kubernetes-sigs / bom

A utility to generate SPDX-compliant Bill of Materials manifests
https://kubernetes-sigs.github.io/bom/
Apache License 2.0

Release v0.5.1 of `bom generate` can panic while main has been fixed, could we get v0.5.2? #385

Closed. mtardy closed this issue 7 months ago.

mtardy commented 7 months ago

What happened:

We get panics from time to time using bom v0.5.1 to generate the SBOM in cilium/tetragon.

The logs look like this:

Run bom generate --format json -o sbom_ci_pr_tetragon_00a3f6a2d6f305dca9a09e9ce09a2818e02c3502.spdx \
level=info msg="bom v0.5.1: Generating SPDX Bill of Materials"
level=info msg="Processing directory ."
level=info msg="Loading license data from downloader"
level=info msg="Using embedded v3.20 license list"
level=info msg="Got 536 licenses from downloader"
level=info msg="Writing license data to /tmp/spdx/downloadCache"
level=info msg="Writing 536 SPDX licenses to /tmp/spdx/licenses"
level=info msg="Applying 29 ignore patterns to list of 16080 filenames"
level=info msg="Scanning 15752 files and adding them to the SPDX package"
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x50 pc=0x894aeb]

goroutine 690 [running]:
sigs.k8s.io/bom/pkg/spdx.(*spdxDefaultImplementation).PackageFromDirectory.func1({0xc0002511c0, 0x31}, 0xc00c8fd1e0)
    /home/runner/go/pkg/mod/sigs.k8s.io/bom@v0.5.1/pkg/spdx/implementation.go:1032 +0x34b
created by sigs.k8s.io/bom/pkg/spdx.(*spdxDefaultImplementation).PackageFromDirectory in goroutine 1
    /home/runner/go/pkg/mod/sigs.k8s.io/bom@v0.5.1/pkg/spdx/implementation.go:1047 +0x92f
Error: Process completed with exit code 2.

See the concerned lines: https://github.com/kubernetes-sigs/bom/blob/5b4933b85df80f015dae11057c1dac7d65f86be9/pkg/spdx/implementation.go#L1012-L1049

What you expected to happen:

I expect the bom utility not to crash.

How to reproduce it (as minimally and precisely as possible):

This is yet to be found; it's not constant, so I don't know how easy it is to reproduce.

Anything else we need to know?:

More info there https://github.com/cilium/tetragon/issues/1894.

Environment:

See an example of context. We can get more.

mtardy commented 7 months ago

Oh well, I think I (with the help of my colleagues) found the race issue here; let me write a patch.

mtardy commented 7 months ago

Oh oh oh, all that to finally discover it has already been patched in https://github.com/kubernetes-sigs/bom/pull/312. Could we get a release?

cpanato commented 7 months ago

Will check this week and release it.

mtardy commented 7 months ago

Just updated the title to reflect that this was already fixed and that it would be nice to get a new release. Could I help with that? Thanks!

cpanato commented 7 months ago

Released: https://github.com/kubernetes-sigs/bom/releases/tag/v0.6.0