feat: git url sanitation (#1191)

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>

.github/workflows/nodejs.yml

@@ -111,10 +111,10 @@ jobs:
           # as long as npm cannot auto-resolve engine-constraints, we need to help here
           case '${{ matrix.node-version }}' in
             '14')
-              dep_constraints='normalize-package-data@^5'
+              dep_constraints='normalize-package-data@^5 hosted-git-info@^6'
               ;;
             '14.0.0')
-              dep_constraints='normalize-package-data@^3'
+              dep_constraints='normalize-package-data@^3 hosted-git-info@^4'
               dev_requirements='jest@^26 jest-junit imurmurhash fast-glob'
               ;;
           esac

HISTORY.md

@@ -7,12 +7,13 @@ All notable changes to this project will be documented in this file.
 <!-- unreleased changes go here -->
 
 * Changed
-  * Try to sanitize distribution URLs (via [#1187])
+  * Try to sanitize distribution URLs (via [#1187], [#1191])
 * Added
   * More debug output when it comes to package manifest loading (via [#1189]) 
 
 [#1187]: https://github.com/CycloneDX/cyclonedx-node-npm/pull/1187
 [#1189]: https://github.com/CycloneDX/cyclonedx-node-npm/pull/1189
+[#1191]: https://github.com/CycloneDX/cyclonedx-node-npm/pull/1191
 
 ## 1.18.0 - 2024-05-08
 

package.json

@@ -49,11 +49,13 @@
   "dependencies": {
     "@cyclonedx/cyclonedx-library": "^6.6.0",
     "commander": "^10.0.0",
+    "hosted-git-info": "^4||^5||^6||^7",
     "normalize-package-data": "^3||^4||^5||^6",
     "packageurl-js": "^1.2.1",
     "xmlbuilder2": "^3.0.2"
   },
   "devDependencies": {
+    "@types/hosted-git-info": "^3.0.5",
     "@types/node": "ts5.4",
     "@types/normalize-package-data": "^2.4.1",
     "eslint": "8.57.0",

src/_helpers.ts

@@ -18,6 +18,7 @@ Copyright (c) OWASP Foundation. All Rights Reserved.
 */
 
 import { readFileSync, writeSync } from 'fs'
+import * as GitHost from 'hosted-git-info'
 
 export function loadJsonFile (path: string): any {
   return JSON.parse(readFileSync(path, 'utf8'))
@@ -57,11 +58,17 @@ export function tryRemoveSecretsFromUrl (url: string): string {
   }
 }
 
+export function trySanitizeGitUrl (gitUrl: string): string {
+  const gitInfo = GitHost.fromUrl(gitUrl)
+  if (gitInfo === undefined) {
+    return gitUrl
+  }
+  gitInfo.auth = undefined
+  return gitInfo.toString()
+}
+
 export function trySanitizeUrl (url: string): string {
-  /* @TODO normalize/sanitize git-urls & remove secrets from them
-    - https://github.com/CycloneDX/cyclonedx-javascript-library.git#v6.4.2
-    - git@github.com:CycloneDX/cyclonedx-javascript-library.git#v6.6.0
-    maybe use package 'hosted-git-info'
-  */
-  return tryRemoveSecretsFromUrl(url)
+  return tryRemoveSecretsFromUrl(
+    trySanitizeGitUrl(
+      url))
 }