
fix(java): Return error when trying to find a remote pom to avoid segfault #7275

Merged (2 commits), Jul 31, 2024

Conversation

coheigea
Contributor

@coheigea coheigea commented Jul 31, 2024

On updating from 0.52.x to 0.54.0, Trivy is segfaulting when scanning a Maven filesystem due to the changes in 1f8fca1.

"Nil" is returned for the error in remoteRepoRequest, and so in fetchPOMFromRemoteRepository it proceeds to client.Do with a null "req".

The fix just returns the error in remoteRepoRequest and so it's handled properly by the calling functions.

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x10 pc=0x69868fb]

goroutine 41 [running]:
net/http.(*Client).do(0xc000c76580?, 0x0)
	/opt/hostedtoolcache/go/1.22.5/x64/src/net/http/client.go:599 +0xbb
net/http.(*Client).Do(...)
	/opt/hostedtoolcache/go/1.22.5/x64/src/net/http/client.go:590
github.com/aquasecurity/trivy/pkg/dependency/parser/java/pom.(*Parser).fetchPOMFromRemoteRepository(0xc000c76580, {0xc002fc00e0?, 0xc002e7bd18?}, {0xc0010099e0?, 0xaff9300?, 0xc001e52070?})
	/home/runner/work/trivy/trivy/pkg/dependency/parser/java/pom/parse.go:746 +0x85
github.com/aquasecurity/trivy/pkg/dependency/parser/java/pom.(*Parser).fetchPOMFromRemoteRepositories(0xc000c76580, {0xc0010098c0, 0x6, 0x2?}, 0x0)
	/home/runner/work/trivy/trivy/pkg/dependency/parser/java/pom/parse.go:669 +0x291

@coheigea
Contributor Author

FAO @DmitriyLewen

@coheigea coheigea force-pushed the coheigea/pom-remote-repository branch from 7c058be to cef5525 Compare July 31, 2024 11:15
@coheigea coheigea changed the title Return error when trying to find a remote pom to avoid segfault fix(maven): Return error when trying to find a remote pom to avoid segfault Jul 31, 2024
@coheigea coheigea force-pushed the coheigea/pom-remote-repository branch from cef5525 to 2e12a61 Compare July 31, 2024 11:16
@coheigea coheigea changed the title fix(maven): Return error when trying to find a remote pom to avoid segfault fix(java): Return error when trying to find a remote pom to avoid segfault Jul 31, 2024
Contributor

@DmitriyLewen DmitriyLewen left a comment


Hello @coheigea
Thanks for the fast fix.

I'm worried that we'll stop checking out repos instead of moving on to checking out the next repo.

So I refactored a bit.
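The failure described in the PR description (a request builder that returned a nil request together with a nil error, so the caller handed nil to client.Do and crashed) and the reviewer's point above (an error in one repository should not stop the search, the next repository should still be tried), as an added Go example that is not Trivy's own code. The function names mirror those in the stack trace, but the signatures, the explicit nil guard in the caller, the constructed repository list and the served POM are all assumptions made for this illustration.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// remoteRepoRequest builds the GET request for a POM in one remote repository.
// Hypothetical stand-in for the function named in the PR: the point of the fix
// is that a repository URL we cannot use is reported as an error instead of
// silently yielding a nil request with a nil error.
func remoteRepoRequest(repo, pomPath string) (*http.Request, error) {
	u, err := url.Parse(repo)
	if err != nil {
		return nil, fmt.Errorf("parse repository %q: %w", repo, err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("repository %q: unsupported scheme %q", repo, u.Scheme)
	}
	u.Path = strings.TrimSuffix(u.Path, "/") + "/" + strings.TrimPrefix(pomPath, "/")
	req, err := http.NewRequest(http.MethodGet, u.String(), nil)
	if err != nil {
		return nil, fmt.Errorf("build request for %q: %w", u.String(), err)
	}
	return req, nil
}

// fetchPOMFromRemoteRepository fetches one POM. The nil check is an added
// defensive guard: http.Client.Do panics on a nil request, so a caller should
// never rely on the builder alone to keep that from happening.
func fetchPOMFromRemoteRepository(client *http.Client, repo, pomPath string) ([]byte, error) {
	req, err := remoteRepoRequest(repo, pomPath)
	if err != nil {
		return nil, err
	}
	if req == nil {
		return nil, errors.New("remoteRepoRequest returned neither a request nor an error")
	}
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("%s: HTTP %d", req.URL, resp.StatusCode)
	}
	return io.ReadAll(resp.Body)
}

// fetchPOMFromRemoteRepositories tries each repository in turn. A failure in one
// repository is collected and the search moves on to the next one; only when
// every repository has failed is the combined error returned.
func fetchPOMFromRemoteRepositories(client *http.Client, repos []string, pomPath string) ([]byte, error) {
	if len(repos) == 0 {
		return nil, errors.New("no remote repositories configured")
	}
	var errs []error
	for _, repo := range repos {
		body, err := fetchPOMFromRemoteRepository(client, repo, pomPath)
		if err == nil {
			return body, nil
		}
		errs = append(errs, err)
	}
	return nil, fmt.Errorf("POM %q not found in any remote repository: %w", pomPath, errors.Join(errs...))
}

// Constructed artifact used by the offline demo below (not a real project).
const demoPOMPath = "org/example/demo/1.0/demo-1.0.pom"
const demoPOM = `<project><groupId>org.example</groupId><artifactId>demo</artifactId><version>1.0</version></project>`

// newDemoServer serves the constructed POM under /repo and 404 everywhere else.
func newDemoServer() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path == "/repo/"+demoPOMPath {
			io.WriteString(w, demoPOM)
			return
		}
		http.NotFound(w, r)
	}))
}

// runDemo walks a constructed repository list: an unsupported scheme first,
// then a repository that lacks the artifact, then one that serves it.
func runDemo() (string, error) {
	srv := newDemoServer()
	defer srv.Close()
	repos := []string{"ftp://mirror.invalid/repo", srv.URL + "/empty", srv.URL + "/repo"}
	body, err := fetchPOMFromRemoteRepositories(srv.Client(), repos, demoPOMPath)
	return string(body), err
}

func main() {
	body, err := runDemo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("found POM:", body)
}
```

With the repository list above, the first repository fails at request-building time, the second returns 404, and the third serves the POM; the earlier failures are neither fatal nor lost, since they are joined into the error that would be returned if no repository had the artifact.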

@knqyf263 knqyf263 enabled auto-merge July 31, 2024 12:01
@knqyf263 knqyf263 added this pull request to the merge queue Jul 31, 2024
Merged via the queue into aquasecurity:main with commit 49d5270 Jul 31, 2024
12 checks passed
@DmitriyLewen
Contributor

@aqua-bot backport release/v0.54

@aqua-bot
Contributor

Backport PR created: #7283

@coheigea
Contributor Author

coheigea commented Jul 31, 2024

LGTM thanks! Any chance of a fix in 0.54.1 as it's a regression?

@DmitriyLewen
Contributor

We are preparing v0.54.1 with this change.

@coheigea coheigea deleted the coheigea/pom-remote-repository branch July 31, 2024 12:43
@knqyf263
Collaborator

It's out.
https://github.com/aquasecurity/trivy/releases/tag/v0.54.1
