From 176dfdd9c10de21309ac5aa1c0e429a53c9fd39b Mon Sep 17 00:00:00 2001
From: Dan Luhring
Date: Fri, 22 Jan 2021 13:56:54 -0500
Subject: [PATCH 1/4] Don't create packages unless package.json has name and version
Signed-off-by: Dan Luhring
---
 syft/cataloger/javascript/parse_package_json.go | 11 +++++++++++
 .../javascript/parse_package_json_test.go | 17 +++++++++++++++++
 .../test-fixtures/pkg-json/package-partial.json | 5 +++++
 3 files changed, 33 insertions(+)
 create mode 100644 syft/cataloger/javascript/test-fixtures/pkg-json/package-partial.json
diff --git a/syft/cataloger/javascript/parse_package_json.go b/syft/cataloger/javascript/parse_package_json.go
index 077c433e7..0bccb100c 100644
--- a/syft/cataloger/javascript/parse_package_json.go
+++ b/syft/cataloger/javascript/parse_package_json.go
@@ -4,6 +4,7 @@ import (
 "encoding/json"
 "errors"
 "fmt"
+ "github.com/anchore/syft/internal/log"
 "io"
 "regexp"
@@ -172,6 +173,12 @@ func parsePackageJSON(_ string, reader io.Reader) ([]pkg.Package, error) {
 return nil, fmt.Errorf("failed to parse package.json file: %w", err)
 }
+ if !p.hasMinimumRequiredValues() {
+ log.Debug("encountered package.json file without the minimum number of field values required for" +
+ " consideration as a package")
+ return nil, nil
+ }
 licenses, err := licensesFromJSON(p)
 if err != nil {
 return nil, fmt.Errorf("failed to parse package.json file: %w", err)
@@ -195,3 +202,7 @@ func parsePackageJSON(_ string, reader io.Reader) ([]pkg.Package, error) {
 return packages, nil
 }
+
+func (p PackageJSON) hasMinimumRequiredValues() bool {
+ return p.Name != "" && p.Version != ""
+}
diff --git a/syft/cataloger/javascript/parse_package_json_test.go b/syft/cataloger/javascript/parse_package_json_test.go
index c2940a7a2..6ac5f162a 100644
--- a/syft/cataloger/javascript/parse_package_json_test.go
+++ b/syft/cataloger/javascript/parse_package_json_test.go
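Review bot: The new guard logs that a package.json is being ignored but cannot say which one, because parsePackageJSON discards its first parameter as `_`; by the cataloger's parser-function convention that parameter appears to be the file path (confirm against the caller), and an operator auditing why a component is missing from an SBOM needs it. Naming the parameter and appending it to the message, `log.Debug("encountered package.json file without name and version, ignoring: " + path)`, closes that gap; the reworded message in patch 3/4 has the same omission. The check also drops a file that has a name but no version, which is a coverage loss rather than noise — the motivating fixture has neither field — so consider keeping the name-only case, or at least logging it above debug level, so a named component is not silently absent from the SBOM. parsePackageJSON begins outside the hunk.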
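Review bot: hasMinimumRequiredValues is a new method with no doc comment, so nothing records why these two fields are the threshold or that a file failing it is dropped entirely rather than cataloged with partial identity; add `// hasMinimumRequiredValues reports whether the package.json declares both a name and a version, the fields required before it is treated as a package.` The method is renamed in patch 3/4, where the same comment applies under the new name.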
@@ -142,3 +142,20 @@ func TestParsePackageJSON(t *testing.T) {
 })
 }
 }
+
+func TestParsePackageJSON_Partial(t *testing.T) { // see https://github.com/anchore/syft/issues/311
+ const fixtureFile = "test-fixtures/pkg-json/package-partial.json"
+ fixture, err := os.Open(fixtureFile)
+ if err != nil {
+ t.Fatalf("failed to open fixture: %+v", err)
+ }
+
+ actual, err := parsePackageJSON("", fixture)
+ if err != nil {
+ t.Fatalf("failed to parse package-lock.json: %+v", err)
+ }
+
+ if len(actual) != 0 {
+ t.Errorf("no packages should've been returned")
+ }
+}
diff --git a/syft/cataloger/javascript/test-fixtures/pkg-json/package-partial.json b/syft/cataloger/javascript/test-fixtures/pkg-json/package-partial.json
new file mode 100644
index 000000000..db7a90b51
--- /dev/null
+++ b/syft/cataloger/javascript/test-fixtures/pkg-json/package-partial.json
@@ -0,0 +1,5 @@
+{
+ "sideEffects": false,
+ "module": "../../esm/fp/isSaturday/index.js",
+ "typings": "../../typings.d.ts"
+}
From 9ec3ad58c81ea5a1d0c3cbe7614ddde06f5ea7ab Mon Sep 17 00:00:00 2001
From: Dan Luhring
Date: Tue, 19 Jan 2021 22:20:12 -0500
Subject: [PATCH 2/4] Update regression test expected value and pin deps
Signed-off-by: Dan Luhring
---
 syft/cataloger/javascript/parse_package_json.go | 3 ++-
 test/integration/regression_test.go | 2 +-
 .../test-fixtures/image-large-apk-data/Dockerfile | 7 +++++--
 3 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/syft/cataloger/javascript/parse_package_json.go b/syft/cataloger/javascript/parse_package_json.go
index 0bccb100c..cccd0b51f 100644
--- a/syft/cataloger/javascript/parse_package_json.go
+++ b/syft/cataloger/javascript/parse_package_json.go
@@ -4,10 +4,11 @@ import (
 "encoding/json"
 "errors"
 "fmt"
- "github.com/anchore/syft/internal/log"
 "io"
 "regexp"
+ "github.com/anchore/syft/internal/log"
+
 "github.com/anchore/syft/internal"
 "github.com/mitchellh/mapstructure"
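Review bot: The handle returned by `os.Open` in TestParsePackageJSON_Partial is never closed, so the fixture descriptor stays open until the test binary exits; add `defer fixture.Close()` directly after the open-error check. The failure message on the parse branch reads `failed to parse package-lock.json`, but this test parses a package.json fixture — presumably copied from a sibling test — so it should be `t.Fatalf("failed to parse package.json: %+v", err)`. Both lines survive unchanged in the patch 4/4 rewrite of this test's final assertion.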
diff --git a/test/integration/regression_test.go b/test/integration/regression_test.go
index 1d5340d1f..34f8f2ff8 100644
--- a/test/integration/regression_test.go
+++ b/test/integration/regression_test.go
@@ -24,7 +24,7 @@ func TestRegression212ApkBufferSize(t *testing.T) {
 t.Fatalf("failed to catalog image: %+v", err)
 }
- expectedPkgs := 57
+ expectedPkgs := 58
 actualPkgs := 0
 for range catalog.Enumerate(pkg.ApkPkg) {
 actualPkgs += 1
diff --git a/test/integration/test-fixtures/image-large-apk-data/Dockerfile b/test/integration/test-fixtures/image-large-apk-data/Dockerfile
index 465f33bcf..357f0a5d9 100644
--- a/test/integration/test-fixtures/image-large-apk-data/Dockerfile
+++ b/test/integration/test-fixtures/image-large-apk-data/Dockerfile
@@ -1,2 +1,5 @@
-FROM alpine:latest
-RUN apk add tzdata vim alpine-sdk
+FROM alpine@sha256:d9a7354e3845ea8466bb00b22224d9116b183e594527fb5b6c3d30bc01a20378
+RUN apk add --no-cache \
+ tzdata=2020f-r0 \
+ vim=8.2.2320-r0 \
+ alpine-sdk=1.0-r0
From d5779a9822d4b2ec2182f60b29c18e498d49a89d Mon Sep 17 00:00:00 2001
From: Dan Luhring
Date: Fri, 22 Jan 2021 15:20:24 -0500
Subject: [PATCH 3/4] Clarify debug message for package.json omissions
Signed-off-by: Dan Luhring
---
 syft/cataloger/javascript/parse_package_json.go | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/syft/cataloger/javascript/parse_package_json.go b/syft/cataloger/javascript/parse_package_json.go
index cccd0b51f..5a4fbadc9 100644
--- a/syft/cataloger/javascript/parse_package_json.go
+++ b/syft/cataloger/javascript/parse_package_json.go
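Review bot: The exact-revision pins in the `apk add` lines are likely to start failing on their own, because `--no-cache` fetches the live package index at build time and Alpine branches typically publish only the current revision of a package, so `tzdata=2020f-r0` and the others will disappear from the mirrors on the next rebuild of those packages; pinning the base image by digest freezes the filesystem but not the repositories it pulls from. If reproducibility is the aim, record the provenance so the pins can be refreshed together: a comment above `FROM` such as `# alpine:<TAG>, digest resolved 2021-01-19` (tag to be filled in) and, in the regression_test.go hunk on this line, a comment on `expectedPkgs := 58` saying it is the apk count produced by this pinned Dockerfile, since nothing currently links the two. The hunks themselves are otherwise fine.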
@@ -174,9 +174,8 @@ func parsePackageJSON(_ string, reader io.Reader) ([]pkg.Package, error) {
 return nil, fmt.Errorf("failed to parse package.json file: %w", err)
 }
- if !p.hasMinimumRequiredValues() {
- log.Debug("encountered package.json file without the minimum number of field values required for" +
- " consideration as a package")
+ if !p.hasNameAndVersionValues() {
+ log.Debug("encountered package.json file without a name and/or version field, ignoring this file")
 return nil, nil
 }
@@ -204,6 +203,6 @@ func parsePackageJSON(_ string, reader io.Reader) ([]pkg.Package, error) {
 return packages, nil
 }
-func (p PackageJSON) hasMinimumRequiredValues() bool {
+func (p PackageJSON) hasNameAndVersionValues() bool {
 return p.Name != "" && p.Version != ""
 }
From 4576c081b9ace0f2b5fb912f43f492653d3ded6c Mon Sep 17 00:00:00 2001
From: Dan Luhring
Date: Fri, 22 Jan 2021 15:20:42 -0500
Subject: [PATCH 4/4] Improve output for test case
Signed-off-by: Dan Luhring
---
 syft/cataloger/javascript/parse_package_json_test.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/syft/cataloger/javascript/parse_package_json_test.go b/syft/cataloger/javascript/parse_package_json_test.go
index 6ac5f162a..83af1f9b1 100644
--- a/syft/cataloger/javascript/parse_package_json_test.go
+++ b/syft/cataloger/javascript/parse_package_json_test.go
@@ -155,7 +155,7 @@ func TestParsePackageJSON_Partial(t *testing.T) { // see https://github.com/anch
 t.Fatalf("failed to parse package-lock.json: %+v", err)
 }
- if len(actual) != 0 {
- t.Errorf("no packages should've been returned")
+ if actualCount := len(actual); actualCount != 0 {
+ t.Errorf("no packages should've been returned (but got %d packages)", actualCount)
 }
 }