@cyclonedx/cdxgen 12.1.4 → 12.2.0

package/lib/server/server.js

@@ -48,7 +48,6 @@ const ALLOWED_PARAMS = [
   "deep",
   "profile",
   "exclude",
-  "includeFormulation",
   "includeCrypto",
   "standard",
   "minConfidence",
@@ -267,6 +266,10 @@ function gitClone(repoUrl, branch = null) {
   const gitArgs = [
     "-c",
     "alias.clone=",
+    "-c",
+    "core.fsmonitor=false",
+    "-c",
+    "safe.bareRepository=explicit",
     "clone",
     repoUrl,
     "--depth",
@@ -288,16 +291,26 @@ function gitClone(repoUrl, branch = null) {
     `Cloning Repo${branch ? ` with branch ${branch}` : ""} to ${tempDir}`,
   );
   const gitAllowProtocol = getGitAllowProtocol();
-  // See issue #1956
+  const envConfigs = {
+    GIT_CONFIG_COUNT: "2",
+    GIT_CONFIG_KEY_0: "core.fsmonitor",
+    GIT_CONFIG_VALUE_0: "false",
+    GIT_CONFIG_KEY_1: "safe.bareRepository",
+    GIT_CONFIG_VALUE_1: "explicit",
+  };
   const env = isSecureMode
     ? {
         ...process.env,
+        ...envConfigs,
         GIT_CONFIG_NOSYSTEM: "1",
         GIT_CONFIG_NOGLOBAL: "1",
         GIT_ALLOW_PROTOCOL: gitAllowProtocol,
       }
-    : { ...process.env, GIT_ALLOW_PROTOCOL: gitAllowProtocol };
-
+    : {
+        ...process.env,
+        ...envConfigs,
+        GIT_ALLOW_PROTOCOL: gitAllowProtocol,
+      };
   const result = safeSpawnSync("git", gitArgs, {
     shell: false,
     env,
@@ -359,6 +372,17 @@ export function parseValue(raw) {
   throw new TypeError(`Invalid value type: ${t}.`);
 }
 
+/**
+ * Parses allowed query/body parameters into a typed options object.
+ * Query parameters take priority over body parameters. Handles the
+ * `type` → `projectType` rename, lifecycle-based `installDeps` defaulting,
+ * and profile option expansion.
+ *
+ * @param {Object} q Parsed query string key/value map
+ * @param {Object} [body={}] Parsed request body key/value map
+ * @param {Object} [options={}] Seed options object to merge results into
+ * @returns {Object} Populated options object
+ */
 export function parseQueryString(q, body = {}, options = {}) {
   // Priority is query params followed by body
   for (const param of ALLOWED_PARAMS) {
@@ -378,9 +402,17 @@ export function parseQueryString(q, body = {}, options = {}) {
   return options;
 }
 
+/**
+ * Extracts query parameters from an incoming HTTP request object.
+ * Handles repeated keys by collecting their values into an array.
+ * Returns an empty object if the URL cannot be parsed.
+ *
+ * @param {Object} req Node.js/connect HTTP request object
+ * @returns {Object} Key/value map of query parameters from the request URL
+ */
 export function getQueryParams(req) {
   try {
-    if (!req || !req.url) {
+    if (!req?.url) {
       return {};
     }
 
@@ -389,7 +421,7 @@ export function getQueryParams(req) {
     const baseUrl = `${protocol}://${host}`;
 
     const fullUrl = new URL(req.url, baseUrl);
-    const params = {};
+    const params = Object.create(null);
 
     // Convert multiple values to an array
     for (const [key, value] of fullUrl.searchParams) {
@@ -436,21 +468,25 @@ const configureServer = (cdxgenServer) => {
 const ALL_INTERFACES = new Set(["0.0.0.0", "::", "::/128", "::/0"]);
 
 const start = (options) => {
+  if (isSecureMode && !process.permission) {
+    console.error(
+      "SECURE MODE: Node.js permission model not enabled. Use --permission flag.",
+    );
+    process.exit(1);
+  }
   console.log(`cdxgen server version ${CDXGEN_VERSION}`);
-
-  console.log(
-    "Listening on",
-    options.serverHost,
-    options.serverPort,
-    "without authentication!",
-  );
   if (ALL_INTERFACES.has(options.serverHost)) {
     console.log("Exposing cdxgen server on all IP address is a security risk!");
     if (isSecureMode) {
       process.exit(1);
     }
   }
-  if (+options.serverPort < 1024) {
+  const serverPort = Number(options.serverPort);
+  if (!Number.isInteger(serverPort) || serverPort <= 0 || serverPort > 65535) {
+    console.log("Invalid server port specified.");
+    process.exit(1);
+  }
+  if (serverPort < 1024) {
     console.log(
       "Running cdxgen server with a privileged port is a security risk!",
     );
@@ -490,9 +526,15 @@ const start = (options) => {
       process.exit(1);
     }
   }
+  console.log(
+    "Listening on",
+    options.serverHost,
+    serverPort,
+    "without authentication!",
+  );
   const cdxgenServer = http
     .createServer(app)
-    .listen(options.serverPort, options.serverHost);
+    .listen(serverPort, options.serverHost);
   configureServer(cdxgenServer);
 
   app.use("/health", (_req, res) => {
@@ -512,7 +554,7 @@ const start = (options) => {
     }
     const q = getQueryParams(req);
     let cleanup = false;
-    let reqOptions = {};
+    let reqOptions = Object.create(null);
     try {
       reqOptions = parseQueryString(
         q,

package/lib/server/server.poku.js

@@ -11,53 +11,71 @@ import {
   validateAndRejectGitSource,
 } from "./server.js";
 
+function nullProtoObj(obj) {
+  if (obj === null || typeof obj !== "object") {
+    return obj;
+  }
+  if (Array.isArray(obj)) {
+    return obj.map(nullProtoObj);
+  }
+  if (Object.prototype.toString.call(obj) === "[object Object]") {
+    const result = Object.create(null);
+    for (const [key, value] of Object.entries(obj)) {
+      result[key] = nullProtoObj(value);
+    }
+    return result;
+  }
+  return obj;
+}
+
+function checkEqual(actual, expected, message) {
+  assert.deepStrictEqual(nullProtoObj(actual), nullProtoObj(expected), message);
+}
+
 it("parseValue tests", () => {
-  assert.deepStrictEqual(parseValue("foo"), "foo");
-  assert.deepStrictEqual(parseValue("foo\n"), "foo");
-  assert.deepStrictEqual(parseValue("foo\r\n"), "foo");
-  assert.deepStrictEqual(parseValue(1), 1);
-  assert.deepStrictEqual(parseValue("true"), true);
-  assert.deepStrictEqual(parseValue("false"), false);
-  assert.deepStrictEqual(parseValue(["foo", "bar", 42]), ["foo", "bar", 42]);
+  checkEqual(parseValue("foo"), "foo");
+  checkEqual(parseValue("foo\n"), "foo");
+  checkEqual(parseValue("foo\r\n"), "foo");
+  checkEqual(parseValue(1), 1);
+  checkEqual(parseValue("true"), true);
+  checkEqual(parseValue("false"), false);
+  checkEqual(parseValue(["foo", "bar", 42]), ["foo", "bar", 42]);
   assert.throws(() => parseValue({ foo: "bar" }), TypeError);
   assert.throws(() => parseValue([42, "foo", { foo: "bar" }]), TypeError);
   assert.throws(() => parseValue([42, "foo", new Error()]), TypeError);
   assert.throws(() => parseValue(["foo", "bar", new String(42)]), TypeError);
-  assert.deepStrictEqual(parseValue(true), true);
-  assert.deepStrictEqual(parseValue(false), false);
-  assert.deepStrictEqual(parseValue(null), null);
-  assert.deepStrictEqual(parseValue(undefined), undefined);
-  assert.deepStrictEqual(parseValue([null, undefined, null]), [
+  checkEqual(parseValue(true), true);
+  checkEqual(parseValue(false), false);
+  checkEqual(parseValue(null), null);
+  checkEqual(parseValue(undefined), undefined);
+  checkEqual(parseValue([null, undefined, null]), [null, undefined, null]);
+  checkEqual(parseValue(""), "");
+  checkEqual(parseValue("   \n"), "   ");
+  checkEqual(parseValue("42"), "42");
+  checkEqual(parseValue("0"), "0");
+  checkEqual(parseValue("-1"), "-1");
+  checkEqual(parseValue("True"), "True");
+  checkEqual(parseValue("False"), "False");
+  checkEqual(parseValue(" TRUE "), " TRUE ");
+  checkEqual(parseValue(["true", "false", 0, "0", null, undefined]), [
+    true,
+    false,
+    0,
+    "0",
     null,
     undefined,
-    null,
   ]);
-  assert.deepStrictEqual(parseValue(""), "");
-  assert.deepStrictEqual(parseValue("   \n"), "   ");
-  assert.deepStrictEqual(parseValue("42"), "42");
-  assert.deepStrictEqual(parseValue("0"), "0");
-  assert.deepStrictEqual(parseValue("-1"), "-1");
-  assert.deepStrictEqual(parseValue("True"), "True");
-  assert.deepStrictEqual(parseValue("False"), "False");
-  assert.deepStrictEqual(parseValue(" TRUE "), " TRUE ");
-  assert.deepStrictEqual(
-    parseValue(["true", "false", 0, "0", null, undefined]),
-    [true, false, 0, "0", null, undefined],
-  );
   assert.throws(() => parseValue([["nested"]]), TypeError);
   assert.throws(() => parseValue(Symbol("test")), TypeError);
   assert.throws(() => parseValue(BigInt(42)), TypeError);
   // biome-ignore-start lint/suspicious/noEmptyBlockStatements: test
   assert.throws(() => parseValue(() => {}), TypeError);
   // biome-ignore-end lint/suspicious/noEmptyBlockStatements: test
-  assert.deepStrictEqual(parseValue(Number.NaN), Number.NaN);
-  assert.deepStrictEqual(
-    parseValue(Number.POSITIVE_INFINITY),
-    Number.POSITIVE_INFINITY,
-  );
+  checkEqual(parseValue(Number.NaN), Number.NaN);
+  checkEqual(parseValue(Number.POSITIVE_INFINITY), Number.POSITIVE_INFINITY);
   const obj = { toString: () => "foo" };
   assert.throws(() => parseValue(obj), TypeError);
-  assert.deepStrictEqual(parseValue("hello\r\n"), "hello");
+  checkEqual(parseValue("hello\r\n"), "hello");
 });
 
 describe("parseQueryString tests", () => {
@@ -70,22 +88,22 @@ describe("parseQueryString tests", () => {
     };
     const options = {};
     const result = parseQueryString(q, body, options);
-    assert.deepStrictEqual(result.foo, undefined);
-    assert.deepStrictEqual(result.excludeType, ["2"]);
-    assert.deepStrictEqual(result.technique, ["manifest-analysis"]);
+    checkEqual(result.foo, undefined);
+    checkEqual(result.excludeType, ["2"]);
+    checkEqual(result.technique, ["manifest-analysis"]);
   });
 
   it("splits type into projectType and removes type", () => {
     const options = { type: "a,b,c" };
     const result = parseQueryString({}, {}, options);
-    assert.deepStrictEqual(result.projectType, ["a", "b", "c"]);
-    assert.deepStrictEqual(result.type, undefined);
+    checkEqual(result.projectType, ["a", "b", "c"]);
+    checkEqual(result.type, undefined);
   });
 
   it("sets installDeps to false for pre-build lifecycle", () => {
     const options = { lifecycle: "pre-build" };
     const result = parseQueryString({}, {}, options);
-    assert.deepStrictEqual(result.installDeps, false);
+    checkEqual(result.installDeps, false);
   });
 });
 
@@ -102,23 +120,23 @@ describe("isAllowedHost()", () => {
 
   it("returns true if CDXGEN_SERVER_ALLOWED_HOSTS is not set", () => {
     delete process.env.CDXGEN_SERVER_ALLOWED_HOSTS;
-    assert.deepStrictEqual(isAllowedHost("anything"), true);
+    checkEqual(isAllowedHost("anything"), true);
   });
 
   it("returns true for a hostname that is in the list", () => {
     process.env.CDXGEN_SERVER_ALLOWED_HOSTS = "foo.com,bar.com";
-    assert.deepStrictEqual(isAllowedHost("foo.com"), true);
-    assert.deepStrictEqual(isAllowedHost("bar.com"), true);
+    checkEqual(isAllowedHost("foo.com"), true);
+    checkEqual(isAllowedHost("bar.com"), true);
   });
 
   it("returns false for a hostname not in the list", () => {
     process.env.CDXGEN_SERVER_ALLOWED_HOSTS = "foo.com,bar.com";
-    assert.deepStrictEqual(isAllowedHost("baz.com"), false);
+    checkEqual(isAllowedHost("baz.com"), false);
   });
 
   it("treats an empty-string env var as unset (returns true)", () => {
     process.env.CDXGEN_SERVER_ALLOWED_HOSTS = "";
-    assert.deepStrictEqual(isAllowedHost("whatever"), true);
+    checkEqual(isAllowedHost("whatever"), true);
   });
 });
 
@@ -203,15 +221,15 @@ describe("isAllowedPath()", () => {
 describe("isAllowedWinPath windows tests()", () => {
   it("returns false for windows device name paths", () => {
     if (isWin) {
-      assert.deepStrictEqual(isAllowedWinPath("CON:../foo"), false);
-      assert.deepStrictEqual(isAllowedWinPath("X:\\foo\\..\\bar"), true);
-      assert.deepStrictEqual(isAllowedWinPath("C:\\Users"), true);
-      assert.deepStrictEqual(isAllowedWinPath("C:\\🚀"), true);
-      assert.deepStrictEqual(isAllowedWinPath("C:"), true);
-      assert.deepStrictEqual(isAllowedWinPath("c:"), true);
-      assert.deepStrictEqual(isAllowedWinPath("CON:"), false);
-      assert.deepStrictEqual(isAllowedWinPath("COM¹:"), false);
-      assert.deepStrictEqual(isAllowedWinPath("COM¹:../foo"), false);
+      checkEqual(isAllowedWinPath("CON:../foo"), false);
+      checkEqual(isAllowedWinPath("X:\\foo\\..\\bar"), true);
+      checkEqual(isAllowedWinPath("C:\\Users"), true);
+      checkEqual(isAllowedWinPath("C:\\🚀"), true);
+      checkEqual(isAllowedWinPath("C:"), true);
+      checkEqual(isAllowedWinPath("c:"), true);
+      checkEqual(isAllowedWinPath("CON:"), false);
+      checkEqual(isAllowedWinPath("COM¹:"), false);
+      checkEqual(isAllowedWinPath("COM¹:../foo"), false);
       for (const d of [
         "PRN:.\\..\\bar",
         "LpT5:/another/path",
@@ -244,7 +262,7 @@ describe("isAllowedWinPath windows tests()", () => {
         "🚀:\\",
         "⚡:\\",
       ]) {
-        assert.deepStrictEqual(isAllowedWinPath(d), false);
+        checkEqual(isAllowedWinPath(d), false);
       }
     }
   });
@@ -264,7 +282,7 @@ describe("getQueryParams", () => {
     );
     const result = getQueryParams(req);
 
-    assert.deepStrictEqual(result, {
+    checkEqual(result, {
       url: "https://example.com",
       multiProject: "true",
       type: "js",
@@ -277,7 +295,7 @@ describe("getQueryParams", () => {
     );
     const result = getQueryParams(req);
 
-    assert.deepStrictEqual(result, {
+    checkEqual(result, {
       q: "hello world",
       filter: "category=tech",
     });
@@ -288,7 +306,7 @@ describe("getQueryParams", () => {
     const result = getQueryParams(req);
 
     // URLSearchParams.entries() returns the first value when there are duplicates
-    assert.deepStrictEqual(result, {
+    checkEqual(result, {
       tags: ["javascript", "react", "node"],
     });
   });
@@ -297,21 +315,21 @@ describe("getQueryParams", () => {
     const req = createMockRequest("/sbom");
     const result = getQueryParams(req);
 
-    assert.deepStrictEqual(result, {});
+    checkEqual(result, {});
   });
 
   it("should handle query string with only question mark", () => {
     const req = createMockRequest("/sbom?");
     const result = getQueryParams(req);
 
-    assert.deepStrictEqual(result, {});
+    checkEqual(result, {});
   });
 
   it("should handle parameters without values", () => {
     const req = createMockRequest("/api?flag1&flag2&param=value");
     const result = getQueryParams(req);
 
-    assert.deepStrictEqual(result, {
+    checkEqual(result, {
       flag1: "",
       flag2: "",
       param: "value",
@@ -325,7 +343,7 @@ describe("getQueryParams", () => {
     );
     const result = getQueryParams(req);
 
-    assert.deepStrictEqual(result, {
+    checkEqual(result, {
       param1: "value1",
     });
   });
@@ -338,7 +356,7 @@ describe("getQueryParams", () => {
     );
     const result = getQueryParams(req);
 
-    assert.deepStrictEqual(result, {
+    checkEqual(result, {
       token: "abc123",
     });
   });
@@ -349,7 +367,7 @@ describe("getQueryParams", () => {
     );
     const result = getQueryParams(req);
 
-    assert.deepStrictEqual(result, {
+    checkEqual(result, {
       name: "john",
       age: "25",
       active: "true",
@@ -362,7 +380,7 @@ describe("getQueryParams", () => {
     );
     const result = getQueryParams(req);
 
-    assert.deepStrictEqual(result, {
+    checkEqual(result, {
       q: "hello world!",
       category: "web development",
     });
@@ -372,14 +390,14 @@ describe("getQueryParams", () => {
     const req = createMockRequest(undefined);
     const result = getQueryParams(req);
 
-    assert.deepStrictEqual(result, {});
+    checkEqual(result, {});
   });
 
   it("should handle numeric values as strings", () => {
     const req = createMockRequest("/calculate?x=10&y=20&operation=add");
     const result = getQueryParams(req);
 
-    assert.deepStrictEqual(result, {
+    checkEqual(result, {
       x: "10",
       y: "20",
       operation: "add",
@@ -390,7 +408,7 @@ describe("getQueryParams", () => {
     const req = createMockRequest("/config?debug=true&verbose=false&enabled=1");
     const result = getQueryParams(req);
 
-    assert.deepStrictEqual(result, {
+    checkEqual(result, {
       debug: "true",
       verbose: "false",
       enabled: "1",
@@ -402,7 +420,7 @@ describe("getQueryParams", () => {
     const req = createMockRequest("not-a-valid-url");
     const result = getQueryParams(req);
 
-    assert.deepStrictEqual(result, {});
+    checkEqual(result, {});
   });
 
   it("should handle empty host gracefully", () => {
@@ -413,7 +431,7 @@ describe("getQueryParams", () => {
     };
     const result = getQueryParams(req);
 
-    assert.deepStrictEqual(result, {
+    checkEqual(result, {
       param: "value",
     });
   });
@@ -426,7 +444,7 @@ describe("getQueryParams", () => {
     };
     const result = getQueryParams(req);
 
-    assert.deepStrictEqual(result, {
+    checkEqual(result, {
       param: "value",
     });
   });
@@ -450,84 +468,60 @@ describe("validateGitSource() tests", () => {
   });
 
   it("should reject ext:: and fd:: outright", () => {
-    assert.deepStrictEqual(
+    checkEqual(
       validateAndRejectGitSource("ext::sh -c id").error,
       "Invalid Protocol",
     );
-    assert.deepStrictEqual(
-      validateAndRejectGitSource("fd::123").error,
-      "Invalid Protocol",
-    );
-    assert.deepStrictEqual(
+    checkEqual(validateAndRejectGitSource("fd::123").error, "Invalid Protocol");
+    checkEqual(
       validateAndRejectGitSource("EXT::sh -c id").error,
       "Invalid Protocol",
     );
   });
 
   it("should allow standard local paths to bypass validation", () => {
-    assert.deepStrictEqual(validateAndRejectGitSource("/tmp/local-path"), null);
-    assert.deepStrictEqual(
-      validateAndRejectGitSource("C:\\Users\\local"),
-      null,
-    );
+    checkEqual(validateAndRejectGitSource("/tmp/local-path"), null);
+    checkEqual(validateAndRejectGitSource("C:\\Users\\local"), null);
   });
 
   it("should handle ssh git@ format gracefully", () => {
-    assert.deepStrictEqual(
-      validateAndRejectGitSource("git@github.com:foo/bar.git"),
-      null,
-    );
+    checkEqual(validateAndRejectGitSource("git@github.com:foo/bar.git"), null);
   });
 
   it("should reject malformed git URLs", () => {
     // invalid URL format (can't parse via node's new URL object)
-    assert.deepStrictEqual(
+    checkEqual(
       validateAndRejectGitSource("http://[:::1]/bad-ipv6").error,
       "Invalid URL Format",
     );
   });
 
   it("should enforce GIT_ALLOW_PROTOCOL default schemes", () => {
-    assert.deepStrictEqual(
-      validateAndRejectGitSource("https://github.com/repo"),
-      null,
-    );
-    assert.deepStrictEqual(
-      validateAndRejectGitSource("http://github.com/repo"),
-      {
-        status: 400,
-        error: "Protocol Not Allowed",
-        details: "The protocol 'http:' is not permitted by GIT_ALLOW_PROTOCOL.",
-      },
-    );
-    assert.deepStrictEqual(
-      validateAndRejectGitSource("git://github.com/repo"),
-      null,
-    );
-    assert.deepStrictEqual(
-      validateAndRejectGitSource("ssh://github.com/repo"),
-      null,
-    );
-    assert.deepStrictEqual(
-      validateAndRejectGitSource("git+ssh://github.com/repo"),
-      null,
-    );
+    checkEqual(validateAndRejectGitSource("https://github.com/repo"), null);
+    checkEqual(validateAndRejectGitSource("http://github.com/repo"), {
+      status: 400,
+      error: "Protocol Not Allowed",
+      details: "The protocol 'http:' is not permitted by GIT_ALLOW_PROTOCOL.",
+    });
+    checkEqual(validateAndRejectGitSource("git://github.com/repo"), null);
+    checkEqual(validateAndRejectGitSource("ssh://github.com/repo"), null);
+    checkEqual(validateAndRejectGitSource("git+ssh://github.com/repo"), null);
 
     // ftp is not allowed by default
     const res = validateAndRejectGitSource("ftp://github.com/repo");
-    assert.deepStrictEqual(res.error, "Protocol Not Allowed");
-    assert.deepStrictEqual(
+    checkEqual(res.error, "Protocol Not Allowed");
+    checkEqual(
       res.details,
       "The protocol 'ftp:' is not permitted by GIT_ALLOW_PROTOCOL.",
     );
   });
 
   it("should reject protocol smuggling techniques", () => {
-    assert.deepStrictEqual(
+    checkEqual(
       validateAndRejectGitSource("git+ext://github.com/repo").error,
       "Protocol Not Allowed",
     );
-    assert.deepStrictEqual(
+    checkEqual(
       validateAndRejectGitSource("http+ext://github.com/repo").error,
       "Protocol Not Allowed",
     );
@@ -535,30 +529,24 @@ describe("validateGitSource() tests", () => {
 
   it("should respect custom CDXGEN_SERVER_GIT_ALLOW_PROTOCOL configs", () => {
     process.env.CDXGEN_SERVER_GIT_ALLOW_PROTOCOL = "https:git";
-    assert.deepStrictEqual(
-      validateAndRejectGitSource("https://github.com/repo"),
-      null,
-    );
-    assert.deepStrictEqual(
-      validateAndRejectGitSource("git://github.com/repo"),
-      null,
-    );
+    checkEqual(validateAndRejectGitSource("https://github.com/repo"), null);
+    checkEqual(validateAndRejectGitSource("git://github.com/repo"), null);
 
     // http is no longer allowed
     const res = validateAndRejectGitSource("http://github.com/repo");
-    assert.deepStrictEqual(res.error, "Protocol Not Allowed");
-    assert.deepStrictEqual(
+    checkEqual(res.error, "Protocol Not Allowed");
+    checkEqual(
       res.details,
       "The protocol 'http:' is not permitted by GIT_ALLOW_PROTOCOL.",
     );
   });
 
   it("should reject remote helper syntax (::) inside valid schemes", () => {
-    assert.deepStrictEqual(
+    checkEqual(
       validateAndRejectGitSource("https://github.com/ext::sh -c id").error,
       "Invalid URL Syntax",
     );
-    assert.deepStrictEqual(
+    checkEqual(
       validateAndRejectGitSource("git://foo::bar/repo").error,
       "Invalid URL Format",
     );
@@ -566,44 +554,35 @@ describe("validateGitSource() tests", () => {
 
   it("should validate allowed hosts", () => {
     process.env.CDXGEN_SERVER_ALLOWED_HOSTS = "github.com,gitlab.com";
-    assert.deepStrictEqual(
-      validateAndRejectGitSource("https://github.com/repo"),
-      null,
-    );
+    checkEqual(validateAndRejectGitSource("https://github.com/repo"), null);
 
     const res = validateAndRejectGitSource("https://evil.com/repo");
-    assert.deepStrictEqual(res.error, "Host Not Allowed");
-    assert.deepStrictEqual(res.status, 403);
+    checkEqual(res.error, "Host Not Allowed");
+    checkEqual(res.status, 403);
   });
 });
 it("should correctly normalize and validate various git@ (SCP-like) formats", () => {
-  assert.deepStrictEqual(
+  checkEqual(
     validateAndRejectGitSource("git@gitlab.com:group/project.git"),
     null,
   );
-  assert.deepStrictEqual(
+  checkEqual(
     validateAndRejectGitSource("git@bitbucket.org:workspace/repo:name.git"),
     null,
   );
-  assert.deepStrictEqual(
-    validateAndRejectGitSource("git@github.com/user/repo.git"),
-    null,
-  );
-  assert.deepStrictEqual(
+  checkEqual(validateAndRejectGitSource("git@github.com/user/repo.git"), null);
+  checkEqual(
     validateAndRejectGitSource("ssh://git@github.com/user/repo.git"),
     null,
   );
   process.env.CDXGEN_SERVER_ALLOWED_HOSTS = "github.com,bitbucket.org";
-  assert.deepStrictEqual(
-    validateAndRejectGitSource("git@github.com:user/repo.git"),
-    null,
-  );
-  assert.deepStrictEqual(
+  checkEqual(validateAndRejectGitSource("git@github.com:user/repo.git"), null);
+  checkEqual(
     validateAndRejectGitSource("git@bitbucket.org:workspace/repo.git"),
     null,
   );
   const deniedRes = validateAndRejectGitSource("git@evil.com:foo/bar.git");
-  assert.deepStrictEqual(deniedRes.status, 403);
-  assert.deepStrictEqual(deniedRes.error, "Host Not Allowed");
+  checkEqual(deniedRes.status, 403);
+  checkEqual(deniedRes.error, "Host Not Allowed");
   delete process.env.CDXGEN_SERVER_ALLOWED_HOSTS;
 });