Skip to content

Migrate Spdx22ComponentDetector from Newtonsoft.Json to System.Text.json #1571

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: users/jamagee/go-vcpkg-system.text.json
Choose a base branch
from
Open

Migrate Spdx22ComponentDetector from Newtonsoft.Json to System.Text.json #1571

wants to merge 2 commits into from
+84 −44

Conversation

@JamieMagee
Copy link
Member

@JamieMagee JamieMagee commented Nov 26, 2025

  • Replace JObject/JsonTextReader with JsonDocument.ParseAsync
  • Convert JObject property access to JsonElement.TryGetProperty pattern
  • Make OnFileFoundAsync properly async
  • Update exception handling from JsonReaderException to JsonException

@JamieMagee
Migrate vcpkg and Go detectors from Newtonsoft.Json to `System.Text…
f096423 
….Json`

- `VcpkgComponentDetector`: Replace `JsonConvert.DeserializeObject` with `JsonSerializer.Deserialize`
- `GoCLIParser`: Replace `JsonTextReader`/`JsonSerializer` with `Utf8JsonReader` for parsing multi-object JSON output from `go list`
  - .NET 9 added `AllowMultipleValues`, but unfortunately we are still on .NET 8
- Add explicit `[JsonPropertyName]` attributes to vcpkg contract classes using SPDX 2.2.1 schema field names
@JamieMagee
Migrate Spdx22ComponentDetector from Newtonsoft.Json to `System.T…
56a1717 
…ext.Json`

- Replace `JObject`/`JsonTextReader` with `JsonDocument.ParseAsync`
- Convert `JObject` property access to `JsonElement.TryGetProperty` pattern
- Make `OnFileFoundAsync` properly `async`
- Update exception handling from `JsonReaderException` to `JsonException`
@JamieMagee JamieMagee requested a review from a team as a code owner November 26, 2025 00:05
@JamieMagee JamieMagee requested review from RushabhBhansali and removed request for a team November 26, 2025 00:05
@codecov
Copy link

codecov bot commented Nov 26, 2025
edited
Loading

Codecov Report

❌ Patch coverage is 77.77778% with 6 lines in your changes missing coverage. Please review.
✅ Project coverage is 89.6%. Comparing base (f096423) to head (56a1717).

Files with missing lines Patch % Lines
...etection.Detectors/spdx/Spdx22ComponentDetector.cs 77.7% 0 Missing and 6 partials ⚠️
Additional details and impacted files 
@@                           Coverage Diff                           @@
##           users/jamagee/go-vcpkg-system.text.json   #1571   +/-   ##
=======================================================================
  Coverage                                     89.5%   89.6%           
=======================================================================
  Files                                          426     426           
  Lines                                        36268   36272    +4     
  Branches                                      2262    2262           
=======================================================================
+ Hits                                         32494   32501    +7     
+ Misses                                        3312    3309    -3     
  Partials                                       462     462

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@JamieMagee JamieMagee requested a review from Copilot November 26, 2025 05:30
Copilot finished reviewing on behalf of JamieMagee November 26, 2025 05:31
Copilot AI reviewed Nov 26, 2025
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR migrates the Spdx22ComponentDetector from Newtonsoft.Json to System.Text.Json, aligning with modern .NET standards. The detector parses SPDX 2.2 SBOM files in JSON format to extract component metadata.

Key changes:

  • Replaced JObject/JsonTextReader with JsonDocument.ParseAsync for async JSON parsing
  • Converted property access patterns from nullable ?. operators to explicit TryGetProperty checks
  • Updated exception handling from JsonReaderException to JsonException
Comments suppressed due to low confidence (1)

src/Microsoft.ComponentDetection.Detectors/spdx/Spdx22ComponentDetector.cs:1

  • The JsonDocument returned by ParseAsync should be disposed. In DotNetComponentDetector (line 281), the document is not wrapped in a using statement, which could lead to a memory leak. However, in this file (line 60), you correctly use using var document. Consider checking if DotNetComponentDetector needs the same fix, but this current usage is correct.
#nullable disable

src/Microsoft.ComponentDetection.Detectors/spdx/Spdx22ComponentDetector.cs
Comment on lines +97 to +99
var sbomNamespace = document.TryGetProperty("documentNamespace", out var nsElement) ? nsElement.GetString() : null;
var name = document.TryGetProperty("name", out var nameElement) ? nameElement.GetString() : null;
var spdxVersion = document.TryGetProperty("spdxVersion", out var versionElement2) ? versionElement2.GetString() : null;
Copy link

Copilot AI Nov 26, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The SpdxComponent constructor calls ValidateRequiredInput on all parameters (see SpdxComponent.cs:16-21), which will throw if these values are null. However, these properties may legitimately be missing from malformed SPDX documents. This will cause the component creation to throw an unhandled exception instead of gracefully logging a warning. Consider adding null checks before constructing the component, or catching the validation exception and logging an appropriate warning message.

Copilot uses AI. Check for mistakes.
src/Microsoft.ComponentDetection.Detectors/spdx/Spdx22ComponentDetector.cs
var spdxVersion = document["spdxVersion"]?.ToString();
var sbomNamespace = document.TryGetProperty("documentNamespace", out var nsElement) ? nsElement.GetString() : null;
var name = document.TryGetProperty("name", out var nameElement) ? nameElement.GetString() : null;
var spdxVersion = document.TryGetProperty("spdxVersion", out var versionElement2) ? versionElement2.GetString() : null;
Copy link

Copilot AI Nov 26, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The variable name versionElement2 is unclear and suggests a copy-paste error. It should be renamed to spdxVersionElement or versionElementSpdx to better indicate its purpose and distinguish it from versionElement used in IsSPDXVersionSupported.

Suggested change
var spdxVersion = document.TryGetProperty("spdxVersion", out var versionElement2) ? versionElement2.GetString() : null;
var spdxVersion = document.TryGetProperty("spdxVersion", out var spdxVersionElement) ? spdxVersionElement.GetString() : null;

Copilot uses AI. Check for mistakes.
@JamieMagee JamieMagee force-pushed the users/jamagee/go-vcpkg-system.text.json branch 2 times, most recently from b7ebff5 to bd4dcaa Compare November 26, 2025 23:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@RushabhBhansali RushabhBhansali Awaiting requested review from RushabhBhansali RushabhBhansali is a code owner automatically assigned from microsoft/ose-component-detection-maintainers

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@JamieMagee