Migrate vcpkg and Go detectors from Newtonsoft.Json to System.TextJson (#1570)

* Migrate vcpkg and Go detectors from `Newtonsoft.Json` to `System.Text.Json`

- `VcpkgComponentDetector`: Replace `JsonConvert.DeserializeObject` with `JsonSerializer.Deserialize`
- `GoCLIParser`: Replace `JsonTextReader`/`JsonSerializer` with `Utf8JsonReader` for parsing multi-object JSON output from `go list`
  - .NET 9 added `AllowMultipleValues`, but unfortunately we are still on .NET 8
- Add explicit `[JsonPropertyName]` attributes to vcpkg contract classes using SPDX 2.2.1 schema field names

* Optimize Go CLI output parsing by converting to utf-8 only once

* Add unit test coverage for Go CLI parser

* PR comments

* Pass `CancellationToken` to `ParseAsync`

Author: JamieMagee

src/Microsoft.ComponentDetection.Detectors/go/GoComponentDetector.cs

@@ -115,7 +115,7 @@ protected override async Task OnFileFoundAsync(ProcessRequest processRequest, ID
             case ".MOD":
             {
                 this.Logger.LogDebug("Found Go.mod: {Location}", file.Location);
-                var wasModParsedSuccessfully = await this.goParserFactory.CreateParser(GoParserType.GoMod, this.Logger).ParseAsync(singleFileComponentRecorder, file, record);
+                var wasModParsedSuccessfully = await this.goParserFactory.CreateParser(GoParserType.GoMod, this.Logger).ParseAsync(singleFileComponentRecorder, file, record, cancellationToken);
 
                 // Check if go.mod was parsed successfully and Go version is >= 1.17 in go.mod
                 if (wasModParsedSuccessfully &&
@@ -155,7 +155,7 @@ await GoDependencyGraphUtility.GenerateAndPopulateDependencyGraphAsync(
                 {
                     if (!wasGoCliDisabled)
                     {
-                        wasGoCliScanSuccessful = await this.goParserFactory.CreateParser(GoParserType.GoCLI, this.Logger).ParseAsync(singleFileComponentRecorder, file, record);
+                        wasGoCliScanSuccessful = await this.goParserFactory.CreateParser(GoParserType.GoCLI, this.Logger).ParseAsync(singleFileComponentRecorder, file, record, cancellationToken);
                     }
                     else
                     {
@@ -176,7 +176,7 @@ await GoDependencyGraphUtility.GenerateAndPopulateDependencyGraphAsync(
                 {
                     record.WasGoFallbackStrategyUsed = true;
                     this.Logger.LogDebug("Go CLI scan when considering {GoSumLocation} was not successful. Falling back to scanning go.sum", file.Location);
-                    await this.goParserFactory.CreateParser(GoParserType.GoSum, this.Logger).ParseAsync(singleFileComponentRecorder, file, record);
+                    await this.goParserFactory.CreateParser(GoParserType.GoSum, this.Logger).ParseAsync(singleFileComponentRecorder, file, record, cancellationToken);
                 }
                 else
                 {

src/Microsoft.ComponentDetection.Detectors/go/Parsers/GoCLIParser.cs

@@ -3,14 +3,15 @@ namespace Microsoft.ComponentDetection.Detectors.Go;
 
 using System;
 using System.Collections.Generic;
-using System.Diagnostics.CodeAnalysis;
 using System.IO;
+using System.Text;
+using System.Text.Json;
+using System.Threading;
 using System.Threading.Tasks;
 using Microsoft.ComponentDetection.Common.Telemetry.Records;
 using Microsoft.ComponentDetection.Contracts;
 using Microsoft.ComponentDetection.Contracts.TypedComponent;
 using Microsoft.Extensions.Logging;
-using Newtonsoft.Json;
 
 public class GoCLIParser : IGoParser
 {
@@ -25,11 +26,11 @@ public GoCLIParser(ILogger logger, IFileUtilityService fileUtilityService, IComm
         this.commandLineInvocationService = commandLineInvocationService;
     }
 
-    [SuppressMessage("Maintainability", "CA1508:Avoid dead conditional code", Justification = "False positive")]
     public async Task<bool> ParseAsync(
         ISingleFileComponentRecorder singleFileComponentRecorder,
         IComponentStream file,
-        GoGraphTelemetryRecord record)
+        GoGraphTelemetryRecord record,
+        CancellationToken cancellationToken = default)
     {
         record.WasGraphSuccessful = false;
         record.DidGoCliCommandFail = false;
@@ -49,7 +50,7 @@ public async Task<bool> ParseAsync(
                                    "Detection time may be improved by activating fallback strategy (https://github.com/microsoft/component-detection/blob/main/docs/detectors/go.md#fallback-detection-strategy). " +
                                    "But, it will introduce noise into the detected components.");
 
-        var goDependenciesProcess = await this.commandLineInvocationService.ExecuteCommandAsync("go", null, workingDirectory: projectRootDirectory, ["list", "-mod=readonly", "-m", "-json", "all"]);
+        var goDependenciesProcess = await this.commandLineInvocationService.ExecuteCommandAsync("go", null, projectRootDirectory, cancellationToken, "list", "-mod=readonly", "-m", "-json", "all");
         if (goDependenciesProcess.ExitCode != 0)
         {
             this.logger.LogError("Go CLI command \"go list -m -json all\" failed with error: {GoDependenciesProcessStdErr}", goDependenciesProcess.StdErr);
@@ -66,27 +67,41 @@ public async Task<bool> ParseAsync(
             this.logger,
             singleFileComponentRecorder,
             projectRootDirectory.FullName,
-            record);
+            record,
+            cancellationToken);
 
         return true;
     }
 
     private void RecordBuildDependencies(string goListOutput, ISingleFileComponentRecorder singleFileComponentRecorder, string projectRootDirectoryFullName)
     {
         var goBuildModules = new List<GoBuildModule>();
-        var reader = new JsonTextReader(new StringReader(goListOutput))
-        {
-            SupportMultipleContent = true,
-        };
 
         using var record = new GoReplaceTelemetryRecord();
 
-        while (reader.Read())
+        // Go CLI outputs multiple JSON objects (not an array), so we need to parse them one by one
+        var utf8Bytes = Encoding.UTF8.GetBytes(goListOutput);
+        var remaining = utf8Bytes.AsSpan();
+        while (!remaining.IsEmpty)
         {
-            var serializer = new JsonSerializer();
-            var buildModule = serializer.Deserialize<GoBuildModule>(reader);
+            var reader = new Utf8JsonReader(remaining);
+            try
+            {
+                var buildModule = JsonSerializer.Deserialize<GoBuildModule>(ref reader);
+                if (buildModule != null)
+                {
+                    goBuildModules.Add(buildModule);
+                }
 
-            goBuildModules.Add(buildModule);
+                // Move past the consumed bytes plus any whitespace
+                var consumed = (int)reader.BytesConsumed;
+                remaining = remaining[consumed..];
+            }
+            catch (JsonException ex)
+            {
+                this.logger.LogWarning("Failed to parse Go build module JSON: {ErrorMessage}", ex.Message);
+                break;
+            }
         }
 
         foreach (var dependency in goBuildModules)

src/Microsoft.ComponentDetection.Detectors/go/Parsers/GoModParser.cs

@@ -5,6 +5,7 @@ namespace Microsoft.ComponentDetection.Detectors.Go;
 using System.Collections.Generic;
 using System.IO;
 using System.Text.RegularExpressions;
+using System.Threading;
 using System.Threading.Tasks;
 using Microsoft.ComponentDetection.Common.Telemetry.Records;
 using Microsoft.ComponentDetection.Contracts;
@@ -71,7 +72,8 @@ private static void HandleReplaceDirective(
     public async Task<bool> ParseAsync(
         ISingleFileComponentRecorder singleFileComponentRecorder,
         IComponentStream file,
-        GoGraphTelemetryRecord record)
+        GoGraphTelemetryRecord record,
+        CancellationToken cancellationToken = default)
     {
         // Collect replace directives
         var (replacePathDirectives, moduleReplacements) = await this.GetAllReplaceDirectivesAsync(file);
@@ -84,7 +86,7 @@ public async Task<bool> ParseAsync(
         // There can be multiple require( ) sections in go 1.17+. loop over all of them.
         while (!reader.EndOfStream)
         {
-            var line = await reader.ReadLineAsync();
+            var line = await reader.ReadLineAsync(cancellationToken);
 
             while (line != null && !line.StartsWith("require ("))
             {
@@ -100,11 +102,11 @@ public async Task<bool> ParseAsync(
                     this.TryRegisterDependencyFromModLine(file, line[StartString.Length..], singleFileComponentRecorder, replacePathDirectives, moduleReplacements);
                 }
 
-                line = await reader.ReadLineAsync();
+                line = await reader.ReadLineAsync(cancellationToken);
             }
 
             // Stopping at the first ) restrict the detection to only the require section.
-            while ((line = await reader.ReadLineAsync()) != null && !line.EndsWith(')'))
+            while ((line = await reader.ReadLineAsync(cancellationToken)) != null && !line.EndsWith(')'))
             {
                 this.TryRegisterDependencyFromModLine(file, line, singleFileComponentRecorder, replacePathDirectives, moduleReplacements);
             }

src/Microsoft.ComponentDetection.Detectors/go/Parsers/GoSumParser.cs

@@ -3,6 +3,7 @@ namespace Microsoft.ComponentDetection.Detectors.Go;
 
 using System.IO;
 using System.Text.RegularExpressions;
+using System.Threading;
 using System.Threading.Tasks;
 using Microsoft.ComponentDetection.Common.Telemetry.Records;
 using Microsoft.ComponentDetection.Contracts;
@@ -24,12 +25,13 @@ public class GoSumParser : IGoParser
     public async Task<bool> ParseAsync(
         ISingleFileComponentRecorder singleFileComponentRecorder,
         IComponentStream file,
-        GoGraphTelemetryRecord record)
+        GoGraphTelemetryRecord record,
+        CancellationToken cancellationToken = default)
     {
         using var reader = new StreamReader(file.Stream);
 
         string line;
-        while ((line = await reader.ReadLineAsync()) != null)
+        while ((line = await reader.ReadLineAsync(cancellationToken)) != null)
         {
             if (this.TryToCreateGoComponentFromSumLine(line, out var goComponent))
             {

src/Microsoft.ComponentDetection.Detectors/go/Parsers/IGoParser.cs

@@ -1,11 +1,12 @@
 #nullable disable
 namespace Microsoft.ComponentDetection.Detectors.Go;
 
+using System.Threading;
 using System.Threading.Tasks;
 using Microsoft.ComponentDetection.Common.Telemetry.Records;
 using Microsoft.ComponentDetection.Contracts;
 
 public interface IGoParser
 {
-    Task<bool> ParseAsync(ISingleFileComponentRecorder singleFileComponentRecorder, IComponentStream file, GoGraphTelemetryRecord record);
+    Task<bool> ParseAsync(ISingleFileComponentRecorder singleFileComponentRecorder, IComponentStream file, GoGraphTelemetryRecord record, CancellationToken cancellationToken = default);
 }

src/Microsoft.ComponentDetection.Detectors/vcpkg/Contracts/Annotation.cs

@@ -2,14 +2,19 @@
 namespace Microsoft.ComponentDetection.Detectors.Vcpkg.Contracts;
 
 using System;
+using System.Text.Json.Serialization;
 
 public class Annotation
 {
+    [JsonPropertyName("annotationDate")]
     public DateTime Date { get; set; }
 
+    [JsonPropertyName("comment")]
     public string Comment { get; set; }
 
+    [JsonPropertyName("annotationType")]
     public string Type { get; set; }
 
+    [JsonPropertyName("annotator")]
     public string Annotator { get; set; }
 }

src/Microsoft.ComponentDetection.Detectors/vcpkg/Contracts/ManifestInfo.cs

@@ -2,11 +2,9 @@
 namespace Microsoft.ComponentDetection.Detectors.Vcpkg.Contracts;
 
 using System.Text.Json.Serialization;
-using Newtonsoft.Json;
 
 public class ManifestInfo
 {
-    [JsonProperty("manifest-path")]
     [JsonPropertyName("manifest-path")]
     public string ManifestPath { get; set; }
 }

src/Microsoft.ComponentDetection.Detectors/vcpkg/Contracts/Package.cs

@@ -1,21 +1,31 @@
 #nullable disable
 namespace Microsoft.ComponentDetection.Detectors.Vcpkg.Contracts;
 
+using System.Text.Json.Serialization;
+
 public class Package
 {
+    [JsonPropertyName("SPDXID")]
     public string SPDXID { get; set; }
 
+    [JsonPropertyName("versionInfo")]
     public string VersionInfo { get; set; }
 
+    [JsonPropertyName("downloadLocation")]
     public string DownloadLocation { get; set; }
 
+    [JsonPropertyName("packageFileName")]
     public string Filename { get; set; }
 
+    [JsonPropertyName("homepage")]
     public string Homepage { get; set; }
 
+    [JsonPropertyName("description")]
     public string Description { get; set; }
 
+    [JsonPropertyName("name")]
     public string Name { get; set; }
 
+    [JsonPropertyName("annotations")]
     public Annotation[] Annotations { get; set; }
 }

src/Microsoft.ComponentDetection.Detectors/vcpkg/Contracts/VcpkgSBOM.cs

@@ -1,12 +1,16 @@
 #nullable disable
 namespace Microsoft.ComponentDetection.Detectors.Vcpkg.Contracts;
 
+using System.Text.Json.Serialization;
+
 /// <summary>
 /// Matches a subset of https://raw.githubusercontent.com/spdx/spdx-spec/v2.2.1/schemas/spdx-schema.json.
 /// </summary>
 public class VcpkgSBOM
 {
+    [JsonPropertyName("packages")]
     public Package[] Packages { get; set; }
 
+    [JsonPropertyName("name")]
     public string Name { get; set; }
 }

src/Microsoft.ComponentDetection.Detectors/vcpkg/VcpkgComponentDetector.cs

@@ -7,14 +7,14 @@ namespace Microsoft.ComponentDetection.Detectors.Vcpkg;
 using System.IO;
 using System.Linq;
 using System.Reactive.Linq;
+using System.Text.Json;
 using System.Threading;
 using System.Threading.Tasks;
 using Microsoft.ComponentDetection.Contracts;
 using Microsoft.ComponentDetection.Contracts.Internal;
 using Microsoft.ComponentDetection.Contracts.TypedComponent;
 using Microsoft.ComponentDetection.Detectors.Vcpkg.Contracts;
 using Microsoft.Extensions.Logging;
-using Newtonsoft.Json;
 
 public class VcpkgComponentDetector : FileComponentDetector
 {
@@ -83,7 +83,7 @@ await processRequests.ForEachAsync(async pr =>
                 using (var reader = new StreamReader(pr.ComponentStream.Stream))
                 {
                     var contents = await reader.ReadToEndAsync().ConfigureAwait(false);
-                    var manifestData = JsonConvert.DeserializeObject<ManifestInfo>(contents);
+                    var manifestData = JsonSerializer.Deserialize<ManifestInfo>(contents);
 
                     if (manifestData == null || string.IsNullOrWhiteSpace(manifestData.ManifestPath))
                     {
@@ -112,7 +112,7 @@ private async Task ParseSpdxFileAsync(
         VcpkgSBOM sbom;
         try
         {
-            sbom = JsonConvert.DeserializeObject<VcpkgSBOM>(await reader.ReadToEndAsync());
+            sbom = JsonSerializer.Deserialize<VcpkgSBOM>(await reader.ReadToEndAsync());
         }
         catch (Exception)
         {