From c3fbfbeab5605e3e2d31dc9a8dd95e9ca7139145 Mon Sep 17 00:00:00 2001
From: Shulhan <ms@kilabit.info>
Date: Sun, 11 Jan 2026 14:19:41 +0700
Subject: all: fix slice bounds out of range when scanning dir

Using for-range and slices.Delete inside it will result an error
out-of-range if the slices deleted multiple times.
---
 spdxconv.go               | 28 +++++++++++++++-------------
 testdata/scan/aaa         |  1 +
 testdata/scan/aaa.license |  2 ++
 testdata/scan/zzz         |  1 +
 testdata/scan/zzz.license |  2 ++
 5 files changed, 21 insertions(+), 13 deletions(-)
 create mode 100644 testdata/scan/aaa
 create mode 100644 testdata/scan/aaa.license
 create mode 100644 testdata/scan/zzz
 create mode 100644 testdata/scan/zzz.license

diff --git a/spdxconv.go b/spdxconv.go
index dc0f31d..be13a2c 100644
--- a/spdxconv.go
+++ b/spdxconv.go
@@ -7,6 +7,7 @@ import (
 	"bytes"
 	"fmt"
 	"log"
+	"maps"
 	"os"
 	"path/filepath"
 	"slices"
@@ -19,6 +20,8 @@ import (
 // ConfigFile the file name for configuration file.
 const ConfigFile = `spdxconv.cfg`
 
+// File end with ".license" is SPDX specific file that contains only
+// identifiers.
 var suffixLicense = `.license`
 
 // SPDXConv the main type for converting files to SPDX format.
@@ -279,15 +282,13 @@ func (conv *SPDXConv) scanDir(listDir []string) (listFile []string, err error) {
 
 		listde, err = os.ReadDir(dir)
 		if err != nil {
-			return listFile, err
+			return nil, err
 		}
 
 		var listFileLicense = make(map[string]struct{})
-		var listName []string
+		var listNamePath = map[string]string{}
 		for _, de = range listde {
 			var name = de.Name()
-			// File end with ".license" is SPDX specific file that
-			// contains only identifiers.
 			if strings.HasSuffix(name, suffixLicense) {
 				listFileLicense[name] = struct{}{}
 				continue
@@ -299,22 +300,23 @@ func (conv *SPDXConv) scanDir(listDir []string) (listFile []string, err error) {
 			if ok {
 				continue
 			}
-			listName = append(listName, name)
-			name = filepath.Join(dir, name)
+			var fullpath = filepath.Join(dir, name)
 			if de.IsDir() {
-				listDir = append(listDir, name)
+				listDir = append(listDir, fullpath)
 				continue
 			}
-			listFile = append(listFile, name)
+			listNamePath[name] = fullpath
 		}
 		// Remove the file that have the spdx .license file.
-		for x, name := range listName {
-			_, ok = listFileLicense[name+suffixLicense]
-			if ok {
-				listFile = slices.Delete(listFile, x, x+1)
-			}
+		for name := range listFileLicense {
+			name = strings.TrimSuffix(name, suffixLicense)
+			delete(listNamePath, name)
+		}
+		for v := range maps.Values(listNamePath) {
+			listFile = append(listFile, v)
 		}
 	}
+	slices.Sort(listFile)
 	return listFile, nil
 }
 
diff --git a/testdata/scan/aaa b/testdata/scan/aaa
new file mode 100644
index 0000000..741876f
--- /dev/null
+++ b/testdata/scan/aaa
@@ -0,0 +1 @@
+Dummy file.
diff --git a/testdata/scan/aaa.license b/testdata/scan/aaa.license
new file mode 100644
index 0000000..7b4ad3f
--- /dev/null
+++ b/testdata/scan/aaa.license
@@ -0,0 +1,2 @@
+SPDX-License-Identifier: GPL-3.0-only
+SPDX-FileCopyrightText: 2026 M. Shulhan <ms@kilabit.info>
diff --git a/testdata/scan/zzz b/testdata/scan/zzz
new file mode 100644
index 0000000..741876f
--- /dev/null
+++ b/testdata/scan/zzz
@@ -0,0 +1 @@
+Dummy file.
diff --git a/testdata/scan/zzz.license b/testdata/scan/zzz.license
new file mode 100644
index 0000000..7b4ad3f
--- /dev/null
+++ b/testdata/scan/zzz.license
@@ -0,0 +1,2 @@
+SPDX-License-Identifier: GPL-3.0-only
+SPDX-FileCopyrightText: 2026 M. Shulhan <ms@kilabit.info>
-- 
cgit v1.3