hardened JSON imports (#1135)

---------

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>

HISTORY.md

@@ -8,7 +8,7 @@ All notable changes to this project will be documented in this file.
   * Log output is less verbose, can be re-enabled via CLI switch `--verbose` ([#158] via [#1131])  
     Warnings and errors are still displayed as before.  
     This is considered a non-breaking change, since only informational logs and debug information is affected.
-  * Hardened JSON imports (via [#1132])
+  * Hardened JSON imports (via [#1132], [#1135])
 * Added
   * CLI switch `-v, --verbose` to increase output verbosity ([#158] via [#1131])  
     May be used multiple times, like `-vvv`.
@@ -21,6 +21,7 @@ All notable changes to this project will be documented in this file.
 [#1131]: https://github.com/CycloneDX/cyclonedx-node-npm/pull/1131
 [#1132]: https://github.com/CycloneDX/cyclonedx-node-npm/pull/1132
 [#1133]: https://github.com/CycloneDX/cyclonedx-node-npm/pull/1133
+[#1135]: https://github.com/CycloneDX/cyclonedx-node-npm/pull/1135
 
 ## 1.14.3 - 2023-12-01
 

src/builders.ts

@@ -354,7 +354,7 @@ export class BomBuilder {
     const packageJsonPath = path.join(data.path, 'package.json')
     try {
       return Object.assign(
-        loadJsonFile(packageJsonPath),
+        loadJsonFile(packageJsonPath) ?? {},
         data
       )
     } catch {
@@ -591,7 +591,7 @@ export class BomBuilder {
     /* eslint-enable no-labels */
 
     for (const packageJsonPath of packageJsonPaths) {
-      const packageData = loadJsonFile(packageJsonPath)
+      const packageData: object = loadJsonFile(packageJsonPath) ?? {}
       normalizePackageData(packageData /* add debug for warnings? */)
       const tool = this.toolBuilder.makeTool(packageData)
       if (tool !== undefined) {