fix(repo): sanitize git repo URL before inserting into report metadata (#9391)

pkg/fanal/artifact/local/fs.go

@@ -6,6 +6,7 @@ import (
 	"crypto/sha256"
 	"errors"
 	"io/fs"
+	"net/url"
 	"os"
 	"path"
 	"path/filepath"
@@ -154,7 +155,7 @@ func extractGitInfo(dir string) (bool, artifact.RepoMetadata, error) {
 		remoteConfig, err = repo.Remote("origin")
 	}
 	if err == nil && len(remoteConfig.Config().URLs) > 0 {
-		metadata.RepoURL = remoteConfig.Config().URLs[0]
+		metadata.RepoURL = sanitizeRemoteURL(remoteConfig.Config().URLs[0])
 	}
 
 	// Check if repository is clean for caching purposes
@@ -361,3 +362,20 @@ func (a Artifact) calcCacheKey() (string, error) {
 	d := digest.NewDigest(digest.SHA256, h)
 	return d.String(), nil
 }
+
+// sanitizeRemoteURL removes credentials (userinfo) from URLs.
+func sanitizeRemoteURL(gitUrl string) string {
+	// Only attempt sanitization for URLs with an explicit scheme.
+	if !strings.Contains(gitUrl, "://") {
+		return gitUrl
+	}
+
+	// Try URL parsing first.
+	if u, err := url.Parse(gitUrl); err == nil {
+		// Clear userinfo (username:password)
+		u.User = nil
+		gitUrl = u.String()
+	}
+
+	return gitUrl
+}

pkg/fanal/artifact/local/fs_test.go

@@ -2531,3 +2531,60 @@ func TestArtifact_AnalysisStrategy(t *testing.T) {
 		})
 	}
 }
+
+func Test_sanitizeRemoteURL(t *testing.T) {
+	tests := []struct {
+		name string
+		in   string
+		want string
+	}{
+		{
+			name: "https with user:pass",
+			in:   "https://user:token@github.com/org/repo.git",
+			want: "https://github.com/org/repo.git",
+		},
+		{
+			name: "port in authority with userinfo",
+			in:   "https://user:pass@host:8443/repo.git",
+			want: "https://host:8443/repo.git",
+		},
+		{
+			name: "http with username only",
+			in:   "http://user@github.com/org/repo",
+			want: "http://github.com/org/repo",
+		},
+		{
+			name: "double scheme after userinfo",
+			in:   "https://gitlab-ci-token:glcbt-64_QwERTyuiOp-AsD2NgCJ7@example.com/gitrepo.git",
+			want: "https://example.com/gitrepo.git",
+		},
+		{
+			name: "ssh scheme with username",
+			in:   "ssh://git@github.com/org/repo.git",
+			want: "ssh://github.com/org/repo.git",
+		},
+		{
+			name: "scp-like ssh unchanged",
+			in:   "git@github.com:org/repo.git",
+			want: "git@github.com:org/repo.git",
+		},
+		{
+			name: "already clean https",
+			in:   "https://github.com/org/repo.git",
+			want: "https://github.com/org/repo.git",
+		},
+		{
+			name: "no scheme left as-is",
+			in:   "github.com/org/repo.git",
+			want: "github.com/org/repo.git",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+			got := sanitizeRemoteURL(tt.in)
+			assert.Equal(t, tt.want, got)
+		})
+	}
+}

pkg/fanal/artifact/repo/git_test.go

@@ -458,7 +458,7 @@ func TestArtifact_InspectWithAuth(t *testing.T) {
 			{
 				name:        "success with embedded credentials",
 				target:      makeTarget(testUsername, testPassword),
-				wantRepoURL: makeTarget(testUsername, testPassword), // TODO: username/password should be stripped
+				wantRepoURL: tsURL.String(),
 			},
 			{
 				name:    "failure with wrong password",
@@ -486,8 +486,9 @@ func TestArtifact_InspectWithAuth(t *testing.T) {
 		tsURL := setupAuthTestServer(t, testUsername, testPassword)
 
 		// Add credentials to URL
-		tsURL.User = url.UserPassword(testUsername, testPassword)
-		targetWithCreds := tsURL.String()
+		u := *tsURL // Copy the URL
+		u.User = url.UserPassword(testUsername, testPassword)
+		targetWithCreds := u.String()
 
 		// Clone the repository with URL-embedded credentials
 		cloneDir := filepath.Join(t.TempDir(), "cloned-repo")
@@ -499,8 +500,7 @@ func TestArtifact_InspectWithAuth(t *testing.T) {
 		require.NoError(t, err)
 
 		// Scan and verify the local cloned directory
-		// TODO: The credentials in the URL should be stripped in the RepoURL
-		testInspectArtifact(t, cloneDir, targetWithCreds, "")
+		testInspectArtifact(t, cloneDir, tsURL.String(), "")
 	})
 }