Malformed licenses field in package json warn not skip

Signed-off-by: houdini91 <mdstrauss91@gmail.com>
scribe-security · May 18, 2022 · 23ecfcb · 23ecfcb
1 parent 248023b
commit 23ecfcb
Showing 1 changed file with 15 additions and 3 deletions.
diff --git a/syft/pkg/cataloger/javascript/parse_package_json.go b/syft/pkg/cataloger/javascript/parse_package_json.go
@@ -27,7 +27,7 @@ type packageJSON struct {
 	Latest       []string          `json:"latest"`
 	Author       author            `json:"author"`
 	License      json.RawMessage   `json:"license"`
-	Licenses     []license         `json:"licenses"`
+	Licenses     json.RawMessage   `json:"licenses"`
 	Name         string            `json:"name"`
 	Homepage     string            `json:"homepage"`
 	Description  string            `json:"description"`
@@ -145,8 +145,10 @@ func (p packageJSON) licensesFromJSON() ([]string, error) {
 		return []string{singleLicense}, nil
 	}
 
+	multiLicense, err := licensesFromJSON(p.Licenses)
+
 	// The "licenses" field is deprecated. It should be inspected as a last resort.
-	if p.Licenses != nil {
+	if multiLicense != nil && err == nil {
 		mapLicenses := func(licenses []license) []string {
 			mappedLicenses := make([]string, len(licenses))
 			for i, l := range licenses {
@@ -155,12 +157,22 @@ func (p packageJSON) licensesFromJSON() ([]string, error) {
 			return mappedLicenses
 		}
 
-		return mapLicenses(p.Licenses), nil
+		return mapLicenses(multiLicense), nil
 	}
 
 	return nil, fmt.Errorf("unable to parse license field: %w", err)
 }
 
+func licensesFromJSON(b []byte) ([]license, error) {
+	var licenseObject []license
+	err := json.Unmarshal(b, &licenseObject)
+	if err == nil {
+		return licenseObject, nil
+	}
+
+	return nil, errors.New("unable to unmarshal licenses field")
+}
+
 // parsePackageJSON parses a package.json and returns the discovered JavaScript packages.
 func parsePackageJSON(path string, reader io.Reader) ([]*pkg.Package, []artifact.Relationship, error) {
 	var packages []*pkg.Package