spdx / tools-golang

Collection of Go packages to work with SPDX files

Nil ptr deref panic when parsing JSON SBOM with a null relationships value #238

Closed nchelluri closed 4 months ago

nchelluri commented 5 months ago

If I try to parse spdx-null-rel.json - a JSON SBOM containing a null value in the relationships array, then I get a panic. I am using tools-golang v0.5.4.

kzantow commented 5 months ago

Hi @nchelluri I would just note that this does not look like it's a valid SPDX document -- instead of the required object, it has a null value for a relationship entry (rather than a null relationships array):

"relationships": [
  null
],

That said, the library shouldn't panic. Thanks for reporting!
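The failure mode discussed in this thread, as an added example that is not tools-golang code and not part of either comment: Go's `encoding/json` decodes a `null` array element into a nil pointer when the target is a slice of pointers, so a loader has to reject it before anything dereferences the entry. The `Relationship` and `Document` types and the function names are hypothetical stand-ins, and the JSON input is constructed.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Relationship and Document are hypothetical stand-ins, not tools-golang types.
type Relationship struct {
	SPDXElementID    string `json:"spdxElementId"`
	RelatedElement   string `json:"relatedSpdxElement"`
	RelationshipType string `json:"relationshipType"`
}

type Document struct {
	Relationships []*Relationship `json:"relationships"`
}

var ErrNullRelationship = errors.New("null entry in relationships array")

// ParseDocument decodes an SBOM and rejects null relationship entries, which
// encoding/json would otherwise store as nil pointers in the slice.
func ParseDocument(data []byte) (*Document, error) {
	var doc Document
	if err := json.Unmarshal(data, &doc); err != nil {
		return nil, err
	}
	for i, r := range doc.Relationships {
		if r == nil {
			return nil, fmt.Errorf("relationships[%d]: %w", i, ErrNullRelationship)
		}
	}
	return &doc, nil
}

// RelationshipTypes dereferences every entry; safe only on a validated Document.
func RelationshipTypes(doc *Document) []string {
	types := make([]string, 0, len(doc.Relationships))
	for _, r := range doc.Relationships {
		types = append(types, r.RelationshipType)
	}
	return types
}

func main() {
	_, err := ParseDocument([]byte(`{"relationships": [null]}`)) // constructed input
	fmt.Println("null entry:", err)
}
```

A `null` value for the whole `relationships` key decodes to an empty slice and passes this check; only a `null` element inside the array is rejected.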

nchelluri commented 5 months ago

I definitely agree that the null value is invalid. I just happened to accidentally hack up an SBOM file in such a way that this happened. I was just testing some stuff out. (My main aim here is to say I am not writing an SBOM generator that generates invalid SPDX SBOMs.)