oss/syft
2
0
Fork 0
mirror of https://github.com/anchore/syft.git synced 2025-11-17 08:23:15 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix: read only single package.json or package-lock.json document

Browse Source 
Previously, this used a for loop over a json decoder, reading N
package.json objects from a file stream. Because a single file stream
containing the JSON for more than one package.json is unexpected, and
because on some filesystems the loop failed to exit, instead read a
single package.json object from the decoder.

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
This commit is contained in:
Will Murphy 2025-02-28 13:07:27 -05:00
parent f6605a3817
commit e0bfd2f98a
2 changed files with 12 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
syft/pkg/cataloger/javascript/parse_package_json.go
View File

@ -55,22 +55,18 @@ func parsePackageJSON(_ context.Context, _ file.Resolver, _ *generic.Environment
var pkgs []pkg.Package
dec := json.NewDecoder(reader)
for {
var p packageJSON
if err := dec.Decode(&p); errors.Is(err, io.EOF) {
break
} else if err != nil {
return nil, nil, fmt.Errorf("failed to parse package.json file: %w", err)
}
// always create a package, regardless of having a valid name and/or version,
// a compliance filter later will remove these packages based on compliance rules
pkgs = append(
pkgs,
newPackageJSONPackage(p, reader.Location.WithAnnotation(pkg.EvidenceAnnotationKey, pkg.PrimaryEvidenceAnnotation)),
)
var p packageJSON
if err := dec.Decode(&p); err != nil && !errors.Is(err, io.EOF) {
return nil, nil, fmt.Errorf("failed to parse package.json file: %w", err)
}
// always create a package, regardless of having a valid name and/or version,
// a compliance filter later will remove these packages based on compliance rules
pkgs = append(
pkgs,
newPackageJSONPackage(p, reader.Location.WithAnnotation(pkg.EvidenceAnnotationKey, pkg.PrimaryEvidenceAnnotation)),
)
pkg.Sort(pkgs)
return pkgs, nil, nil

8
syft/pkg/cataloger/javascript/parse_package_lock.go
View File

@ -66,12 +66,8 @@ func (a genericPackageLockAdapter) parsePackageLock(_ context.Context, resolver
dec := json.NewDecoder(reader)
var lock packageLock
for {
if err := dec.Decode(&lock); errors.Is(err, io.EOF) {
break
} else if err != nil {
return nil, nil, fmt.Errorf("failed to parse package-lock.json file: %w", err)
}
if err := dec.Decode(&lock); err != nil && !errors.Is(err, io.EOF) {
return nil, nil, fmt.Errorf("failed to parse package-lock.json file: %w", err)
}
if lock.LockfileVersion == 1 {