
Segmentation violation running trivy image with trivy v0.50.0 #6391

Closed
2 tasks done
nikpivkin opened this issue Mar 26, 2024 Discussed in #6388 · 4 comments · Fixed by #6399
Assignees
Labels
kind/bug Categorizes issue or PR as related to a bug. scan/sbom Issues relating to SBOM

Comments

nikpivkin (Contributor) commented Mar 26, 2024

The problem occurs when analysing `/opt/microsoft/powershell/7-preview/_manifest/spdx_2.2/manifest.spdx.json`.

Discussed in #6388

Originally posted by anstrom March 26, 2024

Description

trivy crashes when scanning certain images with trivy image. The error message is panic: runtime error: invalid memory address or nil pointer dereference. Please see Actual Behavior for the full output.

Desired Behavior

A successful scan of the image

Actual Behavior

Vulnerability scanning is enabled
2024-03-26T09:55:06.954Z        INFO    Secret scanning is enabled
2024-03-26T09:55:06.954Z        INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-03-26T09:55:06.954Z        INFO    Please see also https://aquasecurity.github.io/trivy/v0.50/docs/scanner/secret/#recommendation for faster secret detection
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x4d4d0c1]

goroutine 1746 [running]:
github.com/aquasecurity/trivy/pkg/sbom/core.(*BOM).AddRelationship(0xc001c68000, 0x0, 0x0, {0x7f685a3, 0x8})
        /home/runner/work/trivy/trivy/pkg/sbom/core/bom.go:241 +0x41
github.com/aquasecurity/trivy/pkg/sbom/spdx.(*SPDX).unmarshal(0xc00167e168, 0xc000ad8000)
        /home/runner/work/trivy/trivy/pkg/sbom/spdx/unmarshal.go:92 +0x2b8
github.com/aquasecurity/trivy/pkg/sbom/spdx.(*SPDX).UnmarshalJSON(0xc00167e168, {0xc00725e000, 0x8a841, 0xffe00})
        /home/runner/work/trivy/trivy/pkg/sbom/spdx/unmarshal.go:65 +0x21a
encoding/json.(*decodeState).object(0xc000ad8528, {0x7d7da60?, 0xc00167e168?, 0xc0018311c8?})
        /opt/hostedtoolcache/go/1.21.8/x64/src/encoding/json/decode.go:604 +0x6cc
encoding/json.(*decodeState).value(0xc000ad8528, {0x7d7da60?, 0xc00167e168?, 0xc001831218?})
        /opt/hostedtoolcache/go/1.21.8/x64/src/encoding/json/decode.go:374 +0x3e
encoding/json.(*decodeState).unmarshal(0xc000ad8528, {0x7d7da60?, 0xc00167e168?})
        /opt/hostedtoolcache/go/1.21.8/x64/src/encoding/json/decode.go:181 +0x133
encoding/json.(*Decoder).Decode(0xc000ad8500, {0x7d7da60, 0xc00167e168})
        /opt/hostedtoolcache/go/1.21.8/x64/src/encoding/json/stream.go:73 +0x179
github.com/aquasecurity/trivy/pkg/sbom.Decode({_, _}, {_, _})
        /home/runner/work/trivy/trivy/pkg/sbom/sbom.go:225 +0x645
github.com/aquasecurity/trivy/pkg/fanal/analyzer/sbom.sbomAnalyzer.Analyze({}, {0x79bed40?, 0x0?}, {{0x0, 0x0}, {0xc001354b90, 0x48}, {0x960acb0, 0xc0013882a0}, {0x7f6559cdd6d8, ...}, ...})
        /home/runner/work/trivy/trivy/pkg/fanal/analyzer/sbom/sbom.go:39 +0x118
github.com/aquasecurity/trivy/pkg/fanal/analyzer.AnalyzerGroup.AnalyzeFile.func1({0x9603320, 0xcc8f8a0}, {0x9600850?, 0xc001850c30})
        /home/runner/work/trivy/trivy/pkg/fanal/analyzer/analyzer.go:430 +0x25d
created by github.com/aquasecurity/trivy/pkg/fanal/analyzer.AnalyzerGroup.AnalyzeFile in goroutine 84
        /home/runner/work/trivy/trivy/pkg/fanal/analyzer/analyzer.go:425 +0x525

Reproduction Steps

`docker run aquasec/trivy:0.50.0 image mcr.microsoft.com/powershell:preview`

Target

Container Image

Scanner

None

Output Format

Table

Mode

None

Debug Output

Δ ~ $ docker run aquasec/trivy:0.50.0 image mcr.microsoft.com/powershell:preview --debug
2024-03-26T10:10:42.269Z        DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2024-03-26T10:10:42.270Z        DEBUG   Ignore statuses {"statuses": null}
2024-03-26T10:10:42.287Z        DEBUG   cache dir:  /root/.cache/trivy
2024-03-26T10:10:42.287Z        DEBUG   There is no valid metadata file: unable to open a file: open /root/.cache/trivy/db/metadata.json: no such file or directory
2024-03-26T10:10:42.287Z        INFO    Need to update DB
2024-03-26T10:10:42.287Z        INFO    DB Repository: ghcr.io/aquasecurity/trivy-db:2
2024-03-26T10:10:42.287Z        INFO    Downloading DB...
2024-03-26T10:10:42.287Z        DEBUG   no metadata file
[DB download progress bar output omitted: 44.64 MiB downloaded in 7.4s]
2024-03-26T10:10:50.410Z        DEBUG   Updating database metadata...
2024-03-26T10:10:50.410Z        DEBUG   DB Schema: 2, UpdatedAt: 2024-03-26 06:11:10.197763384 +0000 UTC, NextUpdate: 2024-03-26 12:11:10.197763094 +0000 UTC, DownloadedAt: 2024-03-26 10:10:50.410778688 +0000 UTC
2024-03-26T10:10:50.411Z        INFO    Vulnerability scanning is enabled
2024-03-26T10:10:50.411Z        DEBUG   Vulnerability type:  [os library]
2024-03-26T10:10:50.411Z        INFO    Secret scanning is enabled
2024-03-26T10:10:50.411Z        INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-03-26T10:10:50.411Z        INFO    Please see also https://aquasecurity.github.io/trivy/v0.50/docs/scanner/secret/#recommendation for faster secret detection
2024-03-26T10:10:50.411Z        DEBUG   Enabling misconfiguration scanners: [azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-03-26T10:10:50.579Z        DEBUG   No secret config detected: trivy-secret.yaml
2024-03-26T10:10:50.579Z        DEBUG   The nuget packages directory couldn't be found. License search disabled
2024-03-26T10:10:50.579Z        DEBUG   No secret config detected: trivy-secret.yaml
2024-03-26T10:10:50.653Z        DEBUG   Image ID: sha256:fecb1ada9a830c5fcadb287f07dcadbe4dcad5821b66e17d742bae968a8446f9
2024-03-26T10:10:50.653Z        DEBUG   Diff IDs: [sha256:d101c9453715a978a2a520f553588e77dfb4236762175eba61c5c264a449c75d sha256:41d145cbb71d90e33a9b6c0b07f1dc8aab1297240db00e53f33203e23cab3817]
2024-03-26T10:10:50.653Z        DEBUG   Base Layers: [sha256:d101c9453715a978a2a520f553588e77dfb4236762175eba61c5c264a449c75d]
2024-03-26T10:10:50.662Z        DEBUG   Missing image ID in cache: sha256:fecb1ada9a830c5fcadb287f07dcadbe4dcad5821b66e17d742bae968a8446f9
2024-03-26T10:10:50.662Z        DEBUG   Missing diff ID in cache: sha256:d101c9453715a978a2a520f553588e77dfb4236762175eba61c5c264a449c75d
2024-03-26T10:10:50.662Z        DEBUG   Missing diff ID in cache: sha256:41d145cbb71d90e33a9b6c0b07f1dc8aab1297240db00e53f33203e23cab3817
2024-03-26T10:10:50.747Z        DEBUG   Skipping directory: dev
2024-03-26T10:10:50.751Z        DEBUG   Skipping directory: proc
2024-03-26T10:10:50.751Z        DEBUG   Skipping directory: sys
2024-03-26T10:10:56.162Z        DEBUG   Skipping a component with an unsupported type   {"name": "Microsoft.PowerShell.PSResourceGet", "version": "0.9.0-rc1", "type": "swid"}
2024-03-26T10:10:54.101Z        DEBUG   Skipping a component with an unsupported type   {"name": "Unknown", "version": "0.0.0", "type": "swid"}
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x4d4d0c1]

goroutine 1666 [running]:
github.com/aquasecurity/trivy/pkg/sbom/core.(*BOM).AddRelationship(0xc000a0a780, 0x0, 0x0, {0x7f685a3, 0x8})
        /home/runner/work/trivy/trivy/pkg/sbom/core/bom.go:241 +0x41
github.com/aquasecurity/trivy/pkg/sbom/spdx.(*SPDX).unmarshal(0xc00169d8d8, 0xc000888000)
        /home/runner/work/trivy/trivy/pkg/sbom/spdx/unmarshal.go:92 +0x2b8
github.com/aquasecurity/trivy/pkg/sbom/spdx.(*SPDX).UnmarshalJSON(0xc00169d8d8, {0xc0078a2000, 0x8a841, 0xffe00})
        /home/runner/work/trivy/trivy/pkg/sbom/spdx/unmarshal.go:65 +0x21a
encoding/json.(*decodeState).object(0xc0007122a8, {0x7d7da60?, 0xc00169d8d8?, 0xc000e5d1c8?})
        /opt/hostedtoolcache/go/1.21.8/x64/src/encoding/json/decode.go:604 +0x6cc
encoding/json.(*decodeState).value(0xc0007122a8, {0x7d7da60?, 0xc00169d8d8?, 0xc000e5d218?})
        /opt/hostedtoolcache/go/1.21.8/x64/src/encoding/json/decode.go:374 +0x3e
encoding/json.(*decodeState).unmarshal(0xc0007122a8, {0x7d7da60?, 0xc00169d8d8?})
        /opt/hostedtoolcache/go/1.21.8/x64/src/encoding/json/decode.go:181 +0x133
encoding/json.(*Decoder).Decode(0xc000712280, {0x7d7da60, 0xc00169d8d8})
        /opt/hostedtoolcache/go/1.21.8/x64/src/encoding/json/stream.go:73 +0x179
github.com/aquasecurity/trivy/pkg/sbom.Decode({_, _}, {_, _})
        /home/runner/work/trivy/trivy/pkg/sbom/sbom.go:225 +0x645
github.com/aquasecurity/trivy/pkg/fanal/analyzer/sbom.sbomAnalyzer.Analyze({}, {0x79bed40?, 0x0?}, {{0x0, 0x0}, {0xc003604050, 0x48}, {0x960acb0, 0xc000259500}, {0x7f9acd0511b8, ...}, ...})
        /home/runner/work/trivy/trivy/pkg/fanal/analyzer/sbom/sbom.go:39 +0x118
github.com/aquasecurity/trivy/pkg/fanal/analyzer.AnalyzerGroup.AnalyzeFile.func1({0x9603320, 0xcc8f8a0}, {0x9600850?, 0xc002f88050})
        /home/runner/work/trivy/trivy/pkg/fanal/analyzer/analyzer.go:430 +0x25d
created by github.com/aquasecurity/trivy/pkg/fanal/analyzer.AnalyzerGroup.AnalyzeFile in goroutine 118
        /home/runner/work/trivy/trivy/pkg/fanal/analyzer/analyzer.go:425 +0x525

Operating System

Ubuntu 22.04.4 LTS (container)

Version

Version: 0.50.0

Checklist

@nikpivkin nikpivkin added kind/bug Categorizes issue or PR as related to a bug. scan/sbom Issues relating to SBOM labels Mar 26, 2024
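The trace above shows `AddRelationship` receiving two nil component pointers (the `0x0, 0x0` arguments) while unmarshalling SPDX, right after components of the unsupported `swid` type were skipped. As an added illustration, not trivy's own code, here is a minimal decoder in the same shape that refuses to dereference a nil endpoint: a relationship pointing at a skipped or non-existent SPDXID is counted and dropped instead of crashing the scan. The struct fields, the `type` marker and the sample document are constructed assumptions.

```go
package main

import "encoding/json"

// Constructed stand-ins for the SPDX fields involved; trivy's real types differ.
type spdxDoc struct {
	Packages []struct {
		SPDXID, Name, Type string // Type is a constructed marker for the component type
	} `json:"packages"`
	Relationships []struct {
		SpdxElementId, RelatedSpdxElement, RelationshipType string
	} `json:"relationships"`
}
type Component struct{ Name string }
type BOM struct{ Relationships int }

// AddRelationship reports false for a nil endpoint instead of dereferencing it.
func (b *BOM) AddRelationship(parent, child *Component, relType string) bool {
	if parent == nil || child == nil {
		return false
	}
	b.Relationships++
	return true
}

// DecodeSPDX skips unsupported component types, then counts and drops relationships whose endpoint is unregistered.
func DecodeSPDX(data []byte) (bom *BOM, skipped int, err error) {
	var doc spdxDoc
	if err = json.Unmarshal(data, &doc); err != nil {
		return nil, 0, err
	}
	comps := map[string]*Component{}
	for _, p := range doc.Packages {
		if p.Type != "swid" { // "swid" is unsupported, as in the debug log above
			comps[p.SPDXID] = &Component{Name: p.Name}
		}
	}
	bom = &BOM{}
	for _, r := range doc.Relationships { // lookups of unknown SPDXIDs yield nil
		if !bom.AddRelationship(comps[r.SpdxElementId], comps[r.RelatedSpdxElement], r.RelationshipType) {
			skipped++
		}
	}
	return bom, skipped, nil
}
// Sample is a constructed document: one valid edge, one to the skipped swid package, one to a missing SPDXID.
const Sample = `{"packages":[{"SPDXID":"SPDXRef-a","name":"powershell","type":"library"},
{"SPDXID":"SPDXRef-b","name":"Microsoft.PowerShell.PSResourceGet","type":"swid"},{"SPDXID":"SPDXRef-c","name":"System.Text.Json","type":"library"}],
"relationships":[{"spdxElementId":"SPDXRef-a","relatedSpdxElement":"SPDXRef-c","relationshipType":"DEPENDS_ON"},
{"spdxElementId":"SPDXRef-a","relatedSpdxElement":"SPDXRef-b","relationshipType":"DEPENDS_ON"},{"spdxElementId":"SPDXRef-a","relatedSpdxElement":"SPDXRef-missing","relationshipType":"DEPENDS_ON"}]}`
```

Running `DecodeSPDX([]byte(Sample))` keeps the one valid edge and reports two skipped relationships, whereas passing the nil lookups straight through would reproduce the panic in the trace.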
tallandtree commented

We have the same issue.

@DmitriyLewen DmitriyLewen self-assigned this Mar 26, 2024

datadot commented Mar 26, 2024

Agreed - seems to be related to the microsoft .net container images

Donatien26 commented

Hi!
I think it is not only microsoft .net container images. We are facing the same problem with public.ecr.aws/docker/library/redis:7.0.15-alpine.
I tried to launch the same command but with aquasec/trivy:0.49.1 it works fine :)


weisinc commented Mar 26, 2024

I am facing the same problem with k8s. 6398
