anchore / syft

CLI tool and library for generating a Software Bill of Materials from container images and filesystems
Apache License 2.0

`syft packages` panics on OCI archive creation #1318

Closed sophiewigmore closed 1 year ago

sophiewigmore commented 1 year ago

Please provide a set of steps on how to reproduce the issue

What happened:

Running `syft packages <oci archive> --output cyclonedx-json --file sbom.json` panics during the cataloguing phase:

```text
✔ Parsed image
 ⠇ Cataloging packages     [packages 0]panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x8 pc=0x2730f36]

goroutine 131 [running]:
github.com/anchore/syft/syft/pkg.(*Package).SetID(0x0)
        /home/runner/work/syft/syft/syft/pkg/package.go:42 +0x36
github.com/anchore/syft/syft/pkg/cataloger/javascript.parseNodeBinary({0xc0006263a0?, 0xc013895280?}, 0x10?, {{{{0xc000dfab80, 0x3c}, {0xc001567860, 0x47}}, {0xc000dfab80, 0x3c}, {0x4992, ...}}, ...})
        /home/runner/work/syft/syft/syft/pkg/cataloger/javascript/parse_node_binary.go:41 +0x186
github.com/anchore/syft/syft/pkg/cataloger/generic.(*Cataloger).Catalog(0xc00ba15800, {0x340d040, 0xc001202058})
        /home/runner/work/syft/syft/syft/pkg/cataloger/generic/cataloger.go:127 +0x70e
github.com/anchore/syft/syft/pkg/cataloger.Catalog({0x340d040?, 0xc001202058}, 0x8?, {0xc00ba0f450, 0xd, 0x0?})
        /home/runner/work/syft/syft/syft/pkg/cataloger/catalog.go:56 +0x3d8
github.com/anchore/syft/syft.CatalogPackages(0xc00058a480, {{0x1, 0x0, {0x3034513, 0x8}}, {0x0, 0x0, 0x0}})
        /home/runner/work/syft/syft/syft/lib.go:72 +0x5a5
github.com/anchore/syft/cmd/syft/cli/eventloop.generateCatalogPackagesTask.func1(0xc00038eb60, 0x2e7aac0?)
        /home/runner/work/syft/syft/cmd/syft/cli/eventloop/tasks.go:49 +0xdc
github.com/anchore/syft/cmd/syft/cli/eventloop.RunTask(0x0?, 0xc00061dfd0?, 0x2500b4a?, 0xc001550000, 0xc00038be00?)
        /home/runner/work/syft/syft/cmd/syft/cli/eventloop/tasks.go:223 +0x85
created by github.com/anchore/syft/cmd/syft/cli/packages.buildRelationships
        /home/runner/work/syft/syft/cmd/syft/cli/packages/packages.go:121 +0x65
```

This only occurs for one of our OCI archives, which has a lot of packages (800+). You can test this out by downloading an example OCI archive similar to the one I was testing with from our release: https://github.com/paketo-buildpacks/jammy-full-stack/releases/download/v0.0.31/jammy-full-stack-0.0.31-build.oci and then running the same `syft packages` command on it with Syft 0.60.1.

What you expected to happen:

Expected SBOM generation to succeed as usual

Anything else we need to know?:

This issue only started happening on 0.60.1 (and 0.60.2).

Environment:
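
The trace above shows the shape of the crash: `(*Package).SetID(0x0)` is a method with a pointer receiver invoked on a nil `*Package` that `parseNodeBinary` handed it, and the first field write dereferences nil. The following is an added, self-contained model of that failure mode and of the guard a cataloger needs; it is not syft's code and does not reproduce the change in PR #1313. The `Package` type, the `SetID` hashing scheme, the `node.js/v` marker, the `parseNodeBinary`/`catalogUnsafe`/`catalogSafe` functions and the sample file contents are all hypothetical, constructed for this example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Package is a minimal stand-in for a catalogued package; it is not syft's pkg.Package.
type Package struct {
	Name    string
	Version string
	ID      string
}

// SetID derives a content-based ID (hypothetical scheme). The pointer receiver is
// dereferenced on the field write, so a nil *Package panics here with
// "invalid memory address or nil pointer dereference", as in the trace above.
func (p *Package) SetID() {
	sum := sha256.Sum256([]byte(p.Name + "@" + p.Version))
	p.ID = hex.EncodeToString(sum[:8])
}

// parseNodeBinary models a cataloger parser: it looks for a "node.js/v<version>"
// marker and returns a nil package (no error) when the file is not a Node binary.
func parseNodeBinary(content string) (*Package, error) {
	const marker = "node.js/v"
	i := strings.Index(content, marker)
	if i < 0 {
		return nil, nil // not a Node binary: nothing to catalog
	}
	rest := content[i+len(marker):]
	end := strings.IndexAny(rest, " \x00\n")
	if end < 0 {
		end = len(rest)
	}
	if end == 0 {
		return nil, fmt.Errorf("node.js marker without a version")
	}
	return &Package{Name: "node", Version: rest[:end]}, nil
}

// catalogUnsafe mirrors the failure mode: SetID is called on whatever the parser
// returned, nil included, so the first non-Node file crashes the whole catalog run.
func catalogUnsafe(files []string) []Package {
	var out []Package
	for _, content := range files {
		p, err := parseNodeBinary(content)
		if err != nil {
			continue
		}
		p.SetID() // panics when p == nil
		out = append(out, *p)
	}
	return out
}

// catalogSafe is the guarded form: a nil result is a normal "no match" and is skipped.
func catalogSafe(files []string) []Package {
	var out []Package
	for _, content := range files {
		p, err := parseNodeBinary(content)
		if err != nil || p == nil {
			continue
		}
		p.SetID()
		out = append(out, *p)
	}
	return out
}

// recoverPanic runs fn and reports whether it panicked, returning the panic value.
func recoverPanic(fn func()) (msg string, panicked bool) {
	defer func() {
		if r := recover(); r != nil {
			msg, panicked = fmt.Sprint(r), true
		}
	}()
	fn()
	return "", false
}

// sampleFiles is constructed input: a shell script (no match) followed by a fake
// binary carrying a Node version string in its data section.
var sampleFiles = []string{
	"#!/bin/sh\necho hello\n",
	"\x7fELF\x00\x00padding node.js/v18.12.1\x00more bytes",
}

func main() {
	msg, panicked := recoverPanic(func() { catalogUnsafe(sampleFiles) })
	fmt.Printf("unguarded catalog panicked=%v: %s\n", panicked, msg)
	for _, p := range catalogSafe(sampleFiles) {
		fmt.Printf("guarded catalog: %s %s id=%s\n", p.Name, p.Version, p.ID)
	}
}
```

The point to take from it: a parser that legitimately returns `nil, nil` for "this file is not mine" must be paired with a caller that treats nil as skip, otherwise one unexpected file in a large image (the 800+ package archive here) takes down the entire SBOM run rather than just that file. On a real image this is why a crash like this shows up only on some inputs.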

kzantow commented 1 year ago

Hi @sophiewigmore -- I believe this was just fixed (with PR #1313) and a new version of Syft released (v0.60.3) with the fix in it; could you validate this fixes your issue?

sophiewigmore commented 1 year ago

Ah! Let me try.

sophiewigmore commented 1 year ago

Yes, that worked. Totally missed that fix. Thank you :)

kzantow commented 1 year ago

Thanks for following up, @sophiewigmore!