
Nil ptr deref panic when parsing JSON SBOM with a null relationships value

Open nchelluri opened this issue 1 year ago • 2 comments

If I try to parse spdx-null-rel.json - a JSON SBOM containing a null value in the relationships array, then I get a panic. I am using tools-golang v0.5.4.

nchelluri avatar Apr 25 '24 15:04 nchelluri

Hi @nchelluri, I would just note that this does not look like it's a valid SPDX document -- instead of the required object, it has a null value for a relationship entry (rather than a null relationships array):

"relationships": [
  null
],

That said, the library shouldn't panic. Thanks for reporting!

kzantow avatar Apr 26 '24 15:04 kzantow
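The failure mode described above, a JSON `null` inside `relationships` decoding to a nil pointer that is then dereferenced, and the check that turns it into an error, as an added example. This is not tools-golang's code: the `Document` and `Relationship` structs are minimal stand-ins using the SPDX JSON field names, and the sample document is constructed to mirror the one in the report.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Minimal stand-ins for the SPDX JSON shape; these are NOT tools-golang's types.
type Relationship struct {
	SPDXElementID      string `json:"spdxElementId"`
	RelatedSPDXElement string `json:"relatedSpdxElement"`
	RelationshipType   string `json:"relationshipType"`
}

type Document struct {
	SPDXID        string          `json:"SPDXID"`
	Relationships []*Relationship `json:"relationships"`
}

// ErrNullRelationship is returned when a relationships entry is JSON null.
var ErrNullRelationship = errors.New("relationships entry is null; expected an object")

// ParseDocument decodes a JSON SPDX document and validates the relationships
// array. encoding/json turns a JSON null element into a nil *Relationship, so
// any later field access (rel.RelationshipType) would panic with a nil pointer
// dereference; the loop reports the offending index as an error instead.
func ParseDocument(data []byte) (*Document, error) {
	var doc Document
	if err := json.Unmarshal(data, &doc); err != nil {
		return nil, fmt.Errorf("decoding document: %w", err)
	}
	for i, rel := range doc.Relationships {
		if rel == nil {
			return nil, fmt.Errorf("relationships[%d]: %w", i, ErrNullRelationship)
		}
	}
	return &doc, nil
}

// Constructed sample input mirroring the issue: one null relationship entry.
const nullRelationshipJSON = `{
  "SPDXID": "SPDXRef-DOCUMENT",
  "relationships": [
    null
  ]
}`

func main() {
	if _, err := ParseDocument([]byte(nullRelationshipJSON)); err != nil {
		fmt.Println("rejected:", err)
	}
}
```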

I definitely agree that the null value is invalid. I just happened to accidentally hack up an SBOM file in such a way that this happened. I was just testing some stuff out. (My main aim here is to say I am not writing an SBOM generator that generates invalid SPDX SBOMs.)

nchelluri avatar Apr 26 '24 15:04 nchelluri