aquasecurity
diff --git a/‎go.mod
+1-1 b/‎go.mod
+1-1
diff --git a/‎go.sum
+2-2 b/‎go.sum
+2-2
diff --git a/‎pkg/dependency/parser/c/conan/parse.go
+19-49 b/‎pkg/dependency/parser/c/conan/parse.go
+19-49
diff --git a/‎pkg/dependency/parser/dotnet/core_deps/parse.go
+8-31 b/‎pkg/dependency/parser/dotnet/core_deps/parse.go
+8-31
diff --git a/‎pkg/dependency/parser/dotnet/core_deps/parse_test.go
+1-1 b/‎pkg/dependency/parser/dotnet/core_deps/parse_test.go
+1-1
diff --git a/‎pkg/dependency/parser/nodejs/npm/parse.go
+7-45 b/‎pkg/dependency/parser/nodejs/npm/parse.go
+7-45
@@ -48,7 +48,7 @@ require (
 	github.com/docker/go-units v0.5.0
 	github.com/fatih/color v1.18.0
 	github.com/go-git/go-git/v5 v5.14.0
-	github.com/go-json-experiment/json v0.0.0-20250211171154-1ae217ad3535 // Replace with encoding/json/v2 when proposal is accepted. Track https://github.com/golang/go/issues/71497
+	github.com/go-json-experiment/json v0.0.0-20250223041408-d3c622f1b874 // Replace with encoding/json/v2 when proposal is accepted. Track https://github.com/golang/go/issues/71497
 	github.com/go-openapi/runtime v0.28.0 // indirect
 	github.com/go-openapi/strfmt v0.23.0 // indirect
 	github.com/go-redis/redis/v8 v8.11.5
 
@@ -1127,8 +1127,8 @@ github.com/go-jose/go-jose/v3 v3.0.3 h1:fFKWeig/irsp7XD2zBxvnmA/XaRWp5V3CBsZXJF7
 github.com/go-jose/go-jose/v3 v3.0.3/go.mod h1:5b+7YgP7ZICgJDBdfjZaIt+H/9L9T/YQrVfLAMboGkQ=
 github.com/go-jose/go-jose/v4 v4.0.5 h1:M6T8+mKZl/+fNNuFHvGIzDz7BTLQPIounk/b9dw3AaE=
 github.com/go-jose/go-jose/v4 v4.0.5/go.mod h1:s3P1lRrkT8igV8D9OjyL4WRyHvjB6a4JSllnOrmmBOA=
-github.com/go-json-experiment/json v0.0.0-20250211171154-1ae217ad3535 h1:yE7argOs92u+sSCRgqqe6eF+cDaVhSPlioy1UkA0p/w=
-github.com/go-json-experiment/json v0.0.0-20250211171154-1ae217ad3535/go.mod h1:BWmvoE1Xia34f3l/ibJweyhrT+aROb/FQ6d+37F0e2s=
+github.com/go-json-experiment/json v0.0.0-20250223041408-d3c622f1b874 h1:F8d1AJ6M9UQCavhwmO6ZsrYLfG8zVFWfEfMS2MXPkSY=
+github.com/go-json-experiment/json v0.0.0-20250223041408-d3c622f1b874/go.mod h1:TiCD2a1pcmjd7YnhGH0f/zKNcCD06B029pHhzV23c2M=
 github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-latex/latex v0.0.0-20210118124228-b3d85cf34e07/go.mod h1:CO1AlKB2CSIqUrmQPqA0gdRIlnLEY0gK5JGjh37zN5U=
 github.com/go-latex/latex v0.0.0-20210823091927-c0d11ff05a81/go.mod h1:SX0U8uGpxhq9o2S/CELCSUxEWWAuoCUcVCQWv7G2OCk=
 
@@ -1,18 +1,19 @@
 package conan
 
 import (
-	"io"
 	"slices"
 	"strings"
 
+	"github.com/go-json-experiment/json"
+	"github.com/go-json-experiment/json/jsontext"
 	"github.com/samber/lo"
 	"golang.org/x/xerrors"
 
-	"github.com/aquasecurity/jfather"
 	"github.com/aquasecurity/trivy/pkg/dependency"
 	ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
 	"github.com/aquasecurity/trivy/pkg/log"
 	xio "github.com/aquasecurity/trivy/pkg/x/io"
+	xjson "github.com/aquasecurity/trivy/pkg/x/json"
 )
 
 type LockFile struct {
@@ -25,19 +26,20 @@ type GraphLock struct {
 }
 
 type Node struct {
-	Ref       string   `json:"ref"`
-	Requires  []string `json:"requires"`
-	StartLine int
-	EndLine   int
+	Ref      string   `json:"ref"`
+	Requires []string `json:"requires"`
+	xjson.Location
 }
+type Requires []Require
 
 type Require struct {
 	Dependency string
-	StartLine  int
-	EndLine    int
+	xjson.Location
 }
 
-type Requires []Require
+func (r *Require) UnmarshalJSONFrom(dec *jsontext.Decoder) error {
+	return json.UnmarshalDecode(dec, &r.Dependency)
+}
 
 type Parser struct {
 	logger *log.Logger
@@ -63,7 +65,7 @@ func (p *Parser) parseV1(lock LockFile) ([]ftypes.Package, []ftypes.Dependency,
 		if node.Ref == "" {
 			continue
 		}
-		pkg, err := toPackage(node.Ref, node.StartLine, node.EndLine)
+		pkg, err := toPackage(node.Ref, node.Location)
 		if err != nil {
 			p.logger.Debug("Parse ref error", log.Err(err))
 			continue
@@ -105,7 +107,7 @@ func (p *Parser) parseV2(lock LockFile) ([]ftypes.Package, []ftypes.Dependency,
 	var pkgs []ftypes.Package
 
 	for _, req := range lock.Requires {
-		pkg, err := toPackage(req.Dependency, req.StartLine, req.EndLine)
+		pkg, err := toPackage(req.Dependency, req.Location)
 		if err != nil {
 			p.logger.Debug("Creating package entry from requirement failed", log.Err(err))
 			continue
@@ -118,12 +120,7 @@ func (p *Parser) parseV2(lock LockFile) ([]ftypes.Package, []ftypes.Dependency,
 
 func (p *Parser) Parse(r xio.ReadSeekerAt) ([]ftypes.Package, []ftypes.Dependency, error) {
 	var lock LockFile
-
-	input, err := io.ReadAll(r)
-	if err != nil {
-		return nil, nil, xerrors.Errorf("failed to read conan lock file: %w", err)
-	}
-	if err := jfather.Unmarshal(input, &lock); err != nil {
+	if err := xjson.UnmarshalRead(r, &lock); err != nil {
 		return nil, nil, xerrors.Errorf("failed to decode conan lock file: %w", err)
 	}
 
@@ -152,42 +149,15 @@ func parsePackage(text string) (string, string, error) {
 	return ss[0], ss[1], nil
 }
 
-func toPackage(pkg string, startLine, endLine int) (ftypes.Package, error) {
+func toPackage(pkg string, location xjson.Location) (ftypes.Package, error) {
 	name, version, err := parsePackage(pkg)
 	if err != nil {
 		return ftypes.Package{}, err
 	}
 	return ftypes.Package{
-		ID:      dependency.ID(ftypes.Conan, name, version),
-		Name:    name,
-		Version: version,
-		Locations: []ftypes.Location{
-			{
-				StartLine: startLine,
-				EndLine:   endLine,
-			},
-		},
+		ID:        dependency.ID(ftypes.Conan, name, version),
+		Name:      name,
+		Version:   version,
+		Locations: []ftypes.Location{ftypes.Location(location)},
 	}, nil
 }
-
-// UnmarshalJSONWithMetadata needed to detect start and end lines of deps
-func (n *Node) UnmarshalJSONWithMetadata(node jfather.Node) error {
-	if err := node.Decode(&n); err != nil {
-		return err
-	}
-	// Decode func will overwrite line numbers if we save them first
-	n.StartLine = node.Range().Start.Line
-	n.EndLine = node.Range().End.Line
-	return nil
-}
-
-func (r *Require) UnmarshalJSONWithMetadata(node jfather.Node) error {
-	var dep string
-	if err := node.Decode(&dep); err != nil {
-		return err
-	}
-	r.Dependency = dep
-	r.StartLine = node.Range().Start.Line
-	r.EndLine = node.Range().End.Line
-	return nil
-}
@@ -1,19 +1,18 @@
 package core_deps
 
 import (
-	"io"
 	"sort"
 	"strings"
 	"sync"
 
 	"github.com/samber/lo"
 	"golang.org/x/xerrors"
 
-	"github.com/aquasecurity/jfather"
 	"github.com/aquasecurity/trivy/pkg/dependency"
 	ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
 	"github.com/aquasecurity/trivy/pkg/log"
 	xio "github.com/aquasecurity/trivy/pkg/x/io"
+	xjson "github.com/aquasecurity/trivy/pkg/x/json"
 )
 
 type dotNetDependencies struct {
@@ -23,9 +22,8 @@ type dotNetDependencies struct {
 }
 
 type dotNetLibrary struct {
-	Type      string `json:"type"`
-	StartLine int
-	EndLine   int
+	Type string `json:"type"`
+	xjson.Location
 }
 
 type RuntimeTarget struct {
@@ -52,12 +50,7 @@ func NewParser() *Parser {
 
 func (p *Parser) Parse(r xio.ReadSeekerAt) ([]ftypes.Package, []ftypes.Dependency, error) {
 	var depsFile dotNetDependencies
-
-	input, err := io.ReadAll(r)
-	if err != nil {
-		return nil, nil, xerrors.Errorf("read error: %w", err)
-	}
-	if err = jfather.Unmarshal(input, &depsFile); err != nil {
+	if err := xjson.UnmarshalRead(r, &depsFile); err != nil {
 		return nil, nil, xerrors.Errorf("failed to decode .deps.json file: %w", err)
 	}
 
@@ -87,15 +80,10 @@ func (p *Parser) Parse(r xio.ReadSeekerAt) ([]ftypes.Package, []ftypes.Dependenc
 		}
 
 		pkgs = append(pkgs, ftypes.Package{
-			ID:      dependency.ID(ftypes.DotNetCore, split[0], split[1]),
-			Name:    split[0],
-			Version: split[1],
-			Locations: []ftypes.Location{
-				{
-					StartLine: lib.StartLine,
-					EndLine:   lib.EndLine,
-				},
-			},
+			ID:        dependency.ID(ftypes.DotNetCore, split[0], split[1]),
+			Name:      split[0],
+			Version:   split[1],
+			Locations: []ftypes.Location{ftypes.Location(lib.Location)},
 		})
 	}
 
@@ -118,14 +106,3 @@ func (p *Parser) isRuntimeLibrary(targetLibs map[string]TargetLib, library strin
 	// Check that `runtime`, `runtimeTarget` and `native` sections are not empty
 	return !lo.IsEmpty(lib)
 }
-
-// UnmarshalJSONWithMetadata needed to detect start and end lines of deps
-func (t *dotNetLibrary) UnmarshalJSONWithMetadata(node jfather.Node) error {
-	if err := node.Decode(&t); err != nil {
-		return err
-	}
-	// Decode func will overwrite line numbers if we save them first
-	t.StartLine = node.Range().Start.Line
-	t.EndLine = node.Range().End.Line
-	return nil
-}
@@ -82,7 +82,7 @@ func TestParse(t *testing.T) {
 		{
 			name:    "sad path",
 			file:    "testdata/invalid.deps.json",
-			wantErr: "failed to decode .deps.json file: EOF",
+			wantErr: "failed to decode .deps.json file: jsontext: unexpected EOF within",
 		},
 	}
 
 
@@ -2,7 +2,6 @@ package npm
 
 import (
 	"fmt"
-	"io"
 	"maps"
 	"path"
 	"slices"
@@ -12,13 +11,13 @@ import (
 	"github.com/samber/lo"
 	"golang.org/x/xerrors"
 
-	"github.com/aquasecurity/jfather"
 	"github.com/aquasecurity/trivy/pkg/dependency"
 	"github.com/aquasecurity/trivy/pkg/dependency/parser/utils"
 	ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
 	"github.com/aquasecurity/trivy/pkg/log"
 	"github.com/aquasecurity/trivy/pkg/set"
 	xio "github.com/aquasecurity/trivy/pkg/x/io"
+	xjson "github.com/aquasecurity/trivy/pkg/x/json"
 )
 
 const nodeModulesDir = "node_modules"
@@ -34,8 +33,7 @@ type Dependency struct {
 	Dependencies map[string]Dependency `json:"dependencies"`
 	Requires     map[string]string     `json:"requires"`
 	Resolved     string                `json:"resolved"`
-	StartLine    int
-	EndLine      int
+	xjson.Location
 }
 
 type Package struct {
@@ -49,8 +47,7 @@ type Package struct {
 	Dev                  bool              `json:"dev"`
 	Link                 bool              `json:"link"`
 	Workspaces           []string          `json:"workspaces"`
-	StartLine            int
-	EndLine              int
+	xjson.Location
 }
 
 type Parser struct {
@@ -65,11 +62,7 @@ func NewParser() *Parser {
 
 func (p *Parser) Parse(r xio.ReadSeekerAt) ([]ftypes.Package, []ftypes.Dependency, error) {
 	var lockFile LockFile
-	input, err := io.ReadAll(r)
-	if err != nil {
-		return nil, nil, xerrors.Errorf("read error: %w", err)
-	}
-	if err := jfather.Unmarshal(input, &lockFile); err != nil {
+	if err := xjson.UnmarshalRead(r, &lockFile); err != nil {
 		return nil, nil, xerrors.Errorf("decode error: %w", err)
 	}
 
@@ -117,10 +110,6 @@ func (p *Parser) parseV2(packages map[string]Package) ([]ftypes.Package, []ftype
 		}
 
 		pkgID := packageID(pkgName, pkg.Version)
-		location := ftypes.Location{
-			StartLine: pkg.StartLine,
-			EndLine:   pkg.EndLine,
-		}
 
 		var ref ftypes.ExternalRef
 		if pkg.Resolved != "" {
@@ -145,7 +134,7 @@ func (p *Parser) parseV2(packages map[string]Package) ([]ftypes.Package, []ftype
 				sortExternalReferences(savedPkg.ExternalReferences)
 			}
 
-			savedPkg.Locations = append(savedPkg.Locations, location)
+			savedPkg.Locations = append(savedPkg.Locations, ftypes.Location(pkg.Location))
 			sort.Sort(savedPkg.Locations)
 
 			pkgs[pkgID] = savedPkg
@@ -159,7 +148,7 @@ func (p *Parser) parseV2(packages map[string]Package) ([]ftypes.Package, []ftype
 			Relationship:       lo.Ternary(pkgIndirect, ftypes.RelationshipIndirect, ftypes.RelationshipDirect),
 			Dev:                pkg.Dev,
 			ExternalReferences: lo.Ternary(ref.URL != "", []ftypes.ExternalRef{ref}, nil),
-			Locations:          []ftypes.Location{location},
+			Locations:          []ftypes.Location{ftypes.Location(pkg.Location)},
 		}
 		pkgs[pkgID] = newPkg
 
@@ -304,12 +293,7 @@ func (p *Parser) parseV1(dependencies map[string]Dependency, versions map[string
 					URL:  dep.Resolved,
 				},
 			},
-			Locations: []ftypes.Location{
-				{
-					StartLine: dep.StartLine,
-					EndLine:   dep.EndLine,
-				},
-			},
+			Locations: []ftypes.Location{ftypes.Location(dep.Location)},
 		}
 		pkgs = append(pkgs, pkg)
 
@@ -396,28 +380,6 @@ func joinPaths(paths ...string) string {
 	return strings.Join(paths, "/")
 }
 
-// UnmarshalJSONWithMetadata needed to detect start and end lines of deps for v1
-func (t *Dependency) UnmarshalJSONWithMetadata(node jfather.Node) error {
-	if err := node.Decode(&t); err != nil {
-		return err
-	}
-	// Decode func will overwrite line numbers if we save them first
-	t.StartLine = node.Range().Start.Line
-	t.EndLine = node.Range().End.Line
-	return nil
-}
-
-// UnmarshalJSONWithMetadata needed to detect start and end lines of deps for v2 or newer
-func (t *Package) UnmarshalJSONWithMetadata(node jfather.Node) error {
-	if err := node.Decode(&t); err != nil {
-		return err
-	}
-	// Decode func will overwrite line numbers if we save them first
-	t.StartLine = node.Range().Start.Line
-	t.EndLine = node.Range().End.Line
-	return nil
-}
-
 func packageID(name, version string) string {
 	return dependency.ID(ftypes.Npm, name, version)
 }
Original file line number	Diff line number	Diff line change
`@@ -82,7 +82,7 @@ func TestParse(t *testing.T) {`
`82`	`82`	`{`
`83`	`83`	`name: "sad path",`
`84`	`84`	`file: "testdata/invalid.deps.json",`
`85`		`- wantErr: "failed to decode .deps.json file: EOF",`
	`85`	`+ wantErr: "failed to decode .deps.json file: jsontext: unexpected EOF within",`
`86`	`86`	`},`
`87`	`87`	`}`
`88`	`88`