BUG: panic: runtime error: index out of range [4] with length 4 #2549

Closed
ianlewis opened this issue Dec 17, 2022 · 2 comments
Labels
kind/bug Something isn't working

Comments

@ianlewis

ianlewis commented Dec 17, 2022

We are seeing a panic in scorecard-action v2.1.0 for our scheduled runs.

See this scheduled run:
https://github.com/slsa-framework/slsa-github-generator/actions/runs/3719005620/jobs/6307584758

panic: runtime error: index out of range [4] with length 4

goroutine 9 [running]:
github.com/ossf/scorecard/v4/checks/raw.isGoUnpinnedDownload({0xc000d04540, 0x4, 0x2565ec0?})
	github.com/ossf/scorecard/v4@v4.10.0/checks/raw/shell_download_validate.go:460 +0x5a7
github.com/ossf/scorecard/v4/checks/raw.collectUnpinnedPakageManagerDownload(0xc0008cbc80?, 0xc000db8a80?, {0x2565ec0?, 0xc000db8a80}, {0xc000a00840, 0xc}, {0xc0003b7494, 0x2a}, 0xc0008cbc80)
	github.com/ossf/scorecard/v4@v4.10.0/checks/raw/shell_download_validate.go:647 +0xf9
github.com/ossf/scorecard/v4/checks/raw.validateShellFileAndRecord.func1({0x2565ec0, 0xc000db8a80})
	github.com/ossf/scorecard/v4@v4.10.0/checks/raw/shell_download_validate.go:932 +0x31f
mvdan.cc/sh/v3/syntax.Walk({0x2565ec0?, 0xc000db8a80?}, 0xc000e88640)
	mvdan.cc/sh/v3@v3.5.1/syntax/walk.go:32 +0x56
mvdan.cc/sh/v3/syntax.Walk({0x2566208?, 0xc0011de000?}, 0xc000e88640)
	mvdan.cc/sh/v3@v3.5.1/syntax/walk.go:49 +0x1605
mvdan.cc/sh/v3/syntax.walkStmts({0xc0010c9000, 0x1, 0x203000?}, {0x0, 0x0, 0xc000db8000?}, 0xc000db8608?)
	mvdan.cc/sh/v3@v3.5.1/syntax/walk.go:14 +0x4d
mvdan.cc/sh/v3/syntax.Walk({0x2566028?, 0xc000d043c0?}, 0xc000e88640)
	mvdan.cc/sh/v3@v3.5.1/syntax/walk.go:38 +0x536
github.com/ossf/scorecard/v4/checks/raw.validateShellFileAndRecord({0xc0003b7494, 0x2a}, 0x13, 0x13, {0xc000a007d0?, 0x3eb?, 0x3ec?}, 0xc000e87800, 0xc0008cbc80)
	github.com/ossf/scorecard/v4@v4.10.0/checks/raw/shell_download_validate.go:898 +0x24a
github.com/ossf/scorecard/v4/checks/raw.validateShellFile(...)
	github.com/ossf/scorecard/v4@v4.10.0/checks/raw/shell_download_validate.go:1029
github.com/ossf/scorecard/v4/checks/raw.glob..func8({0xc0003b7494, 0x2a}, {0xc00061dc00, 0x3eb, 0x3ec}, {0xc000b5c670?, 0x7f6ae76d55b8?, 0x10?})
	github.com/ossf/scorecard/v4@v4.10.0/checks/raw/pinned_dependencies.go:164 +0x457
github.com/ossf/scorecard/v4/checks/fileparser.OnMatchingFileContentDo({0x258a7b0, 0xc00057cb40}, {{0x221194c?, 0x1ea21c0?}, 0x20?}, 0x2337298, {0xc000b5c670, 0x1, 0x1})
	github.com/ossf/scorecard/v4@v4.10.0/checks/fileparser/listing.go:100 +0x1c3
github.com/ossf/scorecard/v4/checks/raw.collectDockerfileInsecureDownloads(...)
	github.com/ossf/scorecard/v4@v4.10.0/checks/raw/pinned_dependencies.go:105
github.com/ossf/scorecard/v4/checks/raw.PinningDependencies(0xc000184c60)
	github.com/ossf/scorecard/v4@v4.10.0/checks/raw/pinned_dependencies.go:46 +0x19c
github.com/ossf/scorecard/v4/checks.PinningDependencies(0xc000184c60)
	github.com/ossf/scorecard/v4@v4.10.0/checks/pinned_dependencies.go:41 +0x5e
github.com/ossf/scorecard/v4/checker.(*Runner).Run(0xc000aaff18, {0x2575a00, 0xc000126000}, {0x23371d8?, {0xc000560500?, 0x0?, 0x0?}})
	github.com/ossf/scorecard/v4@v4.10.0/checker/check_runner.go:111 +0x574
github.com/ossf/scorecard/v4/pkg.runEnabledChecks.func1()
	github.com/ossf/scorecard/v4@v4.10.0/pkg/scorecard.go:60 +0x1d0
created by github.com/ossf/scorecard/v4/pkg.runEnabledChecks
	github.com/ossf/scorecard/v4@v4.10.0/pkg/scorecard.go:52 +0x216
@ianlewis ianlewis added the kind/bug Something isn't working label Dec 17, 2022
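The trace above ends in isGoUnpinnedDownload reading element 4 of a 4-element argument slice. As an added illustration, not scorecard's own code, here is the shape of a bounds-safe version of that kind of check in Go: it decides whether a shell command is a `go get` / `go install` and which package arguments lack a pinned version, and every slice access is guarded so a short command (for example `go install` with no arguments) cannot index past the end. The function name, the pinning rules (semver tag or hex commit counts as pinned; `@latest`, a branch name, or no `@` suffix counts as unpinned), and the treatment of flags and local paths are my assumptions; the issue does not show the command that triggered this run's panic, and flag values (`-tags foo`) are not handled.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed example. Not scorecard's isGoUnpinnedDownload; it only shows
// the bounds-checked pattern that avoids "index out of range [N] with length N".

// Assumed pinning rules: an explicit semver tag or a hex commit id is
// reproducible; "@latest", "@master", "@main" or no suffix at all is not.
var (
	semverRe = regexp.MustCompile(`^v\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$`)
	shaRe    = regexp.MustCompile(`^[0-9a-f]{7,40}$`)
)

func isPinnedRef(ref string) bool {
	return semverRe.MatchString(ref) || shaRe.MatchString(ref)
}

// UnpinnedGoDownloads returns the package arguments of a `go get` /
// `go install` command (given as its argv tokens) that are not pinned to a
// specific version. It returns nil when the command is not a Go download or
// when every package is pinned. No index is ever read without first checking
// len(cmd), so `go`, `go install` or `go get -u` cannot panic here.
func UnpinnedGoDownloads(cmd []string) []string {
	// Guard both indexes we read positionally before touching them.
	if len(cmd) < 2 || cmd[0] != "go" {
		return nil
	}
	if cmd[1] != "get" && cmd[1] != "install" {
		return nil
	}

	var unpinned []string
	// cmd[2:] is valid (and empty) even when len(cmd) == 2.
	for _, arg := range cmd[2:] {
		switch {
		case strings.HasPrefix(arg, "-"):
			continue // flags such as -u or -d are not packages
		case strings.HasPrefix(arg, ".") || strings.HasPrefix(arg, "/"):
			continue // local path: versions come from go.mod / go.sum
		}
		pkg, ref, hasAt := strings.Cut(arg, "@")
		if !hasAt {
			unpinned = append(unpinned, pkg) // no version suffix at all
			continue
		}
		if !isPinnedRef(ref) {
			unpinned = append(unpinned, arg) // @latest, @main, ...
		}
	}
	return unpinned
}

func main() {
	// Constructed sample commands, including the short ones that a
	// positional cmd[4] read would crash on.
	samples := [][]string{
		{"go", "install"},
		{"go", "get", "-u", "./..."},
		{"go", "install", "example.com/tool@latest"},
		{"go", "install", "example.com/tool@v1.2.3"},
		{"go", "get", "example.com/a", "example.com/b@v0.1.0"},
	}
	for _, s := range samples {
		fmt.Printf("%-45s unpinned=%v\n", strings.Join(s, " "), UnpinnedGoDownloads(s))
	}
}
```

The point of the shape is that the only positional reads are cmd[0] and cmd[1], and both sit behind a len(cmd) check; everything after the subcommand is handled by ranging over a sub-slice, which is always in bounds.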
@naveensrinivasan
Member

Thanks!

@laurentsimon, Would you be able to look into this?

@naveensrinivasan naveensrinivasan self-assigned this Dec 18, 2022
naveensrinivasan added a commit that referenced this issue Dec 18, 2022
- Fixed the #2549

Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
naveensrinivasan added a commit that referenced this issue Dec 18, 2022
- Fixed the #2549

Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>

Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
naveensrinivasan added a commit to ossf/scorecard-action that referenced this issue Dec 18, 2022
- Update scorecard for ossf/scorecard#2549

Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
naveensrinivasan added a commit to ossf/scorecard-action that referenced this issue Dec 19, 2022
- Update scorecard for ossf/scorecard#2549

Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
naveensrinivasan added a commit to ossf/scorecard-action that referenced this issue Dec 19, 2022
- Update scorecard for ossf/scorecard#2549

Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>

Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
@laurentsimon
Contributor

Fixed in ossf/scorecard-action#1045

raghavkaul pushed a commit to raghavkaul/scorecard that referenced this issue Feb 9, 2023
- Fixed the ossf#2549

Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>

Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>