anchore / syft

CLI tool and library for generating a Software Bill of Materials from container images and filesystems
Apache License 2.0

Runtime Error with Syft on Singularity .sif file (panic: index out of range) #3390

Open SaurabhNair96 opened 4 weeks ago

SaurabhNair96 commented 4 weeks ago

Description: I'm attempting to generate an SBOM for a Singularity file using Syft, but I encounter a runtime error. Below is my setup and the command I used. I apologize, but due to the proprietary nature of the code I cannot share the .sif file.

Environment: OS: Windows 10 running a virtual Ubuntu 24.04.1 Syft version: 1.14.1

Steps taken: 1) Running the tool directly on the .sif file: syft scan singularity:/mnt/shareee/siffiles/[FILE].sif -o cyclonedx-json > sbom-output.json

Error: panic: runtime error: index out of range [512] with length 512

running syft scan singularity:/mnt/shareee/siffiles/[FILE].sif -o cyclonedx-json > sbom-output.json -vv returns

panic: runtime error: index out of range [512] with length 512

goroutine 52 [running]:
github.com/sylabs/squashfs/low.(*Reader).fragEntry(0xc000162000, 0x16abf80?)
    /home/runner/go/pkg/mod/github.com/sylabs/squashfs@v1.0.0/low/reader.go:162 +0x4d3
github.com/sylabs/squashfs/low.(*FileBase).GetRegFileReaders.func1()
    /home/runner/go/pkg/mod/github.com/sylabs/squashfs@v1.0.0/low/file_base.go:110 +0x39
github.com/sylabs/squashfs/low.(*FileBase).GetRegFileReaders(0x53?, 0xc000162000)
    /home/runner/go/pkg/mod/github.com/sylabs/squashfs@v1.0.0/low/file_base.go:120 +0x67e
github.com/sylabs/squashfs.(*File).initializeReaders(...)
    /home/runner/go/pkg/mod/github.com/sylabs/squashfs@v1.0.0/file.go:176
github.com/sylabs/squashfs.(*File).Read(0xc001e28180, {0xc001378000, 0xc00, 0xc00})
    /home/runner/go/pkg/mod/github.com/sylabs/squashfs@v1.0.0/file.go:103 +0x5c
github.com/anchore/stereoscope/pkg/file.(*sizer).Read(0xc0016ab248, {0xc001378000?, 0xc0004aa0e8?, 0x458849?})
    /home/runner/go/pkg/mod/github.com/anchore/stereoscope@v0.0.4/pkg/file/mime_type.go:41 +0x28
io.ReadAtLeast({0x1fafbc0, 0xc0016ab248}, {0xc001378000, 0xc00, 0xc00}, 0xc00)
    /opt/hostedtoolcache/go/1.22.8/x64/src/io/io.go:335 +0x90
io.ReadFull(...)
    /opt/hostedtoolcache/go/1.22.8/x64/src/io/io.go:354
github.com/gabriel-vasile/mimetype.DetectReader({0x1fafbc0, 0xc0016ab248})
    /home/runner/go/pkg/mod/github.com/gabriel-vasile/mimetype@v1.4.6/mimetype.go:61 +0xe5
github.com/anchore/stereoscope/pkg/file.MIMEType({0x1fafbe0, 0xc001e28180})
    /home/runner/go/pkg/mod/github.com/anchore/stereoscope@v0.0.4/pkg/file/mime_type.go:21 +0x85
github.com/anchore/stereoscope/pkg/file.NewMetadataFromSquashFSFile({0xc001449f60, 0x1b}, 0xc001e28180)
    /home/runner/go/pkg/mod/github.com/anchore/stereoscope@v0.0.4/pkg/file/metadata.go:118 +0x475
github.com/anchore/stereoscope/pkg/image.(*Layer).readSingularityImageLayer.squashfsVisitor.func1({0x1fafba0?, 0xc0001a0de0?}, {0xc0001fc150, 0x6f}, {0xc001449f60, 0x1b})
    /home/runner/go/pkg/mod/github.com/anchore/stereoscope@v0.0.4/pkg/image/layer.go:331 +0x16b
github.com/anchore/stereoscope/pkg/file.WalkSquashFS.walkDir.func1({0xc001449f60?, 0x0?}, {0x0?, 0x0?}, {0x0?, 0x0?})
    /home/runner/go/pkg/mod/github.com/anchore/stereoscope@v0.0.4/pkg/file/squashfs_walk.go:47 +0x57
io/fs.walkDir({0x1fafba0, 0xc0001a0de0}, {0xc001449f60, 0x1b}, {0x1fbe920, 0xc0002eac20}, 0xc0004aa9d8)
    /opt/hostedtoolcache/go/1.22.8/x64/src/io/fs/walk.go:73 +0x6c
io/fs.walkDir({0x1fafba0, 0xc0001a0de0}, {0xc0008abea8, 0x11}, {0x1fbe920, 0xc0003d0000}, 0xc0004aa9d8)
    /opt/hostedtoolcache/go/1.22.8/x64/src/io/fs/walk.go:95 +0x2bf
io/fs.walkDir({0x1fafba0, 0xc0001a0de0}, {0xc00047ca67, 0x7}, {0x1fbe920, 0xc00068a190}, 0xc0004aa9d8)
    /opt/hostedtoolcache/go/1.22.8/x64/src/io/fs/walk.go:95 +0x2bf
io/fs.walkDir({0x1fafba0, 0xc0001a0de0}, {0xc000682d5a, 0x3}, {0x1fbe920, 0xc0001a0120}, 0xc0004aa9d8)
    /opt/hostedtoolcache/go/1.22.8/x64/src/io/fs/walk.go:95 +0x2bf
io/fs.walkDir({0x1fafba0, 0xc0001a0de0}, {0x1f9ef28, 0x1}, {0x1fbe920, 0xc0001a0e00}, 0xc0004aa9d8)
    /opt/hostedtoolcache/go/1.22.8/x64/src/io/fs/walk.go:95 +0x2bf
io/fs.WalkDir({0x1fafba0, 0xc0001a0de0}, {0x1f9ef28, 0x1}, 0xc0006529d8)
    /opt/hostedtoolcache/go/1.22.8/x64/src/io/fs/walk.go:122 +0xa5
github.com/anchore/stereoscope/pkg/file.WalkSquashFS({0xc0001fc150, 0x6f}, 0xc000652ae0)
    /home/runner/go/pkg/mod/github.com/anchore/stereoscope@v0.0.4/pkg/file/squashfs_walk.go:37 +0x138
github.com/anchore/stereoscope/pkg/image.(*Layer).readSingularityImageLayer(0xc0005a26c0, 0xc000100008?, {0xc00009a090, 0x27}, 0xc0000c81c8)
    /home/runner/go/pkg/mod/github.com/anchore/stereoscope@v0.0.4/pkg/image/layer.go:167 +0x399
github.com/anchore/stereoscope/pkg/image.(*Layer).Read(0xc0005a26c0, 0xc0000d2f90, 0x0, {0xc00009a090, 0x27})
    /home/runner/go/pkg/mod/github.com/anchore/stereoscope@v0.0.4/pkg/image/layer.go:106 +0x149
github.com/anchore/stereoscope/pkg/image.(*Image).Read(0xc000260008)
    /home/runner/go/pkg/mod/github.com/anchore/stereoscope@v0.0.4/pkg/image/image.go:227 +0x6e5
github.com/anchore/stereoscope/pkg/image/sif.(*singularityImageProvider).Provide(0xc0001ad0b0, {0xc000149800?, 0x15ad15c?})
    /home/runner/go/pkg/mod/github.com/anchore/stereoscope@v0.0.4/pkg/image/sif/archive_provider.go:61 +0x249
github.com/anchore/syft/syft/source/stereoscopesource.stereoscopeImageSourceProvider.Provide({{0x1fb6740, 0xc0001ad0b0}, {{{0x7ffeb43bb0d4, 0x27}, 0x0, {0x0, 0x0, {...}, {...}, {...}}}, ...}}, ...)
    /home/runner/work/syft/syft/syft/source/stereoscopesource/image_source_provider.go:32 +0xb3
github.com/anchore/syft/syft.GetSource({0x1fbe798, 0xc000692410}, {0x7ffeb43bb0d4, 0x27}, 0xc000149a40?)
    /home/runner/work/syft/syft/syft/get_source.go:29 +0x1b8
github.com/anchore/syft/cmd/syft/internal/commands.getSource({0x1fbe798, 0xc000692410}, 0xc000004440, {0x7ffeb43bb0d4, 0x27}, {0xc0002eb880, 0x1, 0x1})
    /home/runner/work/syft/syft/cmd/syft/internal/commands/scan.go:248 +0x63b
github.com/anchore/syft/cmd/syft/internal/commands.runScan({0x1fbe798, 0xc000692410}, {{0x19a1e1d, 0x4}, {0x1fa61ac, 0x6}, {0x1fbae60, 0x28}, {0x1fa7e20, 0x7}, ...}, ...)
    /home/runner/work/syft/syft/cmd/syft/internal/commands/scan.go:185 +0x27d
github.com/anchore/syft/cmd/syft/internal/commands.Scan.func1(0xc0000ccc08, {0xc00038a300, 0x1, 0x0?})
    /home/runner/work/syft/syft/cmd/syft/internal/commands/scan.go:102 +0xe6
github.com/anchore/clio.(*application).setupCommand.(*application).WrapRunE.func2.1(0x0?, {0xc00038a300?, 0x0?, 0x0?})
    /home/runner/go/pkg/mod/github.com/anchore/clio@v0.0.0-20240522144804-d81e109008aa/application.go:146 +0x9e
github.com/anchore/clio.async.func1()
    /home/runner/go/pkg/mod/github.com/anchore/clio@v0.0.0-20240522144804-d81e109008aa/application.go:344 +0x6a
created by github.com/anchore/clio.async in goroutine 1
    /home/runner/go/pkg/mod/github.com/anchore/clio@v0.0.0-20240522144804-d81e109008aa/application.go:342 +0xc5

I was wondering if you would have some insight how I can circumvent the issue. Thank you in advance.

willmurphyscode commented 4 weeks ago

Hi @SaurabhNair96! Thanks for the issue!

It looks like this panic is happening here: https://github.com/sylabs/squashfs/blob/3afc631a963a045b6863f2b3ceddcb0d969cac99/low/reader.go#L162

Syft (via Stereoscope) already depends on the latest version of that library, so this might require an upstream fix in that library (cc @tri-adam).

I don't have any suggestions as a workaround right now - it looks like you're using Syft correctly and we're hitting a bug parsing the SIF image.

It would be helpful if there were a link to a publicly available artifact that causes this issue. @SaurabhNair96 is there a link you're able to share?

Dev notes:

https://github.com/sylabs/squashfs/blob/3afc631a963a045b6863f2b3ceddcb0d969cac99/low/reader.go#L123-L163

This panics at the last line, apparently because i is one higher than expected (index 512 in length 512).

SaurabhNair96 commented 3 weeks ago

Hi @willmurphyscode, thanks for the response! I don't think we have a publicly available version of the sif file that we can share, but we can definitely share the requirements file for the sif image. Would it be possible for you to create the image based on this requirements file for debugging purposes? (attached: requirements.txt)

Thank you very much in advance and looking forward!

willmurphyscode commented 3 weeks ago

@SaurabhNair96 thanks for the requirements.txt, but I haven't been able to reproduce the issue from that, because I don't know how you're going from a requirements.txt file to a singularity image. Can you tell me about how you are going from requirements.txt to a singularity image? Syft doesn't panic scanning the singularity images I have, and I don't have access to your image, so anything you could tell me about your build process would help us understand the bug here.

Thanks very much!

SaurabhNair96 commented 3 weeks ago

Hi @willmurphyscode. Thanks for letting me know. I spoke to my seniors and I think we can share the sif image with you directly. Hopefully, this helps! Please let me know if you need any more information. Please find attached the onedrive link for the zipped image file: https://1drv.ms/f/c/d595eda503cbaa82/Ej4VSlrev4tNnfeFFKq12mwBPtU8cU8-Tva9PsvNkvCFDg?e=12k30t Thank you and looking forward!

sbutcher commented 2 weeks ago

I can replicate too on all my singularity/apptainer images. Using a basic container recipe similar to https://apptainer.org/docs/user/main/build_a_container.html

Bootstrap: docker
From: ubuntu:24.04

%post
    apt-get -y update
    apt-get -y install cowsay lolcat

%environment
    export LC_ALL=C
    export PATH=/usr/games:$PATH

%runscript
    date | cowsay | lolcat

Then apptainer build lol.sif lol.def and syft singularity:./lol.sif gives me:

⠧ Parsing image   ━━━━━━━━━━━━━━━━━━━━   sha256:3d42aab2bf432777e3253d540767d16fbe7a35955d9e66dd398d13ff6388528e
panic: runtime error: index out of range [512] with length 512

goroutine 28 [running]:
github.com/sylabs/squashfs/low.(*Reader).fragEntry(0xc0004db930, 0x8?)
    /home/runner/go/pkg/mod/github.com/sylabs/squashfs@v1.0.0/low/reader.go:162 +0x4d3
github.com/sylabs/squashfs/low.(*FileBase).GetRegFileReaders.func1()
    /home/runner/go/pkg/mod/github.com/sylabs/squashfs@v1.0.0/low/file_base.go:110 +0x39
github.com/sylabs/squashfs/low.(*FileBase).GetRegFileReaders(0x10?, 0xc0004db930)
...
popey commented 2 weeks ago

Thanks for the reproduction steps @sbutcher !

I was able to reproduce it on Ubuntu 24.04 here.

syft -vvv singularity:./lol.sif
[0000]  INFO syft version: 1.16.0
[0000] DEBUG config:
  log:
      quiet: false
      level: trace
      file: ""
  dev:
      profile: none
  config: ""
  output:
      - syft-table
  format:
      pretty: null
      template:
          path: ""
          legacy: false
      json:
          legacy: false
          pretty: false
      spdx-json:
          pretty: false
      cyclonedx-json:
          pretty: false
      cyclonedx-xml:
          pretty: false
  check-for-app-update: true
  default-catalogers: []
  select-catalogers: []
  package:
      search-unindexed-archives: false
      search-indexed-archives: true
      exclude-binary-overlap-by-ownership: true
  file:
      metadata:
          selection: owned-by-package
          digests:
              - sha1
              - sha256
      content:
          skip-files-above-size: 256000
          globs: []
      executable:
          globs: []
  scope: squashed
  parallelism: 1
  relationships:
      package-file-ownership: true
      package-file-ownership-overlap: true
  compliance:
      missing-name: drop
      missing-version: stub
  enrich: []
  golang:
      search-local-mod-cache-licenses: null
      local-mod-cache-dir: /home/alan/go/pkg/mod
      search-remote-licenses: null
      proxy: https://proxy.golang.org,direct
      no-proxy: ""
      main-module-version:
          from-ld-flags: true
          from-contents: true
          from-build-settings: true
  java:
      use-network: null
      use-maven-local-repository: null
      maven-local-repository-dir: /home/alan/.m2/repository
      maven-url: https://repo1.maven.org/maven2
      max-parent-recursive-depth: 0
      resolve-transitive-dependencies: false
  javascript:
      search-remote-licenses: null
      npm-base-url: ""
      include-dev-dependencies: null
  linux-kernel:
      catalog-modules: true
  python:
      guess-unpinned-requirements: false
  registry:
      insecure-skip-tls-verify: false
      insecure-use-http: false
      auth: []
      ca-cert: ""
  from: []
  platform: ""
  source:
      name: ""
      version: ""
      base-path: ""
      file:
          digests:
              - SHA-256
      image:
          default-pull-source: ""
  exclude: []
  unknowns:
      remove-when-packages-defined: true
      executables-without-packages: true
      unexpanded-archives: true
  cache:
      dir: /home/alan/.cache/syft
      ttl: 7d
[0000] DEBUG checking if a new version of syft is available
[0000] DEBUG no new syft update available
[0000] TRACE looking for matching encoder name=syft-table version=
[0000] TRACE considering format aliases=[json syft] name=syft-json version=16.0.18
[0000] TRACE considering format aliases=[table] name=syft-table version=
[0000] TRACE considering format aliases=[text] name=syft-text version=
[0000] TRACE considering format aliases=[github] name=github-json version=
[0000] TRACE considering format aliases=[cyclonedx cyclone cdx] name=cyclonedx-xml version=1.0
[0000] TRACE considering format aliases=[cyclonedx cyclone cdx] name=cyclonedx-xml version=1.1
[0000] TRACE considering format aliases=[cyclonedx cyclone cdx] name=cyclonedx-xml version=1.2
[0000] TRACE considering format aliases=[cyclonedx cyclone cdx] name=cyclonedx-xml version=1.3
[0000] TRACE considering format aliases=[cyclonedx cyclone cdx] name=cyclonedx-xml version=1.4
[0000] TRACE considering format aliases=[cyclonedx cyclone cdx] name=cyclonedx-xml version=1.5
[0000] TRACE considering format aliases=[cyclonedx cyclone cdx] name=cyclonedx-xml version=1.6
[0000] TRACE considering format aliases=[] name=cyclonedx-json version=1.2
[0000] TRACE considering format aliases=[] name=cyclonedx-json version=1.3
[0000] TRACE considering format aliases=[] name=cyclonedx-json version=1.4
[0000] TRACE considering format aliases=[] name=cyclonedx-json version=1.5
[0000] TRACE considering format aliases=[] name=cyclonedx-json version=1.6
[0000] TRACE considering format aliases=[] name=spdx-json version=2.2
[0000] TRACE considering format aliases=[] name=spdx-json version=2.3
[0000] TRACE considering format aliases=[spdx spdx-tv] name=spdx-tag-value version=2.1
[0000] TRACE considering format aliases=[spdx spdx-tv] name=spdx-tag-value version=2.2
[0000] TRACE considering format aliases=[spdx spdx-tv] name=spdx-tag-value version=2.3
[0000] TRACE found matching encoder name=syft-table version=
[0000] DEBUG image metadata: digest=sha256:5c3bb61e4be6a53b71820ca79bb40d0db472968fe4aa9d53745c537838e5198a mediaType=application/vnd.sylabs.sif.layer.v1.sif tags=[]
[0000] DEBUG layer metadata: index=0 digest=sha256:fb51c8f1f383dad9f0632d14b7c44b25b7dafc95bdbee61d0c9e1fff5a815145 mediaType=application/vnd.sylabs.sif.layer.v1.squashfs
panic: runtime error: index out of range [512] with length 512

goroutine 14 [running]:
github.com/sylabs/squashfs/low.(*Reader).fragEntry(0xc0007d2d00, 0x8?)
    /home/runner/go/pkg/mod/github.com/sylabs/squashfs@v1.0.0/low/reader.go:162 +0x4d3
github.com/sylabs/squashfs/low.(*FileBase).GetRegFileReaders.func1()
    /home/runner/go/pkg/mod/github.com/sylabs/squashfs@v1.0.0/low/file_base.go:110 +0x39
github.com/sylabs/squashfs/low.(*FileBase).GetRegFileReaders(0x10?, 0xc0007d2d00)
    /home/runner/go/pkg/mod/github.com/sylabs/squashfs@v1.0.0/low/file_base.go:120 +0x67e
github.com/sylabs/squashfs.(*File).initializeReaders(...)
    /home/runner/go/pkg/mod/github.com/sylabs/squashfs@v1.0.0/file.go:176
github.com/sylabs/squashfs.(*File).Read(0xc0018bbbf0, {0xc001e51000, 0xc00, 0xc00})
    /home/runner/go/pkg/mod/github.com/sylabs/squashfs@v1.0.0/file.go:103 +0x5c
github.com/anchore/stereoscope/pkg/file.(*sizer).Read(0xc001506ca8, {0xc001e51000?, 0xc000bb7e90?, 0x458849?})
    /home/runner/go/pkg/mod/github.com/anchore/stereoscope@v0.0.6-0.20241101185849-cbd43fb4e5d3/pkg/file/mime_type.go:41 +0x28
io.ReadAtLeast({0x1fba3e0, 0xc001506ca8}, {0xc001e51000, 0xc00, 0xc00}, 0xc00)
    /opt/hostedtoolcache/go/1.22.8/x64/src/io/io.go:335 +0x90
io.ReadFull(...)
    /opt/hostedtoolcache/go/1.22.8/x64/src/io/io.go:354
github.com/gabriel-vasile/mimetype.DetectReader({0x1fba3e0, 0xc001506ca8})
    /home/runner/go/pkg/mod/github.com/gabriel-vasile/mimetype@v1.4.6/mimetype.go:61 +0xe5
github.com/anchore/stereoscope/pkg/file.MIMEType({0x1fba400, 0xc0018bbbf0})
    /home/runner/go/pkg/mod/github.com/anchore/stereoscope@v0.0.6-0.20241101185849-cbd43fb4e5d3/pkg/file/mime_type.go:21 +0x85
github.com/anchore/stereoscope/pkg/file.NewMetadataFromSquashFSFile({0xc0018628d0, 0x29}, 0xc0018bbbf0)
    /home/runner/go/pkg/mod/github.com/anchore/stereoscope@v0.0.6-0.20241101185849-cbd43fb4e5d3/pkg/file/metadata.go:118 +0x475
github.com/anchore/stereoscope/pkg/image.(*Layer).readSingularityImageLayer.squashfsVisitor.func1({0x1fba3c0?, 0xc0006817a0?}, {0xc0001340e0, 0x6f}, {0xc0018628d0, 0x29})
    /home/runner/go/pkg/mod/github.com/anchore/stereoscope@v0.0.6-0.20241101185849-cbd43fb4e5d3/pkg/image/layer.go:331 +0x16b
github.com/anchore/stereoscope/pkg/file.WalkSquashFS.walkDir.func1({0xc0018628d0?, 0x0?}, {0x0?, 0x0?}, {0x0?, 0x0?})
    /home/runner/go/pkg/mod/github.com/anchore/stereoscope@v0.0.6-0.20241101185849-cbd43fb4e5d3/pkg/file/squashfs_walk.go:47 +0x57
io/fs.walkDir({0x1fba3c0, 0xc0006817a0}, {0xc0018628d0, 0x29}, {0x1fc9160, 0xc00078a330}, 0xc000bb89d8)
    /opt/hostedtoolcache/go/1.22.8/x64/src/io/fs/walk.go:73 +0x6c
io/fs.walkDir({0x1fba3c0, 0xc0006817a0}, {0xc000f4fea0, 0x20}, {0x1fc9160, 0xc00078a240}, 0xc000bb89d8)
    /opt/hostedtoolcache/go/1.22.8/x64/src/io/fs/walk.go:95 +0x2bf
io/fs.walkDir({0x1fba3c0, 0xc0006817a0}, {0xc001563780, 0x19}, {0x1fc9160, 0xc000053060}, 0xc000bb89d8)
    /opt/hostedtoolcache/go/1.22.8/x64/src/io/fs/walk.go:95 +0x2bf
io/fs.walkDir({0x1fba3c0, 0xc0006817a0}, {0xc000d07350, 0x15}, {0x1fc9160, 0xc00025c980}, 0xc000bb89d8)
    /opt/hostedtoolcache/go/1.22.8/x64/src/io/fs/walk.go:95 +0x2bf
io/fs.walkDir({0x1fba3c0, 0xc0006817a0}, {0xc000c276b0, 0xe}, {0x1fc9160, 0xc0007b8580}, 0xc000bb89d8)
    /opt/hostedtoolcache/go/1.22.8/x64/src/io/fs/walk.go:95 +0x2bf
io/fs.walkDir({0x1fba3c0, 0xc0006817a0}, {0xc0000123d0, 0x9}, {0x1fc9160, 0xc000680230}, 0xc000bb89d8)
    /opt/hostedtoolcache/go/1.22.8/x64/src/io/fs/walk.go:95 +0x2bf
io/fs.walkDir({0x1fba3c0, 0xc0006817a0}, {0xc000c40e4a, 0x3}, {0x1fc9160, 0xc000460000}, 0xc000bb89d8)
    /opt/hostedtoolcache/go/1.22.8/x64/src/io/fs/walk.go:95 +0x2bf
io/fs.walkDir({0x1fba3c0, 0xc0006817a0}, {0x1fa9728, 0x1}, {0x1fc9160, 0xc0006817b0}, 0xc000bb89d8)
    /opt/hostedtoolcache/go/1.22.8/x64/src/io/fs/walk.go:95 +0x2bf
io/fs.WalkDir({0x1fba3c0, 0xc0006817a0}, {0x1fa9728, 0x1}, 0xc00057a9d8)
    /opt/hostedtoolcache/go/1.22.8/x64/src/io/fs/walk.go:122 +0xa5
github.com/anchore/stereoscope/pkg/file.WalkSquashFS({0xc0001340e0, 0x6f}, 0xc00057aae0)
    /home/runner/go/pkg/mod/github.com/anchore/stereoscope@v0.0.6-0.20241101185849-cbd43fb4e5d3/pkg/file/squashfs_walk.go:37 +0x138
github.com/anchore/stereoscope/pkg/image.(*Layer).readSingularityImageLayer(0xc0000dc2d0, 0xc000093008?, {0xc000712000, 0x27}, 0xc000592588)
    /home/runner/go/pkg/mod/github.com/anchore/stereoscope@v0.0.6-0.20241101185849-cbd43fb4e5d3/pkg/image/layer.go:167 +0x399
github.com/anchore/stereoscope/pkg/image.(*Layer).Read(0xc0000dc2d0, 0xc0003231a0, 0x0, {0xc000712000, 0x27})
    /home/runner/go/pkg/mod/github.com/anchore/stereoscope@v0.0.6-0.20241101185849-cbd43fb4e5d3/pkg/image/layer.go:106 +0x149
github.com/anchore/stereoscope/pkg/image.(*Image).Read(0xc000004388)
    /home/runner/go/pkg/mod/github.com/anchore/stereoscope@v0.0.6-0.20241101185849-cbd43fb4e5d3/pkg/image/image.go:227 +0x6e5
github.com/anchore/stereoscope/pkg/image/sif.(*singularityImageProvider).Provide(0xc00073e360, {0xc0007f5800?, 0x15b545c?})
    /home/runner/go/pkg/mod/github.com/anchore/stereoscope@v0.0.6-0.20241101185849-cbd43fb4e5d3/pkg/image/sif/archive_provider.go:61 +0x249
github.com/anchore/syft/syft/source/stereoscopesource.stereoscopeImageSourceProvider.Provide({{0x1fc0f80, 0xc00073e360}, {{{0x7ffc17d1b320, 0x9}, 0x0, {0x0, 0x0, {...}, {...}, {...}}}, ...}}, ...)
    /home/runner/work/syft/syft/syft/source/stereoscopesource/image_source_provider.go:32 +0xb3
github.com/anchore/syft/syft.GetSource({0x1fc8fd8, 0xc0003827d0}, {0x7ffc17d1b320, 0x9}, 0xc0007f5a40?)
    /home/runner/work/syft/syft/syft/get_source.go:29 +0x1b8
github.com/anchore/syft/cmd/syft/internal/commands.getSource({0x1fc8fd8, 0xc0003827d0}, 0xc0001bd240, {0x7ffc17d1b320, 0x9}, {0xc000680f70, 0x1, 0x1})
    /home/runner/work/syft/syft/cmd/syft/internal/commands/scan.go:250 +0x63b
github.com/anchore/syft/cmd/syft/internal/commands.runScan({0x1fc8fd8, 0xc0003827d0}, {{0x19aad4f, 0x4}, {0x1fb0980, 0x6}, {0x1fc56a0, 0x28}, {0x1fb25f0, 0x7}, ...}, ...)
    /home/runner/work/syft/syft/cmd/syft/internal/commands/scan.go:187 +0x27d
github.com/anchore/syft/cmd/syft/internal/commands.Root.func1(0xc0004faf08, {0xc000464020, 0x1, 0x8e35e0?})
    /home/runner/work/syft/syft/cmd/syft/internal/commands/root.go:28 +0xe6
github.com/anchore/clio.(*application).setupCommand.(*application).WrapRunE.func2.1(0x1fc8f68?, {0xc000464020?, 0x0?, 0x0?})
    /home/runner/go/pkg/mod/github.com/anchore/clio@v0.0.0-20241015191535-f538a9016e10/application.go:147 +0x9e
github.com/anchore/clio.async.func1()
    /home/runner/go/pkg/mod/github.com/anchore/clio@v0.0.0-20241015191535-f538a9016e10/application.go:345 +0x6a
created by github.com/anchore/clio.async in goroutine 1
    /home/runner/go/pkg/mod/github.com/anchore/clio@v0.0.0-20241015191535-f538a9016e10/application.go:343 +0xc5
willmurphyscode commented 1 day ago

Hi @sbutcher thanks so much for the repro steps. I was able to build an SIF file that causes this panic using the steps you suggested.

I am fairly certain that this is a bug in our underlying SquashFS library that occurs when a read call asks for fragment 512 in the squashFS table. Lots of images don't have 512 fragments, which explains why the bug has gone unnoticed.

I'll work on a patch for the SquashFS library.
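Editor's note on the two technical comments above (the dev notes pointing at reader.go:162, and the closing remark that the panic shows up when a read asks for fragment 512). The Go sketch below is an added example; it is not code from syft, stereoscope or sylabs/squashfs and makes no claim about the library's actual root cause. It reconstructs why 512 is the number that appears: in the SquashFS on-disk format a fragment-table entry is 16 bytes and a metadata block is at most 8 KiB uncompressed, so one full metadata block holds exactly 512 entries (format facts, not something the thread states). It then shows an unchecked slice index producing the very message from the reports, "index out of range [512] with length 512", next to a bounds-checked lookup that turns the same condition into an error. Every identifier (FragTable, Entry, UncheckedEntry, DecodeMetaBlock, SampleTable, Panics, ErrFragOutOfRange) and the constructed 513-fragment table are assumptions made for this example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// SquashFS format facts (not stated in the thread): a fragment-table entry is
// 16 bytes (u64 start, u32 size, u32 unused) and a metadata block is at most
// 8 KiB uncompressed, so a full block holds 8192/16 = 512 entries.
const (
	fragEntrySize   = 16
	metaBlockSize   = 8192
	entriesPerBlock = metaBlockSize / fragEntrySize // 512
)

// FragEntry is one decoded fragment-table entry; only the start offset is kept.
type FragEntry struct {
	Start uint64 // offset of the fragment block within the image
}

// FragTable is a hypothetical in-memory fragment table: the decoded metadata
// blocks plus the fragment count the superblock declares.
type FragTable struct {
	Blocks [][]FragEntry
	Count  uint32
}

var ErrFragOutOfRange = errors.New("fragment index out of range")

// DecodeMetaBlock parses one uncompressed fragment metadata block.
func DecodeMetaBlock(raw []byte) ([]FragEntry, error) {
	if len(raw) == 0 || len(raw)%fragEntrySize != 0 || len(raw) > metaBlockSize {
		return nil, fmt.Errorf("bad fragment metadata block length %d", len(raw))
	}
	out := make([]FragEntry, 0, len(raw)/fragEntrySize)
	for off := 0; off < len(raw); off += fragEntrySize {
		out = append(out, FragEntry{Start: binary.LittleEndian.Uint64(raw[off:])})
	}
	return out, nil
}

// UncheckedEntry indexes the first decoded block with the raw fragment index.
// It is only the shape of the failure in the thread, not the library's code:
// with a full first block, fragment 512 dies with "index out of range [512]
// with length 512" and takes the whole scan down instead of returning an error.
func UncheckedEntry(t *FragTable, i uint32) FragEntry {
	return t.Blocks[0][i]
}

// Entry is the bounds-checked form: validate i against the declared count, map
// it to (metadata block, offset within block) and confirm the decoded block is
// really that long, so a truncated or odd table yields an error, not a panic.
func (t *FragTable) Entry(i uint32) (FragEntry, error) {
	if i >= t.Count {
		return FragEntry{}, fmt.Errorf("%w: %d >= declared count %d", ErrFragOutOfRange, i, t.Count)
	}
	blk, off := int(i/entriesPerBlock), int(i%entriesPerBlock)
	if blk >= len(t.Blocks) || off >= len(t.Blocks[blk]) {
		return FragEntry{}, fmt.Errorf("%w: fragment %d absent from decoded table (block %d, offset %d)", ErrFragOutOfRange, i, blk, off)
	}
	return t.Blocks[blk][off], nil
}

// Panics reports whether fn panics, to show the unchecked lookup failing.
func Panics(fn func()) (panicked bool) {
	defer func() { panicked = recover() != nil }()
	fn()
	return false
}

// SampleTable builds a constructed table of n fragments (Start == index) laid
// out across 512-entry metadata blocks, the way a real image's table is.
func SampleTable(n uint32) (*FragTable, error) {
	t := &FragTable{Count: n}
	for first := uint32(0); first < n; first += entriesPerBlock {
		raw := make([]byte, 0, metaBlockSize)
		for i := first; i < n && i < first+entriesPerBlock; i++ {
			e := make([]byte, fragEntrySize) // size and unused fields stay zero
			binary.LittleEndian.PutUint64(e, uint64(i))
			raw = append(raw, e...)
		}
		blk, err := DecodeMetaBlock(raw)
		if err != nil {
			return nil, err
		}
		t.Blocks = append(t.Blocks, blk)
	}
	return t, nil
}

func main() {
	t, _ := SampleTable(513) // block 0 is full (512 entries); fragment 512 lives in block 1
	fmt.Println("unchecked lookup of fragment 512 panics:", Panics(func() { UncheckedEntry(t, 512) }))
	e, err := t.Entry(512)
	fmt.Println("checked lookup of fragment 512:", e.Start, err)
}
```

The point for anyone shipping an SBOM scanner is the failure mode rather than the arithmetic: the scanner reads archives it did not build, and a table lookup that can panic turns any table layout the parser did not anticipate into a crash of the entire scan. Checking the index against both the count the superblock declares and the entries actually decoded, and returning an error the caller can report per file, keeps one unusual image from aborting the whole run.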