grype cannot handle empty sboms, results in SIGSEGV #693

Closed
ForceFaction opened this issue Mar 24, 2022 · 1 comment · Fixed by #695
Labels
bug Something isn't working

Comments

@ForceFaction

What happened:

mfg@OptiPlex-7020 [10:21:12] [~/grype/test/cli/test-fixtures]
-> % touch sbom-empty.json
mfg@OptiPlex-7020 [10:21:20] [~/grype/test/cli/test-fixtures]
-> % grype sbom:sbom-empty.json
 ⠋ Vulnerability DB        [checking for update]
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x8 pc=0xbc0329]

goroutine 27 [running]:
github.com/anchore/syft/internal/formats/common/spdxhelpers.findLinuxReleaseByPURL(0x0)
	/Users/runner/go/pkg/mod/github.com/anchore/syft@v0.39.3/internal/formats/common/spdxhelpers/to_syft_model.go:41 +0x29
github.com/anchore/syft/internal/formats/common/spdxhelpers.ToSyftModel(0x159e160)
	/Users/runner/go/pkg/mod/github.com/anchore/syft@v0.39.3/internal/formats/common/spdxhelpers/to_syft_model.go:27 +0xa5
github.com/anchore/syft/internal/formats/spdx22tagvalue.decoder({0x159e160, 0xc00047cab0})
	/Users/runner/go/pkg/mod/github.com/anchore/syft@v0.39.3/internal/formats/spdx22tagvalue/decoder.go:19 +0x75
github.com/anchore/syft/internal/formats/spdx22tagvalue.validator({0x159e160, 0xc00047cab0})
	/Users/runner/go/pkg/mod/github.com/anchore/syft@v0.39.3/internal/formats/spdx22tagvalue/validator.go:8 +0x25
github.com/anchore/syft/syft/format.Format.Validate(...)
	/Users/runner/go/pkg/mod/github.com/anchore/syft@v0.39.3/syft/format/format.go:51
github.com/anchore/syft/internal/formats.Identify({0xc00033a400, 0x0, 0x200})
	/Users/runner/go/pkg/mod/github.com/anchore/syft@v0.39.3/internal/formats/formats.go:31 +0x14e
github.com/anchore/syft/syft.Decode({0x15a2440, 0xc0000be118})
	/Users/runner/go/pkg/mod/github.com/anchore/syft@v0.39.3/syft/encode_decode.go:37 +0xb1
github.com/anchore/grype/grype/pkg.syftSBOMProvider({0x7ffffe440bbb, 0x6b8b05})
	/Users/runner/work/grype/grype/grype/pkg/syft_sbom_provider.go:27 +0x33
github.com/anchore/grype/grype/pkg.Provide({0x7ffffe440bbb, 0x14}, {0xc00058a2a0, {0x1fb1e18, 0x0, 0x0}, {{0x1, 0x0, {0x12b18c6, 0x8}}}})
	/Users/runner/work/grype/grype/grype/pkg/provider.go:16 +0x3b
github.com/anchore/grype/cmd.startWorker.func1.2()
	/Users/runner/work/grype/grype/cmd/root.go:268 +0x225
created by github.com/anchore/grype/cmd.startWorker.func1
	/Users/runner/work/grype/grype/cmd/root.go:260 +0x686

What you expected to happen:
No SIGSEGV. A message telling me that the sbom file is empty would be helpful.

How to reproduce it (as minimally and precisely as possible):

touch sbom-empty.json
grype sbom:sbom-empty.json

Anything else we need to know?:

Environment:

  • Output of grype version: d8e1c37
  • OS (e.g: cat /etc/os-release or similar): Ubuntu 21.10
@ForceFaction ForceFaction added the bug Something isn't working label Mar 24, 2022
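The trace above shows the shape of the bug: `findLinuxReleaseByPURL(0x0)` is called with a nil document because the tag-value decoder, fed zero bytes, produced no document and no error, and the next frame dereferenced the result. The program below is an added illustration written for this page, not grype or syft code; `Document`, `decodeTagValue`, `DecodeSBOM` and the two `findLinuxReleaseByPURL` variants are hypothetical stand-ins with a toy SPDX tag-value parser, and the SBOM text in `main` is constructed. It shows the unsafe decode-then-dereference path panicking on an empty reader, beside a hardened entry point that rejects empty input with the descriptive error the reporter asked for and treats a nil decode result as a format error.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"io"
	"strings"
)

// ErrEmptySBOM is what the reporter asked for instead of a SIGSEGV: a plain
// error when the input has no bytes at all (a file created with `touch`).
var ErrEmptySBOM = errors.New("sbom input is empty")

// Document is a hypothetical, minimal stand-in for a decoded SPDX document:
// the version tag plus the purls found in ExternalRef lines.
type Document struct {
	Version string
	PURLs   []string
}

// decodeTagValue is a toy SPDX tag-value decoder. Like the decoder in the
// trace, it yields a nil *Document when no SPDXVersion tag is seen, with no
// error to tell the caller; that nil is what the next frame dereferences.
func decodeTagValue(r io.Reader) *Document {
	var doc *Document
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		kv := strings.SplitN(sc.Text(), ":", 2)
		if len(kv) != 2 {
			continue
		}
		tag, val := strings.TrimSpace(kv[0]), strings.TrimSpace(kv[1])
		switch {
		case tag == "SPDXVersion":
			doc = &Document{Version: val}
		case tag == "ExternalRef" && doc != nil:
			// e.g. "PACKAGE-MANAGER purl pkg:deb/debian/bash@5.1"
			if f := strings.Fields(val); len(f) == 3 && f[1] == "purl" {
				doc.PURLs = append(doc.PURLs, f[2])
			}
		}
	}
	return doc
}

// findLinuxReleaseByPURLUnsafe mirrors the faulting frame: it reads
// doc.PURLs without checking doc, so a nil document dereferences nil.
func findLinuxReleaseByPURLUnsafe(doc *Document) string {
	for _, p := range doc.PURLs { // panics when doc == nil
		if strings.HasPrefix(p, "pkg:deb/") || strings.HasPrefix(p, "pkg:rpm/") {
			return p
		}
	}
	return ""
}

// DecodeSBOM is the hardened entry point: empty input is rejected up front
// with a descriptive error, and a nil decode result becomes a format error
// instead of being passed on to callers.
func DecodeSBOM(r io.Reader) (*Document, error) {
	br := bufio.NewReader(r)
	if _, err := br.Peek(1); err != nil {
		if err == io.EOF {
			return nil, ErrEmptySBOM
		}
		return nil, err
	}
	doc := decodeTagValue(br)
	if doc == nil {
		return nil, errors.New("input is not an SPDX tag-value document (no SPDXVersion tag)")
	}
	return doc, nil
}

// FindLinuxReleaseByPURL is the nil-safe counterpart of the unsafe helper.
func FindLinuxReleaseByPURL(doc *Document) string {
	if doc == nil {
		return ""
	}
	return findLinuxReleaseByPURLUnsafe(doc)
}

// panics reports whether f panics, so the unsafe path can be shown
// without crashing the program the way grype did.
func panics(f func()) (didPanic bool) {
	defer func() { didPanic = recover() != nil }()
	f()
	return false
}

func main() {
	// Constructed inputs: the report's empty file, and a tiny valid SBOM.
	const valid = "SPDXVersion: SPDX-2.2\nPackageName: bash\nExternalRef: PACKAGE-MANAGER purl pkg:deb/debian/bash@5.1\n"

	fmt.Println("unsafe path panics on empty input:",
		panics(func() { findLinuxReleaseByPURLUnsafe(decodeTagValue(strings.NewReader(""))) }))
	_, err := DecodeSBOM(strings.NewReader(""))
	fmt.Println("hardened path on empty input:", err)
	doc, _ := DecodeSBOM(strings.NewReader(valid))
	fmt.Println("hardened path on valid input:", FindLinuxReleaseByPURL(doc))
}
```

The `Peek(1)` check is the cheap part and is enough for the `touch`-created file in this report; the nil check after decoding is the one that matters for the general case, because any input a decoder silently fails on (wrong format, truncated file) would otherwise reach the same dereference.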
@luhring
Contributor

luhring commented Mar 24, 2022

@ForceFaction Thanks for spotting this! I can reproduce this on my machine. We'll get a fix out shortly.
