segmentation fault when scanning a CycloneDX bom.json without dependencies

[manolo]

When having a bom.json file generated from a maven project without dependencies, osv-scanner fails.

Tested with osv-scanner version 1.2 and 1.3

How to reproduce

1. save the following pom.xml in an empty folder

<project xmlns="http://maven.apache.org/POM/4.0.0"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <groupId>text</groupId>
    <artifactId>test</artifactId>
    <packaging>jar</packaging>
    <version>1.0</version>
    <dependencies>
    </dependencies>
</project>

2. Generate CycloneDX SBOM file

mvn -ntp -B org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom

3. run osv-scanner

osv-scanner --sbom target/bom.json

4. you can see the following error

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x7d7817]

goroutine 1 [running]:
github.com/google/osv-scanner/internal/sbom.(*CycloneDX).enumeratePackages(0xc000128758?, 0x30?, 0xc0001b6c00)
	/home/runner/go/pkg/mod/github.com/google/[email protected]/internal/sbom/cyclonedx.go:25 +0x37
github.com/google/osv-scanner/internal/sbom.(*CycloneDX).GetPackages(0xc00017e5e8?, {0xb8c5c8?, 0xc000128758}, 0x5?)
	/home/runner/go/pkg/mod/github.com/google/[email protected]/internal/sbom/cyclonedx.go:50 +0x217
github.com/google/osv-scanner/pkg/osvscanner.scanSBOMFile(0xc0001ce700, 0xc000122b40, {0xc00017e5a0, 0x50})
	/home/runner/go/pkg/mod/github.com/google/[email protected]/pkg/osvscanner/osvscanner.go:235 +0x246
github.com/google/osv-scanner/pkg/osvscanner.DoScan({{0x0, 0x0, 0x0}, {0xc0001af7f0, 0x1, 0x1}, {0xf76918, 0x0, 0x0}, {0x0, ...}, ...}, ...)
	/home/runner/go/pkg/mod/github.com/google/[email protected]/pkg/osvscanner/osvscanner.go:424 +0x4a5
main.run.func3(0xc0001ce180)
	/home/runner/go/pkg/mod/github.com/google/[email protected]/cmd/osv-scanner/main.go:108 +0x458
github.com/urfave/cli/v2.(*Command).Run(0xc000192420, 0xc0001ce180, {0xc00011a150, 0x3, 0x3})
	/home/runner/go/pkg/mod/github.com/urfave/cli/[email protected]/command.go:273 +0x9eb
github.com/urfave/cli/v2.(*App).RunContext(0xc000210000, {0xb8dcb8?, 0xc00012e028}, {0xc00011a150, 0x3, 0x3})
	/home/runner/go/pkg/mod/github.com/urfave/cli/[email protected]/app.go:332 +0x616
github.com/urfave/cli/v2.(*App).Run(...)
	/home/runner/go/pkg/mod/github.com/urfave/cli/[email protected]/app.go:309
main.run({0xc00011a150, 0x3, 0x3}, {0xb89d00?, 0xc000128008}, {0xb89d00?, 0xc000128010})
	/home/runner/go/pkg/mod/github.com/google/[email protected]/cmd/osv-scanner/main.go:127 +0x9b8
main.main()
	/home/runner/go/pkg/mod/github.com/google/[email protected]/cmd/osv-scanner/main.go:153 +0x46

[oliverchang]

Thank you for reporting! @michaelkedar can you please take a look tomorrow?

[oliverchang]

This should be fixed in 1.3.1 which should be released shortly.