Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

bug(npm): runtime: out of memory #6854

Closed
2 tasks done
nikpivkin opened this issue Jun 4, 2024 Discussed in #6853 · 7 comments · Fixed by #6858
Closed
2 tasks done

bug(npm): runtime: out of memory #6854

nikpivkin opened this issue Jun 4, 2024 Discussed in #6853 · 7 comments · Fixed by #6858
Assignees
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

@nikpivkin
Copy link
Contributor

Discussed in #6853

Originally posted by gobardhan June 4, 2024

Description

For a npm project with following configuration of workspace inside package.json Trivy not able to perform the scan for any scanners.
"workspaces": [ "./" ]

After debugging it I found that it's due the below code inside package-lock.json
"node_modules/@ffdev/bryntum-components": { "resolved": "", "link": true },
It's started working fine if I remove the above part of code from package-lock.json.

Desired Behavior

Trivy should able to scan the repository with such kind of configuration for package.json & package-lock.json without throwing any error.

Actual Behavior

Trvivy scan throw's fatal error: runtime: out of memory. Command trivy fs .
And running trivy in debug mode hang-up my system and in last killed by system. Command trvy fs . -d
Screenshot from 2024-06-04 16-04-46

Reproduction Steps

1. For any npm project inside the package.json file define workspace like ` "workspaces": ["./"] `
2. Do npm install
3. Execute trivy scanning by command `trivy fs .` OR `trivy fs . -d`

Target

Filesystem

Scanner

None

Output Format

None

Mode

Standalone

Debug Output

trivy fs .
2024/06/04 15:58:56 INFO Loaded file_path=trivy.yaml
2024-06-04T15:58:56+05:30       INFO    Vulnerability scanning is enabled
2024-06-04T15:58:56+05:30       INFO    [npm] To collect the license information of packages, "npm install" needs to be performed beforehand dir="node_modules"
fatal error: runtime: out of memory

runtime stack:
runtime.throw({0x8423caf?, 0x2037cb?})
        /opt/hostedtoolcache/go/1.22.3/x64/src/runtime/panic.go:1023 +0x5c fp=0xc000613e10 sp=0xc000613de0 pc=0x43e67c
runtime.sysMapOS(0xc279000000, 0x1cacc00000)
        /opt/hostedtoolcache/go/1.22.3/x64/src/runtime/mem_linux.go:167 +0x11b fp=0xc000613e50 sp=0xc000613e10 pc=0x41c5bb
runtime.sysMap(0xc279000000, 0x1cacc00000, 0xd5ecaa8?)
.
.
.

Operating System

Ubuntu 22.04.4 LTS

Version

Version: 0.51.2
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-06-04 06:11:34.940587192 +0000 UTC
  NextUpdate: 2024-06-04 12:11:34.940586981 +0000 UTC
  DownloadedAt: 2024-06-04 08:58:30.997724006 +0000 UTC
Check Bundle:
  Digest: sha256:274208f3b043e73d2f1e5d9baed30d77c33bb164b8f2e580020e9c5931c71df4
  DownloadedAt: 2024-06-03 09:58:55.819249061 +0000 UTC

Checklist

@nikpivkin nikpivkin added the kind/bug Categorizes issue or PR as related to a bug. label Jun 4, 2024
@DmitriyLewen DmitriyLewen self-assigned this Jun 5, 2024
@DmitriyLewen
Copy link
Contributor

Hello @gobardhan
Thanks for your report!

I investigated your package-lock.json file. It seems that file incorrect:

    "node_modules/test": {
      "resolved": "",
      "link": true
    },

Link doesn't have resolved field.

Can you write steps to reproduce this case?

Regards, Dmitriy

@gobardhan
Copy link

Hi @DmitriyLewen
You can follow this step for any npm project

  1. Inside the package.json add a new line to define workspace like "workspaces": ["./"]
  2. Do npm Install (It will add "node_modules/pkg_name": {"resolved": "", "link": true} )
  3. Run trivy fs .

@DmitriyLewen
Copy link
Contributor

DmitriyLewen commented Jun 5, 2024

@gobardhan I can't reproduce this case:

root@a8ac21a6d13a:/app2# ls -hl function/
total 4.0K
-rw-r--r-- 1 root root 204 Jun  5 07:15 package.json

root@a8ac21a6d13a:/app2# cat package.json 
{
  "name": "app2",
  "version": "1.0.0",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "keywords": [],
  "author": "",
  "license": "ISC",
  "description": "",
  "workspaces": ["./"]
}
root@a8ac21a6d13a:/app2# npm install

up to date, audited 1 package in 308ms

found 0 vulnerabilities
root@a8ac21a6d13a:/app2# cat package-lock.json 
{
  "name": "app2",
  "version": "1.0.0",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "app2",
      "version": "1.0.0",
      "license": "ISC",
      "workspaces": [
        "./"
      ]
    }
  }
}

npm adds dependency from function/package.json only for "workspaces": ["./function"]

or ./*:

root@a8ac21a6d13a:/app2# cat package-lock.json 
{
  "name": "app2",
  "version": "1.0.0",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "app2",
      "version": "1.0.0",
      "license": "ISC",
      "workspaces": [
        "./*"
      ]
    },
    "function": {
      "version": "1.0.0",
      "license": "ISC"
    },
    "node_modules/function": {
      "resolved": "function",
      "link": true
    }
  }
}

@gobardhan
Copy link

I tried with your package.json and I am able to reproduce it Indeed.
It might be due to the different node version, I am using v18.15.0.
I have attached a screenshot for the same.
Screenshot from 2024-06-05 13-27-55

@DmitriyLewen
Copy link
Contributor

Can you post your test directory structure?
Does the directory contain a subproject?

@gobardhan
Copy link

gobardhan commented Jun 5, 2024

Test project doesn't contain any subproject, You can check at here as well: https://github.com/gobardhan/test
image

@DmitriyLewen
Copy link
Contributor

This looks like a bug in npm
npm creates link without package.

anyway I created #6858 to fix the out of memory error.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
kind/bug Categorizes issue or PR as related to a bug.
Projects
None yet
3 participants