Generally, this seems to come from the "alpine-baselayout-data" package using version 3.4.0-r0 in combination with Chainguard's apko.
What happened:
When Syft parses the APK metadata for "alpine-baselayout-data", it will find an empty string for Dependencies and Provides. Later on, Syft tries to strip the version identifier. However, given this is an empty string and stripVersionSpecifier tries to return [0], it will panic:
syft attest ghcr.io/edgelesssys/keyservice-ko:ci-test@sha256:d876ad6acb3cc520de251504a783c91b20f6230c408cccf97021449b51520549 -o cyclonedx-json
⠴ Parsing image ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
⠋ Cataloging packages [packages 0]panic: runtime error: index out of range [0] with length 0
goroutine 32 [running]:
github.com/anchore/syft/syft/pkg/cataloger/apkdb.stripVersionSpecifier(...)
github.com/anchore/syft/syft/pkg/cataloger/apkdb/parse_apk_db.go:356
github.com/anchore/syft/syft/pkg/cataloger/apkdb.discoverPackageDependencies({0x1400043c000, 0x19, 0x140011a3862?})
github.com/anchore/syft/syft/pkg/cataloger/apkdb/parse_apk_db.go:316 +0x898
github.com/anchore/syft/syft/pkg/cataloger/apkdb.parseApkDB({0x140005cc030?, 0x1400063c930?}, 0x140005cc360, {{{{0x1400063c930, 0x15}, {0x1400003e870, 0x47}}, {0x14001121350, 0x15}, {0x116, ...}}, ...})
github.com/anchore/syft/syft/pkg/cataloger/apkdb/parse_apk_db.go:101 +0x614
github.com/anchore/syft/syft/pkg/cataloger/generic.(*Cataloger).Catalog(0x140011d78c0, {0x103900850, 0x140005cc030})
github.com/anchore/syft/syft/pkg/cataloger/generic/cataloger.go:129 +0x6b8
github.com/anchore/syft/syft/pkg/cataloger.runCataloger({0x1038f7448, 0x140011d78c0}, {0x103900850?, 0x140005cc030})
github.com/anchore/syft/syft/pkg/cataloger/catalog.go:57 +0x15c
github.com/anchore/syft/syft/pkg/cataloger.Catalog.func1()
github.com/anchore/syft/syft/pkg/cataloger/catalog.go:127 +0xcc
created by github.com/anchore/syft/syft/pkg/cataloger.Catalog
github.com/anchore/syft/syft/pkg/cataloger/catalog.go:122 +0x250
What you expected to happen:
Don't panic, skip the empty field.
OS (e.g: cat /etc/os-release or similar):
macOS Ventura arm64 (13.1)
Darwin MacBook-Air.local 22.2.0 Darwin Kernel Version 22.2.0: Fri Nov 11 02:04:44 PST 2022; root:xnu-8792.61.2~4/RELEASE_ARM64_T8103 arm64
Logs with debug info
syft attest ghcr.io/edgelesssys/keyservice-ko:ci-test@sha256:d876ad6acb3cc520de251504a783c91b20f6230c408cccf97021449b51520549 -o cyclonedx-json -vv
[0000] INFO syft version: 0.66.2
[0000] DEBUG application config:
verbosity: 2
quiet: false
output:
- cyclonedx-json
output-template-path: ""
file: ""
check-for-app-update: true
dev:
profile-cpu: false
profile-mem: false
log:
structured: false
level: debug
file: ""
catalogers: []
package:
cataloger:
enabled: true
scope: Squashed
search-unindexed-archives: false
search-indexed-archives: true
file-metadata:
cataloger:
enabled: false
scope: Squashed
digests:
- sha256
file-classification:
cataloger:
enabled: false
scope: Squashed
file-contents:
cataloger:
enabled: false
scope: Squashed
skip-files-above-size: 1048576
globs: []
secrets:
cataloger:
enabled: false
scope: AllLayers
additional-patterns: {}
exclude-pattern-names: []
reveal-values: false
skip-files-above-size: 1048576
registry:
insecure-skip-tls-verify: false
insecure-use-http: false
auth: []
exclude: []
platform: ""
name: ""
parallelism: 1
[0000] DEBUG checking if a new version of syft is available
[0000] DEBUG no new syft update available
[0000] DEBUG no socket address was found. Trying default address: /run/user/502/podman/podman.sock from-lib=stereoscope
[0000] DEBUG looking for socket file: stat /run/user/502/podman/podman.sock: no such file or directory from-lib=stereoscope
[0000] DEBUG image: source=OciRegistry location=ghcr.io/edgelesssys/keyservice-ko:ci-test@sha256:d876ad6acb3cc520de251504a783c91b20f6230c408cccf97021449b51520549 from-lib=stereoscope
[0000] DEBUG pulling image info directly from registry image="ghcr.io/edgelesssys/keyservice-ko:ci-test@sha256:d876ad6acb3cc520de251504a783c91b20f6230c408cccf97021449b51520549" from-lib=stereoscope
[0000] DEBUG no registry credentials configured, using the default keychain from-lib=stereoscope
[0001] DEBUG image metadata: digest=sha256:d46e692be9109c119ea6be101d1c55b56a5273acd80d5449bbfc2fdb28b76713 mediaType=application/vnd.docker.distribution.manifest.v2+json tags=[] from-lib=stereoscope
[0001] DEBUG layer metadata: index=0 digest=sha256:20823970661bec0053dccd0d94bf451496f3ed2fcddf1a472d10fa06917212d4 mediaType=application/vnd.docker.image.rootfs.diff.tar.gzip from-lib=stereoscope
[0002] DEBUG layer metadata: index=1 digest=sha256:ffe56a1c5f3878e9b5f803842adb9e2ce81584b6bd027e8599582aefe14a975b mediaType=application/vnd.docker.image.rootfs.diff.tar.gzip from-lib=stereoscope
[0002] DEBUG layer metadata: index=2 digest=sha256:a5f89419df2a7c02ae742d0c7308b0361f9ff1673c6ab5b0cd88494ca1ae580d mediaType=application/vnd.docker.image.rootfs.diff.tar.gzip from-lib=stereoscope
[0003] INFO identified distro: Alpine Linux v3.17
[0003] INFO cataloging image
[0003] DEBUG cataloging packages catalogers=15 parallelism=1
[0003] DEBUG discovered 0 packages cataloger=alpmdb-cataloger
[0003] DEBUG discovered 0 packages cataloger=ruby-gemspec-cataloger
[0003] DEBUG discovered 0 packages cataloger=python-package-cataloger
[0003] DEBUG discovered 0 packages cataloger=php-composer-installed-cataloger
[0003] DEBUG discovered 0 packages cataloger=javascript-package-cataloger
[0003] DEBUG discovered 0 packages cataloger=dpkgdb-cataloger
[0003] DEBUG discovered 0 packages cataloger=rpm-db-cataloger
[0003] DEBUG discovered 0 packages cataloger=java-cataloger
[0003] DEBUG native-image cataloger: error extracting SBOM from /ko-app/cmd: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /bin/bbsuid: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /bin/busybox: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /bin/mdevd: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /bin/mdevd-coldplug: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /bin/rc-status: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /bin/uniso: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/ld-musl-x86_64.so.1: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/libapk.so.3.12.0: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/libcrypto.so.3: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/libskarnet.so.2.13.0.0: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/libssl.so.3: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/libz.so.1.2.13: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/bin/checkpath: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/bin/ebegin: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/bin/eend: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/bin/eerror: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/bin/eerrorn: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/bin/eindent: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/bin/einfo: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/bin/einfon: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/bin/eoutdent: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/bin/esyslog: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/bin/eval_ecolors: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/bin/ewaitfile: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/bin/ewarn: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/bin/ewarnn: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/bin/ewend: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/bin/fstabinfo: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/bin/get_options: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/bin/is_newer_than: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/bin/is_older_than: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/bin/kill_all: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/bin/mountinfo: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/bin/rc-depend: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/bin/save_options: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/bin/service_crashed: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/bin/service_get_value: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/bin/service_hotplugged: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/bin/service_inactive: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/bin/service_set_value: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/bin/service_started: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/bin/service_started_daemon: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/bin/service_starting: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/bin/service_stopped: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/bin/service_stopping: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/bin/service_wasinactive: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/bin/shell_var: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/bin/vebegin: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/bin/veend: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/bin/veindent: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/bin/veinfo: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/bin/veoutdent: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/bin/vewarn: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/bin/vewend: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/sbin/mark_service_crashed: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/sbin/mark_service_failed: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/sbin/mark_service_hotplugged: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/sbin/mark_service_inactive: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/sbin/mark_service_started: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/sbin/mark_service_starting: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/sbin/mark_service_stopped: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/sbin/mark_service_stopping: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/sbin/mark_service_wasinactive: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/sbin/rc-abort: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/sbin/seedrng: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /lib/rc/sbin/swclock: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /sbin/apk: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /sbin/mkmntdirs: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /sbin/openrc: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /sbin/openrc-run: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /sbin/rc: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /sbin/rc-service: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /sbin/rc-update: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /sbin/start-stop-daemon: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /sbin/supervise-daemon: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /usr/bin/getconf: one or more symbols are missing from the native image executable.
[0003] DEBUG native-image cataloger: error extracting SBOM from /usr/bin/getent: one or more symbols are missing from the native image executable.
[0003] DEBUG native-image cataloger: error extracting SBOM from /usr/bin/iconv: one or more symbols are missing from the native image executable.
[0003] DEBUG native-image cataloger: error extracting SBOM from /usr/bin/scanelf: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /usr/lib/engines-3/afalg.so: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /usr/lib/engines-3/capi.so: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /usr/lib/engines-3/loader_attic.so: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /usr/lib/engines-3/padlock.so: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /usr/lib/libcap.so.2.66: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /usr/lib/libeinfo.so.1: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /usr/lib/libpsx.so.2.66: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /usr/lib/librc.so.1: no symbols found in binary: no symbol section.
[0003] DEBUG native-image cataloger: error extracting SBOM from /usr/lib/ossl-modules/legacy.so: no symbols found in binary: no symbol section.
[0003] DEBUG discovered 0 packages cataloger=graalvm-native-image-cataloger
panic: runtime error: index out of range [0] with length 0
goroutine 85 [running]:
github.com/anchore/syft/syft/pkg/cataloger/apkdb.stripVersionSpecifier(...)
github.com/anchore/syft/syft/pkg/cataloger/apkdb/parse_apk_db.go:356
github.com/anchore/syft/syft/pkg/cataloger/apkdb.discoverPackageDependencies({0x1400049c000, 0x19, 0x14000f9a552?})
github.com/anchore/syft/syft/pkg/cataloger/apkdb/parse_apk_db.go:316 +0x898
github.com/anchore/syft/syft/pkg/cataloger/apkdb.parseApkDB({0x140001a00d0?, 0x140005e63c0?}, 0x140001a0c98, {{{{0x140005e63c0, 0x15}, {0x140000ef270, 0x47}}, {0x14000f6bb30, 0x15}, {0x116, ...}}, ...})
github.com/anchore/syft/syft/pkg/cataloger/apkdb/parse_apk_db.go:101 +0x614
github.com/anchore/syft/syft/pkg/cataloger/generic.(*Cataloger).Catalog(0x1400124ce40, {0x105750850, 0x140001a00d0})
github.com/anchore/syft/syft/pkg/cataloger/generic/cataloger.go:129 +0x6b8
github.com/anchore/syft/syft/pkg/cataloger.runCataloger({0x105747448, 0x1400124ce40}, {0x105750850?, 0x140001a00d0})
github.com/anchore/syft/syft/pkg/cataloger/catalog.go:57 +0x15c
github.com/anchore/syft/syft/pkg/cataloger.Catalog.func1()
github.com/anchore/syft/syft/pkg/cataloger/catalog.go:127 +0xcc
created by github.com/anchore/syft/syft/pkg/cataloger.Catalog
github.com/anchore/syft/syft/pkg/cataloger/catalog.go:122 +0x250
Nirusu changed the title from "Syft panics on APK parsing when Dependencies or Provides is empty" to "Syft panics on APK parsing when Dependencies or Provides holds an empty string" on Jan 19, 2023.
Please provide a set of steps on how to reproduce the issue
Easiest way is to try to attest our container image:
Anything else we need to know?:
This seems to occur when using apko from Chainguard, which a few days ago introduced "apk manipulation" that creates fields for Dependencies and Provides even when there are no entries: https://github.com/chainguard-dev/apko/blob/8cf8e127b1c7174acb3204084ade32a1f1d8e951/pkg/apk/impl/package.go#L35-L36
I will create a PR showing how I would imagine the fix to look and link it here.