From 4aa2d8c0af499dc330603931e122c56a314d1205 Mon Sep 17 00:00:00 2001
From: William Murphy <will.murphy@anchore.com>
Date: Wed, 20 Dec 2023 10:57:06 -0500
Subject: [PATCH] fix: don't panic when hackage missing in haskell stack yaml
 lock (#2448)

Fixes a bug where previously the haskell cataloger would panic
when parsing a stack.yaml.lock file that had an entry with an empty
hackage string.

Signed-off-by: houdini91 <mdstrauss91@gmail.com>
Signed-off-by: Will Murphy <will.murphy@anchore.com>
Co-authored-by: houdini91 <mdstrauss91@gmail.com>
---
 syft/pkg/cataloger/haskell/parse_stack_lock.go     | 14 ++++++++++++--
 .../haskell/test-fixtures/stack.yaml.lock          | 13 +++++++++++++
 2 files changed, 25 insertions(+), 2 deletions(-)

diff --git a/syft/pkg/cataloger/haskell/parse_stack_lock.go b/syft/pkg/cataloger/haskell/parse_stack_lock.go
index 40dc6aa6c..62ee5bc16 100644
--- a/syft/pkg/cataloger/haskell/parse_stack_lock.go
+++ b/syft/pkg/cataloger/haskell/parse_stack_lock.go
@@ -63,6 +63,9 @@ func parseStackLock(_ file.Resolver, _ *generic.Environment, reader file.Locatio
 	}
 
 	for _, pack := range lockFile.Packages {
+		if pack.Completed.Hackage == "" {
+			continue
+		}
 		pkgName, pkgVersion, pkgHash := parseStackPackageEncoding(pack.Completed.Hackage)
 		pkgs = append(
 			pkgs,
@@ -80,13 +83,20 @@ func parseStackLock(_ file.Resolver, _ *generic.Environment, reader file.Locatio
 
 	return pkgs, nil, nil
 }
+
 func parseStackPackageEncoding(pkgEncoding string) (name, version, hash string) {
 	lastDashIdx := strings.LastIndex(pkgEncoding, "-")
+	if lastDashIdx == -1 {
+		name = pkgEncoding
+		return
+	}
 	name = pkgEncoding[:lastDashIdx]
 	remainingEncoding := pkgEncoding[lastDashIdx+1:]
 	encodingSplits := strings.Split(remainingEncoding, "@")
 	version = encodingSplits[0]
-	startHash, endHash := strings.Index(encodingSplits[1], ":")+1, strings.Index(encodingSplits[1], ",")
-	hash = encodingSplits[1][startHash:endHash]
+	if len(encodingSplits) > 1 {
+		startHash, endHash := strings.Index(encodingSplits[1], ":")+1, strings.Index(encodingSplits[1], ",")
+		hash = encodingSplits[1][startHash:endHash]
+	}
 	return
 }
diff --git a/syft/pkg/cataloger/haskell/test-fixtures/stack.yaml.lock b/syft/pkg/cataloger/haskell/test-fixtures/stack.yaml.lock
index a18542255..220765043 100644
--- a/syft/pkg/cataloger/haskell/test-fixtures/stack.yaml.lock
+++ b/syft/pkg/cataloger/haskell/test-fixtures/stack.yaml.lock
@@ -67,6 +67,19 @@ packages:
       sha256: 557c438345de19f82bf01d676100da2a191ef06f624e7a4b90b09ac17cbb52a5
   original:
     hackage: ptr-0.16.8.2@sha256:708ebb95117f2872d2c5a554eb6804cf1126e86abe793b2673f913f14e5eb1ac,3959
+- completed:
+    commit: a5847301404583e16d55cd4d051b8e605d704fbc
+    git: https://github.com/runtimeverification/haskell-backend.git
+    name: kore
+    pantry-tree:
+      sha256: 30a502eda589be5af735b1b59760ce3e0235c0cae8961978a46b3564dd8db32b
+      size: 44685
+    subdir: kore
+    version: 0.60.0.0
+  original:
+    commit: a5847301404583e16d55cd4d051b8e605d704fbc
+    git: https://github.com/runtimeverification/haskell-backend.git
+    subdir: kore
 snapshots:
 - completed:
     size: 618951