fix: panic if JSON relationship array contains null (#239)

Signed-off-by: Keith Zantow <kzantow@gmail.com>

Author: kzantow

spdx/v2/v2_2/document.go

@@ -120,6 +120,14 @@ func (d *Document) UnmarshalJSON(b []byte) error {
 		return fmt.Sprintf("%v-%v->%v", common.RenderDocElementID(refA), rel, common.RenderDocElementID(refB))
 	}
 
+	// remove null relationships
+	for i := 0; i < len(d.Relationships); i++ {
+		if d.Relationships[i] == nil {
+			d.Relationships = append(d.Relationships[0:i], d.Relationships[i+1:]...)
+			i--
+		}
+	}
+
 	// index current list of relationships to ensure no duplication
 	for _, r := range d.Relationships {
 		relationshipExists[serializeRel(r)] = true

spdx/v2/v2_2/json/json_test.go

@@ -40,6 +40,25 @@ func TestLoad(t *testing.T) {
 	}
 }
 
+func Test_nullRelationships(t *testing.T) {
+	file, err := os.Open("testdata/spdx-null-relationships.json")
+	if err != nil {
+		panic(fmt.Errorf("error opening File: %s", err))
+	}
+
+	var got spdx.Document
+	err = json.ReadInto(file, &got)
+	if err != nil {
+		t.Errorf("json.parser.Load() error = %v", err)
+		return
+	}
+
+	require.Len(t, got.Relationships, 2)
+	for _, r := range got.Relationships {
+		require.NotNil(t, r)
+	}
+}
+
 func Test_Write(t *testing.T) {
 	want := example.Copy()
 

spdx/v2/v2_2/json/testdata/spdx-null-relationships.json

@@ -0,0 +1,56 @@
+{
+    "files": [ {
+        "fileName": "./Microsoft.CSharp.dll",
+        "SPDXID": "SPDXRef-File--Microsoft.CSharp.dll-E226415EEA8ABBBA041A635582440F75E873395C",
+        "checksums": [
+            {
+                "algorithm": "SHA256",
+                "checksumValue": "696b0b0d6ac06e620efd58db6f5f2e15fa2c9b91ddf8774ab8768c958d593254"
+            },
+            {
+                "algorithm": "SHA1",
+                "checksumValue": "e226415eea8abbba041a635582440f75e873395c"
+            }
+        ],
+        "licenseConcluded": "NOASSERTION",
+        "licenseInfoInFile": [
+            "NOASSERTION"
+        ],
+        "copyrightText": "NOASSERTION"
+    }],
+    "packages": [
+        {
+            "name": "read-pkg",
+            "SPDXID": "SPDXRef-Package-read-pkg-1.1.0-30839A4052AC42B4E1CAB4B52EBC7DE7B94BB36D",
+            "versionInfo": "1.1.0"
+        },
+        {
+            "name": "read-pkg",
+            "SPDXID": "SPDXRef-Package-read-pkg-1.1.0-30839A4052AC42B4E1CAB4B52EBC7DE7B94BB36D",
+            "versionInfo": "1.1.0"
+        }
+    ],
+    "relationships": [
+        null,
+        {
+
+        },
+        null,
+        {
+
+        },
+        null
+    ],
+    "spdxVersion": "SPDX-2.2",
+    "dataLicense": "CC0-1.0",
+    "SPDXID": "SPDXRef-DOCUMENT",
+    "name": "Coordinated Packages 229170",
+    "documentNamespace": "https://sbom.microsoft/1:2QSF7qZlbE-F7QrUJlEo7g:pHp_nUFvDUijZ4LrJ4RhoQ/696:229170/F8kPc6dwY0WXD1Rkc2z6cg",
+    "creationInfo": {
+        "created": "2021-12-08T21:06:16Z",
+        "creators": [
+            "Organization: Microsoft",
+            "Tool: Microsoft.SBOMTool-2.0.88"
+        ]
+    }
+}

spdx/v2/v2_3/document.go

@@ -119,6 +119,14 @@ func (d *Document) UnmarshalJSON(b []byte) error {
 		return fmt.Sprintf("%v-%v->%v", common.RenderDocElementID(refA), rel, common.RenderDocElementID(refB))
 	}
 
+	// remove null relationships
+	for i := 0; i < len(d.Relationships); i++ {
+		if d.Relationships[i] == nil {
+			d.Relationships = append(d.Relationships[0:i], d.Relationships[i+1:]...)
+			i--
+		}
+	}
+
 	// index current list of relationships to ensure no duplication
 	for _, r := range d.Relationships {
 		relationshipExists[serializeRel(r)] = true

spdx/v2/v2_3/json/json_test.go

@@ -88,6 +88,25 @@ func Test_Write(t *testing.T) {
 	}
 }
 
+func Test_nullRelationships(t *testing.T) {
+	file, err := os.Open("testdata/spdx-null-relationships.json")
+	if err != nil {
+		panic(fmt.Errorf("error opening File: %s", err))
+	}
+
+	var got spdx.Document
+	err = json.ReadInto(file, &got)
+	if err != nil {
+		t.Errorf("json.parser.Load() error = %v", err)
+		return
+	}
+
+	require.Len(t, got.Relationships, 2)
+	for _, r := range got.Relationships {
+		require.NotNil(t, r)
+	}
+}
+
 func Test_ShorthandFields(t *testing.T) {
 	contents := `{
 		"spdxVersion": "SPDX-2.3",

spdx/v2/v2_3/json/testdata/spdx-null-relationships.json

@@ -0,0 +1,56 @@
+{
+    "files": [ {
+        "fileName": "./Microsoft.CSharp.dll",
+        "SPDXID": "SPDXRef-File--Microsoft.CSharp.dll-E226415EEA8ABBBA041A635582440F75E873395C",
+        "checksums": [
+            {
+                "algorithm": "SHA256",
+                "checksumValue": "696b0b0d6ac06e620efd58db6f5f2e15fa2c9b91ddf8774ab8768c958d593254"
+            },
+            {
+                "algorithm": "SHA1",
+                "checksumValue": "e226415eea8abbba041a635582440f75e873395c"
+            }
+        ],
+        "licenseConcluded": "NOASSERTION",
+        "licenseInfoInFile": [
+            "NOASSERTION"
+        ],
+        "copyrightText": "NOASSERTION"
+    }],
+    "packages": [
+        {
+            "name": "read-pkg",
+            "SPDXID": "SPDXRef-Package-read-pkg-1.1.0-30839A4052AC42B4E1CAB4B52EBC7DE7B94BB36D",
+            "versionInfo": "1.1.0"
+        },
+        {
+            "name": "read-pkg",
+            "SPDXID": "SPDXRef-Package-read-pkg-1.1.0-30839A4052AC42B4E1CAB4B52EBC7DE7B94BB36D",
+            "versionInfo": "1.1.0"
+        }
+    ],
+    "relationships": [
+        null,
+        {
+
+        },
+        null,
+        {
+
+        },
+        null
+    ],
+    "spdxVersion": "SPDX-2.3",
+    "dataLicense": "CC0-1.0",
+    "SPDXID": "SPDXRef-DOCUMENT",
+    "name": "Coordinated Packages 229170",
+    "documentNamespace": "https://sbom.microsoft/1:2QSF7qZlbE-F7QrUJlEo7g:pHp_nUFvDUijZ4LrJ4RhoQ/696:229170/F8kPc6dwY0WXD1Rkc2z6cg",
+    "creationInfo": {
+        "created": "2021-12-08T21:06:16Z",
+        "creators": [
+            "Organization: Microsoft",
+            "Tool: Microsoft.SBOMTool-2.0.88"
+        ]
+    }
+}