Merge branch 'main' into users/jasonpaulos/add-linux-syft-scope-param

Author: jasonpaulos

src/Microsoft.ComponentDetection.Contracts/FileComponentDetector.cs

@@ -125,9 +125,9 @@ private async Task<IndividualDetectorScanResult> ProcessAsync(
                 MaxDegreeOfParallelism = threadsToUse,
             });
 
-        var preprocessedObserbable = await this.OnPrepareDetectionAsync(processRequests, detectorArgs, cancellationToken);
+        var preprocessedObservable = await this.OnPrepareDetectionAsync(processRequests, detectorArgs, cancellationToken);
 
-        await preprocessedObserbable.ForEachAsync(processRequest => processor.Post(processRequest));
+        await preprocessedObservable.ForEachAsync(processRequest => processor.Post(processRequest));
 
         processor.Complete();
 

src/Microsoft.ComponentDetection.Detectors/pip/IPyPiClient.cs

@@ -207,7 +207,25 @@ public async Task<PythonProject> GetProjectAsync(PipDependencySpecification spec
         }
 
         var response = await request.Content.ReadAsStringAsync();
-        var project = JsonSerializer.Deserialize<PythonProject>(response);
+
+        // System.Text.Json throws on empty strings, unlike Newtonsoft.Json which returned null
+        if (string.IsNullOrWhiteSpace(response))
+        {
+            this.logger.LogWarning("Empty response from PyPI for {SpecName}", spec.Name);
+            return new PythonProject();
+        }
+
+        PythonProject project;
+        try
+        {
+            project = JsonSerializer.Deserialize<PythonProject>(response);
+        }
+        catch (JsonException ex)
+        {
+            this.logger.LogWarning(ex, "Invalid JSON response from PyPI for {SpecName}", spec.Name);
+            return new PythonProject();
+        }
+
         var versions = new PythonProject
         {
             Info = project.Info,

src/Microsoft.ComponentDetection.Detectors/pip/PipCommandService.cs

@@ -215,7 +215,23 @@ private async Task<CommandLineExecutionResult> ExecuteCommandAsync(
             }
 
             var reportOutput = await this.fileUtilityService.ReadAllTextAsync(reportFile);
-            return (JsonSerializer.Deserialize<PipInstallationReport>(reportOutput), reportFile);
+
+            if (string.IsNullOrWhiteSpace(reportOutput))
+            {
+                throw new InvalidOperationException($"PipReport: Empty pip installation report for file {path}.");
+            }
+
+            PipInstallationReport report;
+            try
+            {
+                report = JsonSerializer.Deserialize<PipInstallationReport>(reportOutput);
+            }
+            catch (JsonException ex)
+            {
+                throw new InvalidOperationException($"PipReport: Invalid generated pip installation report JSON for {path}.", ex);
+            }
+
+            return (report, reportFile);
         }
         finally
         {

src/Microsoft.ComponentDetection.Detectors/pip/PipReportComponentDetector.cs

@@ -200,7 +200,24 @@ protected override async Task OnFileFoundAsync(ProcessRequest processRequest, ID
                 {
                     this.Logger.LogInformation("PipReport: Using pre-generated pip report '{ReportFile}' for package file '{File}'.", existingReport.FullName, file.Location);
                     var reportOutput = await this.fileUtilityService.ReadAllTextAsync(existingReport);
-                    var report = JsonSerializer.Deserialize<PipInstallationReport>(reportOutput);
+
+                    // System.Text.Json throws on empty strings, unlike Newtonsoft.Json which returned null
+                    if (string.IsNullOrWhiteSpace(reportOutput))
+                    {
+                        this.Logger.LogDebug("PipReport: Empty report file '{ReportFile}' for package file '{File}'.", existingReport.FullName, file.Location);
+                        continue;
+                    }
+
+                    PipInstallationReport report;
+                    try
+                    {
+                        report = JsonSerializer.Deserialize<PipInstallationReport>(reportOutput);
+                    }
+                    catch (JsonException ex)
+                    {
+                        this.Logger.LogWarning(ex, "PipReport: Invalid JSON in report file '{ReportFile}' for package file '{File}'.", existingReport.FullName, file.Location);
+                        continue;
+                    }
 
                     if (await this.IsValidPreGeneratedReportAsync(report, pythonExePath, file.Location))
                     {
@@ -234,8 +251,16 @@ protected override async Task OnFileFoundAsync(ProcessRequest processRequest, ID
 
                 // Call pip executable to generate the installation report of a given project file.
                 (var report, var reportFile) = await this.pipCommandService.GenerateInstallationReportAsync(file.Location, pipExePath, pythonExePath, childCts.Token);
-                reports.Add(report);
-                reportFiles.Add(reportFile);
+
+                if (report is not null)
+                {
+                    reports.Add(report);
+                }
+
+                if (reportFile is not null)
+                {
+                    reportFiles.Add(reportFile);
+                }
             }
 
             if (reports.Count == 0)

src/Microsoft.ComponentDetection.Detectors/swiftpm/SwiftResolvedComponentDetector.cs

@@ -62,6 +62,12 @@ private void ProcessPackageResolvedFile(ISingleFileComponentRecorder singleFileC
     {
         var parsedResolvedFile = this.ReadAndParseResolvedFile(componentStream.Stream);
 
+        if (parsedResolvedFile?.Pins == null)
+        {
+            this.Logger.LogWarning("Failed to parse Package.resolved file at {Location}", componentStream.Location);
+            return;
+        }
+
         foreach (var package in parsedResolvedFile.Pins)
         {
             try
@@ -109,6 +115,21 @@ private SwiftResolvedFile ReadAndParseResolvedFile(Stream stream)
             resolvedFile = reader.ReadToEnd();
         }
 
-        return JsonSerializer.Deserialize<SwiftResolvedFile>(resolvedFile);
+        // System.Text.Json throws on empty strings, unlike Newtonsoft.Json which returned null
+        if (string.IsNullOrWhiteSpace(resolvedFile))
+        {
+            this.Logger.LogDebug("Empty Package.resolved file encountered");
+            return null;
+        }
+
+        try
+        {
+            return JsonSerializer.Deserialize<SwiftResolvedFile>(resolvedFile);
+        }
+        catch (JsonException ex)
+        {
+            this.Logger.LogWarning(ex, "Invalid JSON in Package.resolved file");
+            return null;
+        }
     }
 }

src/Microsoft.ComponentDetection.Detectors/vcpkg/VcpkgComponentDetector.cs

@@ -71,7 +71,7 @@ protected override async Task<IObservable<ProcessRequest>> OnPrepareDetectionAsy
     {
         var filteredProcessRequests = new List<ProcessRequest>();
 
-        await processRequests.ForEachAsync(async pr =>
+        await processRequests.ForEachAsync(pr =>
         {
             var fileLocation = pr.ComponentStream.Location;
             var fileName = Path.GetFileName(fileLocation);
@@ -80,18 +80,42 @@ await processRequests.ForEachAsync(async pr =>
             {
                 this.Logger.LogDebug("Discovered VCPKG package manifest file at: {Location}", pr.ComponentStream.Location);
 
-                using (var reader = new StreamReader(pr.ComponentStream.Stream))
+                using var reader = new StreamReader(pr.ComponentStream.Stream);
+
+                string contents;
+                try
+                {
+                    contents = reader.ReadToEnd();
+                }
+                catch (Exception ex)
                 {
-                    var contents = await reader.ReadToEndAsync().ConfigureAwait(false);
-                    var manifestData = JsonSerializer.Deserialize<ManifestInfo>(contents);
+                    this.Logger.LogDebug(ex, "Failed to read {ManifestInfoFile} at {Path}", ManifestInfoFile, pr.ComponentStream.Location);
+                    return;
+                }
 
-                    if (manifestData == null || string.IsNullOrWhiteSpace(manifestData.ManifestPath))
+                // System.Text.Json throws on empty strings, unlike Newtonsoft.Json which returned null
+                if (string.IsNullOrWhiteSpace(contents))
+                {
+                    this.Logger.LogDebug("Empty {ManifestInfoFile} file at {Path}", ManifestInfoFile, pr.ComponentStream.Location);
+                }
+                else
+                {
+                    try
                     {
-                        this.Logger.LogDebug("Failed to deserialize manifest-info.json or missing ManifestPath at {Path}", pr.ComponentStream.Location);
+                        var manifestData = JsonSerializer.Deserialize<ManifestInfo>(contents);
+
+                        if (string.IsNullOrWhiteSpace(manifestData?.ManifestPath))
+                        {
+                            this.Logger.LogDebug("Failed to deserialize {ManifestInfoFile} or missing ManifestPath at {Path}", ManifestInfoFile, pr.ComponentStream.Location);
+                        }
+                        else
+                        {
+                            this.manifestMappings.TryAdd(fileLocation, manifestData.ManifestPath);
+                        }
                     }
-                    else
+                    catch (JsonException ex)
                     {
-                        this.manifestMappings.TryAdd(fileLocation, manifestData.ManifestPath);
+                        this.Logger.LogWarning(ex, "Invalid JSON in {ManifestInfoFile} at {Path}", ManifestInfoFile, pr.ComponentStream.Location);
                     }
                 }
             }
@@ -211,7 +235,8 @@ private ISingleFileComponentRecorder GetManifestComponentRecorder(ISingleFileCom
             }
 
             this.Logger.LogDebug(
-                "No valid manifest-info.json found at either '{PreferredManifest}' or '{FallbackManifest}' for base location '{VcpkgInstalledDir}'. Returning original recorder.",
+                "No valid {ManifestInfoFile} found at either '{PreferredManifest}' or '{FallbackManifest}' for base location '{VcpkgInstalledDir}'. Returning original recorder.",
+                ManifestInfoFile,
                 preferredManifest,
                 fallbackManifest,
                 vcpkgInstalledDir);

test/Microsoft.ComponentDetection.Detectors.Tests/Microsoft.ComponentDetection.Detectors.Tests.csproj

@@ -57,6 +57,18 @@
         <None Update="Mocks\test.component-detection-pip-report.json">
           <CopyToOutputDirectory>Always</CopyToOutputDirectory>
         </None>
+        <None Update="Mocks\EmptyReport\requirements.txt">
+          <CopyToOutputDirectory>Always</CopyToOutputDirectory>
+        </None>
+        <None Update="Mocks\EmptyReport\test.component-detection-pip-report.json">
+          <CopyToOutputDirectory>Always</CopyToOutputDirectory>
+        </None>
+        <None Update="Mocks\InvalidJsonReport\requirements.txt">
+          <CopyToOutputDirectory>Always</CopyToOutputDirectory>
+        </None>
+        <None Update="Mocks\InvalidJsonReport\test.component-detection-pip-report.json">
+          <CopyToOutputDirectory>Always</CopyToOutputDirectory>
+        </None>
         <None Update="TestFiles\go_WithLocalReferences.mod">
           <CopyToOutputDirectory>Always</CopyToOutputDirectory>
         </None>

test/Microsoft.ComponentDetection.Detectors.Tests/Mocks/EmptyReport/requirements.txt

@@ -0,0 +1 @@
+requests==2.28.1

test/Microsoft.ComponentDetection.Detectors.Tests/Mocks/EmptyReport/test.component-detection-pip-report.json

@@ -0,0 +1 @@
+requests==2.28.1