chore: add sbom workflow #103

Merged: zitsen merged 5 commits into main from chore/main/sbom on Feb 25, 2026

Conversation

@qevolg (Contributor) commented Feb 12, 2026

Description

chore: add sbom workflow

Issue(s)

Checklist

Please check the items in the checklist if applicable.

  • Is the user manual updated?
  • Are the test cases passed and automated?
  • Is there no significant decrease in test coverage?

Copilot AI review requested due to automatic review settings February 12, 2026 03:34
@gemini-code-assist

Summary of Changes

Hello @qevolg, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the security posture of the application by implementing a robust mechanism to redact sensitive information from log outputs. It ensures that credentials and tokens are automatically sanitized before being logged, thereby improving data privacy and reducing the risk of accidental exposure. The changes include the addition of a dedicated redaction utility, its integration into the logging system, and comprehensive unit tests to validate its functionality. Additionally, minor code cleanup was performed in a related file.

Highlights

  • Sensitive Data Redaction: A new utility function, redactMessage, has been introduced to automatically identify and redact sensitive information such as passwords, tokens, bearer tokens, and URL credentials from log messages. This function handles both string and object inputs, including nested structures and arrays.
  • Logger Integration: The redactMessage function has been integrated into the custom Winston logger format, ensuring that all messages processed by the logger are automatically sanitized before being written to logs.
  • Comprehensive Testing: Extensive unit tests have been added for the redactMessage function, covering various scenarios including JSON-like strings, query parameters, object properties (case-insensitive), nested objects, arrays, and URL credentials, to ensure its robustness and correctness.
  • Code Cleanup: Minor cleanup was performed in tmqResponse.ts by removing commented-out lines of code.


Changelog
  • nodejs/src/common/log.ts
    • Added redactMessage function to sanitize sensitive data in log messages.
    • Integrated redactMessage into the custom Winston log format.
  • nodejs/src/tmq/tmqResponse.ts
    • Removed commented-out lines of code.
  • nodejs/test/bulkPulling/log.test.ts
    • Added comprehensive unit tests for the redactMessage function.
Ignored Files
  • Ignored by pattern: .github/workflows/** (1)
    • .github/workflows/build.yml
Activity
  • No human activity has been recorded on this pull request yet.


@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request introduces a redactMessage function to prevent sensitive information like passwords and tokens from being exposed in logs. However, the current implementation has a critical vulnerability: it is susceptible to Denial of Service (DoS) attacks due to stack overflow with circular references and resource exhaustion with large objects/Buffers. Additionally, the string redaction logic is inconsistent and incomplete, potentially leading to credential leakage in string-formatted logs.
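The failure modes the review above names (stack overflow on circular references, resource exhaustion on large Buffers, inconsistent string redaction) are illustrated by the following added example, which is not the project's redactMessage and not code from this PR. It assumes its own key list, redaction markers, and the depth and binary-size thresholds, and it handles the case families the bots list: JSON-like and key=value strings, Bearer tokens, URL credentials, case-insensitive object keys, nested objects and arrays.

```typescript
// Added illustration, not the project's redactMessage: a cycle-safe, depth-capped
// log redactor. Key list, markers and thresholds are assumptions for the example.
const SENSITIVE_KEY = /^(password|passwd|pwd|token|secret|api[_-]?key|authorization)$/i;
const REDACTED = "[REDACTED]";
const MAX_DEPTH = 8;            // bound recursion instead of trusting input shape
const MAX_BINARY_BYTES = 1024;  // never scan or copy large Buffers/typed arrays

// String form: Bearer tokens, key=value / "key": "value" pairs, URL credentials.
function redactString(s: string): string {
  return s
    .replace(/\b(bearer\s+)[A-Za-z0-9\-._~+\/]+=*/gi, `$1${REDACTED}`)
    .replace(
      /(["']?(?:password|passwd|pwd|token|secret|api[_-]?key)["']?\s*[:=]\s*)(["']?)[^"'&,\s}]+\2/gi,
      `$1$2${REDACTED}$2`,
    )
    .replace(/(\w+:\/\/[^:\/\s@]+:)[^@\s]+(@)/g, `$1${REDACTED}$2`);
}

// Object form: walks plain objects and arrays, matching keys case-insensitively.
// `seen` holds the current ancestor chain, so shared references are fine and only
// true cycles are replaced; `depth` caps how far hostile nesting is followed.
function redactMessage(input: unknown, depth = 0, seen = new WeakSet<object>()): unknown {
  if (typeof input === "string") return redactString(input);
  if (input === null || typeof input !== "object") return input;
  if (input instanceof Uint8Array) {          // Buffer extends Uint8Array
    return input.byteLength > MAX_BINARY_BYTES ? `<binary ${input.byteLength} bytes>` : input;
  }
  if (seen.has(input)) return "[Circular]";
  if (depth >= MAX_DEPTH) return "[MaxDepth]";
  seen.add(input);
  let out: unknown;
  if (Array.isArray(input)) {
    out = input.map((v) => redactMessage(v, depth + 1, seen));
  } else {
    const obj: Record<string, unknown> = {};
    for (const [k, v] of Object.entries(input)) {
      obj[k] = SENSITIVE_KEY.test(k) ? REDACTED : redactMessage(v, depth + 1, seen);
    }
    out = obj;
  }
  seen.delete(input);
  return out;
}
```

The string patterns deliberately stop at quotes, `&`, `,`, whitespace and `}` so that a redacted value does not swallow the following field, which is the kind of inconsistency the review flags.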


Copilot AI left a comment


Pull request overview

This PR implements security improvements to redact sensitive data from logs, adds comprehensive tests for the redaction functionality, and includes minor cleanup changes. The PR title "Chore/main/SBOM" suggests this may be related to Software Bill of Materials compliance, though the primary changes focus on log sanitization.

Changes:

  • Added redactMessage function to sanitize passwords, tokens, and credentials from logs
  • Added comprehensive test suite for the redaction functionality
  • Removed commented-out debugging code
  • Removed submodules checkout from GitHub Actions workflow

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 13 comments.

Reviewed files (file: description)
nodejs/src/common/log.ts: Implemented redactMessage function to redact sensitive data (passwords, tokens) from log messages with regex patterns for strings and recursive redaction for objects
nodejs/test/bulkPulling/log.test.ts: Added 13 test cases covering string redaction, object redaction, nested structures, arrays, and edge cases for the redactMessage function
nodejs/src/tmq/tmqResponse.ts: Removed commented-out debugging code (console.log statements) from parseBlockInfos method
.github/workflows/build.yml: Removed submodules: "recursive" parameter from TDengine repository checkout step



codecov-commenter commented Feb 12, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 80.58%. Comparing base (14bb9b8) to head (88261c3).

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #103   +/-   ##
=======================================
  Coverage   80.58%   80.58%           
=======================================
  Files          30       30           
  Lines        2421     2421           
  Branches      415      415           
=======================================
  Hits         1951     1951           
  Misses        364      364           
  Partials      106      106           

☔ View full report in Codecov by Sentry.

@qevolg (Contributor, Author) commented Feb 12, 2026

/gemini review

@gemini-code-assist

Warning

You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!

@qevolg qevolg changed the title Chore/main/SBOM chore: add sbom workflow Feb 12, 2026
@zitsen zitsen merged commit 25067f8 into main Feb 25, 2026
6 checks passed
@zitsen zitsen deleted the chore/main/sbom branch February 25, 2026 10:03


5 participants