Malformed licenses field in package json warn not skip (#1004)

* Malformed licenses field in package json warn not skip Signed-off-by: houdini91 <mdstrauss91@gmail.com> * liceneses failed warn fix Signed-off-by: houdini91 <mdstrauss91@gmail.com> * package.json malformed licenses unitest Signed-off-by: houdini91 <mdstrauss91@gmail.com>
2025-11-17 16:33:21 +01:00 · 2022-05-19 23:10:34 +03:00 · 2022-05-19 23:10:34 +03:00 · d41afe05eb
commit d41afe05eb
parent 0f5a9eed09
3 changed files with 54 additions and 4 deletions
--- a/syft/pkg/cataloger/javascript/parse_package_json.go
+++ b/syft/pkg/cataloger/javascript/parse_package_json.go
@ -27,7 +27,7 @@ type packageJSON struct {
 	Latest       []string          `json:"latest"`
 	Author       author            `json:"author"`
 	License      json.RawMessage   `json:"license"`
-	Licenses     []license         `json:"licenses"`
+	Licenses     json.RawMessage   `json:"licenses"`
 	Name         string            `json:"name"`
 	Homepage     string            `json:"homepage"`
 	Description  string            `json:"description"`
@ -145,8 +145,10 @@ func (p packageJSON) licensesFromJSON() ([]string, error) {
 		return []string{singleLicense}, nil
 	}

+	multiLicense, err := licensesFromJSON(p.Licenses)
+
 	// The "licenses" field is deprecated. It should be inspected as a last resort.
-	if p.Licenses != nil {
+	if multiLicense != nil && err == nil {
 		mapLicenses := func(licenses []license) []string {
 			mappedLicenses := make([]string, len(licenses))
 			for i, l := range licenses {
@ -155,10 +157,20 @@ func (p packageJSON) licensesFromJSON() ([]string, error) {
 			return mappedLicenses
 		}

-		return mapLicenses(p.Licenses), nil
+		return mapLicenses(multiLicense), nil
 	}

-	return nil, fmt.Errorf("unable to parse license field: %w", err)
+	return nil, err
+}
+
+func licensesFromJSON(b []byte) ([]license, error) {
+	var licenseObject []license
+	err := json.Unmarshal(b, &licenseObject)
+	if err == nil {
+		return licenseObject, nil
+	}
+
+	return nil, errors.New("unmarshal failed")
 }

 // parsePackageJSON parses a package.json and returns the discovered JavaScript packages.
--- a/syft/pkg/cataloger/javascript/parse_package_json_test.go
+++ b/syft/pkg/cataloger/javascript/parse_package_json_test.go
@ -71,6 +71,25 @@ func TestParsePackageJSON(t *testing.T) {
 				},
 			},
 		},
+		{
+			Fixture: "test-fixtures/pkg-json/package-malformed-license.json",
+			ExpectedPkg: pkg.Package{
+				Name:         "npm",
+				Version:      "6.14.6",
+				Type:         pkg.NpmPkg,
+				Licenses:     nil,
+				Language:     pkg.JavaScript,
+				MetadataType: pkg.NpmPackageJSONMetadataType,
+				Metadata: pkg.NpmPackageJSONMetadata{
+					Name:     "npm",
+					Version:  "6.14.6",
+					Author:   "Isaac Z. Schlueter <i@izs.me> (http://blog.izs.me)",
+					Homepage: "https://docs.npmjs.com/",
+					URL:      "https://github.com/npm/cli",
+					Licenses: nil,
+				},
+			},
+		},
 		{
 			Fixture: "test-fixtures/pkg-json/package-no-license.json",
 			ExpectedPkg: pkg.Package{
--- a/syft/pkg/cataloger/javascript/test-fixtures/pkg-json/package-malformed-license.json
+++ b/syft/pkg/cataloger/javascript/test-fixtures/pkg-json/package-malformed-license.json
@ -0,0 +1,19 @@
+{
+  "version": "6.14.6",
+  "name": "npm",
+  "description": "a package manager for JavaScript",
+  "homepage": "https://docs.npmjs.com/",
+  "author": "Isaac Z. Schlueter <i@izs.me> (http://blog.izs.me)",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/npm/cli"
+  },
+  "bugs": {
+    "url": "https://npm.community/c/bugs"
+  },
+  "main": "./lib/npm.js",
+  "licenses": [ "MIT" ],
+  "engines": {
+    "node": "6 >=6.2.0 || 8 || >=9.3.0"
+  }
+}