Missing files causing segmentation violation #6381

Closed
terrymunro opened this issue May 13, 2023 · 3 comments · Fixed by #6452
Labels: bug (Something isn't working), community (Community contribution)


terrymunro commented May 13, 2023

This might be related to: #5512

Similar to the above issue, when having a symbolic link to a file that is either missing or referencing a file outside of the docker context, kics will panic right after running into the missing file.

7:00AM ERR failed to get file info: stat /src/modules/storage_account/.terraform/providers/registry.terraform.io/hashicorp/azurerm/3.56.0/linux_amd64: no such file or directory
panic: runtime error: invalid memory address or nil pointer dereference

In this case, it's because I've terraform init'd on my machine, with terraform plugin_cache_dir configured so the binaries are symlinked to ~/.cache/terraform/... but I'm running kics in docker and bind-mounting the terraform directories.

I am able to make it work by mounting nothing over the top of all the directories that contain the symlinks, which is why I believe the missing files are related to the problem.

Example:

docker run --rm --tty --pull always \
    --volume $(pwd):/src \
    --volume /src/.trunk \
    --volume /src/modules/key_vault/.terraform \
    --volume /src/modules/virtual_network/.terraform \
    --volume /src/modules/storage_account/.terraform \
    --volume /src/workspaces/foo/.terraform \
    --volume /src/workspaces/bar/.terraform \
    checkmarx/kics:latest scan \
    --config /src/kics-config.yaml

Full log:

latest: Pulling from checkmarx/kics
Digest: sha256:3a5d93323e1aa4831a7d72617bb9db489522f8219eee737709d2c2ae30fa849c
Status: Image is up to date for checkmarx/kics:latest
6:59AM INF Scanning with Keeping Infrastructure as Code Secure v1.7.1
6:59AM INF Operating system: linux
6:59AM INF Total memory: 62.6G
6:59AM INF CPU: 32.0
7:00AM INF Total files in the project: 1112
7:00AM INF .gitignore file was found in '/src' and it will be used to automatically exclude paths
7:00AM ERR failed to get file info: stat /src/modules/storage_account/.terraform/providers/registry.terraform.io/hashicorp/azurerm/3.56.0/linux_amd64: no such file or directory
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x18 pc=0x2218207]

goroutine 1 [running]:
github.com/Checkmarx/kics/pkg/analyzer.isConfigFile({0xc0000d8d20, 0x6c}, {0x42cbed0, 0x1, 0x0?})
	/app/pkg/analyzer/analyzer.go:602 +0x107
github.com/Checkmarx/kics/pkg/analyzer.Analyze.func1({0xc0000d8d20, 0x6c}, {0xc0009ff6c0?, 0x0?}, {0x0?, 0x0?})
	/app/pkg/analyzer/analyzer.go:285 +0x257
path/filepath.walk({0xc0000d8d20, 0x6c}, {0x2e32860, 0xc0009ff6c0}, 0xc00151f568)
	/usr/local/go/src/path/filepath/path.go:480 +0x116
path/filepath.walk({0xc000da6960, 0x60}, {0x2e32860, 0xc0009ff520}, 0xc00151f568)
	/usr/local/go/src/path/filepath/path.go:504 +0x26f
path/filepath.walk({0xc000da6780, 0x59}, {0x2e32860, 0xc0009ff2b0}, 0xc00151f568)
	/usr/local/go/src/path/filepath/path.go:504 +0x26f
path/filepath.walk({0xc000da65a0, 0x51}, {0x2e32860, 0xc0009ff040}, 0xc00151f568)
	/usr/local/go/src/path/filepath/path.go:504 +0x26f
path/filepath.walk({0xc0010f0320, 0x47}, {0x2e32860, 0xc0009feea0}, 0xc00151f568)
	/usr/local/go/src/path/filepath/path.go:504 +0x26f
path/filepath.walk({0xc0007f7ac0, 0x31}, {0x2e32860, 0xc0009fec30}, 0xc00151f568)
	/usr/local/go/src/path/filepath/path.go:504 +0x26f
path/filepath.walk({0xc000023320, 0x27}, {0x2e32860, 0xc0009fea90}, 0xc00151f568)
	/usr/local/go/src/path/filepath/path.go:504 +0x26f
path/filepath.walk({0xc000c3e7c0, 0x1c}, {0x2e32860, 0xc0009fe820}, 0xc00151f568)
	/usr/local/go/src/path/filepath/path.go:504 +0x26f
path/filepath.walk({0xc000c44c70, 0xc}, {0x2e32860, 0xc00098c8f0}, 0xc00151f568)
	/usr/local/go/src/path/filepath/path.go:504 +0x26f
path/filepath.walk({0xc000d20488, 0x4}, {0x2e32860, 0xc000ebcdd0}, 0xc00151f568)
	/usr/local/go/src/path/filepath/path.go:504 +0x26f
path/filepath.Walk({0xc000d20488, 0x4}, 0xc0012bf568)
	/usr/local/go/src/path/filepath/path.go:571 +0x6c
github.com/Checkmarx/kics/pkg/analyzer.Analyze(0xc00151f8a8)
	/app/pkg/analyzer/analyzer.go:273 +0x2e5
github.com/Checkmarx/kics/pkg/scan.analyzePaths(0xc00151f8a8)
	/app/pkg/scan/utils.go:185 +0x97
github.com/Checkmarx/kics/pkg/scan.(*Client).prepareAndAnalyzePaths(0xc0008413b0, {0x2e2b140, 0xc000058030})
	/app/pkg/scan/utils.go:62 +0x46f
github.com/Checkmarx/kics/pkg/scan.(*Client).initScan(0xc0008413b0, {0x2e2b140, 0xc000058030})
	/app/pkg/scan/scan.go:47 +0x10b
github.com/Checkmarx/kics/pkg/scan.(*Client).executeScan(0xc0008413b0, {0x2e2b140, 0xc000058030})
	/app/pkg/scan/scan.go:125 +0x45
github.com/Checkmarx/kics/pkg/scan.(*Client).PerformScan(0xc0008413b0, {0x2e2b140, 0xc000058030})
	/app/pkg/scan/client.go:86 +0x6c
github.com/Checkmarx/kics/internal/console.executeScan(0x27e0000?)
	/app/internal/console/scan.go:163 +0x111
github.com/Checkmarx/kics/internal/console.run(0x0?)
	/app/internal/console/scan.go:98 +0x1fe
github.com/Checkmarx/kics/internal/console.NewScanCmd.func2(0xc000986000?, {0x27cb6ef?, 0x5?, 0x5?})
	/app/internal/console/scan.go:43 +0x19
github.com/spf13/cobra.(*Command).execute(0xc000986000, {0xc0007a42d0, 0x5, 0x5})
	/go/pkg/mod/github.com/spf13/[email protected]/command.go:916 +0x862
github.com/spf13/cobra.(*Command).ExecuteC(0xc000005b00)
	/go/pkg/mod/github.com/spf13/[email protected]/command.go:1044 +0x3bd
github.com/spf13/cobra.(*Command).Execute(...)
	/go/pkg/mod/github.com/spf13/[email protected]/command.go:968
github.com/spf13/cobra.(*Command).ExecuteContext(...)
	/go/pkg/mod/github.com/spf13/[email protected]/command.go:961
github.com/Checkmarx/kics/internal/console.Execute()
	/app/internal/console/kics.go:90 +0xae
main.main()
	/app/cmd/console/main.go:12 +0x19
@terrymunro terrymunro added bug Something isn't working community Community contribution labels May 13, 2023

agmond commented May 18, 2023

I got the same error (multiple times) on v1.7.1.
Note that I didn't see such errors on v1.7.0.

@cx-henriqueAlvelos
Contributor

Hi @terrymunro.
Could you give a sample code for this issue? You can send it to [email protected] instead of sharing here.

Best regards,
Henrique Alvelos

Author

terrymunro commented Jun 15, 2023

Sure here you go:

touch example_file

mkdir kics-repo
cd kics-repo

ln -s ../example_file .

docker run -tv $(pwd):/src checkmarx/kics:latest scan -p /src

It has nothing to do with the code, it's just about having a dead symlink in the scan path.

So even this would reproduce it:

ln -s nonexistant_file for_example

docker run -tv $(pwd):/src checkmarx/kics:latest scan -p /src

The reason I gave the first example though, is because this seems like a pretty common situation, having symlinks to things outside the docker context. They aren't relevant to the scan, so they shouldn't be able to break it.

Like @agmond mentioned though, if I use 1.7.0 for example:

docker run -tv $(pwd):/src checkmarx/kics:1.7.0 scan -p /src

This works fine.

Oh and I should add that this:

7:00AM INF .gitignore file was found in '/src' and it will be used to automatically exclude paths

Doesn't help this particular problem, even if it's in .gitignore, it will still crash kics.
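The failure mode in this thread (a failed stat on a dead symlink followed by a nil pointer dereference inside a `filepath.Walk` callback), shown as an added example with the defensive handling; this is not code from KICS or from any participant, and `scanTree` and `demo` are hypothetical names. The tree it scans is constructed to match the second reproduction above.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// scanTree returns the regular files under root and the entries it skipped.
// filepath.Walk uses Lstat, so a dead symlink arrives with a valid info and a
// nil error; only the follow-up os.Stat on it fails.
func scanTree(root string) (files, skipped []string, err error) {
	err = filepath.Walk(root, func(path string, info fs.FileInfo, walkErr error) error {
		if walkErr != nil || info == nil {
			skipped = append(skipped, path) // unreadable entry: note it, keep walking
			return nil
		}
		if info.Mode()&fs.ModeSymlink != 0 {
			target, statErr := os.Stat(path) // follows the link
			if statErr != nil {
				// Dead link or target outside the mount: target is nil, stop here.
				skipped = append(skipped, path)
				return nil
			}
			info = target
		}
		if info.Mode().IsRegular() {
			files = append(files, path)
		}
		return nil
	})
	return files, skipped, err
}

// demo builds a constructed tree (one real file, one dead symlink) and scans it.
func demo() (files, skipped []string, err error) {
	dir, err := os.MkdirTemp("", "deadlink")
	if err != nil {
		return nil, nil, err
	}
	defer os.RemoveAll(dir)
	if err = os.WriteFile(filepath.Join(dir, "main.tf"), []byte("# constructed\n"), 0o600); err != nil {
		return nil, nil, err
	}
	if err = os.Symlink("nonexistant_file", filepath.Join(dir, "for_example")); err != nil {
		return nil, nil, err
	}
	return scanTree(dir)
}
func main() { fmt.Println(demo()) }
```

Logging the stat error and then continuing to use the returned `FileInfo` is what turns a skippable entry into a crash; returning from the callback right after the error keeps the scan going.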
