kubernetes-sigs / bom

A utility to generate SPDX-compliant Bill of Materials manifests
https://kubernetes-sigs.github.io/bom/
Apache License 2.0

PackageFromDirectory segfault #308

Closed howardjohn closed 1 year ago

howardjohn commented 1 year ago

We seemed to get a flake in the bom generation in one of our runs:

https://prow.istio.io/view/gs/istio-prow/logs/release_istio_postsubmit/1672283647324983296

2023-06-23T17:00:38.941316Z info    Running command: bom --log-level error generate --name Istio Source 1.19-alpha.e472f349a52e8721616b3863831b0c30485715f2 --namespace https://storage.googleapis.com/istio-release/releases/1.19-alpha.e472f349a52e8721616b3863831b0c30485715f2/istio-source.spdx --dirs /tmp/tmp.tyao4dBCD0/build/work/src/istio.io/istio --output /tmp/tmp.tyao4dBCD0/build/out/istio-source.spdx
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x48 pc=0x8bcb58]
goroutine 1129 [running]:
sigs.k8s.io/bom/pkg/spdx.(*spdxDefaultImplementation).PackageFromDirectory.func1({0xc0002c4d00, 0x33}, 0xc0016b0680)
    /tmp/go/pkg/mod/sigs.k8s.io/bom@v0.5.1/pkg/spdx/implementation.go:1032 +0x378
created by sigs.k8s.io/bom/pkg/spdx.(*spdxDefaultImplementation).PackageFromDirectory
    /tmp/go/pkg/mod/sigs.k8s.io/bom@v0.5.1/pkg/spdx/implementation.go:1047 +0x995
Error: failed to build: failed to generate sbom: couldn't generate sbom for istio source: exit status 2

As far as I can tell there is nothing special about this specific run, so I am not sure why it's failing now.

howardjohn commented 1 year ago

Huh, no clue how this can happen: https://github.com/kubernetes-sigs/bom/blob/5b4933b85df80f015dae11057c1dac7d65f86be9/pkg/spdx/implementation.go#L1032

lic is not nil per L1028 and f is not nil per L1027

puerco commented 1 year ago

Mmh, it looks like a combo of scope creep and a race condition. I'll try a fix.

Thanks for the report @howardjohn! /assign
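The failure mode puerco points at, a variable declared in an outer scope that is nil-checked inside the loop and then read by a goroutine after the loop has already reassigned it, is easy to reproduce in isolation. The following is an added example, not bom's code: `License`, `detectLicense`, `scanShared` and `scanPerFile` are constructed for the illustration, and the `start` gate is an assumption that forces the worst-case interleaving so the outcome is deterministic (in real code the timing varies, which is exactly what makes such a bug show up as a flake).

```go
package main

import (
	"fmt"
	"sync"
)

// License is a stand-in for a detected license record (hypothetical type).
type License struct{ ID string }

// sampleLicenses is constructed sample input: two files with a license, one without.
var sampleLicenses = map[string]string{"a.go": "MIT", "b.go": "Apache-2.0"}

// detectLicense is a constructed stub that returns nil when no license is found.
func detectLicense(path string) *License {
	if id, ok := sampleLicenses[path]; ok {
		return &License{ID: id}
	}
	return nil
}

// scanShared reproduces the bug class: lic lives outside the loop, so the nil
// check passes in the loop body, but the goroutine reads whatever lic holds
// when it actually runs. The start gate makes every goroutine run after the
// loop has finished, so all of them observe the final assignment (nil here).
func scanShared(files []string) []string {
	results := make([]string, len(files))
	start := make(chan struct{})
	var wg sync.WaitGroup
	var lic *License // shared across iterations and goroutines
	for i, f := range files {
		lic = detectLicense(f)
		if lic == nil {
			continue // the check is correct at this instant, but lic keeps changing
		}
		wg.Add(1)
		go func(i int) {
			defer wg.Done()
			defer func() {
				// Record the nil dereference instead of crashing the process.
				if r := recover(); r != nil {
					results[i] = fmt.Sprintf("panic: %v", r)
				}
			}()
			<-start
			results[i] = lic.ID // reads the current lic, not the one that was checked
		}(i)
	}
	close(start)
	wg.Wait()
	return results
}

// scanPerFile is the fix: the license is resolved and checked per file and
// handed to the goroutine as an argument, so each goroutine owns the value
// that was actually checked.
func scanPerFile(files []string) []string {
	results := make([]string, len(files))
	start := make(chan struct{})
	var wg sync.WaitGroup
	for i, f := range files {
		lic := detectLicense(f) // fresh variable per iteration
		if lic == nil {
			results[i] = "NOASSERTION" // SPDX value for "no license determined"
			continue
		}
		wg.Add(1)
		go func(i int, lic *License) {
			defer wg.Done()
			<-start
			results[i] = lic.ID
		}(i, lic)
	}
	close(start)
	wg.Wait()
	return results
}

func main() {
	files := []string{"a.go", "b.go", "README.md"} // constructed sample input
	fmt.Println("shared:  ", scanShared(files))
	fmt.Println("per-file:", scanPerFile(files))
}
```

Without the gate the shared version would only fail when a goroutine happens to be scheduled after a later iteration has reassigned `lic`, so a run may pass many times before it segfaults; `go test -race` reports the unsynchronized write/read on `lic` regardless of which interleaving the scheduler picks, which is the check to add alongside the fix.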