Function json_parse_failure_finding

pub fn json_parse_failure_finding(
    content: &str,
    file: &str,
    message: &str,
) -> Option<Finding>

Builds a fail-loud diagnostic finding for a manifest (JSON/TOML/…) that could not be parsed.

The structured scanners parse the manifest to inspect specific fields, but a parse failure must never silently produce a zero-finding (clean) scan: a manifest that a lenient loader accepts while a strict parser rejects (a UTF-8 BOM, a trailing comma, a // comment) is a plausible evasion vector. The raw-content baseline still runs on the bytes; this finding surfaces the parse failure itself so the artifact cannot fake a clean result. See issues #219 / #136.

Returns a fail-loud parse-failure finding, but only when the content was plausibly intended to be JSON.

The structured scanners are sometimes invoked on files that were never JSON (for example, a bare .md file passed on the command line). Emitting a parse-failure finding for those would be noise, so the function gates on a JSON-ish opening: an initial { or [, or a leading // or /* comment, checked after stripping a UTF-8 BOM. Genuinely malformed manifests (BOM + {, trailing comma, // comment) still qualify. See #219.
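The gate and the fail-loud finding described above, as an added stand-alone example that is not the project's own code. The Finding struct, its field names, the rule name "manifest-parse-failure" and the sample manifests are all assumptions constructed for illustration; the strict parser itself is out of scope here, so the caller passes in whatever error message it produced.

```rust
// Added example: a self-contained sketch of the "only if it looked like JSON"
// gate. `Finding` and its fields are assumptions, not the project's real type.
#[derive(Debug, PartialEq)]
pub struct Finding {
    pub rule: &'static str,
    pub file: String,
    pub message: String,
}

/// Drop a leading UTF-8 byte-order mark, if present. A BOM is exactly the kind
/// of prefix a lenient loader tolerates and a strict JSON parser rejects.
fn strip_bom(content: &str) -> &str {
    content.strip_prefix('\u{FEFF}').unwrap_or(content)
}

/// Heuristic: was this text plausibly meant to be JSON? Accept an opening `{`
/// or `[`, or a leading `//` or `/*` comment, after the BOM and any leading
/// whitespace are skipped. Anything else (Markdown, plain text) is treated as
/// "never JSON" so that no noise finding is emitted for it.
pub fn looks_like_json(content: &str) -> bool {
    let body = strip_bom(content).trim_start();
    body.starts_with('{')
        || body.starts_with('[')
        || body.starts_with("//")
        || body.starts_with("/*")
}

/// Build the fail-loud finding for a manifest the strict parser rejected.
/// Returns `None` only when the content did not look like JSON at all.
pub fn json_parse_failure_finding(content: &str, file: &str, message: &str) -> Option<Finding> {
    if !looks_like_json(content) {
        return None;
    }
    Some(Finding {
        rule: "manifest-parse-failure", // assumed rule name
        file: file.to_string(),
        message: format!("manifest could not be parsed as JSON: {}", message),
    })
}

fn main() {
    // Constructed samples: three evasion-style manifests plus one non-JSON file.
    // The error messages stand in for what a strict parser would report.
    let samples: [(&str, &str, &str); 4] = [
        ("\u{FEFF}{\"name\":\"pkg\"}", "package.json", "unexpected character at 1:1"),
        ("{\"name\":\"pkg\",}", "package.json", "trailing comma at 1:15"),
        ("// generated\n{\"name\":\"pkg\"}", "package.json", "expected value at 1:1"),
        ("# README\nplain text", "README.md", "expected value at 1:1"),
    ];
    for (content, file, err) in samples {
        match json_parse_failure_finding(content, file, err) {
            Some(f) => println!("{}: [{}] {}", f.file, f.rule, f.message),
            None => println!("{}: not JSON-like, no finding emitted", file),
        }
    }
}
```

The important property is that the gate never suppresses a finding for the three malformed-but-JSON-looking inputs: each starts with `{` once the BOM is gone, so the parse failure is surfaced rather than swallowed into a clean result, while the Markdown file produces no finding.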