Grype panics on certain output formats for PURL inputs

[chovanecadam]

What happened:

When scanning a file of PURLs or a single PURL and setting output format to sarif, cyclonedx, or cyclonedx-json, Grype panics.

What you expected to happen:

Grype does not panic and creates the outputs. If not possible due to missing information, Grype should fail gracefully.

How to reproduce it (as minimally and precisely as possible):

podman run --rm --name Grype -v grypedb:/.cache/grype docker.io/anchore/grype:v0.86.0 'pkg:deb/debian/apt@2.6.1?arch=amd64&distro=debian-12' -o cyclonedx-json
[0000]  WARN unable to determine GOPATH or user home dir: %!w(string=exec: "getent": executable file not found in $PATH)
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x191b49c]

goroutine 15 [running]:
github.com/anchore/grype/grype/presenter/cyclonedx.(*Presenter).Present(0xc0007fedc0, {0x25f6940, 0xc000e175f0})
        /home/runner/work/grype/grype/grype/presenter/cyclonedx/presenter.go:59 +0x3c
github.com/anchore/grype/internal/format.(*scanResultPublisher).Write(0x0?, {{{0x1e915ee, 0x5}, {0x25ed56c, 0x6}, {0x2608bc0, 0x28}, {0x25ef2d8, 0x7}, {0x25f5bf0, ...}}, ...})
        /home/runner/work/grype/grype/internal/format/writer.go:213 +0xad
github.com/anchore/grype/internal/format.(*scanResultMultiWriter).Write(0x0?, {{{0x1e915ee, 0x5}, {0x25ed56c, 0x6}, {0x2608bc0, 0x28}, {0x25ef2d8, 0x7}, {0x25f5bf0, ...}}, ...})
        /home/runner/work/grype/grype/internal/format/writer.go:171 +0x9e
github.com/anchore/grype/cmd/grype/cli/commands.runGrype({0x26102c0, 0xc000605180}, 0xc00076f188, {0x7fff1ca8bf3b, 0x34})
        /home/runner/work/grype/grype/cmd/grype/cli/commands/root.go:204 +0xfbd
github.com/anchore/grype/cmd/grype/cli/commands.Root.func1(0x0?, {0xc000678180?, 0x0?, 0x0?})
        /home/runner/work/grype/grype/cmd/grype/cli/commands/root.go:84 +0x3f
github.com/anchore/clio.(*application).setupCommand.(*application).WrapRunE.func2.1(0x0?, {0xc000678180?, 0x0?, 0x0?})
        /home/runner/go/pkg/mod/github.com/anchore/clio@v0.0.0-20241115144204-29e89f9fa837/application.go:150 +0x8c
github.com/anchore/clio.async.func1()
        /home/runner/go/pkg/mod/github.com/anchore/clio@v0.0.0-20241115144204-29e89f9fa837/application.go:364 +0x64
created by github.com/anchore/clio.async in goroutine 1
        /home/runner/go/pkg/mod/github.com/anchore/clio@v0.0.0-20241115144204-29e89f9fa837/application.go:362 +0xc5

Anything else we need to know?:

Environment:

• Output of grype version: v.0.86.0
• OS (e.g: cat /etc/os-release or similar):

[spiffcs]

Thanks @chovanecadam - I've confirmed the panic and reproduced this without the container setup:

grype -o cyclonedx-json pkg:deb/debian/apt@2.6.1 --distro debian-12
panic: runtime error: invalid memory address or nil pointer dereference

I'll pick this up Immediately and try to get a patch out.