From 72c87752d40fcc84c6971d2c8f59d7e5cdf3caa2 Mon Sep 17 00:00:00 2001
From: Christopher Phillips
Date: Tue, 23 May 2023 11:50:57 -0400
Subject: [PATCH 1/2] fix: add panic recovery for license parse

Signed-off-by: Christopher Phillips
---
 syft/license/license.go | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/syft/license/license.go b/syft/license/license.go
index e9dd93c6235..456a75e8bc6 100644
--- a/syft/license/license.go
+++ b/syft/license/license.go
@@ -6,6 +6,7 @@ import (
 "github.com/github/go-spdx/v2/spdxexp"
+ "github.com/anchore/syft/internal/log"
 "github.com/anchore/syft/internal/spdxlicense"
 )
@@ -17,15 +18,25 @@ const (
 )
 func ParseExpression(expression string) (string, error) {
+ // https://github.com/anchore/syft/issues/1837
+ // The current spdx library can panic when parsing some expressions
+ // This is a temporary fix to recover and patch until we can investigate and contribute
+ // a fix to the upstream github library
+ defer func() {
+ if r := recover(); r != nil {
+ log.Trace("recovered in parseExpression", r)
+ }
+ }()
+
 licenseID, exists := spdxlicense.ID(expression)
 if exists {
 return licenseID, nil
 }
-
 // If it doesn't exist initially in the SPDX list it might be a more complex expression
 // ignored variable is any invalid expressions
 // TODO: contribute to spdxexp to expose deprecated license IDs
 // https://github.com/anchore/syft/issues/1814
+
 valid, _ := spdxexp.ValidateLicenses([]string{expression})
 if !valid {
 return "", fmt.Errorf("failed to validate spdx expression: %s", expression)

From 83ea30012faa69d90d95aa3db83e8fd70f66c4d5 Mon Sep 17 00:00:00 2001
From: Christopher Phillips
Date: Tue, 23 May 2023 12:50:08 -0400
Subject: [PATCH 2/2] fix: update error messages for caller and propagate error upstream

Signed-off-by: Christopher Phillips
---
 syft/license/license.go | 9 ++++-----
 syft/pkg/license.go | 2 +-
 2 files changed, 5 insertions(+), 6 deletions(-)
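Review bot: The recovery branch added to ParseExpression traces only the panic value `r` and drops the expression that triggered it, which is the one thing needed to reproduce the upstream problem the comment links (issue 1837) and to tell malformed metadata in a scanned artifact from a library bug. The two-argument call suggests log.Trace is a Sprint-style variadic, so `log.Trace("recovered in parseExpression for expression", expression, r)` would keep both without a format string. Note also that with unnamed results a recovered call falls through to `("", nil)`, so the caller sees neither an error nor a value; PATCH 2/2 in this series changes that. ParseExpression continues past the end of the hunk.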
diff --git a/syft/license/license.go b/syft/license/license.go
index 456a75e8bc6..c2b9d260295 100644
--- a/syft/license/license.go
+++ b/syft/license/license.go
@@ -3,10 +3,10 @@ package license
 import (
 "fmt"
+ "runtime/debug"
 "github.com/github/go-spdx/v2/spdxexp"
- "github.com/anchore/syft/internal/log"
 "github.com/anchore/syft/internal/spdxlicense"
 )
@@ -17,14 +17,14 @@ const (
 Concluded Type = "concluded"
 )
-func ParseExpression(expression string) (string, error) {
+func ParseExpression(expression string) (ex string, err error) {
 // https://github.com/anchore/syft/issues/1837
 // The current spdx library can panic when parsing some expressions
 // This is a temporary fix to recover and patch until we can investigate and contribute
 // a fix to the upstream github library
 defer func() {
 if r := recover(); r != nil {
- log.Trace("recovered in parseExpression", r)
+ err = fmt.Errorf("recovered from panic while parsing license expression at: \n%s", string(debug.Stack()))
 }
 }()
@@ -36,10 +36,9 @@ func ParseExpression(expression string) (string, error) {
 // ignored variable is any invalid expressions
 // TODO: contribute to spdxexp to expose deprecated license IDs
 // https://github.com/anchore/syft/issues/1814
-
 valid, _ := spdxexp.ValidateLicenses([]string{expression})
 if !valid {
- return "", fmt.Errorf("failed to validate spdx expression: %s", expression)
+ return "", fmt.Errorf("invalid SPDX expression: %s", expression)
 }
 return expression, nil
diff --git a/syft/pkg/license.go b/syft/pkg/license.go
index 0e0a3f04b99..8278ba7bd90 100644
--- a/syft/pkg/license.go
+++ b/syft/pkg/license.go
@@ -62,7 +62,7 @@ func (l Licenses) Swap(i, j int) {
 func NewLicense(value string) License {
 spdxExpression, err := license.ParseExpression(value)
 if err != nil {
- log.Trace("unable to parse license expression: %w", err)
+ log.Trace("unable to parse license expression for %q: %w", value, err)
 }
 return License{
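Review bot: The recovery error built in the deferred func discards the recovered value `r` and the input expression and keeps only a stack trace, so it records where the library panicked but not on what or why. `%s` already accepts a `[]byte`, so the `string(...)` conversion is unnecessary; `err = fmt.Errorf("recovered from panic while parsing license expression %q: %v\n%s", expression, r, debug.Stack())` keeps all three. Embedding a goroutine dump in an error is tolerable while the only consumer is the Trace call in NewLicense, but any caller that surfaces ParseExpression errors to users would print one per bad expression, so this is presumably meant to be temporary like the comment says. The function body continues in the next hunk, where its return statements are.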
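Review bot: The rewritten validation error interpolates `expression` with `%s`; the value presumably comes from package metadata inside the scanned artifact rather than from the operator, so a string containing newlines or control characters would be copied verbatim into the error and into whatever log line later prints it. `return "", fmt.Errorf("invalid SPDX expression: %q", expression)` quotes and escapes it and also makes an empty expression visible as `""`. The opening of ParseExpression, including the recover that can also return an error, is in the previous hunk.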
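Review bot: The new log line in NewLicense uses `%w`, which is only meaningful to fmt.Errorf: any other formatter renders it as `%!w(...)`, and if log.Trace is a Sprint-style variadic (the two-argument form removed in PATCH 1/2 suggests it is) the directives are not expanded at all and the literal format string is printed followed by the raw arguments. Use the formatting variant with `%v`, e.g. `log.Tracef("unable to parse license expression for %q: %v", value, err)` if the package provides one, otherwise `log.Trace("unable to parse license expression for", value, ":", err)`. After logging, the error is discarded and the function goes on building a License from `spdxExpression`, which is the empty string after a recovered panic or failed validation; the rest of NewLicense is outside the hunk, so what that produces cannot be confirmed here.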