diff --git a/syft/license/license.go b/syft/license/license.go
index e9dd93c6235..c2b9d260295 100644
--- a/syft/license/license.go
+++ b/syft/license/license.go
@@ -3,6 +3,7 @@ package license
 import (
 	"fmt"
+	"runtime/debug"
 	"github.com/github/go-spdx/v2/spdxexp"
@@ -16,19 +17,28 @@ const (
 	Concluded Type = "concluded"
 )
-func ParseExpression(expression string) (string, error) {
+func ParseExpression(expression string) (ex string, err error) {
+	// https://github.com/anchore/syft/issues/1837
+	// The current spdx library can panic when parsing some expressions
+	// This is a temporary fix to recover and patch until we can investigate and contribute
+	// a fix to the upstream github library
+	defer func() {
+		if r := recover(); r != nil {
+			err = fmt.Errorf("recovered from panic while parsing license expression at: \n%s", string(debug.Stack()))
+		}
+	}()
 	licenseID, exists := spdxlicense.ID(expression)
 	if exists {
 		return licenseID, nil
 	}
-
 	// If it doesn't exist initially in the SPDX list it might be a more complex expression
 	// ignored variable is any invalid expressions
 	// TODO: contribute to spdxexp to expose deprecated license IDs
 	// https://github.com/anchore/syft/issues/1814
 	valid, _ := spdxexp.ValidateLicenses([]string{expression})
 	if !valid {
-		return "", fmt.Errorf("failed to validate spdx expression: %s", expression)
+		return "", fmt.Errorf("invalid SPDX expression: %s", expression)
 	}
 	return expression, nil
diff --git a/syft/pkg/license.go b/syft/pkg/license.go
index 0e0a3f04b99..8278ba7bd90 100644
--- a/syft/pkg/license.go
+++ b/syft/pkg/license.go
@@ -62,7 +62,7 @@ func (l Licenses) Swap(i, j int) {
 func NewLicense(value string) License {
 	spdxExpression, err := license.ParseExpression(value)
 	if err != nil {
-		log.Trace("unable to parse license expression: %w", err)
+		log.Trace("unable to parse license expression for %q: %w", value, err)
 	}
 	return License{
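Review bot: The recovered value `r` is discarded in the deferred func of ParseExpression, so the returned error carries a full stack trace but neither the panic message nor the expression that triggered it, which are the two facts most useful when triaging the bad input; the recover itself is the right move, since it turns an input-dependent crash in the SPDX parser into an ordinary error, and the input is presumably attacker-influenced package metadata. Consider `err = fmt.Errorf("recovered from panic while parsing license expression %q: %v\n%s", expression, r, debug.Stack())` so the cause is kept alongside the stack. The named result `ex` is never assigned anywhere; on the recover path it is returned as the zero value, which is fine, but a short comment on the signature such as `// ex is left empty when a panic is recovered` would make that intent explicit. ParseExpression's closing brace lies outside the hunk.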
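Review bot: The rewritten log.Trace line in NewLicense still uses `%w`, which only fmt.Errorf interprets; if log.Trace formats through fmt.Sprintf-style verbs, as the `%q` on the same line suggests, the error renders as `%!w(...)` in the log output and go vet will flag it. Use `%v` for the error: `log.Trace("unable to parse license expression for %q: %v", value, err)`. The verb predates this change, but since the line is being rewritten here anyway it is the natural place to fix it.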