From e68ec18db8ba2b871381c836188b773455740280 Mon Sep 17 00:00:00 2001
From: Patrick
Date: Wed, 24 Sep 2025 12:32:09 +0200
Subject: [PATCH] parse response string to object
Signed-off-by: Patrick
---
 hooks/persistence-dependencytrack/hook/hook.js | 11 ++++++++++-
 .../hook/hook.test.js | 16 ++++++++++++----
 2 files changed, 22 insertions(+), 5 deletions(-)
diff --git a/hooks/persistence-dependencytrack/hook/hook.js b/hooks/persistence-dependencytrack/hook/hook.js
index b0974e02f2..de8b4bc5b4 100644
--- a/hooks/persistence-dependencytrack/hook/hook.js
+++ b/hooks/persistence-dependencytrack/hook/hook.js
@@ -15,7 +15,16 @@ export async function handle({
 return;
 }
- const result = await getRawResults();
+ const rawResult = await getRawResults();
+
+ let result;
+ try {
+ result = JSON.parse(rawResult);
+ } catch {
+ console.log("Response is not a valid json object.");
+ return;
+ }
+
 if (result.bomFormat !== "CycloneDX") {
 // Not a CycloneDX SBOM, cannot be handled by Dependency-Track, ignore
 console.log(
diff --git a/hooks/persistence-dependencytrack/hook/hook.test.js b/hooks/persistence-dependencytrack/hook/hook.test.js
index b9a41bf0ae..64018b91b5 100644
--- a/hooks/persistence-dependencytrack/hook/hook.test.js
+++ b/hooks/persistence-dependencytrack/hook/hook.test.js
@@ -18,7 +18,9 @@ beforeEach(() => {
 test("should not send a post request if not an SBOM scan", async () => {
 const result = {};
- const getRawResults = async () => result;
+ const stringResult = JSON.stringify(result);
+
+ const getRawResults = async () => stringResult;
 const scan = {
 metadata: {
@@ -53,7 +55,9 @@ test("should not send a post request if not a CycloneDX SBOM", async () => {
 },
 };
- const getRawResults = async () => result;
+ const stringResult = JSON.stringify(result);
+
+ const getRawResults = async () => stringResult;
 // technically we're saying here that this scan is a CycloneDX scan even though we're then sending something looking like an SPDX SBOM
 const scan = {
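Review bot: After `JSON.parse` succeeds, `result.bomFormat` is read without checking that `result` is an object; valid JSON such as `null` parses cleanly and the property access right after the new try/catch then throws a TypeError. A guard such as `if (result === null || typeof result !== "object") return;` before the `bomFormat` check would cover that. The `catch` also discards the exception and logs through `console.log` before returning normally, so a raw result that fails to parse presumably ends as a successful hook run with nothing sent to Dependency-Track; `} catch (err) {` with `console.error("Raw result is not valid JSON:", err.message);` would make the missing upload visible in the hook log. `handle` starts and ends outside this hunk, so whether a throw would be the better failure signal cannot be confirmed from the visible lines.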
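Review bot: None of the updated tests reaches the new `catch` branch in hook.js, because every `getRawResults` stub here (and in the hunks at -53, -84 and -169) returns `JSON.stringify(result)`, which always parses. A further case with `const getRawResults = async () => "not json";` that asserts no post request is sent would pin the skip-on-invalid-input behaviour. The pair `const stringResult = JSON.stringify(result);` / `const getRawResults = async () => stringResult;` is repeated in all four hunks and could become one small helper at the top of the file. The test bodies continue outside the hunks.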
@@ -84,7 +88,9 @@ test("should send a post request to the url when fired", async () => {
 },
 };
- const getRawResults = async () => result;
+ const stringResult = JSON.stringify(result);
+
+ const getRawResults = async () => stringResult;
 const scan = {
 metadata: {
@@ -169,7 +175,9 @@ test.each([
 },
 };
- const getRawResults = async () => result;
+ const stringResult = JSON.stringify(result);
+
+ const getRawResults = async () => stringResult;
 const scan = {
 metadata: {