/sdk/messaging/azservicebus": "MIT",
-  "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v3": "MIT",
-  "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/containerservice/armcontainerservice/v4": "MIT",
-  "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/containerservice/armcontainerservice/v6": "MIT",
-  "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi": "MIT",
-  "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v5": "MIT",
-  "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resourcegraph/armresourcegraph": "MIT",
-  "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources": "MIT",
-  "github.com/Azure/azure-sdk-for-go/sdk/storage/azblob": "MIT",
-  "github.com/Azure/azure-storage-blob-go": "MIT",
-  "github.com/Azure/go-amqp": "MIT",
-  "github.com/Azure/go-ansiterm": "MIT",
-  "github.com/AzureAD/microsoft-authentication-library-for-go": "MIT",
-  "github.com/BurntSushi/toml": "MIT",
+  "github.com/c-bata/go-prompt": "MIT",
+  "github.com/cactus/go-statsd-client/statsd": "MIT",
+  "github.com/cactus/go-statsd-client/v5": "MIT",
+  "github.com/casbin/casbin/v2": "Apache-2.0",
+  "github.com/casbin/govaluate": "MIT",
+  "github.com/catenacyber/perfsprint": "MIT",
+  "github.com/ccojocar/zxcvbn-go": "MIT",
   "github.com/cenkalti/backoff/v4": "MIT",
+  "github.com/cenkalti/backoff/v5": "MIT",
+  "github.com/census-instrumentation/opencensus-proto": "Apache-2.0",
+  "github.com/cert-manager/cert-manager": "Apache-2.0",
+  "github.com/cespare/xxhash/v2": "MIT",
+  "github.com/chai2010/gettext-go": "BSD-3-Clause",
+  "github.com/charithe/durationcheck": "Apache-2.0",
+  "github.com/charmbracelet/bubbles": "MIT",
+  "github.com/charmbracelet/bubbletea": "MIT",
+  "github.com/charmbracelet/colorprofile": "MIT",
+  "github.com/charmbracelet/glamour": "MIT",
+  "github.com/charmbracelet/lipgloss": "MIT",
+  "github.com/charmbracelet/x/ansi": "MIT",
+  "github.com/charmbracelet/x/cellbuff": "MIT",
+  "github.com/charmbracelet/x/exp/slice": "MIT",
+  "github.com/charmbracelet/x/term": "MIT",
+  "github.com/chavacava/garif": "MIT",
+  "github.com/chzyer/readline": "MIT",
+  "github.com/cihub/seelog": "BSD-3-Clause",
+  "github.com/cilium/cilium": "Apache-2.0",
+  "github.com/cilium/ebpf": "MIT",
+  "github.com/cilium/hive": "Apache-2.0",
+  "github.com/cilium/proxy": "Apache-2.0",
+  "github.com/ckaznocha/intrange": "MIT",
+  "github.com/clbanning/mxj": "BSD-3-Clause",
   "github.com/ClickHouse/ch-go": "Apache-2.0",
   "github.com/ClickHouse/clickhouse-go/v2": "Apache-2.0",
+  "github.com/cloudflare/circl": "BSD-3-Clause",
+  "github.com/cloudprober/cloudprober": "Apache-2.0",
+  "github.com/cloudwego/base64x": "Apache-2.0",
+  "github.com/cloudwego/iasm": "Apache-2.0",
+  "github.com/cncf/xds/go": "Apache-2.0",
+  "github.com/coder/quartz": "CC0-1.0",
+  "github.com/coder/websocket": "ISC",
+  "github.com/containerd/console": "Apache-2.0",
+  "github.com/containerd/containerd": "Apache-2.0",
   "github.com/containerd/errdefs": "Apache-2.0",
   "github.com/containerd/errdefs/pkg": "Apache-2.0",
   "github.com/containerd/log": "Apache-2.0",
   "github.com/containerd/platforms": "Apache-2.0",
+  "github.com/containerd/stargz-snapshotter/estargz": "Apache-2.0",
+  "github.com/coreos/go-oidc/v3": "Apache-2.0",
+  "github.com/coreos/go-systemd/v22": "Apache-2.0",
   "github.com/cpuguy83/dockercfg": "MIT",
+  "github.com/cpuguy83/go-md2man/v2": "MIT",
   "github.com/Crocmagnon/fatcontext": "MIT",
+  "github.com/curioswitch/go-reassign": "MIT",
+  "github.com/cyphar/filepath-securejoin": "BSD-3-Clause",
+  "github.com/daixiang0/gci": "BSD-3-Clause",
   "github.com/DATA-DOG/go-sqlmock": "BSD-3-Clause",
   "github.com/DataDog/appsec-internal-go": "Apache-2.0",
   "github.com/DataDog/datadog-agent/pkg/obfuscate": "Apache-2.0",
@@ -237,11 +284,24 @@
   "github.com/DataDog/sketches-go": "Apache-2.0",
   "github.com/DataDog/zstd": "BSD-3-Clause",
   "github.com/davecgh/go-spew": "ISC",
+  "github.com/deckarep/golang-set/v2": "MIT",
+  "github.com/decred/dcrd/dcrec/secp256k1/v4": "ISC",
+  "github.com/denis-tingaikin/go-header": "GPL-3.0",
+  "github.com/denisenkom/go-mssqldb": "BSD-3-Clause",
+  "github.com/dennwc/varint": "MIT",
+  "github.com/dgryski/go-farm": "MIT",
+  "github.com/dgryski/go-rendezvous": "MIT",
   "github.com/distribution/reference": "Apache-2.0",
   "github.com/Djarvur/go-err113": "MIT",
+  "github.com/dlclark/regexp2": "MIT",
+  "github.com/docker/cli": "MIT",
+  "github.com/docker/distribution": "Apache-2.0",
   "github.com/docker/docker": "Apache-2.0",
+  "github.com/docker/docker-credential-helpers": "MIT",
   "github.com/docker/go-connections": "Apache-2.0",
+  "github.com/docker/go-metrics": "Apache-2.0",
   "github.com/docker/go-units": "Apache-2.0",
+  "github.com/dustin/go-humanize": "MIT",
   "github.com/ebitengine/purego": "Apache-2.0",
   "github.com/felixge/httpsnoop": "MIT",
   "github.com/GaijinEntertainment/go-exhaustruct/v3": "MIT",

test/simple.bats

@@ -707,3 +707,52 @@ EOF
     [ "$status" -eq 0 ]
     [[ "$output" == "testdatabase" ]]
 }
+
+# Test 79: sanitize_patterns accepts valid patterns
+@test "sanitize_patterns accepts valid patterns" {
+    run sanitize_patterns "*.json,test*.txt,file.log"
+    [ "$status" -eq 0 ]
+    [[ "$output" == "*.json,test*.txt,file.log" ]]
+}
+
+# Test 80: sanitize_patterns trims whitespace
+@test "sanitize_patterns trims whitespace" {
+    run sanitize_patterns " *.json , test*.txt , file.log "
+    [ "$status" -eq 0 ]
+    [[ "$output" == "*.json,test*.txt,file.log" ]]
+}
+
+# Test 81: sanitize_patterns removes dangerous characters
+@test "sanitize_patterns removes dangerous characters" {
+    run sanitize_patterns "*.json,test\$bad.txt"
+    [ "$status" -eq 0 ]
+    [[ "$output" == "*.json,testbad.txt" ]]
+}
+
+# Test 82: sanitize_patterns preserves valid wildcards
+@test "sanitize_patterns preserves wildcards" {
+    run sanitize_patterns "*-prod.json,production-*.json"
+    [ "$status" -eq 0 ]
+    [[ "$output" == "*-prod.json,production-*.json" ]]
+}
+
+# Test 83: sanitize_patterns handles empty input
+@test "sanitize_patterns handles empty input" {
+    run sanitize_patterns ""
+    [ "$status" -eq 0 ]
+    [[ "$output" == "" ]]
+}
+
+# Test 84: sanitize_patterns removes empty patterns
+@test "sanitize_patterns removes empty patterns" {
+    run sanitize_patterns "*.json,,test*.txt"
+    [ "$status" -eq 0 ]
+    [[ "$output" == "*.json,test*.txt" ]]
+}
+
+# Test 85: sanitize_patterns handles single pattern
+@test "sanitize_patterns handles single pattern" {
+    run sanitize_patterns "*.json"
+    [ "$status" -eq 0 ]
+    [[ "$output" == "*.json" ]]
+}