fix: panic if JSON relationship array contains null

Signed-off-by: Keith Zantow <kzantow@gmail.com>
spdx · May 8, 2024 · 5ed5bfa · 5ed5bfa
1 parent aa7bfad
commit 5ed5bfa
Show file tree

Hide file tree

Showing 3 changed files with 72 additions and 0 deletions.
diff --git a/spdx/common/testdata/spdx-null-relationship.json b/spdx/common/testdata/spdx-null-relationship.json
@@ -0,0 +1,58 @@
+{
+    "files": [ {
+        "fileName": "./Microsoft.CSharp.dll",
+        "SPDXID": "SPDXRef-File--Microsoft.CSharp.dll-E226415EEA8ABBBA041A635582440F75E873395C",
+        "checksums": [
+            {
+                "algorithm": "SHA256",
+                "checksumValue": "696b0b0d6ac06e620efd58db6f5f2e15fa2c9b91ddf8774ab8768c958d593254"
+            },
+            {
+                "algorithm": "SHA1",
+                "checksumValue": "e226415eea8abbba041a635582440f75e873395c"
+            }
+        ],
+        "licenseConcluded": "NOASSERTION",
+        "licenseInfoInFile": [
+            "NOASSERTION"
+        ],
+        "copyrightText": "NOASSERTION"
+    }],
+    "packages": [
+        {
+            "name": "read-pkg",
+            "SPDXID": "SPDXRef-Package-read-pkg-1.1.0-30839A4052AC42B4E1CAB4B52EBC7DE7B94BB36D",
+            "versionInfo": "1.1.0"
+        },
+        {
+            "name": "read-pkg",
+            "SPDXID": "SPDXRef-Package-read-pkg-1.1.0-30839A4052AC42B4E1CAB4B52EBC7DE7B94BB36D",
+            "versionInfo": "1.1.0"
+        }
+    ],
+    "relationships": [
+        null,
+        {
+
+        },
+        null,
+        {
+
+        }
+    ],
+    "spdxVersion": "SPDX-2.2",
+    "dataLicense": "CC0-1.0",
+    "SPDXID": "SPDXRef-DOCUMENT",
+    "name": "Coordinated Packages 229170",
+    "documentNamespace": "https://sbom.microsoft/1:2QSF7qZlbE-F7QrUJlEo7g:pHp_nUFvDUijZ4LrJ4RhoQ/696:229170/F8kPc6dwY0WXD1Rkc2z6cg",
+    "creationInfo": {
+        "created": "2021-12-08T21:06:16Z",
+        "creators": [
+            "Organization: Microsoft",
+            "Tool: Microsoft.SBOMTool-2.0.88"
+        ]
+    },
+    "documentDescribes": [
+        "SPDXRef-RootPackage"
+    ]
+}
diff --git a/spdx/v2/v2_2/document.go b/spdx/v2/v2_2/document.go
@@ -120,6 +120,13 @@ func (d *Document) UnmarshalJSON(b []byte) error {
 		return fmt.Sprintf("%v-%v->%v", common.RenderDocElementID(refA), rel, common.RenderDocElementID(refB))
 	}
 
+	// remove null relationships
+	for i, r := range d.Relationships {
+		if r == nil {
+			d.Relationships = append(d.Relationships[0:i], d.Relationships[i+1:]...)
+		}
+	}
+
 	// index current list of relationships to ensure no duplication
 	for _, r := range d.Relationships {
 		relationshipExists[serializeRel(r)] = true

diff --git a/spdx/v2/v2_3/document.go b/spdx/v2/v2_3/document.go
@@ -119,6 +119,13 @@ func (d *Document) UnmarshalJSON(b []byte) error {
 		return fmt.Sprintf("%v-%v->%v", common.RenderDocElementID(refA), rel, common.RenderDocElementID(refB))
 	}
 
+	// remove null relationships
+	for i, r := range d.Relationships {
+		if r == nil {
+			d.Relationships = append(d.Relationships[0:i], d.Relationships[i+1:]...)
+		}
+	}
+
 	// index current list of relationships to ensure no duplication
 	for _, r := range d.Relationships {
 		relationshipExists[serializeRel(r)] = true