

fix: panic if JSON relationship array contains null (spdx#239)
Signed-off-by: Keith Zantow <kzantow@gmail.com>
kzantow authored May 20, 2024
1 parent 606f188 commit 57d4b8e
Showing 6 changed files with 166 additions and 0 deletions.
8 changes: 8 additions & 0 deletions spdx/v2/v2_2/document.go
Expand Up @@ -120,6 +120,14 @@ func (d *Document) UnmarshalJSON(b []byte) error {
return fmt.Sprintf("%v-%v->%v", common.RenderDocElementID(refA), rel, common.RenderDocElementID(refB))
}

// remove null relationships
for i := 0; i < len(d.Relationships); i++ {
if d.Relationships[i] == nil {
d.Relationships = append(d.Relationships[0:i], d.Relationships[i+1:]...)
i--
}
}

// index current list of relationships to ensure no duplication
for _, r := range d.Relationships {
relationshipExists[serializeRel(r)] = true
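Review bot: The null-stripping loop at the top of the hunk rebuilds the slice with `append` at every nil hit, which is quadratic on an array that is mostly nulls; since this runs inside UnmarshalJSON on documents that are routinely produced by third parties, a single in-place filter pass is the safer O(n) shape and reads no worse. The loop also deserves a why-comment, because silently dropping entries is a lenient choice a later reader cannot distinguish from an oversight. Something like the version below keeps the same result (only nil entries removed, order preserved) without the repeated re-slicing. UnmarshalJSON starts before and continues past this hunk.
```go
// Drop null entries from "relationships" (see testdata/spdx-null-relationships.json)
// so the dedup pass below never sees a nil entry. Filtering in place keeps the
// backing array and is linear even when most entries are null.
kept := d.Relationships[:0]
for _, r := range d.Relationships {
	if r != nil {
		kept = append(kept, r)
	}
}
d.Relationships = kept
// … unchanged: index current list of relationships to ensure no duplication …
```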
19 changes: 19 additions & 0 deletions spdx/v2/v2_2/json/json_test.go
Expand Up @@ -40,6 +40,25 @@ func TestLoad(t *testing.T) {
}
}

func Test_nullRelationships(t *testing.T) {
file, err := os.Open("testdata/spdx-null-relationships.json")
if err != nil {
panic(fmt.Errorf("error opening File: %s", err))
}

var got spdx.Document
err = json.ReadInto(file, &got)
if err != nil {
t.Errorf("json.parser.Load() error = %v", err)
return
}

require.Len(t, got.Relationships, 2)
for _, r := range got.Relationships {
require.NotNil(t, r)
}
}

func Test_Write(t *testing.T) {
want := example.Copy()

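--- /dev/null
+++ b/spdx/v2/v2_2/json/testdata/spdx-null-relationships.json
@@ -0,0 +1,56 @@
+{
+"files": [ {
+"fileName": "./Microsoft.CSharp.dll",
+"SPDXID": "SPDXRef-File--Microsoft.CSharp.dll-E226415EEA8ABBBA041A635582440F75E873395C",
+"checksums": [
+{
+"algorithm": "SHA256",
+"checksumValue": "696b0b0d6ac06e620efd58db6f5f2e15fa2c9b91ddf8774ab8768c958d593254"
+},
+{
+"algorithm": "SHA1",
+"checksumValue": "e226415eea8abbba041a635582440f75e873395c"
+}
+],
+"licenseConcluded": "NOASSERTION",
+"licenseInfoInFile": [
+"NOASSERTION"
+],
+"copyrightText": "NOASSERTION"
+}],
+"packages": [
+{
+"name": "read-pkg",
+"SPDXID": "SPDXRef-Package-read-pkg-1.1.0-30839A4052AC42B4E1CAB4B52EBC7DE7B94BB36D",
+"versionInfo": "1.1.0"
+},
+{
+"name": "read-pkg",
+"SPDXID": "SPDXRef-Package-read-pkg-1.1.0-30839A4052AC42B4E1CAB4B52EBC7DE7B94BB36D",
+"versionInfo": "1.1.0"
+}
+],
+"relationships": [
+null,
+{
+
+},
+null,
+{
+
+},
+null
+],
+"spdxVersion": "SPDX-2.2",
+"dataLicense": "CC0-1.0",
+"SPDXID": "SPDXRef-DOCUMENT",
+"name": "Coordinated Packages 229170",
+"documentNamespace": "https://sbom.microsoft/1:2QSF7qZlbE-F7QrUJlEo7g:pHp_nUFvDUijZ4LrJ4RhoQ/696:229170/F8kPc6dwY0WXD1Rkc2z6cg",
+"creationInfo": {
+"created": "2021-12-08T21:06:16Z",
+"creators": [
+"Organization: Microsoft",
+"Tool: Microsoft.SBOMTool-2.0.88"
+]
+}
+}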
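Review bot: The fixture carries more than the null case it exists for: the two `read-pkg` packages share the same SPDXID and the relationships array also holds two empty `{}` objects, and the new test asserts on neither, so a reader cannot tell which parts are load-bearing and which are leftovers from the document it was cut from. JSON has no comment syntax, so the intent belongs in Test_nullRelationships; a one-line note such as `// Fixture derived from a real SBOM (see its creationInfo); only the null entries in "relationships" matter to this test.` would do. If the duplicate package IDs are deliberate, saying so there would save the next person from "fixing" the fixture and silently changing what the test exercises.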
8 changes: 8 additions & 0 deletions spdx/v2/v2_3/document.go
Expand Up @@ -119,6 +119,14 @@ func (d *Document) UnmarshalJSON(b []byte) error {
return fmt.Sprintf("%v-%v->%v", common.RenderDocElementID(refA), rel, common.RenderDocElementID(refB))
}

// remove null relationships
for i := 0; i < len(d.Relationships); i++ {
if d.Relationships[i] == nil {
d.Relationships = append(d.Relationships[0:i], d.Relationships[i+1:]...)
i--
}
}

// index current list of relationships to ensure no duplication
for _, r := range d.Relationships {
relationshipExists[serializeRel(r)] = true
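Review bot: The seven-line null-stripping loop here is a verbatim copy of the one this commit adds to v2_2/document.go, and both decoders already reach into the shared `common` package for RenderDocElementID; if the module's Go version allows generics (I cannot see go.mod from here), a helper such as `func withoutNil[T any](s []*T) []*T` in `common` would keep the two copies from drifting. Independently of that, the loop rebuilds the slice with `append` at each nil, which is quadratic on a null-heavy array arriving from an untrusted SBOM producer; an in-place filter (`kept := d.Relationships[:0]` plus a single range that appends non-nil entries, then `d.Relationships = kept`) is the usual linear shape. A short why-comment, e.g. `// Drop null entries from "relationships" rather than failing the whole document.`, would record that dropping them is intentional. UnmarshalJSON starts before and continues past this hunk.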
19 changes: 19 additions & 0 deletions spdx/v2/v2_3/json/json_test.go
Expand Up @@ -88,6 +88,25 @@ func Test_Write(t *testing.T) {
}
}

func Test_nullRelationships(t *testing.T) {
file, err := os.Open("testdata/spdx-null-relationships.json")
if err != nil {
panic(fmt.Errorf("error opening File: %s", err))
}

var got spdx.Document
err = json.ReadInto(file, &got)
if err != nil {
t.Errorf("json.parser.Load() error = %v", err)
return
}

require.Len(t, got.Relationships, 2)
for _, r := range got.Relationships {
require.NotNil(t, r)
}
}

func Test_ShorthandFields(t *testing.T) {
contents := `{
"spdxVersion": "SPDX-2.3",
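Review bot: This copy of Test_nullRelationships has the same three rough edges as the v2_2 one: the file opened on the first line is never closed, an open failure is reported via `panic` rather than `t.Fatalf("opening fixture: %v", err)`, and the ReadInto failure message says `json.parser.Load()` when the call is `json.ReadInto`. Adding `defer file.Close()` directly after the open check and using `t.Errorf("json.ReadInto() error = %v", err)` makes failures land on the right test with the right name. The assertions only pin the count and non-nil-ness; checking that the two survivors are the empty `{}` objects from the fixture would make the test fail if the loop ever dropped the wrong entries.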
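--- /dev/null
+++ b/spdx/v2/v2_3/json/testdata/spdx-null-relationships.json
@@ -0,0 +1,56 @@
+{
+"files": [ {
+"fileName": "./Microsoft.CSharp.dll",
+"SPDXID": "SPDXRef-File--Microsoft.CSharp.dll-E226415EEA8ABBBA041A635582440F75E873395C",
+"checksums": [
+{
+"algorithm": "SHA256",
+"checksumValue": "696b0b0d6ac06e620efd58db6f5f2e15fa2c9b91ddf8774ab8768c958d593254"
+},
+{
+"algorithm": "SHA1",
+"checksumValue": "e226415eea8abbba041a635582440f75e873395c"
+}
+],
+"licenseConcluded": "NOASSERTION",
+"licenseInfoInFile": [
+"NOASSERTION"
+],
+"copyrightText": "NOASSERTION"
+}],
+"packages": [
+{
+"name": "read-pkg",
+"SPDXID": "SPDXRef-Package-read-pkg-1.1.0-30839A4052AC42B4E1CAB4B52EBC7DE7B94BB36D",
+"versionInfo": "1.1.0"
+},
+{
+"name": "read-pkg",
+"SPDXID": "SPDXRef-Package-read-pkg-1.1.0-30839A4052AC42B4E1CAB4B52EBC7DE7B94BB36D",
+"versionInfo": "1.1.0"
+}
+],
+"relationships": [
+null,
+{
+
+},
+null,
+{
+
+},
+null
+],
+"spdxVersion": "SPDX-2.3",
+"dataLicense": "CC0-1.0",
+"SPDXID": "SPDXRef-DOCUMENT",
+"name": "Coordinated Packages 229170",
+"documentNamespace": "https://sbom.microsoft/1:2QSF7qZlbE-F7QrUJlEo7g:pHp_nUFvDUijZ4LrJ4RhoQ/696:229170/F8kPc6dwY0WXD1Rkc2z6cg",
+"creationInfo": {
+"created": "2021-12-08T21:06:16Z",
+"creators": [
+"Organization: Microsoft",
+"Tool: Microsoft.SBOMTool-2.0.88"
+]
+}
+}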
