Remove all punctuation from anchors in policies.md

zephyrdb · zephyrdb · commit 1780a518f65d · 2025-02-10T19:41:26.000-05:00
diff --git a/examples/policies-no-rego.md b/examples/policies-no-rego.md
@@ -10,7 +10,7 @@
 * [P1005: Pods must not run with access to the host IPC](#p1005-pods-must-not-run-with-access-to-the-host-ipc)
 * [P1006: Pods must not run with access to the host networking](#p1006-pods-must-not-run-with-access-to-the-host-networking)
 * [P1007: Pods must not run with access to the host PID namespace](#p1007-pods-must-not-run-with-access-to-the-host-pid-namespace)
-* [P1008: Pods must run as non-root](#p1008-pods-must-run-as-non-root)
+* [P1008: Pods must run as non\-root](#p1008-pods-must-run-as-non-root)
 * [P1009: PodSecurityPolicies must require all capabilities are dropped](#p1009-podsecuritypolicies-must-require-all-capabilities-are-dropped)
 * [P1010: PodSecurityPolicies must not allow privileged escalation](#p1010-podsecuritypolicies-must-not-allow-privileged-escalation)
 * [P1011: PodSecurityPolicies must not allow access to the host aliases](#p1011-podsecuritypolicies-must-not-allow-access-to-the-host-aliases)
@@ -21,13 +21,14 @@
 * [P2001: Images must not use the latest tag](#p2001-images-must-not-use-the-latest-tag)
 * [P2002: Containers must define resource constraints](#p2002-containers-must-define-resource-constraints)
 * [P2005: Roles must not allow use of privileged PodSecurityPolicies](#p2005-roles-must-not-allow-use-of-privileged-podsecuritypolicies)
-* [P2006: Tenants' containers must not run as privileged](#p2006-tenants'-containers-must-not-run-as-privileged)
+* [P2006: Tenants' containers must not run as privileged](#p2006-tenants-containers-must-not-run-as-privileged)
 
 ## Warnings
 
 * [P0001: Deprecated Deployment and DaemonSet API](#p0001-deprecated-deployment-and-daemonset-api)
+* [P0003: Title with\-punctuation\_	\!"\#$%&'\(\)\*\+,\./:;\<=\>?@\[\\\]^\`\{\|\}~marks](#p0003-title-with-punctuation_marks)
 * [P2003: Containers should not have a writable root filesystem](#p2003-containers-should-not-have-a-writable-root-filesystem)
-* [P2004: PodSecurityPolicies should require that a read-only root filesystem is set](#p2004-podsecuritypolicies-should-require-that-a-read-only-root-filesystem-is-set)
+* [P2004: PodSecurityPolicies should require that a read\-only root filesystem is set](#p2004-podsecuritypolicies-should-require-that-a-read-only-root-filesystem-is-set)
 
 ## P0002: Required Labels
 
@@ -168,7 +169,7 @@ boundary.
 
 _source: [pod-deny-host-pid](pod-deny-host-pid)_
 
-## P1008: Pods must run as non-root
+## P1008: Pods must run as non\-root
 
 **Severity:** Violation
 
@@ -341,7 +342,7 @@ _source: [container-deny-without-resource-constraints](container-deny-without-re
 
 **Resources:**
 
-- rbac.authorization.k8s.io/Role
+- rbac\.authorization\.k8s\.io/Role
 
 Workloads not running in the exempted namespaces must not use PodSecurityPolicies with privileged permissions.
 
@@ -359,7 +360,7 @@ _source: [role-deny-use-privileged-psp](role-deny-use-privileged-psp)_
 - apps/Deployment
 - apps/StatefulSet
 
-**MatchLabels:** is-tenant=true
+**MatchLabels:** is\-tenant=true
 
 Privileged containers can easily escalate to root privileges on the node. As
 such containers running as privileged or with sufficient capabilities granted
@@ -386,6 +387,25 @@ the version for both of these resources must be `apps/v1`.
 
 _source: [any-warn-deprecated-api-versions](any-warn-deprecated-api-versions)_
 
+## P0003: Title with\-punctuation\_	\!"\#$%&'\(\)\*\+,\./:;\<=\>?@\[\\\]^\`\{\|\}~marks
+
+**Severity:** Warning
+
+**Resources:**
+
+- \*/Pod
+
+**MatchLabels:** \_test\_=true
+
+**Parameters:**
+
+* \_param\_name\_: array of string
+
+This is only here to test _punctuation_ handling
+
+
+_source: [policy-markdown-punctuation](policy-markdown-punctuation)_
+
 ## P2003: Containers should not have a writable root filesystem
 
 **Severity:** Warning
@@ -403,7 +423,7 @@ important to make the root filesystem read-only.
 
 _source: [container-warn-no-ro-fs](container-warn-no-ro-fs)_
 
-## P2004: PodSecurityPolicies should require that a read-only root filesystem is set
+## P2004: PodSecurityPolicies should require that a read\-only root filesystem is set
 
 **Severity:** Warning
 
diff --git a/examples/policies.md b/examples/policies.md
@@ -10,7 +10,7 @@
 * [P1005: Pods must not run with access to the host IPC](#p1005-pods-must-not-run-with-access-to-the-host-ipc)
 * [P1006: Pods must not run with access to the host networking](#p1006-pods-must-not-run-with-access-to-the-host-networking)
 * [P1007: Pods must not run with access to the host PID namespace](#p1007-pods-must-not-run-with-access-to-the-host-pid-namespace)
-* [P1008: Pods must run as non-root](#p1008-pods-must-run-as-non-root)
+* [P1008: Pods must run as non\-root](#p1008-pods-must-run-as-non-root)
 * [P1009: PodSecurityPolicies must require all capabilities are dropped](#p1009-podsecuritypolicies-must-require-all-capabilities-are-dropped)
 * [P1010: PodSecurityPolicies must not allow privileged escalation](#p1010-podsecuritypolicies-must-not-allow-privileged-escalation)
 * [P1011: PodSecurityPolicies must not allow access to the host aliases](#p1011-podsecuritypolicies-must-not-allow-access-to-the-host-aliases)
@@ -21,13 +21,14 @@
 * [P2001: Images must not use the latest tag](#p2001-images-must-not-use-the-latest-tag)
 * [P2002: Containers must define resource constraints](#p2002-containers-must-define-resource-constraints)
 * [P2005: Roles must not allow use of privileged PodSecurityPolicies](#p2005-roles-must-not-allow-use-of-privileged-podsecuritypolicies)
-* [P2006: Tenants' containers must not run as privileged](#p2006-tenants'-containers-must-not-run-as-privileged)
+* [P2006: Tenants' containers must not run as privileged](#p2006-tenants-containers-must-not-run-as-privileged)
 
 ## Warnings
 
 * [P0001: Deprecated Deployment and DaemonSet API](#p0001-deprecated-deployment-and-daemonset-api)
+* [P0003: Title with\-punctuation\_	\!"\#$%&'\(\)\*\+,\./:;\<=\>?@\[\\\]^\`\{\|\}~marks](#p0003-title-with-punctuation_marks)
 * [P2003: Containers should not have a writable root filesystem](#p2003-containers-should-not-have-a-writable-root-filesystem)
-* [P2004: PodSecurityPolicies should require that a read-only root filesystem is set](#p2004-podsecuritypolicies-should-require-that-a-read-only-root-filesystem-is-set)
+* [P2004: PodSecurityPolicies should require that a read\-only root filesystem is set](#p2004-podsecuritypolicies-should-require-that-a-read-only-root-filesystem-is-set)
 
 ## P0002: Required Labels
 
@@ -364,7 +365,7 @@ pod_has_hostpid {
 
 _source: [pod-deny-host-pid](pod-deny-host-pid)_
 
-## P1008: Pods must run as non-root
+## P1008: Pods must run as non\-root
 
 **Severity:** Violation
 
@@ -773,7 +774,7 @@ _source: [container-deny-without-resource-constraints](container-deny-without-re
 
 **Resources:**
 
-- rbac.authorization.k8s.io/Role
+- rbac\.authorization\.k8s\.io/Role
 
 Workloads not running in the exempted namespaces must not use PodSecurityPolicies with privileged permissions.
 
@@ -831,7 +832,7 @@ _source: [role-deny-use-privileged-psp](role-deny-use-privileged-psp)_
 - apps/Deployment
 - apps/StatefulSet
 
-**MatchLabels:** is-tenant=true
+**MatchLabels:** is\-tenant=true
 
 Privileged containers can easily escalate to root privileges on the node. As
 such containers running as privileged or with sufficient capabilities granted
@@ -908,6 +909,39 @@ warn[msg] {
 
 _source: [any-warn-deprecated-api-versions](any-warn-deprecated-api-versions)_
 
+## P0003: Title with\-punctuation\_	\!"\#$%&'\(\)\*\+,\./:;\<=\>?@\[\\\]^\`\{\|\}~marks
+
+**Severity:** Warning
+
+**Resources:**
+
+- \*/Pod
+
+**MatchLabels:** \_test\_=true
+
+**Parameters:**
+
+* \_param\_name\_: array of string
+
+This is only here to test _punctuation_ handling
+
+### Rego
+
+```rego
+package policy_markdown_punctuation
+
+import data.lib.core
+
+policyID := "P0003"
+
+warn[msg] {
+  core.apiVersion == "foo/bar"
+  msg := core.format_with_id("Title tester", policyID)
+}
+```
+
+_source: [policy-markdown-punctuation](policy-markdown-punctuation)_
+
 ## P2003: Containers should not have a writable root filesystem
 
 **Severity:** Warning
@@ -955,7 +989,7 @@ no_read_only_filesystem(container) {
 
 _source: [container-warn-no-ro-fs](container-warn-no-ro-fs)_
 
-## P2004: PodSecurityPolicies should require that a read-only root filesystem is set
+## P2004: PodSecurityPolicies should require that a read\-only root filesystem is set
 
 **Severity:** Warning
 
diff --git a/examples/policy-markdown-punctuation/src.rego b/examples/policy-markdown-punctuation/src.rego
@@ -0,0 +1,28 @@
+# METADATA
+# title: " Title with-punctuation_	!\"#$%&'()*+,./:;<=>?@[\\]^`{|}~marks "
+# description: This is only here to test _punctuation_ handling
+# custom:
+#   matchers:
+#     kinds:
+#     - apiGroups:
+#       - "*"
+#       kinds:
+#       - Pod
+#     labelSelector:
+#       matchLabels:
+#         _test_: "true"
+#   parameters:
+#     _param_name_:
+#       type: array
+#       items:
+#         type: string
+package policy_markdown_punctuation
+
+import data.lib.core
+
+policyID := "P0003"
+
+warn[msg] {
+	core.apiVersion == "foo/bar"
+	msg := core.format_with_id("Title tester", policyID)
+}
diff --git a/examples/policy-markdown-punctuation/src_test.rego b/examples/policy-markdown-punctuation/src_test.rego
@@ -0,0 +1,5 @@
+package policy_markdown_punctuation
+
+test_ignoreme {
+	count(warn) == 1 with input as {"apiVersion": "foo/bar"}
+}
diff --git a/internal/commands/document.go b/internal/commands/document.go
@@ -38,6 +38,24 @@ type Document struct {
 //go:embed document_template.tpl
 var docTemplate string
 
+var (
+	// Escape the characters on this list: https://www.markdownguide.org/basic-syntax/#characters-you-can-escape
+	// (Admittedly, a few of these seem... odd.)
+	markdownReplacer = strings.NewReplacer(
+		"\\", "\\\\", "`", "\\`", "*", "\\*", "_", "\\_", "{", "\\{", "}", "\\}", "[", "\\[", "]", "\\]", "<", "\\<",
+		">", "\\>", "(", "\\(", ")", "\\)", "#", "\\#", "+", "\\+", "-", "\\-", ".", "\\.", "!", "\\!", "|", "\\|",
+	)
+
+	// Space -> -, remove tab and all ASCII punctuation except - and _
+	anchorReplacer = strings.NewReplacer(
+		" ", "-",
+		"\t", "", "!", "", "\"", "", "#", "", "$", "", "%", "", "&", "", "'", "", "(", "", ")", "",
+		"*", "", "+", "", ",", "", ".", "", "/", "", ":", "", ";", "", "<", "", "=", "", ">", "",
+		"?", "", "@", "", "[", "", "\\", "", "]", "", "^", "", "`", "", "{", "", "|", "", "}", "",
+		"~", "",
+	)
+)
+
 func newDocCommand() *cobra.Command {
 	cmd := cobra.Command{
 		Use:   "doc <dir>",
@@ -180,13 +198,15 @@ func getDocumentation(path string, outputDirectory string) (map[rego.Severity][]
 			url = strings.ReplaceAll(relDir, string(os.PathSeparator), "/")
 		}
 
-		documentTitle := policy.Title()
+		// Trailing whitespace breaks at least some Markdown parsers, it seems.  When generating the anchor, the space
+		// becomes - but then the anchor doesn't work, even though the trailing space is present in the heading line.
+		rawDocumentTitle := strings.TrimSpace(policy.Title())
 		if policy.PolicyID() != "" {
-			documentTitle = fmt.Sprintf("%s: %s", policy.PolicyID(), documentTitle)
+			rawDocumentTitle = fmt.Sprintf("%s: %s", policy.PolicyID(), rawDocumentTitle)
 		}
+		documentTitle := markdownReplacer.Replace(rawDocumentTitle)
 
-		anchor := strings.ToLower(strings.ReplaceAll(documentTitle, " ", "-"))
-		anchor = strings.ReplaceAll(anchor, ":", "")
+		anchor := anchorReplacer.Replace(strings.ToLower(rawDocumentTitle))
 
 		legacyMatchers, err := policy.Matchers()
 		if err != nil {
@@ -208,13 +228,17 @@ func getDocumentation(path string, outputDirectory string) (map[rego.Severity][]
 			logger.Warn("No kind matchers set, this can lead to poor policy performance.")
 			matchResources = append(matchResources, "Any Resource")
 		}
+		for i := range matchResources {
+			matchResources[i] = markdownReplacer.Replace(matchResources[i])
+		}
 
 		var matchLabels string
 		if policy.AnnotationLabelSelectorMatcher() != nil {
 			matchLabels = labelSelectorDocString(policy.AnnotationLabelSelectorMatcher())
 		} else {
 			matchLabels = legacyMatchers.MatchLabelsMatcher.String()
 		}
+		matchLabels = markdownReplacer.Replace(matchLabels)
 
 		parameters := policy.Parameters()
 		if len(policy.AnnotationParameters()) > 0 {
@@ -223,6 +247,9 @@ func getDocumentation(path string, outputDirectory string) (map[rego.Severity][]
 		sort.Slice(parameters, func(i, j int) bool {
 			return parameters[i].Name < parameters[j].Name
 		})
+		for i := range parameters {
+			parameters[i].Name = markdownReplacer.Replace(parameters[i].Name)
+		}
 
 		header := Header{
 			Title:       documentTitle,
