
Partial package.json files lead to empty packages in output #311

Closed
luhring opened this issue Jan 22, 2021 · 0 comments · Fixed by #312
Assignees
Labels
bug Something isn't working

Comments


luhring commented Jan 22, 2021

What happened:

Some package.json files contain very little information, and specifically, they don't have a name or version field. This seems to be considered allowable for unpublished packages. (See related: microsoft/rushstack#2070).

For example, here's an entire package.json file we found:

{
  "sideEffects": false,
  "module": "../../esm/fp/isSaturday/index.js",
  "typings": "../../typings.d.ts"
}

This results in Syft decoding the JSON to a PackageJSON without error, which results in an empty and unusable package being returned in the end.

What you expected to happen:

We should enforce that if a parsed PackageJSON is missing the name or version fields, it should not be included in the final output. This doesn't need to be an error, but we should consider expressing this in a more detailed level of log output.

How to reproduce it (as minimally and precisely as possible):

syft docker.io/anchore/enterprise-ui:latest -o json | jq '[ .artifacts[] | select(.name == "" or .version == "") ]'

Anything else we need to know?:

Environment:

  • Output of syft version:
Application:   syft
Version:       0.12.2
BuildDate:     2021-01-06T02:43:56Z
GitCommit:     0f6288881bf8db287e07576bf8dd067184745759
GitTreeState:  clean
Platform:      darwin/amd64
GoVersion:     go1.14.13
Compiler:      gc
  • OS (e.g: cat /etc/os-release or similar): macOS
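One way to apply the rule proposed in this issue, as an added example in Go that is not Syft's own code: a partial package.json decodes without error, but a package is only emitted when both name and version are present, and the skipped file is logged instead. The PackageJSON struct, function names and sample file paths below are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"log"
	"strings"
)

// PackageJSON holds the two fields that identify a package. The struct and
// field names are assumed for this example, not Syft's own definitions.
type PackageJSON struct {
	Name    string `json:"name"`
	Version string `json:"version"`
}

// parsePackageJSON decodes one package.json. ok is false when the document is
// valid JSON but lacks a name or version; the caller should skip such a file
// rather than emit an empty package.
func parsePackageJSON(r io.Reader) (p PackageJSON, ok bool, err error) {
	if err = json.NewDecoder(r).Decode(&p); err != nil {
		return PackageJSON{}, false, err
	}
	return p, p.Name != "" && p.Version != "", nil
}

// collectPackages applies that rule across several files: malformed JSON is
// an error, partial files are logged and dropped, complete ones are kept.
func collectPackages(files map[string]string) ([]PackageJSON, error) {
	var out []PackageJSON
	for path, content := range files {
		p, ok, err := parsePackageJSON(strings.NewReader(content))
		if err != nil {
			return nil, fmt.Errorf("%s: %w", path, err)
		}
		if !ok {
			log.Printf("skipping %s: missing name or version field", path)
			continue
		}
		out = append(out, p)
	}
	return out, nil
}

// Constructed inputs: the partial file quoted in the issue and a complete one.
var sampleFiles = map[string]string{
	"a/package.json": `{"sideEffects": false, "module": "../../esm/fp/isSaturday/index.js", "typings": "../../typings.d.ts"}`,
	"b/package.json": `{"name": "example", "version": "1.2.3"}`,
}

func main() {
	pkgs, err := collectPackages(sampleFiles)
	fmt.Println(len(pkgs), err) // prints "1 <nil>": only b/package.json survives
}
```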