Handle null SPDX relationship values without panicking (#1822)

- Fixes #1821

Signed-off-by: Narsimham Chelluri (Narsa) <narsa@kusari.dev>

pkg/ingestor/parser/spdx/parse_spdx.go

@@ -93,6 +93,12 @@ func (s *spdxParser) getTopLevelPackageSpdxIds() ([]string, error) {
 	// oci purl: pkg:oci/debian@sha256%3A244fd47e07d10?repository_url=ghcr.io/debian&tag=bullseye
 	var spdxIds []string
 	for _, r := range s.spdxDoc.Relationships {
+		if r == nil {
+			// when the upstream parser in https://github.com/spdx/tools-golang does not
+			// include null relationships in v2.2 SBOMs, we can remove this code
+			continue
+		}
+
 		// If both sides of the relationship contain the same string,
 		// it is not a valid DESCRIBES/DESCRIBED_BY relationship.
 		if r.RefA.ElementRefID == r.RefB.ElementRefID {
@@ -259,6 +265,12 @@ func (s *spdxParser) GetPredicates(ctx context.Context) *assembler.IngestPredica
 		}
 	}
 	for _, rel := range s.spdxDoc.Relationships {
+		if rel == nil {
+			// when the upstream parser in https://github.com/spdx/tools-golang does not
+			// include null relationships in v2.2 SBOMs, we can remove this code
+			continue
+		}
+
 		var foundId string
 		var relatedId string
 

pkg/ingestor/parser/spdx/parse_spdx_test.go

@@ -38,7 +38,7 @@ func pUrlToPkgDiscardError(pUrl string) *generated.PkgInputSpec {
 
 func Test_spdxParser(t *testing.T) {
 	packageOfns := "spdx"
-	//packageOfVersion := "sha256:a743268cd3c56f921f3fb706c"
+	packageXns := "pkg/golang.org/x"
 	depPackageOfVersion := "sha256:a743268cd3c56f921f3fb706cc0425c8ab78119fd433e38bb7c5dcd5635b0d10"
 	packageOfEmptyString := ""
 	ctx := logging.WithLogger(context.Background())
@@ -1033,6 +1033,69 @@ func Test_spdxParser(t *testing.T) {
 			},
 			wantErr: false,
 		},
+		{
+			name: "SPDX v2.2 with an empty relationship value (see https://github.com/guacsec/guac/issues/1821)",
+			additionalOpts: []cmp.Option{
+				cmpopts.IgnoreFields(generated.HasSBOMInputSpec{},
+					"KnownSince"),
+			}, doc: &processor.Document{
+				Blob: []byte(`
+				{
+					"spdxVersion": "SPDX-2.2",
+					"dataLicense": "CC0-1.0",
+					"SPDXID": "SPDXRef-DOCUMENT",
+					"creationInfo": {
+					  "created": "2020-11-24T01:12:27Z"
+					},
+					"name": "empty-relationship.spdx.json",
+					"documentNamespace": "https://example.com/for-testing",
+					"documentDescribes": [
+					  "SPDXRef-go-module-golang.org/x/text"
+					],
+					"packages": [
+					  {
+						"name": "golang.org/x/text",
+						"SPDXID": "SPDXRef-go-module-golang.org/x/text",
+						"downloadLocation": "go://golang.org/x/text@v0.0.0-20170915032832-14c0d48ead0c",
+						"filesAnalyzed": false,
+						"packageLicenseConcluded": "NOASSERTION",
+						"packageLicenseDeclared": "NOASSERTION",
+						"packageCopyrightText": "NOASSERTION"
+					  }
+					],
+					"relationships": [
+						{}
+					]
+				  }
+							  `),
+				Format: processor.FormatJSON,
+				Type:   processor.DocumentSPDX,
+				SourceInformation: processor.SourceInformation{
+					Collector: "TestCollector",
+					Source:    "TestSource",
+				},
+			},
+			wantPredicates: &assembler.IngestPredicates{
+				HasSBOM: []assembler.HasSBOMIngest{
+					{
+						Pkg: &generated.PkgInputSpec{
+							Type:      "guac",
+							Namespace: &packageXns,
+							Name:      "text",
+							Version:   &packageOfEmptyString,
+							Subpath:   &packageOfEmptyString,
+						},
+						HasSBOM: &generated.HasSBOMInputSpec{
+							Uri:              "https://example.com/for-testing",
+							Algorithm:        "sha256",
+							Digest:           "f0b160c3bc9001b17b1bdc0e398bd75b80cbe8ab8df48bc7a545ec5d9802c66d",
+							DownloadLocation: "TestSource",
+						},
+					},
+				},
+			},
+			wantErr: false,
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {