From e0bfd2f98addb60baa47ea47bcd5ef224d08256f Mon Sep 17 00:00:00 2001
From: Will Murphy
Date: Fri, 28 Feb 2025 13:07:27 -0500
Subject: [PATCH] fix: read only single package.json or package-lock.json document

Previously, this used a for loop over a json decoder, reading N package.json objects from a file stream. Because a single file stream containing the JSON for more than one package.json is unexpected, and because on some filesystems the loop failed to exit, instead read a single package.json object from the decoder.

Signed-off-by: Will Murphy
---
 .../javascript/parse_package_json.go | 24 ++++++++-----------
 .../javascript/parse_package_lock.go | 8 ++-----
 2 files changed, 12 insertions(+), 20 deletions(-)
diff --git a/syft/pkg/cataloger/javascript/parse_package_json.go b/syft/pkg/cataloger/javascript/parse_package_json.go
index cb9db5d76..57c1bb965 100644
--- a/syft/pkg/cataloger/javascript/parse_package_json.go
+++ b/syft/pkg/cataloger/javascript/parse_package_json.go
@@ -55,22 +55,18 @@ func parsePackageJSON(_ context.Context, _ file.Resolver, _ *generic.Environment
 	var pkgs []pkg.Package
 	dec := json.NewDecoder(reader)
 
-	for {
-		var p packageJSON
-		if err := dec.Decode(&p); errors.Is(err, io.EOF) {
-			break
-		} else if err != nil {
-			return nil, nil, fmt.Errorf("failed to parse package.json file: %w", err)
-		}
-
-		// always create a package, regardless of having a valid name and/or version,
-		// a compliance filter later will remove these packages based on compliance rules
-		pkgs = append(
-			pkgs,
-			newPackageJSONPackage(p, reader.Location.WithAnnotation(pkg.EvidenceAnnotationKey, pkg.PrimaryEvidenceAnnotation)),
-		)
+	var p packageJSON
+	if err := dec.Decode(&p); err != nil && !errors.Is(err, io.EOF) {
+		return nil, nil, fmt.Errorf("failed to parse package.json file: %w", err)
 	}
 
+	// always create a package, regardless of having a valid name and/or version,
+	// a compliance filter later will remove these packages based on compliance rules
+	pkgs = append(
+		pkgs,
+		newPackageJSONPackage(p, reader.Location.WithAnnotation(pkg.EvidenceAnnotationKey, pkg.PrimaryEvidenceAnnotation)),
+	)
+
 	pkg.Sort(pkgs)
 
 	return pkgs, nil, nil
diff --git a/syft/pkg/cataloger/javascript/parse_package_lock.go b/syft/pkg/cataloger/javascript/parse_package_lock.go
index 003683b76..b7b2eeca6 100644
--- a/syft/pkg/cataloger/javascript/parse_package_lock.go
+++ b/syft/pkg/cataloger/javascript/parse_package_lock.go
@@ -66,12 +66,8 @@ func (a genericPackageLockAdapter) parsePackageLock(_ context.Context, resolver
 	dec := json.NewDecoder(reader)
 	var lock packageLock
 
-	for {
-		if err := dec.Decode(&lock); errors.Is(err, io.EOF) {
-			break
-		} else if err != nil {
-			return nil, nil, fmt.Errorf("failed to parse package-lock.json file: %w", err)
-		}
+	if err := dec.Decode(&lock); err != nil && !errors.Is(err, io.EOF) {
+		return nil, nil, fmt.Errorf("failed to parse package-lock.json file: %w", err)
 	}
 
 	if lock.LockfileVersion == 1 {
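Review bot: The `!errors.Is(err, io.EOF)` exemption in the new `if` lets an empty or whitespace-only reader fall through to the `append`, so a package is now built from a zero-valued `packageJSON`, whereas the old loop broke on EOF and appended nothing; the `parsePackageLock` hunk in parse_package_lock.go has the same shape and continues into `if lock.LockfileVersion == 1 {` with a zero-valued `lock`. If an empty file should yield no package, handle EOF explicitly before the error check, `if errors.Is(err, io.EOF) { return pkgs, nil, nil }`, with the matching early return in parse_package_lock.go; if the new behaviour is intended, a comment such as `// an empty file still yields a package with no name/version` would make that explicit for the next reader. Reading a single document also means anything after the first JSON value is now ignored rather than parsed, which seems to be the intent of the commit; `dec.More()` after the decode would detect trailing data if it should be reported instead. Both `parsePackageJSON` and `parsePackageLock` begin before their hunks, and parsePackageLock's body continues past its hunk.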