Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Syft panics on APK parsing when Dependencies or Provides holds an empty string #1483

Closed
Nirusu opened this issue Jan 19, 2023 · 0 comments · Fixed by #1484
Closed

Syft panics on APK parsing when Dependencies or Provides holds an empty string #1483

Nirusu opened this issue Jan 19, 2023 · 0 comments · Fixed by #1484
Labels
bug Something isn't working

Comments

@Nirusu
Copy link
Contributor

Nirusu commented Jan 19, 2023

Please provide a set of steps on how to reproduce the issue
Easiest way is to try to attest our container image:

./syft attest ghcr.io/edgelesssys/keyservice-ko:ci-test@sha256:d876ad6acb3cc520de251504a783c91b20f6230c408cccf97021449b51520549 -o cyclonedx-json

Generally, this seems to come from the "alpine-baselayout-data" package using version 3.4.0-r0 in combination with Chainguard's apko.

What happened:
When Syft parses the APK metadata for "alpine-baselayout-data", it will find an empty string for Dependencies and Provides. Later on Syft tries to strip the version identifier. However, given this is an empty string and stripVersionSpecifier tries to return [0], it will panic:

syft attest ghcr.io/edgelesssys/keyservice-ko:ci-test@sha256:d876ad6acb3cc520de251504a783c91b20f6230c408cccf97021449b51520549 -o cyclonedx-json            
 ⠴ Parsing image            ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 
 ⠋ Cataloging packages     [packages 0]panic: runtime error: index out of range [0] with length 0

goroutine 32 [running]:
github.com/anchore/syft/syft/pkg/cataloger/apkdb.stripVersionSpecifier(...)
	github.com/anchore/syft/syft/pkg/cataloger/apkdb/parse_apk_db.go:356
github.com/anchore/syft/syft/pkg/cataloger/apkdb.discoverPackageDependencies({0x1400043c000, 0x19, 0x140011a3862?})
	github.com/anchore/syft/syft/pkg/cataloger/apkdb/parse_apk_db.go:316 +0x898
github.com/anchore/syft/syft/pkg/cataloger/apkdb.parseApkDB({0x140005cc030?, 0x1400063c930?}, 0x140005cc360, {{{{0x1400063c930, 0x15}, {0x1400003e870, 0x47}}, {0x14001121350, 0x15}, {0x116, ...}}, ...})
	github.com/anchore/syft/syft/pkg/cataloger/apkdb/parse_apk_db.go:101 +0x614
github.com/anchore/syft/syft/pkg/cataloger/generic.(*Cataloger).Catalog(0x140011d78c0, {0x103900850, 0x140005cc030})
	github.com/anchore/syft/syft/pkg/cataloger/generic/cataloger.go:129 +0x6b8
github.com/anchore/syft/syft/pkg/cataloger.runCataloger({0x1038f7448, 0x140011d78c0}, {0x103900850?, 0x140005cc030})
	github.com/anchore/syft/syft/pkg/cataloger/catalog.go:57 +0x15c
github.com/anchore/syft/syft/pkg/cataloger.Catalog.func1()
	github.com/anchore/syft/syft/pkg/cataloger/catalog.go:127 +0xcc
created by github.com/anchore/syft/syft/pkg/cataloger.Catalog
	github.com/anchore/syft/syft/pkg/cataloger/catalog.go:122 +0x250

What you expected to happen:
Don't panic, skip the empty field.

Anything else we need to know?:
This seems to occur when using apko from Chainguard, which a few days ago introduced "apk manipulation" which creates fields for Dependencies and Provides even if no entries are there: https://github.com/chainguard-dev/apko/blob/8cf8e127b1c7174acb3204084ade32a1f1d8e951/pkg/apk/impl/package.go#L35-L36

I will create a PR for how I would imagine the fix to look like and link it here.

Environment:

  • Output of syft version:
Application:        syft
Version:            0.66.2
JsonSchemaVersion:  6.2.0
BuildDate:          2023-01-17T21:26:39Z
GitCommit:          03971ace43b877e371c13e3f786c1f6c3a4ec507
GitDescription:     [not provided]
Platform:           darwin/arm64
GoVersion:          go1.19.5
Compiler:           gc
  • OS (e.g: cat /etc/os-release or similar):
    macOS Ventura arm64 (13.1)
Darwin MacBook-Air.local 22.2.0 Darwin Kernel Version 22.2.0: Fri Nov 11 02:04:44 PST 2022; root:xnu-8792.61.2~4/RELEASE_ARM64_T8103 arm64

Logs with debug info

syft attest ghcr.io/edgelesssys/keyservice-ko:ci-test@sha256:d876ad6acb3cc520de251504a783c91b20f6230c408cccf97021449b51520549 -o cyclonedx-json -vv
[0000]  INFO syft version: 0.66.2
[0000] DEBUG application config:
verbosity: 2
quiet: false
output:
- cyclonedx-json
output-template-path: ""
file: ""
check-for-app-update: true
dev:
  profile-cpu: false
  profile-mem: false
log:
  structured: false
  level: debug
  file: ""
catalogers: []
package:
  cataloger:
    enabled: true
    scope: Squashed
  search-unindexed-archives: false
  search-indexed-archives: true
file-metadata:
  cataloger:
    enabled: false
    scope: Squashed
  digests:
  - sha256
file-classification:
  cataloger:
    enabled: false
    scope: Squashed
file-contents:
  cataloger:
    enabled: false
    scope: Squashed
  skip-files-above-size: 1048576
  globs: []
secrets:
  cataloger:
    enabled: false
    scope: AllLayers
  additional-patterns: {}
  exclude-pattern-names: []
  reveal-values: false
  skip-files-above-size: 1048576
registry:
  insecure-skip-tls-verify: false
  insecure-use-http: false
  auth: []
exclude: []
platform: ""
name: ""
parallelism: 1

[0000] DEBUG checking if a new version of syft is available
[0000] DEBUG no new syft update available
[0000] DEBUG no socket address was found. Trying default address: /run/user/502/podman/podman.sock from-lib=stereoscope
[0000] DEBUG looking for socket file: stat /run/user/502/podman/podman.sock: no such file or directory from-lib=stereoscope
[0000] DEBUG image: source=OciRegistry location=ghcr.io/edgelesssys/keyservice-ko:ci-test@sha256:d876ad6acb3cc520de251504a783c91b20f6230c408cccf97021449b51520549 from-lib=stereoscope
[0000] DEBUG pulling image info directly from registry image="ghcr.io/edgelesssys/keyservice-ko:ci-test@sha256:d876ad6acb3cc520de251504a783c91b20f6230c408cccf97021449b51520549" from-lib=stereoscope
[0000] DEBUG no registry credentials configured, using the default keychain from-lib=stereoscope
[0001] DEBUG image metadata: digest=sha256:d46e692be9109c119ea6be101d1c55b56a5273acd80d5449bbfc2fdb28b76713 mediaType=application/vnd.docker.distribution.manifest.v2+json tags=[] from-lib=stereoscope
[0001] DEBUG layer metadata: index=0 digest=sha256:20823970661bec0053dccd0d94bf451496f3ed2fcddf1a472d10fa06917212d4 mediaType=application/vnd.docker.image.rootfs.diff.tar.gzip from-lib=stereoscope
[0002] DEBUG layer metadata: index=1 digest=sha256:ffe56a1c5f3878e9b5f803842adb9e2ce81584b6bd027e8599582aefe14a975b mediaType=application/vnd.docker.image.rootfs.diff.tar.gzip from-lib=stereoscope
[0002] DEBUG layer metadata: index=2 digest=sha256:a5f89419df2a7c02ae742d0c7308b0361f9ff1673c6ab5b0cd88494ca1ae580d mediaType=application/vnd.docker.image.rootfs.diff.tar.gzip from-lib=stereoscope
[0003]  INFO identified distro: Alpine Linux v3.17
[0003]  INFO cataloging image
[0003] DEBUG cataloging packages catalogers=15 parallelism=1
[0003] DEBUG discovered 0 packages cataloger=alpmdb-cataloger
[0003] DEBUG discovered 0 packages cataloger=ruby-gemspec-cataloger
[0003] DEBUG discovered 0 packages cataloger=python-package-cataloger
[0003] DEBUG discovered 0 packages cataloger=php-composer-installed-cataloger
[0003] DEBUG discovered 0 packages cataloger=javascript-package-cataloger
[0003] DEBUG discovered 0 packages cataloger=dpkgdb-cataloger
[0003] DEBUG discovered 0 packages cataloger=rpm-db-cataloger
[0003] DEBUG discovered 0 packages cataloger=java-cataloger
[0003] DEBUG native-image cataloger: error extracting SBOM from /ko-app/cmd: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /bin/bbsuid: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /bin/busybox: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /bin/mdevd: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /bin/mdevd-coldplug: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /bin/rc-status: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /bin/uniso: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/ld-musl-x86_64.so.1: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/libapk.so.3.12.0: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/libcrypto.so.3: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/libskarnet.so.2.13.0.0: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/libssl.so.3: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/libz.so.1.2.13: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/bin/checkpath: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/bin/ebegin: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/bin/eend: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/bin/eerror: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/bin/eerrorn: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/bin/eindent: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/bin/einfo: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/bin/einfon: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/bin/eoutdent: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/bin/esyslog: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/bin/eval_ecolors: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/bin/ewaitfile: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/bin/ewarn: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/bin/ewarnn: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/bin/ewend: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/bin/fstabinfo: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/bin/get_options: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/bin/is_newer_than: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/bin/is_older_than: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/bin/kill_all: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/bin/mountinfo: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/bin/rc-depend: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/bin/save_options: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/bin/service_crashed: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/bin/service_get_value: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/bin/service_hotplugged: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/bin/service_inactive: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/bin/service_set_value: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/bin/service_started: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/bin/service_started_daemon: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/bin/service_starting: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/bin/service_stopped: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/bin/service_stopping: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/bin/service_wasinactive: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/bin/shell_var: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/bin/vebegin: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/bin/veend: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/bin/veindent: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/bin/veinfo: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/bin/veoutdent: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/bin/vewarn: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/bin/vewend: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/sbin/mark_service_crashed: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/sbin/mark_service_failed: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/sbin/mark_service_hotplugged: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/sbin/mark_service_inactive: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/sbin/mark_service_started: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/sbin/mark_service_starting: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/sbin/mark_service_stopped: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/sbin/mark_service_stopping: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/sbin/mark_service_wasinactive: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/sbin/rc-abort: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/sbin/seedrng: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/sbin/swclock: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /sbin/apk: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /sbin/mkmntdirs: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /sbin/openrc: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /sbin/openrc-run: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /sbin/rc: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /sbin/rc-service: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /sbin/rc-update: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /sbin/start-stop-daemon: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /sbin/supervise-daemon: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /usr/bin/getconf: one or more symbols are missing from the native image executable.
[0003] DEBUG native-image cataloger: error extracting SBOM from /usr/bin/getent: one or more symbols are missing from the native image executable.
[0003] DEBUG native-image cataloger: error extracting SBOM from /usr/bin/iconv: one or more symbols are missing from the native image executable.
[0003] DEBUG native-image cataloger: error extracting SBOM from /usr/bin/scanelf: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /usr/lib/engines-3/afalg.so: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /usr/lib/engines-3/capi.so: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /usr/lib/engines-3/loader_attic.so: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /usr/lib/engines-3/padlock.so: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /usr/lib/libcap.so.2.66: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /usr/lib/libeinfo.so.1: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /usr/lib/libpsx.so.2.66: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /usr/lib/librc.so.1: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /usr/lib/ossl-modules/legacy.so: no symbols found in binary: no symbol section.
[0003] DEBUG discovered 0 packages cataloger=graalvm-native-image-cataloger
panic: runtime error: index out of range [0] with length 0

goroutine 85 [running]:
github.com/anchore/syft/syft/pkg/cataloger/apkdb.stripVersionSpecifier(...)
	github.com/anchore/syft/syft/pkg/cataloger/apkdb/parse_apk_db.go:356
github.com/anchore/syft/syft/pkg/cataloger/apkdb.discoverPackageDependencies({0x1400049c000, 0x19, 0x14000f9a552?})
	github.com/anchore/syft/syft/pkg/cataloger/apkdb/parse_apk_db.go:316 +0x898
github.com/anchore/syft/syft/pkg/cataloger/apkdb.parseApkDB({0x140001a00d0?, 0x140005e63c0?}, 0x140001a0c98, {{{{0x140005e63c0, 0x15}, {0x140000ef270, 0x47}}, {0x14000f6bb30, 0x15}, {0x116, ...}}, ...})
	github.com/anchore/syft/syft/pkg/cataloger/apkdb/parse_apk_db.go:101 +0x614
github.com/anchore/syft/syft/pkg/cataloger/generic.(*Cataloger).Catalog(0x1400124ce40, {0x105750850, 0x140001a00d0})
	github.com/anchore/syft/syft/pkg/cataloger/generic/cataloger.go:129 +0x6b8
github.com/anchore/syft/syft/pkg/cataloger.runCataloger({0x105747448, 0x1400124ce40}, {0x105750850?, 0x140001a00d0})
	github.com/anchore/syft/syft/pkg/cataloger/catalog.go:57 +0x15c
github.com/anchore/syft/syft/pkg/cataloger.Catalog.func1()
	github.com/anchore/syft/syft/pkg/cataloger/catalog.go:127 +0xcc
created by github.com/anchore/syft/syft/pkg/cataloger.Catalog
	github.com/anchore/syft/syft/pkg/cataloger/catalog.go:122 +0x250
@Nirusu Nirusu added the bug Something isn't working label Jan 19, 2023
@Nirusu Nirusu changed the title Syft panics on APK parsing when Dependencies or Provides is empty Syft panics on APK parsing when Dependencies or Provides holds an empty string Jan 19, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

Successfully merging a pull request may close this issue.

1 participant