search

aquasecurity / trivy

Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
https://aquasecurity.github.io/trivy
Apache License 2.0
22.91k stars 2.26k forks source link

Segmentation violation running trivy image with trivy v0.50.0 #6389

Closed anstrom closed 5 months ago

anstrom commented 5 months ago

Discussed in https://github.com/aquasecurity/trivy/discussions/6388

Originally posted by **anstrom** March 26, 2024 ### Description `trivy` crashes when scanning certain images with `trivy image`. The error message is `panic: runtime error: invalid memory address or nil pointer dereference`. ### Desired Behavior A successful scan of the image ### Actual Behavior ``` Vulnerability scanning is enabled 2024-03-26T09:55:06.954Z INFO Secret scanning is enabled 2024-03-26T09:55:06.954Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning 2024-03-26T09:55:06.954Z INFO Please see also https://aquasecurity.github.io/trivy/v0.50/docs/scanner/secret/#recommendation for faster secret detection panic: runtime error: invalid memory address or nil pointer dereference [signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x4d4d0c1] goroutine 1746 [running]: github.com/aquasecurity/trivy/pkg/sbom/core.(*BOM).AddRelationship(0xc001c68000, 0x0, 0x0, {0x7f685a3, 0x8}) /home/runner/work/trivy/trivy/pkg/sbom/core/bom.go:241 +0x41 github.com/aquasecurity/trivy/pkg/sbom/spdx.(*SPDX).unmarshal(0xc00167e168, 0xc000ad8000) /home/runner/work/trivy/trivy/pkg/sbom/spdx/unmarshal.go:92 +0x2b8 github.com/aquasecurity/trivy/pkg/sbom/spdx.(*SPDX).UnmarshalJSON(0xc00167e168, {0xc00725e000, 0x8a841, 0xffe00}) /home/runner/work/trivy/trivy/pkg/sbom/spdx/unmarshal.go:65 +0x21a encoding/json.(*decodeState).object(0xc000ad8528, {0x7d7da60?, 0xc00167e168?, 0xc0018311c8?}) /opt/hostedtoolcache/go/1.21.8/x64/src/encoding/json/decode.go:604 +0x6cc encoding/json.(*decodeState).value(0xc000ad8528, {0x7d7da60?, 0xc00167e168?, 0xc001831218?}) /opt/hostedtoolcache/go/1.21.8/x64/src/encoding/json/decode.go:374 +0x3e encoding/json.(*decodeState).unmarshal(0xc000ad8528, {0x7d7da60?, 0xc00167e168?}) /opt/hostedtoolcache/go/1.21.8/x64/src/encoding/json/decode.go:181 +0x133 encoding/json.(*Decoder).Decode(0xc000ad8500, {0x7d7da60, 0xc00167e168}) /opt/hostedtoolcache/go/1.21.8/x64/src/encoding/json/stream.go:73 +0x179 github.com/aquasecurity/trivy/pkg/sbom.Decode({_, _}, {_, _}) /home/runner/work/trivy/trivy/pkg/sbom/sbom.go:225 +0x645 github.com/aquasecurity/trivy/pkg/fanal/analyzer/sbom.sbomAnalyzer.Analyze({}, {0x79bed40?, 0x0?}, {{0x0, 0x0}, {0xc001354b90, 0x48}, {0x960acb0, 0xc0013882a0}, {0x7f6559cdd6d8, ...}, ...}) /home/runner/work/trivy/trivy/pkg/fanal/analyzer/sbom/sbom.go:39 +0x118 github.com/aquasecurity/trivy/pkg/fanal/analyzer.AnalyzerGroup.AnalyzeFile.func1({0x9603320, 0xcc8f8a0}, {0x9600850?, 0xc001850c30}) /home/runner/work/trivy/trivy/pkg/fanal/analyzer/analyzer.go:430 +0x25d created by github.com/aquasecurity/trivy/pkg/fanal/analyzer.AnalyzerGroup.AnalyzeFile in goroutine 84 /home/runner/work/trivy/trivy/pkg/fanal/analyzer/analyzer.go:425 +0x525 ``` ### Reproduction Steps ```bash `docker run aquasec/trivy:0.50.0 image mcr.microsoft.com/powershell:preview` ``` ### Target Container Image ### Scanner None ### Output Format Table ### Mode None ### Debug Output ```bash Δ ~ $ docker run aquasec/trivy:0.50.0 image mcr.microsoft.com/powershell:preview --debug 2024-03-26T10:10:42.269Z DEBUG Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"] 2024-03-26T10:10:42.270Z DEBUG Ignore statuses {"statuses": null} 2024-03-26T10:10:42.287Z DEBUG cache dir: /root/.cache/trivy 2024-03-26T10:10:42.287Z DEBUG There is no valid metadata file: unable to open a file: open /root/.cache/trivy/db/metadata.json: no such file or directory 2024-03-26T10:10:42.287Z INFO Need to update DB 2024-03-26T10:10:42.287Z INFO DB Repository: ghcr.io/aquasecurity/trivy-db:2 2024-03-26T10:10:42.287Z INFO Downloading DB... 2024-03-26T10:10:42.287Z DEBUG no metadata file 2.01 MiB / 44.64 MiB [-->____________________________________________________________] 4.50% ? p/s ?3.43 MiB / 44.64 MiB [---->__________________________________________________________] 7.69% ? p/s ?5.88 MiB / 44.64 MiB [-------->_____________________________________________________] 13.16% ? p/s ?8.66 MiB / 44.64 MiB [--------->_______________________________________] 19.40% 11.10 MiB p/s ETA 3s11.54 MiB / 44.64 MiB [------------>___________________________________] 25.86% 11.10 MiB p/s ETA 2s14.50 MiB / 44.64 MiB [--------------->________________________________] 32.48% 11.10 MiB p/s ETA 2s17.39 MiB / 44.64 MiB [------------------>_____________________________] 38.96% 11.32 MiB p/s ETA 2s20.33 MiB / 44.64 MiB [--------------------->__________________________] 45.54% 11.32 MiB p/s ETA 2s22.92 MiB / 44.64 MiB [------------------------>_______________________] 51.33% 11.32 MiB p/s ETA 1s24.18 MiB / 44.64 MiB [-------------------------->_____________________] 54.17% 11.32 MiB p/s ETA 1s26.15 MiB / 44.64 MiB [---------------------------->___________________] 58.58% 11.32 MiB p/s ETA 1s28.62 MiB / 44.64 MiB [------------------------------>_________________] 64.11% 11.32 MiB p/s ETA 1s31.33 MiB / 44.64 MiB [--------------------------------->______________] 70.18% 11.36 MiB p/s ETA 1s34.50 MiB / 44.64 MiB [------------------------------------->__________] 77.28% 11.36 MiB p/s ETA 0s37.66 MiB / 44.64 MiB [---------------------------------------->_______] 84.35% 11.36 MiB p/s ETA 0s40.96 MiB / 44.64 MiB [-------------------------------------------->___] 91.76% 11.66 MiB p/s ETA 0s44.50 MiB / 44.64 MiB [----------------------------------------------->] 99.68% 11.66 MiB p/s ETA 0s44.64 MiB / 44.64 MiB [---------------------------------------------->] 100.00% 11.66 MiB p/s ETA 0s44.64 MiB / 44.64 MiB [---------------------------------------------->] 100.00% 11.30 MiB p/s ETA 0s44.64 MiB / 44.64 MiB [---------------------------------------------->] 100.00% 11.30 MiB p/s ETA 0s44.64 MiB / 44.64 MiB [---------------------------------------------->] 100.00% 11.30 MiB p/s ETA 0s44.64 MiB / 44.64 MiB [---------------------------------------------->] 100.00% 10.57 MiB p/s ETA 0s44.64 MiB / 44.64 MiB [---------------------------------------------->] 100.00% 10.57 MiB p/s ETA 0s44.64 MiB / 44.64 MiB [---------------------------------------------->] 100.00% 10.57 MiB p/s ETA 0s44.64 MiB / 44.64 MiB [----------------------------------------------->] 100.00% 9.89 MiB p/s ETA 0s44.64 MiB / 44.64 MiB [----------------------------------------------->] 100.00% 9.89 MiB p/s ETA 0s44.64 MiB / 44.64 MiB [----------------------------------------------->] 100.00% 9.89 MiB p/s ETA 0s44.64 MiB / 44.64 MiB [----------------------------------------------->] 100.00% 9.25 MiB p/s ETA 0s44.64 MiB / 44.64 MiB [----------------------------------------------->] 100.00% 9.25 MiB p/s ETA 0s44.64 MiB / 44.64 MiB [----------------------------------------------->] 100.00% 9.25 MiB p/s ETA 0s44.64 MiB / 44.64 MiB [----------------------------------------------->] 100.00% 8.66 MiB p/s ETA 0s44.64 MiB / 44.64 MiB [----------------------------------------------->] 100.00% 8.66 MiB p/s ETA 0s44.64 MiB / 44.64 MiB [----------------------------------------------->] 100.00% 8.66 MiB p/s ETA 0s44.64 MiB / 44.64 MiB [----------------------------------------------->] 100.00% 8.10 MiB p/s ETA 0s44.64 MiB / 44.64 MiB [----------------------------------------------->] 100.00% 8.10 MiB p/s ETA 0s44.64 MiB / 44.64 MiB [----------------------------------------------->] 100.00% 8.10 MiB p/s ETA 0s44.64 MiB / 44.64 MiB [--------------------------------------------------] 100.00% 6.23 MiB p/s 7.4s2024-03-26T10:10:50.410Z DEBUG Updating database metadata... 2024-03-26T10:10:50.410Z DEBUG DB Schema: 2, UpdatedAt: 2024-03-26 06:11:10.197763384 +0000 UTC, NextUpdate: 2024-03-26 12:11:10.197763094 +0000 UTC, DownloadedAt: 2024-03-26 10:10:50.410778688 +0000 UTC 2024-03-26T10:10:50.411Z INFO Vulnerability scanning is enabled 2024-03-26T10:10:50.411Z DEBUG Vulnerability type: [os library] 2024-03-26T10:10:50.411Z INFO Secret scanning is enabled 2024-03-26T10:10:50.411Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning 2024-03-26T10:10:50.411Z INFO Please see also https://aquasecurity.github.io/trivy/v0.50/docs/scanner/secret/#recommendation for faster secret detection 2024-03-26T10:10:50.411Z DEBUG Enabling misconfiguration scanners: [azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot] 2024-03-26T10:10:50.579Z DEBUG No secret config detected: trivy-secret.yaml 2024-03-26T10:10:50.579Z DEBUG The nuget packages directory couldn't be found. License search disabled 2024-03-26T10:10:50.579Z DEBUG No secret config detected: trivy-secret.yaml 2024-03-26T10:10:50.653Z DEBUG Image ID: sha256:fecb1ada9a830c5fcadb287f07dcadbe4dcad5821b66e17d742bae968a8446f9 2024-03-26T10:10:50.653Z DEBUG Diff IDs: [sha256:d101c9453715a978a2a520f553588e77dfb4236762175eba61c5c264a449c75d sha256:41d145cbb71d90e33a9b6c0b07f1dc8aab1297240db00e53f33203e23cab3817] 2024-03-26T10:10:50.653Z DEBUG Base Layers: [sha256:d101c9453715a978a2a520f553588e77dfb4236762175eba61c5c264a449c75d] 2024-03-26T10:10:50.662Z DEBUG Missing image ID in cache: sha256:fecb1ada9a830c5fcadb287f07dcadbe4dcad5821b66e17d742bae968a8446f9 2024-03-26T10:10:50.662Z DEBUG Missing diff ID in cache: sha256:d101c9453715a978a2a520f553588e77dfb4236762175eba61c5c264a449c75d 2024-03-26T10:10:50.662Z DEBUG Missing diff ID in cache: sha256:41d145cbb71d90e33a9b6c0b07f1dc8aab1297240db00e53f33203e23cab3817 2024-03-26T10:10:50.747Z DEBUG Skipping directory: dev 2024-03-26T10:10:50.751Z DEBUG Skipping directory: proc 2024-03-26T10:10:50.751Z DEBUG Skipping directory: sys 2024-03-26T10:10:56.162Z DEBUG Skipping a component with an unsupported type {"name": "Microsoft.PowerShell.PSResourceGet", "version": "0.9.0-rc1", "type": "swid"} 2024-03-26T10:10:54.101Z DEBUG Skipping a component with an unsupported type {"name": "Unknown", "version": "0.0.0", "type": "swid"} panic: runtime error: invalid memory address or nil pointer dereference [signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x4d4d0c1] goroutine 1666 [running]: github.com/aquasecurity/trivy/pkg/sbom/core.(*BOM).AddRelationship(0xc000a0a780, 0x0, 0x0, {0x7f685a3, 0x8}) /home/runner/work/trivy/trivy/pkg/sbom/core/bom.go:241 +0x41 github.com/aquasecurity/trivy/pkg/sbom/spdx.(*SPDX).unmarshal(0xc00169d8d8, 0xc000888000) /home/runner/work/trivy/trivy/pkg/sbom/spdx/unmarshal.go:92 +0x2b8 github.com/aquasecurity/trivy/pkg/sbom/spdx.(*SPDX).UnmarshalJSON(0xc00169d8d8, {0xc0078a2000, 0x8a841, 0xffe00}) /home/runner/work/trivy/trivy/pkg/sbom/spdx/unmarshal.go:65 +0x21a encoding/json.(*decodeState).object(0xc0007122a8, {0x7d7da60?, 0xc00169d8d8?, 0xc000e5d1c8?}) /opt/hostedtoolcache/go/1.21.8/x64/src/encoding/json/decode.go:604 +0x6cc encoding/json.(*decodeState).value(0xc0007122a8, {0x7d7da60?, 0xc00169d8d8?, 0xc000e5d218?}) /opt/hostedtoolcache/go/1.21.8/x64/src/encoding/json/decode.go:374 +0x3e encoding/json.(*decodeState).unmarshal(0xc0007122a8, {0x7d7da60?, 0xc00169d8d8?}) /opt/hostedtoolcache/go/1.21.8/x64/src/encoding/json/decode.go:181 +0x133 encoding/json.(*Decoder).Decode(0xc000712280, {0x7d7da60, 0xc00169d8d8}) /opt/hostedtoolcache/go/1.21.8/x64/src/encoding/json/stream.go:73 +0x179 github.com/aquasecurity/trivy/pkg/sbom.Decode({_, _}, {_, _}) /home/runner/work/trivy/trivy/pkg/sbom/sbom.go:225 +0x645 github.com/aquasecurity/trivy/pkg/fanal/analyzer/sbom.sbomAnalyzer.Analyze({}, {0x79bed40?, 0x0?}, {{0x0, 0x0}, {0xc003604050, 0x48}, {0x960acb0, 0xc000259500}, {0x7f9acd0511b8, ...}, ...}) /home/runner/work/trivy/trivy/pkg/fanal/analyzer/sbom/sbom.go:39 +0x118 github.com/aquasecurity/trivy/pkg/fanal/analyzer.AnalyzerGroup.AnalyzeFile.func1({0x9603320, 0xcc8f8a0}, {0x9600850?, 0xc002f88050}) /home/runner/work/trivy/trivy/pkg/fanal/analyzer/analyzer.go:430 +0x25d created by github.com/aquasecurity/trivy/pkg/fanal/analyzer.AnalyzerGroup.AnalyzeFile in goroutine 118 /home/runner/work/trivy/trivy/pkg/fanal/analyzer/analyzer.go:425 +0x525 ``` ### Operating System Ubuntu 22.04.4 LTS (container) ### Version ```bash Version: 0.50.0 ``` ### Checklist - [X] Run `trivy image --reset` - [X] Read [the troubleshooting](https://aquasecurity.github.io/trivy/latest/docs/references/troubleshooting/)
github-actions[bot] commented 5 months ago

Please see https://aquasecurity.github.io/trivy/latest/community/contribute/issue/