From 31f1d7dbf05f4b26decdcbaa4414610ad955f644 Mon Sep 17 00:00:00 2001
From: Alex Goodman
Date: Mon, 16 Oct 2023 11:04:33 -0400
Subject: [PATCH] Fix panic for empty input to Swift cataloger (#2226)

* survive invalid input in swift parser

Signed-off-by: Alex Goodman

* add empty file

Signed-off-by: Alex Goodman

---------

Signed-off-by: Alex Goodman
---
 .../cataloger/swift/parse_package_resolved.go | 13 +++++++++-
 .../swift/parse_package_resolved_test.go | 25 +++++++++++++++++++
 .../bad-version-packages.resolved | 3 +++
 .../test-fixtures/empty-packages.resolved | 1 +
 4 files changed, 41 insertions(+), 1 deletion(-)
 create mode 100644 syft/pkg/cataloger/swift/test-fixtures/bad-version-packages.resolved
 create mode 100644 syft/pkg/cataloger/swift/test-fixtures/empty-packages.resolved

diff --git a/syft/pkg/cataloger/swift/parse_package_resolved.go b/syft/pkg/cataloger/swift/parse_package_resolved.go
index abead252b9f8..2fb99b8982f3 100644
--- a/syft/pkg/cataloger/swift/parse_package_resolved.go
+++ b/syft/pkg/cataloger/swift/parse_package_resolved.go
@@ -6,6 +6,7 @@ import (
 	"fmt"
 	"io"
 
+	"github.com/anchore/syft/internal/log"
 	"github.com/anchore/syft/syft/artifact"
 	"github.com/anchore/syft/syft/file"
 	"github.com/anchore/syft/syft/pkg"
@@ -67,7 +68,17 @@ func parsePackageResolved(_ file.Resolver, _ *generic.Environment, reader file.L
 		}
 	}
 
-	var pins, err = pinsForVersion(packageResolvedData, packageResolvedData["version"].(float64))
+	if packageResolvedData["version"] == nil {
+		log.Trace("no version found in Package.resolved file, skipping")
+		return nil, nil, nil
+	}
+
+	version, ok := packageResolvedData["version"].(float64)
+	if !ok {
+		return nil, nil, fmt.Errorf("failed to parse Package.resolved file: version is not a number")
+	}
+
+	var pins, err = pinsForVersion(packageResolvedData, version)
 	if err != nil {
 		return nil, nil, err
 	}
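Review bot: The error returned on the `!ok` branch does not record what type the `version` value actually had, which is the one fact a user needs when triaging a malformed Package.resolved pulled from an arbitrary image or filesystem; prefer `return nil, nil, fmt.Errorf("parsing Package.resolved: version is not a number (got %T)", packageResolvedData["version"])`, which also drops the "failed to" prefix that Go error-string convention treats as redundant once errors are chained. The nil check and the type assertion each index the map; reading it once into `raw := packageResolvedData["version"]` and testing `raw == nil` / `raw.(float64)` keeps the two branches obviously operating on the same value. A JSON `"version": null` now takes the silent skip path at trace level rather than the error path, which is probably intended but worth a one-line comment such as `// a missing or null version is treated as "nothing to catalog", not as a malformed file`. parsePackageResolved starts before this hunk and continues after it, so I cannot see how the decode step above reports an empty or non-object document.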
diff --git a/syft/pkg/cataloger/swift/parse_package_resolved_test.go b/syft/pkg/cataloger/swift/parse_package_resolved_test.go
index 25d7c3a87d7a..9f0c8fd4c54a 100644
--- a/syft/pkg/cataloger/swift/parse_package_resolved_test.go
+++ b/syft/pkg/cataloger/swift/parse_package_resolved_test.go
@@ -1,8 +1,12 @@
 package swift
 
 import (
+	"os"
+	"path/filepath"
 	"testing"
 
+	"github.com/stretchr/testify/require"
+
 	"github.com/anchore/syft/syft/artifact"
 	"github.com/anchore/syft/syft/file"
 	"github.com/anchore/syft/syft/pkg"
@@ -80,3 +84,24 @@ func TestParsePackageResolved(t *testing.T) {
 
 	pkgtest.TestFileParser(t, fixture, parsePackageResolved, expectedPkgs, expectedRelationships)
 }
+
+func TestParsePackageResolved_empty(t *testing.T) {
+	// regression for https://github.com/anchore/syft/issues/2225
+	fixture := "test-fixtures/empty-packages.resolved"
+
+	pkgtest.TestFileParser(t, fixture, parsePackageResolved, nil, nil)
+
+	dir := t.TempDir()
+	fixture = filepath.Join(dir, "Package.resolved")
+	_, err := os.Create(fixture)
+	require.NoError(t, err)
+
+	pkgtest.TestFileParser(t, fixture, parsePackageResolved, nil, nil)
+}
+
+func TestParsePackageResolved_versionNotANumber(t *testing.T) {
+	// regression for https://github.com/anchore/syft/issues/2225
+	fixture := "test-fixtures/bad-version-packages.resolved"
+
+	pkgtest.NewCatalogTester().FromFile(t, fixture).WithError().TestParser(t, parsePackageResolved)
+}
diff --git a/syft/pkg/cataloger/swift/test-fixtures/bad-version-packages.resolved b/syft/pkg/cataloger/swift/test-fixtures/bad-version-packages.resolved
new file mode 100644
index 000000000000..72e8a5721911
--- /dev/null
+++ b/syft/pkg/cataloger/swift/test-fixtures/bad-version-packages.resolved
@@ -0,0 +1,3 @@
+{
+ "version" : "2"
+}
\ No newline at end of file
diff --git a/syft/pkg/cataloger/swift/test-fixtures/empty-packages.resolved b/syft/pkg/cataloger/swift/test-fixtures/empty-packages.resolved
new file mode 100644
index 000000000000..9e26dfeeb6e6
--- /dev/null
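Review bot: `_, err := os.Create(fixture)` in TestParsePackageResolved_empty discards the returned *os.File, so the descriptor stays open for the rest of the test binary and the still-open handle can make the t.TempDir cleanup fail on Windows; write `f, err := os.Create(fixture)`, `require.NoError(t, err)`, `require.NoError(t, f.Close())` before the second TestFileParser call. TestParsePackageResolved_versionNotANumber only asserts that some error comes back via WithError(); if pkgtest exposes the error, matching the "version is not a number" text would pin the regression more tightly, though I cannot see that API from this hunk. Both new tests cite the same issue, so a single top-of-file comment naming the two failure modes it covered (empty document, non-numeric version) would read better than the duplicated one-liners.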
+++ b/syft/pkg/cataloger/swift/test-fixtures/empty-packages.resolved
@@ -0,0 +1 @@
+{}
\ No newline at end of file