Closed ivangonzalezacuna closed 3 months ago
Thanks for the report @ivangonzalezacuna! I am taking a look now.
I have some more information on why this is happening. You're absolutely right that it's a nil pointer dereference at the line you pointed out.
Here's a minimal Dockerfile that reproduces the issue
FROM --platform=linux/amd64 golang:1.22.5-bookworm
RUN go install github.com/CycloneDX/cyclonedx-gomod/cmd/cyclonedx-gomod@v1.6.0
CMD bash
What's happening is that a package syft finds at /go/pkg/mod/github.com/!cyclone!d!x/cyclonedx-gomod@v1.6.0/pkg/generate/testdata/simple1.18
in that built image has a goCompiledVersion
of "devel", which can't be parsed into a CPE, and so the stdlib package is nil.
I'll push a PR that at least fixes the panic, but I'll check in with the team if it makes sense to fix another way, for example by changing the CPE parsing logic to handle a Go standard lib package with the version "devel".
Hi @willmurphyscode, thanks a lot for giving it a check and bring a quick fix for now! Really appreciate it :smile:
Looking forward to what the final decision with such scenarios is like. I totally agree that adding some logic to handle this "devel" packages would make sense at the end.
For now, we just won't emit a go stdlib package with the version "devel". The reason is that this version string is just not enough information to construct a meaningful package. Since which build of go stdlib might be called "devel" changes over time, without a real version number, emitting the package is incorrect or misleading.
Thanks for the detailed bug report!
What happened:
Syft report panics if an image which includes Golang binaries is scanned. This behavior didn't happen in the version v1.5.0, but happened in the newer versions since the v1.6.0.
What you expected to happen:
The report to be successful and no panics are triggered at all.
Steps to reproduce the issue:
The lines that, I think, are affecting this report are the following ones from a internal Dockerfile. I will omit the other parts and keep only the important ones:
Anything else we need to know?:
I am pretty sure the issue was added in this Pull Request, and specifically this pointer assignment as per the panic information.
Also, by checking older issues, I believe it might be related to this issue: https://github.com/anchore/syft/issues/2736, which was solved here: https://github.com/anchore/syft/pull/2739.
Environment:
syft version
:cat /etc/os-release
or similar):