A large report will be written to report.json. Then I tidy up some of the vulnerabilities and run the same command again, I'd expect a smaller report in report.json, but instead I get an invalid JSON document.
It seems like the smaller report is being written to the first n lines of report.json, but anything afterwards that already exists in report.json is also being kept, which leads to the JSON document being invalid and any tooling that parses the report.json file to break.
Say I run the following command on an image with lots of vulnerable components:
A large report will be written to
report.json. Then I tidy up some of the vulnerabilities and run the same command again, I'd expect a smaller report inreport.json, but instead I get an invalid JSON document.It seems like the smaller report is being written to the first
nlines ofreport.json, but anything afterwards that already exists inreport.jsonis also being kept, which leads to the JSON document being invalid and any tooling that parses thereport.jsonfile to break.