syft should not warn on known bad package.json

[robbat2]

What would you like to be added:
syft should ignore explicitly malformed test file package.json

e.g. https://github.com/browserify/resolve/blob/main/test/resolver/malformed_package_json/package.json

Why is this needed:
Reduce false positive warnings in runs.

Other tooling already excludes the file: https://github.com/search?q=%22malformed_package_json%22&type=code

Additional context:

Syft runs presently throw these warnings for it:

#29 0.052 time="2024-11-21T05:23:08Z" level=info msg="starting syft scanner for buildkit v1.4.0"
#29 7.466 [0007]  WARN cataloger failed cataloger=javascript-package-cataloger error=failed to parse package.json file: unexpected EOF location=/app/node_modules/resolve/test/resolver/malformed_package_json/package.json
#29 37.18 [0037]  WARN cataloger failed cataloger=javascript-package-cataloger error=failed to parse package.json file: unexpected EOF location=/app/node_modules/eslint-plugin-react/node_modules/resolve/test/resolver/malformed_package_json/package.json
#29 37.27 [0037]  WARN unable to extract licenses from javascript package.json: unmarshal failed
#29 37.29 [0037]  WARN cataloger failed cataloger=javascript-package-cataloger error=failed to parse package.json file: unexpected EOF location=/app/node_modules/resolve/test/resolver/malformed_package_json/package.json

[willmurphyscode]

Hi @robbat2! Thanks for the issue.

Today I learned that malformed_package_json is a common name for a test fixture. Thanks!

What version of Syft are you using? Syft recently changed to treat unparseable files as known-unknowns (see #518) and no longer prints warnings here. I think if you upgrade Syft, you'll stop seeing the warnings, but the JSON output you get will list the malformed package JSON as known unknowns.

If you also wish to turn that off, or if you don't want to upgrade Syft right now, you can set Syft to ignore certain globs:
https://github.com/anchore/syft/wiki/configuration#list-of-configurable-values

Discussion: Should Syft exclude certain globs by default?

I've marked this as needs-discussion so we can discuss on our live stream whether there should be default excludes in Syft - right now Syft attempts to scan the entire image or directory by default, but it might make sense to exclude test fixtures from directory scans by default, for example, if we can figure out a good way that doesn't accidentally exclude too much.

[robbat2]

Unclear what version, this is coming from another pipeline - it would be whatever is used by buildkit v1.4.0 in GitHub Actions.

[willmurphyscode]

@robbat2 this warning is no longer printed in the latest version of Syft. Can you share exactly what GitHub action and version is generating the warning? Then we could at least ask them to upgrade or send an upgrade PR. I'm not sure what other action we can take; this is already fixed in latest Syft.

[robbat2]

Newer buildkit has improved it slightly:

#29 [linux/amd64] generating sbom using docker.io/docker/buildkit-syft-scanner:stable-1
#29 0.040 time="2025-01-10T17:40:00Z" level=info msg="starting syft scanner for buildkit v1.5.0"
#29 23.89 [0023]  WARN unable to extract licenses from javascript package.json: unmarshal failed
#29 DONE 43.1s

Can we drop even that WARN statement for known false-positive package.json files?