attest panic on MacOS

[telelvis]

What happened:

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x2 addr=0x28 pc=0x101f13fbc]

goroutine 1 [running]:
github.com/anchore/syft/cmd/syft/cli/attest.formatPredicateType(...)
	/Users/runner/work/syft/syft/cmd/syft/cli/attest/attest.go:323
github.com/anchore/syft/cmd/syft/cli/attest.Run({0x1029367a8, _}, _, {0x0, {0x0, 0x0}, {0x16f7b7ac2, 0x19}, {0x101f8a33d, 0x1b}, ...}, ...)
	/Users/runner/work/syft/syft/cmd/syft/cli/attest/attest.go:75 +0x9c
github.com/anchore/syft/cmd/syft/cli.Attest.func2(0x14001219680?, {0x1400122fc20?, 0x1?, 0x6?})
	/Users/runner/work/syft/syft/cmd/syft/cli/attest.go:70 +0x130
github.com/spf13/cobra.(*Command).execute(0x14001219680, {0x1400122fbc0, 0x6, 0x6})
	/Users/runner/go/pkg/mod/github.com/spf13/cobra@v1.5.0/command.go:872 +0x4d0
github.com/spf13/cobra.(*Command).ExecuteC(0x14001246000)
	/Users/runner/go/pkg/mod/github.com/spf13/cobra@v1.5.0/command.go:990 +0x354
github.com/spf13/cobra.(*Command).Execute(...)
	/Users/runner/go/pkg/mod/github.com/spf13/cobra@v1.5.0/command.go:918
main.main()
	/Users/runner/work/syft/syft/cmd/syft/main.go:15 +0x60

What you expected to happen:
SBOM produced and signed as attestation stored locally
How to reproduce it (as minimally and precisely as possible):
syft attest --key release.key --no-upload -o sdpx-json myregistry.net/my-api:latest
Anything else we need to know?:
release.key was generated by cosign generate-key, although I don't think it matters
Environment:

• Output of syft version:

syft version
Application:        syft
Version:            0.56.0
JsonSchemaVersion:  3.3.2
BuildDate:          2022-09-12T16:36:53Z
GitCommit:          c5dca001e267d2a91ff82e53ca72535ceef6af02
GitDescription:     v0.56.0
Platform:           darwin/arm64
GoVersion:          go1.18.5
Compiler:           gc

syft is installed with brew

• OS (e.g: cat /etc/os-release or similar):

 sw_vers 
ProductName:	macOS
ProductVersion:	12.4
BuildVersion:	21F79

[tgerla]

Hi @telelvis, sorry for the trouble. A couple of questions: do you see this panic happen for any image, or just "myregistry.net/my-api:latest"? Would it be possible for you to share the image that is crashing so that we can attempt to reproduce the problem? Thanks!

[telelvis]

Hello @tgerla , thanks for looking into this.
I think i managed to pinpoint when it goes panic and it's due to easy to make typo.
Notice these two commands

syft attest --key release.key -o spdx-json --no-upload docker.io/library/redis
syft attest --key release.key -o spdx-jsonx --no-upload docker.io/library/redis 

Second does throw a panic message and it's indeed just -o output specified as spdx-jsonx. Turns out I can specify any kind of value not in the list [table syft-json spdx-json cyclonedx-json] and it crashes

[tgerla]

Hi @telelvis, thanks for the additional information. I've reproduced the problem here, so we'll hopefully have a fix soon. We appreciate your report!

Tim