From 0238919b0f1c5af6438a97a261c7a7862b5d31b3 Mon Sep 17 00:00:00 2001
From: houdini91
Date: Wed, 18 May 2022 16:41:40 +0300
Subject: [PATCH 1/3] Malformed licenses field in package json warn not skip
Signed-off-by: houdini91
---
 .../cataloger/javascript/parse_package_json.go | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)
diff --git a/syft/pkg/cataloger/javascript/parse_package_json.go b/syft/pkg/cataloger/javascript/parse_package_json.go
index d80781d6fb4..e93e7728d66 100644
--- a/syft/pkg/cataloger/javascript/parse_package_json.go
+++ b/syft/pkg/cataloger/javascript/parse_package_json.go
@@ -27,7 +27,7 @@ type packageJSON struct {
 Latest []string `json:"latest"`
 Author author `json:"author"`
 License json.RawMessage `json:"license"`
- Licenses []license `json:"licenses"`
+ Licenses json.RawMessage `json:"licenses"`
 Name string `json:"name"`
 Homepage string `json:"homepage"`
 Description string `json:"description"`
@@ -145,8 +145,10 @@ func (p packageJSON) licensesFromJSON() ([]string, error) {
 return []string{singleLicense}, nil
 }
 
+ multiLicense, err := licensesFromJSON(p.Licenses)
+
 // The "licenses" field is deprecated. It should be inspected as a last resort.
- if p.Licenses != nil {
+ if multiLicense != nil && err == nil {
 mapLicenses := func(licenses []license) []string {
 mappedLicenses := make([]string, len(licenses))
 for i, l := range licenses {
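Review bot: The `Licenses` field changes from a decoded `[]license` to raw bytes and nothing on the struct records why, so a later reader is likely to "simplify" it back to the typed slice and reintroduce the whole-file decode failure this series is avoiding. A one-line field comment would pin the intent: `// Licenses is kept raw so a malformed deprecated "licenses" value cannot fail decoding of the whole package.json; it is decoded on demand by licensesFromJSON.` The rest of the `packageJSON` struct lies outside the hunk.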
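Review bot: `licensesFromJSON(p.Licenses)` now runs unconditionally, so when the deprecated `licenses` key is absent (`p.Licenses` is nil) the helper fails on empty input and `err` — which from the final `return nil, fmt.Errorf("unable to parse license field: %w", err)` in the next hunk appears to have held the `license` field's error until this point (declared outside the hunk, so hedged) — no longer describes the field that actually failed. Guarding the call keeps the original diagnostic: `if len(p.Licenses) == 0 { return nil, fmt.Errorf("unable to parse license field: %w", err) }` placed just before the helper call. A literal `"licenses": null` is a second gap: `json.Unmarshal` accepts it and leaves the slice nil, the helper returns `(nil, nil)`, the `multiLicense != nil` test fails, and the function falls through to wrap a nil `err`; checking `err == nil` first and treating a nil slice as "no licenses" would close it. The method `licensesFromJSON` begins before this hunk and its body continues into the next one.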
@@ -155,12 +157,22 @@ func (p packageJSON) licensesFromJSON() ([]string, error) {
 return mappedLicenses
 }
 
- return mapLicenses(p.Licenses), nil
+ return mapLicenses(multiLicense), nil
 }
 
 return nil, fmt.Errorf("unable to parse license field: %w", err)
 }
 
+func licensesFromJSON(b []byte) ([]license, error) {
+ var licenseObject []license
+ err := json.Unmarshal(b, &licenseObject)
+ if err == nil {
+ return licenseObject, nil
+ }
+
+ return nil, errors.New("unable to unmarshal licenses field")
+}
+
 // parsePackageJSON parses a package.json and returns the discovered JavaScript packages.
 func parsePackageJSON(path string, reader io.Reader) ([]*pkg.Package, []artifact.Relationship, error) {
 var packages []*pkg.Package
From 62e470df42b8ecea22a5f8b5fa7527ea72572884 Mon Sep 17 00:00:00 2001
From: houdini91
Date: Thu, 19 May 2022 14:14:42 +0300
Subject: [PATCH 2/3] liceneses failed warn fix
Signed-off-by: houdini91
---
 syft/pkg/cataloger/javascript/parse_package_json.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/syft/pkg/cataloger/javascript/parse_package_json.go b/syft/pkg/cataloger/javascript/parse_package_json.go
index e93e7728d66..4a105d515fa 100644
--- a/syft/pkg/cataloger/javascript/parse_package_json.go
+++ b/syft/pkg/cataloger/javascript/parse_package_json.go
@@ -160,7 +160,7 @@ func (p packageJSON) licensesFromJSON() ([]string, error) {
 return mapLicenses(multiLicense), nil
 }
 
- return nil, fmt.Errorf("unable to parse license field: %w", err)
+ return nil, err
 }
 
 func licensesFromJSON(b []byte) ([]license, error) {
@@ -170,7 +170,7 @@ func licensesFromJSON(b []byte) ([]license, error) {
 return licenseObject, nil
 }
 
- return nil, errors.New("unable to unmarshal licenses field")
+ return nil, errors.New("unmarshal failed")
 }
 
 // parsePackageJSON parses a package.json and returns the discovered JavaScript packages.
From 156fb93227c28a6e9986bc9523bf2012ce7795e1 Mon Sep 17 00:00:00 2001
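Review bot: The new `licensesFromJSON` helper throws away the `json.Unmarshal` error and replaces it with a fixed string, so the warning the caller emits can never say what was wrong with the input (e.g. that a string was found where a `{type,url}` object was expected, which is exactly the fixture case in PATCH 3/3). The two hunks of PATCH 2/3 make this worse rather than better: `return nil, err` in the method drops the "license field" context, and `errors.New("unmarshal failed")` in the helper still hides the cause, so the final message carries no field name and no reason. Wrapping with `%w` keeps both, and the happy path reads better with the error check first. The helper also lacks a doc comment; the fence below adds a two-line one stating what it decodes and that the cause is preserved.
```go
// licensesFromJSON decodes the deprecated "licenses" array of package.json.
// The cause of a decode failure is preserved so the caller's warning can show it.
func licensesFromJSON(b []byte) ([]license, error) {
	var licenseObject []license
	if err := json.Unmarshal(b, &licenseObject); err != nil {
		return nil, fmt.Errorf("unable to unmarshal licenses field: %w", err)
	}
	return licenseObject, nil
}
```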
From: houdini91
Date: Thu, 19 May 2022 14:24:18 +0300
Subject: [PATCH 3/3] package.json malformed licenses unitest
Signed-off-by: houdini91
---
 .../javascript/parse_package_json_test.go | 19 +++++++++++++++++++
 .../pkg-json/package-malformed-license.json | 19 +++++++++++++++++++
 2 files changed, 38 insertions(+)
 create mode 100644 syft/pkg/cataloger/javascript/test-fixtures/pkg-json/package-malformed-license.json
diff --git a/syft/pkg/cataloger/javascript/parse_package_json_test.go b/syft/pkg/cataloger/javascript/parse_package_json_test.go
index 2c9d6ea07ab..427a50f61a7 100644
--- a/syft/pkg/cataloger/javascript/parse_package_json_test.go
+++ b/syft/pkg/cataloger/javascript/parse_package_json_test.go
@@ -71,6 +71,25 @@ func TestParsePackageJSON(t *testing.T) {
 },
 },
 },
+ {
+ Fixture: "test-fixtures/pkg-json/package-malformed-license.json",
+ ExpectedPkg: pkg.Package{
+ Name: "npm",
+ Version: "6.14.6",
+ Type: pkg.NpmPkg,
+ Licenses: nil,
+ Language: pkg.JavaScript,
+ MetadataType: pkg.NpmPackageJSONMetadataType,
+ Metadata: pkg.NpmPackageJSONMetadata{
+ Name: "npm",
+ Version: "6.14.6",
+ Author: "Isaac Z. Schlueter (http://blog.izs.me)",
+ Homepage: "https://docs.npmjs.com/",
+ URL: "https://github.com/npm/cli",
+ Licenses: nil,
+ },
+ },
+ },
 {
 Fixture: "test-fixtures/pkg-json/package-no-license.json",
 ExpectedPkg: pkg.Package{
diff --git a/syft/pkg/cataloger/javascript/test-fixtures/pkg-json/package-malformed-license.json b/syft/pkg/cataloger/javascript/test-fixtures/pkg-json/package-malformed-license.json
new file mode 100644
index 00000000000..3ddba4d85c3
--- /dev/null
+++ b/syft/pkg/cataloger/javascript/test-fixtures/pkg-json/package-malformed-license.json
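Review bot: The new table case is indistinguishable from the `package-no-license.json` case that follows it — both expect `Licenses: nil` — so nothing in the test text says what "malformed" means or that the point is the package still being cataloged rather than skipped. A comment on the case would carry that: `// "licenses" holds bare strings instead of {type,url} objects; the package must still be cataloged, with no licenses recorded.` Whether the warning path is exercised at all cannot be told from this hunk, since the table driver that consumes `Fixture`/`ExpectedPkg` lies outside it; if it only compares packages, the "warn" half of the series is untested. `TestParsePackageJSON` begins before this hunk and ends after it.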
@@ -0,0 +1,19 @@
+{
+ "version": "6.14.6",
+ "name": "npm",
+ "description": "a package manager for JavaScript",
+ "homepage": "https://docs.npmjs.com/",
+ "author": "Isaac Z. Schlueter (http://blog.izs.me)",
+ "repository": {
+ "type": "git",
+ "url": "https://github.com/npm/cli"
+ },
+ "bugs": {
+ "url": "https://npm.community/c/bugs"
+ },
+ "main": "./lib/npm.js",
+ "licenses": [ "MIT" ],
+ "engines": {
+ "node": "6 >=6.2.0 || 8 || >=9.3.0"
+ }
+}