Migrate vcpkg and Go detectors from Newtonsoft.Json to System.Text.Json

- `VcpkgComponentDetector`: Replace `JsonConvert.DeserializeObject` with `JsonSerializer.Deserialize`
- `GoCLIParser`: Replace `JsonTextReader`/`JsonSerializer` with `Utf8JsonReader` for parsing multi-object JSON output from `go list`
  - .NET 9 added `AllowMultipleValues`, but unfortunately we are still on .NET 8
- Add explicit `[JsonPropertyName]` attributes to vcpkg contract classes using SPDX 2.2.1 schema field names

Author: JamieMagee

src/Microsoft.ComponentDetection.Detectors/go/Parsers/GoCLIParser.cs

@@ -5,12 +5,12 @@ namespace Microsoft.ComponentDetection.Detectors.Go;
 using System.Collections.Generic;
 using System.Diagnostics.CodeAnalysis;
 using System.IO;
+using System.Text.Json;
 using System.Threading.Tasks;
 using Microsoft.ComponentDetection.Common.Telemetry.Records;
 using Microsoft.ComponentDetection.Contracts;
 using Microsoft.ComponentDetection.Contracts.TypedComponent;
 using Microsoft.Extensions.Logging;
-using Newtonsoft.Json;
 
 public class GoCLIParser : IGoParser
 {
@@ -74,19 +74,37 @@ public async Task<bool> ParseAsync(
     private void RecordBuildDependencies(string goListOutput, ISingleFileComponentRecorder singleFileComponentRecorder, string projectRootDirectoryFullName)
     {
         var goBuildModules = new List<GoBuildModule>();
-        var reader = new JsonTextReader(new StringReader(goListOutput))
-        {
-            SupportMultipleContent = true,
-        };
 
         using var record = new GoReplaceTelemetryRecord();
 
-        while (reader.Read())
+        // Go CLI outputs multiple JSON objects (not an array), so we need to parse them one by one
+        var remaining = goListOutput.AsMemory();
+        while (!remaining.IsEmpty)
         {
-            var serializer = new JsonSerializer();
-            var buildModule = serializer.Deserialize<GoBuildModule>(reader);
+            var reader = new Utf8JsonReader(System.Text.Encoding.UTF8.GetBytes(remaining.ToString()));
+            try
+            {
+                var buildModule = JsonSerializer.Deserialize<GoBuildModule>(ref reader);
+                if (buildModule != null)
+                {
+                    goBuildModules.Add(buildModule);
+                }
+
+                // Move past the consumed bytes plus any whitespace
+                var consumed = (int)reader.BytesConsumed;
+                remaining = remaining[consumed..];
 
-            goBuildModules.Add(buildModule);
+                // Skip whitespace between JSON objects
+                while (!remaining.IsEmpty && char.IsWhiteSpace(remaining.Span[0]))
+                {
+                    remaining = remaining[1..];
+                }
+            }
+            catch (JsonException ex)
+            {
+                this.logger.LogWarning("Failed to parse Go build module JSON: {ErrorMessage}", ex.Message);
+                break;
+            }
         }
 
         foreach (var dependency in goBuildModules)

src/Microsoft.ComponentDetection.Detectors/vcpkg/Contracts/Annotation.cs

@@ -2,14 +2,19 @@
 namespace Microsoft.ComponentDetection.Detectors.Vcpkg.Contracts;
 
 using System;
+using System.Text.Json.Serialization;
 
 public class Annotation
 {
+    [JsonPropertyName("annotationDate")]
     public DateTime Date { get; set; }
 
+    [JsonPropertyName("comment")]
     public string Comment { get; set; }
 
+    [JsonPropertyName("annotationType")]
     public string Type { get; set; }
 
+    [JsonPropertyName("annotator")]
     public string Annotator { get; set; }
 }

src/Microsoft.ComponentDetection.Detectors/vcpkg/Contracts/ManifestInfo.cs

@@ -2,11 +2,9 @@
 namespace Microsoft.ComponentDetection.Detectors.Vcpkg.Contracts;
 
 using System.Text.Json.Serialization;
-using Newtonsoft.Json;
 
 public class ManifestInfo
 {
-    [JsonProperty("manifest-path")]
     [JsonPropertyName("manifest-path")]
     public string ManifestPath { get; set; }
 }

src/Microsoft.ComponentDetection.Detectors/vcpkg/Contracts/Package.cs

@@ -1,21 +1,31 @@
 #nullable disable
 namespace Microsoft.ComponentDetection.Detectors.Vcpkg.Contracts;
 
+using System.Text.Json.Serialization;
+
 public class Package
 {
+    [JsonPropertyName("SPDXID")]
     public string SPDXID { get; set; }
 
+    [JsonPropertyName("versionInfo")]
     public string VersionInfo { get; set; }
 
+    [JsonPropertyName("downloadLocation")]
     public string DownloadLocation { get; set; }
 
+    [JsonPropertyName("packageFileName")]
     public string Filename { get; set; }
 
+    [JsonPropertyName("homepage")]
     public string Homepage { get; set; }
 
+    [JsonPropertyName("description")]
     public string Description { get; set; }
 
+    [JsonPropertyName("name")]
     public string Name { get; set; }
 
+    [JsonPropertyName("annotations")]
     public Annotation[] Annotations { get; set; }
 }

src/Microsoft.ComponentDetection.Detectors/vcpkg/Contracts/VcpkgSBOM.cs

@@ -1,12 +1,16 @@
 #nullable disable
 namespace Microsoft.ComponentDetection.Detectors.Vcpkg.Contracts;
 
+using System.Text.Json.Serialization;
+
 /// <summary>
 /// Matches a subset of https://raw.githubusercontent.com/spdx/spdx-spec/v2.2.1/schemas/spdx-schema.json.
 /// </summary>
 public class VcpkgSBOM
 {
+    [JsonPropertyName("packages")]
     public Package[] Packages { get; set; }
 
+    [JsonPropertyName("name")]
     public string Name { get; set; }
 }

src/Microsoft.ComponentDetection.Detectors/vcpkg/VcpkgComponentDetector.cs

@@ -7,14 +7,14 @@ namespace Microsoft.ComponentDetection.Detectors.Vcpkg;
 using System.IO;
 using System.Linq;
 using System.Reactive.Linq;
+using System.Text.Json;
 using System.Threading;
 using System.Threading.Tasks;
 using Microsoft.ComponentDetection.Contracts;
 using Microsoft.ComponentDetection.Contracts.Internal;
 using Microsoft.ComponentDetection.Contracts.TypedComponent;
 using Microsoft.ComponentDetection.Detectors.Vcpkg.Contracts;
 using Microsoft.Extensions.Logging;
-using Newtonsoft.Json;
 
 public class VcpkgComponentDetector : FileComponentDetector
 {
@@ -83,7 +83,7 @@ await processRequests.ForEachAsync(async pr =>
                 using (var reader = new StreamReader(pr.ComponentStream.Stream))
                 {
                     var contents = await reader.ReadToEndAsync().ConfigureAwait(false);
-                    var manifestData = JsonConvert.DeserializeObject<ManifestInfo>(contents);
+                    var manifestData = JsonSerializer.Deserialize<ManifestInfo>(contents);
 
                     if (manifestData == null || string.IsNullOrWhiteSpace(manifestData.ManifestPath))
                     {
@@ -112,7 +112,7 @@ private async Task ParseSpdxFileAsync(
         VcpkgSBOM sbom;
         try
         {
-            sbom = JsonConvert.DeserializeObject<VcpkgSBOM>(await reader.ReadToEndAsync());
+            sbom = JsonSerializer.Deserialize<VcpkgSBOM>(await reader.ReadToEndAsync());
         }
         catch (Exception)
         {