Fix panic on empty sbom (#917)

* Implement fmt.Stringer with format.ID

Signed-off-by: Dan Luhring <dan+github@luhrings.com>

* Add failing test for formats processing empty SBOMs

Signed-off-by: Dan Luhring <dan+github@luhrings.com>

* Account for nil SPDX document during Syft model conversion

Signed-off-by: Dan Luhring <dan+github@luhrings.com>

internal/formats/common/spdxhelpers/to_syft_model.go

@@ -1,6 +1,7 @@
 package spdxhelpers
 
 import (
+	"errors"
 	"strconv"
 	"strings"
 
@@ -17,6 +18,10 @@ import (
 )
 
 func ToSyftModel(doc *spdx.Document2_2) (*sbom.SBOM, error) {
+	if doc == nil {
+		return nil, errors.New("cannot convert SPDX document to Syft model because document is nil")
+	}
+
 	spdxIDMap := make(map[string]interface{})
 
 	s := &sbom.SBOM{

syft/formats_test.go

@@ -1,6 +1,7 @@
 package syft
 
 import (
+	"bytes"
 	"io"
 	"os"
 	"testing"
@@ -41,6 +42,31 @@ func TestIdentify(t *testing.T) {
 	}
 }
 
+func TestFormats_EmptyInput(t *testing.T) {
+	for _, format := range formats {
+		t.Run(format.ID().String(), func(t *testing.T) {
+			t.Run("format.Decode", func(t *testing.T) {
+				input := bytes.NewReader(nil)
+
+				assert.NotPanics(t, func() {
+					decodedSBOM, err := format.Decode(input)
+					assert.Error(t, err)
+					assert.Nil(t, decodedSBOM)
+				})
+			})
+
+			t.Run("format.Validate", func(t *testing.T) {
+				input := bytes.NewReader(nil)
+
+				assert.NotPanics(t, func() {
+					err := format.Validate(input)
+					assert.Error(t, err)
+				})
+			})
+		})
+	}
+}
+
 func TestFormatByName(t *testing.T) {
 
 	tests := []struct {

syft/sbom/format.go

@@ -13,6 +13,11 @@ var (
 
 type FormatID string
 
+// String returns a string representation of the FormatID.
+func (f FormatID) String() string {
+	return string(f)
+}
+
 type Format interface {
 	ID() FormatID
 	Encode(io.Writer, SBOM) error