
pUrl parsing causing crash when locator has invalid value #214

Closed
CrossedSecurity opened this issue May 16, 2023 · 2 comments

Comments

@CrossedSecurity

This bug is probably somewhere in github.com/package-url/packageurl-go@v0.1.1-0.20220428063043-89078438f170/packageurl.go

When an SPDX doc contains a package with an external ref that has a locator of literally "pkg:type/namespace/name@version?qualifiers#subpath", the program will crash.

input:

...
      {
         "SPDXID":"SPDXRef-Package--",
         "name":"",
         "filesAnalyzed":false,
         "licenseDeclared":"NOASSERTION",
         "licenseConcluded":"NOASSERTION",
         "downloadLocation":"https://",
         "copyrightText":"NOASSERTION",
         "externalRefs":[
            {
               "referenceCategory":"PACKAGE_MANAGER",
               "referenceLocator":"pkg:type/namespace/name@version?qualifiers#subpath",
               "referenceType":"purl"
            }
         ]
      }
...

output:

panic: runtime error: index out of range [1] with length 1 [recovered]
        panic: runtime error: index out of range [1] with length 1
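As an added example (not code from this issue, from the SPDX tooling it concerns, or from packageurl-go), here is a defensive purl check in Go that a consumer of SPDX documents could run over every `purl` externalRef before the locator reaches a third-party parser. `ParsePURL` never reads past the end of a split, so the literal placeholder locator from the report above becomes an error rather than a panic: a qualifier string with no `=` is exactly the kind of input that splits into one element, which is consistent with the "index out of range [1] with length 1" in the output. `GuardParse` shows the other mitigation, confining a panic from any parser you do not control to an error for that one locator. All function names, the `SampleSPDX` fragment and the `pkg:npm/...` locators in the tests are constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// PackageURL holds the components of a parsed purl (still percent-encoded).
type PackageURL struct {
	Type, Namespace, Name, Version, Subpath string
	Qualifiers                              map[string]string
}

// ParsePURL splits a purl into its components without ever indexing past the end
// of a split, so malformed input becomes an error instead of a panic (decoding is left to the caller).
func ParsePURL(s string) (*PackageURL, error) {
	if !strings.HasPrefix(s, "pkg:") {
		return nil, fmt.Errorf("purl: %q lacks the pkg: scheme", s)
	}
	p := &PackageURL{Qualifiers: map[string]string{}}
	rest, subpath, _ := strings.Cut(strings.TrimLeft(s[4:], "/"), "#") // subpath follows the first '#'
	p.Subpath = strings.Trim(subpath, "/")
	rest, query, _ := strings.Cut(rest, "?") // qualifiers follow the first '?'
	for _, pair := range strings.FieldsFunc(query, func(r rune) bool { return r == '&' }) {
		// A bare word like "qualifiers" has no '='; reject it instead of assuming a value exists.
		k, v, ok := strings.Cut(pair, "=")
		if !ok || k == "" {
			return nil, fmt.Errorf("purl: qualifier %q is not key=value", pair)
		}
		p.Qualifiers[strings.ToLower(k)] = v
	}
	if i := strings.LastIndexByte(rest, '@'); i >= 0 { // version follows the last '@'
		p.Version, rest = rest[i+1:], rest[:i]
	}
	typ, rest, hasSep := strings.Cut(rest, "/") // type is the first segment, name the last
	p.Type, rest = strings.ToLower(typ), strings.Trim(rest, "/")
	p.Name = rest
	if j := strings.LastIndexByte(rest, '/'); j >= 0 {
		p.Namespace, p.Name = rest[:j], rest[j+1:]
	}
	if !hasSep || p.Type == "" || p.Name == "" {
		return nil, fmt.Errorf("purl: %q lacks a type or name", s)
	}
	return p, nil
}

// GuardParse runs any parser, including one you cannot change, and turns a panic into an error.
func GuardParse(parse func(string) (*PackageURL, error), s string) (p *PackageURL, err error) {
	defer func() {
		if r := recover(); r != nil {
			p, err = nil, fmt.Errorf("purl: parser panicked on %q: %v", s, r)
		}
	}()
	return parse(s)
}

// InvalidPURLRefs returns every purl externalRef that ParsePURL rejects, keyed by
// locator, so a document can be vetted before a parsing library you cannot fix sees it.
func InvalidPURLRefs(doc []byte) (map[string]string, error) {
	var d struct { // encoding/json matches keys to field names case-insensitively
		Packages []struct {
			SPDXID       string
			ExternalRefs []struct{ ReferenceType, ReferenceLocator string }
		}
	}
	if err := json.Unmarshal(doc, &d); err != nil {
		return nil, err
	}
	bad := map[string]string{}
	for _, pkg := range d.Packages {
		for _, ref := range pkg.ExternalRefs {
			if ref.ReferenceType != "purl" {
				continue
			}
			if _, err := ParsePURL(ref.ReferenceLocator); err != nil {
				bad[ref.ReferenceLocator] = pkg.SPDXID + ": " + err.Error()
			}
		}
	}
	return bad, nil
}

// SampleSPDX is a constructed fragment: the placeholder locator from the report next to a well-formed purl.
const SampleSPDX = `{"packages":[
 {"SPDXID":"SPDXRef-Package--","externalRefs":[{"referenceCategory":"PACKAGE_MANAGER","referenceType":"purl",
  "referenceLocator":"pkg:type/namespace/name@version?qualifiers#subpath"}]},
 {"SPDXID":"SPDXRef-Package-ok","externalRefs":[{"referenceCategory":"PACKAGE_MANAGER","referenceType":"purl",
  "referenceLocator":"pkg:golang/github.com/package-url/packageurl-go@v0.1.1"}]}]}`

func main() {
	bad, err := InvalidPURLRefs([]byte(SampleSPDX))
	if err != nil {
		panic(err)
	}
	for loc, why := range bad {
		fmt.Printf("rejected %s (%s)\n", loc, why)
	}
}
```

Running it rejects only the `SPDXRef-Package--` locator; the well-formed golang purl passes. The parser is deliberately strict about qualifiers (every pair must be `key=value`) because that is where a length-one split would otherwise be indexed, and it leaves percent-decoding to the caller so the validation step has no second place to fail.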
@lumjjb
Collaborator

lumjjb commented May 23, 2023

hmm... there isn't github.com/package-url/packageurl-go in use in this package, so it looks like we have no control over the code that does the panic.

However, we do have control over validation of the PURLs, which should be done as part of #194.

If this is the case, I think we can close this issue with a mention of #194.

@lumjjb
Collaborator

lumjjb commented Jul 24, 2023

Closing this since it seems like it is not caused by an issue in the library.

@lumjjb lumjjb closed this as completed Jul 24, 2023