anchore / grype

A vulnerability scanner for container images and filesystems
Apache License 2.0

panic: runtime error: invalid memory address or nil pointer dereference (go binary parsing) #526

Closed wagoodman closed 2 years ago

wagoodman commented 2 years ago

I'm reporting on behalf of @jbauernberger from #523

What happened: From https://github.com/anchore/grype/issues/523#issuecomment-989849082

$> grype .
 ✔ Vulnerability DB        [updated]
 ✔ Indexed .
 ⠧ Cataloging packages     [packages 0]panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x38 pc=0x79cd32]

goroutine 26 [running]:
debug/macho.NewFile(0x14ddca0, 0xc088d08090, 0x3, 0x1, 0x200)
    /Users/runner/hostedtoolcache/go/1.16.10/x64/src/debug/macho/file.go:348 +0x712
github.com/anchore/syft/syft/pkg/cataloger/golang.openExe(0x14e85c0, 0xc05f01e6f0, 0x114fa00, 0x7f6b17a6f5b0, 0x18, 0x18, 0x7f6b644c75b8)
    /Users/runner/go/pkg/mod/github.com/anchore/syft@v0.32.0/syft/pkg/cataloger/golang/exe.go:76 +0x55a
github.com/anchore/syft/syft/pkg/cataloger/golang.parseGoBin(0xc044958869, 0x50, 0x0, 0x0, 0x0, 0x0, 0x12641b, 0xc044958850, 0x69, 0x14e85c0, ...)
    /Users/runner/go/pkg/mod/github.com/anchore/syft@v0.32.0/syft/pkg/cataloger/golang/parse_go_bin.go:19 +0x50
github.com/anchore/syft/syft/pkg/cataloger/golang.(*Cataloger).Catalog(0x1ce6e80, 0x14ff430, 0xc0001e6000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ...)
    /Users/runner/go/pkg/mod/github.com/anchore/syft@v0.32.0/syft/pkg/cataloger/golang/binary_cataloger.go:46 +0x2ad
github.com/anchore/syft/syft/pkg/cataloger.Catalog(0x14ff430, 0xc0001e6000, 0x0, 0xc0d173d8c0, 0xc, 0xc, 0x0, 0xc00174fa50, 0xc0000d5dc0, 0xae8b7b, ...)
    /Users/runner/go/pkg/mod/github.com/anchore/syft@v0.32.0/syft/pkg/cataloger/catalog.go:54 +0x131
github.com/anchore/syft/syft.CatalogPackages(0xc001780120, 0x12e3b05, 0x8, 0xc001780120, 0x1347c68, 0x0, 0x0, 0xc00038bd00, 0x14db301, 0xc00038bd00)
    /Users/runner/go/pkg/mod/github.com/anchore/syft@v0.32.0/syft/lib.go:67 +0x4bf
github.com/anchore/grype/grype/pkg.syftProvider(0x7ffdc749f1b7, 0x1, 0x12e3b05, 0x8, 0xc0017740a0, 0x0, 0x0, 0x0, 0x0, 0x0, ...)
    /Users/runner/work/grype/grype/grype/pkg/syft_provider.go:20 +0xe7
github.com/anchore/grype/grype/pkg.Provide(0x7ffdc749f1b7, 0x1, 0x12e3b05, 0x8, 0xc0017740a0, 0x0, 0x0, 0x0, 0x0, 0x0, ...)
    /Users/runner/work/grype/grype/grype/pkg/provider.go:20 +0x115
github.com/anchore/grype/cmd.startWorker.func1.2(0xc00174f9e0, 0x7ffdc749f1b7, 0x1, 0xc001741b30, 0xc00179b980, 0xc0001fa000, 0xc00055e120, 0xc00174f9d7)
    /Users/runner/work/grype/grype/cmd/root.go:254 +0x105
created by github.com/anchore/grype/cmd.startWorker.func1
    /Users/runner/work/grype/grype/cmd/root.go:251 +0x35f

What you expected to happen: No panics!

How to reproduce it (as minimally and precisely as possible): From https://github.com/anchore/grype/issues/523#issuecomment-989920003

I downloaded a bunch (see list below) of debian source packages for Debian sid. There are quite a lot (~29G). I fetch them with apt-get source <package> ... then I delete .dsc .gz .xz .bz2 (anything that isn't a subdir) and run grype on it.

So something like:

cd ~/src/debian/
for i in `cat ./packages`
do
  apt-get source "$i"
done

content of ./packages:


Anything else we need to know?:

Environment:

grype version
Application:          grype
Version:              0.27.0
Syft Version:         v0.32.0
BuildDate:            2021-12-08T22:17:50Z
GitCommit:            e62186725b8bfe3faddb78fa82b1ca44c747c9b6
GitTreeState:         clean
Platform:             linux/amd64
GoVersion:            go1.16.10
Compiler:             gc
Supported DB Schema:  3

westonsteimel commented 2 years ago

@wagoodman, it seems to happen specifically for apt-get source clang-13 for me

# grype --verbose .
[0000]  INFO indexing filesystem path="." from-lib=syft
[0006]  INFO indexing filesystem path="/root/test/llvm-toolchain-13-13.0.0/clang/test/Driver/Inputs/CUDA-symlinks/opt/cuda/bin/ptxas" from-lib=syft
[0006]  INFO indexing filesystem path="/root/test/llvm-toolchain-13-13.0.0/clang/test/Driver/Inputs/basic_cross_linux_tree/usr/bin/i386-unknown-linux-gnu-ld.gold" from-lib=syft
[0006]  INFO indexing filesystem path="/root/test/llvm-toolchain-13-13.0.0/clang/test/Driver/Inputs/basic_cross_linux_tree/usr/bin/x86_64-unknown-linux-gnu-ld.gold" from-lib=syft
[0006]  INFO indexing filesystem path="/root/test/llvm-toolchain-13-13.0.0/clang/test/Driver/Inputs/basic_cross_linux_tree/usr/i386-unknown-linux-gnu/bin/ld.gold" from-lib=syft
[0006]  INFO indexing filesystem path="/root/test/llvm-toolchain-13-13.0.0/clang/test/Driver/Inputs/basic_cross_linux_tree/usr/x86_64-unknown-linux-gnu/bin/ld.gold" from-lib=syft
[0006]  INFO indexing filesystem path="/root/test/llvm-toolchain-13-13.0.0/clang/test/Driver/Inputs/multilib_32bit_linux_tree/usr/bin/i386-unknown-linux-gnu-as" from-lib=syft
[0006]  INFO indexing filesystem path="/root/test/llvm-toolchain-13-13.0.0/clang/test/Driver/Inputs/multilib_32bit_linux_tree/usr/bin/i386-unknown-linux-gnu-ld" from-lib=syft
[0006]  INFO indexing filesystem path="/root/test/llvm-toolchain-13-13.0.0/clang/test/Driver/Inputs/multilib_64bit_linux_tree/usr/bin/x86_64-unknown-linux-gnu-as" from-lib=syft
[0006]  INFO indexing filesystem path="/root/test/llvm-toolchain-13-13.0.0/clang/test/Driver/Inputs/multilib_64bit_linux_tree/usr/bin/x86_64-unknown-linux-gnu-ld" from-lib=syft
[0006]  INFO indexing filesystem path="/root/test/llvm-toolchain-13-13.0.0/libclc/amdgcn-amdhsa" from-lib=syft
[0006]  INFO indexing filesystem path="/root/test/llvm-toolchain-13-13.0.0/pstl/test/std" from-lib=syft
[0006]  INFO indexing filesystem path="/root/test/llvm-toolchain-13-13.0.0/libcxxabi/build/lib/libc++abi.so.1" from-lib=syft
[0006]  INFO indexing filesystem path="/root/test/llvm-toolchain-13-13.0.0/libcxxabi/build/lib/libc++abi.so.1.0" from-lib=syft
[0006]  INFO indexing filesystem path="/root/test/llvm-toolchain-13-13.0.0/openmp/tools/analyzer/llvm-openmp-analyzer" from-lib=syft
[0006]  INFO could not identify distro from-lib=syft
[0006]  INFO cataloging directory from-lib=syft
[0038]  WARN could not parse possible go binary: EOF from-lib=syft
[0038]  WARN could not parse possible go binary: invalid magic number in record at byte 0x0 from-lib=syft
[0038]  WARN could not parse possible go binary: undefined symbols index in dynamic symbol table command is greater than symbol table length (10 > 0) in record at byte 0x280 from-lib=syft
[0038]  WARN could not parse possible go binary: invalid command block size in record at byte 0x1c from-lib=syft
[0039]  WARN could not parse possible go binary: invalid command block size in record at byte 0x20 from-lib=syft
[0039]  WARN could not parse possible go binary: invalid command block size in record at byte 0x1c from-lib=syft
[0039]  WARN could not parse possible go binary: EOF from-lib=syft
[0039]  WARN could not parse possible go binary: unexpected EOF from-lib=syft
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x38 pc=0x79cd32]

goroutine 69 [running]:
debug/macho.NewFile(0x14ddca0, 0xc00d7748d0, 0x3, 0x1, 0x200)
    /Users/runner/hostedtoolcache/go/1.16.10/x64/src/debug/macho/file.go:348 +0x712
github.com/anchore/syft/syft/pkg/cataloger/golang.openExe(0x14e85c0, 0xc009375e30, 0x114fa00, 0x7fd54780e1b8, 0x18, 0x18, 0x7fd56e8af108)
    /Users/runner/go/pkg/mod/github.com/anchore/syft@v0.32.0/syft/pkg/cataloger/golang/exe.go:76 +0x55a
github.com/anchore/syft/syft/pkg/cataloger/golang.parseGoBin(0xc00483a18b, 0x50, 0x0, 0x0, 0x0, 0x0, 0x17ba4, 0xc00483a180, 0x5b, 0x14e85c0, ...)
    /Users/runner/go/pkg/mod/github.com/anchore/syft@v0.32.0/syft/pkg/cataloger/golang/parse_go_bin.go:19 +0x50
github.com/anchore/syft/syft/pkg/cataloger/golang.(*Cataloger).Catalog(0x1ce6e80, 0x14ff430, 0xc0002fef50, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ...)
    /Users/runner/go/pkg/mod/github.com/anchore/syft@v0.32.0/syft/pkg/cataloger/golang/binary_cataloger.go:46 +0x2ad
github.com/anchore/syft/syft/pkg/cataloger.Catalog(0x14ff430, 0xc0002fef50, 0x0, 0xc00d7c8180, 0xc, 0xc, 0x0, 0xc000a96c10, 0xc00070ddc0, 0xae8b7b, ...)
    /Users/runner/go/pkg/mod/github.com/anchore/syft@v0.32.0/syft/pkg/cataloger/catalog.go:54 +0x131
github.com/anchore/syft/syft.CatalogPackages(0xc000731320, 0x12e3b05, 0x8, 0xc000731320, 0x1347c68, 0x0, 0x0, 0xc00043bb40, 0x14db301, 0xc00043bb40)
    /Users/runner/go/pkg/mod/github.com/anchore/syft@v0.32.0/syft/lib.go:67 +0x4bf
github.com/anchore/grype/grype/pkg.syftProvider(0x7fffc61dff57, 0x1, 0x12e3b05, 0x8, 0xc000077800, 0x0, 0x0, 0x0, 0x0, 0x0, ...)
    /Users/runner/work/grype/grype/grype/pkg/syft_provider.go:20 +0xe7
github.com/anchore/grype/grype/pkg.Provide(0x7fffc61dff57, 0x1, 0x12e3b05, 0x8, 0xc000077800, 0x0, 0x0, 0x0, 0x0, 0x0, ...)
    /Users/runner/work/grype/grype/grype/pkg/provider.go:20 +0x115
github.com/anchore/grype/cmd.startWorker.func1.2(0xc000a96ba0, 0x7fffc61dff57, 0x1, 0xc000565e78, 0xc000389ed0, 0xc000292320, 0xc000082120, 0xc000a96b97)
    /Users/runner/work/grype/grype/cmd/root.go:254 +0x105
created by github.com/anchore/grype/cmd.startWorker.func1
    /Users/runner/work/grype/grype/cmd/root.go:251 +0x35f
#

jbauernberger commented 2 years ago

nice job on isolating it! so digging further most of what matches llvm-toolchain-13-13.0.0/llvm/test/Object/Inputs/macho-invalid-* trigger the crash for me:

cd ~/src/debian/llvm-toolchain-13-13.0.0/llvm/test/Object/Inputs

set strace filter on open,openat:

strace -Tfe trace=open,openat -o ~/grype.strace grype --verbose .

then grep openat ~/grype.strace |tail gives:

313546 openat(AT_FDCWD, "/home/joachim/src/debian/llvm-toolchain-13-13.0.0/llvm/test/Object/Inputs/macho-invalid-dylib-id-more-than-one", O_RDONLY|O_CLOEXEC) = 7 <0.000021>
313546 openat(AT_FDCWD, "/home/joachim/src/debian/llvm-toolchain-13-13.0.0/llvm/test/Object/Inputs/macho-invalid-dylib-name_offset-toobig", O_RDONLY|O_CLOEXEC) = 7 <0.000023>
313546 openat(AT_FDCWD, "/home/joachim/src/debian/llvm-toolchain-13-13.0.0/llvm/test/Object/Inputs/macho-invalid-dylib-name_offset-toosmall", O_RDONLY|O_CLOEXEC) = 7 <0.000010>
313546 openat(AT_FDCWD, "/home/joachim/src/debian/llvm-toolchain-13-13.0.0/llvm/test/Object/Inputs/macho-invalid-dylib-name_toobig", O_RDONLY|O_CLOEXEC) = 7 <0.000013>
313547 openat(AT_FDCWD, "/home/joachim/src/debian/llvm-toolchain-13-13.0.0/llvm/test/Object/Inputs/macho-invalid-dylib-no-id", O_RDONLY|O_CLOEXEC) = 7 <0.000021>
313547 openat(AT_FDCWD, "/home/joachim/src/debian/llvm-toolchain-13-13.0.0/llvm/test/Object/Inputs/macho-invalid-dylib-small", O_RDONLY|O_CLOEXEC) = 7 <0.000016>
313540 openat(AT_FDCWD, "/tmp/user/1000/grype-db-listing224606081", O_RDONLY|O_CLOEXEC) = 9 <0.000011>
313547 openat(AT_FDCWD, "/home/joachim/src/debian/llvm-toolchain-13-13.0.0/llvm/test/Object/Inputs/macho-invalid-dylib-wrong-filetype", O_RDONLY|O_CLOEXEC) = 7 <0.000019>
313547 openat(AT_FDCWD, "/home/joachim/src/debian/llvm-toolchain-13-13.0.0/llvm/test/Object/Inputs/macho-invalid-dylib_code_sign_drs-bad-size", O_RDONLY|O_CLOEXEC) = 7 <0.000486>
313546 openat(AT_FDCWD, "/home/joachim/src/debian/llvm-toolchain-13-13.0.0/llvm/test/Object/Inputs/macho-invalid-dysymtab-bad-size", O_RDONLY|O_CLOEXEC) = 7 <0.000010>

tried to isolate them one by one but it seems most of the files cause it. (haven't confirmed if it's each and every one but moving them out of the way and no more crash)

wagoodman commented 2 years ago

.../macho-invalid-*

HA! That explains a lot! I was wondering where mac binaries came from for a linux package...

Right now we make certain to not fail or parse further when there are unexpected inputs like this, however, this panic appears to be coming from the go stdlib itself (could put in an issue / patch upstream). The easiest approach here might be to isolate the stdlib call and do an explicit recover for this path.

Nice job @westonsteimel @jbauernberger !
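
One way to "isolate the stdlib call and do an explicit recover", sketched as an added example (not syft's actual fix; `openMachO`, `scanCandidates` and `nilDerefReader` are hypothetical names). Because whether `macho.NewFile` panics depends on the Go release and the input file, a constructed reader that dereferences a nil pointer stands in for the failing input so the recover path can be exercised on any toolchain.

```go
package main

import (
	"bytes"
	"debug/macho"
	"encoding/binary"
	"fmt"
	"io"
)

// openMachO (hypothetical name) isolates the stdlib call: any panic raised
// beneath macho.NewFile is recovered and returned as an ordinary error, so
// one hostile or malformed file cannot take down the whole scan.
func openMachO(r io.ReaderAt) (f *macho.File, err error) {
	defer func() {
		if p := recover(); p != nil {
			f = nil
			err = fmt.Errorf("recovered panic in debug/macho: %v", p)
		}
	}()
	return macho.NewFile(r)
}

// candidate is one file the cataloger suspects might be a binary.
type candidate struct {
	path string
	r    io.ReaderAt
}

// scanCandidates parses every candidate, warns on failures and keeps going.
func scanCandidates(cands []candidate) (parsed, skipped []string) {
	for _, c := range cands {
		f, err := openMachO(c.r)
		if err != nil {
			fmt.Printf("WARN could not parse possible go binary %q: %v\n", c.path, err)
			skipped = append(skipped, c.path)
			continue
		}
		f.Close()
		parsed = append(parsed, c.path)
	}
	return parsed, skipped
}

// nilDerefReader is a constructed stand-in for an input that makes the
// parser panic: ReadAt on its nil *bytes.Reader dereferences a nil pointer
// while macho.NewFile is on the call stack.
type nilDerefReader struct{ src *bytes.Reader }

func (n nilDerefReader) ReadAt(p []byte, off int64) (int, error) {
	return n.src.ReadAt(p, off)
}

// minimalMachO builds a constructed 64-bit little-endian Mach-O header with
// zero load commands, padded past the 32-byte header.
func minimalMachO() []byte {
	b := make([]byte, 40)
	le := binary.LittleEndian
	le.PutUint32(b[0:], macho.Magic64)
	le.PutUint32(b[4:], uint32(macho.CpuAmd64))
	le.PutUint32(b[12:], uint32(macho.TypeExec))
	return b
}

// sampleCandidates returns constructed inputs: one parseable header, one
// file with the wrong magic number, and one that panics inside the parser.
func sampleCandidates() []candidate {
	return []candidate{
		{"constructed/valid-header", bytes.NewReader(minimalMachO())},
		{"constructed/not-macho", bytes.NewReader([]byte("#!/bin/sh\n"))},
		{"constructed/parser-panics", nilDerefReader{}},
	}
}

func main() {
	parsed, skipped := scanCandidates(sampleCandidates())
	fmt.Println("parsed: ", parsed)
	fmt.Println("skipped:", skipped)
}
```

The named return values are what let the deferred function replace the result after a panic; without them the wrapper would return a nil error alongside a nil file.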

barzaka12 commented 2 years ago

Hello.

Not sure if I should open a new one, but I get the same error, but while indexing the filesystem.

# grype dir:/
 ✔ Vulnerability DB        [updated]
 ⠦ Indexing /              [file: /var/lib/docker/aufs/diff/3ec17d26cd5041c243b00c4c...5e5f7e76f191440/usr/share/man/sv/man8/deluser.8.gz]panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x18 pc=0xadb565]

goroutine 12 [running]:
github.com/anchore/syft/syft/source.(*directoryResolver).indexPath(0xc0001d9e30, 0xc03214eb90, 0xf, 0x0, 0x0, 0x1509a80, 0xc059aac000, 0x5008ad, 0xc03214eb90, 0xf, ...)
    /Users/runner/go/pkg/mod/github.com/anchore/syft@v0.36.0/syft/source/directory_resolver.go:127 +0x85
github.com/anchore/syft/syft/source.(*directoryResolver).indexTree.func1(0xc03214eb90, 0xf, 0x0, 0x0, 0x1509a80, 0xc059aac000, 0x0, 0x0)
    /Users/runner/go/pkg/mod/github.com/anchore/syft@v0.36.0/syft/source/directory_resolver.go:109 +0x9d
path/filepath.Walk(0xc03214eb90, 0xf, 0xc00670b870, 0x0, 0x1509a80)
    /Users/runner/hostedtoolcache/go/1.16.13/x64/src/path/filepath/path.go:499 +0x7e
github.com/anchore/syft/syft/source.(*directoryResolver).indexTree(0xc0001d9e30, 0xc03214eb90, 0xf, 0xc00024ffa0, 0xc059a9a7f0, 0x1, 0xc024623ca8, 0x0, 0xc024623c60)
    /Users/runner/go/pkg/mod/github.com/anchore/syft@v0.36.0/syft/source/directory_resolver.go:105 +0x1e5
github.com/anchore/syft/syft/source.indexAllRoots(0x7ffc872717ad, 0x1, 0xc00670bb50, 0x0, 0x0)
    /Users/runner/go/pkg/mod/github.com/anchore/syft@v0.36.0/syft/source/directory_resolver.go:502 +0x19e
github.com/anchore/syft/syft/source.newDirectoryResolver(0x7ffc872717ad, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
    /Users/runner/go/pkg/mod/github.com/anchore/syft@v0.36.0/syft/source/directory_resolver.go:77 +0x3b0
github.com/anchore/syft/syft/source.(*Source).FileResolver(0xc000c046c0, 0x130b75a, 0x8, 0x0, 0x0, 0x0, 0x0)
    /Users/runner/go/pkg/mod/github.com/anchore/syft@v0.36.0/syft/source/source.go:239 +0x1bd
github.com/anchore/syft/syft.CatalogPackages(0xc000c046c0, 0x1, 0x130b75a, 0x8, 0x0, 0x0, 0xc000c046c0, 0x13702c0, 0x0, 0x0, ...)
    /Users/runner/go/pkg/mod/github.com/anchore/syft@v0.36.0/syft/lib.go:38 +0x5a
github.com/anchore/grype/grype/pkg.syftProvider(0x7ffc872717a9, 0x5, 0xc000c75ac0, 0x1d241a8, 0x0, 0x0, 0x1, 0x130b75a, 0x8, 0x0, ...)
    /Users/runner/work/grype/grype/grype/pkg/syft_provider.go:19 +0x125
github.com/anchore/grype/grype/pkg.Provide(0x7ffc872717a9, 0x5, 0xc000c75ac0, 0x1d241a8, 0x0, 0x0, 0x1, 0x130b75a, 0x8, 0x0, ...)
    /Users/runner/work/grype/grype/grype/pkg/provider.go:27 +0x29c
github.com/anchore/grype/cmd.startWorker.func1.2(0xc0004ea510, 0x7ffc872717a9, 0x5, 0xc0002f0150, 0xc00024ff80, 0xc0001de020, 0xc000108060, 0xc0004ea50d)
    /Users/runner/work/grype/grype/cmd/root.go:268 +0x1f2
created by github.com/anchore/grype/cmd.startWorker.func1
    /Users/runner/work/grype/grype/cmd/root.go:260 +0x35f