syft packages panics on OCI archive creation #1318

Closed
sophiewigmore opened this issue Nov 3, 2022 · 4 comments
Labels
bug Something isn't working

Comments

@sophiewigmore

sophiewigmore commented Nov 3, 2022

Please provide a set of steps on how to reproduce the issue

What happened:

Running syft packages <oci archive> --output cyclonedx-json --file sbom.json panics during the cataloguing phase:

✔ Parsed image
 ⠇ Cataloging packages     [packages 0]panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x8 pc=0x2730f36]

goroutine 131 [running]:
github.com/anchore/syft/syft/pkg.(*Package).SetID(0x0)
        /home/runner/work/syft/syft/syft/pkg/package.go:42 +0x36
github.com/anchore/syft/syft/pkg/cataloger/javascript.parseNodeBinary({0xc0006263a0?, 0xc013895280?}, 0x10?, {{{{0xc000dfab80, 0x3c}, {0xc001567860, 0x47}}, {0xc000dfab80, 0x3c}, {0x4992, ...}}, ...})
        /home/runner/work/syft/syft/syft/pkg/cataloger/javascript/parse_node_binary.go:41 +0x186
github.com/anchore/syft/syft/pkg/cataloger/generic.(*Cataloger).Catalog(0xc00ba15800, {0x340d040, 0xc001202058})
        /home/runner/work/syft/syft/syft/pkg/cataloger/generic/cataloger.go:127 +0x70e
github.com/anchore/syft/syft/pkg/cataloger.Catalog({0x340d040?, 0xc001202058}, 0x8?, {0xc00ba0f450, 0xd, 0x0?})
        /home/runner/work/syft/syft/syft/pkg/cataloger/catalog.go:56 +0x3d8
github.com/anchore/syft/syft.CatalogPackages(0xc00058a480, {{0x1, 0x0, {0x3034513, 0x8}}, {0x0, 0x0, 0x0}})
        /home/runner/work/syft/syft/syft/lib.go:72 +0x5a5
github.com/anchore/syft/cmd/syft/cli/eventloop.generateCatalogPackagesTask.func1(0xc00038eb60, 0x2e7aac0?)
        /home/runner/work/syft/syft/cmd/syft/cli/eventloop/tasks.go:49 +0xdc
github.com/anchore/syft/cmd/syft/cli/eventloop.RunTask(0x0?, 0xc00061dfd0?, 0x2500b4a?, 0xc001550000, 0xc00038be00?)
        /home/runner/work/syft/syft/cmd/syft/cli/eventloop/tasks.go:223 +0x85
created by github.com/anchore/syft/cmd/syft/cli/packages.buildRelationships
        /home/runner/work/syft/syft/cmd/syft/cli/packages/packages.go:121 +0x65

This only occurs for one of our OCI archives, which has a lot of packages (800+).
You can test this out by downloading an example OCI archive similar to the one I was testing with from our release: https://github.com/paketo-buildpacks/jammy-full-stack/releases/download/v0.0.31/jammy-full-stack-0.0.31-build.oci and then running the same syft package command on it with Syft 0.60.1

What you expected to happen:

Expected SBOM generation to succeed as usual

Anything else we need to know?:

This issue only started happening on 0.60.1 (and 0.60.2)

Environment:

  • Output of syft version: 0.60.1
  • OS (e.g: cat /etc/os-release or similar): mac OS and Ubuntu 22.04.1
@kzantow
Contributor

kzantow commented Nov 3, 2022

Hi @sophiewigmore -- I believe this was just fixed (with PR #1313) and a new version of Syft released (v0.60.3) with the fix in it; could you validate this fixes your issue?

@sophiewigmore
Author

Ah! Let me try.

@sophiewigmore
Author

Yes, that worked. Totally missed that fix. Thank you :)

@kzantow
Contributor

kzantow commented Nov 3, 2022

Thanks for following up, @sophiewigmore!
