wolfi-dev / wolfictl

A CLI used to work with the Wolfi OSS project
Apache License 2.0

Panic runtime with wolfictl advisory discover command #995

Closed lioneloh closed 3 months ago

lioneloh commented 3 months ago

Description

Inside a wolfi-sdk container, when running the following command: GITHUB_TOKEN=github_pat_xxxx wolfictl advisory discover -d wolfi-dir/ -a advisories-dir/ -p spark-3.4 -r https://my_package_url I get the following error:

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x18 pc=0xab95dc]
goroutine 20 [running]:
  github.com/wolfi-dev/wolfictl/pkg/advisory.DiscoverOptions.filterMatchesForPackage({{0x400108e520, 0x1, 0x1}, 0x400010f080, 0x400010ee80, {0xffffc2f99dfd, 0x5a}, {0x40010580c0, 0x2, 0x2}, ...}, ...)
  github.com/wolfi-dev/wolfictl/pkg/advisory/discover.go:120 +0x25c
  github.com/wolfi-dev/wolfictl/pkg/advisory.DiscoverOptions.discoverMatchesForPackage({{0x400108e520, 0x1, 0x1}, 0x400010f080, 0x400010ee80, {0xffffc2f99dfd, 0x5a}, {0x40010580c0, 0x2, 0x2}, ...}, ...)
  github.com/wolfi-dev/wolfictl/pkg/advisory/discover.go:98 +0x194
  github.com/wolfi-dev/wolfictl/pkg/advisory.Discover({0x39a4110, 0x400075c5f0}, {{0x400108e520, 0x1, 0x1}, 0x400010f080, 0x400010ee80, {0xffffc2f99dfd, 0x5a}, {0x40010580c0, ...}, ...})
  github.com/wolfi-dev/wolfictl/pkg/advisory/discover.go:76 +0x2b4
  github.com/wolfi-dev/wolfictl/pkg/cli.cmdAdvisoryDiscover.func1.2()
  github.com/wolfi-dev/wolfictl/pkg/cli/advisory_discover.go:96 +0x244
  golang.org/x/sync/errgroup.(*Group).Go.func1()
  golang.org/x/sync@v0.7.0/errgroup/errgroup.go:78 +0x58
created by golang.org/x/sync/errgroup.(*Group).Go in goroutine 1
  golang.org/x/sync@v0.7.0/errgroup/errgroup.go:75 +0x98

Could you help me with this?

For information, the wolfictl version I use:

> wolfictl version
 __        __   ___    _       _____   ___    ____   _____   _
 \ \      / /  / _ \  | |     |  ___| |_ _|  / ___| |_   _| | |
  \ \ /\ / /  | | | | | |     | |_     | |  | |       | |   | |
   \ V  V /   | |_| | | |___  |  _|    | |  | |___    | |   | |___
    \_/\_/     \___/  |_____| |_|     |___|  \____|   |_|   |_____|
wolfictl: A CLI helper for developing Wolfi

GitVersion:    v0.18.0-18-g5f9a2fa
GitCommit:     5f9a2fa42bf3d3ff75bc9ffcb6dd3180e4dea208
GitTreeState:  clean
BuildDate:     '1970-01-01T00:00:00Z'
GoVersion:     go1.22.4
Compiler:      gc
Platform:      linux/arm64

The spark-3.4.yaml package file exists and the package was successfully created.

luhring commented 3 months ago

Thanks for reporting this! I'm intrigued, we haven't had many people using this particular command. Curious what your use case is if you feel like sharing :)

lioneloh commented 3 months ago

Thanks for the fix :) But I still don't know what is wrong in my command line :( I will dig further. For the use case, to make it short, we have several Spark images (from 2.4 to 3.5) available internally with some internal dependencies and non-default build parameters. I successfully built the packages needed (missing from Wolfi) with melange files.

As we have specific build parameters at Spark compile time, the JAR list is not the same as in the default Wolfi Spark images, and I was trying to automate the advisories list and secdb build. In the end, our internal users would be able to get the list of vulnerabilities with a simple SBOM scan (generated by apko) before using the container image.

This is currently a test to compare the vulnerability footprint of Wolfi-based images with our existing images.

luhring commented 3 months ago

But I still don't know what is wrong in my command line

Oh no! Are you still getting the same error? Or a new one?

And thanks for sharing! What you're doing sounds interesting. What are you planning on doing with the advisories list and secdbs? The secdbs are meant to be consumed by vulnerability scanners, and I'm happy to share more about that process if it's helpful.

It might also be worth mentioning that wolfictl adv discover isn't the best way to find vulnerabilities in a package. It was mostly added as an experiment early on, but it doesn't do any kind of deeper software composition analysis to see what vulnerabilities exist in the package.

lioneloh commented 3 months ago

I understood what i was doing wrong. I did not read all documentation (aka code) :). The command was expecting the name of the package not the yaml file containing the melange information. Moreover there is hardcoded mapping in the code for efficient nvd search. But you are right wolfictl adv discover is not the best command to use. I try wolfictl adv guide and have better result. I had to trick it because the command is expecting to be based on a short list of git remote url (hardcoded in the code as well ;)). But for the guide command it's understandable behavior, as it's here to guide user when submitting package to have the correct advisories file set up. It would be nice to have anyway a new wolfictl adv discover command based on grype scan (like guide) and that initialize or update an advisorie file with detection event if not already present. This command should not need any interaction to be compatible with CI/CD pipeline. It could be coupled with a new search command to list all vulnerabilities last event of a specific type on all or a subset of packages (for example search all vulnerabilities still with an event of type detection on all python packages). What do you think ? I could create a feature request on this point, if you think it worth it.