Regression in 0.50.0 - SIGSEGV scanning some container images #6344

Closed
2 tasks done
nikpivkin opened this issue Mar 19, 2024 Discussed in #6343 · 5 comments · Fixed by #6346
Labels
kind/bug Categorizes issue or PR as related to a bug. target/container-image Issues relating to container image scanning

Comments

@nikpivkin
Contributor

Discussed in #6343

Originally posted by weili-jiang March 19, 2024

Description

Scanning some Docker images with 0.50.0 crashes with a SIGSEGV, but the same images scan successfully with Trivy 0.49.1.

Example of problematic image: rabbitmq official Docker image: https://hub.docker.com/_/rabbitmq

Desired Behavior

Scan completes

Actual Behavior

Crashed with SIGSEGV

Reproduction Steps

1. Run `trivy image rabbitmq`

Target

Container Image

Scanner

Vulnerability

Output Format

Table

Mode

Standalone

Debug Output

2024-03-19T10:13:43.024Z        DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2024-03-19T10:13:43.024Z        DEBUG   Ignore statuses {"statuses": null}
2024-03-19T10:13:43.026Z        DEBUG   cache dir:  /root/.cache/trivy
2024-03-19T10:13:43.027Z        DEBUG   There is no valid metadata file: unable to open a file: open /root/.cache/trivy/db/metadata.json: no such file or directory
2024-03-19T10:13:43.027Z        INFO    Need to update DB
2024-03-19T10:13:43.027Z        INFO    DB Repository: ghcr.io/aquasecurity/trivy-db:2
2024-03-19T10:13:43.027Z        INFO    Downloading DB...
2024-03-19T10:13:43.027Z        DEBUG   no metadata file
44.46 MiB / 44.46 MiB [------------------------------------------------------------------------------------------------] 100.00% 39.26 MiB p/s 1.3s
2024-03-19T10:13:45.736Z        DEBUG   Updating database metadata...
2024-03-19T10:13:45.736Z        DEBUG   DB Schema: 2, UpdatedAt: 2024-03-19 06:11:26.197336549 +0000 UTC, NextUpdate: 2024-03-19 12:11:26.197336089 +0000 UTC, DownloadedAt: 2024-03-19 10:13:45.736689073 +0000 UTC
2024-03-19T10:13:45.736Z        INFO    Vulnerability scanning is enabled
2024-03-19T10:13:45.736Z        DEBUG   Vulnerability type:  [os library]
2024-03-19T10:13:45.736Z        INFO    Secret scanning is enabled
2024-03-19T10:13:45.736Z        INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-03-19T10:13:45.736Z        INFO    Please see also https://aquasecurity.github.io/trivy/v0.50/docs/scanner/secret/#recommendation for faster secret detection
2024-03-19T10:13:45.736Z        DEBUG   Enabling misconfiguration scanners: [azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-03-19T10:13:47.455Z        DEBUG   No secret config detected: trivy-secret.yaml
2024-03-19T10:13:47.455Z        DEBUG   The nuget packages directory couldn't be found. License search disabled
2024-03-19T10:13:47.455Z        DEBUG   No secret config detected: trivy-secret.yaml
2024-03-19T10:13:47.767Z        DEBUG   Image ID: sha256:d6745c5484760de3c5c21766094eb4b892b0794a532e49bb285f2fb5a3421f2b
2024-03-19T10:13:47.767Z        DEBUG   Diff IDs: [sha256:5498e8c22f6996f25ef193ee58617d5b37e2a96decf22e72de13c3b34e147591 sha256:b4ee3af5b1eeecb1735417435d50b22a14c3a09da510977e29dff6cefb8c36c1 sha256:2c1e5cf5366f2a76d2dc51952a84a6860208d82854fd6a8227fbb0196e68af0f sha256:7bcb0cbaa87387ed13ca3c2ead621ca38c8211fdcc147071887149dbd08d1ce3 sha256:aad3505743359a681968f186852fa6458d442cb978666c114f3dc77642dd51d6 sha256:9ba29238a7ef03dd359b1ed69f8a4f8c3fcda57a885e52c0354885c97d4fc892 sha256:52e1411efd602ab56986e3d6437b85dc107723052a7a7b87db53ccc507ccdbb5 sha256:a7780c0c3c1fd7a326f6c9fd941e1d8533ecc2551e9853c38217bfb7e04ffbbd sha256:95cef8c91476c8d3e84fed0098ea87fd0f177157e4fe68daa7e48e4b27e99ae6 sha256:007dd0dcaa95f664bb669a864429c114f353cb47ac8aeb91b56cb70be8c80f36 sha256:06c8824562755bc23b8093a317ce604c4467e27be6bf69af483cab5f40837b6b]
2024-03-19T10:13:47.767Z        DEBUG   Base Layers: [sha256:5498e8c22f6996f25ef193ee58617d5b37e2a96decf22e72de13c3b34e147591]
2024-03-19T10:13:47.768Z        DEBUG   Missing image ID in cache: sha256:d6745c5484760de3c5c21766094eb4b892b0794a532e49bb285f2fb5a3421f2b
2024-03-19T10:13:47.768Z        DEBUG   Missing diff ID in cache: sha256:5498e8c22f6996f25ef193ee58617d5b37e2a96decf22e72de13c3b34e147591
2024-03-19T10:13:47.768Z        DEBUG   Missing diff ID in cache: sha256:b4ee3af5b1eeecb1735417435d50b22a14c3a09da510977e29dff6cefb8c36c1
2024-03-19T10:13:47.768Z        DEBUG   Missing diff ID in cache: sha256:aad3505743359a681968f186852fa6458d442cb978666c114f3dc77642dd51d6
2024-03-19T10:13:47.768Z        DEBUG   Missing diff ID in cache: sha256:7bcb0cbaa87387ed13ca3c2ead621ca38c8211fdcc147071887149dbd08d1ce3
2024-03-19T10:13:47.768Z        DEBUG   Missing diff ID in cache: sha256:2c1e5cf5366f2a76d2dc51952a84a6860208d82854fd6a8227fbb0196e68af0f
2024-03-19T10:13:48.025Z        DEBUG   Skipping directory: dev
2024-03-19T10:13:48.031Z        DEBUG   Skipping directory: proc
2024-03-19T10:13:48.031Z        DEBUG   Skipping directory: sys
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x10 pc=0x66a7526]

goroutine 540 [running]:
github.com/aquasecurity/trivy/pkg/sbom/spdx.(*SPDX).isTrivySBOM(...)
        /home/runner/work/trivy/trivy/pkg/sbom/spdx/unmarshal.go:258
github.com/aquasecurity/trivy/pkg/sbom/spdx.(*SPDX).unmarshal(0xc000ec66a8, 0xc000e20780)
        /home/runner/work/trivy/trivy/pkg/sbom/spdx/unmarshal.go:72 +0x26
github.com/aquasecurity/trivy/pkg/sbom/spdx.(*SPDX).UnmarshalJSON(0xc000ec66a8, {0xc0020e8000, 0x164, 0x200})
        /home/runner/work/trivy/trivy/pkg/sbom/spdx/unmarshal.go:65 +0x21a
encoding/json.(*decodeState).object(0xc000e20668, {0x7d7da60?, 0xc000ec66a8?, 0xc001b1f1c8?})
        /opt/hostedtoolcache/go/1.21.8/x64/src/encoding/json/decode.go:604 +0x6cc
encoding/json.(*decodeState).value(0xc000e20668, {0x7d7da60?, 0xc000ec66a8?, 0xc001b1f218?})
        /opt/hostedtoolcache/go/1.21.8/x64/src/encoding/json/decode.go:374 +0x3e
encoding/json.(*decodeState).unmarshal(0xc000e20668, {0x7d7da60?, 0xc000ec66a8?})
        /opt/hostedtoolcache/go/1.21.8/x64/src/encoding/json/decode.go:181 +0x133
encoding/json.(*Decoder).Decode(0xc000e20640, {0x7d7da60, 0xc000ec66a8})
        /opt/hostedtoolcache/go/1.21.8/x64/src/encoding/json/stream.go:73 +0x179
github.com/aquasecurity/trivy/pkg/sbom.Decode({_, _}, {_, _})
        /home/runner/work/trivy/trivy/pkg/sbom/sbom.go:225 +0x645
github.com/aquasecurity/trivy/pkg/fanal/analyzer/sbom.sbomAnalyzer.Analyze({}, {0x79bed40?, 0x0?}, {{0x0, 0x0}, {0xc003ba2260, 0x1d}, {0x960acb0, 0xc00203c1c0}, {0x7fb53245d608, ...}, ...})
        /home/runner/work/trivy/trivy/pkg/fanal/analyzer/sbom/sbom.go:39 +0x118
github.com/aquasecurity/trivy/pkg/fanal/analyzer.AnalyzerGroup.AnalyzeFile.func1({0x9603320, 0xcc8f8a0}, {0x9600850?, 0xc002d44180})
        /home/runner/work/trivy/trivy/pkg/fanal/analyzer/analyzer.go:430 +0x25d
created by github.com/aquasecurity/trivy/pkg/fanal/analyzer.AnalyzerGroup.AnalyzeFile in goroutine 115
        /home/runner/work/trivy/trivy/pkg/fanal/analyzer/analyzer.go:425 +0x525

Operating System

Linux/Docker

Version

Version: 0.50.0


@nikpivkin nikpivkin added kind/bug Categorizes issue or PR as related to a bug. target/container-image Issues relating to container image scanning labels Mar 19, 2024
@DmitriyLewen DmitriyLewen self-assigned this Mar 19, 2024
@nevotheless

Yeah came here to report the same. 👍🏽

For me it's the redis:7.2-alpine image. Saw it yesterday in our CI/CD Pipeline fail to scan some stuff. But strangely only that one pipeline.

@DmitriyLewen
Contributor

This happens because the SPDX file in the image doesn't contain the required CreationInfo field.
e.g. for redis:7.2-alpine:

➜ docker run -it --rm redis:7.2-alpine cat /usr/local/redis.spdx.json
{
  "spdxVersion": "SPDX-2.3",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "redis-server-sbom",
  "packages": [
    {
      "name": "redis-server",
      "versionInfo": "7.2.4",
      "SPDXID": "SPDXRef-Package--redis-server",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:generic/redis-server@7.2.4?os_name=alpine&os_version=3.19"
        }
      ],
      "licenseDeclared": "BSD-3-Clause"
    }
  ]
}

We already have #6346 to avoid panic for these SPDX files.
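
The stack trace above ends in `isTrivySBOM` while decoding an SPDX document that Trivy's SBOM analyzer picked up from the image filesystem (here `/usr/local/redis.spdx.json`). Such files are untrusted input: anyone who can publish an image can ship an SPDX document with arbitrary fields missing, so a parser that assumes `creationInfo` is present turns a malformed SBOM into a scanner crash (and a failed CI pipeline). The example below is an added illustration, not Trivy's code and not the fix from #6346: it uses hand-written minimal SPDX 2.3 structs (`Document`, `CreationInfo`, `Creator`, the `Decode` helper and the constructed `imageSBOM`/`trivySBOM` inputs are all assumptions of this example) to show the unchecked dereference beside a nil-safe check, and uses `recover` so the crash can be observed as an error rather than a SIGSEGV.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Minimal stand-ins for the SPDX 2.3 JSON shapes, written for this example
// (not the spdx/tools-golang types Trivy uses).
type Creator struct {
	CreatorType string // e.g. "Tool", "Organization"
	Creator     string // e.g. "trivy-0.49.1"
}

// SPDX JSON encodes each creator as a single string "Type: value".
func (c *Creator) UnmarshalJSON(b []byte) error {
	var s string
	if err := json.Unmarshal(b, &s); err != nil {
		return err
	}
	parts := strings.SplitN(s, ":", 2)
	if len(parts) != 2 {
		return fmt.Errorf("malformed creator %q", s)
	}
	c.CreatorType = strings.TrimSpace(parts[0])
	c.Creator = strings.TrimSpace(parts[1])
	return nil
}

type CreationInfo struct {
	Created  string    `json:"created"`
	Creators []Creator `json:"creators"`
}

type Package struct {
	Name        string `json:"name"`
	VersionInfo string `json:"versionInfo"`
}

type Document struct {
	SPDXVersion  string        `json:"spdxVersion"`
	SPDXID       string        `json:"SPDXID"`
	Name         string        `json:"name"`
	CreationInfo *CreationInfo `json:"creationInfo"` // pointer: absent in JSON means nil
	Packages     []Package     `json:"packages"`
}

// Decode parses raw SPDX JSON into the minimal Document above.
func Decode(raw string) (*Document, error) {
	var doc Document
	if err := json.Unmarshal([]byte(raw), &doc); err != nil {
		return nil, err
	}
	return &doc, nil
}

// unsafeIsTrivySBOM mirrors the crashing pattern: it assumes creationInfo is
// always present and dereferences the nil pointer when it is not.
func unsafeIsTrivySBOM(doc *Document) bool {
	for _, c := range doc.CreationInfo.Creators { // nil pointer dereference if creationInfo is missing
		if c.CreatorType == "Tool" && strings.HasPrefix(c.Creator, "trivy") {
			return true
		}
	}
	return false
}

// isTrivySBOM is the nil-safe variant: an SBOM without creationInfo is simply
// "not produced by Trivy", which is a normal answer rather than a fatal one.
func isTrivySBOM(doc *Document) bool {
	if doc == nil || doc.CreationInfo == nil {
		return false
	}
	for _, c := range doc.CreationInfo.Creators {
		if c.CreatorType == "Tool" && strings.HasPrefix(c.Creator, "trivy") {
			return true
		}
	}
	return false
}

// safeCall runs fn and turns a runtime panic into an error so the caller can
// observe the crash without the process dying with SIGSEGV.
func safeCall(fn func() bool) (result bool, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("panic: %v", r)
		}
	}()
	return fn(), nil
}

// Constructed inputs for this example. imageSBOM has the shape of the redis
// SBOM quoted in the thread (no creationInfo); trivySBOM has the shape of a
// Trivy-generated SPDX document (creationInfo with a "Tool: trivy-..." creator).
const imageSBOM = `{"spdxVersion":"SPDX-2.3","SPDXID":"SPDXRef-DOCUMENT","name":"redis-server-sbom",
"packages":[{"name":"redis-server","versionInfo":"7.2.4"}]}`

const trivySBOM = `{"spdxVersion":"SPDX-2.3","SPDXID":"SPDXRef-DOCUMENT","name":"example",
"creationInfo":{"created":"2024-03-19T10:13:47Z","creators":["Organization: aquasecurity","Tool: trivy-0.49.1"]},
"packages":[]}`

func main() {
	for name, raw := range map[string]string{"image-sbom": imageSBOM, "trivy-sbom": trivySBOM} {
		doc, err := Decode(raw)
		if err != nil {
			fmt.Println(name, "decode error:", err)
			continue
		}
		unsafeRes, unsafeErr := safeCall(func() bool { return unsafeIsTrivySBOM(doc) })
		fmt.Printf("%s: unsafe=%v err=%v safe=%v\n", name, unsafeRes, unsafeErr, isTrivySBOM(doc))
	}
}
```

Running it shows the unchecked version panicking on the image SBOM and the nil-safe version returning false for it, while both agree on the Trivy-generated document. The general lesson for any scanner that reads SBOMs, lockfiles or manifests out of an artifact is the same: treat every optional field of the format as optional, even where the spec says it is required, because the artifact author controls the file.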

majewsky added a commit to sapcc/keppel that referenced this issue Mar 20, 2024
We have to downgrade our trivy-server because of
<aquasecurity/trivy#6344>, so I'm downgrading
here, too, to keep the versions matching.
@yansifw

yansifw commented Mar 21, 2024

Same happening to me for redis:7.2-bookworm

@sagiru

sagiru commented Mar 22, 2024

Also on macos-arm64 with redis:7.2.4-alpine@sha256:641c365890fc79f182fb198c80ee807d040b9cfdb19cceb7f10c55a268d212b8. The 0.49.1 does it fine.

Regards
Sascha

@saschawiener

Same with rabbitmq:3:13-alpine
