Address OOM risk in witness parsing #48

Open
IITI-tushar wants to merge 1 commit into SBOMit:master from IITI-tushar:fix-witness-parser-oom

@IITI-tushar

Refers #41
This pull request refactors the way witness files and data are parsed in the pkg/attestation/parser.go file. The main improvement is the introduction of a unified parsing function that works with any io.Reader, which simplifies handling both files and in-memory data. The code now also checks for trailing JSON and improves error handling for malformed input.

Refactoring and improved parsing logic:

  • Introduced a new parseWitnessReader function that parses attestation data from any io.Reader, allowing both file-based and in-memory parsing to share the same logic. (pkg/attestation/parser.go)
  • Updated ParseWitnessFile and ParseWitnessData to use the new parseWitnessReader function, reducing code duplication and improving maintainability. (pkg/attestation/parser.go)

Robustness and error handling:

  • Added a check for trailing JSON after the main attestation object, returning an error if extra data is found, which helps catch malformed input files. (pkg/attestation/parser.go)
  • Improved error messages and handling for missing or malformed payloads and predicates in the attestation JSON. (pkg/attestation/parser.go)

Signed-off-by: Tushar Saxena <019saxenatushar@gmail.com>
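
An added sketch, not the code from this pull request, of the pattern the description names: decode one attestation from any `io.Reader`, reject trailing JSON, and report a missing payload or predicate. The type shapes, the name `parseAttestation` and the sample inputs are assumptions made for illustration.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"strings"
)

// Assumed shapes (the project's real types may differ): an envelope whose
// base64 "payload" holds a statement carrying a "predicate".
type envelope struct{ Payload string `json:"payload"` }
type statement struct{ Predicate json.RawMessage `json:"predicate"` }

// parseAttestation (hypothetical name) decodes exactly one envelope from r.
func parseAttestation(r io.Reader) (*statement, error) {
	dec := json.NewDecoder(r)
	var env envelope
	if err := dec.Decode(&env); err != nil {
		return nil, fmt.Errorf("decode envelope: %w", err)
	}
	// A second Decode must return io.EOF; a value or garbage is trailing data.
	if err := dec.Decode(new(json.RawMessage)); !errors.Is(err, io.EOF) {
		return nil, errors.New("trailing data after attestation object")
	}
	raw, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil || len(raw) == 0 {
		return nil, errors.New("missing or malformed payload")
	}
	var st statement
	if err := json.Unmarshal(raw, &st); err != nil {
		return nil, fmt.Errorf("decode statement: %w", err)
	}
	if len(st.Predicate) == 0 || string(st.Predicate) == "null" {
		return nil, errors.New("missing predicate")
	}
	return &st, nil
}

func main() {
	// Constructed inputs: valid, valid plus trailing JSON, empty object.
	ok := `{"payload":"` + base64.StdEncoding.EncodeToString([]byte(`{"predicate":{"name":"demo"}}`)) + `"}`
	for _, in := range []string{ok, ok + ` {"x":1}`, `{}`} {
		_, err := parseAttestation(strings.NewReader(in))
		fmt.Println(err)
	}
}
```

Because both a file handle and a `bytes.Reader` over in-memory data satisfy `io.Reader`, the same function serves both entry points.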