v0.81.0 crashing parsing some images #1837

Closed
thespad opened this issue May 23, 2023 · 3 comments · Fixed by #1839
Labels
bug Something isn't working

Comments

thespad commented May 23, 2023

What happened:
Syft v0.81.0 is crashing when parsing some Docker images.

What you expected to happen:
Syft should not crash when parsing images.

Steps to reproduce the issue:

docker run --rm -it -v /var/run/docker.sock:/var/run/docker.sock -v ~/syft:/out/ docker.io/anchore/syft:v0.81.0 lscr.io/linuxserver/webtop:alpine-openbox -o json=/out/packages.json

The same image does not exhibit issues when running v0.80.0 against it. Equally, running v0.81.0 against a similar image does not crash:

docker run --rm -it -v /var/run/docker.sock:/var/run/docker.sock -v ~/syft:/out/ docker.io/anchore/syft:v0.81.0 lscr.io/linuxserver/webtop:alpine-mate -o json=/out/packages.json

lscr.io/linuxserver/webtop:alpine-kde is another image that we have seen exhibiting this behaviour.
Anything else we need to know?:

 ✔ Loaded image            
 ✔ Parsed image            
 ✔ Cataloged packages      [604 packages]
2023/05/23 13:20:21 error during command execution: 1 error occurred:
        * runtime error: invalid memory address or nil pointer dereference at:
goroutine 64 [running]:
runtime/debug.Stack()
        /opt/hostedtoolcache/go/1.19.9/x64/src/runtime/debug/stack.go:24 +0x65
github.com/anchore/syft/syft/pkg/cataloger.runCataloger.func1()
        /home/runner/work/syft/syft/syft/pkg/cataloger/catalog.go:57 +0x45
panic({0x1385e80, 0x24b3c20})
        /opt/hostedtoolcache/go/1.19.9/x64/src/runtime/panic.go:884 +0x212
github.com/github/go-spdx/v2/spdxexp.(*tokenStream).parseOperator(...)
        /home/runner/go/pkg/mod/github.com/github/go-spdx/[email protected]/spdxexp/parse.go:364
github.com/github/go-spdx/v2/spdxexp.(*tokenStream).parseParenthesizedExpression(0xc00056e790?)
        /home/runner/go/pkg/mod/github.com/github/go-spdx/[email protected]/spdxexp/parse.go:97 +0x64
github.com/github/go-spdx/v2/spdxexp.(*tokenStream).parseAtom(0xc00056e790)
        /home/runner/go/pkg/mod/github.com/github/go-spdx/[email protected]/spdxexp/parse.go:124 +0x25
github.com/github/go-spdx/v2/spdxexp.(*tokenStream).parseAnd(0xc00056e790)
        /home/runner/go/pkg/mod/github.com/github/go-spdx/[email protected]/spdxexp/parse.go:238 +0x25
github.com/github/go-spdx/v2/spdxexp.(*tokenStream).parseExpression(0xc00056e790)
        /home/runner/go/pkg/mod/github.com/github/go-spdx/[email protected]/spdxexp/parse.go:191 +0x25
github.com/github/go-spdx/v2/spdxexp.(*tokenStream).parseParenthesizedExpression(0xc00056e790)
        /home/runner/go/pkg/mod/github.com/github/go-spdx/[email protected]/spdxexp/parse.go:103 +0x12e
github.com/github/go-spdx/v2/spdxexp.(*tokenStream).parseAtom(0xc00056e790)
        /home/runner/go/pkg/mod/github.com/github/go-spdx/[email protected]/spdxexp/parse.go:124 +0x25
github.com/github/go-spdx/v2/spdxexp.(*tokenStream).parseAnd(0xc00056e790)
        /home/runner/go/pkg/mod/github.com/github/go-spdx/[email protected]/spdxexp/parse.go:238 +0x25
github.com/github/go-spdx/v2/spdxexp.(*tokenStream).parseExpression(0xc00056e790)
        /home/runner/go/pkg/mod/github.com/github/go-spdx/[email protected]/spdxexp/parse.go:191 +0x25
github.com/github/go-spdx/v2/spdxexp.(*tokenStream).parseTokens(0xc00056e790)
        /home/runner/go/pkg/mod/github.com/github/go-spdx/[email protected]/spdxexp/parse.go:38 +0x7c
github.com/github/go-spdx/v2/spdxexp.parse({0xc00534d622?, 0x76?})
        /home/runner/go/pkg/mod/github.com/github/go-spdx/[email protected]/spdxexp/parse.go:28 +0x6c
github.com/github/go-spdx/v2/spdxexp.ValidateLicenses({0xc00056e898?, 0x1, 0xc00534d622?})
        /home/runner/go/pkg/mod/github.com/github/go-spdx/[email protected]/spdxexp/satisfies.go:15 +0xc7
github.com/anchore/syft/syft/license.ParseExpression({0xc00534d622, 0x1})
        /home/runner/work/syft/syft/syft/license/license.go:29 +0x85
github.com/anchore/syft/syft/pkg.NewLicense({0xc00534d622, 0x1})
        /home/runner/work/syft/syft/syft/pkg/license.go:63 +0x53
github.com/anchore/syft/syft/pkg.NewLicenseFromLocations({0xc00534d622?, 0xc00056eef0?}, {0xc00056eef0, 0x1, 0x0?})
        /home/runner/work/syft/syft/syft/pkg/license.go:110 +0x5e
github.com/anchore/syft/syft/pkg.NewLicensesFromLocation(...)
        /home/runner/work/syft/syft/syft/pkg/license.go:104
github.com/anchore/syft/syft/pkg/cataloger/apkdb.newPackage({{0xc00534d622, 0x52}, {{0xc000ac3a2a, 0xf}, {0xc000ac3a5a, 0xf}, {0xc00334d532, 0x23}, {0xc000ac3a42, 0x15}, ...}}, ...)
        /home/runner/work/syft/syft/syft/pkg/cataloger/apkdb/package.go:26 +0x691
github.com/anchore/syft/syft/pkg/cataloger/apkdb.parseApkDB({0x1aa7b08, 0xc0000121c0}, 0xc00019c4a8, {{{{{...}, {...}}, {0xc004294390, 0x15}, {0x2f7f, {...}}}, {0xc00428ba40}}, ...})
        /home/runner/work/syft/syft/syft/pkg/cataloger/apkdb/parse_apk_db.go:131 +0xa85
github.com/anchore/syft/syft/pkg/cataloger/generic.(*Cataloger).Catalog(0xc0053adec0, {0x1aa7b08, 0xc0000121c0})
        /home/runner/work/syft/syft/syft/pkg/cataloger/generic/cataloger.go:129 +0x76e
github.com/anchore/syft/syft/pkg/cataloger.runCataloger({0x1a9c038, 0xc0053adec0}, {0x1aa7b08?, 0xc0000121c0})
        /home/runner/work/syft/syft/syft/pkg/cataloger/catalog.go:65 +0x1fa
github.com/anchore/syft/syft/pkg/cataloger.Catalog.func1()
        /home/runner/work/syft/syft/syft/pkg/cataloger/catalog.go:139 +0x105
created by github.com/anchore/syft/syft/pkg/cataloger.Catalog
        /home/runner/work/syft/syft/syft/pkg/cataloger/catalog.go:134 +0x34a

Interestingly, the package file is still output, at least in part (attached, JSON):
openbox-packages.txt

Environment:

  • Output of syft version:
Application:        syft
Version:            0.81.0
JsonSchemaVersion:  8.0.0
BuildDate:          2023-05-22T14:04:53Z
GitCommit:          334a775cb9cd6bf50033de1bb3aa04f46b669f5d
GitDescription:     v0.81.0
Platform:           linux/amd64
GoVersion:          go1.19.9
Compiler:           gc
  • OS (e.g: cat /etc/os-release or similar):
    Ubuntu 22.04

docker version

Client: Docker Engine - Community
 Version:           24.0.1
 API version:       1.43
 Go version:        go1.20.4
 Git commit:        6802122
 Built:             Fri May 19 18:06:21 2023
 OS/Arch:           linux/amd64
 Context:           default

Server: Docker Engine - Community
 Engine:
  Version:          24.0.1
  API version:      1.43 (minimum version 1.12)
  Go version:       go1.20.4
  Git commit:       463850e
  Built:            Fri May 19 18:06:21 2023
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.6.21
  GitCommit:        3dce8eb055cbb6872793272b4f20ed16117344f8
 runc:
  Version:          1.1.7
  GitCommit:        v1.1.7-0-g860f061
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0
@thespad thespad added the bug Something isn't working label May 23, 2023
@tgerla tgerla added this to OSS May 23, 2023
spiffcs commented May 23, 2023

Thanks @thespad for filing the issue quickly on this one. It looks like the panic is happening when using github.com/github/go-spdx/v2 to parse a license expression from this image.

I'll take two actions here and try to turn them around ASAP.

  1. Now that we know this function can panic in this way I'll add some defer and recover logic to get a patch out first thing
  2. I'll investigate the image and see which statement is causing the panic and try to get a patch filed downstream

Sorry for the inconvenience here and I really appreciate the report!
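
The defer/recover approach from item 1, as an added Go example that is not syft's or go-spdx's code: `naiveParse` is a hypothetical stand-in for a license-expression parser that dereferences a nil token after a trailing operator (the same failure class as the trace above), `safeParse` turns that panic into an ordinary error, and `catalogLicenses` shows the catalog run finishing the remaining packages instead of aborting.

```go
package main

import "fmt"
import "strings"

type token struct{ text string }

// naiveParse is a hypothetical stand-in for a license-expression parser (not go-spdx's
// code). After AND/OR it dereferences the next token without checking one exists, so a
// trailing operator hits the nil end-of-stream sentinel: a nil pointer dereference panic.
func naiveParse(expr string) []string {
	var toks []*token
	for _, f := range strings.Fields(expr) {
		toks = append(toks, &token{text: f})
	}
	toks = append(toks, nil) // end-of-stream sentinel
	var ids []string
	for i := 0; toks[i] != nil; i++ {
		if toks[i].text == "AND" || toks[i].text == "OR" {
			i++
			ids = append(ids, toks[i].text) // BUG: no end-of-stream check before deref
		} else {
			ids = append(ids, toks[i].text)
		}
	}
	return ids
}

// safeParse wraps the parser in defer/recover so a panic becomes an error the caller can log.
func safeParse(expr string) (ids []string, err error) {
	defer func() {
		if r := recover(); r != nil {
			ids, err = nil, fmt.Errorf("license expression %q: %v", expr, r)
		}
	}()
	return naiveParse(expr), nil
}

// catalogLicenses mirrors the cataloger loop: bad expressions are collected, the rest cataloged.
func catalogLicenses(exprs []string) (parsed map[string][]string, errs []error) {
	parsed = map[string][]string{}
	for _, e := range exprs {
		if ids, err := safeParse(e); err != nil {
			errs = append(errs, err)
		} else {
			parsed[e] = ids
		}
	}
	return parsed, errs
}
```

With the constructed input `{"MIT", "MIT AND Apache-2.0", "GPL-2.0-only OR"}`, two expressions are cataloged and the third is reported as a recovered runtime error rather than crashing the process.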

spiffcs commented May 23, 2023

@thespad just a quick follow-up since this was closed by our bot: we have released a new version of syft that fixes this panic, and you should not see this behavior going forward with the newest release.

thespad commented May 23, 2023

Thanks for the quick turnaround, I'll run some tests against the affected images and make sure everything looks good.