@cyclonedx/cdxgen 12.2.0 → 12.3.0

package/lib/helpers/table.poku.js

@@ -0,0 +1,186 @@
+import process from "node:process";
+
+import esmock from "esmock";
+import { assert, describe, it } from "poku";
+import sinon from "sinon";
+
+import { createStream, table } from "./table.js";
+
+const withStdoutTTY = (ttyValue, action) => {
+  const descriptor = Object.getOwnPropertyDescriptor(process.stdout, "isTTY");
+  Object.defineProperty(process.stdout, "isTTY", {
+    configurable: true,
+    enumerable: true,
+    value: ttyValue,
+    writable: true,
+  });
+  try {
+    action();
+  } finally {
+    if (descriptor) {
+      Object.defineProperty(process.stdout, "isTTY", descriptor);
+    } else {
+      delete process.stdout.isTTY;
+    }
+  }
+};
+
+describe("table()", () => {
+  it("renders headers, rows, and borders", () => {
+    const output = table(
+      [
+        ["Name", "Score"],
+        ["alpha", "100"],
+      ],
+      {
+        borderStyle: "ascii",
+        columns: [{ width: 8 }, { width: 5, alignment: "right" }],
+        header: { alignment: "center", content: "Report" },
+      },
+    );
+
+    assert.ok(output.includes("Report"));
+    assert.ok(output.includes("alpha"));
+    assert.ok(output.includes("  100"));
+    assert.ok(output.includes("+----------+-------+"));
+  });
+
+  it("wraps long words when wrapWord is enabled", () => {
+    const output = table([["A", "supercalifragilistic"]], {
+      borderStyle: "ascii",
+      columns: [{ width: 2 }, { width: 6, wrapWord: true }],
+    });
+
+    assert.ok(output.includes("superc"));
+    assert.ok(output.includes("alifra"));
+  });
+
+  it("preserves ANSI escape sequences while wrapping by characters", () => {
+    const output = table([["\x1b[1;35mabcdef\x1b[0m"]], {
+      borderStyle: "ascii",
+      columns: [{ width: 4, wrapWord: true }],
+    });
+
+    // biome-ignore lint/complexity/useRegexLiterals: avoid control-character regex literal warnings for ANSI pattern.
+    const ansiRegex = new RegExp("\\u001B\\[[0-?]*[ -/]*[@-~]", "g");
+    const ansiMatches = output.match(ansiRegex) || [];
+    assert.strictEqual(ansiMatches.length, 2);
+    assert.ok(output.includes("abcd"));
+    assert.ok(output.includes("ef"));
+  });
+
+  it("keeps falsy values like 0 and false in cells", () => {
+    const output = table([[0, false]], {
+      borderStyle: "ascii",
+      columns: [{ width: 3 }, { width: 5 }],
+    });
+
+    assert.ok(output.includes(" 0 "));
+    assert.ok(output.includes("false"));
+  });
+
+  it("uses unicode borders in auto mode on tty when not in CI", () => {
+    const originalCI = process.env.CI;
+    delete process.env.CI;
+
+    try {
+      withStdoutTTY(true, () => {
+        const output = table([["x"]], {
+          borderStyle: "auto",
+          columns: [{ width: 3 }],
+        });
+        assert.ok(output.includes("┌"));
+        assert.ok(output.includes("│"));
+      });
+    } finally {
+      if (originalCI === undefined) {
+        delete process.env.CI;
+      } else {
+        process.env.CI = originalCI;
+      }
+    }
+  });
+
+  it("uses ascii borders in auto mode when CI=true", () => {
+    const originalCI = process.env.CI;
+    process.env.CI = "true";
+
+    try {
+      withStdoutTTY(true, () => {
+        const output = table([["x"]], {
+          borderStyle: "auto",
+          columns: [{ width: 3 }],
+        });
+        assert.ok(output.includes("+"));
+        assert.ok(output.includes("|"));
+        assert.ok(!output.includes("┌"));
+      });
+    } finally {
+      if (originalCI === undefined) {
+        delete process.env.CI;
+      } else {
+        process.env.CI = originalCI;
+      }
+    }
+  });
+
+  it("uses TABLE_BORDER_STYLE=unicode from utils even when not tty", async () => {
+    const { table: tableWithUnicode } = await esmock("./table.js", {
+      "./utils.js": { TABLE_BORDER_STYLE: "unicode" },
+    });
+
+    withStdoutTTY(false, () => {
+      const output = tableWithUnicode([["x"]], {
+        columns: [{ width: 3 }],
+      });
+      assert.ok(output.includes("┌"));
+      assert.ok(output.includes("│"));
+    });
+  });
+
+  it("falls back to auto-detect when TABLE_BORDER_STYLE is auto", async () => {
+    const { table: tableWithAuto } = await esmock("./table.js", {
+      "./utils.js": { TABLE_BORDER_STYLE: "auto" },
+    });
+    const originalCI = process.env.CI;
+    process.env.CI = "true";
+
+    try {
+      withStdoutTTY(true, () => {
+        const output = tableWithAuto([["x"]], {
+          columns: [{ width: 3 }],
+        });
+        assert.ok(output.includes("+"));
+        assert.ok(output.includes("|"));
+      });
+    } finally {
+      if (originalCI === undefined) {
+        delete process.env.CI;
+      } else {
+        process.env.CI = originalCI;
+      }
+    }
+  });
+});
+
+describe("createStream()", () => {
+  it("writes rows incrementally to stdout and closes with a bottom border", () => {
+    const writeStub = sinon.stub(process.stdout, "write");
+    const stream = createStream({
+      borderStyle: "unicode",
+      columns: [{ width: 5 }, { width: 5 }],
+    });
+
+    stream.write(["h1", "h2"]);
+    stream.write(["v1", "v2"]);
+    stream.end();
+
+    assert.ok(writeStub.callCount >= 3);
+    assert.ok(writeStub.calledWithMatch("h1"));
+    assert.ok(writeStub.calledWithMatch("v2"));
+    const output = writeStub.args.map((args) => args[0]).join("");
+    assert.ok(output.includes("├"));
+    assert.ok(output.trimEnd().endsWith("┘"));
+    writeStub.restore();
+  });
+});

package/lib/helpers/unicodeScan.js

@@ -0,0 +1,147 @@
+const BIDI_CHARS = /[\u202A-\u202E\u2066-\u2069]/gu;
+// biome-ignore lint/suspicious/noControlCharactersInRegex: Hidden Unicode scanning must detect raw control ranges.
+const CONTROL_CHARS = /[\u0000-\u0008\u000B\u000C\u000E-\u001F\u007F-\u009F]/gu;
+const ZERO_WIDTH_CHARS = /[\u200B-\u200D\uFEFF]/gu;
+
+function formatCodePoint(char) {
+  return `U+${char.codePointAt(0).toString(16).toUpperCase().padStart(4, "0")}`;
+}
+
+function findMatchesByPattern(text, pattern, kind) {
+  const matches = [];
+  for (const match of text.matchAll(pattern)) {
+    matches.push({
+      char: match[0],
+      codePoint: formatCodePoint(match[0]),
+      index: match.index,
+      kind,
+    });
+  }
+  return matches;
+}
+
+function lineNumberForIndex(text, index) {
+  return text.slice(0, index).split(/\r?\n/u).length;
+}
+
+function commentLineNumbers(text, syntax) {
+  const commentLines = new Set();
+  if (!text) {
+    return commentLines;
+  }
+  const lines = text.split(/\r?\n/u);
+  if (syntax === "yaml") {
+    lines.forEach((line, lineIndex) => {
+      if (line.trim().startsWith("#")) {
+        commentLines.add(lineIndex + 1);
+      }
+    });
+    return commentLines;
+  }
+  if (syntax === "markdown") {
+    let inHtmlComment = false;
+    lines.forEach((line, lineIndex) => {
+      const hasCommentStart = line.includes("<!--");
+      const hasCommentEnd = line.includes("-->");
+      if (inHtmlComment || hasCommentStart) {
+        commentLines.add(lineIndex + 1);
+      }
+      if (hasCommentStart && !hasCommentEnd) {
+        inHtmlComment = true;
+      } else if (hasCommentEnd) {
+        inHtmlComment = false;
+      }
+    });
+  }
+  return commentLines;
+}
+
+/**
+ * Find dangerous Unicode characters and return their details.
+ *
+ * @param {string} text string to inspect
+ * @returns {{ char: string, codePoint: string, index: number, kind: string }[]} matches
+ */
+export function findDangerousUnicodeMatches(text) {
+  if (!text || typeof text !== "string") {
+    return [];
+  }
+  const matches = [
+    ...findMatchesByPattern(text, BIDI_CHARS, "bidirectional-control"),
+    ...findMatchesByPattern(text, ZERO_WIDTH_CHARS, "zero-width"),
+    ...findMatchesByPattern(text, CONTROL_CHARS, "control"),
+  ];
+  matches.sort((left, right) => left.index - right.index);
+  return matches;
+}
+
+/**
+ * Scan a text blob for dangerous Unicode characters and summarize where they appear.
+ *
+ * @param {string} text text to inspect
+ * @param {{ syntax?: "markdown" | "text" | "yaml" }} [options] scan options
+ * @returns {{
+ *   codePoints: string[],
+ *   commentCodePoints: string[],
+ *   contexts: string[],
+ *   hasHiddenUnicode: boolean,
+ *   inComments: boolean,
+ *   lineNumbers: number[],
+ *   matches: { char: string, codePoint: string, index: number, kind: string, lineNumber: number, inComment: boolean }[],
+ * }} scan result
+ */
+export function scanTextForHiddenUnicode(text, options = {}) {
+  const matches = findDangerousUnicodeMatches(text);
+  if (!matches.length) {
+    return {
+      codePoints: [],
+      commentCodePoints: [],
+      contexts: [],
+      hasHiddenUnicode: false,
+      inComments: false,
+      lineNumbers: [],
+      matches: [],
+    };
+  }
+  const commentLines = commentLineNumbers(text, options.syntax || "text");
+  const enrichedMatches = matches.map((match) => {
+    const lineNumber = lineNumberForIndex(text, match.index);
+    return {
+      ...match,
+      inComment: commentLines.has(lineNumber),
+      lineNumber,
+    };
+  });
+  const commentCodePoints = [
+    ...new Set(
+      enrichedMatches
+        .filter((match) => match.inComment)
+        .map((match) => match.codePoint),
+    ),
+  ];
+  const contentCodePoints = [
+    ...new Set(
+      enrichedMatches
+        .filter((match) => !match.inComment)
+        .map((match) => match.codePoint),
+    ),
+  ];
+  const contexts = [];
+  if (commentCodePoints.length) {
+    contexts.push("comment");
+  }
+  if (contentCodePoints.length) {
+    contexts.push("content");
+  }
+  return {
+    codePoints: [...new Set(enrichedMatches.map((match) => match.codePoint))],
+    commentCodePoints,
+    contexts,
+    hasHiddenUnicode: true,
+    inComments: commentCodePoints.length > 0,
+    lineNumbers: [
+      ...new Set(enrichedMatches.map((match) => match.lineNumber)),
+    ].sort((left, right) => left - right),
+    matches: enrichedMatches,
+  };
+}

package/lib/helpers/unicodeScan.poku.js

@@ -0,0 +1,45 @@
+import { assert, describe, it } from "poku";
+
+import {
+  findDangerousUnicodeMatches,
+  scanTextForHiddenUnicode,
+} from "./unicodeScan.js";
+
+describe("findDangerousUnicodeMatches()", () => {
+  it("finds bidirectional and zero-width characters with code points", () => {
+    const matches = findDangerousUnicodeMatches("safe\u202Evalue\u200Bhidden");
+
+    assert.strictEqual(matches.length, 2);
+    assert.deepStrictEqual(
+      matches.map((match) => match.codePoint),
+      ["U+202E", "U+200B"],
+    );
+  });
+});
+
+describe("scanTextForHiddenUnicode()", () => {
+  it("tracks markdown comment context for hidden Unicode", () => {
+    const scan = scanTextForHiddenUnicode(
+      "Visible line\n<!-- sneaky \u200B marker -->\nTrailing line",
+      { syntax: "markdown" },
+    );
+
+    assert.strictEqual(scan.hasHiddenUnicode, true);
+    assert.strictEqual(scan.inComments, true);
+    assert.deepStrictEqual(scan.commentCodePoints, ["U+200B"]);
+    assert.deepStrictEqual(scan.lineNumbers, [2]);
+    assert.deepStrictEqual(scan.contexts, ["comment"]);
+  });
+
+  it("tracks yaml comment context for hidden Unicode", () => {
+    const scan = scanTextForHiddenUnicode(
+      "name: build\n# hidden \u202E comment\njobs:\n  test:\n    runs-on: ubuntu-latest",
+      { syntax: "yaml" },
+    );
+
+    assert.strictEqual(scan.hasHiddenUnicode, true);
+    assert.strictEqual(scan.inComments, true);
+    assert.deepStrictEqual(scan.commentCodePoints, ["U+202E"]);
+    assert.deepStrictEqual(scan.lineNumbers, [2]);
+  });
+});