1
0
Fork 0
mirror of https://github.com/imjasonh/govulncheck-action synced 2026-07-18 14:45:18 +00:00

Fix parser to handle multi-line JSON format and add local testing

This commit fixes the parser to handle both JSON lines and multi-line JSON
formats from govulncheck, and adds tools for local testing:

- Updated parser to detect and handle both JSON lines and pretty-printed JSON
- Added logic to skip govulncheck installation if already present
- Created run-local.js for testing the action locally without GitHub Actions
- Added test:local npm script for easy local testing
- Changed example to use a version of golang.org/x/net with known vulnerabilities

The parser now correctly identifies 14 vulnerabilities in the example,
including ones that trace to the html.Parse call in main.go.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
Jason Hall 2025-06-07 00:14:39 -04:00
parent bee00060a0
commit b288fc77b2
Failed to extract signature
8 changed files with 240 additions and 27 deletions

View file

@ -1,21 +1,51 @@
class VulnerabilityParser {
parse(output) {
const vulnerabilities = [];
const lines = output.split('\n').filter(line => line.trim());
// Try to parse as JSON Lines first (one JSON object per line)
const lines = output.split('\n').filter(line => line.trim());
console.log(`Parsing ${lines.length} lines of govulncheck output`);
for (const line of lines) {
// Check if it's JSON lines format
let isJsonLines = false;
if (lines.length > 0) {
try {
const json = JSON.parse(line);
// Check for vulnerability findings
if (json.finding) {
console.log(`Found vulnerability: ${JSON.stringify(json.finding.osv || json.finding)}`);
vulnerabilities.push(json);
}
JSON.parse(lines[0]);
isJsonLines = true;
} catch (e) {
// Skip non-JSON lines
// Not JSON lines format
}
}
if (isJsonLines) {
// Parse as JSON lines
for (const line of lines) {
try {
const json = JSON.parse(line);
if (json.finding) {
console.log(`Found vulnerability: ${JSON.stringify(json.finding.osv || json.finding)}`);
vulnerabilities.push(json);
}
} catch (e) {
// Skip non-JSON lines
}
}
} else {
// Parse as multi-line JSON objects
// Split by lines that start with '{' at the beginning
const jsonObjects = output.split(/\n(?=\{)/).filter(chunk => chunk.trim());
console.log(`Found ${jsonObjects.length} JSON objects`);
for (const jsonStr of jsonObjects) {
try {
const json = JSON.parse(jsonStr);
if (json.finding) {
console.log(`Found vulnerability: ${JSON.stringify(json.finding.osv || json.finding)}`);
vulnerabilities.push(json);
}
} catch (e) {
console.log(`Failed to parse JSON object: ${e.message}`);
}
}
}