Merge pull request #1345 from blackducksoftware/dev/zahidblackduck/IDETECT-4594

zahidblackduck · web-flow · commit 3853cef7b602 · 2025-03-11T18:56:27.000+06:00
Handle Duplicate Keys in `package.json` and `pnpm-lock` Files
diff --git a/detectable/src/main/java/com/blackduck/integration/detectable/detectables/npm/packagejson/CombinedPackageJsonExtractor.java b/detectable/src/main/java/com/blackduck/integration/detectable/detectables/npm/packagejson/CombinedPackageJsonExtractor.java
@@ -10,9 +10,10 @@
 import java.util.List;
 import java.util.Optional;
 
+import com.blackduck.integration.detectable.util.JsonSanitizer;
+import com.google.gson.Gson;
 import org.apache.commons.io.FileUtils;
 
-import com.google.gson.Gson;
 import com.blackduck.integration.detectable.detectables.npm.packagejson.model.PackageJson;
 
 public class CombinedPackageJsonExtractor {
@@ -31,7 +32,7 @@ public CombinedPackageJson constructCombinedPackageJson(String rootJsonPath, Str
             return null;
         }
         
-        PackageJson packageJson = Optional.ofNullable(packageJsonText)
+        PackageJson packageJson = Optional.ofNullable(JsonSanitizer.sanitize(packageJsonText))
             .map(content -> gson.fromJson(content, PackageJson.class))
             .orElse(null);
         
@@ -87,7 +88,6 @@ public CombinedPackageJson constructCombinedPackageJson(String rootJsonPath, Str
         return combinedPackageJson;
     }
 
-
     /**
      * Takes an absolute path to a workspace and converts it to a relative one for
      * future comparisons with contents of the package-lock.json file.
diff --git a/detectable/src/main/java/com/blackduck/integration/detectable/detectables/yarn/packagejson/PackageJsonReader.java b/detectable/src/main/java/com/blackduck/integration/detectable/detectables/yarn/packagejson/PackageJsonReader.java
@@ -4,10 +4,11 @@
 import java.util.List;
 import java.util.Map;
 
+import com.blackduck.integration.detectable.util.JsonSanitizer;
+import com.google.gson.Gson;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import com.google.gson.Gson;
 import com.blackduck.integration.detectable.detectables.npm.packagejson.model.YarnPackageJson;
 
 public class PackageJsonReader {
@@ -20,7 +21,7 @@ public PackageJsonReader(Gson gson) {
     }
 
     public NullSafePackageJson read(String packageJsonText) {
-        YarnPackageJson rawPackageJson = gson.fromJson(packageJsonText, YarnPackageJson.class);
+        YarnPackageJson rawPackageJson = gson.fromJson(JsonSanitizer.sanitize(packageJsonText), YarnPackageJson.class);
         return new NullSafePackageJson(rawPackageJson);
     }
 
diff --git a/detectable/src/main/java/com/blackduck/integration/detectable/util/JsonSanitizer.java b/detectable/src/main/java/com/blackduck/integration/detectable/util/JsonSanitizer.java
@@ -0,0 +1,11 @@
+package com.blackduck.integration.detectable.util;
+
+import com.google.gson.JsonObject;
+import com.google.gson.JsonParser;
+import com.google.gson.JsonSyntaxException;
+
+public class JsonSanitizer {
+    public static JsonObject sanitize(String json) throws JsonSyntaxException {
+        return JsonParser.parseString(json).getAsJsonObject();
+    }
+}
diff --git a/detectable/src/test/java/com/blackduck/integration/detectable/util/JsonSanitizerTest.java b/detectable/src/test/java/com/blackduck/integration/detectable/util/JsonSanitizerTest.java
@@ -0,0 +1,105 @@
+package com.blackduck.integration.detectable.util;
+
+import com.google.gson.JsonObject;
+import com.google.gson.JsonSyntaxException;
+import org.junit.jupiter.api.Test;
+import static org.junit.jupiter.api.Assertions.*;
+
+class JsonSanitizerTest {
+    @Test
+    void testValidJson() {
+        String json = "{ " +
+            "\"name\": \"my-project\", " +
+            "\"version\": \"1.0.0\", " +
+            "\"private\": true, " +
+            "\"scripts\": { " +
+            "\"start\": \"node index.js\", " +
+            "\"test\": \"jest\"" +
+            "}, " +
+            "\"dependencies\": { " +
+            "\"express\": \"^4.17.1\", " +
+            "\"lodash\": \"^4.17.21\"" +
+            "}, " +
+            "\"devDependencies\": { " +
+            "\"jest\": \"^27.0.0\", " +
+            "\"eslint\": \"^7.32.0\"" +
+            "}" +
+            "}";
+
+        JsonObject sanitized = JsonSanitizer.sanitize(json);
+
+        assertEquals("my-project", sanitized.get("name").getAsString());
+        assertEquals("1.0.0", sanitized.get("version").getAsString());
+        assertTrue(sanitized.get("private").getAsBoolean());
+        assertEquals("node index.js", sanitized.getAsJsonObject("scripts").get("start").getAsString());
+        assertEquals("^4.17.1", sanitized.getAsJsonObject("dependencies").get("express").getAsString());
+        assertEquals("^27.0.0", sanitized.getAsJsonObject("devDependencies").get("jest").getAsString());
+    }
+
+    @Test
+    void testDuplicateKeysInDependencies() {
+        String json = "{ " +
+            "\"dependencies\": { " +
+            "\"express\": \"^4.17.1\", " +
+            "\"express\": \"^5.0.0\"" +
+            "}" +
+            "}";
+
+        JsonObject sanitized = JsonSanitizer.sanitize(json);
+
+        assertEquals("^5.0.0", sanitized.getAsJsonObject("dependencies").get("express").getAsString()); // Last value is kept
+    }
+
+    @Test
+    void testNestedScriptsAndDependencies() {
+        String json = "{ " +
+            "\"scripts\": { " +
+            "\"build\": \"tsc\", " +
+            "\"start\": \"node dist/index.js\"" +
+            "}, " +
+            "\"dependencies\": { " +
+            "\"typescript\": \"^4.0.0\", " +
+            "\"node-fetch\": \"^2.6.1\"" +
+            "}" +
+            "}";
+
+        JsonObject sanitized = JsonSanitizer.sanitize(json);
+
+        assertEquals("tsc", sanitized.getAsJsonObject("scripts").get("build").getAsString());
+        assertEquals("^4.0.0", sanitized.getAsJsonObject("dependencies").get("typescript").getAsString());
+    }
+
+    @Test
+    void testInvalidJson() {
+        String json = "{ " +
+            "\"name\": \"my-project\", " +
+            "\"version\": \"1.0.0\"";
+
+        assertThrows(JsonSyntaxException.class, () -> JsonSanitizer.sanitize(json));
+    }
+
+    @Test
+    void testEmptyPackageJson() {
+        String json = "{}";
+
+        JsonObject sanitized = JsonSanitizer.sanitize(json);
+        assertTrue(sanitized.entrySet().isEmpty());
+    }
+
+    @Test
+    void testJsonWithNullValues() {
+        String json = "{ " +
+            "\"name\": \"my-project\", " +
+            "\"version\": null, " +
+            "\"dependencies\": { " +
+            "\"express\": \"^4.17.1\", " +
+            "\"lodash\": null " +
+            "} " +
+            "}";
+
+        JsonObject sanitized = JsonSanitizer.sanitize(json);
+
+        assertTrue(sanitized.get("version").isJsonNull());
+        assertTrue(sanitized.getAsJsonObject("dependencies").get("lodash").isJsonNull());
+    }
+}
