Description
ParseWitnessFile() in pkg/attestation/parser.go reads entire files with os.ReadFile and decodes with json.Unmarshal. Large witness files can cause significant memory spikes and possible OOM.
Steps to Reproduce
- Run parser against a very large network-trace witness JSON file.
- Monitor process memory while parsing.
- Observe high peak memory and possible OOM termination.
Expected Behavior
Parser processes large witness files with stable memory usage.
Actual Behavior
Parser loads full file into memory, causing spikes and instability on very large inputs.
Environment
- sbomit version: current main branch
- Go version: any supported version
- OS: Linux/macOS/Windows
Additional Context
- Area: pkg/attestation/parser.go
- Suggested fix:
  - Use json.NewDecoder(file) with streaming/incremental decode.
  - Avoid loading complete file content into a single byte slice.
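A streaming version of the suggested fix, as an added example (not sbomit's own code): it walks the file with json.NewDecoder and decodes one entry at a time instead of os.ReadFile plus json.Unmarshal. The {"entries":[...]} layout, the TraceEntry fields and the SampleWitness input are assumptions, since the real witness schema is not on this page.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
)
// TraceEntry is an assumed record shape; the real sbomit witness schema is not on the issue page.
type TraceEntry struct {
	Host  string `json:"host"`
	Bytes int64  `json:"bytes"`
}
// SampleWitness is constructed input in the assumed {"entries":[...]} layout, with unrelated keys around it.
const SampleWitness = `{"version":1,"entries":[{"host":"a","bytes":10},{"host":"b","bytes":32}],"note":"x"}`
// StreamWitness decodes one entry at a time with json.Decoder, so peak memory is bounded by
// the largest single entry rather than the file size; only an aggregate is retained.
func StreamWitness(r io.Reader) (count int, total int64, err error) {
	dec := json.NewDecoder(r)
	if tok, err := dec.Token(); err != nil || tok != json.Delim('{') {
		return 0, 0, fmt.Errorf("expected top-level object, got %v (%v)", tok, err)
	}
	for dec.More() {
		key, err := dec.Token()
		if err != nil {
			return count, total, err
		}
		if key != "entries" {
			var skip json.RawMessage // buffers only this one unrelated value, then discards it
			if err := dec.Decode(&skip); err != nil {
				return count, total, err
			}
			continue
		}
		if tok, err := dec.Token(); err != nil || tok != json.Delim('[') {
			return count, total, fmt.Errorf("\"entries\" must be an array")
		}
		for dec.More() {
			var e TraceEntry
			if err := dec.Decode(&e); err != nil {
				return count, total, err
			}
			count, total = count+1, total+e.Bytes
		}
		if _, err := dec.Token(); err != nil { // consume ']'
			return count, total, err
		}
	}
	_, err = dec.Token() // consume closing '}' so a truncated file is reported
	return count, total, err
}
```

For a real file, pass the *os.File from os.Open as the reader; the decoder reads it through its internal buffer and the file is never loaded into a single byte slice.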