Invalid memory address or nil pointer dereference #7352

Closed
nikpivkin opened this issue Aug 19, 2024 Discussed in #7351 · 0 comments · Fixed by #7353
Assignees: nikpivkin
Labels: kind/breaking Categorizes issue or PR as related to breaking compatibility.

Comments

@nikpivkin (Contributor)

Discussed in #7351

Originally posted by smeckert August 19, 2024

Question

Description

I hope this issue doesn't already exist; at least I couldn't find it. I use trivy for scanning Terraform files locally and in a CICD pipeline for Terraform. I use the following versions:

local => trivy 0.53.0
CICD => trivy 0.54.0

The pipeline is built with AWS Code* tools. Accordingly, trivy runs in a CodeBuild project. I built my own container image for the pipeline based on Alpine and Amazon Linux 2 (just for testing). Here is the content; almost everything irrelevant has been removed.

Alpine:

FROM --platform=linux/arm64 public.ecr.aws/docker/library/alpine:3.20.1

# -- Define build arguments for the versions

ARG TERRAFORM_VERSION=1.9.0
ARG TRIVY_VERSION=0.54.0
ARG USER=automation

# -- Update the package list and install the specified packages

RUN apk update && \
    apk upgrade && \
    apk add --no-cache \
    bash \
    unzip \
    wget \
    git \
    curl \
    jq \
    python3 \
    py3-pip \
    py3-boto3 \
    aws-cli \
    sudo \
    && rm -rf /var/cache/apk/*

RUN adduser -D $USER \
        && echo "$USER ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/$USER \
        && chmod 0440 /etc/sudoers.d/$USER

USER $USER
WORKDIR /home/$USER

RUN unzip -v && \
    wget --version && \
    git --version && \
    curl --version && \
    jq --version && \
    python3 --version && \
    pip3 --version && \
    aws --version

RUN wget https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_linux_arm64.zip && \
    unzip terraform_${TERRAFORM_VERSION}_linux_arm64.zip && \
    sudo mv terraform /usr/local/bin/ && \
    touch .terraformrc && \
    rm terraform_${TERRAFORM_VERSION}_linux_arm64.zip

RUN wget https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-ARM64.tar.gz && \
    tar zxvf trivy_${TRIVY_VERSION}_Linux-ARM64.tar.gz && \
    sudo mv trivy /usr/local/bin/ && \
    rm trivy_${TRIVY_VERSION}_Linux-ARM64.tar.gz

As already mentioned, trivy runs in a container (AWS CodeBuild Project) and here is the content of the buildspec.yaml.

version: 0.2

run-as: automation

env:
  shell: bash

phases:
  install:
    on-failure: ABORT
    commands:
      - echo "Set ENV variables..."
      - export TF_TRIVY_REPORT=${CODEBUILD_SRC_DIR}/trivy_report.json
      - export TRIVY_CACHE_DIR=${CODEBUILD_SRC_DIR}/trivy_cache
      - export TRIVY_MODULE_DIR=${CODEBUILD_SRC_DIR}/trivy_modules
    finally:
      - echo "ENV variables set"
      - echo $TF_TRIVY_REPORT
      - echo $TRIVY_CACHE_DIR
      - echo $TRIVY_MODULE_DIR
  build:
    on-failure: ABORT
    commands:
      - cd terraform/
      - trivy config . --debug

Desired Behavior

If I build an image locally and run it locally, then create a main.tf with content inside the container and use trivy for a scan, it works without problems (applies to the Alpine and Amazon Linux version of the image). If I use the same image in a CodeBuild project, I get an error. At first I thought it had something to do with the sizing of the container in terms of CPU/memory, but changes did not help.

Actual Behavior

This is the error I get with all the images I have tested so far.

[Container] 2024/08/16 13:55:36.070225 Running command trivy config . --debug
2024-08-16T13:55:36Z    DEBUG   Cache dir   dir="/codebuild/output/src58333712/src/trivy_cache"
2024-08-16T13:55:36Z    DEBUG   Parsed severities   severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-08-16T13:55:36Z    INFO    [misconfig] Misconfiguration scanning is enabled
2024-08-16T13:55:36Z    DEBUG   Failed to open the check metadata   err="open /codebuild/output/src58333712/src/trivy_cache/policy/metadata.json: no such file or directory"
2024-08-16T13:55:36Z    INFO    Need to update the built-in policies
2024-08-16T13:55:36Z    INFO    Downloading the built-in policies...
2024-08-16T13:55:36Z    DEBUG   Loading check bundle    repository="ghcr.io/aquasecurity/trivy-checks:0"
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-08-16T13:55:37Z    DEBUG   Digest of the built-in policies digest="sha256:ef2d9ad4fce0f933b20a662004d7e55bf200987c180e7f2cd531af631f408bb3"
2024-08-16T13:55:37Z    DEBUG   [misconfig] Policies successfully loaded from disk
2024-08-16T13:55:37Z    DEBUG   Enabling misconfiguration scanners  scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-08-16T13:55:37Z    DEBUG   Initializing scan cache...  type="memory"
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x18 pc=0x2a29e64]
goroutine 1 [running]:
github.com/aquasecurity/trivy/pkg/utils/fsutils.DirExists({0x40015c7500?, 0x4?})
    /home/runner/work/trivy/trivy/pkg/utils/fsutils/fs.go:62 +0x54
github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/dotnet/nuget.newNuspecParser()
    /home/runner/work/trivy/trivy/pkg/fanal/analyzer/language/dotnet/nuget/nuspec.go:42 +0x94
github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/dotnet/nuget.newNugetLibraryAnalyzer({{0x0, 0x0}, 0x0, {0x75b3d00, 0x0, 0x0}, {0x4002a03c08, 0x5f, 0x6f}, {0x1, ...}, ...})
    /home/runner/work/trivy/trivy/pkg/fanal/analyzer/language/dotnet/nuget/nuget.go:50 +0x1c
github.com/aquasecurity/trivy/pkg/fanal/analyzer.NewAnalyzerGroup({{0x0, 0x0}, 0x0, {0x75b3d00, 0x0, 0x0}, {0x4002a03c08, 0x5f, 0x6f}, {0x1, ...}, ...})
    /home/runner/work/trivy/trivy/pkg/fanal/analyzer/analyzer.go:359 +0x568
github.com/aquasecurity/trivy/pkg/fanal/artifact/local.NewArtifact({_, _}, {_, _}, {_, _}, {{0x0, 0x0}, {0x4002a03c08, 0x5f, ...}, ...})
    /home/runner/work/trivy/trivy/pkg/fanal/artifact/local/fs.go:56 +0x17c
github.com/aquasecurity/trivy/pkg/commands/artifact.initializeFilesystemScanner({_, _}, {_, _}, {{_, _}, {_, _}, {_, _}, ...}, ...)
    /home/runner/work/trivy/trivy/pkg/commands/artifact/wire_gen.go:106 +0x24c
github.com/aquasecurity/trivy/pkg/commands/artifact.filesystemStandaloneScanner({_, _}, {{0xffffe1d335a2, 0x1}, {{0x3c78ce4, 0x6}, {0x4000074010, 0x2d}, {0x0, 0x0}, ...}, ...})
    /home/runner/work/trivy/trivy/pkg/commands/artifact/scanner.go:56 +0x80
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scan(_, {_, _}, {{{0x3c95846, 0xa}, 0x0, 0x0, 0x1, 0x0, 0x45d964b800, ...}, ...}, ...)
    /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:636 +0x1d4
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanArtifact(_, {_, _}, {{{0x3c95846, 0xa}, 0x0, 0x0, 0x1, 0x0, 0x45d964b800, ...}, ...}, ...)
    /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:259 +0x94
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanFS(_, {_, _}, {{{0x3c95846, 0xa}, 0x0, 0x0, 0x1, 0x0, 0x45d964b800, ...}, ...})
    /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:204 +0xa4
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).ScanFilesystem(_, {_, _}, {{{0x3c95846, 0xa}, 0x0, 0x0, 0x1, 0x0, 0x45d964b800, ...}, ...})
    /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:184 +0x1b0
github.com/aquasecurity/trivy/pkg/commands/artifact.Run({_, _}, {{{0x3c95846, 0xa}, 0x0, 0x0, 0x1, 0x0, 0x45d964b800, {0x4000074010, ...}, ...}, ...}, ...)
    /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:369 +0x40c
github.com/aquasecurity/trivy/pkg/commands.NewConfigCommand.func2(0x4000345b08, {0x40026100e0, 0x1, 0x2})
    /home/runner/work/trivy/trivy/pkg/commands/app.go:717 +0x278
github.com/spf13/cobra.(*Command).execute(0x4000345b08, {0x40026100c0, 0x2, 0x2})
    /home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:985 +0x840
github.com/spf13/cobra.(*Command).ExecuteC(0x4000aeb508)
    /home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:1117 +0x344
github.com/spf13/cobra.(*Command).Execute(0x3cea271?)
    /home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:1041 +0x1c
main.run()
    /home/runner/work/trivy/trivy/cmd/trivy/main.go:39 +0x124
main.main()
    /home/runner/work/trivy/trivy/cmd/trivy/main.go:19 +0x20

[Container] 2024/08/16 13:55:37.044256 Command did not exit successfully trivy config . --debug exit status 2
[Container] 2024/08/16 13:55:37.048419 Phase complete: BUILD State: FAILED_WITH_ABORT
[Container] 2024/08/16 13:55:37.048435 Phase context status code: COMMAND_EXECUTION_ERROR Message: Error while executing command: trivy config . --debug. Reason: exit status 2

Question

I can't get into the CodeBuild container in AWS and check what is failing there. The --debug logs are certainly helpful, but I can't tell exactly where the error is coming from. Does anyone have an idea?

Target

Filesystem

Scanner

Misconfiguration

Output Format

JSON

Mode

None

Operating System

No response

Version

local => trivy 0.53.0
CICD => trivy 0.54.0
@nikpivkin nikpivkin added the triage/support Indicates an issue that is a support question. label Aug 19, 2024
@nikpivkin nikpivkin self-assigned this Aug 19, 2024
@nikpivkin nikpivkin added kind/breaking Categorizes issue or PR as related to breaking compatibility. and removed triage/support Indicates an issue that is a support question. labels Aug 19, 2024
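Reading the trace: the panic is raised inside fsutils.DirExists (fs.go:62), one frame below newNuspecParser, while NewAnalyzerGroup constructs every analyzer (the NuGet one included) for what is only a Terraform misconfiguration scan. A fault address of 0x18 is what the Go runtime reports when a method is invoked on a nil interface value, which is exactly what happens if a helper does `fi, err := os.Stat(p)`, handles only `os.IsNotExist(err)`, and then calls `fi.IsDir()` although os.Stat failed for a different reason (EACCES on a directory the build user cannot traverse, ENOTDIR, ELOOP, ...). That is a plausible reading of this trace, not the project's confirmed root cause; the actual fix is in #7353. The block below is an added example and not Trivy's code: the stat-then-IsDir shape of dirExistsUnsafe and the HOME-style lookup path are assumptions made to reproduce the crash with a constructed path that makes os.Stat return ENOTDIR, and the two hardened variants show how a filesystem probe should fail closed instead of panicking.

```go
// Added example, not Trivy's code: reproduces the nil-interface panic that the
// stack trace above is consistent with, and shows hardened alternatives.
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// dirExistsUnsafe is an ASSUMED reconstruction of the stat-then-IsDir pattern.
// Any os.Stat error other than "not exist" (EACCES, ENOTDIR, ELOOP, ...) leaves
// fi == nil, and fi.IsDir() then calls a method on a nil interface: the runtime
// reports "invalid memory address or nil pointer dereference".
func dirExistsUnsafe(path string) bool {
	fi, err := os.Stat(path)
	if os.IsNotExist(err) {
		return false
	}
	return fi.IsDir() // panics when err != nil but is not a not-exist error
}

// DirExists fails closed: any stat error means the path cannot be treated as
// an existing directory, so fi is never touched when err != nil.
func DirExists(path string) bool {
	fi, err := os.Stat(path)
	if err != nil {
		return false
	}
	return fi.IsDir()
}

// dirExistsStrict separates "absent" from "unreadable", which is what a caller
// needs if it wants to surface a CI misconfiguration (wrong HOME, unreadable
// cache or package directory) instead of silently skipping it.
func dirExistsStrict(path string) (bool, error) {
	fi, err := os.Stat(path)
	if errors.Is(err, fs.ErrNotExist) {
		return false, nil
	}
	if err != nil {
		return false, fmt.Errorf("stat %q: %w", path, err)
	}
	return fi.IsDir(), nil
}

// callPanics reports whether f panics, recovering so the caller survives.
func callPanics(f func()) (panicked bool) {
	defer func() {
		if r := recover(); r != nil {
			panicked = true
		}
	}()
	f()
	return false
}

// makeNotDirPath constructs the failing input: a regular file in a temp dir,
// then a path that goes *through* that file (a hypothetical .nuget/packages
// layout), so os.Stat fails with ENOTDIR rather than ENOENT.
func makeNotDirPath() (string, func(), error) {
	dir, err := os.MkdirTemp("", "direxists")
	if err != nil {
		return "", nil, err
	}
	file := filepath.Join(dir, "regular")
	if err := os.WriteFile(file, []byte("x"), 0o600); err != nil {
		os.RemoveAll(dir)
		return "", nil, err
	}
	return filepath.Join(file, ".nuget", "packages"), func() { os.RemoveAll(dir) }, nil
}

func main() {
	path, cleanup, err := makeNotDirPath()
	if err != nil {
		panic(err)
	}
	defer cleanup()
	fmt.Println("unsafe variant panics:", callPanics(func() { dirExistsUnsafe(path) }))
	fmt.Println("hardened DirExists:", DirExists(path))
	ok, err := dirExistsStrict(path)
	fmt.Println("strict variant:", ok, err)
}
```

The same reasoning applies to the reporter's situation: with `run-as: automation` in the buildspec, any directory the probe derives from the environment that the build user cannot stat turns into a non-ENOENT error, and a probe written like dirExistsUnsafe crashes the whole `trivy config .` run before a single Terraform file is read. Running the CodeBuild image locally as the same user with the same HOME and env as the build is the quickest way to confirm which path is being probed.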